analyze malware
  • Huge database of samples and IOCs
  • Custom VM setup
  • Unlimited submissions
  • Interactive approach
Sign up, it’s free
File name:

Windscribe_2.0_beta.exe

Full analysis: https://app.any.run/tasks/1a8f62e2-0018-44ae-ba73-ac2ce3d65978
Verdict: Malicious activity
Threats:

A loader is malicious software that infiltrates devices to deliver malicious payloads. This malware is capable of infecting victims’ computers, analyzing their system information, and installing other types of threats, such as trojans or stealers. Criminals usually deliver loaders through phishing emails and links by relying on social engineering to trick users into downloading and running their executables. Loaders employ advanced evasion and persistence tactics to avoid detection.

Malware Trends Tracker     >>>
Analysis date: February 21, 2020, 19:20:43
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags:
loader
Indicators:
MIME: application/x-dosexec
File info: PE32 executable (GUI) Intel 80386, for MS Windows
MD5:

7218CDF313B7FD0B84F83E7A2ABD67C8

SHA1:

4548F29430E44FA03E7DEE4619D8DCD56E0A7B96

SHA256:

A800DEE98F1F3753175D5DD4FE197CE8C180A29E8051E4590F9DB953C4E360DF

SSDEEP:

196608:NEzAr9+pBAVVj3nI4dyL/v7EgS8CxB/Yn6goNr0pSwuMN/2k9+23JeMK:N6yo8VfkP3hCxmn6gK0ruMx9hPK

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    • Application was dropped or rewritten from another process

      • tapinstall.exe (PID: 2192)
      • subinacl.exe (PID: 3696)
      • tapinstall.exe (PID: 1844)
      • windscribeopenvpn_2_5_0.exe (PID: 2612)
      • WindscribeLauncher.exe (PID: 780)
      • windscribeopenvpn_2_4_8.exe (PID: 3088)
      • WindscribeEngine.exe (PID: 3912)
      • WindscribeService.exe (PID: 3092)
      • Windscribe.exe (PID: 3056)
      • eLectaRecorder.exe (PID: 1516)
      • windscribeopenvpn_2_4_8.exe (PID: 3640)

    • Downloads executable files from the Internet

      • chrome.exe (PID: 3072)

    • Changes the autorun value in the registry

      • Windscribe_2.0_beta.exe (PID: 3316)

    • Loads dropped or rewritten executable

      • windscribeopenvpn_2_4_8.exe (PID: 3088)
      • WindscribeEngine.exe (PID: 3912)
      • Windscribe.exe (PID: 3056)
      • windscribeopenvpn_2_5_0.exe (PID: 2612)
      • WindscribeLauncher.exe (PID: 780)
      • eLectaRecorder.exe (PID: 1516)
      • explorer.exe (PID: 372)
      • iexplore.exe (PID: 2340)
      • iexplore.exe (PID: 3808)
      • windscribeopenvpn_2_4_8.exe (PID: 3640)
      • WerFault.exe (PID: 2160)
      • chrome.exe (PID: 2664)
      • vlc.exe (PID: 2776)
      • chrome.exe (PID: 2748)

    • Changes settings of System certificates

      • tapinstall.exe (PID: 2192)

    • Writes to the hosts file

      • WindscribeService.exe (PID: 3092)

  • SUSPICIOUS

    • Executable content was dropped or overwritten

      • tapinstall.exe (PID: 2192)
      • Windscribe_2.0_beta.exe (PID: 3316)
      • DrvInst.exe (PID: 564)
      • DrvInst.exe (PID: 1688)
      • DrvInst.exe (PID: 3516)
      • tapinstall.exe (PID: 1844)
      • DrvInst.exe (PID: 2084)
      • msiexec.exe (PID: 3108)

    • Creates or modifies windows services

      • Windscribe_2.0_beta.exe (PID: 3316)

    • Executed via COM

      • DrvInst.exe (PID: 564)
      • DrvInst.exe (PID: 1688)
      • DrvInst.exe (PID: 3516)
      • DllHost.exe (PID: 4020)
      • DrvInst.exe (PID: 2084)

    • Starts SC.EXE for service management

      • Windscribe_2.0_beta.exe (PID: 3316)

    • Creates files in the driver directory

      • DrvInst.exe (PID: 564)
      • DrvInst.exe (PID: 1688)
      • DrvInst.exe (PID: 3516)
      • DrvInst.exe (PID: 2084)
      • Windscribe_2.0_beta.exe (PID: 3316)
      • WindscribeService.exe (PID: 3092)

    • Creates files in the program directory

      • Windscribe_2.0_beta.exe (PID: 3316)
      • WindscribeService.exe (PID: 3092)
      • WerFault.exe (PID: 2160)

    • Uses RUNDLL32.EXE to load library

      • DrvInst.exe (PID: 564)
      • DrvInst.exe (PID: 3516)

    • Executed as Windows Service

      • vssvc.exe (PID: 3888)
      • WindscribeService.exe (PID: 3092)

    • Creates files in the Windows directory

      • DrvInst.exe (PID: 564)
      • DrvInst.exe (PID: 1688)
      • DrvInst.exe (PID: 3516)
      • Windscribe_2.0_beta.exe (PID: 3316)
      • DrvInst.exe (PID: 2084)
      • WindscribeService.exe (PID: 3092)
      • WerFault.exe (PID: 2160)

    • Removes files from Windows directory

      • DrvInst.exe (PID: 564)
      • DrvInst.exe (PID: 1688)
      • DrvInst.exe (PID: 3516)
      • DrvInst.exe (PID: 2084)
      • Windscribe_2.0_beta.exe (PID: 3316)
      • WerFault.exe (PID: 2160)

    • Modifies files in Chrome extension folder

      • chrome.exe (PID: 3360)

    • Starts Microsoft Installer

      • chrome.exe (PID: 3360)

    • Creates a software uninstall entry

      • Windscribe_2.0_beta.exe (PID: 3316)

    • Starts Internet Explorer

      • Windscribe.exe (PID: 3056)

    • Uses TASKKILL.EXE to kill process

      • WindscribeService.exe (PID: 3092)

    • Adds / modifies Windows certificates

      • tapinstall.exe (PID: 2192)

    • Uses WMIC.EXE to obtain a system information

      • WindscribeService.exe (PID: 3092)

    • Creates files in the user directory

      • WindscribeEngine.exe (PID: 3912)
      • explorer.exe (PID: 372)
      • vlc.exe (PID: 2776)

  • INFO

    • Reads settings of System Certificates

      • tapinstall.exe (PID: 2192)
      • chrome.exe (PID: 3360)
      • Windscribe.exe (PID: 3056)
      • iexplore.exe (PID: 2340)
      • chrome.exe (PID: 664)

    • Manual execution by user

      • chrome.exe (PID: 3360)
      • WindscribeLauncher.exe (PID: 780)
      • eLectaRecorder.exe (PID: 1516)

    • Reads the hosts file

      • chrome.exe (PID: 3072)
      • chrome.exe (PID: 3360)
      • WindscribeEngine.exe (PID: 3912)
      • WindscribeService.exe (PID: 3092)
      • chrome.exe (PID: 2664)
      • chrome.exe (PID: 664)

    • Application launched itself

      • chrome.exe (PID: 3360)
      • iexplore.exe (PID: 3808)
      • chrome.exe (PID: 2664)

    • Searches for installed software

      • DrvInst.exe (PID: 564)
      • DrvInst.exe (PID: 3516)
      • msiexec.exe (PID: 3108)

    • Reads Internet Cache Settings

      • chrome.exe (PID: 3360)
      • iexplore.exe (PID: 3808)
      • iexplore.exe (PID: 2340)

    • Low-level read access rights to disk partition

      • vssvc.exe (PID: 3888)

    • Changes internet zones settings

      • iexplore.exe (PID: 3808)

    • Creates a software uninstall entry

      • msiexec.exe (PID: 3108)

    • Creates files in the program directory

      • msiexec.exe (PID: 3108)

    • Creates files in the user directory

      • iexplore.exe (PID: 2340)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.exe | Win64 Executable (generic) (64.6)
.dll | Win32 Dynamic Link Library (generic) (15.4)
.exe | Win32 Executable (generic) (10.5)
.exe | Generic Win/DOS Executable (4.6)
.exe | DOS Executable Generic (4.6)

EXIF

EXE

ProductVersion: 2.0.0.14
ProductName: Windscribe
OriginalFileName: Windscribe.exe
LegalCopyright: Copyright (C) 2019 Windscribe Limited
FileVersion: 2.0.0.14
FileDescription: Windscribe Installer
CompanyName: Windscribe Limited
CharacterSet: Unicode
LanguageCode: English (U.S.)
FileSubtype: -
ObjectFileType: Dynamic link library
FileOS: Win32
FileFlags: (none)
FileFlagsMask: 0x003f
ProductVersionNumber: 2.0.0.14
FileVersionNumber: 2.0.0.14
Subsystem: Windows GUI
SubsystemVersion: 6
ImageVersion: -
OSVersion: 6
EntryPoint: 0x23b4b
UninitializedDataSize: -
InitializedDataSize: 13909504
CodeSize: 381952
LinkerVersion: 14.16
PEType: PE32
TimeStamp: 2020:02:21 00:53:26+01:00
MachineType: Intel 386 or later, and compatibles

Summary

Architecture: IMAGE_FILE_MACHINE_I386
Subsystem: IMAGE_SUBSYSTEM_WINDOWS_GUI
Compilation Date: 20-Feb-2020 23:53:26
Detected languages:
  • English - United States
Debug artifacts:
  • C:\Work\client-desktop-installer\installer-release\installer.pdb
CompanyName: Windscribe Limited
FileDescription: Windscribe Installer
FileVersion: 2.0.0.14
LegalCopyright: Copyright (C) 2019 Windscribe Limited
OriginalFilename: Windscribe.exe
ProductName: Windscribe
ProductVersion: 2.0.0.14

DOS Header

Magic number: MZ
Bytes on last page of file: 0x0090
Pages in file: 0x0003
Relocations: 0x0000
Size of header: 0x0004
Min extra paragraphs: 0x0000
Max extra paragraphs: 0xFFFF
Initial SS value: 0x0000
Initial SP value: 0x00B8
Checksum: 0x0000
Initial IP value: 0x0000
Initial CS value: 0x0000
Overlay number: 0x0000
OEM identifier: 0x0000
OEM information: 0x0000
Address of NE header: 0x00000110

PE Headers

Signature: PE
Machine: IMAGE_FILE_MACHINE_I386
Number of sections: 5
Time date stamp: 20-Feb-2020 23:53:26
Pointer to Symbol Table: 0x00000000
Number of symbols: 0
Size of Optional Header: 0x00E0
Characteristics:
  • IMAGE_FILE_32BIT_MACHINE
  • IMAGE_FILE_EXECUTABLE_IMAGE

Sections

Name
Virtual Address
Virtual Size
Raw Size
Charateristics
Entropy
.text
0x00001000
0x0005D22D
0x0005D400
IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
6.70906
.rdata
0x0005F000
0x0001A084
0x0001A200
IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
5.59618
.data
0x0007A000
0x000059C0
0x00002400
IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
4.4877
.rsrc
0x00080000
0x00D1F428
0x00D1F600
IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
7.98994
.reloc
0x00DA0000
0x00004A14
0x00004C00
IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
6.61054

Resources

Title
Entropy
Size
Codepage
Language
Type
1
5.02293
559
UNKNOWN
English - United States
RT_MANIFEST
2
3.64946
67624
UNKNOWN
English - United States
RT_ICON
3
3.87618
16936
UNKNOWN
English - United States
RT_ICON
4
4.12656
9640
UNKNOWN
English - United States
RT_ICON
5
4.52198
4264
UNKNOWN
English - United States
RT_ICON
6
4.98123
1128
UNKNOWN
English - United States
RT_ICON
34465
2.79908
90
UNKNOWN
English - United States
RT_GROUP_ICON
34466
5.8429
107988
UNKNOWN
English - United States
BINARY
34467
5.86023
107732
UNKNOWN
English - United States
BINARY
BADGE_ICON
4.9052
1904
UNKNOWN
English - United States
RT_RCDATA

