Windows Analysis Report
amneziawg-amd64-1.0.0.msi

Overview

General Information

Sample name: amneziawg-amd64-1.0.0.msi
Analysis ID: 1532532
MD5: 820f2d66357f5c1d986cbc1a41116d31
SHA1: afc5b70d421b55fc6500698d90f1a4b4a030ce11
SHA256: 0f1172401ee28d8bfd15ebd4818e64b6001cd38e04d81ab1d096010eba40c9dc
Tags: msi, user-Bacn

Detection

Score: 72
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Yara detected UAC Bypass using CMSTP
Adds / modifies Windows certificates
Checks for available system drives (often done to infect USB drives)
Creates a process in suspended mode (likely to inject code)
Creates files inside the system directory
Deletes files inside the Windows folder
Drops PE files
Drops PE files to the windows directory (C:\Windows)
Found dropped PE file which has not been started or loaded
Installs a raw input device (often for capturing keystrokes)
Launches processes in debugging mode, may be used to hinder debugging
PE file contains executable resources (Code or Archives)
PE file contains sections with non-standard names
Queries the volume information (name, serial number etc) of a device
Stores files to the Windows start menu directory
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Classification

  • System is w10x64
  • msiexec.exe (PID: 1248 cmdline: "C:\Windows\System32\msiexec.exe" /i "C:\Users\user\Desktop\amneziawg-amd64-1.0.0.msi" MD5: E5DA170027542E25EDE42FC54C929077)
  • msiexec.exe (PID: 5464 cmdline: C:\Windows\system32\msiexec.exe /V MD5: E5DA170027542E25EDE42FC54C929077)
    • msiexec.exe (PID: 2452 cmdline: C:\Windows\System32\MsiExec.exe -Embedding 737408F332C72DA581C627ECA815EDF4 MD5: E5DA170027542E25EDE42FC54C929077)
    • msiexec.exe (PID: 6768 cmdline: C:\Windows\System32\MsiExec.exe -Embedding 038BD3729F1160F66BF25AB2649B1B39 E Global\MSI0000 MD5: E5DA170027542E25EDE42FC54C929077)
    • amneziawg.exe (PID: 2888 cmdline: "C:\Program Files\AmneziaWG\amneziawg.exe" MD5: 9C3859EBA6A53E9DF1D885C8147337BD)
      • amneziawg.exe (PID: 5972 cmdline: "C:\Program Files\AmneziaWG\amneziawg.exe" /installmanagerservice MD5: 9C3859EBA6A53E9DF1D885C8147337BD)
  • amneziawg.exe (PID: 7172 cmdline: "C:\Program Files\AmneziaWG\amneziawg.exe" /managerservice MD5: 9C3859EBA6A53E9DF1D885C8147337BD)
    • amneziawg.exe (PID: 7236 cmdline: "C:\Program Files\AmneziaWG\amneziawg.exe" /ui 768 764 776 784 MD5: 9C3859EBA6A53E9DF1D885C8147337BD)
  • cleanup
No configs have been found
Source | Rule | Description | Author | Strings
C:\Program Files\AmneziaWG\amneziawg.exe | JoeSecurity_UACBypassusingCMSTP | Yara detected UAC Bypass using CMSTP | Joe Security
C:\Program Files\AmneziaWG\amneziawg.exe | INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM | Detects Windows executables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) | ditekSHen
  • 0x3c9782:$guid1: {3E5FC7F9-9A51-4367-9063-A120244FBEC7}
  • 0x3cf731:$guid1: {3E5FC7F9-9A51-4367-9063-A120244FBEC7}
  • 0x49d5cd:$s1: CoGetObject
Source | Rule | Description | Author | Strings
00000007.00000002.3303353863.0000000000412000.00000002.00000001.01000000.00000003.sdmp | JoeSecurity_UACBypassusingCMSTP | Yara detected UAC Bypass using CMSTP | Joe Security
00000005.00000000.2085370840.0000000000412000.00000002.00000001.01000000.00000003.sdmp | JoeSecurity_UACBypassusingCMSTP | Yara detected UAC Bypass using CMSTP | Joe Security
00000006.00000000.2107191861.0000000000412000.00000002.00000001.01000000.00000003.sdmp | JoeSecurity_UACBypassusingCMSTP | Yara detected UAC Bypass using CMSTP | Joe Security
00000006.00000002.2120585281.0000000000412000.00000002.00000001.01000000.00000003.sdmp | JoeSecurity_UACBypassusingCMSTP | Yara detected UAC Bypass using CMSTP | Joe Security
00000008.00000002.3303350962.0000000000412000.00000002.00000001.01000000.00000003.sdmp | JoeSecurity_UACBypassusingCMSTP | Yara detected UAC Bypass using CMSTP | Joe Security
(7 entries in total; 5 shown)
Source | Rule | Description | Author | Strings
5.2.amneziawg.exe.120000.0.unpack | JoeSecurity_UACBypassusingCMSTP | Yara detected UAC Bypass using CMSTP | Joe Security
5.2.amneziawg.exe.120000.0.unpack | INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM | Detects Windows executables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) | ditekSHen
  • 0x3c9782:$guid1: {3E5FC7F9-9A51-4367-9063-A120244FBEC7}
  • 0x3cf731:$guid1: {3E5FC7F9-9A51-4367-9063-A120244FBEC7}
  • 0x49d5cd:$s1: CoGetObject
6.0.amneziawg.exe.120000.0.unpack | JoeSecurity_UACBypassusingCMSTP | Yara detected UAC Bypass using CMSTP | Joe Security
6.0.amneziawg.exe.120000.0.unpack | INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM | Detects Windows executables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) | ditekSHen
  • 0x3c9782:$guid1: {3E5FC7F9-9A51-4367-9063-A120244FBEC7}
  • 0x3cf731:$guid1: {3E5FC7F9-9A51-4367-9063-A120244FBEC7}
  • 0x49d5cd:$s1: CoGetObject
6.2.amneziawg.exe.120000.0.unpack | JoeSecurity_UACBypassusingCMSTP | Yara detected UAC Bypass using CMSTP | Joe Security
(11 entries in total; 5 shown)
No Sigma rule has matched
No Suricata rule has matched

                    AV Detection

Source: C:\Program Files\AmneziaWG\awg.exe | Virustotal: Detection: 9%
Source: amneziawg-amd64-1.0.0.msi | Virustotal: Detection: 12%

                    Exploits

Source: Yara match | File source: 5.2.amneziawg.exe.120000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 6.0.amneziawg.exe.120000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 6.2.amneziawg.exe.120000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 5.0.amneziawg.exe.120000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 7.0.amneziawg.exe.120000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 8.0.amneziawg.exe.120000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 7.2.amneziawg.exe.120000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 8.2.amneziawg.exe.120000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000007.00000002.3303353863.0000000000412000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match | File source: 00000005.00000000.2085370840.0000000000412000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match | File source: 00000006.00000000.2107191861.0000000000412000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match | File source: 00000006.00000002.2120585281.0000000000412000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match | File source: 00000008.00000002.3303350962.0000000000412000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match | File source: 00000007.00000000.2112674274.0000000000412000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match | File source: 00000008.00000000.2115401680.0000000000412000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match | File source: 00000005.00000002.2113037984.0000000000412000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: amneziawg.exe PID: 2888, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: amneziawg.exe PID: 5972, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: amneziawg.exe PID: 7172, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: amneziawg.exe PID: 7236, type: MEMORYSTR
Source: Yara match | File source: C:\Program Files\AmneziaWG\amneziawg.exe, type: DROPPED
Source: C:\Windows\System32\msiexec.exe | Directory created: C:\Program Files\AmneziaWG
Source: C:\Windows\System32\msiexec.exe | Directory created: C:\Program Files\AmneziaWG\amneziawg.exe
Source: C:\Windows\System32\msiexec.exe | Directory created: C:\Program Files\AmneziaWG\awg.exe
Source: C:\Windows\System32\msiexec.exe | Directory created: C:\Program Files\AmneziaWG\wintun.dll
Source: C:\Program Files\AmneziaWG\amneziawg.exe | Directory created: C:\Program Files\AmneziaWG\Data
Source: C:\Program Files\AmneziaWG\amneziawg.exe | Directory created: C:\Program Files\AmneziaWG\Data\log.bin
Source: C:\Program Files\AmneziaWG\amneziawg.exe | Directory created: C:\Program Files\AmneziaWG\Data\Configurations
Source: C:\Windows\System32\msiexec.exe | Registry value created: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{58E70232-B95D-465F-878C-918D5D3FD706}
Source: Binary string: D:\nt-driver-builder\wintun-0.14\Release\arm64\driver\wintun.pdbGCTL | source: wintun.dll.2.dr
Source: Binary string: C:\Users\Jason A. Donenfeld\Projects\wintun\Release\amd64\wintun.pdb | source: wintun.dll.2.dr
Source: Binary string: D:\nt-driver-builder\wintun-0.14\Release\amd64\driver\wintun.pdb | source: wintun.dll.2.dr
Source: Binary string: C:\Users\Jason A. Donenfeld\Projects\wintun\Release\arm64\setupapihost.pdb | source: wintun.dll.2.dr
Source: Binary string: D:\nt-driver-builder\wintun-0.14\Release\amd64\driver\wintun.pdbGCTL | source: wintun.dll.2.dr
Source: Binary string: D:\nt-driver-builder\wintun-0.14\Release\arm64\driver\wintun.pdb | source: wintun.dll.2.dr
Source: C:\Windows\System32\msiexec.exe | File opened (drive enumeration, in the order observed): z:, x:, v:, t:, r:, p:, n:, l:, j:, h:, f:, b:, y:, w:, u:, s:, q:, o:, m:, k:, i:, g:, e:, a:
Source: C:\Program Files\AmneziaWG\amneziawg.exe | File opened: c:
Source: wintun.dll.2.dr | String found in binary or memory:
  http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0
  http://cacerts.digicert.com/DigiCertEVCodeSigningCA-SHA2.crt0
  http://cacerts.digicert.com/DigiCertHighAssuranceEVRootCA.crt0
  http://cacerts.digicert.com/DigiCertSHA2AssuredIDTimestampingCA.crt0
  http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0P
  http://crl3.digicert.com/DigiCertHighAssuranceEVRootCA.crl0
  http://crl3.digicert.com/EVCodeSigningSHA2-g1.crl07
  http://crl3.digicert.com/sha2-assured-ts.crl02
  http://crl4.digicert.com/DigiCertAssuredIDRootCA.crl0:
  http://crl4.digicert.com/DigiCertHighAssuranceEVRootCA.crl0
  http://crl4.digicert.com/EVCodeSigningSHA2-g1.crl0K
  http://crl4.digicert.com/sha2-assured-ts.crl0
  http://ocsp.digicert.com0C
  http://ocsp.digicert.com0H
  http://ocsp.digicert.com0I
  http://ocsp.digicert.com0O
  http://www.digicert.com/CPS0
  http://www.digicert.com/ssl-cps-repository.htm0
  https://www.digicert.com/CPS0
  https://www.wintun.net/
  https://www.wintun.net/D
Source: amneziawg-amd64-1.0.0.msi, MSIFF35.tmp.2.dr, MSIF83E.tmp.2.dr, awg.exe.2.dr, MSIFEE6.tmp.2.dr, amneziawg.exe.2.dr, MSIFF55.tmp.2.dr, MSIF78F.tmp.2.dr, 5cf62a.msi.2.dr, 5cf628.msi.2.dr, MSIF83D.tmp.2.dr, MSIF7DE.tmp.2.dr | String found in binary or memory:
  http://crl.comodoca.com/AAACertificateServices.crl04
  http://crl.sectigo.com/SectigoPublicCodeSigningCAR36.crl0y
  http://crl.sectigo.com/SectigoPublicCodeSigningRootR46.crl0
  http://crl.sectigo.com/SectigoPublicTimeStampingCAR36.crl0z
  http://crl.sectigo.com/SectigoPublicTimeStampingRootR46.crl0
  http://crt.sectigo.com/SectigoPublicCodeSigningCAR36.crt0#
  http://crt.sectigo.com/SectigoPublicCodeSigningRootR46.p7c0#
  http://crt.sectigo.com/SectigoPublicTimeStampingCAR36.crt0#
  http://crt.sectigo.com/SectigoPublicTimeStampingRootR46.p7c0#
  http://ocsp.comodoca.com0
  http://ocsp.sectigo.com0
  https://sectigo.com/CPS0
Source: 5cf629.rbs.2.dr, MSIF83D.tmp.2.dr | String found in binary or memory: https://amnezia.org/
Source: amneziawg.exe, 00000005.00000002.2117128652.000001BD54652000.00000004.00000020.00020000.00000000.sdmp, amneziawg.exe, 00000005.00000002.2114159941.00000000008C8000.00000002.00000001.01000000.00000003.sdmp, amneziawg.exe, 00000006.00000002.2121487836.00000000008C8000.00000002.00000001.01000000.00000003.sdmp, amneziawg.exe, 00000007.00000000.2113554513.00000000008C8000.00000002.00000001.01000000.00000003.sdmp, amneziawg.exe, 00000008.00000002.3304166869.00000000008C8000.00000002.00000001.01000000.00000003.sdmp, amneziawg.exe.2.dr | String found in binary or memory: https://amnezia.org/D
Source: amneziawg.exe, 00000005.00000000.2085370840.0000000000412000.00000002.00000001.01000000.00000003.sdmp, amneziawg.exe, 00000006.00000002.2120585281.0000000000412000.00000002.00000001.01000000.00000003.sdmp, amneziawg.exe, 00000007.00000002.3303353863.0000000000412000.00000002.00000001.01000000.00000003.sdmp, amneziawg.exe, 00000008.00000002.3303350962.0000000000412000.00000002.00000001.01000000.00000003.sdmp, amneziawg.exe.2.dr | String found in binary or memory: https://amnezia.org/wireguard-log-%s.txtTaskbarButtonCreatedreflect.Value.IsZeroreflect.Value.SetInt
Source: awg.exe.2.dr | String found in binary or memory: https://git.zx2c4.com/wireguard-tools/
Source: amneziawg.exe, 00000005.00000002.2114586043.000000C00006F000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: https://sectigo.com/CPS
Source: amneziawg.exe, 00000005.00000002.2114586043.000000C00006F000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: https://sectigo.com/CPS2.23.140.1.4.1
Source: awg.exe.2.dr | String found in binary or memory: https://www.wireguard.com/D

                    System Summary

Source: 5.2.amneziawg.exe.120000.0.unpack, type: UNPACKEDPE | Matched rule: Detects Windows executables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 6.0.amneziawg.exe.120000.0.unpack, type: UNPACKEDPE | Matched rule: Detects Windows executables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 6.2.amneziawg.exe.120000.0.unpack, type: UNPACKEDPE | Matched rule: Detects Windows executables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 5.0.amneziawg.exe.120000.0.unpack, type: UNPACKEDPE | Matched rule: Detects Windows executables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 7.0.amneziawg.exe.120000.0.unpack, type: UNPACKEDPE | Matched rule: Detects Windows executables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 8.0.amneziawg.exe.120000.0.unpack, type: UNPACKEDPE | Matched rule: Detects Windows executables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 7.2.amneziawg.exe.120000.0.unpack, type: UNPACKEDPE | Matched rule: Detects Windows executables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 8.2.amneziawg.exe.120000.0.unpack, type: UNPACKEDPE | Matched rule: Detects Windows executables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: C:\Program Files\AmneziaWG\amneziawg.exe, type: DROPPED | Matched rule: Detects Windows executables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: C:\Windows\System32\msiexec.exe | File created: C:\Windows\Installer\5cf628.msi
Source: C:\Windows\System32\msiexec.exe | File created: C:\Windows\Installer\MSIF78F.tmp
Source: C:\Windows\System32\msiexec.exe | File created: C:\Windows\Installer\MSIF7DE.tmp
Source: C:\Windows\System32\msiexec.exe | File created: C:\Windows\Installer\inprogressinstallinfo.ipi
Source: C:\Windows\System32\msiexec.exe | File created: C:\Windows\Installer\SourceHash{58E70232-B95D-465F-878C-918D5D3FD706}
Source: C:\Windows\System32\msiexec.exe | File created: C:\Windows\Installer\MSIF83D.tmp
Source: C:\Windows\System32\msiexec.exe | File created: C:\Windows\Installer\MSIF83E.tmp
Source: C:\Windows\System32\msiexec.exe | File created: C:\Windows\Installer\MSIFEE6.tmp
Source: C:\Windows\System32\msiexec.exe | File created: C:\Windows\Installer\MSIFF35.tmp
Source: C:\Windows\System32\msiexec.exe | File created: C:\Windows\Installer\MSIFF55.tmp
Source: C:\Windows\System32\msiexec.exe | File created: C:\Windows\Installer\{58E70232-B95D-465F-878C-918D5D3FD706}
Source: C:\Windows\System32\msiexec.exe | File created: C:\Windows\Installer\{58E70232-B95D-465F-878C-918D5D3FD706}\wireguard.ico
Source: C:\Windows\System32\msiexec.exe | File created: C:\Windows\Installer\5cf62a.msi
Source: C:\Windows\System32\msiexec.exe | File created: C:\Windows\Installer\MSI31F.tmp
Source: C:\Windows\System32\msiexec.exe | File deleted: C:\Windows\Installer\MSIF78F.tmp
Source: wintun.dll.2.dr | Static PE information: Resource name: RT_RCDATA type: PE32+ executable (DLL) (GUI) Aarch64, for MS Windows
Source: wintun.dll.2.dr | Static PE information: Resource name: RT_RCDATA type: PE32+ executable (native) Aarch64, for MS Windows
Source: wintun.dll.2.dr | Static PE information: Resource name: RT_RCDATA type: PE32+ executable (native) x86-64, for MS Windows
Source: 5.2.amneziawg.exe.120000.0.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows executables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 6.0.amneziawg.exe.120000.0.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows executables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 6.2.amneziawg.exe.120000.0.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows executables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 5.0.amneziawg.exe.120000.0.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows executables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 7.0.amneziawg.exe.120000.0.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows executables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 8.0.amneziawg.exe.120000.0.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows executables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 7.2.amneziawg.exe.120000.0.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows executables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 8.2.amneziawg.exe.120000.0.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows executables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: C:\Program Files\AmneziaWG\amneziawg.exe, type: DROPPED | Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows executables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: classification engine | Classification label: mal72.expl.winMSI@13/35@0/0
Source: C:\Windows\System32\msiexec.exe | File created: C:\Program Files\AmneziaWG
Source: C:\Windows\System32\msiexec.exe | File created: C:\Windows\TEMP\~DF5120C57685445DB6.TMP
                    Source: C:\Windows\System32\msiexec.exe | File read: C:\Program Files\desktop.ini
                    Source: C:\Windows\System32\msiexec.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\SystemCertificates\CA
                    Source: amneziawg-amd64-1.0.0.msi | Static file information: TRID: Microsoft Windows Installer (60509/1) 88.31%
                    Source: amneziawg-amd64-1.0.0.msi | Virustotal: Detection: 12%
                    Source: unknown | Process created: C:\Windows\System32\msiexec.exe "C:\Windows\System32\msiexec.exe" /i "C:\Users\user\Desktop\amneziawg-amd64-1.0.0.msi"
                    Source: unknown | Process created: C:\Windows\System32\msiexec.exe C:\Windows\system32\msiexec.exe /V
                    Source: C:\Windows\System32\msiexec.exe | Process created: C:\Windows\System32\msiexec.exe C:\Windows\System32\MsiExec.exe -Embedding 737408F332C72DA581C627ECA815EDF4
                    Source: C:\Windows\System32\msiexec.exe | Process created: C:\Windows\System32\msiexec.exe C:\Windows\System32\MsiExec.exe -Embedding 038BD3729F1160F66BF25AB2649B1B39 E Global\MSI0000
                    Source: C:\Windows\System32\msiexec.exe | Process created: C:\Program Files\AmneziaWG\amneziawg.exe "C:\Program Files\AmneziaWG\amneziawg.exe"
                    Source: C:\Program Files\AmneziaWG\amneziawg.exe | Process created: C:\Program Files\AmneziaWG\amneziawg.exe "C:\Program Files\AmneziaWG\amneziawg.exe" /installmanagerservice
                    Source: unknown | Process created: C:\Program Files\AmneziaWG\amneziawg.exe "C:\Program Files\AmneziaWG\amneziawg.exe" /managerservice
                    Source: C:\Program Files\AmneziaWG\amneziawg.exe | Process created: C:\Program Files\AmneziaWG\amneziawg.exe "C:\Program Files\AmneziaWG\amneziawg.exe" /ui 768 764 776 784
                    Source: C:\Windows\System32\msiexec.exe | Process created: C:\Windows\System32\msiexec.exe C:\Windows\System32\MsiExec.exe -Embedding 737408F332C72DA581C627ECA815EDF4
                    Source: C:\Windows\System32\msiexec.exe | Process created: C:\Windows\System32\msiexec.exe C:\Windows\System32\MsiExec.exe -Embedding 038BD3729F1160F66BF25AB2649B1B39 E Global\MSI0000
                    Source: C:\Windows\System32\msiexec.exe | Process created: C:\Program Files\AmneziaWG\amneziawg.exe "C:\Program Files\AmneziaWG\amneziawg.exe"
                    Source: C:\Program Files\AmneziaWG\amneziawg.exe | Process created: C:\Program Files\AmneziaWG\amneziawg.exe "C:\Program Files\AmneziaWG\amneziawg.exe" /installmanagerservice
                    Source: C:\Program Files\AmneziaWG\amneziawg.exe | Process created: C:\Program Files\AmneziaWG\amneziawg.exe "C:\Program Files\AmneziaWG\amneziawg.exe" /ui 768 764 776 784
                    Source: C:\Windows\System32\msiexec.exe | Section loaded: apphelp.dll
                    Source: C:\Windows\System32\msiexec.exe | Section loaded: aclayers.dll
                    Source: C:\Windows\System32\msiexec.exe | Section loaded: sfc.dll
                    Source: C:\Windows\System32\msiexec.exe | Section loaded: sfc_os.dll
                    Source: C:\Windows\System32\msiexec.exe | Section loaded: msi.dll
                    Source: C:\Windows\System32\msiexec.exe | Section loaded: srpapi.dll
                    Source: C:\Windows\System32\msiexec.exe | Section loaded: kernel.appcore.dll
                    Source: C:\Windows\System32\msiexec.exe | Section loaded: kernel.appcore.dll
                    Source: C:\Windows\System32\msiexec.exe | Section loaded: tsappcmp.dll
                    Source: C:\Windows\System32\msiexec.exe | Section loaded: uxtheme.dll
                    Source: C:\Windows\System32\msiexec.exe | Section loaded: textinputframework.dll
                    Source: C:\Windows\System32\msiexec.exe | Section loaded: coreuicomponents.dll
                    Source: C:\Windows\System32\msiexec.exe | Section loaded: coremessaging.dll
                    Source: C:\Windows\System32\msiexec.exe | Section loaded: ntmarta.dll
                    Source: C:\Windows\System32\msiexec.exe | Section loaded: wintypes.dll
                    Source: C:\Windows\System32\msiexec.exe | Section loaded: wintypes.dll
                    Source: C:\Windows\System32\msiexec.exe | Section loaded: wintypes.dll
                    Source: C:\Windows\System32\msiexec.exe | Section loaded: windows.storage.dll
                    Source: C:\Windows\System32\msiexec.exe | Section loaded: wldp.dll
                    Source: C:\Windows\System32\msiexec.exe | Section loaded: propsys.dll
                    Source: C:\Windows\System32\msiexec.exe | Section loaded: textshaping.dll
                    Source: C:\Windows\System32\msiexec.exe | Section loaded: netapi32.dll
                    Source: C:\Windows\System32\msiexec.exe | Section loaded: wkscli.dll
                    Source: C:\Windows\System32\msiexec.exe | Section loaded: netutils.dll
                    Source: C:\Windows\System32\msiexec.exe | Section loaded: msasn1.dll
                    Source: C:\Windows\System32\msiexec.exe | Section loaded: cryptsp.dll
                    Source: C:\Windows\System32\msiexec.exe | Section loaded: rsaenh.dll
                    Source: C:\Windows\System32\msiexec.exe | Section loaded: cryptbase.dll
                    Source: C:\Windows\System32\msiexec.exe | Section loaded: msisip.dll
                    Source: C:\Windows\System32\msiexec.exe | Section loaded: gpapi.dll
                    Source: C:\Windows\System32\msiexec.exe | Section loaded: version.dll
                    Source: C:\Windows\System32\msiexec.exe | Section loaded: mscoree.dll
                    Source: C:\Windows\System32\msiexec.exe | Section loaded: profapi.dll
                    Source: C:\Windows\System32\msiexec.exe | Section loaded: sspicli.dll
                    Source: C:\Windows\System32\msiexec.exe | Section loaded: msihnd.dll
                    Source: C:\Windows\System32\msiexec.exe | Section loaded: pcacli.dll
                    Source: C:\Windows\System32\msiexec.exe | Section loaded: mpr.dll
                    Source: C:\Windows\System32\msiexec.exe | Section loaded: apphelp.dll
                    Source: C:\Windows\System32\msiexec.exe | Section loaded: aclayers.dll
                    Source: C:\Windows\System32\msiexec.exe | Section loaded: sfc.dll
                    Source: C:\Windows\System32\msiexec.exe | Section loaded: sfc_os.dll
                    Source: C:\Windows\System32\msiexec.exe | Section loaded: kernel.appcore.dll
                    Source: C:\Windows\System32\msiexec.exe | Section loaded: msi.dll
                    Source: C:\Windows\System32\msiexec.exe | Section loaded: tsappcmp.dll
                    Source: C:\Windows\System32\msiexec.exe | Section loaded: userenv.dll
                    Source: C:\Windows\System32\msiexec.exe | Section loaded: profapi.dll
                    Source: C:\Windows\System32\msiexec.exe | Section loaded: sspicli.dll
                    Source: C:\Windows\System32\msiexec.exe | Section loaded: netapi32.dll
                    Source: C:\Windows\System32\msiexec.exe | Section loaded: wkscli.dll
                    Source: C:\Windows\System32\msiexec.exe | Section loaded: netutils.dll
                    Source: C:\Windows\System32\msiexec.exe | Section loaded: srclient.dll
                    Source: C:\Windows\System32\msiexec.exe | Section loaded: spp.dll
                    Source: C:\Windows\System32\msiexec.exe | Section loaded: powrprof.dll
                    Source: C:\Windows\System32\msiexec.exe | Section loaded: vssapi.dll
                    Source: C:\Windows\System32\msiexec.exe | Section loaded: vsstrace.dll
                    Source: C:\Windows\System32\msiexec.exe | Section loaded: umpdc.dll
                    Source: C:\Windows\System32\msiexec.exe | Section loaded: wldp.dll
                    Source: C:\Windows\System32\msiexec.exe | Section loaded: msasn1.dll
                    Source: C:\Windows\System32\msiexec.exe | Section loaded: cryptsp.dll
                    Source: C:\Windows\System32\msiexec.exe | Section loaded: rsaenh.dll
                    Source: C:\Windows\System32\msiexec.exe | Section loaded: cryptbase.dll
                    Source: C:\Windows\System32\msiexec.exe | Section loaded: msisip.dll
                    Source: C:\Windows\System32\msiexec.exe | Section loaded: gpapi.dll
                    Source: C:\Windows\System32\msiexec.exe | Section loaded: mscoree.dll
                    Source: C:\Windows\System32\msiexec.exe | Section loaded: version.dll
                    Source: C:\Windows\System32\msiexec.exe | Section loaded: vcruntime140_clr0400.dll
                    Source: C:\Windows\System32\msiexec.exe | Section loaded: ucrtbase_clr0400.dll
                    Source: C:\Windows\System32\msiexec.exe | Section loaded: ucrtbase_clr0400.dll
                    Source: C:\Windows\System32\msiexec.exe | Section loaded: rstrtmgr.dll
                    Source: C:\Windows\System32\msiexec.exe | Section loaded: ncrypt.dll
                    Source: C:\Windows\System32\msiexec.exe | Section loaded: ntasn1.dll
                    Source: C:\Windows\System32\msiexec.exe | Section loaded: windows.storage.dll
                    Source: C:\Windows\System32\msiexec.exe | Section loaded: pcacli.dll
                    Source: C:\Windows\System32\msiexec.exe | Section loaded: mpr.dll
                    Source: C:\Windows\System32\msiexec.exe | Section loaded: ntmarta.dll
                    Source: C:\Windows\System32\msiexec.exe | Section loaded: cabinet.dll
                    Source: C:\Windows\System32\msiexec.exe | Section loaded: propsys.dll
                    Source: C:\Windows\System32\msiexec.exe | Section loaded: linkinfo.dll
                    Source: C:\Windows\System32\msiexec.exe | Section loaded: ntshrui.dll
                    Source: C:\Windows\System32\msiexec.exe | Section loaded: srvcli.dll
                    Source: C:\Windows\System32\msiexec.exe | Section loaded: cscapi.dll
                    Source: C:\Windows\System32\msiexec.exe | Section loaded: winsta.dll
                    Source: C:\Windows\System32\msiexec.exe | Section loaded: apphelp.dll
                    Source: C:\Windows\System32\msiexec.exe | Section loaded: aclayers.dll
                    Source: C:\Windows\System32\msiexec.exe | Section loaded: sfc.dll
                    Source: C:\Windows\System32\msiexec.exe | Section loaded: sfc_os.dll
                    Source: C:\Windows\System32\msiexec.exe | Section loaded: kernel.appcore.dll
                    Source: C:\Windows\System32\msiexec.exe | Section loaded: msi.dll
                    Source: C:\Windows\System32\msiexec.exe | Section loaded: uxtheme.dll
                    Source: C:\Windows\System32\msiexec.exe | Section loaded: apphelp.dll
                    Source: C:\Windows\System32\msiexec.exe | Section loaded: aclayers.dll
                    Source: C:\Windows\System32\msiexec.exe | Section loaded: sfc.dll
                    Source: C:\Windows\System32\msiexec.exe | Section loaded: sfc_os.dll
                    Source: C:\Windows\System32\msiexec.exe | Section loaded: kernel.appcore.dll
                    Source: C:\Windows\System32\msiexec.exe | Section loaded: msi.dll
                    Source: C:\Windows\System32\msiexec.exe | Section loaded: uxtheme.dll
                    Source: C:\Program Files\AmneziaWG\amneziawg.exe | Section loaded: winmm.dll
                    Source: C:\Program Files\AmneziaWG\amneziawg.exe | Section loaded: powrprof.dll
                    Source: C:\Program Files\AmneziaWG\amneziawg.exe | Section loaded: umpdc.dll
                    Source: C:\Program Files\AmneziaWG\amneziawg.exe | Section loaded: msasn1.dll
                    Source: C:\Program Files\AmneziaWG\amneziawg.exe | Section loaded: cryptsp.dll
                    Source: C:\Program Files\AmneziaWG\amneziawg.exe | Section loaded: rsaenh.dll
                    Source: C:\Program Files\AmneziaWG\amneziawg.exe | Section loaded: cryptbase.dll
                    Source: C:\Program Files\AmneziaWG\amneziawg.exe | Section loaded: windows.storage.dll
                    Source: C:\Program Files\AmneziaWG\amneziawg.exe | Section loaded: wldp.dll
                    Source: C:\Program Files\AmneziaWG\amneziawg.exe | Section loaded: kernel.appcore.dll
                    Source: C:\Program Files\AmneziaWG\amneziawg.exe | Section loaded: uxtheme.dll
                    Source: C:\Program Files\AmneziaWG\amneziawg.exe | Section loaded: propsys.dll
                    Source: C:\Program Files\AmneziaWG\amneziawg.exe | Section loaded: profapi.dll
                    Source: C:\Program Files\AmneziaWG\amneziawg.exe | Section loaded: edputil.dll
                    Source: C:\Program Files\AmneziaWG\amneziawg.exe | Section loaded: urlmon.dll
                    Source: C:\Program Files\AmneziaWG\amneziawg.exe | Section loaded: iertutil.dll
                    Source: C:\Program Files\AmneziaWG\amneziawg.exe | Section loaded: srvcli.dll
                    Source: C:\Program Files\AmneziaWG\amneziawg.exe | Section loaded: netutils.dll
                    Source: C:\Program Files\AmneziaWG\amneziawg.exe | Section loaded: windows.staterepositoryps.dll
                    Source: C:\Program Files\AmneziaWG\amneziawg.exe | Section loaded: sspicli.dll
                    Source: C:\Program Files\AmneziaWG\amneziawg.exe | Section loaded: wintypes.dll
                    Source: C:\Program Files\AmneziaWG\amneziawg.exe | Section loaded: appresolver.dll
                    Source: C:\Program Files\AmneziaWG\amneziawg.exe | Section loaded: bcp47langs.dll
                    Source: C:\Program Files\AmneziaWG\amneziawg.exe | Section loaded: slc.dll
                    Source: C:\Program Files\AmneziaWG\amneziawg.exe | Section loaded: userenv.dll
                    Source: C:\Program Files\AmneziaWG\amneziawg.exe | Section loaded: sppc.dll
                    Source: C:\Program Files\AmneziaWG\amneziawg.exe | Section loaded: onecorecommonproxystub.dll
                    Source: C:\Program Files\AmneziaWG\amneziawg.exe | Section loaded: onecoreuapcommonproxystub.dll
                    Source: C:\Program Files\AmneziaWG\amneziawg.exe | Section loaded: winmm.dll
                    Source: C:\Program Files\AmneziaWG\amneziawg.exe | Section loaded: powrprof.dll
                    Source: C:\Program Files\AmneziaWG\amneziawg.exe | Section loaded: umpdc.dll
                    Source: C:\Program Files\AmneziaWG\amneziawg.exe | Section loaded: winmm.dll
                    Source: C:\Program Files\AmneziaWG\amneziawg.exe | Section loaded: powrprof.dll
                    Source: C:\Program Files\AmneziaWG\amneziawg.exe | Section loaded: umpdc.dll
                    Source: C:\Program Files\AmneziaWG\amneziawg.exe | Section loaded: windows.storage.dll
                    Source: C:\Program Files\AmneziaWG\amneziawg.exe | Section loaded: wldp.dll
                    Source: C:\Program Files\AmneziaWG\amneziawg.exe | Section loaded: wtsapi32.dll
                    Source: C:\Program Files\AmneziaWG\amneziawg.exe | Section loaded: winsta.dll
                    Source: C:\Program Files\AmneziaWG\amneziawg.exe | Section loaded: userenv.dll
                    Source: C:\Program Files\AmneziaWG\amneziawg.exe | Section loaded: profapi.dll
                    Source: C:\Program Files\AmneziaWG\amneziawg.exe | Section loaded: sspicli.dll
                    Source: C:\Program Files\AmneziaWG\amneziawg.exe | Section loaded: winmm.dll
                    Source: C:\Program Files\AmneziaWG\amneziawg.exe | Section loaded: powrprof.dll
                    Source: C:\Program Files\AmneziaWG\amneziawg.exe | Section loaded: umpdc.dll
                    Source: C:\Program Files\AmneziaWG\amneziawg.exe | Section loaded: uxtheme.dll
                    Source: C:\Program Files\AmneziaWG\amneziawg.exe | Section loaded: kernel.appcore.dll
                    Source: C:\Program Files\AmneziaWG\amneziawg.exe | Section loaded: textshaping.dll
                    Source: C:\Program Files\AmneziaWG\amneziawg.exe | Section loaded: windows.storage.dll
                    Source: C:\Program Files\AmneziaWG\amneziawg.exe | Section loaded: wldp.dll
                    Source: C:\Program Files\AmneziaWG\amneziawg.exe | Section loaded: windowscodecs.dll
                    Source: C:\Program Files\AmneziaWG\amneziawg.exe | Section loaded: oleacc.dll
                    Source: C:\Program Files\AmneziaWG\amneziawg.exe | Section loaded: textinputframework.dll
                    Source: C:\Program Files\AmneziaWG\amneziawg.exe | Section loaded: coreuicomponents.dll
                    Source: C:\Program Files\AmneziaWG\amneziawg.exe | Section loaded: coremessaging.dll
                    Source: C:\Program Files\AmneziaWG\amneziawg.exe | Section loaded: ntmarta.dll
                    Source: C:\Program Files\AmneziaWG\amneziawg.exe | Section loaded: coremessaging.dll
                    Source: C:\Program Files\AmneziaWG\amneziawg.exe | Section loaded: wintypes.dll
                    Source: C:\Program Files\AmneziaWG\amneziawg.exe | Section loaded: wintypes.dll
                    Source: C:\Program Files\AmneziaWG\amneziawg.exe | Section loaded: wintypes.dll
                    Source: C:\Program Files\AmneziaWG\amneziawg.exe | Section loaded: explorerframe.dll
                    Source: C:\Program Files\AmneziaWG\amneziawg.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{1f486a52-3cb1-48fd-8f50-b8dc300d9f9d}\InProcServer32
                    Source: AmneziaWG.lnk.2.dr | LNK file: ..\..\..\..\..\Program Files\AmneziaWG\amneziawg.exe
                    Source: C:\Program Files\AmneziaWG\amneziawg.exe | Window found: window name: SysTabControl32
                    Source: Window Recorder | Window detected: More than 3 window changes detected
                    Source: C:\Program Files\AmneziaWG\amneziawg.exe | Window detected: Number of UI elements: 15
                    Source: C:\Windows\System32\msiexec.exe | Directory created: C:\Program Files\AmneziaWG
                    Source: C:\Windows\System32\msiexec.exe | Directory created: C:\Program Files\AmneziaWG\amneziawg.exe
                    Source: C:\Windows\System32\msiexec.exe | Directory created: C:\Program Files\AmneziaWG\awg.exe
                    Source: C:\Windows\System32\msiexec.exe | Directory created: C:\Program Files\AmneziaWG\wintun.dll
                    Source: C:\Program Files\AmneziaWG\amneziawg.exe | Directory created: C:\Program Files\AmneziaWG\Data
                    Source: C:\Program Files\AmneziaWG\amneziawg.exe | Directory created: C:\Program Files\AmneziaWG\Data\log.bin
                    Source: C:\Program Files\AmneziaWG\amneziawg.exe | Directory created: C:\Program Files\AmneziaWG\Data\Configurations
                    Source: C:\Windows\System32\msiexec.exe | Registry value created: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{58E70232-B95D-465F-878C-918D5D3FD706}
                    Source: amneziawg-amd64-1.0.0.msi | Static file information: File size 3366912 > 1048576
                    Source: Binary string: D:\nt-driver-builder\wintun-0.14\Release\arm64\driver\wintun.pdbGCTL source: wintun.dll.2.dr
                    Source: Binary string: C:\Users\Jason A. Donenfeld\Projects\wintun\Release\amd64\wintun.pdb source: wintun.dll.2.dr
                    Source: Binary string: D:\nt-driver-builder\wintun-0.14\Release\amd64\driver\wintun.pdb source: wintun.dll.2.dr
                    Source: Binary string: C:\Users\Jason A. Donenfeld\Projects\wintun\Release\arm64\setupapihost.pdb source: wintun.dll.2.dr
                    Source: Binary string: D:\nt-driver-builder\wintun-0.14\Release\amd64\driver\wintun.pdbGCTL source: wintun.dll.2.dr
                    Source: Binary string: D:\nt-driver-builder\wintun-0.14\Release\arm64\driver\wintun.pdb source: wintun.dll.2.dr
                    Source: amneziawg.exe.2.dr | Static PE information: section name: .xdata
                    Source: amneziawg.exe.2.dr | Static PE information: section name: .symtab
                    Source: awg.exe.2.dr | Static PE information: section name: .00cfg
                    Source: wintun.dll.2.dr | Static PE information: section name: .didat
                    Source: wintun.dll.2.dr | Static PE information: section name: _RDATA
                    Source: MSIFF55.tmp.2.dr | Static PE information: section name: .00cfg
                    Source: MSIF78F.tmp.2.dr | Static PE information: section name: .00cfg
                    Source: MSIF7DE.tmp.2.dr | Static PE information: section name: .00cfg
                    Source: MSIF83E.tmp.2.dr | Static PE information: section name: .00cfg
                    Source: MSIFEE6.tmp.2.dr | Static PE information: section name: .00cfg
                    Source: MSIFF35.tmp.2.dr | Static PE information: section name: .00cfg
                    Source: C:\Program Files\AmneziaWG\amneziawg.exe | Code function: 7_2_000000E7DC1FD45C push ecx; retf 7_2_000000E7DC1FD469
                    Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\Installer\MSIFEE6.tmpJump to dropped file
                    Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\Installer\MSIF83E.tmpJump to dropped file
                    Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\Installer\MSIFF55.tmpJump to dropped file
                    Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files\AmneziaWG\wintun.dllJump to dropped file
                    Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\Installer\MSIFF35.tmpJump to dropped file
                    Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files\AmneziaWG\awg.exeJump to dropped file
                    Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\Installer\MSIF78F.tmpJump to dropped file
                    Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\Installer\MSIF7DE.tmpJump to dropped file
                    Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files\AmneziaWG\amneziawg.exeJump to dropped file
                    Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\Installer\MSIFEE6.tmpJump to dropped file
                    Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\Installer\MSIF83E.tmpJump to dropped file
                    Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\Installer\MSIFF55.tmpJump to dropped file
                    Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\Installer\MSIFF35.tmpJump to dropped file
                    Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\Installer\MSIF78F.tmpJump to dropped file
                    Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\Installer\MSIF7DE.tmpJump to dropped file
                    Source: C:\Windows\System32\msiexec.exeFile created: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\AmneziaWG.lnkJump to behavior
                    Source: C:\Windows\System32\msiexec.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\msiexec.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\msiexec.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\msiexec.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\msiexec.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\msiexec.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\msiexec.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\msiexec.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\msiexec.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\msiexec.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\msiexec.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\msiexec.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\msiexec.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\msiexec.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\msiexec.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\msiexec.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\msiexec.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\msiexec.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\msiexec.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\msiexec.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\msiexec.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\msiexec.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\msiexec.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\msiexec.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\msiexec.exeProcess information set: NOGPFAULTERRORBOXJump to behavior
                    Source: C:\Program Files\AmneziaWG\amneziawg.exeProcess information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Program Files\AmneziaWG\amneziawg.exeProcess information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Program Files\AmneziaWG\amneziawg.exeProcess information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Program Files\AmneziaWG\amneziawg.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Program Files\AmneziaWG\amneziawg.exeProcess information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Program Files\AmneziaWG\amneziawg.exeProcess information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Program Files\AmneziaWG\amneziawg.exeProcess information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Program Files\AmneziaWG\amneziawg.exeProcess information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Program Files\AmneziaWG\amneziawg.exeProcess information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Program Files\AmneziaWG\amneziawg.exeProcess information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Program Files\AmneziaWG\amneziawg.exeProcess information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Program Files\AmneziaWG\amneziawg.exeProcess information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Program Files\AmneziaWG\amneziawg.exeProcess information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Program Files\AmneziaWG\amneziawg.exeProcess information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Program Files\AmneziaWG\amneziawg.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Program Files\AmneziaWG\amneziawg.exeProcess information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Program Files\AmneziaWG\amneziawg.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Program Files\AmneziaWG\amneziawg.exeProcess information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Program Files\AmneziaWG\amneziawg.exeProcess information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Program Files\AmneziaWG\amneziawg.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Program Files\AmneziaWG\amneziawg.exeProcess information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\msiexec.exe; Dropped PE file which has not been started: C:\Windows\Installer\MSIFEE6.tmp
Source: C:\Windows\System32\msiexec.exe; Dropped PE file which has not been started: C:\Windows\Installer\MSIF83E.tmp
Source: C:\Windows\System32\msiexec.exe; Dropped PE file which has not been started: C:\Windows\Installer\MSIFF55.tmp
Source: C:\Windows\System32\msiexec.exe; Dropped PE file which has not been started: C:\Program Files\AmneziaWG\wintun.dll
Source: C:\Windows\System32\msiexec.exe; Dropped PE file which has not been started: C:\Windows\Installer\MSIFF35.tmp
Source: C:\Windows\System32\msiexec.exe; Dropped PE file which has not been started: C:\Program Files\AmneziaWG\awg.exe
Source: C:\Windows\System32\msiexec.exe; Dropped PE file which has not been started: C:\Windows\Installer\MSIF78F.tmp
Source: C:\Windows\System32\msiexec.exe; Dropped PE file which has not been started: C:\Windows\Installer\MSIF7DE.tmp
Source: C:\Windows\System32\msiexec.exe; File Volume queried: C:\ FullSizeInformation
Source: amneziawg.exe, 00000008.00000002.3308921083.000001F4A235E000.00000004.00000020.00020000.00000000.sdmp; Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllIIi%P
Source: amneziawg.exe, 00000005.00000002.2117128652.000001BD54608000.00000004.00000020.00020000.00000000.sdmp; Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll^^|LP
Source: amneziawg.exe, 00000006.00000002.2124218546.0000026741E67000.00000004.00000020.00020000.00000000.sdmp, amneziawg.exe, 00000007.00000002.3307725865.00000202220E8000.00000004.00000020.00020000.00000000.sdmp; Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: C:\Windows\System32\msiexec.exe; Process information queried: ProcessInformation
Source: C:\Windows\System32\msiexec.exe; Process created: C:\Program Files\AmneziaWG\amneziawg.exe "C:\Program Files\AmneziaWG\amneziawg.exe"
Source: C:\Program Files\AmneziaWG\amneziawg.exe; Process created: C:\Program Files\AmneziaWG\amneziawg.exe "C:\Program Files\AmneziaWG\amneziawg.exe" /installmanagerservice
Source: C:\Program Files\AmneziaWG\amneziawg.exe; Process created: C:\Program Files\AmneziaWG\amneziawg.exe "C:\Program Files\AmneziaWG\amneziawg.exe" /ui 768 764 776 784
Source: amneziawg.exe, 00000005.00000000.2085370840.0000000000412000.00000002.00000001.01000000.00000003.sdmp, amneziawg.exe, 00000006.00000002.2120585281.0000000000412000.00000002.00000001.01000000.00000003.sdmp, amneziawg.exe, 00000007.00000002.3303353863.0000000000412000.00000002.00000001.01000000.00000003.sdmp; Binary or memory string: %sinvalid styleSetWindowLongeffect == nilShell_TrayWndDestroyWindowSysListView32SelectedCountGetWindowLongLVM_SETCOLUMNGetWindowRectGetClientRectImageList_AddCreateRectRgnGetDeviceCapsSetBrushOrgExValueOverflowCreateActCtxWRtlMoveMemoryOleInitializeSysFreeStringwglShareListsPdhCloseQueryAnimateWindowDrawFocusRectGetMenuItemIDGetScrollInfoGetSystemMenuSetScrollInfoGetThemeColorOpenThemeDataEnumPrintersWRoundingMode(gocacheverifyinstallgoroothtml/templatetlsmaxrsasizeinvalid port name too longcq is corruptnot availableinvalid UTF-8Device closingPreshared key:listen_port=%dunexpected EOFComputerNameExinvalid syntax1907348632812595367431640625: extra text: ControlServiceCreateServiceWCryptGenRandomIsWellKnownSidMakeAbsoluteSDOpenSCManagerWSetThreadTokenCertCloseStoreCreateEventExWCreateMutexExWCreateProcessWFindFirstFileWFormatMessageWGetConsoleModeGetProcAddressGetTickCount64IsWow64ProcessLoadLibraryExWModule32FirstWProcess32NextWSetConsoleModeSetFilePointerSizeofResourceVirtualProtectVirtualQueryExNetUserGetInfoCoInitializeExCoUninitializeGetUserNameExWTranslateNameWGetShellWindowVerQueryValueWgetprotobyname procedure in Executing: %#qAdministrators/tunnelservice on zero Valueunknown methodunsafe.PointeruserArenaStateread mem statsallocfreetracegcstoptheworldGC assist waitfinalizer waitsync.Cond.Waits.allocCount= key size wrongnil elem type! to finalizer GC worker initruntime: full=runtime: want=MB; allocated timeEndPeriodbad restart PC-thread limit
Source: amneziawg.exe, 00000008.00000002.3304620491.000000C000014000.00000004.00001000.00020000.00000000.sdmp; Binary or memory string: Status: UnknownShell_TrayWndStatus: UnknownShell_TrayWndListen port:DNS servers:Import tunnel(s) from fileListen port:DNS servers:Import tunnel(s) from fileListen port:DNS servers:Import tunnel(s) from fileListen port:DNS servers:Path=C:\Program Files (x86)\Common Files\Oracle\Java\javapath;C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\;C:\Windows\System32\OpenSSH\;C:\Program Files\AmneziaWG\;C:\Users\user\AppData\Local\Microsoft\WindowsApps
Source: amneziawg.exe, 00000008.00000002.3304620491.000000C00020C000.00000004.00001000.00020000.00000000.sdmp; Binary or memory string: AddClipboardFormatListenerTaskbarCreated&CopyCtrl+CSelect &allCtrl+AShell_TrayWnd
Source: C:\Windows\System32\msiexec.exe; Queries volume information: C:\ VolumeInformation
Source: C:\Program Files\AmneziaWG\amneziawg.exe; Queries volume information: C:\Program Files\AmneziaWG\Data VolumeInformation
Source: C:\Program Files\AmneziaWG\amneziawg.exe; Queries volume information: C:\Program Files\AmneziaWG\Data\Configurations VolumeInformation
Source: C:\Program Files\AmneziaWG\amneziawg.exe; Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
Source: C:\Windows\System32\msiexec.exe; Registry key created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349 Blob
MITRE ATT&CK matrix, listed per tactic in the order the matrix rows appear; the number the matrix showed beside a technique is kept in parentheses:

Reconnaissance: Gather Victim Identity Information; Credentials; Email Addresses; Employee Names; Gather Victim Network Information; Domain Properties
Resource Development: Acquire Infrastructure; Domains; DNS Server; Virtual Private Server; Server; Botnet
Initial Access: Replication Through Removable Media (1); Default Accounts; Domain Accounts; Local Accounts; Cloud Accounts; Replication Through Removable Media
Execution: Windows Management Instrumentation; Scheduled Task/Job; At; Cron; Launchd; Scheduled Task
Persistence: Windows Service (1); Registry Run Keys / Startup Folder (1); DLL Side-Loading (1); Login Hook; Network Logon Script; RC Scripts
Privilege Escalation: Windows Service (1); Process Injection (12); Registry Run Keys / Startup Folder (1); DLL Side-Loading (1); Network Logon Script; RC Scripts
Defense Evasion: Masquerading (22); Disable or Modify Tools (2); Process Injection (12); Obfuscated Files or Information (1); DLL Side-Loading (1); File Deletion (1)
Credential Access: Input Capture (11); LSASS Memory; Security Account Manager; NTDS; LSA Secrets; Cached Domain Credentials
Discovery: Security Software Discovery (11); Process Discovery (2); Peripheral Device Discovery (11); File and Directory Discovery (1); System Information Discovery (13); Wi-Fi Discovery
Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model; SSH; VNC
Collection: Input Capture (11); Data from Removable Media; Data from Network Shared Drive; Input Capture; Keylogging; GUI Input Capture
Command and Control: Data Obfuscation; Junk Data; Steganography; Protocol Impersonation; Fallback Channels; Multiband Communication
Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Traffic Duplication; Scheduled Transfer; Data Transfer Size Limits
Impact: Abuse Accessibility Features; Network Denial of Service; Data Encrypted for Impact; Data Destruction; Data Encrypted for Impact; Service Stop
Behavior graph (ID 1532532; sample amneziawg-amd64-1.0.0.msi; start date 13/10/2024; architecture WINDOWS; score 72). The rendered graph is not reproduced here; its content is as follows.

Signatures on the sample node: Malicious sample detected (through community Yara rule); Multi AV Scanner detection for dropped file; Multi AV Scanner detection for submitted file; Yara detected UAC Bypass using CMSTP.

Processes started from the sample: msiexec.exe, amneziawg.exe and a second msiexec.exe. The first msiexec.exe started amneziawg.exe and two further msiexec.exe instances; that amneziawg.exe child started another amneziawg.exe, and the directly started amneziawg.exe also started a child amneziawg.exe.

Files dropped by msiexec.exe: C:\Program Files\AmneziaWG\amneziawg.exe (PE32+); C:\Windows\Installer\MSIFF55.tmp (PE32+); C:\Windows\Installer\MSIFF35.tmp (PE32+); 6 other files (none is malicious).

Source | Detection | Scanner | Label
amneziawg-amd64-1.0.0.msi | 13% | Virustotal |
amneziawg-amd64-1.0.0.msi | 8% | ReversingLabs | Binary.Trojan.Generic

Source | Detection | Scanner | Label
C:\Program Files\AmneziaWG\amneziawg.exe | 0% | ReversingLabs |
C:\Program Files\AmneziaWG\amneziawg.exe | 0% | Virustotal |
C:\Program Files\AmneziaWG\awg.exe | 0% | ReversingLabs |
C:\Program Files\AmneziaWG\awg.exe | 10% | Virustotal |
C:\Program Files\AmneziaWG\wintun.dll | 0% | ReversingLabs |
C:\Program Files\AmneziaWG\wintun.dll | 0% | Virustotal |
C:\Windows\Installer\MSIF78F.tmp | 0% | ReversingLabs |
C:\Windows\Installer\MSIF78F.tmp | 0% | Virustotal |
C:\Windows\Installer\MSIF7DE.tmp | 0% | ReversingLabs |
C:\Windows\Installer\MSIF7DE.tmp | 0% | Virustotal |
C:\Windows\Installer\MSIF83E.tmp | 0% | ReversingLabs |
C:\Windows\Installer\MSIF83E.tmp | 0% | Virustotal |
C:\Windows\Installer\MSIFEE6.tmp | 0% | ReversingLabs |
C:\Windows\Installer\MSIFEE6.tmp | 0% | Virustotal |
C:\Windows\Installer\MSIFF35.tmp | 0% | ReversingLabs |
C:\Windows\Installer\MSIFF35.tmp | 0% | Virustotal |
C:\Windows\Installer\MSIFF55.tmp | 0% | ReversingLabs |
C:\Windows\Installer\MSIFF55.tmp | 0% | Virustotal |
No Antivirus matches
Source | Detection | Scanner | Label
http://crl.sectigo.com/SectigoPublicTimeStampingRootR46.crl0 | 0% | URL Reputation | safe
https://sectigo.com/CPS0 | 0% | URL Reputation | safe
http://crt.sectigo.com/SectigoPublicTimeStampingCAR36.crt0# | 0% | URL Reputation | safe
http://crl.sectigo.com/SectigoPublicCodeSigningCAR36.crl0y | 0% | URL Reputation | safe
http://crl.sectigo.com/SectigoPublicCodeSigningRootR46.crl0 | 0% | URL Reputation | safe
http://ocsp.sectigo.com0 | 0% | URL Reputation | safe
http://crl.sectigo.com/SectigoPublicTimeStampingCAR36.crl0z | 0% | URL Reputation | safe
http://crt.sectigo.com/SectigoPublicCodeSigningCAR36.crt0# | 0% | URL Reputation | safe
http://crt.sectigo.com/SectigoPublicCodeSigningRootR46.p7c0# | 0% | URL Reputation | safe
http://crt.sectigo.com/SectigoPublicTimeStampingRootR46.p7c0# | 0% | URL Reputation | safe
https://www.wintun.net/D | 0% | Virustotal |
https://amnezia.org/wireguard-log-%s.txtTaskbarButtonCreatedreflect.Value.IsZeroreflect.Value.SetInt | 2% | Virustotal |
https://amnezia.org/D | 2% | Virustotal |
https://www.wireguard.com/D | 1% | Virustotal |
https://sectigo.com/CPS | 0% | Virustotal |
https://git.zx2c4.com/wireguard-tools/ | 0% | Virustotal |
https://sectigo.com/CPS2.23.140.1.4.1 | 0% | Virustotal |
https://www.wintun.net/ | 0% | Virustotal |
https://amnezia.org/ | 1% | Virustotal |

No contacted domains info
Name | Source | Malicious | Antivirus Detection | Reputation
https://www.wintun.net/D | wintun.dll.2.dr | false | | unknown
http://crl.sectigo.com/SectigoPublicTimeStampingRootR46.crl0 | amneziawg-amd64-1.0.0.msi, MSIFF35.tmp.2.dr, MSIF83E.tmp.2.dr, awg.exe.2.dr, MSIFEE6.tmp.2.dr, amneziawg.exe.2.dr, MSIFF55.tmp.2.dr, MSIF78F.tmp.2.dr, 5cf62a.msi.2.dr, 5cf628.msi.2.dr, MSIF83D.tmp.2.dr, MSIF7DE.tmp.2.dr | false | URL Reputation: safe | unknown
https://sectigo.com/CPS | amneziawg.exe, 00000005.00000002.2114586043.000000C00006F000.00000004.00001000.00020000.00000000.sdmp | false | | unknown
https://amnezia.org/D | amneziawg.exe, 00000005.00000002.2117128652.000001BD54652000.00000004.00000020.00020000.00000000.sdmp, amneziawg.exe, 00000005.00000002.2114159941.00000000008C8000.00000002.00000001.01000000.00000003.sdmp, amneziawg.exe, 00000006.00000002.2121487836.00000000008C8000.00000002.00000001.01000000.00000003.sdmp, amneziawg.exe, 00000007.00000000.2113554513.00000000008C8000.00000002.00000001.01000000.00000003.sdmp, amneziawg.exe, 00000008.00000002.3304166869.00000000008C8000.00000002.00000001.01000000.00000003.sdmp, amneziawg.exe.2.dr | false | | unknown
https://sectigo.com/CPS0 | amneziawg-amd64-1.0.0.msi, MSIFF35.tmp.2.dr, MSIF83E.tmp.2.dr, awg.exe.2.dr, MSIFEE6.tmp.2.dr, amneziawg.exe.2.dr, MSIFF55.tmp.2.dr, MSIF78F.tmp.2.dr, 5cf62a.msi.2.dr, 5cf628.msi.2.dr, MSIF83D.tmp.2.dr, MSIF7DE.tmp.2.dr | false | URL Reputation: safe | unknown
http://crt.sectigo.com/SectigoPublicTimeStampingCAR36.crt0# | amneziawg-amd64-1.0.0.msi, MSIFF35.tmp.2.dr, MSIF83E.tmp.2.dr, awg.exe.2.dr, MSIFEE6.tmp.2.dr, amneziawg.exe.2.dr, MSIFF55.tmp.2.dr, MSIF78F.tmp.2.dr, 5cf62a.msi.2.dr, 5cf628.msi.2.dr, MSIF83D.tmp.2.dr, MSIF7DE.tmp.2.dr | false | URL Reputation: safe | unknown
http://crl.sectigo.com/SectigoPublicCodeSigningCAR36.crl0y | amneziawg-amd64-1.0.0.msi, MSIFF35.tmp.2.dr, MSIF83E.tmp.2.dr, awg.exe.2.dr, MSIFEE6.tmp.2.dr, amneziawg.exe.2.dr, MSIFF55.tmp.2.dr, MSIF78F.tmp.2.dr, 5cf62a.msi.2.dr, 5cf628.msi.2.dr, MSIF83D.tmp.2.dr, MSIF7DE.tmp.2.dr | false | URL Reputation: safe | unknown
http://crl.sectigo.com/SectigoPublicCodeSigningRootR46.crl0 | amneziawg-amd64-1.0.0.msi, MSIFF35.tmp.2.dr, MSIF83E.tmp.2.dr, awg.exe.2.dr, MSIFEE6.tmp.2.dr, amneziawg.exe.2.dr, MSIFF55.tmp.2.dr, MSIF78F.tmp.2.dr, 5cf62a.msi.2.dr, 5cf628.msi.2.dr, MSIF83D.tmp.2.dr, MSIF7DE.tmp.2.dr | false | URL Reputation: safe | unknown
http://ocsp.sectigo.com0 | amneziawg-amd64-1.0.0.msi, MSIFF35.tmp.2.dr, MSIF83E.tmp.2.dr, awg.exe.2.dr, MSIFEE6.tmp.2.dr, amneziawg.exe.2.dr, MSIFF55.tmp.2.dr, MSIF78F.tmp.2.dr, 5cf62a.msi.2.dr, 5cf628.msi.2.dr, MSIF83D.tmp.2.dr, MSIF7DE.tmp.2.dr | false | URL Reputation: safe | unknown
https://amnezia.org/wireguard-log-%s.txtTaskbarButtonCreatedreflect.Value.IsZeroreflect.Value.SetInt | amneziawg.exe, 00000005.00000000.2085370840.0000000000412000.00000002.00000001.01000000.00000003.sdmp, amneziawg.exe, 00000006.00000002.2120585281.0000000000412000.00000002.00000001.01000000.00000003.sdmp, amneziawg.exe, 00000007.00000002.3303353863.0000000000412000.00000002.00000001.01000000.00000003.sdmp, amneziawg.exe, 00000008.00000002.3303350962.0000000000412000.00000002.00000001.01000000.00000003.sdmp, amneziawg.exe.2.dr | false | | unknown
http://crl.sectigo.com/SectigoPublicTimeStampingCAR36.crl0z | amneziawg-amd64-1.0.0.msi, MSIFF35.tmp.2.dr, MSIF83E.tmp.2.dr, awg.exe.2.dr, MSIFEE6.tmp.2.dr, amneziawg.exe.2.dr, MSIFF55.tmp.2.dr, MSIF78F.tmp.2.dr, 5cf62a.msi.2.dr, 5cf628.msi.2.dr, MSIF83D.tmp.2.dr, MSIF7DE.tmp.2.dr | false | URL Reputation: safe | unknown
https://www.wireguard.com/D | awg.exe.2.dr | false | | unknown
http://crt.sectigo.com/SectigoPublicCodeSigningCAR36.crt0# | amneziawg-amd64-1.0.0.msi, MSIFF35.tmp.2.dr, MSIF83E.tmp.2.dr, awg.exe.2.dr, MSIFEE6.tmp.2.dr, amneziawg.exe.2.dr, MSIFF55.tmp.2.dr, MSIF78F.tmp.2.dr, 5cf62a.msi.2.dr, 5cf628.msi.2.dr, MSIF83D.tmp.2.dr, MSIF7DE.tmp.2.dr | false | URL Reputation: safe | unknown
https://git.zx2c4.com/wireguard-tools/ | awg.exe.2.dr | false | | unknown
https://www.wintun.net/ | wintun.dll.2.dr | false | | unknown
http://crt.sectigo.com/SectigoPublicCodeSigningRootR46.p7c0# | amneziawg-amd64-1.0.0.msi, MSIFF35.tmp.2.dr, MSIF83E.tmp.2.dr, awg.exe.2.dr, MSIFEE6.tmp.2.dr, amneziawg.exe.2.dr, MSIFF55.tmp.2.dr, MSIF78F.tmp.2.dr, 5cf62a.msi.2.dr, 5cf628.msi.2.dr, MSIF83D.tmp.2.dr, MSIF7DE.tmp.2.dr | false | URL Reputation: safe | unknown
https://amnezia.org/ | 5cf629.rbs.2.dr, MSIF83D.tmp.2.dr | false | | unknown
http://crt.sectigo.com/SectigoPublicTimeStampingRootR46.p7c0# | amneziawg-amd64-1.0.0.msi, MSIFF35.tmp.2.dr, MSIF83E.tmp.2.dr, awg.exe.2.dr, MSIFEE6.tmp.2.dr, amneziawg.exe.2.dr, MSIFF55.tmp.2.dr, MSIF78F.tmp.2.dr, 5cf62a.msi.2.dr, 5cf628.msi.2.dr, MSIF83D.tmp.2.dr, MSIF7DE.tmp.2.dr | false | URL Reputation: safe | unknown
https://sectigo.com/CPS2.23.140.1.4.1 | amneziawg.exe, 00000005.00000002.2114586043.000000C00006F000.00000004.00001000.00020000.00000000.sdmp | false | | unknown

No contacted IP infos
Joe Sandbox version: 41.0.0 Charoite
Analysis ID: 1532532
Start date and time: 2024-10-13 15:34:13 +02:00
Joe Sandbox product: CloudBasic
Overall analysis duration: 0h 6m 15s
Hypervisor based Inspection enabled: false
Report type: full
Cookbook file name: default.jbs
Analysis system description: Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of new started processes analysed: 12
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
• HCA enabled
• EGA enabled
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Sample name: amneziawg-amd64-1.0.0.msi
Detection: MAL
Classification: mal72.expl.winMSI@13/35@0/0
EGA Information: Failed
HCA Information: Failed
Cookbook Comments:
• Found application associated with file extension: .msi
• Exclude process from analysis (whitelisted): dllhost.exe, WMIADAP.exe, SIHClient.exe
• Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, otelrules.azureedge.net, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
• Execution Graph export aborted for target amneziawg.exe, PID 2888 because it is empty
• Execution Graph export aborted for target amneziawg.exe, PID 5972 because it is empty
• Execution Graph export aborted for target amneziawg.exe, PID 7172 because there are no executed functions
• Execution Graph export aborted for target amneziawg.exe, PID 7236 because it is empty
• Report size getting too big, too many NtOpenKeyEx calls found.
• Report size getting too big, too many NtQueryValueKey calls found.
                    No simulations
No context
Match | Associated Sample Name / URL | Detection | Threat Name
C:\Program Files\AmneziaWG\wintun.dll | Qz.exe | malicious | Unknown
C:\Program Files\AmneziaWG\wintun.dll | Qz.exe | malicious | Unknown
C:\Program Files\AmneziaWG\wintun.dll | SecuriteInfo.com.Trojan-PSW.Agent.32564.30919.msi | malicious | Xmrig
C:\Program Files\AmneziaWG\wintun.dll | SecuriteInfo.com.Win32.Trojan.CobaltStrike.4EYNH5.5772.17622.dll | malicious | CobaltStrike
C:\Program Files\AmneziaWG\wintun.dll | NordVPNSetup.exe | malicious | BazaLoader, Mars Stealer, Vidar
C:\Program Files\AmneziaWG\wintun.dll | NordVPNSetup.exe | malicious | BazaLoader, Mars Stealer, Vidar
C:\Program Files\AmneziaWG\wintun.dll | SetupClearVPN-01G6JAV8NQQ88AZXAPVS6JGHK6.exe | malicious | Xmrig
                                  Process:C:\Windows\System32\msiexec.exe
                                  File Type:data
                                  Category:dropped
                                  Size (bytes):8456
                                  Entropy (8bit):5.644935818005467
                                  Encrypted:false
                                  SSDEEP:96:qmh4/0u0tTHseggOZUq690TCsTlVUq690TC6jm7VKTlXsJI526QWZIpoC+pljOrk:rh4/ZGbseSSP90OIYP90Oy+IPQ5+pp
                                  MD5:93B43117CD022C5505E43817B7AE3CB1
                                  SHA1:3AD815DE22E105E8FCB513E546D01148B3CA743E
                                  SHA-256:DACB8D880D0F7F5AC4AE253C31CFCBE63C32A0FD9207A32F8426EEABE84638F9
                                  SHA-512:DEB78E2B5BB1345BD455FEB504EA0D9A66929C50F58827B08DD5DE61CCB0E4A68A2BA89BA2E5064AABC89DF46F810F09186E8B159F818BBAB34B26B95254ED0D
                                  Malicious:false
                                  Reputation:low
                                  Preview:...@IXOS.@.....@dLMY.@.....@.....@.....@.....@.....@......&.{58E70232-B95D-465F-878C-918D5D3FD706}..AmneziaWG..amneziawg-amd64-1.0.0.msi.@.....@.....@.....@......wireguard.ico..&.{A2D5D019-9934-4179-80B6-2BC1DC113919}.....@.....@.....@.....@.......@.....@.....@.......@......AmneziaWG......Rollback..Rolling back action:..[1]..RollbackCleanup..Removing backup files..File: [1]....ProcessComponents..Updating component registration..&.{C3508D23-3362-47CE-9220-321BDB1A1ACC}&.{58E70232-B95D-465F-878C-918D5D3FD706}.@......&.{540CF446-FCC3-4452-B9FB-EB4C02780251}&.{58E70232-B95D-465F-878C-918D5D3FD706}.@......&.{AC88E408-9B78-4EB3-9D2A-99305F2E5A51}&.{58E70232-B95D-465F-878C-918D5D3FD706}.@........KillWireGuardProcesses....RemoveConfigFolder....RemoveAdapters....InstallFiles..Copying new files&.File: [1], Directory: [9], Size: [6]....C:\Program Files\AmneziaWG\....(.C:\Program Files\AmneziaWG\amneziawg.exe....".C:\Program Files\AmneziaWG\awg.exe....%.C:\Program Files\AmneziaWG\wintun.dll....C
                                  Process:C:\Windows\System32\msiexec.exe
                                  File Type:data
                                  Category:modified
                                  Size (bytes):417
                                  Entropy (8bit):5.064302522613033
                                  Encrypted:false
                                  SSDEEP:6:Ea3LM6b0/+/YeIy2Xdufd5h8VljlTqnHqdkGXcgmll/VnpLBdsuRYaRsjFD/:Egl0mB52Enh2ZTqZ3j//7bfNo7
                                  MD5:C662BBD57ED03BFE9C382818A0CB7739
                                  SHA1:F627CBF3B85AB4F1FE95EE8ECA50D0E2EB3B2742
                                  SHA-256:C9CDA31B78EAF4E4B56E5B9C00F64F2CBEE3C8000B58BB280066B771175C9688
                                  SHA-512:075B539EF842C3A269CC34329E7D35CC7163B824E6D74341D8E747BC2CA6DF8B2CAC5BD89BDA4C5A5D9D18AE3D74C2821753F823D8C04D9985F5BBAF05CF3A6B
                                  Malicious:false
                                  Reputation:low
                                  Preview:...@IXOS.@.....@dLMY.@.....@.....@.....@.....@.....@......&.{58E70232-B95D-465F-878C-918D5D3FD706}..AmneziaWG..amneziawg-amd64-1.0.0.msi.@.....@.....@.....@......wireguard.ico..&.{A2D5D019-9934-4179-80B6-2BC1DC113919}.....@.....@.....@.....@.......@.....@.....@.......@......AmneziaWG......Rollback..Rolling back action:..[1]..RollbackCleanup..Removing backup files..File: [1]....LaunchApplication...@.....@.....@....
                                  Process:C:\Program Files\AmneziaWG\amneziawg.exe
                                  File Type:data
                                  Category:dropped
                                  Size (bytes):1064968
                                  Entropy (8bit):0.002782440687869065
                                  Encrypted:false
                                  SSDEEP:6:Mo/lWd+oiu6H2AKTKBvb+oiu6TmduWVyF9gzrP5C:Mo+iu6WAKTKBvjiu6pF+zr
                                  MD5:D79ED0A48931B26C3A1E3A0D3B988E97
                                  SHA1:7847DB77C6D7F5387925B531A00FD6C918B52A9D
                                  SHA-256:1D2B1D49369538EF8DED1276A379404474FA75A74DBAC9C055AEDBC7F6560962
                                  SHA-512:EDB0D7E729BAC3641457D16060BBCCC0581F23E04DBAD46C949020384327F90E42652B5D6C9081FB0DF0BEAE4F1A0E54AA5A95A36208E8AE87D590BC26545BFE
                                  Malicious:false
                                  Reputation:low
                                  Preview:........4.GC....[MGR] Starting AmneziaWG/1.0.0 (Windows 10.0.19045; amd64)......................................................................................................................................................................................................................................................................................................................................................................................................................................................................4.GC....[MGR] Starting UI process for user .user@user-PC. for session 1.........................................................................................................................................................................................................................................................................................................................................................................................................
                                  Process:C:\Windows\System32\msiexec.exe
                                  File Type:PE32+ executable (GUI) x86-64, for MS Windows
                                  Category:dropped
                                  Size (bytes):8231576
                                  Entropy (8bit):6.279002018539988
                                  Encrypted:false
                                  SSDEEP:98304:jHJNGoKgovuzo8bhevZrQZXE79+tA3wUkQok:xo27hevxKU7otA8QR
                                  MD5:9C3859EBA6A53E9DF1D885C8147337BD
                                  SHA1:2ADB6CC21F9973F1AA7A083FE86C4B88A9A5F58C
                                  SHA-256:BA23F928C64CCA759BBF6F1F8318300EA384662F8B0C40BF22EB059BEEFC37AF
                                  SHA-512:3824CB357C508F7A87894AF928D97AD99D543E950AF19BD82C0EDDA2196F36D272D27B54F1315A85921A41FB346B75B261E1FD366021F2B9623F810229300B93
                                  Malicious:true
                                  Yara Hits:
                                  • Rule: JoeSecurity_UACBypassusingCMSTP, Description: Yara detected UAC Bypass using CMSTP, Source: C:\Program Files\AmneziaWG\amneziawg.exe, Author: Joe Security
                                   • Rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM, Description: Detects Windows executables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003), Source: C:\Program Files\AmneziaWG\amneziawg.exe, Author: ditekSHen
                                  Antivirus:
                                  • Antivirus: ReversingLabs, Detection: 0%
                                   • Antivirus: Virustotal, Detection: 0%
                                  Reputation:low
                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..d........bq......."......./...................@.....................................s&~...`... ..............................................@y.T.....z.......w..h...l}......Py..................................................... Vj..............................text...../......./................. ..`.rdata...#;.. /..$;.../.............@..@.data...`l...Pj......,j.............@....pdata...h....w..j....n.............@..@.xdata.......0y......:p.............@..@.idata..T....@y......<p.............@....reloc.......Py.. ...Bp.............@..B.symtab......pz......bq................B.rsrc.........z......dq.............@..@........................................................................................................................................................................................................................................................
                                  Process:C:\Windows\System32\msiexec.exe
                                  File Type:PE32+ executable (console) x86-64, for MS Windows
                                  Category:dropped
                                  Size (bytes):150680
                                  Entropy (8bit):6.431183509532422
                                  Encrypted:false
                                  SSDEEP:3072:9i/PHaRDZTTCRqsTyLTzjaVqCtohz6y71BWIalU7N:AnYTeTyLTzjaVqCGhz9JalU7N
                                  MD5:6F6E6D9DE9A73F3D631647FC7D11896A
                                  SHA1:CB3D2905DAB453FABFBDC45B8AD29AE949976BBC
                                  SHA-256:83E87F0785FCFF3C76B18178CB0DAD18693E5DE192EEC095C3EEB15C97F9C0B4
                                  SHA-512:A02120A8FB7B278FC4F69AB97E826FB4180D9974B6D1D6C00123E5829EAECB3B07C60BB981197E236B4BEBF9C5AB87291FFF4A8D3DA72869077300E768676990
                                  Malicious:false
                                  Antivirus:
                                  • Antivirus: ReversingLabs, Detection: 0%
                                   • Antivirus: Virustotal, Detection: 10%
                                  Reputation:low
                                  Preview:MZx.....................@...................................x...........!..L.!This program cannot be run in DOS mode.$..PE..d...q4.f.........."..........\......P..........@.....................................#....`.....................................................,...............$...............................................(.......8...................x........................text............................... ..`.rdata...=.......>..................@..@.data...Mw..........................@....pdata..$...........................@..@.00cfg..............................@..@.tls................................@....rsrc...............................@..@.reloc..............................@..B........................................................................................................................................................................................................................................................................................................
                                  Process:C:\Windows\System32\msiexec.exe
                                  File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                                  Category:dropped
                                  Size (bytes):427552
                                  Entropy (8bit):6.403238889707664
                                  Encrypted:false
                                  SSDEEP:6144:uNsLgQtz9nDZL4tFDjiaOE1DfsnyDQhWmnPIt:iggQh9nD2tFviW4/Qt
                                  MD5:E861EB5789C50997D9476A6172D1C269
                                  SHA1:647EB6588B149EFE2477FD192C8CAB74D018D8EF
                                  SHA-256:E5DA8447DC2C320EDC0FC52FA01885C103DE8C118481F683643CACC3220DAFCE
                                  SHA-512:D8B49A6834C1EA5D73FEE6979C59DEF18900C86D598EA900AB741CE71EEFDAAADB4862AFEFA14E6CC093007EAE5D4325857633549F1ADE555BAA0344B18E6112
                                  Malicious:false
                                  Antivirus:
                                  • Antivirus: ReversingLabs, Detection: 0%
                                   • Antivirus: Virustotal, Detection: 0%
                                  Joe Sandbox View:
                                   • Filename: Qz.exe, Detection: malicious
                                   • Filename: Qz.exe, Detection: malicious
                                   • Filename: SecuriteInfo.com.Trojan-PSW.Agent.32564.30919.msi, Detection: malicious
                                   • Filename: SecuriteInfo.com.Win32.Trojan.CobaltStrike.4EYNH5.5772.17622.dll, Detection: malicious
                                   • Filename: NordVPNSetup.exe, Detection: malicious
                                   • Filename: NordVPNSetup.exe, Detection: malicious
                                   • Filename: SetupClearVPN-01G6JAV8NQQ88AZXAPVS6JGHK6.exe, Detection: malicious
                                  Reputation:moderate, very likely benign file
                                  Preview:MZ......................@................................... ...........!..L.!This program cannot be run in DOS mode....$.........0...^...^...^.3.]..^.3.[.o.^..Z..^..]..^..[...^.3.Z..^.3._..^......^..._._.^.X.V..^.X.^..^.X....^......^.X.\..^.Rich..^.........................PE..d.....ka.........." .....&...>.......................................................r....`A.........................................).......+..<............`.......V.. 0..........@...T...........................0G..8............@......t........................text....%.......&.................. ..`.rdata.......@.......*..............@..@.data...`....@.......$..............@....pdata.......`.......0..............@..@.didat...............L..............@..._RDATA...............P..............@..@.rsrc................R..............@..@.reloc...............N..............@..B................................................................................................................................
                                  Process:C:\Windows\System32\msiexec.exe
                                  File Type:MS Windows shortcut, Item id list present, Points to a file or directory, Has Description string, Has Relative path, Has Working directory, Archive, ctime=Thu Aug 22 04:05:40 2024, mtime=Sun Oct 13 12:35:06 2024, atime=Thu Aug 22 04:05:40 2024, length=8231576, window=hide
                                  Category:dropped
                                  Size (bytes):1074
                                  Entropy (8bit):4.617864126284117
                                  Encrypted:false
                                  SSDEEP:24:85znrwuddcdit/xKyAv13MVd8EGd8kJsMb+yfm:8xrzddhJKRtMdtGdd
                                  MD5:66B0548B9440535A96B487880504BA0D
                                  SHA1:CBA5C9E068163283B0B689951A8BCF5E457F64B8
                                  SHA-256:28474C1AF3E5CF0BD58C38E6349B9749CFC5CC47F037406152DD3EC10239C4D1
                                  SHA-512:1E536DFAA5B7D88F39A2D17DC85F85204179A2DC59893A045E91CC6041832F163793FBC800AB4B0042806FA59B4CD467CF2F881CE7EC0499E0C27E64102E4AC6
                                  Malicious:false
                                  Preview:L..................F.... ....*..P.....s.t....*..P.....}..........................P.O. .:i.....+00.../C:\.....................1.....MYdl..PROGRA~1..t......O.IMYdl....B...............J.........P.r.o.g.r.a.m. .F.i.l.e.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.1.....\.1.....MYdl..AMNEZI~1..D......MYdlMYdl..........................B2}.A.m.n.e.z.i.a.W.G.....h.2...}..Y.( .AMNEZI~1.EXE..L.......Y.(MYdl..............................a.m.n.e.z.i.a.w.g...e.x.e.......W...............-.......V...........?IlQ.....C:\Program Files\AmneziaWG\amneziawg.exe..*.A.m.n.e.z.i.a.W.G.:. .F.a.s.t.,. .M.o.d.e.r.n.,. .S.e.c.u.r.e. .V.P.N. .T.u.n.n.e.l.4.....\.....\.....\.....\.....\.P.r.o.g.r.a.m. .F.i.l.e.s.\.A.m.n.e.z.i.a.W.G.\.a.m.n.e.z.i.a.w.g...e.x.e...C.:.\.P.r.o.g.r.a.m. .F.i.l.e.s.\.A.m.n.e.z.i.a.W.G.\.........&................c^...NI..e.2.......`.......X.......618321...........hT..CrF.f4... .T|2=.b...,...W..hT..CrF.f4... .T|2=.b...,...W.........A...1SPS.XF.L8C....&.m.%................S.-.1.-.5.-.1.8
                                  Process:C:\Windows\System32\msiexec.exe
                                  File Type:Composite Document File V2 Document, Little Endian, Os: Windows, Version 6.2, MSI Installer, Code page: 1252, Title: Installation Database, Subject: AmneziaWG: Fast, Modern, Secure VPN Tunnel, Author: Amnezia, Keywords: Installer, Comments: This installer database contains the logic and data required to install AmneziaWG., Template: x64;1033, Revision Number: {A2D5D019-9934-4179-80B6-2BC1DC113919}, Create Time/Date: Wed Aug 21 23:07:50 2024, Last Saved Time/Date: Wed Aug 21 23:07:50 2024, Number of Pages: 500, Number of Words: 2, Name of Creating Application: Windows Installer XML Toolset (3.14.1.8722), Security: 4
                                  Category:dropped
                                  Size (bytes):3366912
                                  Entropy (8bit):7.9034206690246025
                                  Encrypted:false
                                  SSDEEP:49152:DUqcXPxspPbZGfz2qKqmOQKsGc28k0aAfCWop2RYmVXbnD2mNoRv:wpXcDMfz2qtmOGGcjdy2OfYo
                                  MD5:820F2D66357F5C1D986CBC1A41116D31
                                  SHA1:AFC5B70D421B55FC6500698D90F1A4B4A030CE11
                                  SHA-256:0F1172401EE28D8BFD15EBD4818E64B6001CD38E04D81AB1D096010EBA40C9DC
