Source: Yara match |
File source: amneziawg.exe, type: SAMPLE |
Source: Yara match |
File source: 2.2.amneziawg.exe.980000.0.unpack, type: UNPACKEDPE |
Source: Yara match |
File source: 0.0.amneziawg.exe.980000.0.unpack, type: UNPACKEDPE |
Source: Yara match |
File source: 4.2.amneziawg.exe.980000.0.unpack, type: UNPACKEDPE |
Source: Yara match |
File source: 2.0.amneziawg.exe.980000.0.unpack, type: UNPACKEDPE |
Source: Yara match |
File source: 0.2.amneziawg.exe.980000.0.unpack, type: UNPACKEDPE |
Source: Yara match |
File source: 1.0.amneziawg.exe.980000.0.unpack, type: UNPACKEDPE |
Source: Yara match |
File source: 4.0.amneziawg.exe.980000.0.unpack, type: UNPACKEDPE |
Source: Yara match |
File source: 1.2.amneziawg.exe.980000.0.unpack, type: UNPACKEDPE |
Source: Yara match |
File source: 00000004.00000002.3370356203.0000000000C72000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY |
Source: Yara match |
File source: 00000002.00000000.2118774849.0000000000C72000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY |
Source: Yara match |
File source: 00000001.00000000.2117248766.0000000000C72000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY |
Source: Yara match |
File source: 00000001.00000002.2125608494.0000000000C72000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY |
Source: Yara match |
File source: 00000000.00000002.2118135735.0000000000C72000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY |
Source: Yara match |
File source: 00000000.00000000.2114585117.0000000000C72000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY |
Source: Yara match |
File source: 00000002.00000002.3370357272.0000000000C72000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY |
Source: Yara match |
File source: 00000004.00000000.2120858143.0000000000C72000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY |
Source: Yara match |
File source: Process Memory Space: amneziawg.exe PID: 2700, type: MEMORYSTR |
Source: Yara match |
File source: Process Memory Space: amneziawg.exe PID: 3340, type: MEMORYSTR |
Source: Yara match |
File source: Process Memory Space: amneziawg.exe PID: 7156, type: MEMORYSTR |
Source: Yara match |
File source: Process Memory Space: amneziawg.exe PID: 3176, type: MEMORYSTR |
Source: C:\Users\user\Desktop\amneziawg.exe |
Directory created: C:\Program Files\AmneziaWG |
Source: C:\Users\user\Desktop\amneziawg.exe |
Directory created: C:\Program Files\AmneziaWG\Data |
Source: C:\Users\user\Desktop\amneziawg.exe |
Directory created: C:\Program Files\AmneziaWG\Data\log.bin |
Source: C:\Users\user\Desktop\amneziawg.exe |
Directory created: C:\Program Files\AmneziaWG\Data\Configurations |
Source: amneziawg.exe |
Static PE information: certificate valid |
Source: amneziawg.exe |
Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE |
Source: amneziawg.exe |
String found in binary or memory: http://crl.comodoca.com/AAACertificateServices.crl04 |
Source: amneziawg.exe |
String found in binary or memory: http://crl.sectigo.com/SectigoPublicCodeSigningCAR36.crl0y |
Source: amneziawg.exe |
String found in binary or memory: http://crl.sectigo.com/SectigoPublicCodeSigningRootR46.crl0 |
Source: amneziawg.exe |
String found in binary or memory: http://crl.sectigo.com/SectigoPublicTimeStampingCAR36.crl0z |
Source: amneziawg.exe |
String found in binary or memory: http://crl.sectigo.com/SectigoPublicTimeStampingRootR46.crl0 |
Source: amneziawg.exe |
String found in binary or memory: http://crt.sectigo.com/SectigoPublicCodeSigningCAR36.crt0# |
Source: amneziawg.exe |
String found in binary or memory: http://crt.sectigo.com/SectigoPublicCodeSigningRootR46.p7c0# |
Source: amneziawg.exe |
String found in binary or memory: http://crt.sectigo.com/SectigoPublicTimeStampingCAR36.crt0# |
Source: amneziawg.exe |
String found in binary or memory: http://crt.sectigo.com/SectigoPublicTimeStampingRootR46.p7c0# |
Source: amneziawg.exe |
String found in binary or memory: http://ocsp.comodoca.com0 |
Source: amneziawg.exe |
String found in binary or memory: http://ocsp.sectigo.com0 |
Source: amneziawg.exe |
String found in binary or memory: https://amnezia.org/D |
Source: amneziawg.exe |
String found in binary or memory: https://amnezia.org/wireguard-log-%s.txtTaskbarButtonCreatedreflect.Value.IsZeroreflect.Value.SetInt |
Source: amneziawg.exe, 00000000.00000002.2120077035.000000C0000E2000.00000004.00001000.00020000.00000000.sdmp |
String found in binary or memory: https://sectigo.com/CPS |
Source: amneziawg.exe |
String found in binary or memory: https://sectigo.com/CPS0 |
Source: amneziawg.exe, 00000000.00000002.2120077035.000000C0000E2000.00000004.00001000.00020000.00000000.sdmp |
String found in binary or memory: https://sectigo.com/CPS2.23.140.1.4.1 |
Source: amneziawg.exe, type: SAMPLE |
Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen |
Source: 2.2.amneziawg.exe.980000.0.unpack, type: UNPACKEDPE |
Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen |
Source: 0.0.amneziawg.exe.980000.0.unpack, type: UNPACKEDPE |
Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen |
Source: 4.2.amneziawg.exe.980000.0.unpack, type: UNPACKEDPE |
Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen |
Source: 2.0.amneziawg.exe.980000.0.unpack, type: UNPACKEDPE |
Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen |
Source: 0.2.amneziawg.exe.980000.0.unpack, type: UNPACKEDPE |
Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen |
Source: 1.0.amneziawg.exe.980000.0.unpack, type: UNPACKEDPE |
Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen |
Source: 4.0.amneziawg.exe.980000.0.unpack, type: UNPACKEDPE |
Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen |
Source: 1.2.amneziawg.exe.980000.0.unpack, type: UNPACKEDPE |
Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen |
Source: amneziawg.exe, type: SAMPLE |
Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) |
Source: 2.2.amneziawg.exe.980000.0.unpack, type: UNPACKEDPE |
Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) |
Source: 0.0.amneziawg.exe.980000.0.unpack, type: UNPACKEDPE |
Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) |
Source: 4.2.amneziawg.exe.980000.0.unpack, type: UNPACKEDPE |
Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) |
Source: 2.0.amneziawg.exe.980000.0.unpack, type: UNPACKEDPE |
Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) |
Source: 0.2.amneziawg.exe.980000.0.unpack, type: UNPACKEDPE |
Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) |
Source: 1.0.amneziawg.exe.980000.0.unpack, type: UNPACKEDPE |
Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) |
Source: 4.0.amneziawg.exe.980000.0.unpack, type: UNPACKEDPE |
Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) |
Source: 1.2.amneziawg.exe.980000.0.unpack, type: UNPACKEDPE |
Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) |
Source: classification engine |
Classification label: mal56.expl.winEXE@6/1@0/0 |
Source: C:\Users\user\Desktop\amneziawg.exe |
File created: C:\Program Files\AmneziaWG |
Source: amneziawg.exe |
Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ |
Source: C:\Users\user\Desktop\amneziawg.exe |
File read: C:\Users\user\Desktop\desktop.ini |
Source: C:\Users\user\Desktop\amneziawg.exe |
Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers |