Source: awg.exe |
Virustotal: Detection: 12% |
Perma Link |
Source: awg.exe |
Static PE information: certificate valid |
Source: awg.exe |
Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE |
Source: C:\Users\user\Desktop\awg.exe |
Code function: 0_2_00007FF73D404C30 SetupDiGetClassDevsExW,SetupDiEnumDeviceInfo,GetLastError,GetLastError,SetupDiEnumDeviceInfo,WideCharToMultiByte,malloc,WideCharToMultiByte,strlen,free,realloc,memcpy,_errno,free,SetupDiEnumDeviceInfo,GetLastError,calloc,free,SetupDiDestroyDeviceInfoList,FindFirstFileA,memcpy,FindNextFileA,memcmp,strlen,realloc,_errno,_errno,_errno,_errno,_errno,FindClose,_errno,_errno,_errno,free, |
0_2_00007FF73D404C30 |
Source: C:\Users\user\Desktop\awg.exe |
Code function: 0_2_00007FF73D406500 FindFirstFileA,FindNextFileA,strcmp,FindNextFileA,FindClose,strcmp, |
0_2_00007FF73D406500 |
Source: awg.exe |
String found in binary or memory: http://crl.comodoca.com/AAACertificateServices.crl04 |
Source: awg.exe |
String found in binary or memory: http://crl.sectigo.com/SectigoPublicCodeSigningCAR36.crl0y |
Source: awg.exe |
String found in binary or memory: http://crl.sectigo.com/SectigoPublicCodeSigningRootR46.crl0 |
Source: awg.exe |
String found in binary or memory: http://crl.sectigo.com/SectigoPublicTimeStampingCAR36.crl0z |
Source: awg.exe |
String found in binary or memory: http://crl.sectigo.com/SectigoPublicTimeStampingRootR46.crl0 |
Source: awg.exe |
String found in binary or memory: http://crt.sectigo.com/SectigoPublicCodeSigningCAR36.crt0# |
Source: awg.exe |
String found in binary or memory: http://crt.sectigo.com/SectigoPublicCodeSigningRootR46.p7c0# |
Source: awg.exe |
String found in binary or memory: http://crt.sectigo.com/SectigoPublicTimeStampingCAR36.crt0# |
Source: awg.exe |
String found in binary or memory: http://crt.sectigo.com/SectigoPublicTimeStampingRootR46.p7c0# |
Source: awg.exe |
String found in binary or memory: http://ocsp.comodoca.com0 |
Source: awg.exe |
String found in binary or memory: http://ocsp.sectigo.com0 |
Source: awg.exe |
String found in binary or memory: https://git.zx2c4.com/wireguard-tools/ |
Source: awg.exe |
String found in binary or memory: https://sectigo.com/CPS0 |
Source: awg.exe |
String found in binary or memory: https://www.wireguard.com/D |
Source: C:\Users\user\Desktop\awg.exe |
Code function: 0_2_00007FF73D406C50: fwrite,fwrite,strchr,fwrite,fputc,fflush,strlen,strchr,strcmp,strtoll,_errno,_errno,_errno,_errno,_errno,calloc,free,fclose,_errno,fwrite,DeviceIoControl,_errno,_errno,free,CloseHandle, |
0_2_00007FF73D406C50 |
Source: C:\Users\user\Desktop\awg.exe |
Code function: 0_2_00007FF73D404C30 |
0_2_00007FF73D404C30 |
Source: C:\Users\user\Desktop\awg.exe |
Code function: 0_2_00007FF73D406C50 |
0_2_00007FF73D406C50 |
Source: C:\Users\user\Desktop\awg.exe |
Code function: 0_2_00007FF73D402710 |
0_2_00007FF73D402710 |
Source: C:\Users\user\Desktop\awg.exe |
Code function: 0_2_00007FF73D4052A0 |
0_2_00007FF73D4052A0 |
Source: C:\Users\user\Desktop\awg.exe |
Code function: 0_2_00007FF73D3F511B |
0_2_00007FF73D3F511B |
Source: C:\Users\user\Desktop\awg.exe |
Code function: 0_2_00007FF73D406750 |
0_2_00007FF73D406750 |
Source: C:\Users\user\Desktop\awg.exe |
Code function: 0_2_00007FF73D4047B0 |
0_2_00007FF73D4047B0 |
Source: C:\Users\user\Desktop\awg.exe |
Code function: 0_2_00007FF73D4029D0 |
0_2_00007FF73D4029D0 |
Source: C:\Users\user\Desktop\awg.exe |
Code function: String function: 00007FF73D40C760 appears 47 times |
|
Source: awg.exe, 00000000.00000000.1747520957.00007FF73D41C000.00000002.00000001.01000000.00000003.sdmp |
Binary or memory string: OriginalFilenamewg.exe4 vs awg.exe |
Source: awg.exe |
Binary or memory string: OriginalFilenamewg.exe4 vs awg.exe |
Source: classification engine |
Classification label: mal48.winEXE@2/0@0/0 |
Source: C:\Windows\System32\conhost.exe |
Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4040:120:WilError_03 |
Source: awg.exe |
Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ |
Source: C:\Users\user\Desktop\awg.exe |
Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers |
Jump to behavior |
Source: awg.exe |
Virustotal: Detection: 12% |
Source: awg.exe |
String found in binary or memory: You may pass `--help' to any of these subcommands to view usage. |
Source: awg.exe |
String found in binary or memory: You may pass `--help' to any of these subcommands to view usage. |
Source: awg.exe |
String found in binary or memory: --help |
Source: awg.exe |
String found in binary or memory: --help |
Source: awg.exe |
String found in binary or memory: You may pass `--help' to any of these subcommands to view usage. |
Source: awg.exe |
String found in binary or memory: You may pass `--help' to any of these subcommands to view usage. |
Source: awg.exe |
String found in binary or memory: You may pass `--help' to any of these subcommands to view usage. |
Source: awg.exe |
String found in binary or memory: You may pass `--help' to any of these subcommands to view usage. |
Source: awg.exe |
String found in binary or memory: --help |
Source: awg.exe |
String found in binary or memory: --help |
Source: awg.exe |
String found in binary or memory: interfaces%s%c-h--helphelpUsage: %s %s { <interface> | all | interfaces } [public-key | private-key | listen-port | fwmark | peers | preshared-keys | endpoints | allowed-ips | latest-handshakes | transfer | persistent-keepalive | dump] |
Source: awg.exe |
String found in binary or memory: interfaces%s%c-h--helphelpUsage: %s %s { <interface> | all | interfaces } [public-key | private-key | listen-port | fwmark | peers | preshared-keys | endpoints | allowed-ips | latest-handshakes | transfer | persistent-keepalive | dump] |
Source: unknown |
Process created: C:\Users\user\Desktop\awg.exe "C:\Users\user\Desktop\awg.exe" |
Source: C:\Users\user\Desktop\awg.exe |
Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 |
Source: C:\Users\user\Desktop\awg.exe |
Section loaded: devobj.dll |
Jump to behavior |
Source: C:\Users\user\Desktop\awg.exe |
Section loaded: msasn1.dll |
Jump to behavior |
Source: C:\Users\user\Desktop\awg.exe |
Section loaded: kernel.appcore.dll |
Jump to behavior |
Source: awg.exe |
Static PE information: certificate valid |
Source: awg.exe |
Static PE information: Image base 0x140000000 > 0x60000000 |
Source: awg.exe |
Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE |
Source: awg.exe |
Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata |
Source: awg.exe |
Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc |
Source: awg.exe |
Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc |
Source: awg.exe |
Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata |
Source: awg.exe |
Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata |
Source: awg.exe |
Static PE information: section name: .00cfg |
Source: C:\Users\user\Desktop\awg.exe |
API coverage: 5.2 % |
Source: all processes |
Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected |
Source: C:\Users\user\Desktop\awg.exe |
Code function: 0_2_00007FF73D404C30 SetupDiGetClassDevsExW,SetupDiEnumDeviceInfo,GetLastError,GetLastError,SetupDiEnumDeviceInfo,WideCharToMultiByte,malloc,WideCharToMultiByte,strlen,free,realloc,memcpy,_errno,free,SetupDiEnumDeviceInfo,GetLastError,calloc,free,SetupDiDestroyDeviceInfoList,FindFirstFileA,memcpy,FindNextFileA,memcmp,strlen,realloc,_errno,_errno,_errno,_errno,_errno,FindClose,_errno,_errno,_errno,free, |
0_2_00007FF73D404C30 |
Source: C:\Users\user\Desktop\awg.exe |
Code function: 0_2_00007FF73D406500 FindFirstFileA,FindNextFileA,strcmp,FindNextFileA,FindClose,strcmp, |
0_2_00007FF73D406500 |
Source: awg.exe, 00000000.00000003.1748799407.000002B0ADB9D000.00000004.00000020.00020000.00000000.sdmp |
Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll. |
Source: all processes |
Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected |
Source: C:\Users\user\Desktop\awg.exe |
Code function: 0_2_00007FF73D3F1160 Sleep,Sleep,_initterm,SetUnhandledExceptionFilter,_set_invalid_parameter_handler,malloc,strlen,malloc,memcpy,_cexit, |
0_2_00007FF73D3F1160 |