                                  SHA-512:953CC34418782304E121213A64E6DE3DC1DC67E96ACAF3686F40854C42805F0E12DEC8E3EF710B5F00AB195BD4BB16FF1E3AE3413872BC846A0EBBDE146BFB62
                                  Malicious:false
                                  Preview:......................>...............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                  Process:C:\Windows\System32\msiexec.exe
                                  File Type:Composite Document File V2 Document, Little Endian, Os: Windows, Version 6.2, MSI Installer, Code page: 1252, Title: Installation Database, Subject: AmneziaWG: Fast, Modern, Secure VPN Tunnel, Author: Amnezia, Keywords: Installer, Comments: This installer database contains the logic and data required to install AmneziaWG., Template: x64;1033, Revision Number: {A2D5D019-9934-4179-80B6-2BC1DC113919}, Create Time/Date: Wed Aug 21 23:07:50 2024, Last Saved Time/Date: Wed Aug 21 23:07:50 2024, Number of Pages: 500, Number of Words: 2, Name of Creating Application: Windows Installer XML Toolset (3.14.1.8722), Security: 4
                                  Category:dropped
                                  Size (bytes):3366912
                                  Entropy (8bit):7.9034206690246025
                                  Encrypted:false
                                  SSDEEP:49152:DUqcXPxspPbZGfz2qKqmOQKsGc28k0aAfCWop2RYmVXbnD2mNoRv:wpXcDMfz2qtmOGGcjdy2OfYo
                                  MD5:820F2D66357F5C1D986CBC1A41116D31
                                  SHA1:AFC5B70D421B55FC6500698D90F1A4B4A030CE11
                                  SHA-256:0F1172401EE28D8BFD15EBD4818E64B6001CD38E04D81AB1D096010EBA40C9DC
                                  SHA-512:953CC34418782304E121213A64E6DE3DC1DC67E96ACAF3686F40854C42805F0E12DEC8E3EF710B5F00AB195BD4BB16FF1E3AE3413872BC846A0EBBDE146BFB62
                                  Malicious:false
                                  Preview:......................>...............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                  Process:C:\Windows\System32\msiexec.exe
                                  File Type:data
                                  Category:dropped
                                  Size (bytes):506
                                  Entropy (8bit):5.181543076027376
                                  Encrypted:false
                                  SSDEEP:6:Ea3LM6b0/7/YeIy2Xdufd5h8VljlTqnHqdkGXcgmll/VnpLBdsuRYaRsjsE/rW5m:Egl0LB52Enh2ZTqZ3j//7bfNEShQpG2l
                                  MD5:B2E94826DC55252BE712ED595357F9D0
                                  SHA1:4A7A9B6DBFFA4A11B7B081733577A3CE2014E63F
                                  SHA-256:ABFEAA703EAF0C033E81F7477B1B92BA0BDB61ED51D1147E537577191F99517B
                                  SHA-512:EA8202F52842B8E225204CED67CAED5F57A272D54B7650B3570EF4107249169A601C8CE39FEB459BA11F9553AA8B381C9CD3E63A81116469D363BCDBF8CE5893
                                  Malicious:false
                                  Preview:...@IXOS.@.....@dLMY.@.....@.....@.....@.....@.....@......&.{58E70232-B95D-465F-878C-918D5D3FD706}..AmneziaWG..amneziawg-amd64-1.0.0.msi.@.....@.....@.....@......wireguard.ico..&.{A2D5D019-9934-4179-80B6-2BC1DC113919}.....@.....@.....@.....@.......@.....@.....@.......@......AmneziaWG......Rollback..Rolling back action:..[1]..RollbackCleanup..Removing backup files..File: [1]...@.......@........LaunchApplication....J...LaunchApplication.@.,..(.C:\Program Files\AmneziaWG\amneziawg.exe...@.....@.....@....
                                  Process:C:\Windows\System32\msiexec.exe
                                  File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                                  Category:dropped
                                  Size (bytes):37056
                                  Entropy (8bit):6.244571548599621
                                  Encrypted:false
                                  SSDEEP:768:V4Q/nsq/a9oPIc2pSPXyvhElv5x3iPmbLUD:V4csjc2pioalvD78D
                                  MD5:811CFC3E9E1DF71228E30AA77ED9F718
                                  SHA1:A12758985729C86868ED099C04EE177591E47DC7
                                  SHA-256:400F7BE58EDF92533C08D1E1157C6216F5E3C80054E9974C6DC0AAE0A895CB3D
                                  SHA-512:14428979B51088F692241505F52D269558DB65E7C7733B000DD4D744F1B71FBE9B7FAE9753CB3D7047C941F1BA9F13D58E8A20B88EF784673530A19B11C40554
                                  Malicious:false
                                  Antivirus:
                                  • Antivirus: ReversingLabs, Detection: 0%
                                   • Antivirus: Virustotal, Detection: 0%
                                  Preview:MZx.....................@...................................x...........!..L.!This program cannot be run in DOS mode.$..PE..d...1e.f.........." .....0..........................................................%H....`.........................................(Q......<R.......................b..........|...........................HM..(...xO..8............V..@............................text...f/.......0.................. ..`.rdata..@#...@...$...4..............@..@.data...\....p.......X..............@....pdata...............Z..............@..@.00cfg...............\..............@..@.tls.................^..............@....reloc..|............`..............@..B................................................................................................................................................................................................................................................................................................................................................
                                  Process:C:\Windows\System32\msiexec.exe
                                  File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                                  Category:dropped
                                  Size (bytes):37056
                                  Entropy (8bit):6.244571548599621
                                  Encrypted:false
                                  SSDEEP:768:V4Q/nsq/a9oPIc2pSPXyvhElv5x3iPmbLUD:V4csjc2pioalvD78D
                                  MD5:811CFC3E9E1DF71228E30AA77ED9F718
                                  SHA1:A12758985729C86868ED099C04EE177591E47DC7
                                  SHA-256:400F7BE58EDF92533C08D1E1157C6216F5E3C80054E9974C6DC0AAE0A895CB3D
                                  SHA-512:14428979B51088F692241505F52D269558DB65E7C7733B000DD4D744F1B71FBE9B7FAE9753CB3D7047C941F1BA9F13D58E8A20B88EF784673530A19B11C40554
                                  Malicious:false
                                  Antivirus:
                                  • Antivirus: ReversingLabs, Detection: 0%
                                   • Antivirus: Virustotal, Detection: 0%
                                  Preview:MZx.....................@...................................x...........!..L.!This program cannot be run in DOS mode.$..PE..d...1e.f.........." .....0..........................................................%H....`.........................................(Q......<R.......................b..........|...........................HM..(...xO..8............V..@............................text...f/.......0.................. ..`.rdata..@#...@...$...4..............@..@.data...\....p.......X..............@....pdata...............Z..............@..@.00cfg...............\..............@..@.tls.................^..............@....reloc..|............`..............@..B................................................................................................................................................................................................................................................................................................................................................
                                  Process:C:\Windows\System32\msiexec.exe
                                  File Type:data
                                  Category:dropped
                                  Size (bytes):581664
                                  Entropy (8bit):6.704047229061242
                                  Encrypted:false
                                  SSDEEP:12288:NjpSlL7ujpSlL77jpSlL7LRWCpkOhfTp/oHCUiWnv2K:NjpuL7ujpuL77jpuL7L2mNoHDtnvP
                                  MD5:CB2BCDA747C0B58276F1EA463518F19E
                                  SHA1:3FE250AA069E344FADA67AE1679111F8C179A83E
                                  SHA-256:44A44C9A9C790561F4DF80C22172C53693CB1F1EE7F2F521AF498EAD2DCCDB92
                                  SHA-512:F0201D7AC6F9AE3810073CBC9C1C28A9A881000BF89A419CCB01CE99EF37A11C0449D60657E0978B74B8B06AC74F23CA1E9B1FBE21FE519F29258124FA38E89F
                                  Malicious:false
                                  Preview:...@IXOS.@.....@cLMY.@.....@.....@.....@.....@.....@......&.{58E70232-B95D-465F-878C-918D5D3FD706}..AmneziaWG..amneziawg-amd64-1.0.0.msi.@.....@.....@.....@......wireguard.ico..&.{A2D5D019-9934-4179-80B6-2BC1DC113919}.....@.....@.....@.....@.......@.....@.....@.......@......AmneziaWG......Rollback..Rolling back action:..[1]..RollbackCleanup..Removing backup files..File: [1]...@.......@........ProcessComponents..Updating component registration.....@.....@.....@.]....&.{C3508D23-3362-47CE-9220-321BDB1A1ACC}(.C:\Program Files\AmneziaWG\amneziawg.exe.@.......@.....@.....@......&.{540CF446-FCC3-4452-B9FB-EB4C02780251}".C:\Program Files\AmneziaWG\awg.exe.@.......@.....@.....@......&.{AC88E408-9B78-4EB3-9D2A-99305F2E5A51}%.C:\Program Files\AmneziaWG\wintun.dll.@.......@.....@.....@........KillWireGuardProcesses....J...KillWireGuardProcesses.@..........MZx.....................@...................................x...........!..L.!This program cannot be run in DOS mode.$..PE..d...1e.f.........."
                                  Process:C:\Windows\System32\msiexec.exe
                                  File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                                  Category:dropped
                                  Size (bytes):37056
                                  Entropy (8bit):6.244571548599621
                                  Encrypted:false
                                  SSDEEP:768:V4Q/nsq/a9oPIc2pSPXyvhElv5x3iPmbLUD:V4csjc2pioalvD78D
                                  MD5:811CFC3E9E1DF71228E30AA77ED9F718
                                  SHA1:A12758985729C86868ED099C04EE177591E47DC7
                                  SHA-256:400F7BE58EDF92533C08D1E1157C6216F5E3C80054E9974C6DC0AAE0A895CB3D
                                  SHA-512:14428979B51088F692241505F52D269558DB65E7C7733B000DD4D744F1B71FBE9B7FAE9753CB3D7047C941F1BA9F13D58E8A20B88EF784673530A19B11C40554
                                  Malicious:false
                                  Antivirus:
                                  • Antivirus: ReversingLabs, Detection: 0%
                                   • Antivirus: Virustotal, Detection: 0%
                                  Preview:MZx.....................@...................................x...........!..L.!This program cannot be run in DOS mode.$..PE..d...1e.f.........." .....0..........................................................%H....`.........................................(Q......<R.......................b..........|...........................HM..(...xO..8............V..@............................text...f/.......0.................. ..`.rdata..@#...@...$...4..............@..@.data...\....p.......X..............@....pdata...............Z..............@..@.00cfg...............\..............@..@.tls.................^..............@....reloc..|............`..............@..B................................................................................................................................................................................................................................................................................................................................................
                                  Process:C:\Windows\System32\msiexec.exe
                                  File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                                  Category:dropped
                                  Size (bytes):37056
                                  Entropy (8bit):6.244571548599621
                                  Encrypted:false
                                  SSDEEP:768:V4Q/nsq/a9oPIc2pSPXyvhElv5x3iPmbLUD:V4csjc2pioalvD78D
                                  MD5:811CFC3E9E1DF71228E30AA77ED9F718
                                  SHA1:A12758985729C86868ED099C04EE177591E47DC7
                                  SHA-256:400F7BE58EDF92533C08D1E1157C6216F5E3C80054E9974C6DC0AAE0A895CB3D
                                  SHA-512:14428979B51088F692241505F52D269558DB65E7C7733B000DD4D744F1B71FBE9B7FAE9753CB3D7047C941F1BA9F13D58E8A20B88EF784673530A19B11C40554
                                  Malicious:false
                                  Antivirus:
                                  • Antivirus: ReversingLabs, Detection: 0%
                                   • Antivirus: Virustotal, Detection: 0%
                                  Preview:MZx.....................@...................................x...........!..L.!This program cannot be run in DOS mode.$..PE..d...1e.f.........." .....0..........................................................%H....`.........................................(Q......<R.......................b..........|...........................HM..(...xO..8............V..@............................text...f/.......0.................. ..`.rdata..@#...@...$...4..............@..@.data...\....p.......X..............@....pdata...............Z..............@..@.00cfg...............\..............@..@.tls.................^..............@....reloc..|............`..............@..B................................................................................................................................................................................................................................................................................................................................................
                                  Process:C:\Windows\System32\msiexec.exe
                                  File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                                  Category:dropped
                                  Size (bytes):37056
                                  Entropy (8bit):6.244571548599621
                                  Encrypted:false
                                  SSDEEP:768:V4Q/nsq/a9oPIc2pSPXyvhElv5x3iPmbLUD:V4csjc2pioalvD78D
                                  MD5:811CFC3E9E1DF71228E30AA77ED9F718
                                  SHA1:A12758985729C86868ED099C04EE177591E47DC7
                                  SHA-256:400F7BE58EDF92533C08D1E1157C6216F5E3C80054E9974C6DC0AAE0A895CB3D
                                  SHA-512:14428979B51088F692241505F52D269558DB65E7C7733B000DD4D744F1B71FBE9B7FAE9753CB3D7047C941F1BA9F13D58E8A20B88EF784673530A19B11C40554
                                  Malicious:false
                                  Antivirus:
                                  • Antivirus: ReversingLabs, Detection: 0%
                                   • Antivirus: Virustotal, Detection: 0%
                                  Preview:MZx.....................@...................................x...........!..L.!This program cannot be run in DOS mode.$..PE..d...1e.f.........." .....0..........................................................%H....`.........................................(Q......<R.......................b..........|...........................HM..(...xO..8............V..@............................text...f/.......0.................. ..`.rdata..@#...@...$...4..............@..@.data...\....p.......X..............@....pdata...............Z..............@..@.00cfg...............\..............@..@.tls.................^..............@....reloc..|............`..............@..B................................................................................................................................................................................................................................................................................................................................................
                                  Process:C:\Windows\System32\msiexec.exe
                                  File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                                  Category:dropped
                                  Size (bytes):37056
                                  Entropy (8bit):6.244571548599621
                                  Encrypted:false
                                  SSDEEP:768:V4Q/nsq/a9oPIc2pSPXyvhElv5x3iPmbLUD:V4csjc2pioalvD78D
                                  MD5:811CFC3E9E1DF71228E30AA77ED9F718
                                  SHA1:A12758985729C86868ED099C04EE177591E47DC7
                                  SHA-256:400F7BE58EDF92533C08D1E1157C6216F5E3C80054E9974C6DC0AAE0A895CB3D
                                  SHA-512:14428979B51088F692241505F52D269558DB65E7C7733B000DD4D744F1B71FBE9B7FAE9753CB3D7047C941F1BA9F13D58E8A20B88EF784673530A19B11C40554
                                  Malicious:false
                                  Antivirus:
                                  • Antivirus: ReversingLabs, Detection: 0%
                                   • Antivirus: Virustotal, Detection: 0%
                                  Preview:MZx.....................@...................................x...........!..L.!This program cannot be run in DOS mode.$..PE..d...1e.f.........." .....0..........................................................%H....`.........................................(Q......<R.......................b..........|...........................HM..(...xO..8............V..@............................text...f/.......0.................. ..`.rdata..@#...@...$...4..............@..@.data...\....p.......X..............@....pdata...............Z..............@..@.00cfg...............\..............@..@.tls.................^..............@....reloc..|............`..............@..B................................................................................................................................................................................................................................................................................................................................................
                                  Process:C:\Windows\System32\msiexec.exe
                                  File Type:Composite Document File V2 Document, Cannot read section info
                                  Category:dropped
                                  Size (bytes):20480
                                  Entropy (8bit):1.1698040308946642
                                  Encrypted:false
                                  SSDEEP:12:JSbX72Fj8JAGiLIlHVRpuBh/7777777777777777777777777vDHFN+m08h2Xl0G:J+JQI58/umXF
                                  MD5:A8B09DD9A35843E23557C4F6813F4DE7
