243f3743b7c0353104dffd185aa6d754407e7b31c3840e30fdc5ec66d7f1c11b

Analysis

max time kernel
150s
max time network
169s
platform
windows7_x64
resource
win7-20240704-en
resource tags

arch:x64arch:x86image:win7-20240704-enlocale:en-usos:windows7-x64system
submitted
10/07/2024, 05:35

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

[3.9.11.19]/WeChat.exe
Size

644KB
MD5

c608dfa29a249753b38ebad45f52cc68
SHA1

f7aacf4caf435dc3be1a40bb96019175d95567d8
SHA256

d6521203a3641f9606f146f4fc763be5b87fa058915c2eca0a7474c9d76b6ba7
SHA512

9f3107b14ecb5a0d233cf656577d7ba2776c8a9b3cb0448d295a9fe6733eec69b85b91bf1a60863e21634a72ae173f1030635285e13da14f343d318c134d1b4e
SSDEEP

6144:mQyk1xZBq65kzLy9tEoEtKE0raGrm+BhK629PRwY+:mQy2Zo65kzLy92oIt0rrXIk9

Score

9^/10

evasion

Malware Config

Signatures

Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 1 IoCs

evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	WeChat.exe

Checks BIOS information in registry 2 TTPs 1 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	WeChat.exe

Executes dropped EXE 5 IoCs

pid	Process
2052	WeChatAppEx.exe
1692	WechatAppEx.exe
2320	WeChatAppEx.exe
768	WeChatAppEx.exe
2932	WeChatAppEx.exe

Loads dropped DLL 43 IoCs

pid	Process
3060	WeChat.exe
3060	WeChat.exe
2052	WeChatAppEx.exe
2052	WeChatAppEx.exe
2052	WeChatAppEx.exe
2052	WeChatAppEx.exe
2052	WeChatAppEx.exe
2052	WeChatAppEx.exe
1692	WechatAppEx.exe
1692	WechatAppEx.exe
1692	WechatAppEx.exe
1692	WechatAppEx.exe
1692	WechatAppEx.exe
1692	WechatAppEx.exe
2320	WeChatAppEx.exe
2320	WeChatAppEx.exe
2320	WeChatAppEx.exe
2320	WeChatAppEx.exe
2320	WeChatAppEx.exe
2320	WeChatAppEx.exe
768	WeChatAppEx.exe
768	WeChatAppEx.exe
768	WeChatAppEx.exe
768	WeChatAppEx.exe
768	WeChatAppEx.exe
768	WeChatAppEx.exe
768	WeChatAppEx.exe
768	WeChatAppEx.exe
768	WeChatAppEx.exe
2932	WeChatAppEx.exe
2932	WeChatAppEx.exe
2932	WeChatAppEx.exe
2932	WeChatAppEx.exe
2932	WeChatAppEx.exe
2932	WeChatAppEx.exe
2932	WeChatAppEx.exe
2932	WeChatAppEx.exe
2932	WeChatAppEx.exe
2932	WeChatAppEx.exe
2932	WeChatAppEx.exe
2932	WeChatAppEx.exe
2932	WeChatAppEx.exe
2932	WeChatAppEx.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks processor information in registry 2 TTPs 10 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	WeChatAppEx.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	WeChatAppEx.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	WeChatAppEx.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	WeChatAppEx.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	WechatAppEx.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	WechatAppEx.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	WeChatAppEx.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	WeChatAppEx.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	WeChatAppEx.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	WeChatAppEx.exe

Enumerates system info in registry 2 TTPs 4 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	WeChat.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\BaseBoardManufacturer	WeChat.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\BaseBoardProduct	WeChat.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	WeChat.exe

Modifies registry class 9 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000_CLASSES\weixin\shell	WeChat.exe
Key created	\REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000_CLASSES\weixin\shell\open	WeChat.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000_CLASSES\weixin\shell\open\command\ = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\WeChat.exe\" \"%1\""	WeChat.exe
Key created	\REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000_CLASSES\weixin\DefaultIcon	WeChat.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000_CLASSES\weixin\DefaultIcon\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\WeChat.exe,1"	WeChat.exe
Key created	\REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000_CLASSES\weixin\shell\open\command	WeChat.exe
Key created	\REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000_CLASSES\weixin	WeChat.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000_CLASSES\weixin\ = "weixinProtocol"	WeChat.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000_CLASSES\weixin\URL Protocol = "weixinProtocol"	WeChat.exe

Modifies system certificate store 2 TTPs 4 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

description	ioc	Process
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43\Blob = 04000000010000001000000087ce0b7b2a0e4900e158719b37a893720f00000001000000140000006dca5bd00dcf1c0f327059d374b29ca6e3c50aa6090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030814000000010000001400000045eba2aff492cb82312d518ba7a7219df36dc80f0b00000001000000120000004400690067006900430065007200740000001d00000001000000100000004f5f106930398d09107b40c3c7ca8f1c0300000001000000140000000563b8630d62d75abbc8ab1e4bdfb5a899b24d43190000000100000010000000749966cecc95c1874194ca7203f9b6202000000001000000bb030000308203b73082029fa00302010202100ce7e0e517d846fe8fe560fc1bf03039300d06092a864886f70d01010505003065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100ad0e15cee443805cb187f3b760f97112a5aedc269488aaf4cef520392858600cf880daa9159532613cb5b128848a8adc9f0a0c83177a8f90ac8ae779535c31842af60f98323676ccdedd3ca8a2ef6afb21f25261df9f20d71fe2b1d9fe1864d2125b5ff9581835bc47cda136f96b7fd4b0383ec11bc38c33d9d82f18fe280fb3a783d6c36e44c061359616fe599c8b766dd7f1a24b0d2bff0b72da9e60d08e9035c678558720a1cfe56d0ac8497c3198336c22e987d0325aa2ba138211ed39179d993a72a1e6faa4d9d5173175ae857d22ae3f014686f62879c8b1dae45717c47e1c0eb0b492a656b3bdb297edaaa7f0b7c5a83f9516d0ffa196eb085f18774f0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041445eba2aff492cb82312d518ba7a7219df36dc80f301f0603551d2304183016801445eba2aff492cb82312d518ba7a7219df36dc80f300d06092a864886f70d01010505000382010100a20ebcdfe2edf0e372737a6494bff77266d832e4427562ae87ebf2d5d9de56b39fccce1428b90d97605c124c58e4d33d834945589735691aa847ea56c679ab12d8678184df7f093c94e6b8262c20bd3db32889f75fff22e297841fe965ef87e0dfc16749b35debb2092aeb26ed78be7d3f2bf3b726356d5f8901b6495b9f01059bab3d25c1ccb67fc2f16f86c6fa6468eb812d94eb42b7fa8c1edd62f1be5067b76cbdf3f11f6b0c3607167f377ca95b6d7af112466083d72704be4bce97bec3672a6811df80e70c3366bf130d146ef37f1f63101efa8d1b256d6c8fa5b76101b1d2a326a110719dade2c3f9c39951b72b0708ce2ee650b2a7fa0a452fa2f0f2	WeChat.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43	WeChat.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43\Blob = 0f00000001000000140000006dca5bd00dcf1c0f327059d374b29ca6e3c50aa6090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030814000000010000001400000045eba2aff492cb82312d518ba7a7219df36dc80f0b00000001000000120000004400690067006900430065007200740000001d00000001000000100000004f5f106930398d09107b40c3c7ca8f1c0300000001000000140000000563b8630d62d75abbc8ab1e4bdfb5a899b24d432000000001000000bb030000308203b73082029fa00302010202100ce7e0e517d846fe8fe560fc1bf03039300d06092a864886f70d01010505003065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100ad0e15cee443805cb187f3b760f97112a5aedc269488aaf4cef520392858600cf880daa9159532613cb5b128848a8adc9f0a0c83177a8f90ac8ae779535c31842af60f98323676ccdedd3ca8a2ef6afb21f25261df9f20d71fe2b1d9fe1864d2125b5ff9581835bc47cda136f96b7fd4b0383ec11bc38c33d9d82f18fe280fb3a783d6c36e44c061359616fe599c8b766dd7f1a24b0d2bff0b72da9e60d08e9035c678558720a1cfe56d0ac8497c3198336c22e987d0325aa2ba138211ed39179d993a72a1e6faa4d9d5173175ae857d22ae3f014686f62879c8b1dae45717c47e1c0eb0b492a656b3bdb297edaaa7f0b7c5a83f9516d0ffa196eb085f18774f0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041445eba2aff492cb82312d518ba7a7219df36dc80f301f0603551d2304183016801445eba2aff492cb82312d518ba7a7219df36dc80f300d06092a864886f70d01010505000382010100a20ebcdfe2edf0e372737a6494bff77266d832e4427562ae87ebf2d5d9de56b39fccce1428b90d97605c124c58e4d33d834945589735691aa847ea56c679ab12d8678184df7f093c94e6b8262c20bd3db32889f75fff22e297841fe965ef87e0dfc16749b35debb2092aeb26ed78be7d3f2bf3b726356d5f8901b6495b9f01059bab3d25c1ccb67fc2f16f86c6fa6468eb812d94eb42b7fa8c1edd62f1be5067b76cbdf3f11f6b0c3607167f377ca95b6d7af112466083d72704be4bce97bec3672a6811df80e70c3366bf130d146ef37f1f63101efa8d1b256d6c8fa5b76101b1d2a326a110719dade2c3f9c39951b72b0708ce2ee650b2a7fa0a452fa2f0f2	WeChat.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43\Blob = 190000000100000010000000749966cecc95c1874194ca7203f9b6200300000001000000140000000563b8630d62d75abbc8ab1e4bdfb5a899b24d431d00000001000000100000004f5f106930398d09107b40c3c7ca8f1c0b000000010000001200000044006900670069004300650072007400000014000000010000001400000045eba2aff492cb82312d518ba7a7219df36dc80f090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b060105050703080f00000001000000140000006dca5bd00dcf1c0f327059d374b29ca6e3c50aa62000000001000000bb030000308203b73082029fa00302010202100ce7e0e517d846fe8fe560fc1bf03039300d06092a864886f70d01010505003065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100ad0e15cee443805cb187f3b760f97112a5aedc269488aaf4cef520392858600cf880daa9159532613cb5b128848a8adc9f0a0c83177a8f90ac8ae779535c31842af60f98323676ccdedd3ca8a2ef6afb21f25261df9f20d71fe2b1d9fe1864d2125b5ff9581835bc47cda136f96b7fd4b0383ec11bc38c33d9d82f18fe280fb3a783d6c36e44c061359616fe599c8b766dd7f1a24b0d2bff0b72da9e60d08e9035c678558720a1cfe56d0ac8497c3198336c22e987d0325aa2ba138211ed39179d993a72a1e6faa4d9d5173175ae857d22ae3f014686f62879c8b1dae45717c47e1c0eb0b492a656b3bdb297edaaa7f0b7c5a83f9516d0ffa196eb085f18774f0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041445eba2aff492cb82312d518ba7a7219df36dc80f301f0603551d2304183016801445eba2aff492cb82312d518ba7a7219df36dc80f300d06092a864886f70d01010505000382010100a20ebcdfe2edf0e372737a6494bff77266d832e4427562ae87ebf2d5d9de56b39fccce1428b90d97605c124c58e4d33d834945589735691aa847ea56c679ab12d8678184df7f093c94e6b8262c20bd3db32889f75fff22e297841fe965ef87e0dfc16749b35debb2092aeb26ed78be7d3f2bf3b726356d5f8901b6495b9f01059bab3d25c1ccb67fc2f16f86c6fa6468eb812d94eb42b7fa8c1edd62f1be5067b76cbdf3f11f6b0c3607167f377ca95b6d7af112466083d72704be4bce97bec3672a6811df80e70c3366bf130d146ef37f1f63101efa8d1b256d6c8fa5b76101b1d2a326a110719dade2c3f9c39951b72b0708ce2ee650b2a7fa0a452fa2f0f2	WeChat.exe

Suspicious behavior: EnumeratesProcesses 9 IoCs

pid	Process
3060	WeChat.exe
3060	WeChat.exe
2052	WeChatAppEx.exe
2052	WeChatAppEx.exe
3060	WeChat.exe
3060	WeChat.exe
3060	WeChat.exe
2052	WeChatAppEx.exe
2052	WeChatAppEx.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	2052	WeChatAppEx.exe
Token: SeShutdownPrivilege	2052	WeChatAppEx.exe
Token: SeShutdownPrivilege	2052	WeChatAppEx.exe
Token: SeShutdownPrivilege	2052	WeChatAppEx.exe
Token: SeShutdownPrivilege	2052	WeChatAppEx.exe
Token: SeShutdownPrivilege	2052	WeChatAppEx.exe
Token: SeShutdownPrivilege	2052	WeChatAppEx.exe
Token: SeShutdownPrivilege	2052	WeChatAppEx.exe
Token: SeShutdownPrivilege	2052	WeChatAppEx.exe
Token: SeShutdownPrivilege	2052	WeChatAppEx.exe
Token: SeShutdownPrivilege	2052	WeChatAppEx.exe
Token: SeShutdownPrivilege	2052	WeChatAppEx.exe
Token: SeShutdownPrivilege	2052	WeChatAppEx.exe
Token: SeShutdownPrivilege	2052	WeChatAppEx.exe
Token: SeShutdownPrivilege	2052	WeChatAppEx.exe
Token: SeShutdownPrivilege	2052	WeChatAppEx.exe
Token: SeShutdownPrivilege	2052	WeChatAppEx.exe
Token: SeShutdownPrivilege	2052	WeChatAppEx.exe
Token: SeShutdownPrivilege	2052	WeChatAppEx.exe
Token: SeShutdownPrivilege	2052	WeChatAppEx.exe
Token: SeShutdownPrivilege	2052	WeChatAppEx.exe
Token: SeShutdownPrivilege	2052	WeChatAppEx.exe
Token: SeShutdownPrivilege	2052	WeChatAppEx.exe
Token: SeShutdownPrivilege	2052	WeChatAppEx.exe
Token: SeShutdownPrivilege	2052	WeChatAppEx.exe
Token: SeShutdownPrivilege	2052	WeChatAppEx.exe
Token: SeShutdownPrivilege	2052	WeChatAppEx.exe
Token: SeShutdownPrivilege	2052	WeChatAppEx.exe
Token: SeShutdownPrivilege	2052	WeChatAppEx.exe
Token: SeShutdownPrivilege	2052	WeChatAppEx.exe
Token: SeShutdownPrivilege	2052	WeChatAppEx.exe
Token: SeShutdownPrivilege	2052	WeChatAppEx.exe
Token: SeShutdownPrivilege	2052	WeChatAppEx.exe
Token: SeShutdownPrivilege	2052	WeChatAppEx.exe
Token: SeShutdownPrivilege	2052	WeChatAppEx.exe
Token: SeShutdownPrivilege	2052	WeChatAppEx.exe
Token: SeShutdownPrivilege	2052	WeChatAppEx.exe
Token: SeShutdownPrivilege	2052	WeChatAppEx.exe
Token: SeShutdownPrivilege	2052	WeChatAppEx.exe
Token: SeShutdownPrivilege	2052	WeChatAppEx.exe
Token: SeShutdownPrivilege	2052	WeChatAppEx.exe
Token: SeShutdownPrivilege	2052	WeChatAppEx.exe
Token: SeShutdownPrivilege	2052	WeChatAppEx.exe
Token: SeShutdownPrivilege	2052	WeChatAppEx.exe
Token: SeShutdownPrivilege	2052	WeChatAppEx.exe
Token: SeShutdownPrivilege	2052	WeChatAppEx.exe
Token: SeShutdownPrivilege	2052	WeChatAppEx.exe
Token: SeShutdownPrivilege	2052	WeChatAppEx.exe
Token: SeShutdownPrivilege	2052	WeChatAppEx.exe
Token: SeShutdownPrivilege	2052	WeChatAppEx.exe
Token: SeShutdownPrivilege	2052	WeChatAppEx.exe
Token: SeShutdownPrivilege	2052	WeChatAppEx.exe
Token: SeShutdownPrivilege	2052	WeChatAppEx.exe
Token: SeShutdownPrivilege	2052	WeChatAppEx.exe
Token: SeShutdownPrivilege	2052	WeChatAppEx.exe
Token: SeShutdownPrivilege	2052	WeChatAppEx.exe
Token: SeShutdownPrivilege	2052	WeChatAppEx.exe
Token: SeShutdownPrivilege	2052	WeChatAppEx.exe
Token: SeShutdownPrivilege	2052	WeChatAppEx.exe
Token: SeShutdownPrivilege	2052	WeChatAppEx.exe
Token: SeShutdownPrivilege	2052	WeChatAppEx.exe
Token: SeShutdownPrivilege	2052	WeChatAppEx.exe
Token: SeShutdownPrivilege	2052	WeChatAppEx.exe
Token: SeShutdownPrivilege	2052	WeChatAppEx.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3060 wrote to memory of 2224	3060	WeChat.exe	31
PID 3060 wrote to memory of 2224	3060	WeChat.exe	31
PID 3060 wrote to memory of 2224	3060	WeChat.exe	31
PID 3060 wrote to memory of 2052	3060	WeChat.exe	33
PID 3060 wrote to memory of 2052	3060	WeChat.exe	33
PID 3060 wrote to memory of 2052	3060	WeChat.exe	33
PID 2052 wrote to memory of 1692	2052	WeChatAppEx.exe	34
PID 2052 wrote to memory of 1692	2052	WeChatAppEx.exe	34
PID 2052 wrote to memory of 1692	2052	WeChatAppEx.exe	34
PID 2052 wrote to memory of 2320	2052	WeChatAppEx.exe	35
PID 2052 wrote to memory of 2320	2052	WeChatAppEx.exe	35
PID 2052 wrote to memory of 2320	2052	WeChatAppEx.exe	35
PID 2052 wrote to memory of 768	2052	WeChatAppEx.exe	36
PID 2052 wrote to memory of 768	2052	WeChatAppEx.exe	36
PID 2052 wrote to memory of 768	2052	WeChatAppEx.exe	36
PID 2052 wrote to memory of 768	2052	WeChatAppEx.exe	36
PID 2052 wrote to memory of 768	2052	WeChatAppEx.exe	36
PID 2052 wrote to memory of 768	2052	WeChatAppEx.exe	36
PID 2052 wrote to memory of 768	2052	WeChatAppEx.exe	36
PID 2052 wrote to memory of 768	2052	WeChatAppEx.exe	36
PID 2052 wrote to memory of 768	2052	WeChatAppEx.exe	36
PID 2052 wrote to memory of 768	2052	WeChatAppEx.exe	36
PID 2052 wrote to memory of 768	2052	WeChatAppEx.exe	36
PID 2052 wrote to memory of 768	2052	WeChatAppEx.exe	36
PID 2052 wrote to memory of 768	2052	WeChatAppEx.exe	36
PID 2052 wrote to memory of 768	2052	WeChatAppEx.exe	36
PID 2052 wrote to memory of 768	2052	WeChatAppEx.exe	36
PID 2052 wrote to memory of 768	2052	WeChatAppEx.exe	36
PID 2052 wrote to memory of 768	2052	WeChatAppEx.exe	36
PID 2052 wrote to memory of 768	2052	WeChatAppEx.exe	36
PID 2052 wrote to memory of 768	2052	WeChatAppEx.exe	36
PID 2052 wrote to memory of 768	2052	WeChatAppEx.exe	36
PID 2052 wrote to memory of 768	2052	WeChatAppEx.exe	36
PID 2052 wrote to memory of 768	2052	WeChatAppEx.exe	36
PID 2052 wrote to memory of 768	2052	WeChatAppEx.exe	36
PID 2052 wrote to memory of 768	2052	WeChatAppEx.exe	36
PID 2052 wrote to memory of 768	2052	WeChatAppEx.exe	36
PID 2052 wrote to memory of 768	2052	WeChatAppEx.exe	36
PID 2052 wrote to memory of 768	2052	WeChatAppEx.exe	36
PID 2052 wrote to memory of 768	2052	WeChatAppEx.exe	36
PID 2052 wrote to memory of 768	2052	WeChatAppEx.exe	36
PID 2052 wrote to memory of 768	2052	WeChatAppEx.exe	36
PID 2052 wrote to memory of 768	2052	WeChatAppEx.exe	36
PID 2052 wrote to memory of 2932	2052	WeChatAppEx.exe	37
PID 2052 wrote to memory of 2932	2052	WeChatAppEx.exe	37
PID 2052 wrote to memory of 2932	2052	WeChatAppEx.exe	37
PID 2052 wrote to memory of 2932	2052	WeChatAppEx.exe	37
PID 2052 wrote to memory of 2932	2052	WeChatAppEx.exe	37
PID 2052 wrote to memory of 2932	2052	WeChatAppEx.exe	37
PID 2052 wrote to memory of 2932	2052	WeChatAppEx.exe	37
PID 2052 wrote to memory of 2932	2052	WeChatAppEx.exe	37
PID 2052 wrote to memory of 2932	2052	WeChatAppEx.exe	37
PID 2052 wrote to memory of 2932	2052	WeChatAppEx.exe	37
PID 2052 wrote to memory of 2932	2052	WeChatAppEx.exe	37
PID 2052 wrote to memory of 2932	2052	WeChatAppEx.exe	37
PID 2052 wrote to memory of 2932	2052	WeChatAppEx.exe	37
PID 2052 wrote to memory of 2932	2052	WeChatAppEx.exe	37
PID 2052 wrote to memory of 2932	2052	WeChatAppEx.exe	37
PID 2052 wrote to memory of 2932	2052	WeChatAppEx.exe	37
PID 2052 wrote to memory of 2932	2052	WeChatAppEx.exe	37
PID 2052 wrote to memory of 2932	2052	WeChatAppEx.exe	37
PID 2052 wrote to memory of 2932	2052	WeChatAppEx.exe	37
PID 2052 wrote to memory of 2932	2052	WeChatAppEx.exe	37
PID 2052 wrote to memory of 2932	2052	WeChatAppEx.exe	37

C:\Users\Admin\AppData\Local\Temp\[3.9.11.19]\WeChat.exe
"C:\Users\Admin\AppData\Local\Temp\[3.9.11.19]\WeChat.exe"
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Loads dropped DLL
- Enumerates system info in registry
- Modifies registry class
- Modifies system certificate store
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:3060
- C:\Users\Admin\AppData\Local\Temp\[3.9.11.19]\mmcrashpad_handler64.exe
  C:\Users\Admin\AppData\Local\Temp\[3.9.11.19]\mmcrashpad_handler64.exe --no-rate-limit --database=C:\Users\Admin\AppData\Roaming\Tencent\WeChat\crash --annotation=crash_notify=1 "--annotation=ext_info={\"app_call_name\":\"微信\",\"app_name\":\"WechatWindows\",\"app_path\":\"C:\\Users\\Admin\\AppData\\Local\\Temp\\[3.9.11.19]\\WeChat.exe\",\"dwbuild\":\"19\",\"log_path\":\"C:\\Users\\Admin\\AppData\\Roaming\\Tencent\\WeChat\\crash\",\"major_ver\":\"3\",\"minor_ver\":\"2\",\"module_name\":\"Wechat_Windows\",\"modules_dir\":\"C:\\Users\\Admin\\AppData\\Local\\Temp\\[3.9.11.19]\",\"product\":\"WECHAT\",\"report_type\":\"9999\",\"restart_app_cmd\":\"\",\"upload_choice\":\"3\",\"version\":\"1661537043\"}" --annotation=log_path=C:\Users\Admin\AppData\Roaming\Tencent\WeChat\crash --annotation=product=WECHAT --initial-client-data=0x2bc,0x2c0,0x2c4,0x2c8,0x2b8,0x2cc,0x7fef381e3f8,0x7fef381e438,0x7fef381e468
  2⤵
  PID:2224
- C:\Users\Admin\AppData\Roaming\Tencent\WeChat\XPlugin\Plugins\RadiumWMPF\9129\extracted\runtime\WeChatAppEx.exe
  "C:\Users\Admin\AppData\Roaming\Tencent\WeChat\XPlugin\Plugins\RadiumWMPF\9129\extracted\runtime\WeChatAppEx.exe" --log-level=2 --helper-handle-value=263980005 --wechat-files-path="C:\Users\Admin\Documents\WeChat Files\\" --product-id=1000 --wechat-sub-user-agent="MicroMessenger/7.0.20.1781(0x6700143B) WindowsWechat(0x63090b13)" --wmpf_extra_config="{ \"reportId\":-1, \"version\":9129 }" --web-translate --client_version=1661537043 --mojo-platform-channel-handle=2476
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Checks processor information in registry
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2052
- - C:\Users\Admin\AppData\Roaming\Tencent\WeChat\XPlugin\Plugins\RadiumWMPF\9129\extracted\runtime\WechatAppEx.exe
    C:\Users\Admin\AppData\Roaming\Tencent\WeChat\XPlugin\Plugins\RadiumWMPF\9129\extracted\runtime\WechatAppEx.exe --type=crashpad-handler --no-rate-limit --database=C:\Users\Admin\AppData\Roaming\Tencent\WeChat\radium\web\crash --annotation=crash_notify=0 "--annotation=ext_info={\"app_call_name\":\"\",\"app_path\":\"\",\"ext_param1\":\"2.1.1.9129\",\"log_path\":\"C:\\Users\\Admin\\AppData\\Roaming\\Tencent\\WeChat\\radium\\web\\crash\",\"module_name\":\"XWeb_Windows\",\"modules_dir\":\"C:\\Users\\Admin\\AppData\\Roaming\\Tencent\\WeChat\\XPlugin\\Plugins\\RadiumWMPF\\9129\\extracted\\runtime\",\"product\":\"browser\",\"report_type\":\"9999\",\"restart_app_cmd\":\"\",\"upload_choice\":\"1\",\"version\":\"1661537043\"}" --annotation=log_path=C:\Users\Admin\AppData\Roaming\Tencent\WeChat\radium\web\crash --annotation=product=browser --initial-client-data=0x3ac,0x3b0,0x3b4,0x3b8,0x3a8,0x3bc,0x14a7b61d8,0x14a7b6218,0x14a7b6248
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Checks processor information in registry
    PID:1692
- - C:\Users\Admin\AppData\Roaming\Tencent\WeChat\XPlugin\Plugins\RadiumWMPF\9129\extracted\runtime\WeChatAppEx.exe
    "C:\Users\Admin\AppData\Roaming\Tencent\WeChat\XPlugin\Plugins\RadiumWMPF\9129\extracted\runtime\WeChatAppEx.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=zh-CN --service-sandbox-type=none --ignore-certificate-errors --log-level=2 --ignore-certificate-errors --client_version=1661537043 --product-id=1000 --log-level=2 --disable-mojo-broker --mojo-platform-channel-handle=1624 --field-trial-handle=1628,i,9500943828937215479,16314745593489460344,262144 --enable-features=NetworkServiceMemoryCache,OverlayScrollbar,WebPredictor,WinSboxAllowSystemFonts,XWorker --disable-features=AudioServiceOutOfProcess,AutoupgradeMixedContent,BackForwardCache,DigitalGoodsApi,NotificationTriggers,PeriodicBackgroundSync,Portals,TFLiteLanguageDetectionEnabled,Vulkan,WebOTP /prefetch:8
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Checks processor information in registry
    PID:2320
- - C:\Users\Admin\AppData\Roaming\Tencent\WeChat\XPlugin\Plugins\RadiumWMPF\9129\extracted\runtime\WeChatAppEx.exe
    "C:\Users\Admin\AppData\Roaming\Tencent\WeChat\XPlugin\Plugins\RadiumWMPF\9129\extracted\runtime\WeChatAppEx.exe" --type=gpu-process --log-level=2 --client_version=1661537043 --product-id=1000 --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAAAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --log-level=2 --disable-mojo-broker --mojo-platform-channel-handle=1616 --field-trial-handle=1628,i,9500943828937215479,16314745593489460344,262144 --enable-features=NetworkServiceMemoryCache,OverlayScrollbar,WebPredictor,WinSboxAllowSystemFonts,XWorker --disable-features=AudioServiceOutOfProcess,AutoupgradeMixedContent,BackForwardCache,DigitalGoodsApi,NotificationTriggers,PeriodicBackgroundSync,Portals,TFLiteLanguageDetectionEnabled,Vulkan,WebOTP /prefetch:2
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Checks processor information in registry
    PID:768
- - C:\Users\Admin\AppData\Roaming\Tencent\WeChat\XPlugin\Plugins\RadiumWMPF\9129\extracted\runtime\WeChatAppEx.exe
    "C:\Users\Admin\AppData\Roaming\Tencent\WeChat\XPlugin\Plugins\RadiumWMPF\9129\extracted\runtime\WeChatAppEx.exe" --type=gpu-process --log-level=2 --client_version=1661537043 --product-id=1000 --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAAAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --use-gl=angle --use-angle=swiftshader-webgl --log-level=2 --disable-mojo-broker --mojo-platform-channel-handle=1776 --field-trial-handle=1628,i,9500943828937215479,16314745593489460344,262144 --enable-features=NetworkServiceMemoryCache,OverlayScrollbar,WebPredictor,WinSboxAllowSystemFonts,XWorker --disable-features=AudioServiceOutOfProcess,AutoupgradeMixedContent,BackForwardCache,DigitalGoodsApi,NotificationTriggers,PeriodicBackgroundSync,Portals,TFLiteLanguageDetectionEnabled,Vulkan,WebOTP /prefetch:2
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Checks processor information in registry
    PID:2932

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Subvert Trust Controls

T1553

Install Root Certificate

T1553.004

Virtualization/Sandbox Evasion

T1497

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Virtualization/Sandbox Evasion

T1497

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\698460A0B6E60F2F602361424D832905_8BB23D43DE574E82F2BEE0DF0EC47EEB

Filesize
471B

MD5
20782d2c8ec7aabb58a7ecfefc9c5d54

SHA1
951c438b3aadb19a52e3cbf4777228862a5b583d

SHA256
bf0c61e25f434bc08be2a0a559d2be3fcc79613a1f1e03e13b26ab69e03ba076

SHA512
6e11c3aac7705e6e9a6f14af6d5a72352d53725b83f0cfaa5426baeae720b3caaa7df782a5754819a3b664cd05fbd662c749f2fb25d46d9d022fd161d2d487ca

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\8EC9B1D0ABBD7F98B401D425828828CE_837D0571916000821A35A6BC6DEA7DBF

Filesize
727B

MD5
8af0d784bc7b326408b525b00279bf7b

SHA1
0e237649ce35369f61b8884c441e33eb3a2ed694

SHA256
c93019d576d2e4449d5fc34c931da70c3b1535fbe69fce892267f2f85c857b25

SHA512
e1e0ee9b5031ad2a8fd031c5aabc3ee1611ac04e5c26b6e38d856a33ebc57fa22341c63ee01810e77f6a34a13929a11d4f87b0baccee55912cb80e381ac27f54

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\C8E534EE129F27D55460CE17FD628216_1130D9B25898B0DB0D4F04DC5B93F141

Filesize
727B

MD5
f25d7a8f1e6007e05df6b34bc8b89fa4

SHA1
f4e02d2aed168a9e80ac9851be92f707fabfa6fb

SHA256
55f37c481e375f028c6d4c393e106352f86b5770e7d4b52524dd944e03d6ac12

SHA512
bbfd02becb563730712b10efeb3916a2a92d29c408682cff9dc5d9b7c58f787ab47ec2e9d314a7f8808d165bc969bdc2f01333c5822e555d88a0c833567fc81c

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\698460A0B6E60F2F602361424D832905_8BB23D43DE574E82F2BEE0DF0EC47EEB

Filesize
400B

MD5
9a68d0e691a8440ccef1a4e0549f08bd

SHA1
cf304af6081490b59a12e37cc3c95f0cbc0a3716

SHA256
570562b0711a9e823d685024e4515fcc04539dfdf6262d38f9659221e2e9ad36

SHA512
fe0cddff15a157dec9681f3e2972dc80e68452e1f90216535aaff25242cb8f2d7d118f4e728742c69a8ec7912985b80f4aff496348ad3f6e109dd89083547d2f

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\8EC9B1D0ABBD7F98B401D425828828CE_837D0571916000821A35A6BC6DEA7DBF

Filesize
404B

MD5
a1def503b8689902fbe6deca8f437d14

SHA1
5ffa1f7ec3462026f1f0cf4a4625aed09b13c8fe

SHA256
ea9d7a88e2d4d2b8921584adf906fc2a193f5b4a2206c9a05d43def8c3359300

SHA512
a2cbd697af21dcbb73de75839a55c9b8b624b034a813af40128ffd921d1eaf8f398e16b4766109ea65eb6c35076eee1c83891841afa0ebf46f28a966622af77f

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
7e0b3e0b53eca72bce98d15629d7c9ff

SHA1
58f2214bb2248c6a9d6078bd0cf168a56e3bfaed

SHA256
7bdaea0b19eebbb9864721bcf0a512dd1d309917ba38ac720e0fffd7e3c06f92

SHA512
2d1d09faac9c04ab0808113aadb5a5735ca976dad5cb2d7ef6e5e293063eb7a1f6c52e73989910c4fd4f11bb77093a7e911ee4dab010d908d1e5d1789f7cf955

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
d50f5750b589543476addace472ada09

SHA1
bd191ec744445ef8b1f5b9d189c5ed306e569a1e

SHA256
ac2d705d12856801c252da7708dbe527ebeb69fff1155d9bd7075213cb2bb570

SHA512
fdb82f693e425b969269672843ded8d807e79ff8e13776f349a49ba716dea9e04bb9080ec3623334efd60fb32b921d9c83944a20aef60e59fc6629999f9f04e1

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
cb86fba5cb18cdb2be6a00ae85226e24

SHA1
a0271e7a7a5b0fc7a2bf0324c31e4cdd99a83afc

SHA256
4f59cd81cf01759c56b9a7d11fa61322a40c7f30e29029402be3f7b01bb05a70

SHA512
6ec5a85ae348f9b289c93ed1facbc3790f2b0e2fb04318a468239b105c14a4613f0a71de1689b83fdb67f90967ead3f8f35ba2e323ec87ced66297b30e232c8e

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\C8E534EE129F27D55460CE17FD628216_1130D9B25898B0DB0D4F04DC5B93F141

Filesize
412B

MD5
0d6af7a9c57ba5f70f3fafbcba10acfd

SHA1
6135df48406d7fd8824e78a22e2ee85030e1678e

SHA256
4ad6b800835cd36b0413339fa28fc757146b18bffb588f7a04c80a2ebe6bfa30

SHA512
f1cf68f65523643328820b2f2902025977861dad16409837ecc0da7d9b4ca57cf4c67abf8fd3e3e2fdd9cf867d709cc20df1b601876bde36a20b62047cca74ae

Download Submit
C:\Users\Admin\AppData\Local\Temp\CabE043.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\TarE1DC.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
C:\Users\Admin\AppData\Roaming\Tencent\WeChat\XPlugin\Plugins\RadiumWMPF\9129\extracted\runtime\icudtl.dat

Filesize
10.1MB

MD5
62880b7d351a9f547b62b8da6c97ce25

SHA1
057f11003013cfb3f1c63e6bdd4f2f9949ff0104

SHA256
7c40c811d30d459dbf04a04c141b60eb4247cd58a008fb836605317df665748f

SHA512
0d6f83175a91d90f4cc3ec4d9071b7acd0cd8ebbcc592322e46fde2adb7198e035af62c45a11a622f2a908e26d4dd8b8d1af023e634a74d0824d02c791ba3c1a

Download Submit
C:\Users\Admin\AppData\Roaming\Tencent\WeChat\XPlugin\Plugins\RadiumWMPF\9129\extracted\runtime\locales\zh-CN.pak

Filesize
179KB

MD5
e91e56b3e5f7e4faf023cb60cf23f42c

SHA1
42a6b324620e13168567c5fcde3d3c06abbc11ec

SHA256
4f8420e5e9ccc7800d7b308809594afcb3a78494faf9a6a6f41fefac8106684a

SHA512
5e0491b8ffe6e4181f44a74958bbeeeaea948da9a1c4d849261c1051fecfad83a25e9973499be087c0d83085e3650ba9eca064b0cc9de5ecdbe15f98410273d3

Download Submit
C:\Users\Admin\AppData\Roaming\Tencent\WeChat\XPlugin\Plugins\RadiumWMPF\9129\extracted\runtime\v8_context_snapshot.bin

Filesize
582KB

MD5
7de432e3cef399a79cc2a6a30415d5c0

SHA1
88b7792bbfbef3c64cd8a155875348279faddfa6

SHA256
25851c7b84d6a7f4a723e9a5d9ad6d7bcebe3d2205416127f183ead6a1431582

SHA512
f8a6c84903e8369e781761a417a45c67be9b5f3e28007c7ea80b487ed9fbf15b095d7eff274eb800dfe112af5cc957f06df254bcf6d0fb5da39dca083931ce79

Download Submit
C:\Users\Admin\AppData\Roaming\Tencent\WeChat\XPlugin\Plugins\RadiumWMPF\9129\extracted\runtime\wmpf_100_percent.pak

Filesize
1.3MB

MD5
39c5cec8fd9f3ef620c4d35770ce2d24

SHA1
ade3245d10f3d2f826035a97bc835a2f9078770a

SHA256
9ebda78dd4a6b6c5f10942f1a9fba39a947fa70ef5d7e10ab0821f5427f89c26

SHA512
5e603ed71c9b9e94372df1a06be669bde814838a8ee602f93600ec80cfa75d2fb4bb90faa979708c4b3c18a05ccd8e139b7ad7a7dbc85ee2a0fa5e0c108b44d1

Download Submit
C:\Users\Admin\AppData\Roaming\Tencent\WeChat\XPlugin\Plugins\RadiumWMPF\9129\extracted\runtime\wmpf_200_percent.pak

Filesize
1.5MB

MD5
c62d68860fbd3caeb667dcde7b0aee43

SHA1
3792283f559af312541a761e3ec4dd55a93f9c7a

SHA256
ae7b81add4db941522de8d64ad245d1ef44f265ff5e09c98c4beec0712c53ad1

SHA512
9cc0ad9a1cb6d7f4e060299b2185e0878ba0e3021649cdc5790851a995456fb9d465a453823e14847b240df64cf80e87ae8e7b8e563184dfbb6c9b73030c7f0f

Download Submit
C:\Users\Admin\AppData\Roaming\Tencent\WeChat\XPlugin\Plugins\RadiumWMPF\9129\extracted\runtime\wmpf_resources.pak

Filesize
15.3MB

MD5
bfe5ec4f37be87078b25ec493556cb59

SHA1
067808488460373098f034e6e12c9c6518c296d5

SHA256
71da4e340d3d6036d7dce94b0a797aab05eae8f840852cd7e94c5e742abb3513

SHA512
a72b3ef7f4c648338b04a30b3106b81ab2a1c621e316d9312c85795899ee8a1e77e19cb91c911b4b8ae3beb543c33033744dcd9c95c861192fa70703004131b9

Download Submit
C:\Users\Admin\AppData\Roaming\Tencent\WeChat\XPlugin\Plugins\RadiumWMPF\9129\extracted\runtime\xweb_elf.dll

Filesize
1.3MB

MD5
ae0d7f602b0f65b444012b68a3efbace

SHA1
f264e0878fbd60eb3df79151fc44a0fe7e2bef10

SHA256
240b4f3823f24dcd8bd212cbbbf0391f8bbb9fe215f2d83f4122d5251bce8167

SHA512
238db671124621b009bf1979e81bcfdf6cdb8a43a28ade1699a5182c8632f05f485c1f358fda0eb1815dd54b5b99d3fe432eb04b9d0ca94bb3ebe29f0046b48d

Download Submit
C:\Users\Admin\AppData\Roaming\Tencent\WeChat\crash\settings.dat

Filesize
40B

MD5
998741bd442a1b6e9027ae9c16cc1286

SHA1
d3635b811bc9a50c760b7b1f9b22853aac947389

SHA256
473bb07a32821980fb4857e4ddd34ec3ed5c57925e3e293f390e3d5ff017be44

SHA512
eb758b8e8cf951047319fc8f7522d3128eaa956073938e10b2d9ae3edbb2704210e1a3ad8ca211aaae52494af2e0d1e4a629665111b3d61db0e737c5e2662483

Download Submit
C:\Users\Admin\AppData\Roaming\Tencent\WeChat\log\MM_20240710.xlog

Filesize
74KB

MD5
4b265d0a59807dff04fd8aa7238a83d9

SHA1
45e7c187535c3f6728e71bf46812aacfa2e6df2f

SHA256
e10139be7f605549ca46eaadd06a64495f6d25d1506ff7ef33e8cc4abf7a98d6

SHA512
26e55fe710d86b7e06213df199165806bc03106a6c8dc1c9f7f34e3c4dc3e89791b334178700dfde39d847bee6633d45f798300c1eabc8330c27ed492378061d

Download Submit
\Users\Admin\AppData\Roaming\Tencent\WeChat\XPlugin\Plugins\RadiumWMPF\9129\extracted\host\wmpf_host_export_x64.dll

Filesize
2.2MB

MD5
b40939c7bc8aee66e769270fd95098c7

SHA1
89561e56c2e8e675ff91f855a4932e77a01a0dc7

SHA256
b1d14f9ef577e623a86a526243bed3b2cc6ef6beaeb9f9b5f4f892c4c26f624f

SHA512
7e8623757ff22908502605aecc8ec14c5398983a0ddadb724724be68652d0b11c7263e543e34bb5eaa68b5604934ab7baeff7042f5292546669527cef57a6e10

Download Submit
\Users\Admin\AppData\Roaming\Tencent\WeChat\XPlugin\Plugins\RadiumWMPF\9129\extracted\runtime\ComponentVerification.dll

Filesize
177KB

MD5
0d75a290e23672b0cacb6765fe7d5bbf

SHA1
a3c2bc04dfda36c307872fd6479786aba743d4eb

SHA256
e8930e3fbc53804235e429311b708b09d0865017ca38af8b976cc02bf9fd2e9c

SHA512
b05c85a4f73f17d677fbadd6dba0b9c111aa366eebe68f64b6d6c7f1e4b532c4ae45365d2076feba4368726a996159663e31536b0dd6b5df8939fc7412a19bc4

Download Submit
\Users\Admin\AppData\Roaming\Tencent\WeChat\XPlugin\Plugins\RadiumWMPF\9129\extracted\runtime\WXAMSDK.dll

Filesize
10.5MB

MD5
cf7010a4e2bdf8d5edda4f8e262d0376

SHA1
ea9e3e65492b952570d0e2b283520b950c60f4dc

SHA256
7298dc73774caf86ce1dea83570414ff0fe6156854119c6f286d248fb49dc04e

SHA512
0962bb107c83cd5bc6f67e63c5eb9aef2192c11bb1494efe056153e3aa1c934f7a6f681f88fd378af626bd6173aea6a68790fcb1d6e9330ab45b323a41d9f0f4

Download Submit
\Users\Admin\AppData\Roaming\Tencent\WeChat\XPlugin\Plugins\RadiumWMPF\9129\extracted\runtime\d3dcompiler_47.dll

Filesize
4.7MB

MD5
a7b7470c347f84365ffe1b2072b4f95c

SHA1
57a96f6fb326ba65b7f7016242132b3f9464c7a3

SHA256
af7b99be1b8770c0e4d18e43b04e81d11bdeb667fa6b07ade7a88f4c5676bf9a

SHA512
83391a219631f750499fd9642d59ec80fb377c378997b302d10762e83325551bb97c1086b181fff0521b1ca933e518eab71a44a3578a23691f215ebb1dce463d

Download Submit
\Users\Admin\AppData\Roaming\Tencent\WeChat\XPlugin\Plugins\RadiumWMPF\9129\extracted\runtime\ffmpeg.dll

Filesize
2.8MB

MD5
58f020c5255c67b2a5bbc7b26040cbbd

SHA1
b8745dc4fd62d3f5dde72579ead044a8a15885f2

SHA256
2408e9f4393e8eb1fc086c37d2819fb45d51605a1fe889c7685a2d8e87e25096

SHA512
4e719c51d68b49abbc4c49edefb67faa734a04eb256527a533bbdbcaa3ddd7e926ed6ccbd3d1de2e863b937b65b9cde846db39409e1bcec30cb96a846e721ecd

Download Submit
\Users\Admin\AppData\Roaming\Tencent\WeChat\XPlugin\Plugins\RadiumWMPF\9129\extracted\runtime\ilink2.dll

Filesize
6.2MB

MD5
fc282b9c0aa206bf34da78b1b049007a

SHA1
a1a531a716176a653122f4d11cd1d8481fe1462e

SHA256
d7a5d0dd4e90e649bd99a906b7dfa77dc97bd71966e37f4b4e9cbdec8e94ee02

SHA512
19cb2f8e4e0532eed8dc868a2a45581d299069526197b61d4b30a03e3a3013bad7d29a710e714080287c62228399c4e6f9413ca0094c3ee794a6ffd15218fcda

Download Submit
\Users\Admin\AppData\Roaming\Tencent\WeChat\XPlugin\Plugins\RadiumWMPF\9129\extracted\runtime\libEGL.dll

Filesize
477KB

MD5
e381309379d235116340a16c2cc745fa

SHA1
13624426770cf860b4c6ade31525c33e72fbbb55

SHA256
d21952a8255f306f2bfc31e6da452ac1e4714ba76bd0384491ac72a9d84fc871

SHA512
08fe7be13f4e5054f4e8b4067a1231e68618a18866115623a4cc407c098b6c547cff86f6d07445d91f5a3b5ff9cc02e499b124f02e4135cfbc5da9cfc7c8a13f

Download Submit
\Users\Admin\AppData\Roaming\Tencent\WeChat\XPlugin\Plugins\RadiumWMPF\9129\extracted\runtime\libGLESv2.dll

Filesize
7.1MB

MD5
29a0349ac0c14b5ef70bc1ddfb61321b

SHA1
c7d0bd7b74cbe2a3740d55a76eb35569a87e9cae

SHA256
c80543ccc5d7f2561ad2fff83eb08887c6ecb654eb3c49e449237f5b610378a4

SHA512
c802e88ed2a6a135d9ffa1231593e68588488942f6b7665157a88b0f459fba89c824f557418535016493e69ca12fc3c2f7e643468f24adcc7586624eb26373e3

Download Submit
\Users\Admin\AppData\Roaming\Tencent\WeChat\XPlugin\Plugins\RadiumWMPF\9129\extracted\runtime\owl.dll

Filesize
1.1MB

MD5
cf6121452909699caefff77cd0086cf9

SHA1
a52ff34376b860d1e408962774129971c431e8da

SHA256
2c48d500c518f8ba751754228d406212141c22192d23c8a6d424fcf552cf696d

SHA512
07824e2ba2b99fa70cb98bc9b7a7b856e4900da965b73fde5f7048c74027687cae6d4137ed1dc08e9fdf2adb884b9763822aa06b694f2cd9e4842cd4529b1a5c

Download Submit
memory/768-264-0x0000000000060000-0x0000000000061000-memory.dmp

Filesize
4KB

Download
memory/2052-214-0x000007FEBDAC0000-0x000007FEBDAD0000-memory.dmp

Filesize
64KB

Download