Imports

ADVAPI32.dll
GDI32.dll
KERNEL32.dll
OLEAUT32.dll
SETUPAPI.dll
SHELL32.dll
SHLWAPI.dll
USER32.dll
UxTheme.dll
dwmapi.dll
No data.
screenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
151
Monitored processes
81
Malicious processes
15
Suspicious processes
1

Behavior graph

Click at the process to see the details
drop and start drop and start drop and start start windscribe_2.0_beta.exe no specs windscribe_2.0_beta.exe sc.exe no specs sc.exe no specs subinacl.exe no specs tapinstall.exe drvinst.exe rundll32.exe no specs chrome.exe chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe chrome.exe no specs chrome.exe no specs chrome.exe no specs vssvc.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs drvinst.exe tapinstall.exe drvinst.exe rundll32.exe no specs chrome.exe no specs Shell Security Editor no specs drvinst.exe msiexec.exe no specs runonce.exe no specs grpconv.exe no specs msiexec.exe windscribelauncher.exe no specs windscribe.exe windscribeengine.exe windscribeopenvpn_2_4_8.exe no specs windscribeopenvpn_2_5_0.exe no specs windscribeservice.exe taskkill.exe no specs taskkill.exe no specs iexplore.exe no specs iexplore.exe electarecorder.exe no specs explorer.exe no specs wmic.exe no specs windscribeopenvpn_2_4_8.exe werfault.exe no specs vlc.exe chrome.exe chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs

Process information

PID
CMD
Path
Indicators
Parent process
3176"C:\Users\admin\Desktop\Windscribe_2.0_beta.exe" C:\Users\admin\Desktop\Windscribe_2.0_beta.exeexplorer.exe
User:
admin
Company:
Windscribe Limited
Integrity Level:
MEDIUM
Description:
Windscribe Installer
Exit code:
3221226540
Version:
2.0.0.14
3316"C:\Users\admin\Desktop\Windscribe_2.0_beta.exe" C:\Users\admin\Desktop\Windscribe_2.0_beta.exe
explorer.exe
User:
admin
Company:
Windscribe Limited
Integrity Level:
HIGH
Description:
Windscribe Installer
Exit code:
0
Version:
2.0.0.14
3016"sc" create WindscribeService binPath= "C:\Program Files\Windscribe\WindscribeService.exe" start= autoC:\Windows\system32\sc.exeWindscribe_2.0_beta.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
A tool to aid in developing services for WindowsNT
Exit code:
0
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
1692"sc" description WindscribeService "Manages the firewall and controls the VPN tunnel"C:\Windows\system32\sc.exeWindscribe_2.0_beta.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
A tool to aid in developing services for WindowsNT
Exit code:
0
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
3696"C:\Program Files\Windscribe\subinacl" /SERVICE WindscribeService /grant=S-1-5-11=STOC:\Program Files\Windscribe\subinacl.exeWindscribe_2.0_beta.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
SubInAcl
Exit code:
0
Version:
5.2.3790.1180
2192"C:\Program Files\Windscribe\tap\tapinstall.exe" install OemVista.inf tapwindscribe0901C:\Program Files\Windscribe\tap\tapinstall.exe
Windscribe_2.0_beta.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Windows Setup API
Exit code:
0
Version:
6.1.7600.16385 (win7_wdk.100208-1538)
564DrvInst.exe "4" "0" "C:\Users\admin\AppData\Local\Temp\{6868ca97-c35a-0404-674f-313d05cbd47e}\oemvista.inf" "0" "60e41e9d3" "00000554" "WinSta0\Default" "00000558" "208" "c:\program files\windscribe\tap"C:\Windows\system32\DrvInst.exe
svchost.exe
User:
SYSTEM
Company:
Microsoft Corporation
Integrity Level:
SYSTEM
Description:
Driver Installation Module
Exit code:
0
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
4048rundll32.exe C:\Windows\system32\pnpui.dll,InstallSecurityPromptRunDllW 20 Global\{61b2311f-2a23-7186-9e1b-ba287108817e} Global\{7860f1fd-c6b4-61ee-2f30-8625b22c1128} C:\Windows\System32\DriverStore\Temp\{6705612f-d52e-7caa-f88a-d05ac603ba49}\oemvista.inf C:\Windows\System32\DriverStore\Temp\{6705612f-d52e-7caa-f88a-d05ac603ba49}\tapwindscribe0901.catC:\Windows\system32\rundll32.exeDrvInst.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Windows host process (Rundll32)
Exit code:
0
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
3360"C:\Program Files\Google\Chrome\Application\chrome.exe" C:\Program Files\Google\Chrome\Application\chrome.exe
explorer.exe
User:
admin
Company:
Google LLC
Integrity Level:
MEDIUM
Description:
Google Chrome
Exit code:
3221225547
Version:
75.0.3770.100
4008"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win32 --annotation=prod=Chrome --annotation=ver=75.0.3770.100 --initial-client-data=0x7c,0x80,0x84,0x78,0x88,0x6d36a9d0,0x6d36a9e0,0x6d36a9ecC:\Program Files\Google\Chrome\Application\chrome.exechrome.exe
User:
admin
Company:
Google LLC
Integrity Level:
MEDIUM
Description:
Google Chrome
Exit code:
0
Version:
75.0.3770.100
Total events
15 011
Read events
11 247
Write events
0
Delete events
0

Modification events

No data
Executable files
93
Suspicious files
100
Text files
627
Unknown types
52

Dropped files

PID
Process
Filename
Type
3316Windscribe_2.0_beta.exeC:\Program Files\Windscribe\splittunnel\windscribesplittunnel.catcat
MD5:C35C54EFC45CEEE76769A7B1C57E8C8D
SHA256:D82D125F5C87DEEC263B1939463CB78BBEB7F6EE65E8A5B7E9C52B6F5EA5875A
3316Windscribe_2.0_beta.exeC:\Program Files\Windscribe\wintun\wintun.catcat
MD5:12FAFC9E9A774157ED17451900E91271
SHA256:82201C358D0C8F096409E76247CEC36B37EA52844C2A96A873FE552105E52DDE
3316Windscribe_2.0_beta.exeC:\Program Files\Windscribe\wintun\wintun.infbinary
MD5:751C58EF5E9FC2F95657C69EEF9CAD66
SHA256:0D027B050922E0D8A098020074FFEEFF8B487A2C93608D756487FA9200097BF0
3316Windscribe_2.0_beta.exeC:\Program Files\Windscribe\splittunnel\WindscribeSplitTunnel.infini
MD5:7AB8650946B8174A9088429E4D6D4808
SHA256:8A930E956D582FD6096994771F54D2846ED6B0ACE8C0CB1B33B280BD1E223B75
3316Windscribe_2.0_beta.exeC:\Program Files\Windscribe\tap\OemVista.infbinary
MD5:B830F755018F844DE3BA42EAE5150F6E
SHA256:145AF2483D5322AFF169A91D6EBBB4E504CDE5DFB846C960D051A98596B237EF
3316Windscribe_2.0_beta.exeC:\Program Files\Windscribe\api-ms-win-core-handle-l1-1-0.dllexecutable
MD5:1F6A4F144E52A23767CC74FE2F796FF0
SHA256:634924290057AE9C0E4599D2C70656916BE24BD594AB1904C0BE7A8EA91DDC7C
3316Windscribe_2.0_beta.exeC:\Program Files\Windscribe\api-ms-win-core-localization-l1-2-0.dllexecutable
MD5:2A3DA8E1CD09ACA0FC13BE43848C7695
SHA256:C3F671D3B41FFFA444A33F79C0E65DF7CA01E56598E4B2F90E7AF18C77B97652
3316Windscribe_2.0_beta.exeC:\Program Files\Windscribe\api-ms-win-core-console-l1-2-0.dllexecutable
MD5:9B630E1445F1E687284077EECD999B03
SHA256:EFD664C9F87B370A530CEA5FCAEC3D248F5C9D79E749862B3EB63448292AB20F
3316Windscribe_2.0_beta.exeC:\Program Files\Windscribe\api-ms-win-core-processenvironment-l1-1-0.dllexecutable
MD5:114A2B70FDCF21357F3070DC0C070B3C
SHA256:D91F680B1F54DCCEDDD9EAD63DC08EE11845803F2CC6DE7C545335803016F2D0
3316Windscribe_2.0_beta.exeC:\Program Files\Windscribe\api-ms-win-core-string-l1-1-0.dllexecutable
MD5:7DD35C4BE2EC4D74946177698990B1BB
SHA256:AE67D1BDA3D9C10560819E9E02BA475AEB3F7DF7E8F73586D546F44BA6EF8046
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
13
TCP/UDP connections
190
DNS requests
39
Threats
0

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
2340
iexplore.exe
GET
200
151.139.128.14:80
http://ocsp.sectigo.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBRDC9IOTxN6GmyRjyTl2n4yTUczyAQUjYxexFStiuF36Zv5mwXhuAGNYeECEF6v9x%2BT7vVdbD6kKgKpu%2Fc%3D
US
der
471 b
whitelisted
664
chrome.exe
GET
301
104.20.151.33:80
http://c.statcounter.com/3541212/0/872cdcc5/1/
US
whitelisted
2340
iexplore.exe
GET
200
151.139.128.14:80
http://ocsp.usertrust.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBR8sWZUnKvbRO5iJhat9GV793rVlAQUrb2YejS0Jvf6xCZU7wO94CTLVBoCEBPqKHBb9OztDDZjCYBhQzY%3D
US
der
471 b
whitelisted
2340
iexplore.exe
GET
200
151.139.128.14:80
http://ocsp.usertrust.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBR8sWZUnKvbRO5iJhat9GV793rVlAQUrb2YejS0Jvf6xCZU7wO94CTLVBoCEBPqKHBb9OztDDZjCYBhQzY%3D
US
der
471 b
whitelisted
2340
iexplore.exe
GET
200
151.139.128.14:80
http://ocsp.usertrust.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTNMNJMNDqCqx8FcBWK16EHdimS6QQUU3m%2FWqorSs9UgOHYm8Cd8rIDZssCEH1bUSa0droR23QWC7xTDac%3D
US
der
727 b
whitelisted
3072
chrome.exe
GET
200
173.194.139.6:80
http://r1---sn-aigzrn7k.gvt1.com/edgedl/chromewebstore/L2Nocm9tZV9leHRlbnNpb24vYmxvYnMvOTRmQUFXVHlhaGJaUTdMLWtCSkNJUl9ZQQ/1.0.0.5_nmmhkkegccagdldgiimedpiccmgmieda.crx?cms_redirect=yes&mip=185.217.117.157&mm=28&mn=sn-aigzrn7k&ms=nvh&mt=1582312812&mv=m&mvi=0&pl=24&shardbypass=yes
US
crx
293 Kb
whitelisted
3072
chrome.exe
GET
200
23.101.151.240:80
http://www.screenrecordings.com/downloads/eLectaScreenRecorder.msi
US
executable
15.0 Mb
suspicious
2340
iexplore.exe
GET
200
151.139.128.14:80
http://ocsp.usertrust.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTNMNJMNDqCqx8FcBWK16EHdimS6QQUU3m%2FWqorSs9UgOHYm8Cd8rIDZssCEH1bUSa0droR23QWC7xTDac%3D
US
der
727 b
whitelisted
3072
chrome.exe
GET
302
172.217.16.142:80
http://redirector.gvt1.com/edgedl/chromewebstore/L2Nocm9tZV9leHRlbnNpb24vYmxvYnMvOTRmQUFXVHlhaGJaUTdMLWtCSkNJUl9ZQQ/1.0.0.5_nmmhkkegccagdldgiimedpiccmgmieda.crx
US
html
511 b
whitelisted
3072
chrome.exe
GET
302
172.217.16.142:80
http://redirector.gvt1.com/edgedl/chromewebstore/L2Nocm9tZV9leHRlbnNpb24vYmxvYnMvOWVmQUFXS041NV9ZVXlJVWwxbGc5TUM4dw/7519.422.0.3_pkedcjkdefgpdelpbcmbmeomcjbeemfm.crx
US
html
516 b
whitelisted
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
3072
chrome.exe
172.217.16.195:443
clientservices.googleapis.com
Google Inc.
US
whitelisted
3072
chrome.exe
216.58.205.227:443
www.gstatic.com
Google Inc.
US
whitelisted
3072
chrome.exe
172.217.16.142:443
ogs.google.com
Google Inc.
US
whitelisted
3072
chrome.exe
172.217.22.3:443
www.google.com.ua
Google Inc.
US
whitelisted
3072
chrome.exe
23.101.151.240:80
www.screenrecordings.com
Microsoft Corporation
US
suspicious
3072
chrome.exe
172.217.23.141:443
accounts.google.com
Google Inc.
US
whitelisted
3072
chrome.exe
216.58.206.14:443
apis.google.com
Google Inc.
US
whitelisted
3072
chrome.exe
172.217.22.100:443
www.google.com
Google Inc.
US
whitelisted
3072
chrome.exe
172.217.23.99:443
fonts.gstatic.com
Google Inc.
US
whitelisted
3072
chrome.exe
172.217.23.170:443
fonts.googleapis.com
Google Inc.
US
whitelisted

DNS requests

Domain
IP
Reputation
clientservices.googleapis.com
  • 172.217.16.195
  • 172.217.16.163
whitelisted
accounts.google.com
  • 172.217.23.141
shared
www.google.com.ua
  • 172.217.22.3
whitelisted
fonts.googleapis.com
  • 172.217.23.170
whitelisted
www.gstatic.com
  • 216.58.205.227
whitelisted
apis.google.com
  • 216.58.206.14
whitelisted
ogs.google.com
  • 172.217.16.142
whitelisted
fonts.gstatic.com
  • 172.217.23.99
whitelisted
www.screenrecordings.com
  • 23.101.151.240
unknown
www.google.com
  • 172.217.22.100
whitelisted

Threats

PID
Process
Class
Message
3072
chrome.exe
Potential Corporate Privacy Violation
POLICY [PTsecurity] Executable application_x-msi Download
Generic Protocol Command Decode
SURICATA IKEv2 weak cryptographic parameters (Encryption)
Generic Protocol Command Decode
SURICATA IKEv2 weak cryptographic parameters (PRF)
Generic Protocol Command Decode
SURICATA IKEv2 weak cryptographic parameters (PRF)
Generic Protocol Command Decode
SURICATA IKEv2 weak cryptographic parameters (Auth)
Generic Protocol Command Decode
SURICATA IKEv2 weak cryptographic parameters (Auth)
Generic Protocol Command Decode
SURICATA IKEv2 weak cryptographic parameters (Diffie-Hellman)
Generic Protocol Command Decode
SURICATA IKEv2 weak cryptographic parameters (Diffie-Hellman)
Generic Protocol Command Decode
SURICATA IKEv2 weak cryptographic parameters (Encryption)
Generic Protocol Command Decode
SURICATA IKEv2 weak cryptographic parameters (PRF)
Process
Message
Windscribe.exe
[{gmt_time} 0.063] [basic] App start time: "Fri Feb 21 19:22:27 2020"
Windscribe.exe
[{gmt_time} 0.063] [basic] OS Version: "Windows 7 Service Pack 1 (major: 6, minor: 1) (build: 7601)"
Windscribe.exe
[{gmt_time} 0.224] [basic] Gui user settings: ""
Windscribe.exe
[{gmt_time} 0.224] [basic] Gui settings: ""
Windscribe.exe
[{gmt_time} 0.896] [basic] Updated scaled hashes for LDPIs: ""
Windscribe.exe
[{gmt_time} 1.447] [basic] Gui internal settings: ""
Windscribe.exe
[{gmt_time} 1.456] [gui] Disabled Split Tunneling
Windscribe.exe
[{gmt_time} 1.463] [basic] Backend::init()
Windscribe.exe
[{gmt_time} 1.610] [basic] Backend::onProcessStarted()
Windscribe.exe
[{gmt_time} 1.610] [basic] MainWindowController::changeWindow: 1
Interactive malware hunting service ANY.RUN
© 2017-2024 ANY.RUN LLC. ALL RIGHTS RESERVED
ANY.RUN
Reports
Windscribe_2.0_beta.exe