                                  SHA1:C9A14684744D73C39A0DF67400FF8429CD44718E
                                  SHA-256:17E5886759E8483BE68F7AC7545BCE4453D75978D280016CDDCBD30C3A3AAF84
                                  SHA-512:F11FE589A2C83B751E04824876666264F861C60998EA093D940CF8A654BEB9E21FCAEF106BE5D8A9DA736294A94E723224C83CE27959E1043087CE190B1C0796
                                  Malicious:false
                                  Process:C:\Windows\System32\msiexec.exe
                                  File Type:Composite Document File V2 Document, Cannot read section info
                                  Category:dropped
                                  Size (bytes):20480
                                  Entropy (8bit):1.4276987368832854
                                  Encrypted:false
                                  SSDEEP:48:7R8PhkuRc06WXJcjT5mmbS5trDSIR78sBp:Ihk1/jT4mbeB
                                  MD5:AF7CFBD58349F4B3059E2A8378D22767
                                  SHA1:7278AA1A2B9559EBABBED99452671F7F7C3E97DF
                                  SHA-256:EA1C5443B6FD4FBA504C2FB9E51BE8C9D02C43D2308DC0E6ED62E8322D2870FA
                                  SHA-512:1C2AE6E1491BFF1089D0700765632EA510D93AEF2711DACEA3A75566DD7477C60137AFE8999AEBD14FFBB603C656CDEE8A9A76AAB4783D7AE2883F67AC42B654
                                  Malicious:false
                                  Process:C:\Windows\System32\msiexec.exe
                                  File Type:MS Windows icon resource - 11 icons, 256x256 with PNG image data, 256 x 256, 16-bit/color RGBA, non-interlaced, 32 bits/pixel, -64x-64, 32 bits/pixel
                                  Category:dropped
                                  Size (bytes):467632
                                  Entropy (8bit):6.6534794429987665
                                  Encrypted:false
                                  SSDEEP:6144:iolRWLfGCi0OkOhwQXeC3Z/oKuCebiQnnv2c:RRWCpkOhfTp/oHCUiWnv2
                                  MD5:10609B5124D8ABB40699453E46054961
                                  SHA1:01DC5983E65542B8B6BF6F387934D2C089247BE3
                                  SHA-256:36C8B832DACEAC2E85F84A81B2EEB1697ABE53DAAF7F5C7E73B83828D314C949
                                  SHA-512:8752F5461A82FCFE69DB9199A92F8EBC07A23DFB2DDD3940E835D320089C36EB4E9DF11ACD4C2C9AC8980EAE5FD7B5FECDB62A8AF667FE876AB2F491E8ACDDF7
                                  Malicious:false
                                  Process:C:\Windows\System32\msiexec.exe
                                  File Type:Unicode text, UTF-8 (with BOM) text, with CRLF line terminators
                                  Category:dropped
                                  Size (bytes):364484
                                  Entropy (8bit):5.3654941753840815
                                  Encrypted:false
                                  SSDEEP:1536:6qELG7gK+RaOOp3LCCpfmLgYI66xgFF9Sq8K6MAS2OMUHl6Gin327D22A26KgauE:zTtbmkExhMJCIpE3
                                  MD5:9253ED198E99B6757AA92E68F34176C2
                                  SHA1:FB12BAD2F2A61226D861E4D25C8AFDDA37622E60
                                  SHA-256:32FF983CF93B992B4B59C200FE906C115A7C374669B8DC63C0F36C03542E7978
                                  SHA-512:9B506AA48ABBA0D60B43DBB7F057791CC7811A8B3D2CAB38437CCEAA51969B199C97C3549714BA1E2FBB8DBA5B8AD81F91F3FF2A4E34567560AE0CA0F8626ED9
                                  Malicious:false
                                  Preview:.To learn about increasing the verbosity of the NGen log files please see http://go.microsoft.com/fwlink/?linkid=210113..12/07/2019 14:54:22.458 [5488]: Command line: D:\wd\compilerTemp\BMT.200yuild.1bk\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe executeQueuedItems /nologo ..12/07/2019 14:54:22.473 [5488]: Executing command from offline queue: install "System.Runtime.WindowsRuntime.UI.Xaml, Version=4.0.0.0, Culture=Neutral, PublicKeyToken=b77a5c561934e089, processorArchitecture=msil" /NoDependencies /queue:1..12/07/2019 14:54:22.490 [5488]: Executing command from offline queue: install "System.Web.ApplicationServices, Version=4.0.0.0, Culture=Neutral, PublicKeyToken=31bf3856ad364e35, processorArchitecture=msil" /NoDependencies /queue:3..12/07/2019 14:54:22.490 [5488]: Exclusion list entry found for System.Web.ApplicationServices, Version=4.0.0.0, Culture=Neutral, PublicKeyToken=31bf3856ad364e35, processorArchitecture=msil; it will not be installed..12/07/2019 14:54:22.490 [
                                  Process:C:\Windows\System32\msiexec.exe
                                  File Type:Composite Document File V2 Document, Cannot read section info
                                  Category:dropped
                                  Size (bytes):32768
                                  Entropy (8bit):1.1534680248717266
                                  Encrypted:false
                                  SSDEEP:24:JAYh+3gmMuxAiEipKP2xza2tzhAVZZagUMClXtdoiWm+lcipV7VQwGAlrkgDipVn:OnrMuyJveFXJ3T5GmbS5trDSIR78sBp
                                  MD5:ED2A4B0196A89074915C7068FB660BDF
                                  SHA1:7333EB6BC8EE2E5871FAE927ABF6300821D1FDEB
                                  SHA-256:2BC3D5D1D623F1DA60D2F5E1FCEBE176B1ADBC9D9CEF7697F5032FD159219DBC
                                  SHA-512:42F80DC3C69D27DBFFCF6D1C4E1E5B0B74FB062B886F4FF9A39DBFF168F89626C7B886930A1CFB0AF11B29D96660EE135113314F953A7FDAB7B56533DFF80A74
                                  Malicious:false
                                  Process:C:\Windows\System32\msiexec.exe
                                  File Type:data
                                  Category:dropped
                                  Size (bytes):512
                                  Entropy (8bit):0.0
                                  Encrypted:false
                                  SSDEEP:3::
                                  MD5:BF619EAC0CDF3F68D496EA9344137E8B
                                  SHA1:5C3EB80066420002BC3DCC7CA4AB6EFAD7ED4AE5
                                  SHA-256:076A27C79E5ACE2A3D47F9DD2E83E4FF6EA8872B3C2218F66C92B89B55F36560
                                  SHA-512:DF40D4A774E0B453A5B87C00D6F0EF5D753143454E88EE5F7B607134598294C7905CCBCF94BBC46E474DB6EB44E56A6DBB6D9A1BE9D4FB5D1B5F2D0C6ED34BFE
                                  Malicious:false
                                  Process:C:\Windows\System32\msiexec.exe
                                  File Type:data
                                  Category:dropped
                                  Size (bytes):512
                                  Entropy (8bit):0.0
                                  Encrypted:false
                                  SSDEEP:3::
                                  MD5:BF619EAC0CDF3F68D496EA9344137E8B
                                  SHA1:5C3EB80066420002BC3DCC7CA4AB6EFAD7ED4AE5
                                  SHA-256:076A27C79E5ACE2A3D47F9DD2E83E4FF6EA8872B3C2218F66C92B89B55F36560
                                  SHA-512:DF40D4A774E0B453A5B87C00D6F0EF5D753143454E88EE5F7B607134598294C7905CCBCF94BBC46E474DB6EB44E56A6DBB6D9A1BE9D4FB5D1B5F2D0C6ED34BFE
                                  Malicious:false
                                  Process:C:\Windows\System32\msiexec.exe
                                  File Type:data
                                  Category:dropped
                                  Size (bytes):512
                                  Entropy (8bit):0.0
                                  Encrypted:false
                                  SSDEEP:3::
                                  MD5:BF619EAC0CDF3F68D496EA9344137E8B
                                  SHA1:5C3EB80066420002BC3DCC7CA4AB6EFAD7ED4AE5
                                  SHA-256:076A27C79E5ACE2A3D47F9DD2E83E4FF6EA8872B3C2218F66C92B89B55F36560
                                  SHA-512:DF40D4A774E0B453A5B87C00D6F0EF5D753143454E88EE5F7B607134598294C7905CCBCF94BBC46E474DB6EB44E56A6DBB6D9A1BE9D4FB5D1B5F2D0C6ED34BFE
                                  Malicious:false
                                  Process:C:\Windows\System32\msiexec.exe
                                  File Type:Composite Document File V2 Document, Cannot read section info
                                  Category:dropped
                                  Size (bytes):32768
                                  Entropy (8bit):1.1534680248717266
                                  Encrypted:false
                                  SSDEEP:24:JAYh+3gmMuxAiEipKP2xza2tzhAVZZagUMClXtdoiWm+lcipV7VQwGAlrkgDipVn:OnrMuyJveFXJ3T5GmbS5trDSIR78sBp
                                  MD5:ED2A4B0196A89074915C7068FB660BDF
                                  SHA1:7333EB6BC8EE2E5871FAE927ABF6300821D1FDEB
                                  SHA-256:2BC3D5D1D623F1DA60D2F5E1FCEBE176B1ADBC9D9CEF7697F5032FD159219DBC
                                  SHA-512:42F80DC3C69D27DBFFCF6D1C4E1E5B0B74FB062B886F4FF9A39DBFF168F89626C7B886930A1CFB0AF11B29D96660EE135113314F953A7FDAB7B56533DFF80A74
                                  Malicious:false
                                  Process:C:\Windows\System32\msiexec.exe
                                  File Type:Composite Document File V2 Document, Cannot read section info
                                  Category:dropped
                                  Size (bytes):32768
                                  Entropy (8bit):1.1534680248717266
                                  Encrypted:false
                                  SSDEEP:24:JAYh+3gmMuxAiEipKP2xza2tzhAVZZagUMClXtdoiWm+lcipV7VQwGAlrkgDipVn:OnrMuyJveFXJ3T5GmbS5trDSIR78sBp
                                  MD5:ED2A4B0196A89074915C7068FB660BDF
                                  SHA1:7333EB6BC8EE2E5871FAE927ABF6300821D1FDEB
                                  SHA-256:2BC3D5D1D623F1DA60D2F5E1FCEBE176B1ADBC9D9CEF7697F5032FD159219DBC
                                  SHA-512:42F80DC3C69D27DBFFCF6D1C4E1E5B0B74FB062B886F4FF9A39DBFF168F89626C7B886930A1CFB0AF11B29D96660EE135113314F953A7FDAB7B56533DFF80A74
                                  Malicious:false
                                  Process:C:\Windows\System32\msiexec.exe
                                  File Type:data
                                  Category:dropped
                                  Size (bytes):69632
                                  Entropy (8bit):0.08901037541349023
                                  Encrypted:false
                                  SSDEEP:24:ItzpYeMR78OipVvipV7VQwGAlrkgzi+PY:IBpsR78OS9S5tr2A
                                  MD5:FBD7F255B917A1F148E9F73ABD5670C8
                                  SHA1:2CABF7E2DDE40C86A6D87F93A57C44A870A713F0
                                  SHA-256:5AB0FABD1CDBB8300F6E6B22AA7A0D77AEDB7707EA174315CF014E876E0537AA
                                  SHA-512:978E3B24B73413B2790886D07538F3065D5650AD69874247D047E4128FDC466EC2DAB412C6E331A015AB8C4BB0A6F2A6DF37D722F9B764B57904F646DD743D80
                                  Malicious:false
                                  Process:C:\Windows\System32\msiexec.exe
                                  File Type:data
                                  Category:dropped
                                  Size (bytes):32768
                                  Entropy (8bit):0.07612848835150864
                                  Encrypted:false
                                  SSDEEP:6:2/9LG7iVCnLG7iVrKOzPLHKOJDg7HIeI0G5h8hyVky6lX:2F0i8n0itFzDHFN+m08h2X
                                  MD5:6984965D79C01CB4213EA31007696179
                                  SHA1:F57E6A1AD8B31B1D628337624413174E822E8A45
                                  SHA-256:85E545C16F78FB58D937247CCE2D64092D0EB22AFC1FA778E505842BA5E4AB00
                                  SHA-512:52C0CC4D1E44D8EC705772D00BB2B04AD10CD941159048D689938314794A4DC52C4CB785E860EE67F543F2BD58EE98235773107F08C3208166FE187D0CDBE90E
                                  Malicious:false
                                  Process:C:\Windows\System32\msiexec.exe
                                  File Type:data
                                  Category:dropped
                                  Size (bytes):512
                                  Entropy (8bit):0.0
                                  Encrypted:false
                                  SSDEEP:3::
                                  MD5:BF619EAC0CDF3F68D496EA9344137E8B
                                  SHA1:5C3EB80066420002BC3DCC7CA4AB6EFAD7ED4AE5
                                  SHA-256:076A27C79E5ACE2A3D47F9DD2E83E4FF6EA8872B3C2218F66C92B89B55F36560
                                  SHA-512:DF40D4A774E0B453A5B87C00D6F0EF5D753143454E88EE5F7B607134598294C7905CCBCF94BBC46E474DB6EB44E56A6DBB6D9A1BE9D4FB5D1B5F2D0C6ED34BFE
                                  Malicious:false
                                  Process:C:\Windows\System32\msiexec.exe
                                  File Type:Composite Document File V2 Document, Cannot read section info
                                  Category:dropped
                                  Size (bytes):20480
                                  Entropy (8bit):1.4276987368832854
                                  Encrypted:false
                                  SSDEEP:48:7R8PhkuRc06WXJcjT5mmbS5trDSIR78sBp:Ihk1/jT4mbeB
                                  MD5:AF7CFBD58349F4B3059E2A8378D22767
                                  SHA1:7278AA1A2B9559EBABBED99452671F7F7C3E97DF
                                  SHA-256:EA1C5443B6FD4FBA504C2FB9E51BE8C9D02C43D2308DC0E6ED62E8322D2870FA
                                  SHA-512:1C2AE6E1491BFF1089D0700765632EA510D93AEF2711DACEA3A75566DD7477C60137AFE8999AEBD14FFBB603C656CDEE8A9A76AAB4783D7AE2883F67AC42B654
                                  Malicious:false
                                  Process:C:\Windows\System32\msiexec.exe
                                  File Type:data
                                  Category:dropped
                                  Size (bytes):512
                                  Entropy (8bit):0.0
                                  Encrypted:false
                                  SSDEEP:3::
                                  MD5:BF619EAC0CDF3F68D496EA9344137E8B
                                  SHA1:5C3EB80066420002BC3DCC7CA4AB6EFAD7ED4AE5
                                  SHA-256:076A27C79E5ACE2A3D47F9DD2E83E4FF6EA8872B3C2218F66C92B89B55F36560
                                  SHA-512:DF40D4A774E0B453A5B87C00D6F0EF5D753143454E88EE5F7B607134598294C7905CCBCF94BBC46E474DB6EB44E56A6DBB6D9A1BE9D4FB5D1B5F2D0C6ED34BFE
                                  Malicious:false
                                  Process:C:\Windows\System32\msiexec.exe
                                  File Type:Composite Document File V2 Document, Cannot read section info
                                  Category:dropped
                                  Size (bytes):32768
                                  Entropy (8bit):1.1534680248717266
                                  Encrypted:false
                                  SSDEEP:24:JAYh+3gmMuxAiEipKP2xza2tzhAVZZagUMClXtdoiWm+lcipV7VQwGAlrkgDipVn:OnrMuyJveFXJ3T5GmbS5trDSIR78sBp
                                  MD5:ED2A4B0196A89074915C7068FB660BDF
                                  SHA1:7333EB6BC8EE2E5871FAE927ABF6300821D1FDEB
                                  SHA-256:2BC3D5D1D623F1DA60D2F5E1FCEBE176B1ADBC9D9CEF7697F5032FD159219DBC
                                  SHA-512:42F80DC3C69D27DBFFCF6D1C4E1E5B0B74FB062B886F4FF9A39DBFF168F89626C7B886930A1CFB0AF11B29D96660EE135113314F953A7FDAB7B56533DFF80A74
                                  Malicious:false
                                  Process:C:\Windows\System32\msiexec.exe
                                  File Type:data
                                  Category:dropped
                                  Size (bytes):512
                                  Entropy (8bit):0.0
                                  Encrypted:false
                                  SSDEEP:3::
                                  MD5:BF619EAC0CDF3F68D496EA9344137E8B
                                  SHA1:5C3EB80066420002BC3DCC7CA4AB6EFAD7ED4AE5
                                  SHA-256:076A27C79E5ACE2A3D47F9DD2E83E4FF6EA8872B3C2218F66C92B89B55F36560
                                  SHA-512:DF40D4A774E0B453A5B87C00D6F0EF5D753143454E88EE5F7B607134598294C7905CCBCF94BBC46E474DB6EB44E56A6DBB6D9A1BE9D4FB5D1B5F2D0C6ED34BFE
                                  Malicious:false
                                  Process:C:\Windows\System32\msiexec.exe
                                  File Type:Composite Document File V2 Document, Cannot read section info
                                  Category:dropped
                                  Size (bytes):20480
                                  Entropy (8bit):1.4276987368832854
                                  Encrypted:false
                                  SSDEEP:48:7R8PhkuRc06WXJcjT5mmbS5trDSIR78sBp:Ihk1/jT4mbeB
                                  MD5:AF7CFBD58349F4B3059E2A8378D22767
                                  SHA1:7278AA1A2B9559EBABBED99452671F7F7C3E97DF
                                  SHA-256:EA1C5443B6FD4FBA504C2FB9E51BE8C9D02C43D2308DC0E6ED62E8322D2870FA
                                  SHA-512:1C2AE6E1491BFF1089D0700765632EA510D93AEF2711DACEA3A75566DD7477C60137AFE8999AEBD14FFBB603C656CDEE8A9A76AAB4783D7AE2883F67AC42B654
                                  Malicious:false
                                  File type:Composite Document File V2 Document, Little Endian, Os: Windows, Version 6.2, MSI Installer, Code page: 1252, Title: Installation Database, Subject: AmneziaWG: Fast, Modern, Secure VPN Tunnel, Author: Amnezia, Keywords: Installer, Comments: This installer database contains the logic and data required to install AmneziaWG., Template: x64;1033, Revision Number: {A2D5D019-9934-4179-80B6-2BC1DC113919}, Create Time/Date: Wed Aug 21 23:07:50 2024, Last Saved Time/Date: Wed Aug 21 23:07:50 2024, Number of Pages: 500, Number of Words: 2, Name of Creating Application: Windows Installer XML Toolset (3.14.1.8722), Security: 4
                                  Entropy (8bit):7.9034206690246025
                                  TrID:
                                  • Microsoft Windows Installer (60509/1) 88.31%
                                  • Generic OLE2 / Multistream Compound File (8008/1) 11.69%
                                  File name:amneziawg-amd64-1.0.0.msi
                                  File size:3'366'912 bytes
                                  MD5:820f2d66357f5c1d986cbc1a41116d31
                                  SHA1:afc5b70d421b55fc6500698d90f1a4b4a030ce11
                                  SHA256:0f1172401ee28d8bfd15ebd4818e64b6001cd38e04d81ab1d096010eba40c9dc
                                  SHA512:953cc34418782304e121213a64e6de3dc1dc67e96acaf3686f40854c42805f0e12dec8e3ef710b5f00ab195bd4bb16ff1e3ae3413872bc846a0ebbde146bfb62
                                  SSDEEP:49152:DUqcXPxspPbZGfz2qKqmOQKsGc28k0aAfCWop2RYmVXbnD2mNoRv:wpXcDMfz2qtmOGGcjdy2OfYo
                                  TLSH:05F501641FC6EFADE24A94BC57907311A0699C684ABB2441FE6774C2E233CD4BB87335
                                  Icon Hash:2d2e3797b32b2b99
                                  No network behavior found

