Windows Analysis Report
amneziawg-amd64-1.0.0.msi

Overview

General Information

Sample name: amneziawg-amd64-1.0.0.msi
Analysis ID: 1532532
MD5: 820f2d66357f5c1d986cbc1a41116d31
SHA1: afc5b70d421b55fc6500698d90f1a4b4a030ce11
SHA256: 0f1172401ee28d8bfd15ebd4818e64b6001cd38e04d81ab1d096010eba40c9dc
Tags: msi, user-Bacn

Detection

Score: 72
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Yara detected UAC Bypass using CMSTP
Adds / modifies Windows certificates
Checks for available system drives (often done to infect USB drives)
Creates a process in suspended mode (likely to inject code)
Creates files inside the system directory
Deletes files inside the Windows folder
Drops PE files
Drops PE files to the windows directory (C:\Windows)
Found dropped PE file which has not been started or loaded
Installs a raw input device (often for capturing keystrokes)
Launches processes in debugging mode, may be used to hinder debugging
PE file contains executable resources (Code or Archives)
PE file contains sections with non-standard names
Queries the volume information (name, serial number etc) of a device
Stores files to the Windows start menu directory
Uses code obfuscation techniques (call, push, ret)
Yara signature match

AV Detection

Source: C:\Program Files\AmneziaWG\awg.exe Virustotal: Detection: 9%
Source: amneziawg-amd64-1.0.0.msi Virustotal: Detection: 12%

Exploits

Source: Yara match File source: 5.2.amneziawg.exe.120000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 6.0.amneziawg.exe.120000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 6.2.amneziawg.exe.120000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.0.amneziawg.exe.120000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.0.amneziawg.exe.120000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 8.0.amneziawg.exe.120000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.2.amneziawg.exe.120000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 8.2.amneziawg.exe.120000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000007.00000002.3303353863.0000000000412000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000000.2085370840.0000000000412000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000000.2107191861.0000000000412000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000002.2120585281.0000000000412000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match File source: 00000008.00000002.3303350962.0000000000412000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000000.2112674274.0000000000412000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match File source: 00000008.00000000.2115401680.0000000000412000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000002.2113037984.0000000000412000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: amneziawg.exe PID: 2888, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: amneziawg.exe PID: 5972, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: amneziawg.exe PID: 7172, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: amneziawg.exe PID: 7236, type: MEMORYSTR
Source: Yara match File source: C:\Program Files\AmneziaWG\amneziawg.exe, type: DROPPED
Source: C:\Windows\System32\msiexec.exe Directory created: C:\Program Files\AmneziaWG
Source: C:\Windows\System32\msiexec.exe Directory created: C:\Program Files\AmneziaWG\amneziawg.exe
Source: C:\Windows\System32\msiexec.exe Directory created: C:\Program Files\AmneziaWG\awg.exe
Source: C:\Windows\System32\msiexec.exe Directory created: C:\Program Files\AmneziaWG\wintun.dll
Source: C:\Program Files\AmneziaWG\amneziawg.exe Directory created: C:\Program Files\AmneziaWG\Data
Source: C:\Program Files\AmneziaWG\amneziawg.exe Directory created: C:\Program Files\AmneziaWG\Data\log.bin
Source: C:\Program Files\AmneziaWG\amneziawg.exe Directory created: C:\Program Files\AmneziaWG\Data\Configurations
Source: C:\Windows\System32\msiexec.exe Registry value created: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{58E70232-B95D-465F-878C-918D5D3FD706}
Source: Binary string: D:\nt-driver-builder\wintun-0.14\Release\arm64\driver\wintun.pdbGCTL source: wintun.dll.2.dr
Source: Binary string: C:\Users\Jason A. Donenfeld\Projects\wintun\Release\amd64\wintun.pdb source: wintun.dll.2.dr
Source: Binary string: D:\nt-driver-builder\wintun-0.14\Release\amd64\driver\wintun.pdb source: wintun.dll.2.dr
Source: Binary string: C:\Users\Jason A. Donenfeld\Projects\wintun\Release\arm64\setupapihost.pdb source: wintun.dll.2.dr
Source: Binary string: D:\nt-driver-builder\wintun-0.14\Release\amd64\driver\wintun.pdbGCTL source: wintun.dll.2.dr
Source: Binary string: D:\nt-driver-builder\wintun-0.14\Release\arm64\driver\wintun.pdb source: wintun.dll.2.dr
Source: C:\Windows\System32\msiexec.exe File opened: z:
Source: C:\Windows\System32\msiexec.exe File opened: x:
Source: C:\Windows\System32\msiexec.exe File opened: v:
Source: C:\Windows\System32\msiexec.exe File opened: t:
Source: C:\Windows\System32\msiexec.exe File opened: r:
Source: C:\Windows\System32\msiexec.exe File opened: p:
Source: C:\Windows\System32\msiexec.exe File opened: n:
Source: C:\Windows\System32\msiexec.exe File opened: l:
Source: C:\Windows\System32\msiexec.exe File opened: j:
Source: C:\Windows\System32\msiexec.exe File opened: h:
Source: C:\Windows\System32\msiexec.exe File opened: f:
Source: C:\Windows\System32\msiexec.exe File opened: b:
Source: C:\Windows\System32\msiexec.exe File opened: y:
Source: C:\Windows\System32\msiexec.exe File opened: w:
Source: C:\Windows\System32\msiexec.exe File opened: u:
Source: C:\Windows\System32\msiexec.exe File opened: s:
Source: C:\Windows\System32\msiexec.exe File opened: q:
Source: C:\Windows\System32\msiexec.exe File opened: o:
Source: C:\Windows\System32\msiexec.exe File opened: m:
Source: C:\Windows\System32\msiexec.exe File opened: k:
Source: C:\Windows\System32\msiexec.exe File opened: i:
Source: C:\Windows\System32\msiexec.exe File opened: g:
Source: C:\Windows\System32\msiexec.exe File opened: e:
Source: C:\Program Files\AmneziaWG\amneziawg.exe File opened: c:
Source: C:\Windows\System32\msiexec.exe File opened: a:
Source: wintun.dll.2.dr String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0
Source: wintun.dll.2.dr String found in binary or memory: http://cacerts.digicert.com/DigiCertEVCodeSigningCA-SHA2.crt0
Source: wintun.dll.2.dr String found in binary or memory: http://cacerts.digicert.com/DigiCertHighAssuranceEVRootCA.crt0
Source: wintun.dll.2.dr String found in binary or memory: http://cacerts.digicert.com/DigiCertSHA2AssuredIDTimestampingCA.crt0
Source: amneziawg-amd64-1.0.0.msi, MSIFF35.tmp.2.dr, MSIF83E.tmp.2.dr, awg.exe.2.dr, MSIFEE6.tmp.2.dr, amneziawg.exe.2.dr, MSIFF55.tmp.2.dr, MSIF78F.tmp.2.dr, 5cf62a.msi.2.dr, 5cf628.msi.2.dr, MSIF83D.tmp.2.dr, MSIF7DE.tmp.2.dr String found in binary or memory: http://crl.comodoca.com/AAACertificateServices.crl04
Source: amneziawg-amd64-1.0.0.msi, MSIFF35.tmp.2.dr, MSIF83E.tmp.2.dr, awg.exe.2.dr, MSIFEE6.tmp.2.dr, amneziawg.exe.2.dr, MSIFF55.tmp.2.dr, MSIF78F.tmp.2.dr, 5cf62a.msi.2.dr, 5cf628.msi.2.dr, MSIF83D.tmp.2.dr, MSIF7DE.tmp.2.dr String found in binary or memory: http://crl.sectigo.com/SectigoPublicCodeSigningCAR36.crl0y
Source: amneziawg-amd64-1.0.0.msi, MSIFF35.tmp.2.dr, MSIF83E.tmp.2.dr, awg.exe.2.dr, MSIFEE6.tmp.2.dr, amneziawg.exe.2.dr, MSIFF55.tmp.2.dr, MSIF78F.tmp.2.dr, 5cf62a.msi.2.dr, 5cf628.msi.2.dr, MSIF83D.tmp.2.dr, MSIF7DE.tmp.2.dr String found in binary or memory: http://crl.sectigo.com/SectigoPublicCodeSigningRootR46.crl0
Source: amneziawg-amd64-1.0.0.msi, MSIFF35.tmp.2.dr, MSIF83E.tmp.2.dr, awg.exe.2.dr, MSIFEE6.tmp.2.dr, amneziawg.exe.2.dr, MSIFF55.tmp.2.dr, MSIF78F.tmp.2.dr, 5cf62a.msi.2.dr, 5cf628.msi.2.dr, MSIF83D.tmp.2.dr, MSIF7DE.tmp.2.dr String found in binary or memory: http://crl.sectigo.com/SectigoPublicTimeStampingCAR36.crl0z
Source: amneziawg-amd64-1.0.0.msi, MSIFF35.tmp.2.dr, MSIF83E.tmp.2.dr, awg.exe.2.dr, MSIFEE6.tmp.2.dr, amneziawg.exe.2.dr, MSIFF55.tmp.2.dr, MSIF78F.tmp.2.dr, 5cf62a.msi.2.dr, 5cf628.msi.2.dr, MSIF83D.tmp.2.dr, MSIF7DE.tmp.2.dr String found in binary or memory: http://crl.sectigo.com/SectigoPublicTimeStampingRootR46.crl0
Source: wintun.dll.2.dr String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0P
Source: wintun.dll.2.dr String found in binary or memory: http://crl3.digicert.com/DigiCertHighAssuranceEVRootCA.crl0
Source: wintun.dll.2.dr String found in binary or memory: http://crl3.digicert.com/EVCodeSigningSHA2-g1.crl07
Source: wintun.dll.2.dr String found in binary or memory: http://crl3.digicert.com/sha2-assured-ts.crl02
Source: wintun.dll.2.dr String found in binary or memory: http://crl4.digicert.com/DigiCertAssuredIDRootCA.crl0:
Source: wintun.dll.2.dr String found in binary or memory: http://crl4.digicert.com/DigiCertHighAssuranceEVRootCA.crl0
Source: wintun.dll.2.dr String found in binary or memory: http://crl4.digicert.com/EVCodeSigningSHA2-g1.crl0K
Source: wintun.dll.2.dr String found in binary or memory: http://crl4.digicert.com/sha2-assured-ts.crl0
Source: amneziawg-amd64-1.0.0.msi, MSIFF35.tmp.2.dr, MSIF83E.tmp.2.dr, awg.exe.2.dr, MSIFEE6.tmp.2.dr, amneziawg.exe.2.dr, MSIFF55.tmp.2.dr, MSIF78F.tmp.2.dr, 5cf62a.msi.2.dr, 5cf628.msi.2.dr, MSIF83D.tmp.2.dr, MSIF7DE.tmp.2.dr String found in binary or memory: http://crt.sectigo.com/SectigoPublicCodeSigningCAR36.crt0#
Source: amneziawg-amd64-1.0.0.msi, MSIFF35.tmp.2.dr, MSIF83E.tmp.2.dr, awg.exe.2.dr, MSIFEE6.tmp.2.dr, amneziawg.exe.2.dr, MSIFF55.tmp.2.dr, MSIF78F.tmp.2.dr, 5cf62a.msi.2.dr, 5cf628.msi.2.dr, MSIF83D.tmp.2.dr, MSIF7DE.tmp.2.dr String found in binary or memory: http://crt.sectigo.com/SectigoPublicCodeSigningRootR46.p7c0#
Source: amneziawg-amd64-1.0.0.msi, MSIFF35.tmp.2.dr, MSIF83E.tmp.2.dr, awg.exe.2.dr, MSIFEE6.tmp.2.dr, amneziawg.exe.2.dr, MSIFF55.tmp.2.dr, MSIF78F.tmp.2.dr, 5cf62a.msi.2.dr, 5cf628.msi.2.dr, MSIF83D.tmp.2.dr, MSIF7DE.tmp.2.dr String found in binary or memory: http://crt.sectigo.com/SectigoPublicTimeStampingCAR36.crt0#
Source: amneziawg-amd64-1.0.0.msi, MSIFF35.tmp.2.dr, MSIF83E.tmp.2.dr, awg.exe.2.dr, MSIFEE6.tmp.2.dr, amneziawg.exe.2.dr, MSIFF55.tmp.2.dr, MSIF78F.tmp.2.dr, 5cf62a.msi.2.dr, 5cf628.msi.2.dr, MSIF83D.tmp.2.dr, MSIF7DE.tmp.2.dr String found in binary or memory: http://crt.sectigo.com/SectigoPublicTimeStampingRootR46.p7c0#
Source: amneziawg-amd64-1.0.0.msi, MSIFF35.tmp.2.dr, MSIF83E.tmp.2.dr, awg.exe.2.dr, MSIFEE6.tmp.2.dr, amneziawg.exe.2.dr, MSIFF55.tmp.2.dr, MSIF78F.tmp.2.dr, 5cf62a.msi.2.dr, 5cf628.msi.2.dr, MSIF83D.tmp.2.dr, MSIF7DE.tmp.2.dr String found in binary or memory: http://ocsp.comodoca.com0
Source: wintun.dll.2.dr String found in binary or memory: http://ocsp.digicert.com0C
Source: wintun.dll.2.dr String found in binary or memory: http://ocsp.digicert.com0H
Source: wintun.dll.2.dr String found in binary or memory: http://ocsp.digicert.com0I
Source: wintun.dll.2.dr String found in binary or memory: http://ocsp.digicert.com0O
Source: amneziawg-amd64-1.0.0.msi, MSIFF35.tmp.2.dr, MSIF83E.tmp.2.dr, awg.exe.2.dr, MSIFEE6.tmp.2.dr, amneziawg.exe.2.dr, MSIFF55.tmp.2.dr, MSIF78F.tmp.2.dr, 5cf62a.msi.2.dr, 5cf628.msi.2.dr, MSIF83D.tmp.2.dr, MSIF7DE.tmp.2.dr String found in binary or memory: http://ocsp.sectigo.com0
Source: wintun.dll.2.dr String found in binary or memory: http://www.digicert.com/CPS0
Source: wintun.dll.2.dr String found in binary or memory: http://www.digicert.com/ssl-cps-repository.htm0
Source: 5cf629.rbs.2.dr, MSIF83D.tmp.2.dr String found in binary or memory: https://amnezia.org/
Source: amneziawg.exe, 00000005.00000002.2117128652.000001BD54652000.00000004.00000020.00020000.00000000.sdmp, amneziawg.exe, 00000005.00000002.2114159941.00000000008C8000.00000002.00000001.01000000.00000003.sdmp, amneziawg.exe, 00000006.00000002.2121487836.00000000008C8000.00000002.00000001.01000000.00000003.sdmp, amneziawg.exe, 00000007.00000000.2113554513.00000000008C8000.00000002.00000001.01000000.00000003.sdmp, amneziawg.exe, 00000008.00000002.3304166869.00000000008C8000.00000002.00000001.01000000.00000003.sdmp, amneziawg.exe.2.dr String found in binary or memory: https://amnezia.org/D
Source: amneziawg.exe, 00000005.00000000.2085370840.0000000000412000.00000002.00000001.01000000.00000003.sdmp, amneziawg.exe, 00000006.00000002.2120585281.0000000000412000.00000002.00000001.01000000.00000003.sdmp, amneziawg.exe, 00000007.00000002.3303353863.0000000000412000.00000002.00000001.01000000.00000003.sdmp, amneziawg.exe, 00000008.00000002.3303350962.0000000000412000.00000002.00000001.01000000.00000003.sdmp, amneziawg.exe.2.dr String found in binary or memory: https://amnezia.org/wireguard-log-%s.txtTaskbarButtonCreatedreflect.Value.IsZeroreflect.Value.SetInt
Source: awg.exe.2.dr String found in binary or memory: https://git.zx2c4.com/wireguard-tools/
Source: amneziawg.exe, 00000005.00000002.2114586043.000000C00006F000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://sectigo.com/CPS
Source: amneziawg-amd64-1.0.0.msi, MSIFF35.tmp.2.dr, MSIF83E.tmp.2.dr, awg.exe.2.dr, MSIFEE6.tmp.2.dr, amneziawg.exe.2.dr, MSIFF55.tmp.2.dr, MSIF78F.tmp.2.dr, 5cf62a.msi.2.dr, 5cf628.msi.2.dr, MSIF83D.tmp.2.dr, MSIF7DE.tmp.2.dr String found in binary or memory: https://sectigo.com/CPS0
Source: amneziawg.exe, 00000005.00000002.2114586043.000000C00006F000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://sectigo.com/CPS2.23.140.1.4.1
Source: wintun.dll.2.dr String found in binary or memory: https://www.digicert.com/CPS0
Source: wintun.dll.2.dr String found in binary or memory: https://www.wintun.net/
Source: wintun.dll.2.dr String found in binary or memory: https://www.wintun.net/D
Source: awg.exe.2.dr String found in binary or memory: https://www.wireguard.com/D
Source: amneziawg.exe, 00000005.00000000.2085370840.0000000000412000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: FwpmEngineOpen0FwpmFreeMemory0handshakeZeroedGetModuleHandleclientCompositeSetActiveWindowwidget requiredCreatePopupMenuSysTabControl32ToolbarWindow32RegisterClassExExcludeClipRectGetEnhMetaFileWGetTextMetricsWPlayEnhMetaFileNotTrueTypeFontProfileNotFoundGdiplusShutdownGetThreadLocaleOleUninitializewglGetCurrentDCDragAcceptFilesCallWindowProcWCreateWindowExWDialogBoxParamWGetActiveWindowGetDpiForWindowGetMonitorInfoWGetRawInputDataInsertMenuItemWIsWindowEnabledPostQuitMessageSetWinEventHookTrackMouseEventWindowFromPointDrawThemeTextExzipinsecurepathjstmpllitinterptarinsecurepathx509usepoliciesinvalid pointerWintunSetLoggeravx512vpopcntdq&Save to file memstr_6095ac74-8

System Summary

Source: 5.2.amneziawg.exe.120000.0.unpack, type: UNPACKEDPE Matched rule: Detects Windows executables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 6.0.amneziawg.exe.120000.0.unpack, type: UNPACKEDPE Matched rule: Detects Windows executables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 6.2.amneziawg.exe.120000.0.unpack, type: UNPACKEDPE Matched rule: Detects Windows executables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 5.0.amneziawg.exe.120000.0.unpack, type: UNPACKEDPE Matched rule: Detects Windows executables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 7.0.amneziawg.exe.120000.0.unpack, type: UNPACKEDPE Matched rule: Detects Windows executables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 8.0.amneziawg.exe.120000.0.unpack, type: UNPACKEDPE Matched rule: Detects Windows executables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 7.2.amneziawg.exe.120000.0.unpack, type: UNPACKEDPE Matched rule: Detects Windows executables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 8.2.amneziawg.exe.120000.0.unpack, type: UNPACKEDPE Matched rule: Detects Windows executables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: C:\Program Files\AmneziaWG\amneziawg.exe, type: DROPPED Matched rule: Detects Windows executables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\5cf628.msi
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\MSIF78F.tmp
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\MSIF7DE.tmp
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\inprogressinstallinfo.ipi
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\SourceHash{58E70232-B95D-465F-878C-918D5D3FD706}
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\MSIF83D.tmp
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\MSIF83E.tmp
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\MSIFEE6.tmp
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\MSIFF35.tmp
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\MSIFF55.tmp
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\{58E70232-B95D-465F-878C-918D5D3FD706}
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\{58E70232-B95D-465F-878C-918D5D3FD706}\wireguard.ico
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\5cf62a.msi
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\MSI31F.tmp
Source: C:\Windows\System32\msiexec.exe File deleted: C:\Windows\Installer\MSIF78F.tmp
Source: wintun.dll.2.dr Static PE information: Resource name: RT_RCDATA type: PE32+ executable (DLL) (GUI) Aarch64, for MS Windows
Source: wintun.dll.2.dr Static PE information: Resource name: RT_RCDATA type: PE32+ executable (native) Aarch64, for MS Windows
Source: wintun.dll.2.dr Static PE information: Resource name: RT_RCDATA type: PE32+ executable (native) x86-64, for MS Windows
Source: 5.2.amneziawg.exe.120000.0.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows executables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 6.0.amneziawg.exe.120000.0.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows executables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 6.2.amneziawg.exe.120000.0.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows executables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 5.0.amneziawg.exe.120000.0.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows executables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 7.0.amneziawg.exe.120000.0.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows executables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 8.0.amneziawg.exe.120000.0.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows executables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 7.2.amneziawg.exe.120000.0.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows executables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 8.2.amneziawg.exe.120000.0.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows executables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: C:\Program Files\AmneziaWG\amneziawg.exe, type: DROPPED Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows executables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: classification engine Classification label: mal72.expl.winMSI@13/35@0/0
Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files\AmneziaWG
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\TEMP\~DF5120C57685445DB6.TMP
Source: C:\Program Files\AmneziaWG\amneziawg.exe File opened: C:\Windows\system32\4f6a5e4d20d21053916c13d658097deedd5efe8c912e9b275682258bd34d854bAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA Jump to behavior
Source: C:\Program Files\AmneziaWG\amneziawg.exe File opened: C:\Windows\system32\24ee177bc0079ec5221a8eaaa4f5f8e2e613ed67872cc4927a4f9e1e9b9f224eAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA Jump to behavior
Source: C:\Program Files\AmneziaWG\amneziawg.exe File opened: C:\Windows\system32\0669f6ab7787a1158133be85c67b76c9061938275ecc7f89568b7532bacf2b49AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA Jump to behavior
Source: C:\Program Files\AmneziaWG\amneziawg.exe File opened: C:\Windows\system32\1a37693da9e27d84abdcf8c0bd794905b469b01f8e5796b30225509014a7a85cAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA Jump to behavior
Source: C:\Windows\System32\msiexec.exe File read: C:\Program Files\desktop.ini
Source: C:\Windows\System32\msiexec.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\SystemCertificates\CA
Source: amneziawg-amd64-1.0.0.msi Static file information: TRID: Microsoft Windows Installer (60509/1) 88.31%
Source: amneziawg-amd64-1.0.0.msi Virustotal: Detection: 12%
Source: unknown Process created: C:\Windows\System32\msiexec.exe "C:\Windows\System32\msiexec.exe" /i "C:\Users\user\Desktop\amneziawg-amd64-1.0.0.msi"
Source: unknown Process created: C:\Windows\System32\msiexec.exe C:\Windows\system32\msiexec.exe /V
Source: C:\Windows\System32\msiexec.exe Process created: C:\Windows\System32\msiexec.exe C:\Windows\System32\MsiExec.exe -Embedding 737408F332C72DA581C627ECA815EDF4
Source: C:\Windows\System32\msiexec.exe Process created: C:\Windows\System32\msiexec.exe C:\Windows\System32\MsiExec.exe -Embedding 038BD3729F1160F66BF25AB2649B1B39 E Global\MSI0000
Source: C:\Windows\System32\msiexec.exe Process created: C:\Program Files\AmneziaWG\amneziawg.exe "C:\Program Files\AmneziaWG\amneziawg.exe"
Source: C:\Program Files\AmneziaWG\amneziawg.exe Process created: C:\Program Files\AmneziaWG\amneziawg.exe "C:\Program Files\AmneziaWG\amneziawg.exe" /installmanagerservice
Source: unknown Process created: C:\Program Files\AmneziaWG\amneziawg.exe "C:\Program Files\AmneziaWG\amneziawg.exe" /managerservice
Source: C:\Program Files\AmneziaWG\amneziawg.exe Process created: C:\Program Files\AmneziaWG\amneziawg.exe "C:\Program Files\AmneziaWG\amneziawg.exe" /ui 768 764 776 784
Source: C:\Windows\System32\msiexec.exe Section loaded: apphelp.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: aclayers.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: sfc.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: sfc_os.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: msi.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: srpapi.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: tsappcmp.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: uxtheme.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: textinputframework.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: coreuicomponents.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: coremessaging.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: ntmarta.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: wintypes.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: windows.storage.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: wldp.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: propsys.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: textshaping.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: netapi32.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: wkscli.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: netutils.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: msasn1.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: cryptsp.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: rsaenh.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: cryptbase.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: msisip.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: gpapi.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: version.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: mscoree.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: profapi.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: sspicli.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: msihnd.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: pcacli.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: mpr.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: apphelp.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: aclayers.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: sfc.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: sfc_os.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: msi.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: tsappcmp.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: userenv.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: profapi.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: sspicli.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: netapi32.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: wkscli.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: netutils.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: srclient.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: spp.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: powrprof.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: vssapi.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: vsstrace.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: umpdc.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: wldp.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: msasn1.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: cryptsp.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: rsaenh.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: cryptbase.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: msisip.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: gpapi.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: mscoree.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: version.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: ucrtbase_clr0400.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Section loaded: rstrtmgr.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Section loaded: ncrypt.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Section loaded: ntasn1.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Section loaded: windows.storage.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Section loaded: pcacli.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Section loaded: mpr.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Section loaded: ntmarta.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Section loaded: cabinet.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Section loaded: propsys.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Section loaded: linkinfo.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Section loaded: ntshrui.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Section loaded: srvcli.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Section loaded: cscapi.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Section loaded: winsta.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Section loaded: apphelp.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Section loaded: aclayers.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Section loaded: sfc.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Section loaded: sfc_os.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Section loaded: msi.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Section loaded: uxtheme.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Section loaded: apphelp.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Section loaded: aclayers.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Section loaded: sfc.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Section loaded: sfc_os.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Section loaded: msi.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Section loaded: uxtheme.dll Jump to behavior
Source: C:\Program Files\AmneziaWG\amneziawg.exe Section loaded: winmm.dll
Source: C:\Program Files\AmneziaWG\amneziawg.exe Section loaded: powrprof.dll
Source: C:\Program Files\AmneziaWG\amneziawg.exe Section loaded: umpdc.dll
Source: C:\Program Files\AmneziaWG\amneziawg.exe Section loaded: msasn1.dll
Source: C:\Program Files\AmneziaWG\amneziawg.exe Section loaded: cryptsp.dll
Source: C:\Program Files\AmneziaWG\amneziawg.exe Section loaded: rsaenh.dll
Source: C:\Program Files\AmneziaWG\amneziawg.exe Section loaded: cryptbase.dll
Source: C:\Program Files\AmneziaWG\amneziawg.exe Section loaded: windows.storage.dll
Source: C:\Program Files\AmneziaWG\amneziawg.exe Section loaded: wldp.dll
Source: C:\Program Files\AmneziaWG\amneziawg.exe Section loaded: kernel.appcore.dll
Source: C:\Program Files\AmneziaWG\amneziawg.exe Section loaded: uxtheme.dll
Source: C:\Program Files\AmneziaWG\amneziawg.exe Section loaded: propsys.dll
Source: C:\Program Files\AmneziaWG\amneziawg.exe Section loaded: profapi.dll
Source: C:\Program Files\AmneziaWG\amneziawg.exe Section loaded: edputil.dll
Source: C:\Program Files\AmneziaWG\amneziawg.exe Section loaded: urlmon.dll
Source: C:\Program Files\AmneziaWG\amneziawg.exe Section loaded: iertutil.dll
Source: C:\Program Files\AmneziaWG\amneziawg.exe Section loaded: srvcli.dll
Source: C:\Program Files\AmneziaWG\amneziawg.exe Section loaded: netutils.dll
Source: C:\Program Files\AmneziaWG\amneziawg.exe Section loaded: windows.staterepositoryps.dll
Source: C:\Program Files\AmneziaWG\amneziawg.exe Section loaded: sspicli.dll
Source: C:\Program Files\AmneziaWG\amneziawg.exe Section loaded: wintypes.dll
Source: C:\Program Files\AmneziaWG\amneziawg.exe Section loaded: appresolver.dll
Source: C:\Program Files\AmneziaWG\amneziawg.exe Section loaded: bcp47langs.dll
Source: C:\Program Files\AmneziaWG\amneziawg.exe Section loaded: slc.dll
Source: C:\Program Files\AmneziaWG\amneziawg.exe Section loaded: userenv.dll
Source: C:\Program Files\AmneziaWG\amneziawg.exe Section loaded: sppc.dll
Source: C:\Program Files\AmneziaWG\amneziawg.exe Section loaded: onecorecommonproxystub.dll
Source: C:\Program Files\AmneziaWG\amneziawg.exe Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Program Files\AmneziaWG\amneziawg.exe Section loaded: winmm.dll
Source: C:\Program Files\AmneziaWG\amneziawg.exe Section loaded: powrprof.dll
Source: C:\Program Files\AmneziaWG\amneziawg.exe Section loaded: umpdc.dll
Source: C:\Program Files\AmneziaWG\amneziawg.exe Section loaded: winmm.dll
Source: C:\Program Files\AmneziaWG\amneziawg.exe Section loaded: powrprof.dll
