Windows Analysis Report
amneziawg.exe

Overview

General Information

Sample name: amneziawg.exe
Analysis ID: 1532546
MD5: 9c3859eba6a53e9df1d885c8147337bd
SHA1: 2adb6cc21f9973f1aa7a083fe86c4b88a9a5f58c
SHA256: ba23f928c64cca759bbf6f1f8318300ea384662f8b0c40bf22eb059beefc37af
Tags: exe, user-Bacn

Detection

Score: 56
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Malicious sample detected (through community Yara rule)
Yara detected UAC Bypass using CMSTP
Creates a process in suspended mode (likely to inject code)
Installs a raw input device (often for capturing keystrokes)
PE file contains sections with non-standard names
Queries the volume information (name, serial number etc) of a device
Yara signature match

Classification

Exploits

Everything in this category is a Yara match; no exploit code or exploitation behaviour was observed. The rule that fires (INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM, MITRE T1218.003) matches in every process image and memory dump below. The same section records a valid code-signing certificate, Sectigo CRL/OCSP URLs, amnezia.org strings and Go module paths for amnezia-vpn/amneziawg-windows-client, including elevate/loader.go. That client is derived from wireguard-windows, whose elevate package uses the CMSTPLUA COM interface to relaunch itself with administrator rights when the invoking user is already an administrator, and that interface is what the rule looks for. A match here is therefore a prompt to verify the hashes above and the Authenticode signature against the vendor release, not on its own evidence of a UAC bypass by malware.

Source: Yara match File source: amneziawg.exe, type: SAMPLE
Source: Yara match File source: 2.2.amneziawg.exe.980000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.0.amneziawg.exe.980000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.2.amneziawg.exe.980000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.0.amneziawg.exe.980000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.amneziawg.exe.980000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.0.amneziawg.exe.980000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.0.amneziawg.exe.980000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.2.amneziawg.exe.980000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000004.00000002.3370356203.0000000000C72000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000000.2118774849.0000000000C72000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000000.2117248766.0000000000C72000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000002.2125608494.0000000000C72000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.2118135735.0000000000C72000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000000.2114585117.0000000000C72000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000002.3370357272.0000000000C72000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000000.2120858143.0000000000C72000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: amneziawg.exe PID: 2700, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: amneziawg.exe PID: 3340, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: amneziawg.exe PID: 7156, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: amneziawg.exe PID: 3176, type: MEMORYSTR
Source: C:\Users\user\Desktop\amneziawg.exe Directory created: C:\Program Files\AmneziaWG
Source: C:\Users\user\Desktop\amneziawg.exe Directory created: C:\Program Files\AmneziaWG\Data
Source: C:\Users\user\Desktop\amneziawg.exe Directory created: C:\Program Files\AmneziaWG\Data\log.bin
Source: C:\Users\user\Desktop\amneziawg.exe Directory created: C:\Program Files\AmneziaWG\Data\Configurations
Source: amneziawg.exe Static PE information: certificate valid
Source: amneziawg.exe Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Source: amneziawg.exe String found in binary or memory: http://crl.comodoca.com/AAACertificateServices.crl04
Source: amneziawg.exe String found in binary or memory: http://crl.sectigo.com/SectigoPublicCodeSigningCAR36.crl0y
Source: amneziawg.exe String found in binary or memory: http://crl.sectigo.com/SectigoPublicCodeSigningRootR46.crl0
Source: amneziawg.exe String found in binary or memory: http://crl.sectigo.com/SectigoPublicTimeStampingCAR36.crl0z
Source: amneziawg.exe String found in binary or memory: http://crl.sectigo.com/SectigoPublicTimeStampingRootR46.crl0
Source: amneziawg.exe String found in binary or memory: http://crt.sectigo.com/SectigoPublicCodeSigningCAR36.crt0#
Source: amneziawg.exe String found in binary or memory: http://crt.sectigo.com/SectigoPublicCodeSigningRootR46.p7c0#
Source: amneziawg.exe String found in binary or memory: http://crt.sectigo.com/SectigoPublicTimeStampingCAR36.crt0#
Source: amneziawg.exe String found in binary or memory: http://crt.sectigo.com/SectigoPublicTimeStampingRootR46.p7c0#
Source: amneziawg.exe String found in binary or memory: http://ocsp.comodoca.com0
Source: amneziawg.exe String found in binary or memory: http://ocsp.sectigo.com0
Source: amneziawg.exe String found in binary or memory: https://amnezia.org/D
Source: amneziawg.exe String found in binary or memory: https://amnezia.org/wireguard-log-%s.txtTaskbarButtonCreatedreflect.Value.IsZeroreflect.Value.SetInt
Source: amneziawg.exe, 00000000.00000002.2120077035.000000C0000E2000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://sectigo.com/CPS
Source: amneziawg.exe String found in binary or memory: https://sectigo.com/CPS0
Source: amneziawg.exe, 00000000.00000002.2120077035.000000C0000E2000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://sectigo.com/CPS2.23.140.1.4.1
Source: amneziawg.exe, 00000000.00000002.2118135735.0000000000C72000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: FwpmEngineOpen0FwpmFreeMemory0handshakeZeroedGetModuleHandleclientCompositeSetActiveWindowwidget requiredCreatePopupMenuSysTabControl32ToolbarWindow32RegisterClassExExcludeClipRectGetEnhMetaFileWGetTextMetricsWPlayEnhMetaFileNotTrueTypeFontProfileNotFoundGdiplusShutdownGetThreadLocaleOleUninitializewglGetCurrentDCDragAcceptFilesCallWindowProcWCreateWindowExWDialogBoxParamWGetActiveWindowGetDpiForWindowGetMonitorInfoWGetRawInputDataInsertMenuItemWIsWindowEnabledPostQuitMessageSetWinEventHookTrackMouseEventWindowFromPointDrawThemeTextExzipinsecurepathjstmpllitinterptarinsecurepathx509usepoliciesinvalid pointerWintunSetLoggeravx512vpopcntdq&Save to file memstr_8f1681dd-b

System Summary

Source: amneziawg.exe, type: SAMPLE Matched rule: Detects Windows executables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 2.2.amneziawg.exe.980000.0.unpack, type: UNPACKEDPE Matched rule: Detects Windows executables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 0.0.amneziawg.exe.980000.0.unpack, type: UNPACKEDPE Matched rule: Detects Windows executables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 4.2.amneziawg.exe.980000.0.unpack, type: UNPACKEDPE Matched rule: Detects Windows executables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 2.0.amneziawg.exe.980000.0.unpack, type: UNPACKEDPE Matched rule: Detects Windows executables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 0.2.amneziawg.exe.980000.0.unpack, type: UNPACKEDPE Matched rule: Detects Windows executables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 1.0.amneziawg.exe.980000.0.unpack, type: UNPACKEDPE Matched rule: Detects Windows executables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 4.0.amneziawg.exe.980000.0.unpack, type: UNPACKEDPE Matched rule: Detects Windows executables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 1.2.amneziawg.exe.980000.0.unpack, type: UNPACKEDPE Matched rule: Detects Windows executables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: amneziawg.exe, type: SAMPLE Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows executables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 2.2.amneziawg.exe.980000.0.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows executables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 0.0.amneziawg.exe.980000.0.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows executables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 4.2.amneziawg.exe.980000.0.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows executables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 2.0.amneziawg.exe.980000.0.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows executables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 0.2.amneziawg.exe.980000.0.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows executables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 1.0.amneziawg.exe.980000.0.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows executables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 4.0.amneziawg.exe.980000.0.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows executables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 1.2.amneziawg.exe.980000.0.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows executables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
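Added example (not part of the report and not code from the AmneziaWG project): a small Python triage script that reproduces the two facts a practitioner would want to confirm locally before acting on the score. It checks a file's MD5/SHA1/SHA256 against the values stated in this report and scans the bytes for the strings a CMSTP COM elevation rule keys on, in both ASCII and UTF-16LE (Yara's "ascii wide"). The indicator strings (the COM elevation moniker prefix, the CMSTPLUA CLSID and the ICMLuaUtil interface name) are an assumption: the report names the rule but does not print its strings. The embedded byte string is constructed for the example, so running it without an argument exercises the scanner but, as expected, matches none of the report hashes.

```python
import hashlib
import json
import sys

# Hashes exactly as stated in this report for amneziawg.exe (Analysis ID 1532546).
REPORT_HASHES = {
    "md5": "9c3859eba6a53e9df1d885c8147337bd",
    "sha1": "2adb6cc21f9973f1aa7a083fe86c4b88a9a5f58c",
    "sha256": "ba23f928c64cca759bbf6f1f8318300ea384662f8b0c40bf22eb059beefc37af",
}

# Strings a CMSTP-COM elevation rule typically looks for. ASSUMPTION: the report
# names INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM but does not list its strings.
CMSTP_INDICATORS = [
    "Elevation:Administrator!new:",           # COM elevation moniker prefix
    "3E5FC7F9-9A51-4367-9063-A120244FBEC7",   # CLSID of CMSTPLUA
    "ICMLuaUtil",                             # interface used to launch elevated
]


def hash_file_bytes(data: bytes) -> dict:
    """Digest the file with the three algorithms the report lists."""
    return {
        "md5": hashlib.md5(data).hexdigest(),
        "sha1": hashlib.sha1(data).hexdigest(),
        "sha256": hashlib.sha256(data).hexdigest(),
    }


def hashes_match_report(data: bytes, expected: dict = REPORT_HASHES) -> dict:
    """Per-algorithm True/False: does the local file equal the analysed sample?"""
    actual = hash_file_bytes(data)
    return {algo: actual[algo] == expected[algo].lower() for algo in expected}


def find_cmstp_indicators(data: bytes, indicators=CMSTP_INDICATORS) -> list:
    """Case-insensitive search for each indicator as ASCII and as UTF-16LE.

    bytes.lower() only folds ASCII letters, so the NUL bytes of UTF-16LE text
    survive and the wide needle still lines up. Returns (indicator, encoding, offset).
    """
    hay = data.lower()
    hits = []
    for ind in indicators:
        for enc_name, codec in (("ascii", "ascii"), ("utf-16le", "utf-16-le")):
            needle = ind.lower().encode(codec)
            start = 0
            while True:
                pos = hay.find(needle, start)
                if pos < 0:
                    break
                hits.append((ind, enc_name, pos))
                start = pos + 1
    return hits


def triage(data: bytes) -> dict:
    """Summarise hash agreement with the report and which rule strings are present."""
    hits = find_cmstp_indicators(data)
    return {
        "hashes_match_report": hashes_match_report(data),
        "cmstp_indicator_count": len(hits),
        "cmstp_indicators": sorted({h[0] for h in hits}),
        "next_step": (
            "rule strings present: verify Authenticode signature and vendor release"
            if hits else "no CMSTP COM indicator strings found"
        ),
    }


# CONSTRUCTED stand-in for a binary (not the real sample): a Go-style string table
# with the moniker and CLSID in ASCII and the interface name stored as UTF-16LE.
SAMPLE = (
    b"MZ\x90\x00" + b"\x00" * 60
    + b"Elevation:Administrator!new:{3E5FC7F9-9A51-4367-9063-A120244FBEC7}"
    + b"\x00" * 8
    + "ICMLuaUtil".encode("utf-16-le")
    + b"\x00github.com/amnezia-vpn/amneziawg-windows-client/elevate/loader.go\x00"
)

if __name__ == "__main__":
    blob = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE
    print(json.dumps(triage(blob), indent=2))
```

Run it as `python triage.py amneziawg.exe` against the downloaded file; all three hash flags must be True before any of the report's behavioural findings can be attributed to that file.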
Source: classification engine Classification label: mal56.expl.winEXE@6/1@0/0
Source: C:\Users\user\Desktop\amneziawg.exe File created: C:\Program Files\AmneziaWG
Source: C:\Users\user\Desktop\amneziawg.exe File opened: C:\Windows\system32\54d556396c49db0a849f394780942514ba738478999859b49a72fe90147340d7AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA Jump to behavior
Source: C:\Users\user\Desktop\amneziawg.exe File opened: C:\Windows\system32\c84f4d8d6396fed1d59d385764634dd02067f628821080447a8dc9cfdbd3e9e5AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA Jump to behavior
Source: amneziawg.exe Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\amneziawg.exe File read: C:\Users\user\Desktop\desktop.ini
Source: C:\Users\user\Desktop\amneziawg.exe Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: amneziawg.exe String found in binary or memory: pacer: assist ratio=workbuf is not emptybad use of bucket.mpbad use of bucket.bpruntime: double waitws2_32.dll not foundpreempt off reason: forcegc: phase errorgopark: bad g statusgo of nil func valueselectgo: bad wakeupsemaRoot rotateRightreflect.makeFuncStubdodeltimer0: wrong Ptrace: out of memorywirep: already in goGetProcessMemoryInfobcryptprimitives.dllinvalid request codebad font file formatis a named type filekey has been revokedconnection timed outEgyptian_HieroglyphsMeroitic_Hieroglyphsinvalid DNS responsegetadaptersaddressesunexpected network: bind is already openadding existing peerother UAPI error: %wextra data in bufferbitmap cannot be nilSetBrushOrgEx failedparent cannot be nilmin must be positiveInitCommonControlsExCommDlgExtendedErrorAddFontMemResourceExGetEnhMetaFileHeaderPropertyNotSupportedUnknown Status ValueFileTimeToSystemTimeSystemTimeToFileTimewglGetCurrentContextSHGetPathFromIDListWflate: closed writerhttplaxcontentlengthx509usefallbackrootsmissing IPv6 addressunexpected characterWintunGetAdapterLUIDexpression too largeinvalid repeat countAmneziaWG DeactivatedBind close failed: %vExport tunnels to zipInvalid endpoint hostKey must have a valuePersistent keepalive:Tunnel already existsUAPI: Updating fwmark/installtunnelserviceunsupported operationreflect.Value.Complex186264514923095703125931322574615478515625Morocco Standard TimeNamibia Standard TimeAlaskan Standard TimeCentral Standard TimePacific Standard TimeEastern Standard TimeSE Asia Standard TimeArabian Standard TimeMagadan Standard TimeMyanmar Standard TimeYakutsk Standard TimeBelarus Standard TimeRussian Standard TimeRomance Standard TimeSaratov Standard TimeNorfolk Standard Timetrace/breakpoint trapuser defined signal 1user defined signal 
2CM_Get_DevNode_StatusAdjustTokenPrivilegesChangeServiceConfig2WDeregisterEventSourceEnumServicesStatusExWGetNamedSecurityInfoWLookupPrivilegeValueWSetNamedSecurityInfoWDwmGetWindowAttributeDwmSetWindowAttributeGetVolumeInformationWReadDirectoryChangesWNetGetJoinInformationNtCreateNamedPipeFileSetupDiEnumDeviceInfoSetupUninstallOEMInfWWSALookupServiceNextWWTSEnumerateSessionsWSeLoadDriverPrivilegebad type in compare: of unexported methodunexpected value stepreflect.Value.SetZeroreflect.Value.Pointerreflect.Value.SetUintnegative shift amountconcurrent map writes/gc/heap/allocs:bytesruntime: work.nwait= previous allocCount=, levelBits[level] = runtime: searchIdx = defer on system stackpanic on system stackasync stack too largestartm: m is spinningstartlockedm: m has pfindrunnable: wrong ppreempt at unknown pcreleasep: invalid argcheckdead: runnable gruntime: newstack at runtime: newstack sp=runtime: confused by pcHeader.textStart= timer data corruptionNetUserGetLocalGroupsGetProfilesDirectoryWlink has been severedpackage not installedblock device requiredstate not recoverableread-only file systemstale NFS file handleAnatolian_HieroglyphsInscriptional_Pahlavilocalhost.localdomaininitPacketMagicHeaderFwpmTransactionAbort0FwpmTrans
Source: amneziawg.exe String found in binary or memory: Interface up requested[EnumerationSeparator]/installmanagerservicereflectlite.Value.Type0123456789aAbBcCdDeEfFexpected quoted string4656612873077392578125Sao Tome Standard TimeAleutian Standard TimeParaguay Standard TimeMountain Standard TimeAtlantic Standard TimePakistan Standard TimeSakhalin Standard TimeGeorgian Standard TimeCaucasus Standard TimeTasmania Standard TimeDateline Standard TimeHawaiian Standard TimeConvertSidToStringSidWConvertStringSidToSidWEnumDependentServicesWCreateIoCompletionPortGetEnvironmentStringsWGetTimeZoneInformationWaitForMultipleObjectsNtSetSystemInformationRtlDeleteFunctionTableRtlGetNtVersionNumbersSetupDiEnumDriverInfoWSetupDiGetClassDevsExWCreateEnvironmentBlockWSAGetOverlappedResultWSALookupServiceBeginWAMNEZIAWG_TUNNEL_NAME=Session has logged outreflectlite.Value.Elemunexpected method stepreflect.Value.MapIndexreflect.Value.SetFloatinteger divide by zeroCountPagesInUse (test)ReadMetricsSlow (test)trace reader (blocked)trace goroutine statussend on closed channelcall not at safe pointgetenv before env initinterface conversion: freeIndex is not validoldoverflow is not nils.freeindex > s.nelemsbad sweepgen in refillspan has no free space/gc/scan/globals:bytes/gc/heap/frees:objectsruntime: work.nwait = runtime:scanstack: gp=scanstack - bad statusheadTailIndex overflowruntime.main not on m0set_crosscall2 missingbad g->status in readywirep: invalid p stateassembly checks failedstack not a power of 2minpc or maxpc invalidcompileCallback: type non-Go function at pc=RtlLookupFunctionEntryargument list too longaddress already in usenetwork is unreachablecannot allocate memoryprotocol not availableprotocol not supportedremote address changedInscriptional_ParthianNyiakeng_Puachue_Hmong%SystemRoot%\system32\.localhost.localdomainmissing ']' in addressinvalid address familyoperation was canceledresponsePacketJunkSizeFwpmTransactionCommit0CancelMibChangeNotify2invalid message lengthslice 
length too largeunsupported image typebuffered BitBlt failedCreateWindowEx(BUTTON)SetMenuItemInfo failedPlayEnhMetaFile failedcreating static failedWireGuard UI - TabPageCreateCompatibleBitmapwglRealizeLayerPaletteGetSystemMetricsForDpiRegisterWindowMessageWzip: file closed twicecatmsg: illegal varintunexpected length codeIPv4 address too shortmultiple :: in addressskipping Question Nameskipping Question TypeWintunGetReadWaitEventerror parsing regexp: Error Exiting WireGuardUnable to create tunnelUnable to delete tunnel/uninstalltunnelservicereflectlite.Value.IsNil<invalid reflect.Value>0123456789aAbBcCdDeEfF_23283064365386962890625E. Africa Standard TimeTocantins Standard TimeArgentina Standard TimeVenezuela Standard TimeGreenland Standard TimeSri Lanka Standard TimeWest Bank Standard TimeQyzylorda Standard TimeSingapore Standard TimeWest Asia Standard TimeGreenwich Standard TimeLord Howe Standard TimeAstrakhan Standard TimeW. Europe Standard TimeE. Europe Standard TimeVolgograd Standard TimeMauritius Standard TimeMarquesas Standard Time" no
Source: amneziawg.exe String found in binary or memory: " not supported for cpu option "unexpected character, want colonchacha20: invalid buffer overlap%v - Failed to derive keypair: %v%v - Sending handshake initiation%v - UAPI: Updating preshared keyFailed to create cookie reply: %vFailed to decode response messageInvalid key for interface sectionReceived packet with invalid mac1Receiving cookie response from %sThe %s tunnel has been activated.UAPI: Using default response typeno configuration files were found/installtunnelservice CONFIG_PATH142108547152020037174224853515625710542735760100185871124267578125CryptAcquireCertificatePrivateKeyGetVolumeNameForVolumeMountPointWInitializeProcThreadAttributeListSetupDiGetDeviceRegistryPropertyWSetupDiSetDeviceRegistryPropertyWSCGQUUSGSCOMPRKCYMSPMSRBATFMYTATNbytes.Buffer.Grow: negative countreflect: slice index out of range of method on nil interface valuereflect: Field index out of rangereflect: array index out of rangesync: RUnlock of unlocked RWMutexslice bounds out of range [%x:%y]base outside usable address spaceruntime: memory allocated by OS [misrounded allocation in sysAllocconcurrent map read and map writeruntime: failed to decommit pages/cpu/classes/gc/pause:cpu-seconds/cpu/classes/gc/total:cpu-seconds/gc/limiter/last-enabled:gc-cycle/memory/classes/heap/stacks:bytes/memory/classes/heap/unused:bytes/sched/pauses/stopping/gc:seconds/sched/pauses/total/other:secondsmin must be a non-zero power of 2runtime: failed mSpanList.insert runtime: castogscanstatus oldval=stoplockedm: inconsistent lockingfindrunnable: negative nmspinningfreeing stack not in a stack spanstackalloc not on scheduler stackruntime: goroutine stack exceeds runtime: text offset out of rangetimer period must be non-negativeruntime: name offset out of rangeruntime: type offset out of rangeskip everything and stop the walktoo many levels of symbolic linkswaiting for unsupported file typego package net: confVal.netCgo = Data directory is actually a 
filepersistent_keepalive_interval=%d
Source: amneziawg.exe String found in binary or memory: Permit inbound on loopback (IPv4)Permit inbound on loopback (IPv6)Error converting luid to guid: %wUnable to create Wintun interfacehex string does not fit the slicewidget must be child of containerSendMessage(TCM_SETCURSEL) failedfailed to create clipboard windowFailed to get comctl32.dll handlecatmsg: no translation for inputsleafCounts[maxBits][maxBits] != nGODEBUG: no value specified for "too many Answers to pack (>65535)encoding: missing byte order markRegistered I/O is unavailable: %vGODEBUG sys/cpu: can not enable "regexp: unhandled case in compile%v - Received handshake initiation%v - UAPI: Removing all allowedipsReceived message with unknown typeUAPI: Using default transport typeUAPI: Using default underload typeUnable to create new configurationUnable to import configuration: %vfailed to restrict dll search path3552713678800500929355621337890625: day-of-year does not match monthCM_Get_Device_Interface_List_SizeWSetFileCompletionNotificationModesbytes: Join output length overflowreflect: Field of non-struct type reflect: Field index out of boundsreflect: string index out of rangereflect.Value.Grow: slice overflowslice bounds out of range [:%x:%y]slice bounds out of range [%x:%y:]out of memory allocating allArenas/memory/classes/heap/objects:bytesruntime.SetFinalizer: cannot pass too many pages allocated in chunk?mspan.ensureSwept: m is not lockedVirtualQuery for stack base failedforEachP: sched.safePointWait != 0schedule: spinning with local workruntime: g is running but p is notdoaddtimer: P already set in timertoo many references: cannot spliceunexpected runtime.netpoll error: Permit inbound IPv4 traffic on TUNPermit inbound IPv6 traffic on TUNPermit outbound on loopback (IPv4)Permit outbound on loopback (IPv6)Unable to set device configurationtrailing character in UAPI get: %qname too long (%d bytes): %.20q...SendMessage(TCM_INSERTITEM) failedGetPhysicallyInstalledSystemMemoryillegal base64 data at 
input byte NoDefaultCurrentDirectoryInExePathGODEBUG sys/cpu: can not disable "invalid nested repetition operatorinvalid or unsupported Perl syntaxchacha20: wrong HChaCha20 key sizeFailed to decode initiation messageInvalid key for [Interface] sectionThe %s tunnel has been deactivated.UAPI: Updating junk_packet_max_sizeUAPI: Updating junk_packet_min_size/uninstalltunnelservice TUNNEL_NAMEunsigned integer overflow on token 1776356839400250464677810668945312588817841970012523233890533447265625ryuFtoaFixed32 called with prec > 92006-01-02T15:04:05.999999999Z07:00non-positive interval for NewTickerSubscribeServiceChangeNotificationsParseAcceptLanguage: invalid weightreflect.MakeSlice of non-slice typepersistentalloc: align is too large/memory/classes/heap/released:bytesgreyobject: obj not pointer-alignedmismatched begin/end of activeSweepmheap.freeSpanLocked - invalid freeattempt to clear non-empty span setruntime: close polldesc w/o unblockruntime: inconsistent read deadlinefindrunnable: netpoll with spinningpidleput: P has non-empty run queue
Source: amneziawg.exe String found in binary or memory: net/addrselect.go
Source: amneziawg.exe String found in binary or memory: github.com/amnezia-vpn/amneziawg-go@v0.2.8/device/noise-helpers.go
Source: amneziawg.exe String found in binary or memory: github.com/amnezia-vpn/amneziawg-windows@v0.1.4-0.20240526104134-db18f2297e5e/tunnel/addressconfig.go
Source: amneziawg.exe String found in binary or memory: github.com/amnezia-vpn/amneziawg-windows-client/elevate/loader.go
Source: amneziawg.exe String found in binary or memory: github.com/amnezia-vpn/amneziawg-windows-client/manager/install.go
Source: amneziawg.exe String found in binary or memory: github.com/lxn/walk@v0.0.0-20210112085537-c389da54e794/stopwatch.go
Source: C:\Users\user\Desktop\amneziawg.exe File read: C:\Users\user\Desktop\amneziawg.exe:Zone.Identifier
Source: unknown Process created: C:\Users\user\Desktop\amneziawg.exe "C:\Users\user\Desktop\amneziawg.exe"
Source: C:\Users\user\Desktop\amneziawg.exe Process created: C:\Users\user\Desktop\amneziawg.exe "C:\Users\user\Desktop\amneziawg.exe" /installmanagerservice
Source: unknown Process created: C:\Users\user\Desktop\amneziawg.exe C:\Users\user\Desktop\amneziawg.exe /managerservice
Source: C:\Users\user\Desktop\amneziawg.exe Process created: C:\Users\user\Desktop\amneziawg.exe C:\Users\user\Desktop\amneziawg.exe /ui 764 760 772 780
Source: C:\Users\user\Desktop\amneziawg.exe Section loaded: winmm.dll
Source: C:\Users\user\Desktop\amneziawg.exe Section loaded: powrprof.dll
Source: C:\Users\user\Desktop\amneziawg.exe Section loaded: umpdc.dll
Source: C:\Users\user\Desktop\amneziawg.exe Section loaded: msasn1.dll
Source: C:\Users\user\Desktop\amneziawg.exe Section loaded: cryptsp.dll
Source: C:\Users\user\Desktop\amneziawg.exe Section loaded: rsaenh.dll
Source: C:\Users\user\Desktop\amneziawg.exe Section loaded: cryptbase.dll
Source: C:\Users\user\Desktop\amneziawg.exe Section loaded: windows.storage.dll
Source: C:\Users\user\Desktop\amneziawg.exe Section loaded: wldp.dll
Source: C:\Users\user\Desktop\amneziawg.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\amneziawg.exe Section loaded: uxtheme.dll
Source: C:\Users\user\Desktop\amneziawg.exe Section loaded: propsys.dll
Source: C:\Users\user\Desktop\amneziawg.exe Section loaded: edputil.dll
Source: C:\Users\user\Desktop\amneziawg.exe Section loaded: urlmon.dll
Source: C:\Users\user\Desktop\amneziawg.exe Section loaded: iertutil.dll
Source: C:\Users\user\Desktop\amneziawg.exe Section loaded: srvcli.dll
Source: C:\Users\user\Desktop\amneziawg.exe Section loaded: netutils.dll
Source: C:\Users\user\Desktop\amneziawg.exe Section loaded: windows.staterepositoryps.dll
Source: C:\Users\user\Desktop\amneziawg.exe Section loaded: sspicli.dll
Source: C:\Users\user\Desktop\amneziawg.exe Section loaded: wintypes.dll
Source: C:\Users\user\Desktop\amneziawg.exe Section loaded: appresolver.dll
Source: C:\Users\user\Desktop\amneziawg.exe Section loaded: bcp47langs.dll
Source: C:\Users\user\Desktop\amneziawg.exe Section loaded: slc.dll
Source: C:\Users\user\Desktop\amneziawg.exe Section loaded: userenv.dll
Source: C:\Users\user\Desktop\amneziawg.exe Section loaded: sppc.dll
Source: C:\Users\user\Desktop\amneziawg.exe Section loaded: onecorecommonproxystub.dll
Source: C:\Users\user\Desktop\amneziawg.exe Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Users\user\Desktop\amneziawg.exe Section loaded: winmm.dll
Source: C:\Users\user\Desktop\amneziawg.exe Section loaded: powrprof.dll
Source: C:\Users\user\Desktop\amneziawg.exe Section loaded: umpdc.dll
Source: C:\Users\user\Desktop\amneziawg.exe Section loaded: winmm.dll
Source: C:\Users\user\Desktop\amneziawg.exe Section loaded: powrprof.dll
Source: C:\Users\user\Desktop\amneziawg.exe Section loaded: umpdc.dll
Source: C:\Users\user\Desktop\amneziawg.exe Section loaded: windows.storage.dll
Source: C:\Users\user\Desktop\amneziawg.exe Section loaded: wldp.dll
Source: C:\Users\user\Desktop\amneziawg.exe Section loaded: wtsapi32.dll
Source: C:\Users\user\Desktop\amneziawg.exe Section loaded: winsta.dll
Source: C:\Users\user\Desktop\amneziawg.exe Section loaded: userenv.dll
Source: C:\Users\user\Desktop\amneziawg.exe Section loaded: profapi.dll
Source: C:\Users\user\Desktop\amneziawg.exe Section loaded: sspicli.dll
Source: C:\Users\user\Desktop\amneziawg.exe Section loaded: winmm.dll
Source: C:\Users\user\Desktop\amneziawg.exe Section loaded: powrprof.dll
Source: C:\Users\user\Desktop\amneziawg.exe Section loaded: umpdc.dll
Source: C:\Users\user\Desktop\amneziawg.exe Section loaded: uxtheme.dll
Source: C:\Users\user\Desktop\amneziawg.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\amneziawg.exe Section loaded: textshaping.dll
Source: C:\Users\user\Desktop\amneziawg.exe Section loaded: windows.storage.dll
Source: C:\Users\user\Desktop\amneziawg.exe Section loaded: wldp.dll
Source: C:\Users\user\Desktop\amneziawg.exe Section loaded: windowscodecs.dll
Source: C:\Users\user\Desktop\amneziawg.exe Section loaded: oleacc.dll
Source: C:\Users\user\Desktop\amneziawg.exe Section loaded: textinputframework.dll
Source: C:\Users\user\Desktop\amneziawg.exe Section loaded: coreuicomponents.dll
Source: C:\Users\user\Desktop\amneziawg.exe Section loaded: coremessaging.dll
Source: C:\Users\user\Desktop\amneziawg.exe Section loaded: ntmarta.dll
Source: C:\Users\user\Desktop\amneziawg.exe Section loaded: coremessaging.dll
Source: C:\Users\user\Desktop\amneziawg.exe Section loaded: wintypes.dll
Source: C:\Users\user\Desktop\amneziawg.exe Section loaded: wintypes.dll
Source: C:\Users\user\Desktop\amneziawg.exe Section loaded: wintypes.dll
Source: C:\Users\user\Desktop\amneziawg.exe Section loaded: explorerframe.dll
Source: C:\Users\user\Desktop\amneziawg.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{1f486a52-3cb1-48fd-8f50-b8dc300d9f9d}\InProcServer32
Source: C:\Users\user\Desktop\amneziawg.exe Window found: window name: SysTabControl32
Source: C:\Users\user\Desktop\amneziawg.exe Window detected: Number of UI elements: 15
Source: C:\Users\user\Desktop\amneziawg.exe Directory created: C:\Program Files\AmneziaWG
Source: C:\Users\user\Desktop\amneziawg.exe Directory created: C:\Program Files\AmneziaWG\Data
Source: C:\Users\user\Desktop\amneziawg.exe Directory created: C:\Program Files\AmneziaWG\Data\log.bin
Source: C:\Users\user\Desktop\amneziawg.exe Directory created: C:\Program Files\AmneziaWG\Data\Configurations
Source: amneziawg.exe Static PE information: certificate valid
Source: amneziawg.exe Static PE information: Virtual size of .text is bigger than: 0x100000
Source: amneziawg.exe Static file information: File size 8231576 > 1048576
Source: amneziawg.exe Static PE information: Raw size of .text is bigger than: 0x100000 < 0x2f0200
Source: amneziawg.exe Static PE information: Raw size of .rdata is bigger than: 0x100000 < 0x3b2400
Source: amneziawg.exe Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Source: amneziawg.exe Static PE information: section name: .xdata
Source: amneziawg.exe Static PE information: section name: .symtab
Source: C:\Users\user\Desktop\amneziawg.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\amneziawg.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\amneziawg.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\amneziawg.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\amneziawg.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\amneziawg.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\amneziawg.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\amneziawg.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\amneziawg.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\amneziawg.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\amneziawg.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\amneziawg.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\amneziawg.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\amneziawg.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\amneziawg.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\amneziawg.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\amneziawg.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\amneziawg.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\amneziawg.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\amneziawg.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\amneziawg.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
Source: amneziawg.exe, 00000004.00000002.3374666441.00000278C1D4E000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll??]
Source: amneziawg.exe, 00000000.00000002.2121805539.000001E310258000.00000004.00000020.00020000.00000000.sdmp, amneziawg.exe, 00000001.00000002.2130844942.000001DE3141E000.00000004.00000020.00020000.00000000.sdmp, amneziawg.exe, 00000002.00000002.3374324008.0000022A76328000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: C:\Users\user\Desktop\amneziawg.exe Process information queried: ProcessInformation
Source: C:\Users\user\Desktop\amneziawg.exe Process created: C:\Users\user\Desktop\amneziawg.exe "C:\Users\user\Desktop\amneziawg.exe" /installmanagerservice
Source: C:\Users\user\Desktop\amneziawg.exe Process created: C:\Users\user\Desktop\amneziawg.exe C:\Users\user\Desktop\amneziawg.exe /ui 764 760 772 780
Source: amneziawg.exe Binary or memory string: %sinvalid styleSetWindowLongeffect == nilShell_TrayWndDestroyWindowSysListView32SelectedCountGetWindowLongLVM_SETCOLUMNGetWindowRectGetClientRectImageList_AddCreateRectRgnGetDeviceCapsSetBrushOrgExValueOverflowCreateActCtxWRtlMoveMemoryOleInitializeSysFreeStringwglShareListsPdhCloseQueryAnimateWindowDrawFocusRectGetMenuItemIDGetScrollInfoGetSystemMenuSetScrollInfoGetThemeColorOpenThemeDataEnumPrintersWRoundingMode(gocacheverifyinstallgoroothtml/templatetlsmaxrsasizeinvalid port name too longcq is corruptnot availableinvalid UTF-8Device closingPreshared key:listen_port=%dunexpected EOFComputerNameExinvalid syntax1907348632812595367431640625: extra text: ControlServiceCreateServiceWCryptGenRandomIsWellKnownSidMakeAbsoluteSDOpenSCManagerWSetThreadTokenCertCloseStoreCreateEventExWCreateMutexExWCreateProcessWFindFirstFileWFormatMessageWGetConsoleModeGetProcAddressGetTickCount64IsWow64ProcessLoadLibraryExWModule32FirstWProcess32NextWSetConsoleModeSetFilePointerSizeofResourceVirtualProtectVirtualQueryExNetUserGetInfoCoInitializeExCoUninitializeGetUserNameExWTranslateNameWGetShellWindowVerQueryValueWgetprotobyname procedure in Executing: %#qAdministrators/tunnelservice on zero Valueunknown methodunsafe.PointeruserArenaStateread mem statsallocfreetracegcstoptheworldGC assist waitfinalizer waitsync.Cond.Waits.allocCount= key size wrongnil elem type! to finalizer GC worker initruntime: full=runtime: want=MB; allocated timeEndPeriodbad restart PC-thread limit
Source: amneziawg.exe Binary or memory string: %sinvalid styleSetWindowLongeffect == nilShell_TrayWndDestroyWindowSysListView32SelectedCountGetWindowLongLVM_SETCOLUMNGetWindowRectGetClientRectImageList_AddCreateRectRgnGetDeviceCapsSetBrushOrgExValueOverflowCreateActCtxWRtlMoveMemoryOleInitializeSysFreeStringwglShareListsPdhCloseQueryAnimateWindowDrawFocusRectGetMenuItemIDGetScrollInfoGetSystemMenuSetScrollInfoGetThemeColorOpenThemeDataEnumPrintersWRoundingMode(gocacheverifyinstallgoroothtml/templatetlsmaxrsasizeinvalid port name too longcq is corruptnot availableinvalid UTF-8Device closingPreshared key:listen_port=%dunexpected EOFComputerNameExinvalid syntax1907348632812595367431640625: extra text: ControlServiceCreateServiceWCryptGenRandomIsWellKnownSidMakeAbsoluteSDOpenSCManagerWSetThreadTokenCertCloseStoreCreateEventExWCreateMutexExWCreateProcessWFindFirstFileWFormatMessageWGetConsoleModeGetProcAddressGetTickCount64IsWow64ProcessLoadLibraryExWModule32FirstWProcess32NextWSetConsoleModeSetFilePointerSizeofResourceVirtualProtectVirtualQueryExNetUserGetInfoCoInitializeExCoUninitializeGetUserNameExWTranslateNameWGetShellWindowVerQueryValueWgetprotobyname procedure in Executing: %#qAdministrators/tunnelservice on zero Valueunknown methodunsafe.PointeruserArenaStateread mem statsallocfreetracegcstoptheworldGC assist waitfinalizer waitsync.Cond.Waits.allocCount= key size wrongnil elem type! to finalizer GC worker initruntime: full=runtime: want=MB; allocated timeEndPeriod
Source: amneziawg.exe, 00000004.00000002.3371139511.000000C00009C000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: Ctrl+NC:\Windows\system32\shell32.dllC:\Windows\system32\shell32.dllShell_TrayWnd&Import tunnel(s) from file
Source: amneziawg.exe, 00000004.00000002.3371139511.000000C00009C000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: Status: UnknownShell_TrayWndStatus: UnknownShell_TrayWndListen port:DNS servers:Import tunnel(s) from fileListen port:DNS servers:Listen port:DNS servers:Import tunnel(s) from file
Source: C:\Users\user\Desktop\amneziawg.exe Queries volume information: C:\Program Files\AmneziaWG\Data VolumeInformation
Source: C:\Users\user\Desktop\amneziawg.exe Queries volume information: C:\Program Files\AmneziaWG\Data\Configurations VolumeInformation
Source: C:\Users\user\Desktop\amneziawg.exe Queries volume information: C:\Program Files\AmneziaWG\Data\Configurations VolumeInformation
Source: C:\Users\user\Desktop\amneziawg.exe Queries volume information: C:\Program Files\AmneziaWG\Data\Configurations VolumeInformation
Source: C:\Users\user\Desktop\amneziawg.exe Queries volume information: C:\Program Files\AmneziaWG\Data\Configurations VolumeInformation
Source: C:\Users\user\Desktop\amneziawg.exe Queries volume information: C:\Program Files\AmneziaWG\Data\Configurations VolumeInformation
Source: C:\Users\user\Desktop\amneziawg.exe Queries volume information: C:\Program Files\AmneziaWG\Data\Configurations VolumeInformation
Source: C:\Users\user\Desktop\amneziawg.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
No contacted IP infos