                                  Target ID:0
                                  Start time:09:35:03
                                  Start date:13/10/2024
                                  Path:C:\Windows\System32\msiexec.exe
                                  Wow64 process (32bit):false
                                  Commandline:"C:\Windows\System32\msiexec.exe" /i "C:\Users\user\Desktop\amneziawg-amd64-1.0.0.msi"
                                  Imagebase:0x7ff701830000
                                  File size:69'632 bytes
                                  MD5 hash:E5DA170027542E25EDE42FC54C929077
                                  Has elevated privileges:true
                                  Has administrator privileges:true
                                  Programmed in:C, C++ or other language
                                  Reputation:high
                                  Has exited:true

                                  Target ID:2
                                  Start time:09:35:04
                                  Start date:13/10/2024
                                  Path:C:\Windows\System32\msiexec.exe
                                  Wow64 process (32bit):false
                                  Commandline:C:\Windows\system32\msiexec.exe /V
                                  Imagebase:0x7ff701830000
                                  File size:69'632 bytes
                                  MD5 hash:E5DA170027542E25EDE42FC54C929077
                                  Has elevated privileges:true
                                  Has administrator privileges:true
                                  Programmed in:C, C++ or other language
                                  Reputation:high
                                  Has exited:false

                                  Target ID:3
                                  Start time:09:35:04
                                  Start date:13/10/2024
                                  Path:C:\Windows\System32\msiexec.exe
                                  Wow64 process (32bit):false
                                  Commandline:C:\Windows\System32\MsiExec.exe -Embedding 737408F332C72DA581C627ECA815EDF4
                                  Imagebase:0x7ff701830000
                                  File size:69'632 bytes
                                  MD5 hash:E5DA170027542E25EDE42FC54C929077
                                  Has elevated privileges:true
                                  Has administrator privileges:true
                                  Programmed in:C, C++ or other language
                                  Reputation:high
                                  Has exited:true

                                  Target ID:4
                                  Start time:09:35:06
                                  Start date:13/10/2024
                                  Path:C:\Windows\System32\msiexec.exe
                                  Wow64 process (32bit):false
                                  Commandline:C:\Windows\System32\MsiExec.exe -Embedding 038BD3729F1160F66BF25AB2649B1B39 E Global\MSI0000
                                  Imagebase:0x7ff701830000
                                  File size:69'632 bytes
                                  MD5 hash:E5DA170027542E25EDE42FC54C929077
                                  Has elevated privileges:true
                                  Has administrator privileges:true
                                  Programmed in:C, C++ or other language
                                  Reputation:high
                                  Has exited:true

                                  Target ID:5
                                  Start time:09:35:07
                                  Start date:13/10/2024
                                  Path:C:\Program Files\AmneziaWG\amneziawg.exe
                                  Wow64 process (32bit):false
                                  Commandline:"C:\Program Files\AmneziaWG\amneziawg.exe"
                                  Imagebase:0x120000
                                  File size:8'231'576 bytes
                                  MD5 hash:9C3859EBA6A53E9DF1D885C8147337BD
                                  Has elevated privileges:true
                                  Has administrator privileges:true
                                  Programmed in:Go lang
                                  Yara matches:
                                  • Rule: JoeSecurity_UACBypassusingCMSTP, Description: Yara detected UAC Bypass using CMSTP, Source: 00000005.00000000.2085370840.0000000000412000.00000002.00000001.01000000.00000003.sdmp, Author: Joe Security
                                  • Rule: JoeSecurity_UACBypassusingCMSTP, Description: Yara detected UAC Bypass using CMSTP, Source: 00000005.00000002.2113037984.0000000000412000.00000002.00000001.01000000.00000003.sdmp, Author: Joe Security
                                  • Rule: JoeSecurity_UACBypassusingCMSTP, Description: Yara detected UAC Bypass using CMSTP, Source: C:\Program Files\AmneziaWG\amneziawg.exe, Author: Joe Security
                                  • Rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM, Description: Detects Windows executables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003), Source: C:\Program Files\AmneziaWG\amneziawg.exe, Author: ditekSHen
                                  Antivirus matches:
                                  • Detection: 0%, ReversingLabs
                                  • Detection: 0%, Virustotal, Browse
                                  Reputation:low
                                  Has exited:true

                                  Target ID:6
                                  Start time:09:35:09
                                  Start date:13/10/2024
                                  Path:C:\Program Files\AmneziaWG\amneziawg.exe
                                  Wow64 process (32bit):false
                                  Commandline:"C:\Program Files\AmneziaWG\amneziawg.exe" /installmanagerservice
                                  Imagebase:0x120000
                                  File size:8'231'576 bytes
                                  MD5 hash:9C3859EBA6A53E9DF1D885C8147337BD
                                  Has elevated privileges:true
                                  Has administrator privileges:true
                                  Programmed in:Go lang
                                  Yara matches:
                                  • Rule: JoeSecurity_UACBypassusingCMSTP, Description: Yara detected UAC Bypass using CMSTP, Source: 00000006.00000000.2107191861.0000000000412000.00000002.00000001.01000000.00000003.sdmp, Author: Joe Security
                                  • Rule: JoeSecurity_UACBypassusingCMSTP, Description: Yara detected UAC Bypass using CMSTP, Source: 00000006.00000002.2120585281.0000000000412000.00000002.00000001.01000000.00000003.sdmp, Author: Joe Security
                                  Reputation:low
                                  Has exited:true

                                  Target ID:7
                                  Start time:09:35:10
                                  Start date:13/10/2024
                                  Path:C:\Program Files\AmneziaWG\amneziawg.exe
                                  Wow64 process (32bit):false
                                  Commandline:"C:\Program Files\AmneziaWG\amneziawg.exe" /managerservice
                                  Imagebase:0x120000
                                  File size:8'231'576 bytes
                                  MD5 hash:9C3859EBA6A53E9DF1D885C8147337BD
                                  Has elevated privileges:true
                                  Has administrator privileges:true
                                  Programmed in:Go lang
                                  Yara matches:
                                  • Rule: JoeSecurity_UACBypassusingCMSTP, Description: Yara detected UAC Bypass using CMSTP, Source: 00000007.00000002.3303353863.0000000000412000.00000002.00000001.01000000.00000003.sdmp, Author: Joe Security
                                  • Rule: JoeSecurity_UACBypassusingCMSTP, Description: Yara detected UAC Bypass using CMSTP, Source: 00000007.00000000.2112674274.0000000000412000.00000002.00000001.01000000.00000003.sdmp, Author: Joe Security
                                  Reputation:low
                                  Has exited:false

                                  Target ID:8
                                  Start time:09:35:10
                                  Start date:13/10/2024
                                  Path:C:\Program Files\AmneziaWG\amneziawg.exe
                                  Wow64 process (32bit):false
                                  Commandline:"C:\Program Files\AmneziaWG\amneziawg.exe" /ui 768 764 776 784
                                  Imagebase:0x120000
                                  File size:8'231'576 bytes
                                  MD5 hash:9C3859EBA6A53E9DF1D885C8147337BD
                                  Has elevated privileges:true
                                  Has administrator privileges:true
                                  Programmed in:Go lang
                                  Yara matches:
                                  • Rule: JoeSecurity_UACBypassusingCMSTP, Description: Yara detected UAC Bypass using CMSTP, Source: 00000008.00000002.3303350962.0000000000412000.00000002.00000001.01000000.00000003.sdmp, Author: Joe Security
                                  • Rule: JoeSecurity_UACBypassusingCMSTP, Description: Yara detected UAC Bypass using CMSTP, Source: 00000008.00000000.2115401680.0000000000412000.00000002.00000001.01000000.00000003.sdmp, Author: Joe Security
                                  Reputation:low
                                  Has exited:false

                                    Memory Dump Source
                                    • Source File: 00000005.00000002.2109654361.0000000000121000.00000020.00000001.01000000.00000003.sdmp, Offset: 00120000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_5_2_120000_amneziawg.jbxd
                                    Memory Dump Source
                                    • Source File: 00000006.00000002.2120292627.0000000000121000.00000020.00000001.01000000.00000003.sdmp, Offset: 00120000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_6_2_120000_amneziawg.jbxd
                                    Memory Dump Source
                                    • Source File: 00000008.00000002.3302971222.0000000000121000.00000020.00000001.01000000.00000003.sdmp, Offset: 00120000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_8_2_120000_amneziawg.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: cff9fe2135e67e95bb574443de1d06a8e0b8e89167aa2be6e3a61b8e8eda4513
                                    • Instruction ID: 2b78b1f84ecd2d89a5f21ed1810db49c53e2c72a3cf227b67fb2cc105b431443
                                    • Opcode Fuzzy Hash: cff9fe2135e67e95bb574443de1d06a8e0b8e89167aa2be6e3a61b8e8eda4513
                                    • Instruction Fuzzy Hash: 0931982391CFC482D3219B24F5413AAB364F7A9784F15A715EFC812A1ADF38E2E5CB40
                                    Memory Dump Source
                                    • Source File: 00000008.00000002.3302971222.0000000000121000.00000020.00000001.01000000.00000003.sdmp, Offset: 00120000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_8_2_120000_amneziawg.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: 6e2dc365eeaf7d755159d019c6b8806dfc90132728faab9ca90f57871b6c792b
                                    • Instruction ID: 744121e6742b231ccbee0e060745acec4ba2297e7e8b06128d33ca58f3eb3483
                                    • Opcode Fuzzy Hash: 6e2dc365eeaf7d755159d019c6b8806dfc90132728faab9ca90f57871b6c792b
                                    • Instruction Fuzzy Hash: