243f3743b7c0353104dffd185aa6d754407e7b31c3840e30fdc5ec66d7f1c11b

Analysis

max time kernel
154s
max time network
138s
platform
windows7_x64
resource
win7-20240704-en
resource tags

arch:x64arch:x86image:win7-20240704-enlocale:en-usos:windows7-x64system
submitted
10/07/2024, 05:35

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

WeChat.exe
Size

644KB
MD5

c608dfa29a249753b38ebad45f52cc68
SHA1

f7aacf4caf435dc3be1a40bb96019175d95567d8
SHA256

d6521203a3641f9606f146f4fc763be5b87fa058915c2eca0a7474c9d76b6ba7
SHA512

9f3107b14ecb5a0d233cf656577d7ba2776c8a9b3cb0448d295a9fe6733eec69b85b91bf1a60863e21634a72ae173f1030635285e13da14f343d318c134d1b4e
SSDEEP

6144:mQyk1xZBq65kzLy9tEoEtKE0raGrm+BhK629PRwY+:mQy2Zo65kzLy92oIt0rrXIk9

Score

9^/10

evasion

Malware Config

Signatures

Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 1 IoCs

evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	WeChat.exe

Checks BIOS information in registry 2 TTPs 1 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	WeChat.exe

Executes dropped EXE 5 IoCs

pid	Process
1828	WeChatAppEx.exe
2780	WechatAppEx.exe
1836	WeChatAppEx.exe
2148	WeChatAppEx.exe
2152	WeChatAppEx.exe

Loads dropped DLL 43 IoCs

pid	Process
2028	WeChat.exe
2028	WeChat.exe
1828	WeChatAppEx.exe
1828	WeChatAppEx.exe
1828	WeChatAppEx.exe
1828	WeChatAppEx.exe
1828	WeChatAppEx.exe
1828	WeChatAppEx.exe
2780	WechatAppEx.exe
2780	WechatAppEx.exe
2780	WechatAppEx.exe
2780	WechatAppEx.exe
2780	WechatAppEx.exe
2780	WechatAppEx.exe
1836	WeChatAppEx.exe
1836	WeChatAppEx.exe
1836	WeChatAppEx.exe
1836	WeChatAppEx.exe
1836	WeChatAppEx.exe
1836	WeChatAppEx.exe
2148	WeChatAppEx.exe
2148	WeChatAppEx.exe
2148	WeChatAppEx.exe
2148	WeChatAppEx.exe
2148	WeChatAppEx.exe
2148	WeChatAppEx.exe
2148	WeChatAppEx.exe
2148	WeChatAppEx.exe
2148	WeChatAppEx.exe
2152	WeChatAppEx.exe
2152	WeChatAppEx.exe
2152	WeChatAppEx.exe
2152	WeChatAppEx.exe
2152	WeChatAppEx.exe
2152	WeChatAppEx.exe
2152	WeChatAppEx.exe
2152	WeChatAppEx.exe
2152	WeChatAppEx.exe
2152	WeChatAppEx.exe
2152	WeChatAppEx.exe
2152	WeChatAppEx.exe
2152	WeChatAppEx.exe
2152	WeChatAppEx.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks processor information in registry 2 TTPs 10 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	WechatAppEx.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	WeChatAppEx.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	WeChatAppEx.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	WeChatAppEx.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	WeChatAppEx.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	WechatAppEx.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	WeChatAppEx.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	WeChatAppEx.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	WeChatAppEx.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	WeChatAppEx.exe

Enumerates system info in registry 2 TTPs 4 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\BaseBoardProduct	WeChat.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	WeChat.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	WeChat.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\BaseBoardManufacturer	WeChat.exe

Modifies registry class 9 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000_CLASSES\weixin\shell\open\command	WeChat.exe
Key created	\REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000_CLASSES\weixin	WeChat.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000_CLASSES\weixin\shell\open\command\ = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\WeChat.exe\" \"%1\""	WeChat.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000_CLASSES\weixin\URL Protocol = "weixinProtocol"	WeChat.exe
Key created	\REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000_CLASSES\weixin\DefaultIcon	WeChat.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000_CLASSES\weixin\DefaultIcon\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\WeChat.exe,1"	WeChat.exe
Key created	\REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000_CLASSES\weixin\shell	WeChat.exe
Key created	\REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000_CLASSES\weixin\shell\open	WeChat.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000_CLASSES\weixin\ = "weixinProtocol"	WeChat.exe

Modifies system certificate store 2 TTPs 4 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43	WeChat.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43\Blob = 0f00000001000000140000006dca5bd00dcf1c0f327059d374b29ca6e3c50aa6090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030814000000010000001400000045eba2aff492cb82312d518ba7a7219df36dc80f0b00000001000000120000004400690067006900430065007200740000001d00000001000000100000004f5f106930398d09107b40c3c7ca8f1c0300000001000000140000000563b8630d62d75abbc8ab1e4bdfb5a899b24d432000000001000000bb030000308203b73082029fa00302010202100ce7e0e517d846fe8fe560fc1bf03039300d06092a864886f70d01010505003065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100ad0e15cee443805cb187f3b760f97112a5aedc269488aaf4cef520392858600cf880daa9159532613cb5b128848a8adc9f0a0c83177a8f90ac8ae779535c31842af60f98323676ccdedd3ca8a2ef6afb21f25261df9f20d71fe2b1d9fe1864d2125b5ff9581835bc47cda136f96b7fd4b0383ec11bc38c33d9d82f18fe280fb3a783d6c36e44c061359616fe599c8b766dd7f1a24b0d2bff0b72da9e60d08e9035c678558720a1cfe56d0ac8497c3198336c22e987d0325aa2ba138211ed39179d993a72a1e6faa4d9d5173175ae857d22ae3f014686f62879c8b1dae45717c47e1c0eb0b492a656b3bdb297edaaa7f0b7c5a83f9516d0ffa196eb085f18774f0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041445eba2aff492cb82312d518ba7a7219df36dc80f301f0603551d2304183016801445eba2aff492cb82312d518ba7a7219df36dc80f300d06092a864886f70d01010505000382010100a20ebcdfe2edf0e372737a6494bff77266d832e4427562ae87ebf2d5d9de56b39fccce1428b90d97605c124c58e4d33d834945589735691aa847ea56c679ab12d8678184df7f093c94e6b8262c20bd3db32889f75fff22e297841fe965ef87e0dfc16749b35debb2092aeb26ed78be7d3f2bf3b726356d5f8901b6495b9f01059bab3d25c1ccb67fc2f16f86c6fa6468eb812d94eb42b7fa8c1edd62f1be5067b76cbdf3f11f6b0c3607167f377ca95b6d7af112466083d72704be4bce97bec3672a6811df80e70c3366bf130d146ef37f1f63101efa8d1b256d6c8fa5b76101b1d2a326a110719dade2c3f9c39951b72b0708ce2ee650b2a7fa0a452fa2f0f2	WeChat.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43\Blob = 190000000100000010000000749966cecc95c1874194ca7203f9b6200300000001000000140000000563b8630d62d75abbc8ab1e4bdfb5a899b24d431d00000001000000100000004f5f106930398d09107b40c3c7ca8f1c0b000000010000001200000044006900670069004300650072007400000014000000010000001400000045eba2aff492cb82312d518ba7a7219df36dc80f090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b060105050703080f00000001000000140000006dca5bd00dcf1c0f327059d374b29ca6e3c50aa62000000001000000bb030000308203b73082029fa00302010202100ce7e0e517d846fe8fe560fc1bf03039300d06092a864886f70d01010505003065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100ad0e15cee443805cb187f3b760f97112a5aedc269488aaf4cef520392858600cf880daa9159532613cb5b128848a8adc9f0a0c83177a8f90ac8ae779535c31842af60f98323676ccdedd3ca8a2ef6afb21f25261df9f20d71fe2b1d9fe1864d2125b5ff9581835bc47cda136f96b7fd4b0383ec11bc38c33d9d82f18fe280fb3a783d6c36e44c061359616fe599c8b766dd7f1a24b0d2bff0b72da9e60d08e9035c678558720a1cfe56d0ac8497c3198336c22e987d0325aa2ba138211ed39179d993a72a1e6faa4d9d5173175ae857d22ae3f014686f62879c8b1dae45717c47e1c0eb0b492a656b3bdb297edaaa7f0b7c5a83f9516d0ffa196eb085f18774f0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041445eba2aff492cb82312d518ba7a7219df36dc80f301f0603551d2304183016801445eba2aff492cb82312d518ba7a7219df36dc80f300d06092a864886f70d01010505000382010100a20ebcdfe2edf0e372737a6494bff77266d832e4427562ae87ebf2d5d9de56b39fccce1428b90d97605c124c58e4d33d834945589735691aa847ea56c679ab12d8678184df7f093c94e6b8262c20bd3db32889f75fff22e297841fe965ef87e0dfc16749b35debb2092aeb26ed78be7d3f2bf3b726356d5f8901b6495b9f01059bab3d25c1ccb67fc2f16f86c6fa6468eb812d94eb42b7fa8c1edd62f1be5067b76cbdf3f11f6b0c3607167f377ca95b6d7af112466083d72704be4bce97bec3672a6811df80e70c3366bf130d146ef37f1f63101efa8d1b256d6c8fa5b76101b1d2a326a110719dade2c3f9c39951b72b0708ce2ee650b2a7fa0a452fa2f0f2	WeChat.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43\Blob = 04000000010000001000000087ce0b7b2a0e4900e158719b37a893720f00000001000000140000006dca5bd00dcf1c0f327059d374b29ca6e3c50aa6090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030814000000010000001400000045eba2aff492cb82312d518ba7a7219df36dc80f0b00000001000000120000004400690067006900430065007200740000001d00000001000000100000004f5f106930398d09107b40c3c7ca8f1c0300000001000000140000000563b8630d62d75abbc8ab1e4bdfb5a899b24d43190000000100000010000000749966cecc95c1874194ca7203f9b6202000000001000000bb030000308203b73082029fa00302010202100ce7e0e517d846fe8fe560fc1bf03039300d06092a864886f70d01010505003065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100ad0e15cee443805cb187f3b760f97112a5aedc269488aaf4cef520392858600cf880daa9159532613cb5b128848a8adc9f0a0c83177a8f90ac8ae779535c31842af60f98323676ccdedd3ca8a2ef6afb21f25261df9f20d71fe2b1d9fe1864d2125b5ff9581835bc47cda136f96b7fd4b0383ec11bc38c33d9d82f18fe280fb3a783d6c36e44c061359616fe599c8b766dd7f1a24b0d2bff0b72da9e60d08e9035c678558720a1cfe56d0ac8497c3198336c22e987d0325aa2ba138211ed39179d993a72a1e6faa4d9d5173175ae857d22ae3f014686f62879c8b1dae45717c47e1c0eb0b492a656b3bdb297edaaa7f0b7c5a83f9516d0ffa196eb085f18774f0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041445eba2aff492cb82312d518ba7a7219df36dc80f301f0603551d2304183016801445eba2aff492cb82312d518ba7a7219df36dc80f300d06092a864886f70d01010505000382010100a20ebcdfe2edf0e372737a6494bff77266d832e4427562ae87ebf2d5d9de56b39fccce1428b90d97605c124c58e4d33d834945589735691aa847ea56c679ab12d8678184df7f093c94e6b8262c20bd3db32889f75fff22e297841fe965ef87e0dfc16749b35debb2092aeb26ed78be7d3f2bf3b726356d5f8901b6495b9f01059bab3d25c1ccb67fc2f16f86c6fa6468eb812d94eb42b7fa8c1edd62f1be5067b76cbdf3f11f6b0c3607167f377ca95b6d7af112466083d72704be4bce97bec3672a6811df80e70c3366bf130d146ef37f1f63101efa8d1b256d6c8fa5b76101b1d2a326a110719dade2c3f9c39951b72b0708ce2ee650b2a7fa0a452fa2f0f2	WeChat.exe

Suspicious behavior: EnumeratesProcesses 9 IoCs

pid	Process
2028	WeChat.exe
2028	WeChat.exe
1828	WeChatAppEx.exe
1828	WeChatAppEx.exe
2028	WeChat.exe
2028	WeChat.exe
2028	WeChat.exe
1828	WeChatAppEx.exe
1828	WeChatAppEx.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	1828	WeChatAppEx.exe
Token: SeShutdownPrivilege	1828	WeChatAppEx.exe
Token: SeShutdownPrivilege	1828	WeChatAppEx.exe
Token: SeShutdownPrivilege	1828	WeChatAppEx.exe
Token: SeShutdownPrivilege	1828	WeChatAppEx.exe
Token: SeShutdownPrivilege	1828	WeChatAppEx.exe
Token: SeShutdownPrivilege	1828	WeChatAppEx.exe
Token: SeShutdownPrivilege	1828	WeChatAppEx.exe
Token: SeShutdownPrivilege	1828	WeChatAppEx.exe
Token: SeShutdownPrivilege	1828	WeChatAppEx.exe
Token: SeShutdownPrivilege	1828	WeChatAppEx.exe
Token: SeShutdownPrivilege	1828	WeChatAppEx.exe
Token: SeShutdownPrivilege	1828	WeChatAppEx.exe
Token: SeShutdownPrivilege	1828	WeChatAppEx.exe
Token: SeShutdownPrivilege	1828	WeChatAppEx.exe
Token: SeShutdownPrivilege	1828	WeChatAppEx.exe
Token: SeShutdownPrivilege	1828	WeChatAppEx.exe
Token: SeShutdownPrivilege	1828	WeChatAppEx.exe
Token: SeShutdownPrivilege	1828	WeChatAppEx.exe
Token: SeShutdownPrivilege	1828	WeChatAppEx.exe
Token: SeShutdownPrivilege	1828	WeChatAppEx.exe
Token: SeShutdownPrivilege	1828	WeChatAppEx.exe
Token: SeShutdownPrivilege	1828	WeChatAppEx.exe
Token: SeShutdownPrivilege	1828	WeChatAppEx.exe
Token: SeShutdownPrivilege	1828	WeChatAppEx.exe
Token: SeShutdownPrivilege	1828	WeChatAppEx.exe
Token: SeShutdownPrivilege	1828	WeChatAppEx.exe
Token: SeShutdownPrivilege	1828	WeChatAppEx.exe
Token: SeShutdownPrivilege	1828	WeChatAppEx.exe
Token: SeShutdownPrivilege	1828	WeChatAppEx.exe
Token: SeShutdownPrivilege	1828	WeChatAppEx.exe
Token: SeShutdownPrivilege	1828	WeChatAppEx.exe
Token: SeShutdownPrivilege	1828	WeChatAppEx.exe
Token: SeShutdownPrivilege	1828	WeChatAppEx.exe
Token: SeShutdownPrivilege	1828	WeChatAppEx.exe
Token: SeShutdownPrivilege	1828	WeChatAppEx.exe
Token: SeShutdownPrivilege	1828	WeChatAppEx.exe
Token: SeShutdownPrivilege	1828	WeChatAppEx.exe
Token: SeShutdownPrivilege	1828	WeChatAppEx.exe
Token: SeShutdownPrivilege	1828	WeChatAppEx.exe
Token: SeShutdownPrivilege	1828	WeChatAppEx.exe
Token: SeShutdownPrivilege	1828	WeChatAppEx.exe
Token: SeShutdownPrivilege	1828	WeChatAppEx.exe
Token: SeShutdownPrivilege	1828	WeChatAppEx.exe
Token: SeShutdownPrivilege	1828	WeChatAppEx.exe
Token: SeShutdownPrivilege	1828	WeChatAppEx.exe
Token: SeShutdownPrivilege	1828	WeChatAppEx.exe
Token: SeShutdownPrivilege	1828	WeChatAppEx.exe
Token: SeShutdownPrivilege	1828	WeChatAppEx.exe
Token: SeShutdownPrivilege	1828	WeChatAppEx.exe
Token: SeShutdownPrivilege	1828	WeChatAppEx.exe
Token: SeShutdownPrivilege	1828	WeChatAppEx.exe
Token: SeShutdownPrivilege	1828	WeChatAppEx.exe
Token: SeShutdownPrivilege	1828	WeChatAppEx.exe
Token: SeShutdownPrivilege	1828	WeChatAppEx.exe
Token: SeShutdownPrivilege	1828	WeChatAppEx.exe
Token: SeShutdownPrivilege	1828	WeChatAppEx.exe
Token: SeShutdownPrivilege	1828	WeChatAppEx.exe
Token: SeShutdownPrivilege	1828	WeChatAppEx.exe
Token: SeShutdownPrivilege	1828	WeChatAppEx.exe
Token: SeShutdownPrivilege	1828	WeChatAppEx.exe
Token: SeShutdownPrivilege	1828	WeChatAppEx.exe
Token: SeShutdownPrivilege	1828	WeChatAppEx.exe
Token: SeShutdownPrivilege	1828	WeChatAppEx.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2028 wrote to memory of 2968	2028	WeChat.exe	29
PID 2028 wrote to memory of 2968	2028	WeChat.exe	29
PID 2028 wrote to memory of 2968	2028	WeChat.exe	29
PID 2028 wrote to memory of 1828	2028	WeChat.exe	31
PID 2028 wrote to memory of 1828	2028	WeChat.exe	31
PID 2028 wrote to memory of 1828	2028	WeChat.exe	31
PID 1828 wrote to memory of 2780	1828	WeChatAppEx.exe	32
PID 1828 wrote to memory of 2780	1828	WeChatAppEx.exe	32
PID 1828 wrote to memory of 2780	1828	WeChatAppEx.exe	32
PID 1828 wrote to memory of 1836	1828	WeChatAppEx.exe	33
PID 1828 wrote to memory of 1836	1828	WeChatAppEx.exe	33
PID 1828 wrote to memory of 1836	1828	WeChatAppEx.exe	33
PID 1828 wrote to memory of 2148	1828	WeChatAppEx.exe	34
PID 1828 wrote to memory of 2148	1828	WeChatAppEx.exe	34
PID 1828 wrote to memory of 2148	1828	WeChatAppEx.exe	34
PID 1828 wrote to memory of 2148	1828	WeChatAppEx.exe	34
PID 1828 wrote to memory of 2148	1828	WeChatAppEx.exe	34
PID 1828 wrote to memory of 2148	1828	WeChatAppEx.exe	34
PID 1828 wrote to memory of 2148	1828	WeChatAppEx.exe	34
PID 1828 wrote to memory of 2148	1828	WeChatAppEx.exe	34
PID 1828 wrote to memory of 2148	1828	WeChatAppEx.exe	34
PID 1828 wrote to memory of 2148	1828	WeChatAppEx.exe	34
PID 1828 wrote to memory of 2148	1828	WeChatAppEx.exe	34
PID 1828 wrote to memory of 2148	1828	WeChatAppEx.exe	34
PID 1828 wrote to memory of 2148	1828	WeChatAppEx.exe	34
PID 1828 wrote to memory of 2148	1828	WeChatAppEx.exe	34
PID 1828 wrote to memory of 2148	1828	WeChatAppEx.exe	34
PID 1828 wrote to memory of 2148	1828	WeChatAppEx.exe	34
PID 1828 wrote to memory of 2148	1828	WeChatAppEx.exe	34
PID 1828 wrote to memory of 2148	1828	WeChatAppEx.exe	34
PID 1828 wrote to memory of 2148	1828	WeChatAppEx.exe	34
PID 1828 wrote to memory of 2148	1828	WeChatAppEx.exe	34
PID 1828 wrote to memory of 2148	1828	WeChatAppEx.exe	34
PID 1828 wrote to memory of 2148	1828	WeChatAppEx.exe	34
PID 1828 wrote to memory of 2148	1828	WeChatAppEx.exe	34
PID 1828 wrote to memory of 2148	1828	WeChatAppEx.exe	34
PID 1828 wrote to memory of 2148	1828	WeChatAppEx.exe	34
PID 1828 wrote to memory of 2148	1828	WeChatAppEx.exe	34
PID 1828 wrote to memory of 2148	1828	WeChatAppEx.exe	34
PID 1828 wrote to memory of 2148	1828	WeChatAppEx.exe	34
PID 1828 wrote to memory of 2148	1828	WeChatAppEx.exe	34
PID 1828 wrote to memory of 2148	1828	WeChatAppEx.exe	34
PID 1828 wrote to memory of 2148	1828	WeChatAppEx.exe	34
PID 1828 wrote to memory of 2152	1828	WeChatAppEx.exe	35
PID 1828 wrote to memory of 2152	1828	WeChatAppEx.exe	35
PID 1828 wrote to memory of 2152	1828	WeChatAppEx.exe	35
PID 1828 wrote to memory of 2152	1828	WeChatAppEx.exe	35
PID 1828 wrote to memory of 2152	1828	WeChatAppEx.exe	35
PID 1828 wrote to memory of 2152	1828	WeChatAppEx.exe	35
PID 1828 wrote to memory of 2152	1828	WeChatAppEx.exe	35
PID 1828 wrote to memory of 2152	1828	WeChatAppEx.exe	35
PID 1828 wrote to memory of 2152	1828	WeChatAppEx.exe	35
PID 1828 wrote to memory of 2152	1828	WeChatAppEx.exe	35
PID 1828 wrote to memory of 2152	1828	WeChatAppEx.exe	35
PID 1828 wrote to memory of 2152	1828	WeChatAppEx.exe	35
PID 1828 wrote to memory of 2152	1828	WeChatAppEx.exe	35
PID 1828 wrote to memory of 2152	1828	WeChatAppEx.exe	35
PID 1828 wrote to memory of 2152	1828	WeChatAppEx.exe	35
PID 1828 wrote to memory of 2152	1828	WeChatAppEx.exe	35
PID 1828 wrote to memory of 2152	1828	WeChatAppEx.exe	35
PID 1828 wrote to memory of 2152	1828	WeChatAppEx.exe	35
PID 1828 wrote to memory of 2152	1828	WeChatAppEx.exe	35
PID 1828 wrote to memory of 2152	1828	WeChatAppEx.exe	35
PID 1828 wrote to memory of 2152	1828	WeChatAppEx.exe	35

C:\Users\Admin\AppData\Local\Temp\WeChat.exe
"C:\Users\Admin\AppData\Local\Temp\WeChat.exe"
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Loads dropped DLL
- Enumerates system info in registry
- Modifies registry class
- Modifies system certificate store
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2028
- C:\Users\Admin\AppData\Local\Temp\[3.9.11.19]\mmcrashpad_handler64.exe
  C:\Users\Admin\AppData\Local\Temp\[3.9.11.19]\mmcrashpad_handler64.exe --no-rate-limit --database=C:\Users\Admin\AppData\Roaming\Tencent\WeChat\crash --annotation=crash_notify=1 "--annotation=ext_info={\"app_call_name\":\"微信\",\"app_name\":\"WechatWindows\",\"app_path\":\"C:\\Users\\Admin\\AppData\\Local\\Temp\\WeChat.exe\",\"dwbuild\":\"19\",\"log_path\":\"C:\\Users\\Admin\\AppData\\Roaming\\Tencent\\WeChat\\crash\",\"major_ver\":\"3\",\"minor_ver\":\"2\",\"module_name\":\"Wechat_Windows\",\"modules_dir\":\"C:\\Users\\Admin\\AppData\\Local\\Temp\\[3.9.11.19]\",\"product\":\"WECHAT\",\"report_type\":\"9999\",\"restart_app_cmd\":\"\",\"upload_choice\":\"3\",\"version\":\"1661537043\"}" --annotation=log_path=C:\Users\Admin\AppData\Roaming\Tencent\WeChat\crash --annotation=product=WECHAT --initial-client-data=0x2f4,0x2f8,0x2fc,0x300,0x2ec,0x308,0x7fef73ae3f8,0x7fef73ae438,0x7fef73ae468
  2⤵
  PID:2968
- C:\Users\Admin\AppData\Roaming\Tencent\WeChat\XPlugin\Plugins\RadiumWMPF\9129\extracted\runtime\WeChatAppEx.exe
  "C:\Users\Admin\AppData\Roaming\Tencent\WeChat\XPlugin\Plugins\RadiumWMPF\9129\extracted\runtime\WeChatAppEx.exe" --log-level=2 --helper-handle-value=584830444 --wechat-files-path="C:\Users\Admin\Documents\WeChat Files\\" --product-id=1000 --wechat-sub-user-agent="MicroMessenger/7.0.20.1781(0x6700143B) WindowsWechat(0x63090b13)" --wmpf_extra_config="{ \"reportId\":-1, \"version\":9129 }" --web-translate --client_version=1661537043 --mojo-platform-channel-handle=2524
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Checks processor information in registry
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1828
- - C:\Users\Admin\AppData\Roaming\Tencent\WeChat\XPlugin\Plugins\RadiumWMPF\9129\extracted\runtime\WechatAppEx.exe
    C:\Users\Admin\AppData\Roaming\Tencent\WeChat\XPlugin\Plugins\RadiumWMPF\9129\extracted\runtime\WechatAppEx.exe --type=crashpad-handler --no-rate-limit --database=C:\Users\Admin\AppData\Roaming\Tencent\WeChat\radium\web\crash --annotation=crash_notify=0 "--annotation=ext_info={\"app_call_name\":\"\",\"app_path\":\"\",\"ext_param1\":\"2.1.1.9129\",\"log_path\":\"C:\\Users\\Admin\\AppData\\Roaming\\Tencent\\WeChat\\radium\\web\\crash\",\"module_name\":\"XWeb_Windows\",\"modules_dir\":\"C:\\Users\\Admin\\AppData\\Roaming\\Tencent\\WeChat\\XPlugin\\Plugins\\RadiumWMPF\\9129\\extracted\\runtime\",\"product\":\"browser\",\"report_type\":\"9999\",\"restart_app_cmd\":\"\",\"upload_choice\":\"1\",\"version\":\"1661537043\"}" --annotation=log_path=C:\Users\Admin\AppData\Roaming\Tencent\WeChat\radium\web\crash --annotation=product=browser --initial-client-data=0x3b8,0x3bc,0x3c0,0x3c4,0x3b4,0x3c8,0x14aa661d8,0x14aa66218,0x14aa66248
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Checks processor information in registry
    PID:2780
- - C:\Users\Admin\AppData\Roaming\Tencent\WeChat\XPlugin\Plugins\RadiumWMPF\9129\extracted\runtime\WeChatAppEx.exe
    "C:\Users\Admin\AppData\Roaming\Tencent\WeChat\XPlugin\Plugins\RadiumWMPF\9129\extracted\runtime\WeChatAppEx.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=zh-CN --service-sandbox-type=none --ignore-certificate-errors --log-level=2 --ignore-certificate-errors --client_version=1661537043 --product-id=1000 --log-level=2 --disable-mojo-broker --mojo-platform-channel-handle=1296 --field-trial-handle=1672,i,17381621325138828458,9820666737786862886,262144 --enable-features=NetworkServiceMemoryCache,OverlayScrollbar,WebPredictor,WinSboxAllowSystemFonts,XWorker --disable-features=AudioServiceOutOfProcess,AutoupgradeMixedContent,BackForwardCache,DigitalGoodsApi,NotificationTriggers,PeriodicBackgroundSync,Portals,TFLiteLanguageDetectionEnabled,Vulkan,WebOTP /prefetch:8
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Checks processor information in registry
    PID:1836
- - C:\Users\Admin\AppData\Roaming\Tencent\WeChat\XPlugin\Plugins\RadiumWMPF\9129\extracted\runtime\WeChatAppEx.exe
    "C:\Users\Admin\AppData\Roaming\Tencent\WeChat\XPlugin\Plugins\RadiumWMPF\9129\extracted\runtime\WeChatAppEx.exe" --type=gpu-process --log-level=2 --client_version=1661537043 --product-id=1000 --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAAAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --log-level=2 --disable-mojo-broker --mojo-platform-channel-handle=1692 --field-trial-handle=1672,i,17381621325138828458,9820666737786862886,262144 --enable-features=NetworkServiceMemoryCache,OverlayScrollbar,WebPredictor,WinSboxAllowSystemFonts,XWorker --disable-features=AudioServiceOutOfProcess,AutoupgradeMixedContent,BackForwardCache,DigitalGoodsApi,NotificationTriggers,PeriodicBackgroundSync,Portals,TFLiteLanguageDetectionEnabled,Vulkan,WebOTP /prefetch:2
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Checks processor information in registry
    PID:2148
- - C:\Users\Admin\AppData\Roaming\Tencent\WeChat\XPlugin\Plugins\RadiumWMPF\9129\extracted\runtime\WeChatAppEx.exe
    "C:\Users\Admin\AppData\Roaming\Tencent\WeChat\XPlugin\Plugins\RadiumWMPF\9129\extracted\runtime\WeChatAppEx.exe" --type=gpu-process --log-level=2 --client_version=1661537043 --product-id=1000 --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAAAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --use-gl=angle --use-angle=swiftshader-webgl --log-level=2 --disable-mojo-broker --mojo-platform-channel-handle=1736 --field-trial-handle=1672,i,17381621325138828458,9820666737786862886,262144 --enable-features=NetworkServiceMemoryCache,OverlayScrollbar,WebPredictor,WinSboxAllowSystemFonts,XWorker --disable-features=AudioServiceOutOfProcess,AutoupgradeMixedContent,BackForwardCache,DigitalGoodsApi,NotificationTriggers,PeriodicBackgroundSync,Portals,TFLiteLanguageDetectionEnabled,Vulkan,WebOTP /prefetch:2
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Checks processor information in registry
    PID:2152

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Subvert Trust Controls

T1553

Install Root Certificate

T1553.004

Virtualization/Sandbox Evasion

T1497

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Virtualization/Sandbox Evasion

T1497

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\698460A0B6E60F2F602361424D832905_8BB23D43DE574E82F2BEE0DF0EC47EEB

Filesize
471B

MD5
20782d2c8ec7aabb58a7ecfefc9c5d54

SHA1
951c438b3aadb19a52e3cbf4777228862a5b583d

SHA256
bf0c61e25f434bc08be2a0a559d2be3fcc79613a1f1e03e13b26ab69e03ba076

SHA512
6e11c3aac7705e6e9a6f14af6d5a72352d53725b83f0cfaa5426baeae720b3caaa7df782a5754819a3b664cd05fbd662c749f2fb25d46d9d022fd161d2d487ca

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\8EC9B1D0ABBD7F98B401D425828828CE_837D0571916000821A35A6BC6DEA7DBF

Filesize
727B

MD5
8af0d784bc7b326408b525b00279bf7b

SHA1
0e237649ce35369f61b8884c441e33eb3a2ed694

SHA256
c93019d576d2e4449d5fc34c931da70c3b1535fbe69fce892267f2f85c857b25

SHA512
e1e0ee9b5031ad2a8fd031c5aabc3ee1611ac04e5c26b6e38d856a33ebc57fa22341c63ee01810e77f6a34a13929a11d4f87b0baccee55912cb80e381ac27f54

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\C8E534EE129F27D55460CE17FD628216_1130D9B25898B0DB0D4F04DC5B93F141

Filesize
727B

MD5
f25d7a8f1e6007e05df6b34bc8b89fa4

SHA1
f4e02d2aed168a9e80ac9851be92f707fabfa6fb

SHA256
55f37c481e375f028c6d4c393e106352f86b5770e7d4b52524dd944e03d6ac12

SHA512
bbfd02becb563730712b10efeb3916a2a92d29c408682cff9dc5d9b7c58f787ab47ec2e9d314a7f8808d165bc969bdc2f01333c5822e555d88a0c833567fc81c

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\698460A0B6E60F2F602361424D832905_8BB23D43DE574E82F2BEE0DF0EC47EEB

Filesize
400B

MD5
293f90ddc0cf2d3b7dc5e75dddf2127f

SHA1
63d365f5161b7f0cbaf6c1829198de7301177345

SHA256
74eefde1147814b1a843b9980a7b89b2a687bd525b7b129080c249ee182ca7ae

SHA512
202acea09e0499a835aeebc06a43da20223c59798a2ac81963862045d0f50958bd08e6d3834d4fbc75d2773f9f6b907177425f70d97a399d2d6b04c3145343bc

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\8EC9B1D0ABBD7F98B401D425828828CE_837D0571916000821A35A6BC6DEA7DBF

Filesize
404B

MD5
982b55b12a2c671ffd1075260200a7db

SHA1
332044408e7181fa123d76c367190c0bab45223b

SHA256
ce9ef6765650e2bee096a16fa29a188ad67eac07510ec4a01f63105a2f55bd21

SHA512
11c8e28a8cddf45c0b81206ea7032580985e558273b6ef618d22d9ace062cce5f7c233c43a646bca68377e452ab6799f69486d39832a72395575d6ab1504cff3

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
2ff90b3bf60f5e36586031cc6b0d310d

SHA1
9b65ee0d1cb3605e22ad7d39f9234989850284ba

SHA256
53b4db7a291c4cf8ee26b299ab0d2e11fcecec6c36e819b51523be8886c9fd7b

SHA512
6a4b017234e7fc9f0a5f6c9ba6cea086c34d0ffc4a6c583de8ab5106f35e33375ffc892ee30df97120a1ec2199df56a0025f8a2d25976bcd22d3fa2f34becd27

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
d7df4b07ab02a039c1a4cb242fd84be8

SHA1
740f3a0a07ea308aae0f9ac43afb29c861410d0c

SHA256
9d96f8cecdd1ec45cf518ad0992bfed1b74ab90ca5b70a075e851b27f885a270

SHA512
486af8c87caa77864a51bdbf9da79b7bc93c655749cc6151a924733b9a78f67a8e7d17f12082d291fc44e0e118e51cf65deb5b887bf9ca20b8eb4fb3bb411a47

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
cc6a6a0f1ad02d046264cf27a06357e2

SHA1
252c63672295f8649948b87693c06bff8c2f7d3d

SHA256
3bbaa0170d1a504b6e457ff8b8d0de576477f52e2b0e942d4ad8e807e676afe4

SHA512
280b6fc86a6453f94dde73b9bbdc3d5d63217f21ea27460b255850e55baf69a878b6dc6b587ed58a440ee70876e795fcd9d75ba3ff58a605bf31340150f8e5d6

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
7cc0f9217c8722e30cd47e807ebe5fed

SHA1
149ae66604ee01122c281ac6623efc4602f0d695

SHA256
c28a6f0f97d1f14f55b7853992ba204b3c07d219076f521523fdecf96a18c29c

SHA512
4f252b5dfe5a93038b360b66bf87ec193ecf563cb83f4262975276dfe6f4151010bd8bf762ea7877f404b2f29cb8b1c5192e3865963ed61dcf11645fa48b533e

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\C8E534EE129F27D55460CE17FD628216_1130D9B25898B0DB0D4F04DC5B93F141

Filesize
412B

MD5
22dcba72d128e2dd991c3ae0a4e631bc

SHA1
c2f776c03f73cf7fcc491145220708c1c07c1d45

SHA256
b0f8aeed8b058db21905aa467c5ce78816b7537bcab15adb71aff7b54f7c674a

SHA512
4a20cdb277cd17dad8cba04112772074ac72b5a56a6a53f171a98c280e38d06acfd02bec67467fe7587e2b6ca61c0c5b6faaa9f7936560cf98e6770c347224c0

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab585F.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar61B5.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
C:\Users\Admin\AppData\Roaming\Tencent\WeChat\XPlugin\Plugins\RadiumWMPF\9129\extracted\runtime\icudtl.dat

Filesize
10.1MB

MD5
62880b7d351a9f547b62b8da6c97ce25

SHA1
057f11003013cfb3f1c63e6bdd4f2f9949ff0104

SHA256
7c40c811d30d459dbf04a04c141b60eb4247cd58a008fb836605317df665748f

SHA512
0d6f83175a91d90f4cc3ec4d9071b7acd0cd8ebbcc592322e46fde2adb7198e035af62c45a11a622f2a908e26d4dd8b8d1af023e634a74d0824d02c791ba3c1a

Download Submit
C:\Users\Admin\AppData\Roaming\Tencent\WeChat\XPlugin\Plugins\RadiumWMPF\9129\extracted\runtime\locales\zh-CN.pak

Filesize
179KB

MD5
e91e56b3e5f7e4faf023cb60cf23f42c

SHA1
42a6b324620e13168567c5fcde3d3c06abbc11ec

SHA256
4f8420e5e9ccc7800d7b308809594afcb3a78494faf9a6a6f41fefac8106684a

SHA512
5e0491b8ffe6e4181f44a74958bbeeeaea948da9a1c4d849261c1051fecfad83a25e9973499be087c0d83085e3650ba9eca064b0cc9de5ecdbe15f98410273d3

Download Submit
C:\Users\Admin\AppData\Roaming\Tencent\WeChat\XPlugin\Plugins\RadiumWMPF\9129\extracted\runtime\v8_context_snapshot.bin

Filesize
582KB

MD5
7de432e3cef399a79cc2a6a30415d5c0

SHA1
88b7792bbfbef3c64cd8a155875348279faddfa6

SHA256
25851c7b84d6a7f4a723e9a5d9ad6d7bcebe3d2205416127f183ead6a1431582

SHA512
f8a6c84903e8369e781761a417a45c67be9b5f3e28007c7ea80b487ed9fbf15b095d7eff274eb800dfe112af5cc957f06df254bcf6d0fb5da39dca083931ce79

Download Submit
C:\Users\Admin\AppData\Roaming\Tencent\WeChat\XPlugin\Plugins\RadiumWMPF\9129\extracted\runtime\wmpf_100_percent.pak

Filesize
1.3MB

MD5
39c5cec8fd9f3ef620c4d35770ce2d24

SHA1
ade3245d10f3d2f826035a97bc835a2f9078770a

SHA256
9ebda78dd4a6b6c5f10942f1a9fba39a947fa70ef5d7e10ab0821f5427f89c26

SHA512
5e603ed71c9b9e94372df1a06be669bde814838a8ee602f93600ec80cfa75d2fb4bb90faa979708c4b3c18a05ccd8e139b7ad7a7dbc85ee2a0fa5e0c108b44d1

Download Submit
C:\Users\Admin\AppData\Roaming\Tencent\WeChat\XPlugin\Plugins\RadiumWMPF\9129\extracted\runtime\wmpf_200_percent.pak

Filesize
1.5MB

MD5
c62d68860fbd3caeb667dcde7b0aee43

SHA1
3792283f559af312541a761e3ec4dd55a93f9c7a

SHA256
ae7b81add4db941522de8d64ad245d1ef44f265ff5e09c98c4beec0712c53ad1

SHA512
9cc0ad9a1cb6d7f4e060299b2185e0878ba0e3021649cdc5790851a995456fb9d465a453823e14847b240df64cf80e87ae8e7b8e563184dfbb6c9b73030c7f0f

Download Submit
C:\Users\Admin\AppData\Roaming\Tencent\WeChat\XPlugin\Plugins\RadiumWMPF\9129\extracted\runtime\wmpf_resources.pak

Filesize
15.3MB

MD5
bfe5ec4f37be87078b25ec493556cb59

SHA1
067808488460373098f034e6e12c9c6518c296d5

SHA256
71da4e340d3d6036d7dce94b0a797aab05eae8f840852cd7e94c5e742abb3513

SHA512
a72b3ef7f4c648338b04a30b3106b81ab2a1c621e316d9312c85795899ee8a1e77e19cb91c911b4b8ae3beb543c33033744dcd9c95c861192fa70703004131b9

Download Submit
C:\Users\Admin\AppData\Roaming\Tencent\WeChat\XPlugin\Plugins\RadiumWMPF\9129\extracted\runtime\xweb_elf.dll

Filesize
1.3MB

MD5
ae0d7f602b0f65b444012b68a3efbace

SHA1
f264e0878fbd60eb3df79151fc44a0fe7e2bef10

SHA256
240b4f3823f24dcd8bd212cbbbf0391f8bbb9fe215f2d83f4122d5251bce8167

SHA512
238db671124621b009bf1979e81bcfdf6cdb8a43a28ade1699a5182c8632f05f485c1f358fda0eb1815dd54b5b99d3fe432eb04b9d0ca94bb3ebe29f0046b48d

Download Submit
C:\Users\Admin\AppData\Roaming\Tencent\WeChat\crash\settings.dat

Filesize
40B

MD5
69c1590003e858bf460fb2b22ef398bc

SHA1
6e9333bf33ef5755f7d43f7ad6bca5697e2ffb00

SHA256
0f2f58fae7775b771d646c6f4556558c621fa634efac7a49ca5f589c4b426eb9

SHA512
7644661418312e934b1abe9e39b666d6c53f10f64897a8dee683fcc61cc1ea647ffa483e4f8569cc1c3f5d00bd5d638b03ea4ec2190be3306c7cafc91df9e962

Download Submit
C:\Users\Admin\AppData\Roaming\Tencent\WeChat\log\MM_20240710.xlog

Filesize
54KB

MD5
737e7f3ee0bbfd40ccf7ff77e0e1ac8d

SHA1
7afee296b4a73f201936a8ff47eddaf4a460dadc

SHA256
abe758a38134a1eed64d067d6386f4c65f7362a654570a3aab66c697b3a42a59

SHA512
f49a899a45bac594a6d342cb317517e515c81c29a1180a1040623b0b2069199c85a5d8242dab5eacc5ce76e1150d2cdc5fd884c30a18008246f513a2a1b735cf

Download Submit
\Users\Admin\AppData\Roaming\Tencent\WeChat\XPlugin\Plugins\RadiumWMPF\9129\extracted\host\wmpf_host_export_x64.dll

Filesize
2.2MB

MD5
b40939c7bc8aee66e769270fd95098c7

SHA1
89561e56c2e8e675ff91f855a4932e77a01a0dc7

SHA256
b1d14f9ef577e623a86a526243bed3b2cc6ef6beaeb9f9b5f4f892c4c26f624f

SHA512
7e8623757ff22908502605aecc8ec14c5398983a0ddadb724724be68652d0b11c7263e543e34bb5eaa68b5604934ab7baeff7042f5292546669527cef57a6e10

Download Submit
\Users\Admin\AppData\Roaming\Tencent\WeChat\XPlugin\Plugins\RadiumWMPF\9129\extracted\runtime\ComponentVerification.dll

Filesize
177KB

MD5
0d75a290e23672b0cacb6765fe7d5bbf

SHA1
a3c2bc04dfda36c307872fd6479786aba743d4eb

SHA256
e8930e3fbc53804235e429311b708b09d0865017ca38af8b976cc02bf9fd2e9c

SHA512
b05c85a4f73f17d677fbadd6dba0b9c111aa366eebe68f64b6d6c7f1e4b532c4ae45365d2076feba4368726a996159663e31536b0dd6b5df8939fc7412a19bc4

Download Submit
\Users\Admin\AppData\Roaming\Tencent\WeChat\XPlugin\Plugins\RadiumWMPF\9129\extracted\runtime\WXAMSDK.dll

Filesize
10.5MB

MD5
cf7010a4e2bdf8d5edda4f8e262d0376

SHA1
ea9e3e65492b952570d0e2b283520b950c60f4dc

SHA256
7298dc73774caf86ce1dea83570414ff0fe6156854119c6f286d248fb49dc04e

SHA512
0962bb107c83cd5bc6f67e63c5eb9aef2192c11bb1494efe056153e3aa1c934f7a6f681f88fd378af626bd6173aea6a68790fcb1d6e9330ab45b323a41d9f0f4

Download Submit
\Users\Admin\AppData\Roaming\Tencent\WeChat\XPlugin\Plugins\RadiumWMPF\9129\extracted\runtime\d3dcompiler_47.dll

Filesize
4.7MB

MD5
a7b7470c347f84365ffe1b2072b4f95c

SHA1
57a96f6fb326ba65b7f7016242132b3f9464c7a3

SHA256
af7b99be1b8770c0e4d18e43b04e81d11bdeb667fa6b07ade7a88f4c5676bf9a

SHA512
83391a219631f750499fd9642d59ec80fb377c378997b302d10762e83325551bb97c1086b181fff0521b1ca933e518eab71a44a3578a23691f215ebb1dce463d

Download Submit
\Users\Admin\AppData\Roaming\Tencent\WeChat\XPlugin\Plugins\RadiumWMPF\9129\extracted\runtime\ffmpeg.dll

Filesize
2.8MB

MD5
58f020c5255c67b2a5bbc7b26040cbbd

SHA1
b8745dc4fd62d3f5dde72579ead044a8a15885f2

SHA256
2408e9f4393e8eb1fc086c37d2819fb45d51605a1fe889c7685a2d8e87e25096

SHA512
4e719c51d68b49abbc4c49edefb67faa734a04eb256527a533bbdbcaa3ddd7e926ed6ccbd3d1de2e863b937b65b9cde846db39409e1bcec30cb96a846e721ecd

Download Submit
\Users\Admin\AppData\Roaming\Tencent\WeChat\XPlugin\Plugins\RadiumWMPF\9129\extracted\runtime\ilink2.dll

Filesize
6.2MB

MD5
fc282b9c0aa206bf34da78b1b049007a

SHA1
a1a531a716176a653122f4d11cd1d8481fe1462e

SHA256
d7a5d0dd4e90e649bd99a906b7dfa77dc97bd71966e37f4b4e9cbdec8e94ee02

SHA512
19cb2f8e4e0532eed8dc868a2a45581d299069526197b61d4b30a03e3a3013bad7d29a710e714080287c62228399c4e6f9413ca0094c3ee794a6ffd15218fcda

Download Submit
\Users\Admin\AppData\Roaming\Tencent\WeChat\XPlugin\Plugins\RadiumWMPF\9129\extracted\runtime\libEGL.dll

Filesize
477KB

MD5
e381309379d235116340a16c2cc745fa

SHA1
13624426770cf860b4c6ade31525c33e72fbbb55

SHA256
d21952a8255f306f2bfc31e6da452ac1e4714ba76bd0384491ac72a9d84fc871

SHA512
08fe7be13f4e5054f4e8b4067a1231e68618a18866115623a4cc407c098b6c547cff86f6d07445d91f5a3b5ff9cc02e499b124f02e4135cfbc5da9cfc7c8a13f

Download Submit
\Users\Admin\AppData\Roaming\Tencent\WeChat\XPlugin\Plugins\RadiumWMPF\9129\extracted\runtime\libGLESv2.dll

Filesize
7.1MB

MD5
29a0349ac0c14b5ef70bc1ddfb61321b

SHA1
c7d0bd7b74cbe2a3740d55a76eb35569a87e9cae

SHA256
c80543ccc5d7f2561ad2fff83eb08887c6ecb654eb3c49e449237f5b610378a4

SHA512
c802e88ed2a6a135d9ffa1231593e68588488942f6b7665157a88b0f459fba89c824f557418535016493e69ca12fc3c2f7e643468f24adcc7586624eb26373e3

Download Submit
\Users\Admin\AppData\Roaming\Tencent\WeChat\XPlugin\Plugins\RadiumWMPF\9129\extracted\runtime\owl.dll

Filesize
1.1MB

MD5
cf6121452909699caefff77cd0086cf9

SHA1
a52ff34376b860d1e408962774129971c431e8da

SHA256
2c48d500c518f8ba751754228d406212141c22192d23c8a6d424fcf552cf696d

SHA512
07824e2ba2b99fa70cb98bc9b7a7b856e4900da965b73fde5f7048c74027687cae6d4137ed1dc08e9fdf2adb884b9763822aa06b694f2cd9e4842cd4529b1a5c

Download Submit
memory/1828-227-0x000007FEBD960000-0x000007FEBD970000-memory.dmp

Filesize
64KB

Download
memory/2148-297-0x0000000000860000-0x0000000000861000-memory.dmp

Filesize
4KB

Download