243f3743b7c0353104dffd185aa6d754407e7b31c3840e30fdc5ec66d7f1c11b

Analysis

max time kernel
149s
max time network
136s
platform
windows10-2004_x64
resource
win10v2004-20240709-en
resource tags

arch:x64arch:x86image:win10v2004-20240709-enlocale:en-usos:windows10-2004-x64system
submitted
10/07/2024, 05:35

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

WeChat.exe
Size

644KB
MD5

c608dfa29a249753b38ebad45f52cc68
SHA1

f7aacf4caf435dc3be1a40bb96019175d95567d8
SHA256

d6521203a3641f9606f146f4fc763be5b87fa058915c2eca0a7474c9d76b6ba7
SHA512

9f3107b14ecb5a0d233cf656577d7ba2776c8a9b3cb0448d295a9fe6733eec69b85b91bf1a60863e21634a72ae173f1030635285e13da14f343d318c134d1b4e
SSDEEP

6144:mQyk1xZBq65kzLy9tEoEtKE0raGrm+BhK629PRwY+:mQy2Zo65kzLy92oIt0rrXIk9

Score

9^/10

evasion

Malware Config

Signatures

Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 1 IoCs

evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	WeChat.exe

Checks BIOS information in registry 2 TTPs 1 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	WeChat.exe

Executes dropped EXE 5 IoCs

pid	Process
1692	WeChatAppEx.exe
1044	WechatAppEx.exe
1892	WeChatAppEx.exe
2480	WeChatAppEx.exe
4368	WeChatAppEx.exe

Loads dropped DLL 36 IoCs

pid	Process
1816	WeChat.exe
1692	WeChatAppEx.exe
1692	WeChatAppEx.exe
1692	WeChatAppEx.exe
1692	WeChatAppEx.exe
1692	WeChatAppEx.exe
1692	WeChatAppEx.exe
1044	WechatAppEx.exe
1044	WechatAppEx.exe
1044	WechatAppEx.exe
1044	WechatAppEx.exe
1044	WechatAppEx.exe
1044	WechatAppEx.exe
1892	WeChatAppEx.exe
1892	WeChatAppEx.exe
1892	WeChatAppEx.exe
1892	WeChatAppEx.exe
1892	WeChatAppEx.exe
1892	WeChatAppEx.exe
2480	WeChatAppEx.exe
2480	WeChatAppEx.exe
2480	WeChatAppEx.exe
2480	WeChatAppEx.exe
2480	WeChatAppEx.exe
2480	WeChatAppEx.exe
2480	WeChatAppEx.exe
2480	WeChatAppEx.exe
2480	WeChatAppEx.exe
2480	WeChatAppEx.exe
4368	WeChatAppEx.exe
4368	WeChatAppEx.exe
4368	WeChatAppEx.exe
4368	WeChatAppEx.exe
4368	WeChatAppEx.exe
4368	WeChatAppEx.exe
4368	WeChatAppEx.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks processor information in registry 2 TTPs 10 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	WeChatAppEx.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	WeChatAppEx.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	WeChatAppEx.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	WechatAppEx.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	WeChatAppEx.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	WeChatAppEx.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	WeChatAppEx.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	WechatAppEx.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	WeChatAppEx.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	WeChatAppEx.exe

Enumerates system info in registry 2 TTPs 4 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\BaseBoardProduct	WeChat.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	WeChat.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	WeChat.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\BaseBoardManufacturer	WeChat.exe

Modifies registry class 9 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2650514177-1034912467-4025611726-1000_Classes\weixin\shell\open\command\ = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\WeChat.exe\" \"%1\""	WeChat.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2650514177-1034912467-4025611726-1000_Classes\weixin\ = "weixinProtocol"	WeChat.exe
Key created	\REGISTRY\USER\S-1-5-21-2650514177-1034912467-4025611726-1000_Classes\weixin	WeChat.exe
Key created	\REGISTRY\USER\S-1-5-21-2650514177-1034912467-4025611726-1000_Classes\weixin\shell	WeChat.exe
Key created	\REGISTRY\USER\S-1-5-21-2650514177-1034912467-4025611726-1000_Classes\weixin\shell\open	WeChat.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2650514177-1034912467-4025611726-1000_Classes\weixin\URL Protocol = "weixinProtocol"	WeChat.exe
Key created	\REGISTRY\USER\S-1-5-21-2650514177-1034912467-4025611726-1000_Classes\weixin\DefaultIcon	WeChat.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2650514177-1034912467-4025611726-1000_Classes\weixin\DefaultIcon\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\WeChat.exe,1"	WeChat.exe
Key created	\REGISTRY\USER\S-1-5-21-2650514177-1034912467-4025611726-1000_Classes\weixin\shell\open\command	WeChat.exe

Suspicious behavior: EnumeratesProcesses 10 IoCs

pid	Process
1816	WeChat.exe
1816	WeChat.exe
1692	WeChatAppEx.exe
1692	WeChatAppEx.exe
1816	WeChat.exe
1816	WeChat.exe
1816	WeChat.exe
4368	WeChatAppEx.exe
4368	WeChatAppEx.exe
1816	WeChat.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	1692	WeChatAppEx.exe
Token: SeCreatePagefilePrivilege	1692	WeChatAppEx.exe
Token: SeShutdownPrivilege	1692	WeChatAppEx.exe
Token: SeCreatePagefilePrivilege	1692	WeChatAppEx.exe
Token: SeShutdownPrivilege	1692	WeChatAppEx.exe
Token: SeCreatePagefilePrivilege	1692	WeChatAppEx.exe
Token: SeShutdownPrivilege	1692	WeChatAppEx.exe
Token: SeCreatePagefilePrivilege	1692	WeChatAppEx.exe
Token: SeShutdownPrivilege	1692	WeChatAppEx.exe
Token: SeCreatePagefilePrivilege	1692	WeChatAppEx.exe
Token: SeShutdownPrivilege	1692	WeChatAppEx.exe
Token: SeCreatePagefilePrivilege	1692	WeChatAppEx.exe
Token: SeShutdownPrivilege	1692	WeChatAppEx.exe
Token: SeCreatePagefilePrivilege	1692	WeChatAppEx.exe
Token: SeShutdownPrivilege	1692	WeChatAppEx.exe
Token: SeCreatePagefilePrivilege	1692	WeChatAppEx.exe
Token: SeShutdownPrivilege	1692	WeChatAppEx.exe
Token: SeCreatePagefilePrivilege	1692	WeChatAppEx.exe
Token: SeShutdownPrivilege	1692	WeChatAppEx.exe
Token: SeCreatePagefilePrivilege	1692	WeChatAppEx.exe
Token: SeShutdownPrivilege	1692	WeChatAppEx.exe
Token: SeCreatePagefilePrivilege	1692	WeChatAppEx.exe
Token: SeShutdownPrivilege	1692	WeChatAppEx.exe
Token: SeCreatePagefilePrivilege	1692	WeChatAppEx.exe
Token: SeShutdownPrivilege	1692	WeChatAppEx.exe
Token: SeCreatePagefilePrivilege	1692	WeChatAppEx.exe
Token: SeShutdownPrivilege	1692	WeChatAppEx.exe
Token: SeCreatePagefilePrivilege	1692	WeChatAppEx.exe
Token: SeShutdownPrivilege	1692	WeChatAppEx.exe
Token: SeCreatePagefilePrivilege	1692	WeChatAppEx.exe
Token: SeShutdownPrivilege	1692	WeChatAppEx.exe
Token: SeCreatePagefilePrivilege	1692	WeChatAppEx.exe
Token: SeShutdownPrivilege	1692	WeChatAppEx.exe
Token: SeCreatePagefilePrivilege	1692	WeChatAppEx.exe
Token: SeShutdownPrivilege	1692	WeChatAppEx.exe
Token: SeCreatePagefilePrivilege	1692	WeChatAppEx.exe
Token: SeShutdownPrivilege	1692	WeChatAppEx.exe
Token: SeCreatePagefilePrivilege	1692	WeChatAppEx.exe
Token: SeShutdownPrivilege	1692	WeChatAppEx.exe
Token: SeCreatePagefilePrivilege	1692	WeChatAppEx.exe
Token: SeShutdownPrivilege	1692	WeChatAppEx.exe
Token: SeCreatePagefilePrivilege	1692	WeChatAppEx.exe
Token: SeShutdownPrivilege	1692	WeChatAppEx.exe
Token: SeCreatePagefilePrivilege	1692	WeChatAppEx.exe
Token: SeShutdownPrivilege	1692	WeChatAppEx.exe
Token: SeCreatePagefilePrivilege	1692	WeChatAppEx.exe
Token: SeShutdownPrivilege	1692	WeChatAppEx.exe
Token: SeCreatePagefilePrivilege	1692	WeChatAppEx.exe
Token: SeShutdownPrivilege	1692	WeChatAppEx.exe
Token: SeCreatePagefilePrivilege	1692	WeChatAppEx.exe
Token: SeShutdownPrivilege	1692	WeChatAppEx.exe
Token: SeCreatePagefilePrivilege	1692	WeChatAppEx.exe
Token: SeShutdownPrivilege	1692	WeChatAppEx.exe
Token: SeCreatePagefilePrivilege	1692	WeChatAppEx.exe
Token: SeShutdownPrivilege	1692	WeChatAppEx.exe
Token: SeCreatePagefilePrivilege	1692	WeChatAppEx.exe
Token: SeShutdownPrivilege	1692	WeChatAppEx.exe
Token: SeCreatePagefilePrivilege	1692	WeChatAppEx.exe
Token: SeShutdownPrivilege	1692	WeChatAppEx.exe
Token: SeCreatePagefilePrivilege	1692	WeChatAppEx.exe
Token: SeShutdownPrivilege	1692	WeChatAppEx.exe
Token: SeCreatePagefilePrivilege	1692	WeChatAppEx.exe
Token: SeShutdownPrivilege	1692	WeChatAppEx.exe
Token: SeCreatePagefilePrivilege	1692	WeChatAppEx.exe

Suspicious use of WriteProcessMemory 40 IoCs

description	pid	Process	procid_target
PID 1816 wrote to memory of 3936	1816	WeChat.exe	82
PID 1816 wrote to memory of 3936	1816	WeChat.exe	82
PID 1816 wrote to memory of 1692	1816	WeChat.exe	86
PID 1816 wrote to memory of 1692	1816	WeChat.exe	86
PID 1692 wrote to memory of 1044	1692	WeChatAppEx.exe	87
PID 1692 wrote to memory of 1044	1692	WeChatAppEx.exe	87
PID 1692 wrote to memory of 1892	1692	WeChatAppEx.exe	88
PID 1692 wrote to memory of 1892	1692	WeChatAppEx.exe	88
PID 1692 wrote to memory of 2480	1692	WeChatAppEx.exe	89
PID 1692 wrote to memory of 2480	1692	WeChatAppEx.exe	89
PID 1692 wrote to memory of 2480	1692	WeChatAppEx.exe	89
PID 1692 wrote to memory of 2480	1692	WeChatAppEx.exe	89
PID 1692 wrote to memory of 2480	1692	WeChatAppEx.exe	89
PID 1692 wrote to memory of 2480	1692	WeChatAppEx.exe	89
PID 1692 wrote to memory of 2480	1692	WeChatAppEx.exe	89
PID 1692 wrote to memory of 2480	1692	WeChatAppEx.exe	89
PID 1692 wrote to memory of 2480	1692	WeChatAppEx.exe	89
PID 1692 wrote to memory of 2480	1692	WeChatAppEx.exe	89
PID 1692 wrote to memory of 2480	1692	WeChatAppEx.exe	89
PID 1692 wrote to memory of 2480	1692	WeChatAppEx.exe	89
PID 1692 wrote to memory of 2480	1692	WeChatAppEx.exe	89
PID 1692 wrote to memory of 2480	1692	WeChatAppEx.exe	89
PID 1692 wrote to memory of 2480	1692	WeChatAppEx.exe	89
PID 1692 wrote to memory of 2480	1692	WeChatAppEx.exe	89
PID 1692 wrote to memory of 2480	1692	WeChatAppEx.exe	89
PID 1692 wrote to memory of 2480	1692	WeChatAppEx.exe	89
PID 1692 wrote to memory of 2480	1692	WeChatAppEx.exe	89
PID 1692 wrote to memory of 2480	1692	WeChatAppEx.exe	89
PID 1692 wrote to memory of 2480	1692	WeChatAppEx.exe	89
PID 1692 wrote to memory of 2480	1692	WeChatAppEx.exe	89
PID 1692 wrote to memory of 2480	1692	WeChatAppEx.exe	89
PID 1692 wrote to memory of 2480	1692	WeChatAppEx.exe	89
PID 1692 wrote to memory of 2480	1692	WeChatAppEx.exe	89
PID 1692 wrote to memory of 2480	1692	WeChatAppEx.exe	89
PID 1692 wrote to memory of 2480	1692	WeChatAppEx.exe	89
PID 1692 wrote to memory of 2480	1692	WeChatAppEx.exe	89
PID 1692 wrote to memory of 2480	1692	WeChatAppEx.exe	89
PID 1692 wrote to memory of 2480	1692	WeChatAppEx.exe	89
PID 1692 wrote to memory of 4368	1692	WeChatAppEx.exe	91
PID 1692 wrote to memory of 4368	1692	WeChatAppEx.exe	91

C:\Users\Admin\AppData\Local\Temp\WeChat.exe
"C:\Users\Admin\AppData\Local\Temp\WeChat.exe"
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Loads dropped DLL
- Enumerates system info in registry
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1816
- C:\Users\Admin\AppData\Local\Temp\[3.9.11.19]\mmcrashpad_handler64.exe
  C:\Users\Admin\AppData\Local\Temp\[3.9.11.19]\mmcrashpad_handler64.exe --no-rate-limit --database=C:\Users\Admin\AppData\Roaming\Tencent\WeChat\crash --annotation=crash_notify=1 "--annotation=ext_info={\"app_call_name\":\"微信\",\"app_name\":\"WechatWindows\",\"app_path\":\"C:\\Users\\Admin\\AppData\\Local\\Temp\\WeChat.exe\",\"dwbuild\":\"19\",\"log_path\":\"C:\\Users\\Admin\\AppData\\Roaming\\Tencent\\WeChat\\crash\",\"major_ver\":\"3\",\"minor_ver\":\"2\",\"module_name\":\"Wechat_Windows\",\"modules_dir\":\"C:\\Users\\Admin\\AppData\\Local\\Temp\\[3.9.11.19]\",\"product\":\"WECHAT\",\"report_type\":\"9999\",\"restart_app_cmd\":\"\",\"upload_choice\":\"3\",\"version\":\"1661537043\"}" --annotation=log_path=C:\Users\Admin\AppData\Roaming\Tencent\WeChat\crash --annotation=product=WECHAT --initial-client-data=0x488,0x48c,0x490,0x494,0x484,0x498,0x7ffdc42ae3f8,0x7ffdc42ae438,0x7ffdc42ae468
  2⤵
  PID:3936
- C:\Users\Admin\AppData\Roaming\Tencent\WeChat\XPlugin\Plugins\RadiumWMPF\9129\extracted\runtime\WeChatAppEx.exe
  "C:\Users\Admin\AppData\Roaming\Tencent\WeChat\XPlugin\Plugins\RadiumWMPF\9129\extracted\runtime\WeChatAppEx.exe" --log-level=2 --helper-handle-value=191077880 --wechat-files-path="C:\Users\Admin\Documents\WeChat Files\\" --product-id=1000 --wechat-sub-user-agent="MicroMessenger/7.0.20.1781(0x6700143B) WindowsWechat(0x63090b13)" --wmpf_extra_config="{ \"reportId\":-1, \"version\":9129 }" --web-translate --client_version=1661537043 --mojo-platform-channel-handle=2632
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Checks processor information in registry
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1692
- - C:\Users\Admin\AppData\Roaming\Tencent\WeChat\XPlugin\Plugins\RadiumWMPF\9129\extracted\runtime\WechatAppEx.exe
    C:\Users\Admin\AppData\Roaming\Tencent\WeChat\XPlugin\Plugins\RadiumWMPF\9129\extracted\runtime\WechatAppEx.exe --type=crashpad-handler --no-rate-limit --database=C:\Users\Admin\AppData\Roaming\Tencent\WeChat\radium\web\crash --annotation=crash_notify=0 "--annotation=ext_info={\"app_call_name\":\"\",\"app_path\":\"\",\"ext_param1\":\"2.1.1.9129\",\"log_path\":\"C:\\Users\\Admin\\AppData\\Roaming\\Tencent\\WeChat\\radium\\web\\crash\",\"module_name\":\"XWeb_Windows\",\"modules_dir\":\"C:\\Users\\Admin\\AppData\\Roaming\\Tencent\\WeChat\\XPlugin\\Plugins\\RadiumWMPF\\9129\\extracted\\runtime\",\"product\":\"browser\",\"report_type\":\"9999\",\"restart_app_cmd\":\"\",\"upload_choice\":\"1\",\"version\":\"1661537043\"}" --annotation=log_path=C:\Users\Admin\AppData\Roaming\Tencent\WeChat\radium\web\crash --annotation=product=browser --initial-client-data=0x540,0x544,0x548,0x54c,0x53c,0x550,0x7ff667dd61d8,0x7ff667dd6218,0x7ff667dd6248
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Checks processor information in registry
    PID:1044
- - C:\Users\Admin\AppData\Roaming\Tencent\WeChat\XPlugin\Plugins\RadiumWMPF\9129\extracted\runtime\WeChatAppEx.exe
    "C:\Users\Admin\AppData\Roaming\Tencent\WeChat\XPlugin\Plugins\RadiumWMPF\9129\extracted\runtime\WeChatAppEx.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=zh-CN --service-sandbox-type=none --log-level=2 --client_version=1661537043 --product-id=1000 --log-level=2 --disable-mojo-broker --mojo-platform-channel-handle=2372 --field-trial-handle=2392,i,14816767807761200056,15185841392195108516,262144 --enable-features=NetworkServiceMemoryCache,OverlayScrollbar,WebPredictor,WinSboxAllowSystemFonts,XWorker --disable-features=AudioServiceOutOfProcess,AutoupgradeMixedContent,BackForwardCache,DigitalGoodsApi,NotificationTriggers,PeriodicBackgroundSync,Portals,TFLiteLanguageDetectionEnabled,Vulkan,WebOTP /prefetch:8
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Checks processor information in registry
    PID:1892
- - C:\Users\Admin\AppData\Roaming\Tencent\WeChat\XPlugin\Plugins\RadiumWMPF\9129\extracted\runtime\WeChatAppEx.exe
    "C:\Users\Admin\AppData\Roaming\Tencent\WeChat\XPlugin\Plugins\RadiumWMPF\9129\extracted\runtime\WeChatAppEx.exe" --type=gpu-process --log-level=2 --client_version=1661537043 --product-id=1000 --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAAAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --log-level=2 --disable-mojo-broker --mojo-platform-channel-handle=2492 --field-trial-handle=2392,i,14816767807761200056,15185841392195108516,262144 --enable-features=NetworkServiceMemoryCache,OverlayScrollbar,WebPredictor,WinSboxAllowSystemFonts,XWorker --disable-features=AudioServiceOutOfProcess,AutoupgradeMixedContent,BackForwardCache,DigitalGoodsApi,NotificationTriggers,PeriodicBackgroundSync,Portals,TFLiteLanguageDetectionEnabled,Vulkan,WebOTP /prefetch:2
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Checks processor information in registry
    PID:2480
- - C:\Users\Admin\AppData\Roaming\Tencent\WeChat\XPlugin\Plugins\RadiumWMPF\9129\extracted\runtime\WeChatAppEx.exe
    "C:\Users\Admin\AppData\Roaming\Tencent\WeChat\XPlugin\Plugins\RadiumWMPF\9129\extracted\runtime\WeChatAppEx.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --log-level=2 --client_version=1661537043 --product-id=1000 --gpu-preferences=WAAAAAAAAADoAAAMAAAAAAAAAAAAAAAAAABgAAAAAAA4AAAAAAAAAAAAAABEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --log-level=2 --disable-mojo-broker --mojo-platform-channel-handle=3000 --field-trial-handle=2392,i,14816767807761200056,15185841392195108516,262144 --enable-features=NetworkServiceMemoryCache,OverlayScrollbar,WebPredictor,WinSboxAllowSystemFonts,XWorker --disable-features=AudioServiceOutOfProcess,AutoupgradeMixedContent,BackForwardCache,DigitalGoodsApi,NotificationTriggers,PeriodicBackgroundSync,Portals,TFLiteLanguageDetectionEnabled,Vulkan,WebOTP /prefetch:2
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Checks processor information in registry
    - Suspicious behavior: EnumeratesProcesses
    PID:4368

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Virtualization/Sandbox Evasion

T1497

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Virtualization/Sandbox Evasion

T1497

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Tencent\WeChat\XPlugin\Plugins\RadiumWMPF\9129\extracted\file_component.xml

Filesize
9KB

MD5
00cef350b5a33788ebd5d491201ce9d6

SHA1
e6f5ce896007537e4750ee56ebdaefa3358fb5fc

SHA256
84714775e6a9aef7675b9d4b55a52e66d3c4d869d28aa0d79aac345c4454525d

SHA512
750af01aa95565b56ba6e26c292ee7266fd2b8f5728e82f77ab8f9ba85f300e4e14c0edb631a83e5227a69ffe42894884a31a6a89c6c2afe0f161a26756afede

Download Submit
C:\Users\Admin\AppData\Roaming\Tencent\WeChat\XPlugin\Plugins\RadiumWMPF\9129\extracted\host\wmpf_host_export.dll

Filesize
1.8MB

MD5
7375881455007f3cba816a36763fe3ee

SHA1
e11cbe867798cee6751d29d58e2a6a58051117fb

SHA256
87309dda6684c05a103a623b8ac40be683d006bdbfa3880f8e512a4d5b38911c

SHA512
987a1a3223fbbdd49b223b8782dc5253deb1eba81695a1d8ebdef61b4040c42917368ae589f2f2ca8e310faa255a8e4e0414eb36076a2d030505bb41a9baf095

Download Submit
C:\Users\Admin\AppData\Roaming\Tencent\WeChat\XPlugin\Plugins\RadiumWMPF\9129\extracted\host\wmpf_host_export_x64.dll

Filesize
2.2MB

MD5
b40939c7bc8aee66e769270fd95098c7

SHA1
89561e56c2e8e675ff91f855a4932e77a01a0dc7

SHA256
b1d14f9ef577e623a86a526243bed3b2cc6ef6beaeb9f9b5f4f892c4c26f624f

SHA512
7e8623757ff22908502605aecc8ec14c5398983a0ddadb724724be68652d0b11c7263e543e34bb5eaa68b5604934ab7baeff7042f5292546669527cef57a6e10

Download Submit
C:\Users\Admin\AppData\Roaming\Tencent\WeChat\XPlugin\Plugins\RadiumWMPF\9129\extracted\runtime\ComponentVerification.dll

Filesize
177KB

MD5
0d75a290e23672b0cacb6765fe7d5bbf

SHA1
a3c2bc04dfda36c307872fd6479786aba743d4eb

SHA256
e8930e3fbc53804235e429311b708b09d0865017ca38af8b976cc02bf9fd2e9c

SHA512
b05c85a4f73f17d677fbadd6dba0b9c111aa366eebe68f64b6d6c7f1e4b532c4ae45365d2076feba4368726a996159663e31536b0dd6b5df8939fc7412a19bc4

Download Submit
C:\Users\Admin\AppData\Roaming\Tencent\WeChat\XPlugin\Plugins\RadiumWMPF\9129\extracted\runtime\ConfSdk.dll

Filesize
1.2MB

MD5
274869617234ebc5898f0cb2cfb97d35

SHA1
fb85813617a1eb8471db60575d987b84998a00dd

SHA256
f5acdfe06709aa9af043f562d6a6abb0162d05264a96444d72e1db88d3908f62

SHA512
5ccf6e64b162b4e494ffd981209c9ef520b3b83d9aeff7e7b503462177bf865a8ac4b179080c6e47e9a53f16279ab98226d1521aa525c3721500ca1852296dac

Download Submit
C:\Users\Admin\AppData\Roaming\Tencent\WeChat\XPlugin\Plugins\RadiumWMPF\9129\extracted\runtime\VoipEngine.dll

Filesize
14.6MB

MD5
8fe01bf7dc6c696b8df7a6225508703b

SHA1
be8ce7cb4162c9eae5921a5e37535b3b95c4b816

SHA256
0e5aac62ec8eb64804e78db6e4ee75149762b290dd133cf7a09e49d5daca0473

SHA512
5e8fb2d3de4093f553f5c6b84617ede2bf533cef06ade04522cccd3291e9b21dace3ac5b8c8712326197c9281f1aad378c552dead3bb6eebd17bee2502d08103

Download Submit
C:\Users\Admin\AppData\Roaming\Tencent\WeChat\XPlugin\Plugins\RadiumWMPF\9129\extracted\runtime\WXAMSDK.dll

Filesize
10.5MB

MD5
cf7010a4e2bdf8d5edda4f8e262d0376

SHA1
ea9e3e65492b952570d0e2b283520b950c60f4dc

SHA256
7298dc73774caf86ce1dea83570414ff0fe6156854119c6f286d248fb49dc04e

SHA512
0962bb107c83cd5bc6f67e63c5eb9aef2192c11bb1494efe056153e3aa1c934f7a6f681f88fd378af626bd6173aea6a68790fcb1d6e9330ab45b323a41d9f0f4

Download Submit
C:\Users\Admin\AppData\Roaming\Tencent\WeChat\XPlugin\Plugins\RadiumWMPF\9129\extracted\runtime\d3dcompiler_47.dll

Filesize
4.7MB

MD5
a7b7470c347f84365ffe1b2072b4f95c

SHA1
57a96f6fb326ba65b7f7016242132b3f9464c7a3

SHA256
af7b99be1b8770c0e4d18e43b04e81d11bdeb667fa6b07ade7a88f4c5676bf9a

SHA512
83391a219631f750499fd9642d59ec80fb377c378997b302d10762e83325551bb97c1086b181fff0521b1ca933e518eab71a44a3578a23691f215ebb1dce463d

Download Submit
C:\Users\Admin\AppData\Roaming\Tencent\WeChat\XPlugin\Plugins\RadiumWMPF\9129\extracted\runtime\ffmpeg.dll

Filesize
2.8MB

MD5
58f020c5255c67b2a5bbc7b26040cbbd

SHA1
b8745dc4fd62d3f5dde72579ead044a8a15885f2

SHA256
2408e9f4393e8eb1fc086c37d2819fb45d51605a1fe889c7685a2d8e87e25096

SHA512
4e719c51d68b49abbc4c49edefb67faa734a04eb256527a533bbdbcaa3ddd7e926ed6ccbd3d1de2e863b937b65b9cde846db39409e1bcec30cb96a846e721ecd

Download Submit
C:\Users\Admin\AppData\Roaming\Tencent\WeChat\XPlugin\Plugins\RadiumWMPF\9129\extracted\runtime\icudtl.dat

Filesize
10.1MB

MD5
62880b7d351a9f547b62b8da6c97ce25

SHA1
057f11003013cfb3f1c63e6bdd4f2f9949ff0104

SHA256
7c40c811d30d459dbf04a04c141b60eb4247cd58a008fb836605317df665748f

SHA512
0d6f83175a91d90f4cc3ec4d9071b7acd0cd8ebbcc592322e46fde2adb7198e035af62c45a11a622f2a908e26d4dd8b8d1af023e634a74d0824d02c791ba3c1a

Download Submit
C:\Users\Admin\AppData\Roaming\Tencent\WeChat\XPlugin\Plugins\RadiumWMPF\9129\extracted\runtime\ilink2.dll

Filesize
6.2MB

MD5
fc282b9c0aa206bf34da78b1b049007a

SHA1
a1a531a716176a653122f4d11cd1d8481fe1462e

SHA256
d7a5d0dd4e90e649bd99a906b7dfa77dc97bd71966e37f4b4e9cbdec8e94ee02

SHA512
19cb2f8e4e0532eed8dc868a2a45581d299069526197b61d4b30a03e3a3013bad7d29a710e714080287c62228399c4e6f9413ca0094c3ee794a6ffd15218fcda

Download Submit
C:\Users\Admin\AppData\Roaming\Tencent\WeChat\XPlugin\Plugins\RadiumWMPF\9129\extracted\runtime\ilink_network.dll

Filesize
6.0MB

MD5
1a1d15a4d25f413cec860f1773526872

SHA1
322d33ae4517de8119a40729281394d03910cc37

SHA256
31c8f4d7809d176c9e556a27b38fb295f0e74b7fe8e43d64ed4fd2cde837e4f7

SHA512
8371e86e0a11e5714ef7f89e0d306391ba6daa8f2fcde381200d219d1b85cd9b4f102a50b38c914387fc028bea73f9e5a5dfc6a0f6b8db84ad81f4fdc2c90987

Download Submit
C:\Users\Admin\AppData\Roaming\Tencent\WeChat\XPlugin\Plugins\RadiumWMPF\9129\extracted\runtime\libEGL.dll

Filesize
477KB

MD5
e381309379d235116340a16c2cc745fa

SHA1
13624426770cf860b4c6ade31525c33e72fbbb55

SHA256
d21952a8255f306f2bfc31e6da452ac1e4714ba76bd0384491ac72a9d84fc871

SHA512
08fe7be13f4e5054f4e8b4067a1231e68618a18866115623a4cc407c098b6c547cff86f6d07445d91f5a3b5ff9cc02e499b124f02e4135cfbc5da9cfc7c8a13f

Download Submit
C:\Users\Admin\AppData\Roaming\Tencent\WeChat\XPlugin\Plugins\RadiumWMPF\9129\extracted\runtime\libGLESv2.dll

Filesize
7.1MB

MD5
29a0349ac0c14b5ef70bc1ddfb61321b

SHA1
c7d0bd7b74cbe2a3740d55a76eb35569a87e9cae

SHA256
c80543ccc5d7f2561ad2fff83eb08887c6ecb654eb3c49e449237f5b610378a4

SHA512
c802e88ed2a6a135d9ffa1231593e68588488942f6b7665157a88b0f459fba89c824f557418535016493e69ca12fc3c2f7e643468f24adcc7586624eb26373e3

Download Submit
C:\Users\Admin\AppData\Roaming\Tencent\WeChat\XPlugin\Plugins\RadiumWMPF\9129\extracted\runtime\liteav.dll

Filesize
11.9MB

MD5
6194252939a7de1006c2a66b2ed788d2

SHA1
31fe0e1bff66a0af6e05d9ded506c021b4e4ab94

SHA256
53fe34201677d73410bc881c6cfcc2b41f4e5ecca1ade1cf60fceb9a66547fbb

SHA512
51fb77008ccaeac10b271542209511b44ecc59c61287a464c2787e68c5d8b1dcb5c23ca8b353f615129474165a5229ee889ec99c1902bdbc4ef7ec4202c74cce

Download Submit
C:\Users\Admin\AppData\Roaming\Tencent\WeChat\XPlugin\Plugins\RadiumWMPF\9129\extracted\runtime\locales\en-US.pak

Filesize
178KB

MD5
a27b0b50ea15e3a4b5b037368ec85c49

SHA1
437a13a1d235235723c49e2760478049ebde9d68

SHA256
e7a99e8e595d34fd5532aee1f2d35f186fcf752c05c54125794bcdb3e6b29946

SHA512
7cfca3dac2b732a85ff624f890c4ff37d1e1282fe485c71e896a23431c3007081ece5ee1116d82595df70b11c2fb3d40892b9ebcd33d3685bc275c0561eabb7d

Download Submit
C:\Users\Admin\AppData\Roaming\Tencent\WeChat\XPlugin\Plugins\RadiumWMPF\9129\extracted\runtime\locales\zh-CN.pak

Filesize
179KB

MD5
e91e56b3e5f7e4faf023cb60cf23f42c

SHA1
42a6b324620e13168567c5fcde3d3c06abbc11ec

SHA256
4f8420e5e9ccc7800d7b308809594afcb3a78494faf9a6a6f41fefac8106684a

SHA512
5e0491b8ffe6e4181f44a74958bbeeeaea948da9a1c4d849261c1051fecfad83a25e9973499be087c0d83085e3650ba9eca064b0cc9de5ecdbe15f98410273d3

Download Submit
C:\Users\Admin\AppData\Roaming\Tencent\WeChat\XPlugin\Plugins\RadiumWMPF\9129\extracted\runtime\owl.dll

Filesize
1.1MB

MD5
cf6121452909699caefff77cd0086cf9

SHA1
a52ff34376b860d1e408962774129971c431e8da

SHA256
2c48d500c518f8ba751754228d406212141c22192d23c8a6d424fcf552cf696d

SHA512
07824e2ba2b99fa70cb98bc9b7a7b856e4900da965b73fde5f7048c74027687cae6d4137ed1dc08e9fdf2adb884b9763822aa06b694f2cd9e4842cd4529b1a5c

Download Submit
C:\Users\Admin\AppData\Roaming\Tencent\WeChat\XPlugin\Plugins\RadiumWMPF\9129\extracted\runtime\snapshot_blob.bin

Filesize
262KB

MD5
9fd4e1ed4923ca771537f4421c0c2214

SHA1
e55db06c89b62727ffb3bac37513ecccafe55b5d

SHA256
ae879bb0b955501ba972a9bb270fcf6a7002b53a68956ce340b4a7f72c407c5a

SHA512
6c3369f03d5bf341372479551ebd43a321d9b6c6d029b12ccd818c1b0db238aeeaf7ed3b7cc0a50603ff87b8fa66b792e3b6799f8039bfc752ba44c48c247994

Download Submit
C:\Users\Admin\AppData\Roaming\Tencent\WeChat\XPlugin\Plugins\RadiumWMPF\9129\extracted\runtime\txffmpeg.dll

Filesize
6.2MB

MD5
70c4af0909ef2a64ebabe83ba5698d90

SHA1
edaa9424d996441b7b456b8acd182426aa1264d4

SHA256
c764a6f1de16e7e417ba4228751288cf12d5ef3980c7d67db5951404f876e2c4

SHA512
99a01deb08bca3e543bea317d9f0923a34b62a3efd5a49dc96e2dc806763ccbf8b60a16924238e4964ba1df50f9f8818a0bb624b794d25c8588cc6274f37dfa8

Download Submit
C:\Users\Admin\AppData\Roaming\Tencent\WeChat\XPlugin\Plugins\RadiumWMPF\9129\extracted\runtime\txsoundtouch.dll

Filesize
136KB

MD5
4e7bbf48e84a3681971d58bf08c366a5

SHA1
971e9105479e4c79a3c34c4a751aa2572ca148b8

SHA256
41b0acb222df38a1a0bf07e132b912df1c9ce987d9410d54c0da82278b161441

SHA512
34d9333254f3f51500ddb1f3a2fd321e349a4506e8504a4822c40fec3ec1902405259577eb37b735e6958ac64f88ca605c9d4332401e05a2ae585fd074c53298

Download Submit
C:\Users\Admin\AppData\Roaming\Tencent\WeChat\XPlugin\Plugins\RadiumWMPF\9129\extracted\runtime\v8_context_snapshot.bin

Filesize
582KB

MD5
7de432e3cef399a79cc2a6a30415d5c0

SHA1
88b7792bbfbef3c64cd8a155875348279faddfa6

SHA256
25851c7b84d6a7f4a723e9a5d9ad6d7bcebe3d2205416127f183ead6a1431582

SHA512
f8a6c84903e8369e781761a417a45c67be9b5f3e28007c7ea80b487ed9fbf15b095d7eff274eb800dfe112af5cc957f06df254bcf6d0fb5da39dca083931ce79

Download Submit
C:\Users\Admin\AppData\Roaming\Tencent\WeChat\XPlugin\Plugins\RadiumWMPF\9129\extracted\runtime\vk_swiftshader.dll

Filesize
4.7MB

MD5
effc3eb61df55593168bf4e2be67f740

SHA1
8d6d7220361e3d53451144371b2d8545cbf20864

SHA256
4061ce8bfddc84e104aed6c85bdfaf79a1ec48d980d84dc0cf2a13030a7afcfb

SHA512
83acd4c27e912980188092f3f2329dd3c03ae2a8a9c3b10fc2542661234320fea7e2780b9eaecfa1517e04c0727226d46d226c5d0dccd0717e5ba818e646ac69

Download Submit
C:\Users\Admin\AppData\Roaming\Tencent\WeChat\XPlugin\Plugins\RadiumWMPF\9129\extracted\runtime\vk_swiftshader_icd.json

Filesize
106B

MD5
8642dd3a87e2de6e991fae08458e302b

SHA1
9c06735c31cec00600fd763a92f8112d085bd12a

SHA256
32d83ff113fef532a9f97e0d2831f8656628ab1c99e9060f0332b1532839afd9

SHA512
f5d37d1b45b006161e4cefeebba1e33af879a3a51d16ee3ff8c3968c0c36bbafae379bf9124c13310b77774c9cbb4fa53114e83f5b48b5314132736e5bb4496f

Download Submit
C:\Users\Admin\AppData\Roaming\Tencent\WeChat\XPlugin\Plugins\RadiumWMPF\9129\extracted\runtime\vulkan-1.dll

Filesize
924KB

MD5
2d107f62c15a66a6c10fe32010781db9

SHA1
e55e63418c3970ac933767cb82f527dd3139a151

SHA256
a778fa9631cfc9a68b62795ae8f6d7e949e9436896b0ddf45cb4780b7991f777

SHA512
452c0e5160d0f9bf3cdcdc734cbd3e70cf0de4cf05230909890c1f015f5625f30f62252db654d4e913409701bea5e0a9c097712776fff64367cf9a9d28b83d7d

Download Submit
C:\Users\Admin\AppData\Roaming\Tencent\WeChat\XPlugin\Plugins\RadiumWMPF\9129\extracted\runtime\wmpf_100_percent.pak

Filesize
1.3MB

MD5
39c5cec8fd9f3ef620c4d35770ce2d24

SHA1
ade3245d10f3d2f826035a97bc835a2f9078770a

SHA256
9ebda78dd4a6b6c5f10942f1a9fba39a947fa70ef5d7e10ab0821f5427f89c26

SHA512
5e603ed71c9b9e94372df1a06be669bde814838a8ee602f93600ec80cfa75d2fb4bb90faa979708c4b3c18a05ccd8e139b7ad7a7dbc85ee2a0fa5e0c108b44d1

Download Submit
C:\Users\Admin\AppData\Roaming\Tencent\WeChat\XPlugin\Plugins\RadiumWMPF\9129\extracted\runtime\wmpf_200_percent.pak

Filesize
1.5MB

MD5
c62d68860fbd3caeb667dcde7b0aee43

SHA1
3792283f559af312541a761e3ec4dd55a93f9c7a

SHA256
ae7b81add4db941522de8d64ad245d1ef44f265ff5e09c98c4beec0712c53ad1

SHA512
9cc0ad9a1cb6d7f4e060299b2185e0878ba0e3021649cdc5790851a995456fb9d465a453823e14847b240df64cf80e87ae8e7b8e563184dfbb6c9b73030c7f0f

Download Submit
C:\Users\Admin\AppData\Roaming\Tencent\WeChat\XPlugin\Plugins\RadiumWMPF\9129\extracted\runtime\wmpf_resources.pak

Filesize
15.3MB

MD5
bfe5ec4f37be87078b25ec493556cb59

SHA1
067808488460373098f034e6e12c9c6518c296d5

SHA256
71da4e340d3d6036d7dce94b0a797aab05eae8f840852cd7e94c5e742abb3513

SHA512
a72b3ef7f4c648338b04a30b3106b81ab2a1c621e316d9312c85795899ee8a1e77e19cb91c911b4b8ae3beb543c33033744dcd9c95c861192fa70703004131b9

Download Submit
C:\Users\Admin\AppData\Roaming\Tencent\WeChat\XPlugin\Plugins\RadiumWMPF\9129\extracted\runtime\xfile\api-ms-win-core-console-l1-1-0.dll

Filesize
21KB

MD5
7b935c9ae42987ee708c6ce78d1b2518

SHA1
c9a6af25202ba2c2c4bb7f26201f4c289502c868

SHA256
2f9d5cf4d33e1f9a469ff8face629150701b9d2d2db14adc01d9cd9693b48b66

SHA512
b3bac7cf8693badb9f275eeb9c0b412a9474782f85eba991515719303de998f95660437551fc8587789d7ae1ccddad0721d669dc14e315320296b119d0d5ede9

Download Submit
C:\Users\Admin\AppData\Roaming\Tencent\WeChat\XPlugin\Plugins\RadiumWMPF\9129\extracted\runtime\xfile\api-ms-win-core-console-l1-2-0.dll

Filesize
21KB

MD5
94d959079a8626399a1c7ed25022faa7

SHA1
a223662cce39fbe84a8f36e2640d8f8838a84aba

SHA256
5f3c36d56ff0135234710480cf8d67c9b487378379817b6d3b4819896e881407

SHA512
4692b6bc19c525e1f0a282d7a576462afcb2bd06ebf80aee5b7da78924b2427a411d8434d01d659ec52b41502f01bb2a318f892ff6ff55f8e83b6694970885a4

Download Submit
C:\Users\Admin\AppData\Roaming\Tencent\WeChat\XPlugin\Plugins\RadiumWMPF\9129\extracted\runtime\xfile\api-ms-win-core-datetime-l1-1-0.dll

Filesize
21KB

MD5
08ef9bdae2b9735a3bf96fef13870fc1

SHA1
1153612ad5693917806c2c198eb03e9c1f95859d

SHA256
731e0df1bd953c3a96dc47e81741852ec0c69a56e4716c118f53c793b8fe0d58

SHA512
81b546a57602d34a509cbd89c95f63159da101daf81738b1e2f047f0496791bc0a2f65021654004703fba9001f18185d260f365b87100e76404bf1afbfa40aec

Download Submit
C:\Users\Admin\AppData\Roaming\Tencent\WeChat\XPlugin\Plugins\RadiumWMPF\9129\extracted\runtime\xfile\api-ms-win-core-debug-l1-1-0.dll

Filesize
21KB

MD5
c80dd5101f826344f3fff3d7b820895e

SHA1
33eab9a18dfd5e344bb262d57cb1b40b4f95e3e5

SHA256
79c2cc68b76a1a8b3b53ae22285823183509da88aad9934d42c91ed146e9cac7

SHA512
69e8a1053ee1ea5dc106aec8afcf2a94a396ea4f3a306e0f38d5538081a79b62598a4fb283cc2bbbbc929be73fd38569d572722cdbb2a0837761298cb621d1dc

Download Submit
C:\Users\Admin\AppData\Roaming\Tencent\WeChat\XPlugin\Plugins\RadiumWMPF\9129\extracted\runtime\xfile\api-ms-win-core-errorhandling-l1-1-0.dll

Filesize
21KB

MD5
0b05060480bc0853f3f6909bbd61650a

SHA1
9ebbcf2fb26e4b59c506507a6cad00e8017f8253

SHA256
27dd9e2761ac8bf251b35d4f9653e119a449e1ca29ff30d02a944de371adc920

SHA512
abb8ec6b79bcd31bb5ef6a816c5865c963aac5f7283c9c03992a16beeaeb1eac77f0b6b9d99a5c3b88ee24e8e1b2306c7082cbd509e0e83d53ba88eb92d34af8

Download Submit
C:\Users\Admin\AppData\Roaming\Tencent\WeChat\XPlugin\Plugins\RadiumWMPF\9129\extracted\runtime\xfile\api-ms-win-core-fibers-l1-1-0.dll

Filesize
21KB

MD5
f5298e3aa379b8ace38a91a6b878aa35

SHA1
972079b10bf606e3364c6a05738f473d794bb2ed

SHA256
500bab80166c3a1d4f742120ba615bcd47e780da7f46ced28021c6710ecb6de9

SHA512
18b822dd4303f26a92de8489d7d1eb051d5cecbff48ba5ef6698ad3b3fe0b98eaffee44b548bf5af209ccdbfc37619f8a788de2d0505c12cd19a2d022d642460

Download Submit
C:\Users\Admin\AppData\Roaming\Tencent\WeChat\XPlugin\Plugins\RadiumWMPF\9129\extracted\runtime\xfile\api-ms-win-core-file-l1-1-0.dll

Filesize
25KB

MD5
47bfcf04756b8a406c92370e36be2d29

SHA1
123eac07ea410ec868d1476db04f89e8e58308de

SHA256
0c3a1dbbdd6e7d90b383c6c220bc3b02863af781210169fd8ac7dfcc74b154b7

SHA512
a3567dc53cc6dab3ad99e6cac25725c1bfafff37d9ddc23ae46a76498e2749949c4ef467e48ac16ab533627d2214b5fdc48d855dc6dc81b31d791e4f8b27ab8f

Download Submit
C:\Users\Admin\AppData\Roaming\Tencent\WeChat\XPlugin\Plugins\RadiumWMPF\9129\extracted\runtime\xfile\api-ms-win-core-file-l1-2-0.dll

Filesize
21KB

MD5
288b9d17e7c4bbae97d42ad0b8ec4702

SHA1
4039eccd8416edc38d1e631da65e3bc37fb00d2c

SHA256
57839e0c3c0a7c95d2562626f9f369fbafb4ee3d2ec56af8c9697b494e556eed

SHA512
ced89c9005c921c87950f656f292420d6dd039b163bcafe2e8ae2c057cd750d51a094f0d7db318459f115ada6e26bb752c750deeeb86d7d07734c9b0bfeda302

Download Submit
C:\Users\Admin\AppData\Roaming\Tencent\WeChat\XPlugin\Plugins\RadiumWMPF\9129\extracted\runtime\xfile\api-ms-win-core-file-l2-1-0.dll

Filesize
21KB

MD5
0027fe52dfda7961ae1b2a4b10fc4d89

SHA1
a094bcf86a2ead153dc547e4c8e1794889000002

SHA256
9a15bf727fa2e7c4d66c8fc2d39bf0ed26b248140246c10c089651497cfe484f

SHA512
145a735bfd62b216e94501e7ed83930903eed4a862aa1e9d828040cfdf187c8cdce21aef38dd8f20043e69631d8adc62068688b94bb9bcbe2584041424df5540

Download Submit
C:\Users\Admin\AppData\Roaming\Tencent\WeChat\XPlugin\Plugins\RadiumWMPF\9129\extracted\runtime\xfile\api-ms-win-core-handle-l1-1-0.dll

Filesize
21KB

MD5
3962fa10eeaa9a4be06f561fde300bcd

SHA1
85efa3cc81764658ac069751e53ee056d4e7e2e9

SHA256
b24f9fe58bc71eb82114e08fcd0364524179c6b0f24c81f32f47469653f4857b

SHA512
7f697dceab83f8e9857d6f4fa967c2795be538659a6291e34054b082f656ff2c592252f0e5601737191788fbae6ca4881c131a82f81c2c3a9e26c41312e350e4

Download Submit
C:\Users\Admin\AppData\Roaming\Tencent\WeChat\XPlugin\Plugins\RadiumWMPF\9129\extracted\runtime\xfile\api-ms-win-core-heap-l1-1-0.dll

Filesize
21KB

MD5
523aac716f2cde63a9b6896d8ea41e69

SHA1
0293d3efd1627b6afd768c21a5832cf0365da9b0

SHA256
a415f8df8b171276010b3fa46a6fc9c55010baea805eb535cc58f8d79c32c2df

SHA512
09ad012ca579f285fe4c71714db6699415e1ff9a0f6b850ec060ea0f76ef04dd0ac135c8fa441d406a0639b95938c300217df97fc457ee1a0ebdafe51200448b

Download Submit
C:\Users\Admin\AppData\Roaming\Tencent\WeChat\XPlugin\Plugins\RadiumWMPF\9129\extracted\runtime\xfile\api-ms-win-core-interlocked-l1-1-0.dll

Filesize
21KB

MD5
47b5059914ff6ac540f1e239833c8614

SHA1
a92358dba4f7f7200e3e7e359abf25b766497000

SHA256
b33befd49b8334990d972864fae04041a3d9c44e3217c5211ae7d3b15fe56412

SHA512
d781f5bd6d4ff4b7fbfdbb45b9ec41721dddf8272a2b6e35da5af3f3675dd7b9574ac4aee275045fd23c6f25593b3373c630fb29bb68409cf73c482b5af94a6d

Download Submit
C:\Users\Admin\AppData\Roaming\Tencent\WeChat\XPlugin\Plugins\RadiumWMPF\9129\extracted\runtime\xfile\api-ms-win-core-libraryloader-l1-1-0.dll

Filesize
21KB

MD5
e93fec249ae56a1bf5121e51fddd8e95

SHA1
d81a342b770f2ef86a99a5de009699a0ac99c0b5

SHA256
341d9f2b302f0a17ef9821bc8e29f463b477ae0bbbc5a54c29b34dd4eb490f3f

SHA512
d233ef658e64081fe3f27380b7d781bfec5e88ae25bb468a15ba98dad57f5fa394eebdf29675edf63733f878c75847d025befceb32d1d95d6c609e058f7b7b21

Download Submit
C:\Users\Admin\AppData\Roaming\Tencent\WeChat\XPlugin\Plugins\RadiumWMPF\9129\extracted\runtime\xfile\api-ms-win-core-localization-l1-2-0.dll

Filesize
21KB

MD5
7d813a9d4f1ba0caf55b01f7ec70dcea

SHA1
760ad082f1704b6321fdab3d8ce92cfe1ef82267

SHA256
37545952351e339432e51037f9d6c89c8a31e60a48b63d4ed826d4fcb22ca759

SHA512
a4f664cf315a1ccb59dffe351212f87dfa07786450b6997eeece7e562fa459b828cec3bbde96b56224db7f645ac7b99254fb39eb250aa4755b976cc1a9cb2c9e

Download Submit
C:\Users\Admin\AppData\Roaming\Tencent\WeChat\XPlugin\Plugins\RadiumWMPF\9129\extracted\runtime\xfile\api-ms-win-core-memory-l1-1-0.dll

Filesize
21KB

MD5
4ac8338d1a3346fd09f1e04fc7706170

SHA1
eb3ebcba7f9ad841962add1c2a54f636524b66b4

SHA256
fb34742f566ab12a1c6f28c6bba1dfe753d970f57230d48ac45521e339960958

SHA512
02d74f9078f917cbb6da4bc36cafd225cf6be9655fe87e04326f573888485bc593b86ae60da8dcbf5ce897126b77c1afa8fda085bc5fc55b422317b90624d32f

Download Submit
C:\Users\Admin\AppData\Roaming\Tencent\WeChat\XPlugin\Plugins\RadiumWMPF\9129\extracted\runtime\xfile\api-ms-win-core-namedpipe-l1-1-0.dll

Filesize
21KB

MD5
9064556f7a4bcde3e7164c57772cc0a7

SHA1
23e076eb92fcad97693ff162921e39dd6585fafa

SHA256
6d811f6aa8d1d666b740efb8a980c425228907f02a2418f00b06ada7db51213b

SHA512
ad02177bc9fbb529efba419dc168ce323b26b2013024f90a42b3cf322c0e4ac710f6f666e5be9ea264018144ae366daf2567f05e16820712d2391cd4888cc131

Download Submit
C:\Users\Admin\AppData\Roaming\Tencent\WeChat\XPlugin\Plugins\RadiumWMPF\9129\extracted\runtime\xfile\api-ms-win-core-processenvironment-l1-1-0.dll

Filesize
21KB

MD5
c4eb89da5c3eac728c5e30c9aa67c006

SHA1
3343d3c765fe44682496b192b3edaed328a8cc5b

SHA256
16a13b80823954e1b7803eb4312aa7d1f1370ee565eb4988dcfd200a524747da

SHA512
3f723a9c72f80bd3d078da38f026c1a27d13f4e03eeb69aebf00da4430adb2a9e57f64c0080bb1cb44e1a2f93d7c80e5c94b590c48841c5e4083a845f5d8f6f1

Download Submit
C:\Users\Admin\AppData\Roaming\Tencent\WeChat\XPlugin\Plugins\RadiumWMPF\9129\extracted\runtime\xfile\api-ms-win-core-processthreads-l1-1-0.dll

Filesize
21KB

MD5
f2d45a9e419858a3c7adf4996d45de0a

SHA1
4a069db1876bbeac8593d64e4293cdef28ad998b

SHA256
dbb2f529cc205e81bef9aab1fb91b529e8e02f929a3dc54adb8999851001c5bf

SHA512
a7a5d3fbde6793f07f060bbffd066e06a4db8bcaaf466ed4b840271f56c7db32e2420e50fa2a8b4a2c86ea3309cbcdd2a871bd7e4034bc3006ca5cb760ab969a

Download Submit
C:\Users\Admin\AppData\Roaming\Tencent\WeChat\XPlugin\Plugins\RadiumWMPF\9129\extracted\runtime\xfile\api-ms-win-core-processthreads-l1-1-1.dll

Filesize
21KB

MD5
8c296f1f54e8c9f38659fd8e09598422

SHA1
b0caec0a3a42a3f4723b391c6ffb7b3ecf93f3df

SHA256
a3d9d0a230edce97dfcc176737daea17104b954879cbc584b9615ecc6d6c0a32

SHA512
4ac9f0912861b01fe55600ebc994429bde9b29c5168adab9bd7636fff39cda2ff9e5dda46525d8425794b6f69d459a35583ff07781a591c248858fedb60dec71

Download Submit
C:\Users\Admin\AppData\Roaming\Tencent\WeChat\XPlugin\Plugins\RadiumWMPF\9129\extracted\runtime\xfile\api-ms-win-core-profile-l1-1-0.dll

Filesize
21KB

MD5
f9ceff9c92bc368779c370facfef5714

SHA1
b38f4b53a558c3257e3d28525803ae96ed36f49e

SHA256
884dfc43cf87144ee2ba9d535ee44777ec8951633001ad6c9ac867d51823c10a

SHA512
e4d6100ffe5e53509c40c34045b8c242afcdbe42412522412287d826c464d66ba0abcaf9cf93b55b4cace4757192813e977f0b6dec263391721b47ef0d3cab52

Download Submit
C:\Users\Admin\AppData\Roaming\Tencent\WeChat\XPlugin\Plugins\RadiumWMPF\9129\extracted\runtime\xfile\api-ms-win-core-rtlsupport-l1-1-0.dll

Filesize
21KB

MD5
61503240436af5c68800410400a21e73

SHA1
3260e129965d46f579b89d8e84844b8dca522b8c

SHA256
342a938aef9adeca509ea1d02868e9d0590673e1f044b69dcffc0b85cebd0a34

SHA512
017e8eae34e094f54d517addbc2c0c474d8adbaf2cc496c535156258739818413ffed55eae363308e9cd44d02410204031956479d7c75ef2b1709afb397e044f

Download Submit
C:\Users\Admin\AppData\Roaming\Tencent\WeChat\XPlugin\Plugins\RadiumWMPF\9129\extracted\runtime\xfile\api-ms-win-core-string-l1-1-0.dll

Filesize
21KB

MD5
53c39dbdc253aa94fc46f79e808e759e

SHA1
4e471a0fa393e60ad8a6f894a1e17cd007dae121

SHA256
acb493cebf362aeccb34e3df197c0424411a32f3e40be74a21a0a474f02f70fa

SHA512
280b77609cc6f94f4a31cada1c1f4ad0ba6b145e368cc189223c01d3fe71cc685c52575d08401e6fdd62f9fee9a5347461bd9a9fb86439d9a3f0da7cef950886

Download Submit
C:\Users\Admin\AppData\Roaming\Tencent\WeChat\XPlugin\Plugins\RadiumWMPF\9129\extracted\runtime\xfile\api-ms-win-core-synch-l1-1-0.dll

Filesize
21KB

MD5
a4cac886f35c6a9323f1fbd38d146d0e

SHA1
046b3429e313fd93e0665b90f572b87b21fb88a1

SHA256
ac8a792dc4d3b6498f80032480db33b339d0279f7d0a4f7410a0892fe9f80499

SHA512
3f55751e31445f653900eeeb6dd0f4149a1fca3883bf49ecbfc2bd443d7a2d36471e839403b027663e7d0fb9a7dd17663182e1eaaade732ed4be0e29f8a017aa

Download Submit
C:\Users\Admin\AppData\Roaming\Tencent\WeChat\XPlugin\Plugins\RadiumWMPF\9129\extracted\runtime\xfile\api-ms-win-core-synch-l1-2-0.dll

Filesize
21KB

MD5
63f2089a20409f482afd867774cef9ce

SHA1
d328de0efce2652db204a076fd633d23ddb76dc2

SHA256
f61a72a2a6ac3e8395a167b1e4b3a8af7aea8be5736a8c97f894e06c6e650807

SHA512
990aaf1a1e80230b3bbb596fc91640fc3723d1aec08b1c772f9d1a95adcf3e34150abb73ba132ad01492551baf893bd41e5c99197eb0c0064bb0dc42787aaf54

Download Submit
C:\Users\Admin\AppData\Roaming\Tencent\WeChat\XPlugin\Plugins\RadiumWMPF\9129\extracted\runtime\xfile\api-ms-win-core-sysinfo-l1-1-0.dll

Filesize
21KB

MD5
2c17df3b2df2bdc7c11ef0005644c197

SHA1
0bc19fa8ca91b1aee4c2a76148c98643f4fc1fb0

SHA256
a9f473340c1709dbd36e060c0fabdefac67d83956c9aaa0a04236616ad4fd09a

SHA512
6832a51d4ff22664f3292961b6e709bddf3c21b7cdea973a42e339c096aaf4fe39ae88c3b007cf90feebdfd75b3f1948ad27a5ced8e606f085f46c2fbe34bda9

Download Submit
C:\Users\Admin\AppData\Roaming\Tencent\WeChat\XPlugin\Plugins\RadiumWMPF\9129\extracted\runtime\xweb_elf.dll

Filesize
1.3MB

MD5
ae0d7f602b0f65b444012b68a3efbace

SHA1
f264e0878fbd60eb3df79151fc44a0fe7e2bef10

SHA256
240b4f3823f24dcd8bd212cbbbf0391f8bbb9fe215f2d83f4122d5251bce8167

SHA512
238db671124621b009bf1979e81bcfdf6cdb8a43a28ade1699a5182c8632f05f485c1f358fda0eb1815dd54b5b99d3fe432eb04b9d0ca94bb3ebe29f0046b48d

Download Submit
C:\Users\Admin\AppData\Roaming\Tencent\WeChat\crash\settings.dat

Filesize
40B

MD5
dfd4824d8e6d02716b92b1b9b5344e68

SHA1
463e7e5fe56f6fd7d4a6e95bf24a2a62194e8053

SHA256
73c19b708bb911c185f19f3cfa71f53e7e5322a6d42c9f51bf5127009f47f438

SHA512
9acc9ceee054411ab3ac262c6e44351c606349a5bc07022cf0ec38c24fe2bfa893a9e171bc8519e757ef49d9e40353e1f6ffb7afc67dba558375a54b1ece2a83

Download Submit
C:\Users\Admin\AppData\Roaming\Tencent\WeChat\log\MM_20240710.xlog

Filesize
42KB

MD5
8537375a7efd7c7975cf0ea4eac2e541

SHA1
2b4594c5d6478f3cdf98e986036ce1ef7ae13046

SHA256
d4cacca0093e963eca393b9ce0bd0d6582ed2d0ab581656fc9a08146925ec751

SHA512
b19ccb0a05714a2189dccf5cbe34f440cd6336374b81a03b442359eeec68cf3797b8ee964d9e1dc048e356ecea9c7c2017724abb04e82e6d8d91d98272842215

Download Submit
memory/1692-222-0x00007FFD91750000-0x00007FFD91760000-memory.dmp

Filesize
64KB

Download
memory/4368-305-0x00000209A4840000-0x00000209A4841000-memory.dmp

Filesize
4KB

Download
memory/4368-306-0x00000209A4840000-0x00000209A4841000-memory.dmp

Filesize
4KB

Download
memory/4368-304-0x00000209A4840000-0x00000209A4841000-memory.dmp

Filesize
4KB

Download
memory/4368-316-0x00000209A4840000-0x00000209A4841000-memory.dmp

Filesize
4KB

Download
memory/4368-315-0x00000209A4840000-0x00000209A4841000-memory.dmp

Filesize
4KB

Download
memory/4368-314-0x00000209A4840000-0x00000209A4841000-memory.dmp

Filesize
4KB

Download
memory/4368-313-0x00000209A4840000-0x00000209A4841000-memory.dmp

Filesize
4KB

Download
memory/4368-312-0x00000209A4840000-0x00000209A4841000-memory.dmp

Filesize
4KB

Download
memory/4368-311-0x00000209A4840000-0x00000209A4841000-memory.dmp

Filesize
4KB

Download
memory/4368-310-0x00000209A4840000-0x00000209A4841000-memory.dmp

Filesize
4KB

Download