File name:	Windscribe_2.15.8_amd64.exe
Full analysis:	https://app.any.run/tasks/0933ffeb-c171-4f42-9663-7bf8ad79a574
Verdict:	Malicious activity
Analysis date:	June 18, 2025, 17:16:11
OS:	Windows 10 Professional (build: 19044, 64 bit)
Indicators:
MIME:	application/vnd.microsoft.portable-executable
File info:	PE32+ executable (GUI) x86-64, for MS Windows, 7 sections
MD5:	9959B706658CCE08FFEE69F1E1C7BE4C
SHA1:	46357859E814AD90E45B6C6D5AEA7D7ADC1FA1E0
SHA256:	7A92BE65624E341A86602FC5A59644CA01E8C8AF29BA8B39D7381AFDBD5DB387
SSDEEP:	196608:UTfUcl+KfYJrvjfbyTRaPsX+uVtVlId21fPNFS7rOcKVg1X262+xjTr/7WjoQ9eA:EsYIuT0EX+IflIdqdFOFKW1XMIn6EQ/

.exe	\|	Win32 Executable (generic) (52.9)
.exe	\|	Generic Win/DOS Executable (23.5)
.exe	\|	DOS Executable Generic (23.5)

MachineType:	AMD AMD64
TimeStamp:	2025:05:16 16:33:49+00:00
ImageFileCharacteristics:	Executable, Large address aware
PEType:	PE32+
LinkerVersion:	14.29
CodeSize:	388608
InitializedDataSize:	36915200
UninitializedDataSize:	-
EntryPoint:	0x345e4
OSVersion:	6
ImageVersion:	-
SubsystemVersion:	6
Subsystem:	Windows GUI
FileVersionNumber:	2.15.8.0
ProductVersionNumber:	2.15.8.0
FileFlagsMask:	0x003f
FileFlags:	(none)
FileOS:	Win32
ObjectFileType:	Dynamic link library
FileSubtype:	-
LanguageCode:	English (U.S.)
CharacterSet:	Unicode
CompanyName:	Windscribe Limited
FileDescription:	Windscribe Installer
FileVersion:	2.15.8
LegalCopyright:	Copyright (C) 2025 Windscribe Limited
OriginalFileName:	Windscribe.exe
ProductName:	Windscribe
ProductVersion:	2.15.8


(PID) Process:	(5400) devcon.exe	Key:	HKEY_LOCAL_MACHINE\SYSTEM\Setup\SetupapiLogStatus
Operation:	write	Name:	setupapi.dev.log
Value: 4096
(PID) Process:	(5372) Windscribe_2.15.8.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Windscribe\Installer
Operation:	write	Name:	ovpnDCODriverOEMIdentifier
Value: oem1.inf
(PID) Process:	(5372) Windscribe_2.15.8.exe	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{fa690e90-ddb0-4f0c-b3f1-136c084e5fc7}_is1
Operation:	write	Name:	InstallLocation
Value: C:\Program Files\Windscribe\
(PID) Process:	(5372) Windscribe_2.15.8.exe	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{fa690e90-ddb0-4f0c-b3f1-136c084e5fc7}_is1
Operation:	write	Name:	DisplayName
Value: Windscribe
(PID) Process:	(5372) Windscribe_2.15.8.exe	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{fa690e90-ddb0-4f0c-b3f1-136c084e5fc7}_is1
Operation:	write	Name:	DisplayIcon
Value: C:\Program Files\Windscribe\Windscribe.exe
(PID) Process:	(5372) Windscribe_2.15.8.exe	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{fa690e90-ddb0-4f0c-b3f1-136c084e5fc7}_is1
Operation:	write	Name:	UninstallString
Value: "C:\Program Files\Windscribe\uninstall.exe"
(PID) Process:	(5372) Windscribe_2.15.8.exe	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{fa690e90-ddb0-4f0c-b3f1-136c084e5fc7}_is1
Operation:	write	Name:	QuietUninstallString
Value: "C:\Program Files\Windscribe\uninstall.exe" /SILENT
(PID) Process:	(5372) Windscribe_2.15.8.exe	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{fa690e90-ddb0-4f0c-b3f1-136c084e5fc7}_is1
Operation:	write	Name:	DisplayVersion
Value: 2.15.8
(PID) Process:	(5372) Windscribe_2.15.8.exe	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{fa690e90-ddb0-4f0c-b3f1-136c084e5fc7}_is1
Operation:	write	Name:	Publisher
Value: Windscribe Limited
(PID) Process:	(5372) Windscribe_2.15.8.exe	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{fa690e90-ddb0-4f0c-b3f1-136c084e5fc7}_is1
Operation:	write	Name:	URLInfoAbout
Value: http://www.windscribe.com/

PID	Process	Filename		Type
5184	Windscribe_2.15.8_amd64.exe	C:\Windows\Temp\WindscribeInstaller11650\windscribeinstaller.7z		—
		MD5:—	SHA256:—
504	7zr.exe	C:\Windows\Temp\WindscribeInstaller11650\Windscribe_2.15.8.exe		—
		MD5:—	SHA256:—
5372	Windscribe_2.15.8.exe	C:\Windows\Temp\WindscribeInstaller11650\windscribe.7z		—
		MD5:—	SHA256:—
1380	7zr.exe	C:\Program Files\Windscribe\Windscribe.exe		—
		MD5:—	SHA256:—
1380	7zr.exe	C:\Program Files\Windscribe\openvpndco\win11\ovpn-dco.cat		cat
		MD5:8FD89F82A273CD3ED2F76F7F09CF30AE	SHA256:8C9456AEACD5566234519B5B34CEECD0F7EBB22F6813747E595F5945517EC438
1380	7zr.exe	C:\Program Files\Windscribe\openvpndco\win10\ovpn-dco.cat		cat
		MD5:5551203F3F1095335FF00421B16FD7E2	SHA256:26C54CE26CB43407855BA24D10FBB30A87E5A1A0A35536025A02CB003FE474F4
5184	Windscribe_2.15.8_amd64.exe	C:\Windows\Temp\WindscribeInstaller11650\7zr.exe		executable
		MD5:4492280AB3AB242F13DC365EBED6FA44	SHA256:3BFBDD19311D6741254344214D7F0601E8C16F3B17402B35E94AC2E60D9A66CC
1380	7zr.exe	C:\Program Files\Windscribe\openvpndco\win10\ovpn-dco.inf		ini
		MD5:77DA079A3665AFC84D05C3D07BCAA0D0	SHA256:1F6C35BC11D910F91C32EA54894D0FDDB0094876BDD526D04A9287D04D636242
1380	7zr.exe	C:\Program Files\Windscribe\open_source_licenses.txt		text
		MD5:2C64C599B69E560193FA213D439F9CC5	SHA256:CBD5401B6FBE6EC095732F25CE09FD522DB0F45D9D91C947457BB2BD12B78084
1380	7zr.exe	C:\Program Files\Windscribe\splittunnel\windscribesplittunnel.inf		ini
		MD5:CBBB5F17C53610C70913299CDE04D4C2	SHA256:07D52DB986C550B8EA72DC5CF1E035552C187AD9AD8ADC270AD682C05BC20D98

PID	Process	Method	HTTP Code	IP	URL	CN	Type	Size	Reputation
—	—	POST	200	20.190.159.71:443	https://login.live.com/RST2.srf	unknown	xml	10.3 Kb	whitelisted
6172	RUXIMICS.exe	GET	200	2.16.241.12:80	http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl	unknown	—	—	whitelisted
5944	MoUsoCoreWorker.exe	GET	200	2.23.246.101:80	http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl	unknown	—	—	whitelisted
—	—	POST	200	20.190.159.71:443	https://login.live.com/RST2.srf	unknown	xml	11.1 Kb	whitelisted
—	—	POST	200	40.126.31.129:443	https://login.live.com/RST2.srf	unknown	xml	11.0 Kb	whitelisted
5944	MoUsoCoreWorker.exe	GET	200	2.16.241.12:80	http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl	unknown	—	—	whitelisted
6172	RUXIMICS.exe	GET	200	2.23.246.101:80	http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl	unknown	—	—	whitelisted
—	—	POST	200	40.126.31.3:443	https://login.live.com/RST2.srf	unknown	xml	10.3 Kb	whitelisted
—	—	GET	200	4.175.87.197:443	https://slscr.update.microsoft.com/SLS/%7B522D76A4-93E1-47F8-B8CE-07C937AD1A1E%7D/x64/10.0.19045.4046/0?CH=686&L=en-US&P=&PT=0x30&WUA=10.0.19041.3996&MK=DELL&MD=DELL	unknown	compressed	23.9 Kb	whitelisted
4808	SIHClient.exe	GET	200	2.16.168.114:80	http://crl.microsoft.com/pki/crl/products/MicTimStaPCA_2010-07-01.crl	unknown	—	—	whitelisted

PID	Process	IP	Domain	ASN	CN	Reputation
—	—	4.231.128.59:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	IE	whitelisted
4	System	192.168.100.255:137	—	—	—	whitelisted
6172	RUXIMICS.exe	4.231.128.59:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	IE	whitelisted
5944	MoUsoCoreWorker.exe	4.231.128.59:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	IE	whitelisted
4	System	192.168.100.255:138	—	—	—	whitelisted
—	—	172.211.123.249:443	client.wns.windows.com	MICROSOFT-CORP-MSN-AS-BLOCK	FR	whitelisted
—	—	40.126.31.2:443	login.live.com	MICROSOFT-CORP-MSN-AS-BLOCK	IE	whitelisted
436	svchost.exe	40.126.31.2:443	login.live.com	MICROSOFT-CORP-MSN-AS-BLOCK	IE	whitelisted
1268	svchost.exe	4.231.128.59:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	IE	whitelisted
2336	svchost.exe	172.211.123.249:443	client.wns.windows.com	MICROSOFT-CORP-MSN-AS-BLOCK	FR	whitelisted

Domain	IP	Reputation
google.com	142.250.186.46	whitelisted
client.wns.windows.com	172.211.123.249	whitelisted
login.live.com	40.126.31.2 20.190.159.73 40.126.31.73 20.190.159.129 40.126.31.130 20.190.159.64 40.126.31.67 40.126.31.129 20.190.159.75 20.190.159.23 40.126.31.69 20.190.159.4 20.190.159.130 20.190.159.0	whitelisted
settings-win.data.microsoft.com	4.231.128.59 51.104.136.2	whitelisted
crl.microsoft.com	2.16.241.12 2.16.241.19 2.16.168.114 2.16.168.124	whitelisted
www.microsoft.com	2.23.246.101 95.101.149.131	whitelisted
nexusrules.officeapps.live.com	52.111.227.14	whitelisted
slscr.update.microsoft.com	52.149.20.212	whitelisted
fe3cr.delivery.mp.microsoft.com	20.3.187.198	whitelisted
activation-v2.sls.microsoft.com	40.91.76.224	whitelisted

Process	Message
Windscribe_2.15.8_amd64.exe	Windscribe bootstrapper installing to C:\WINDOWS\Temp\WindscribeInstaller11650
Windscribe_2.15.8_amd64.exe	Extracting resource: 7zr.exe
Windscribe_2.15.8_amd64.exe	Extracting resource: windscribeinstaller.7z
Windscribe_2.15.8_amd64.exe	executeCmd: "C:\WINDOWS\Temp\WindscribeInstaller11650\7zr.exe" x -y -bb3 -bd -o"C:\WINDOWS\Temp\WindscribeInstaller11650" "C:\WINDOWS\Temp\WindscribeInstaller11650\windscribeinstaller.7z"
Windscribe_2.15.8_amd64.exe	Extracting files from windscribeinstaller.7z
Windscribe_2.15.8_amd64.exe	executeCmd output: 7-Zip (r) 24.08 (x86) : Igor Pavlov : Public domain : 2024-08-11 Scanning the drive for archives: 1 file, 35859461 bytes (35 MiB) Extracting archive: C:\WINDOWS\Temp\WindscribeInstaller11650\windscribeinstaller.7z -- Path = C:\WINDOWS\Temp\WindscribeInstaller11650\windscribeinstaller.7z Type = 7z Physical Size = 35859461 Headers Size = 162 Method = LZMA2:24 BCJ Solid = - Blocks = 1 - Windscribe_2.15.8.exe Everything is Ok Size: 49880168 Compressed: 35859461
Windscribe_2.15.8.exe	{"tm": "2025-06-18 17:16:41.013", "lvl": "info", "mod": "installer", "msg": "System language: en"}
Windscribe_2.15.8.exe	{"tm": "2025-06-18 17:16:41.013", "lvl": "info", "mod": "installer", "msg": "Using language: en"}
Windscribe_2.15.8.exe	{"tm": "2025-06-18 17:16:41.008", "lvl": "info", "mod": "installer", "msg": "Command-line args: \"Windscribe_2.15.8.exe\" "}
Windscribe_2.15.8.exe	{"tm": "2025-06-18 17:16:41.006", "lvl": "info", "mod": "installer", "msg": "Installing Windscribe version 2.15.8"}

General Info

Windscribe_2.15.8_amd64.exe

9959B706658CCE08FFEE69F1E1C7BE4C

46357859E814AD90E45B6C6D5AEA7D7ADC1FA1E0

7A92BE65624E341A86602FC5A59644CA01E8C8AF29BA8B39D7381AFDBD5DB387

196608:UTfUcl+KfYJrvjfbyTRaPsX+uVtVlId21fPNFS7rOcKVg1X262+xjTr/7WjoQ9eA:EsYIuT0EX+IflIdqdFOFKW1XMIn6EQ/

Software environment set and analysis options

Launch configuration

Software preset

Hotfixes

Behavior activities

MALICIOUS

Executing a file with an untrusted certificate

SUSPICIOUS

Reads the date of Windows installation

Reads security settings of Internet Explorer

Application launched itself

Drops 7-zip archiver for unpacking

Executable content was dropped or overwritten

Uses TASKKILL.EXE to kill process

Searches for installed software

Process drops legitimate windows executable

Executes as Windows Service

Drops a system driver (possible attempt to evade defenses)

Creates files in the driver directory

Creates a software uninstall entry

INFO

Reads the computer name

The sample compiled with english language support

Process checks computer location settings

Checks supported languages

Creates files in the program directory

Create files in a temporary directory

Reads the software policy settings

Reads the machine GUID from the registry

Disables trace logs

Checks proxy server information

Manual execution by a user

Creates files or folders in the user directory

Malware configuration

Static information

TRiD

EXIF

EXE

Video and screenshots

Processes

Behavior graph

Specs description

Process information

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Registry activity

Modification events

Files activity

Dropped files

Network activity

HTTP requests

Connections

DNS requests

Threats

Debug output strings