Source: C:\Program Files\AmneziaWG\amneziawg.exe Section loaded: umpdc.dll
Source: C:\Program Files\AmneziaWG\amneziawg.exe Section loaded: windows.storage.dll
Source: C:\Program Files\AmneziaWG\amneziawg.exe Section loaded: wldp.dll
Source: C:\Program Files\AmneziaWG\amneziawg.exe Section loaded: wtsapi32.dll
Source: C:\Program Files\AmneziaWG\amneziawg.exe Section loaded: winsta.dll
Source: C:\Program Files\AmneziaWG\amneziawg.exe Section loaded: userenv.dll
Source: C:\Program Files\AmneziaWG\amneziawg.exe Section loaded: profapi.dll
Source: C:\Program Files\AmneziaWG\amneziawg.exe Section loaded: sspicli.dll
Source: C:\Program Files\AmneziaWG\amneziawg.exe Section loaded: winmm.dll
Source: C:\Program Files\AmneziaWG\amneziawg.exe Section loaded: powrprof.dll
Source: C:\Program Files\AmneziaWG\amneziawg.exe Section loaded: umpdc.dll
Source: C:\Program Files\AmneziaWG\amneziawg.exe Section loaded: uxtheme.dll
Source: C:\Program Files\AmneziaWG\amneziawg.exe Section loaded: kernel.appcore.dll
Source: C:\Program Files\AmneziaWG\amneziawg.exe Section loaded: textshaping.dll
Source: C:\Program Files\AmneziaWG\amneziawg.exe Section loaded: windows.storage.dll
Source: C:\Program Files\AmneziaWG\amneziawg.exe Section loaded: wldp.dll
Source: C:\Program Files\AmneziaWG\amneziawg.exe Section loaded: windowscodecs.dll
Source: C:\Program Files\AmneziaWG\amneziawg.exe Section loaded: oleacc.dll
Source: C:\Program Files\AmneziaWG\amneziawg.exe Section loaded: textinputframework.dll
Source: C:\Program Files\AmneziaWG\amneziawg.exe Section loaded: coreuicomponents.dll
Source: C:\Program Files\AmneziaWG\amneziawg.exe Section loaded: coremessaging.dll
Source: C:\Program Files\AmneziaWG\amneziawg.exe Section loaded: ntmarta.dll
Source: C:\Program Files\AmneziaWG\amneziawg.exe Section loaded: coremessaging.dll
Source: C:\Program Files\AmneziaWG\amneziawg.exe Section loaded: wintypes.dll
Source: C:\Program Files\AmneziaWG\amneziawg.exe Section loaded: wintypes.dll
Source: C:\Program Files\AmneziaWG\amneziawg.exe Section loaded: wintypes.dll
Source: C:\Program Files\AmneziaWG\amneziawg.exe Section loaded: explorerframe.dll
Source: C:\Program Files\AmneziaWG\amneziawg.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{1f486a52-3cb1-48fd-8f50-b8dc300d9f9d}\InProcServer32
Source: AmneziaWG.lnk.2.dr LNK file: ..\..\..\..\..\Program Files\AmneziaWG\amneziawg.exe
Source: C:\Program Files\AmneziaWG\amneziawg.exe Window found: window name: SysTabControl32 Jump to behavior
Source: Window Recorder Window detected: More than 3 window changes detected
Source: C:\Program Files\AmneziaWG\amneziawg.exe Window detected: Number of UI elements: 15
Source: C:\Windows\System32\msiexec.exe Directory created: C:\Program Files\AmneziaWG
Source: C:\Windows\System32\msiexec.exe Directory created: C:\Program Files\AmneziaWG\amneziawg.exe
Source: C:\Windows\System32\msiexec.exe Directory created: C:\Program Files\AmneziaWG\awg.exe
Source: C:\Windows\System32\msiexec.exe Directory created: C:\Program Files\AmneziaWG\wintun.dll
Source: C:\Program Files\AmneziaWG\amneziawg.exe Directory created: C:\Program Files\AmneziaWG\Data
Source: C:\Program Files\AmneziaWG\amneziawg.exe Directory created: C:\Program Files\AmneziaWG\Data\log.bin
Source: C:\Program Files\AmneziaWG\amneziawg.exe Directory created: C:\Program Files\AmneziaWG\Data\Configurations
Source: C:\Windows\System32\msiexec.exe Registry value created: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{58E70232-B95D-465F-878C-918D5D3FD706}
Source: amneziawg-amd64-1.0.0.msi Static file information: File size 3366912 > 1048576
Source: Binary string: D:\nt-driver-builder\wintun-0.14\Release\arm64\driver\wintun.pdbGCTL source: wintun.dll.2.dr
Source: Binary string: C:\Users\Jason A. Donenfeld\Projects\wintun\Release\amd64\wintun.pdb source: wintun.dll.2.dr
Source: Binary string: D:\nt-driver-builder\wintun-0.14\Release\amd64\driver\wintun.pdb source: wintun.dll.2.dr
Source: Binary string: C:\Users\Jason A. Donenfeld\Projects\wintun\Release\arm64\setupapihost.pdb source: wintun.dll.2.dr
Source: Binary string: D:\nt-driver-builder\wintun-0.14\Release\amd64\driver\wintun.pdbGCTL source: wintun.dll.2.dr
Source: Binary string: D:\nt-driver-builder\wintun-0.14\Release\arm64\driver\wintun.pdb source: wintun.dll.2.dr
Source: amneziawg.exe.2.dr Static PE information: section name: .xdata
Source: amneziawg.exe.2.dr Static PE information: section name: .symtab
Source: awg.exe.2.dr Static PE information: section name: .00cfg
Source: wintun.dll.2.dr Static PE information: section name: .didat
Source: wintun.dll.2.dr Static PE information: section name: _RDATA
Source: MSIFF55.tmp.2.dr Static PE information: section name: .00cfg
Source: MSIF78F.tmp.2.dr Static PE information: section name: .00cfg
Source: MSIF7DE.tmp.2.dr Static PE information: section name: .00cfg
Source: MSIF83E.tmp.2.dr Static PE information: section name: .00cfg
Source: MSIFEE6.tmp.2.dr Static PE information: section name: .00cfg
Source: MSIFF35.tmp.2.dr Static PE information: section name: .00cfg
Source: C:\Program Files\AmneziaWG\amneziawg.exe Code function: 7_2_000000E7DC1FD45C push ecx; retf 7_2_000000E7DC1FD469
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\MSIFEE6.tmp
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\MSIF83E.tmp
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\MSIFF55.tmp
Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files\AmneziaWG\wintun.dll
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\MSIFF35.tmp
Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files\AmneziaWG\awg.exe
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\MSIF78F.tmp
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\MSIF7DE.tmp
Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files\AmneziaWG\amneziawg.exe
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\MSIFEE6.tmp
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\MSIF83E.tmp
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\MSIFF55.tmp
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\MSIFF35.tmp
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\MSIF78F.tmp
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\MSIF7DE.tmp
Source: C:\Windows\System32\msiexec.exe File created: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\AmneziaWG.lnk
Source: C:\Windows\System32\msiexec.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\msiexec.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\msiexec.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\msiexec.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\msiexec.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\msiexec.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\msiexec.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\msiexec.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\msiexec.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\msiexec.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\msiexec.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\msiexec.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\msiexec.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\msiexec.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\msiexec.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\msiexec.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\msiexec.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\msiexec.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\msiexec.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\msiexec.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\msiexec.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\msiexec.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\msiexec.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\msiexec.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\msiexec.exe Process information set: NOGPFAULTERRORBOX
Source: C:\Program Files\AmneziaWG\amneziawg.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
Source: C:\Program Files\AmneziaWG\amneziawg.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
Source: C:\Program Files\AmneziaWG\amneziawg.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
Source: C:\Program Files\AmneziaWG\amneziawg.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\AmneziaWG\amneziawg.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
Source: C:\Program Files\AmneziaWG\amneziawg.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
Source: C:\Program Files\AmneziaWG\amneziawg.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
Source: C:\Program Files\AmneziaWG\amneziawg.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
Source: C:\Program Files\AmneziaWG\amneziawg.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
Source: C:\Program Files\AmneziaWG\amneziawg.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
Source: C:\Program Files\AmneziaWG\amneziawg.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
Source: C:\Program Files\AmneziaWG\amneziawg.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
Source: C:\Program Files\AmneziaWG\amneziawg.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
Source: C:\Program Files\AmneziaWG\amneziawg.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
Source: C:\Program Files\AmneziaWG\amneziawg.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\AmneziaWG\amneziawg.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
Source: C:\Program Files\AmneziaWG\amneziawg.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\AmneziaWG\amneziawg.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
Source: C:\Program Files\AmneziaWG\amneziawg.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
Source: C:\Program Files\AmneziaWG\amneziawg.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\AmneziaWG\amneziawg.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Windows\Installer\MSIFEE6.tmp
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Windows\Installer\MSIF83E.tmp
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Windows\Installer\MSIFF55.tmp
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Program Files\AmneziaWG\wintun.dll
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Windows\Installer\MSIFF35.tmp
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Program Files\AmneziaWG\awg.exe
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Windows\Installer\MSIF78F.tmp
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Windows\Installer\MSIF7DE.tmp
Source: C:\Windows\System32\msiexec.exe File Volume queried: C:\ FullSizeInformation
Source: C:\Windows\System32\msiexec.exe File Volume queried: C:\ FullSizeInformation
Source: C:\Windows\System32\msiexec.exe File Volume queried: C:\ FullSizeInformation
Source: C:\Windows\System32\msiexec.exe File Volume queried: C:\ FullSizeInformation
Source: C:\Windows\System32\msiexec.exe File Volume queried: C:\ FullSizeInformation
Source: C:\Windows\System32\msiexec.exe File Volume queried: C:\ FullSizeInformation
Source: C:\Windows\System32\msiexec.exe File Volume queried: C:\ FullSizeInformation
Source: amneziawg.exe, 00000008.00000002.3308921083.000001F4A235E000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllIIi%P
Source: amneziawg.exe, 00000005.00000002.2117128652.000001BD54608000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll^^|LP
Source: amneziawg.exe, 00000006.00000002.2124218546.0000026741E67000.00000004.00000020.00020000.00000000.sdmp, amneziawg.exe, 00000007.00000002.3307725865.00000202220E8000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: C:\Windows\System32\msiexec.exe Process information queried: ProcessInformation
Source: C:\Windows\System32\msiexec.exe Process created: C:\Program Files\AmneziaWG\amneziawg.exe "C:\Program Files\AmneziaWG\amneziawg.exe"
Source: C:\Program Files\AmneziaWG\amneziawg.exe Process created: C:\Program Files\AmneziaWG\amneziawg.exe "C:\Program Files\AmneziaWG\amneziawg.exe" /installmanagerservice
Source: C:\Program Files\AmneziaWG\amneziawg.exe Process created: C:\Program Files\AmneziaWG\amneziawg.exe "C:\Program Files\AmneziaWG\amneziawg.exe" /ui 768 764 776 784
Source: amneziawg.exe, 00000005.00000000.2085370840.0000000000412000.00000002.00000001.01000000.00000003.sdmp, amneziawg.exe, 00000006.00000002.2120585281.0000000000412000.00000002.00000001.01000000.00000003.sdmp, amneziawg.exe, 00000007.00000002.3303353863.0000000000412000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: %sinvalid styleSetWindowLongeffect == nilShell_TrayWndDestroyWindowSysListView32SelectedCountGetWindowLongLVM_SETCOLUMNGetWindowRectGetClientRectImageList_AddCreateRectRgnGetDeviceCapsSetBrushOrgExValueOverflowCreateActCtxWRtlMoveMemoryOleInitializeSysFreeStringwglShareListsPdhCloseQueryAnimateWindowDrawFocusRectGetMenuItemIDGetScrollInfoGetSystemMenuSetScrollInfoGetThemeColorOpenThemeDataEnumPrintersWRoundingMode(gocacheverifyinstallgoroothtml/templatetlsmaxrsasizeinvalid port name too longcq is corruptnot availableinvalid UTF-8Device closingPreshared key:listen_port=%dunexpected EOFComputerNameExinvalid syntax1907348632812595367431640625: extra text: ControlServiceCreateServiceWCryptGenRandomIsWellKnownSidMakeAbsoluteSDOpenSCManagerWSetThreadTokenCertCloseStoreCreateEventExWCreateMutexExWCreateProcessWFindFirstFileWFormatMessageWGetConsoleModeGetProcAddressGetTickCount64IsWow64ProcessLoadLibraryExWModule32FirstWProcess32NextWSetConsoleModeSetFilePointerSizeofResourceVirtualProtectVirtualQueryExNetUserGetInfoCoInitializeExCoUninitializeGetUserNameExWTranslateNameWGetShellWindowVerQueryValueWgetprotobyname procedure in Executing: %#qAdministrators/tunnelservice on zero Valueunknown methodunsafe.PointeruserArenaStateread mem statsallocfreetracegcstoptheworldGC assist waitfinalizer waitsync.Cond.Waits.allocCount= key size wrongnil elem type! to finalizer GC worker initruntime: full=runtime: want=MB; allocated timeEndPeriodbad restart PC-thread limit
Source: amneziawg.exe, 00000008.00000002.3304620491.000000C000014000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: Status: UnknownShell_TrayWndStatus: UnknownShell_TrayWndListen port:DNS servers:Import tunnel(s) from fileListen port:DNS servers:Import tunnel(s) from fileListen port:DNS servers:Import tunnel(s) from fileListen port:DNS servers:Path=C:\Program Files (x86)\Common Files\Oracle\Java\javapath;C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\;C:\Windows\System32\OpenSSH\;C:\Program Files\AmneziaWG\;C:\Users\user\AppData\Local\Microsoft\WindowsApps
Source: amneziawg.exe, 00000008.00000002.3304620491.000000C00020C000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: AddClipboardFormatListenerTaskbarCreated&CopyCtrl+CSelect &allCtrl+AShell_TrayWnd
Source: amneziawg.exe, 00000005.00000000.2085370840.0000000000412000.00000002.00000001.01000000.00000003.sdmp, amneziawg.exe, 00000006.00000002.2120585281.0000000000412000.00000002.00000001.01000000.00000003.sdmp, amneziawg.exe, 00000007.00000002.3303353863.0000000000412000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: %sinvalid styleSetWindowLongeffect == nilShell_TrayWndDestroyWindowSysListView32SelectedCountGetWindowLongLVM_SETCOLUMNGetWindowRectGetClientRectImageList_AddCreateRectRgnGetDeviceCapsSetBrushOrgExValueOverflowCreateActCtxWRtlMoveMemoryOleInitializeSysFreeStringwglShareListsPdhCloseQueryAnimateWindowDrawFocusRectGetMenuItemIDGetScrollInfoGetSystemMenuSetScrollInfoGetThemeColorOpenThemeDataEnumPrintersWRoundingMode(gocacheverifyinstallgoroothtml/templatetlsmaxrsasizeinvalid port name too longcq is corruptnot availableinvalid UTF-8Device closingPreshared key:listen_port=%dunexpected EOFComputerNameExinvalid syntax1907348632812595367431640625: extra text: ControlServiceCreateServiceWCryptGenRandomIsWellKnownSidMakeAbsoluteSDOpenSCManagerWSetThreadTokenCertCloseStoreCreateEventExWCreateMutexExWCreateProcessWFindFirstFileWFormatMessageWGetConsoleModeGetProcAddressGetTickCount64IsWow64ProcessLoadLibraryExWModule32FirstWProcess32NextWSetConsoleModeSetFilePointerSizeofResourceVirtualProtectVirtualQueryExNetUserGetInfoCoInitializeExCoUninitializeGetUserNameExWTranslateNameWGetShellWindowVerQueryValueWgetprotobyname procedure in Executing: %#qAdministrators/tunnelservice on zero Valueunknown methodunsafe.PointeruserArenaStateread mem statsallocfreetracegcstoptheworldGC assist waitfinalizer waitsync.Cond.Waits.allocCount= key size wrongnil elem type! to finalizer GC worker initruntime: full=runtime: want=MB; allocated timeEndPeriod
Source: C:\Windows\System32\msiexec.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\msiexec.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\msiexec.exe Queries volume information: C:\ VolumeInformation
Source: C:\Program Files\AmneziaWG\amneziawg.exe Queries volume information: C:\Program Files\AmneziaWG\Data VolumeInformation
Source: C:\Program Files\AmneziaWG\amneziawg.exe Queries volume information: C:\Program Files\AmneziaWG\Data\Configurations VolumeInformation
Source: C:\Program Files\AmneziaWG\amneziawg.exe Queries volume information: C:\Program Files\AmneziaWG\Data\Configurations VolumeInformation
Source: C:\Program Files\AmneziaWG\amneziawg.exe Queries volume information: C:\Program Files\AmneziaWG\Data\Configurations VolumeInformation
Source: C:\Program Files\AmneziaWG\amneziawg.exe Queries volume information: C:\Program Files\AmneziaWG\Data\Configurations VolumeInformation
Source: C:\Program Files\AmneziaWG\amneziawg.exe Queries volume information: C:\Program Files\AmneziaWG\Data\Configurations VolumeInformation
Source: C:\Program Files\AmneziaWG\amneziawg.exe Queries volume information: C:\Program Files\AmneziaWG\Data\Configurations VolumeInformation
Source: C:\Program Files\AmneziaWG\amneziawg.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
Source: C:\Windows\System32\msiexec.exe Registry key created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349 Blob
No contacted IP infos