analyze malware
  • Huge database of samples and IOCs
  • Custom VM setup
  • Unlimited submissions
  • Interactive approach
Sign up, it’s free
File name:

Windscribe_2.0_beta.exe

Full analysis: https://app.any.run/tasks/38f33b39-7a2a-4c97-85f4-0fa3f5b77d31
Verdict: Malicious activity
Analysis date: February 21, 2020, 20:45:41
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Indicators:
MIME: application/x-dosexec
File info: PE32 executable (GUI) Intel 80386, for MS Windows
MD5:

7218CDF313B7FD0B84F83E7A2ABD67C8

SHA1:

4548F29430E44FA03E7DEE4619D8DCD56E0A7B96

SHA256:

A800DEE98F1F3753175D5DD4FE197CE8C180A29E8051E4590F9DB953C4E360DF

SSDEEP:

196608:NEzAr9+pBAVVj3nI4dyL/v7EgS8CxB/Yn6goNr0pSwuMN/2k9+23JeMK:N6yo8VfkP3hCxmn6gK0ruMx9hPK

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    • Application was dropped or rewritten from another process

      • tapinstall.exe (PID: 2788)
      • subinacl.exe (PID: 3144)
      • bdcamsetup.exe (PID: 952)
      • bdcamsetup.exe (PID: 2844)
      • bdcam.exe (PID: 3904)
      • bdcam.exe (PID: 2716)
      • tapinstall.exe (PID: 3428)
      • BDMPEG1SETUP.EXE (PID: 2768)
      • Windscribe.exe (PID: 3012)
      • WindscribeEngine.exe (PID: 3276)
      • WindscribeLauncher.exe (PID: 576)
      • windscribeopenvpn_2_4_8.exe (PID: 3392)
      • windscribeopenvpn_2_5_0.exe (PID: 1848)
      • WindscribeService.exe (PID: 528)

    • Registers / Runs the DLL via REGSVR32.EXE

      • BDMPEG1SETUP.EXE (PID: 2768)

    • Loads dropped or rewritten executable

      • BDMPEG1SETUP.EXE (PID: 2768)
      • bdcam.exe (PID: 3904)
      • rundll32.exe (PID: 2748)
      • bdcamsetup.exe (PID: 2844)
      • bdcam.exe (PID: 2716)
      • WindscribeLauncher.exe (PID: 576)
      • WindscribeEngine.exe (PID: 3276)
      • windscribeopenvpn_2_4_8.exe (PID: 3392)
      • Windscribe.exe (PID: 3012)
      • windscribeopenvpn_2_5_0.exe (PID: 1848)
      • WerFault.exe (PID: 2316)

    • Changes settings of System certificates

      • bdcam.exe (PID: 2716)
      • tapinstall.exe (PID: 2788)

    • Changes the autorun value in the registry

      • Windscribe_2.0_beta.exe (PID: 2888)
      • Windscribe.exe (PID: 3012)

    • Writes to the hosts file

      • WindscribeService.exe (PID: 528)

  • SUSPICIOUS

    • Starts SC.EXE for service management

      • Windscribe_2.0_beta.exe (PID: 2888)

    • Creates or modifies windows services

      • Windscribe_2.0_beta.exe (PID: 2888)

    • Creates files in the program directory

      • Windscribe_2.0_beta.exe (PID: 2888)
      • BDMPEG1SETUP.EXE (PID: 2768)
      • bdcamsetup.exe (PID: 2844)
      • WindscribeService.exe (PID: 528)
      • WerFault.exe (PID: 2316)

    • Executable content was dropped or overwritten

      • Windscribe_2.0_beta.exe (PID: 2888)
      • tapinstall.exe (PID: 2788)
      • DrvInst.exe (PID: 2824)
      • chrome.exe (PID: 2288)
      • chrome.exe (PID: 3596)
      • BDMPEG1SETUP.EXE (PID: 2768)
      • bdcamsetup.exe (PID: 2844)
      • DrvInst.exe (PID: 3000)
      • tapinstall.exe (PID: 3428)
      • DrvInst.exe (PID: 1544)
      • DrvInst.exe (PID: 3464)

    • Executed as Windows Service

      • vssvc.exe (PID: 1504)
      • WindscribeService.exe (PID: 528)

    • Creates files in the Windows directory

      • DrvInst.exe (PID: 2824)
      • BDMPEG1SETUP.EXE (PID: 2768)
      • DrvInst.exe (PID: 3000)
      • DrvInst.exe (PID: 1544)
      • DrvInst.exe (PID: 3464)
      • Windscribe_2.0_beta.exe (PID: 2888)
      • WindscribeService.exe (PID: 528)
      • WerFault.exe (PID: 2316)

    • Uses RUNDLL32.EXE to load library

      • DrvInst.exe (PID: 2824)
      • bdcam.exe (PID: 3904)
      • DrvInst.exe (PID: 1544)

    • Executed via COM

      • DrvInst.exe (PID: 2824)
      • DrvInst.exe (PID: 3000)
      • DrvInst.exe (PID: 1544)
      • DrvInst.exe (PID: 3464)
      • DllHost.exe (PID: 2396)

    • Creates files in the driver directory

      • DrvInst.exe (PID: 2824)
      • DrvInst.exe (PID: 3000)
      • DrvInst.exe (PID: 1544)
      • DrvInst.exe (PID: 3464)
      • Windscribe_2.0_beta.exe (PID: 2888)
      • WindscribeService.exe (PID: 528)

    • Removes files from Windows directory

      • DrvInst.exe (PID: 2824)
      • DrvInst.exe (PID: 3000)
      • DrvInst.exe (PID: 1544)
      • DrvInst.exe (PID: 3464)
      • Windscribe_2.0_beta.exe (PID: 2888)
      • WerFault.exe (PID: 2316)

    • Modifies files in Chrome extension folder

      • chrome.exe (PID: 2288)

    • Creates COM task schedule object

      • BDMPEG1SETUP.EXE (PID: 2768)

    • Creates a software uninstall entry

      • BDMPEG1SETUP.EXE (PID: 2768)
      • bdcamsetup.exe (PID: 2844)
      • Windscribe_2.0_beta.exe (PID: 2888)

    • Modifies the open verb of a shell class

      • bdcam.exe (PID: 3904)

    • Changes IE settings (feature browser emulation)

      • bdcamsetup.exe (PID: 2844)

    • Starts Internet Explorer

      • bdcamsetup.exe (PID: 2844)
      • Windscribe.exe (PID: 3012)

    • Reads Internet Cache Settings

      • bdcamsetup.exe (PID: 2844)
      • bdcam.exe (PID: 2716)

    • Reads internet explorer settings

      • bdcam.exe (PID: 2716)

    • Adds / modifies Windows certificates

      • bdcam.exe (PID: 2716)
      • tapinstall.exe (PID: 2788)

    • Creates files in the user directory

      • bdcam.exe (PID: 2716)
      • WindscribeEngine.exe (PID: 3276)

    • Uses TASKKILL.EXE to kill process

      • WindscribeService.exe (PID: 528)

    • Uses WMIC.EXE to obtain a system information

      • WindscribeService.exe (PID: 528)

  • INFO

    • Manual execution by user

      • chrome.exe (PID: 2288)
      • WindscribeLauncher.exe (PID: 576)
      • chrome.exe (PID: 2744)

    • Reads settings of System Certificates

      • tapinstall.exe (PID: 2788)
      • chrome.exe (PID: 2288)
      • chrome.exe (PID: 3596)
      • iexplore.exe (PID: 3784)
      • bdcam.exe (PID: 2716)

    • Reads the hosts file

      • chrome.exe (PID: 2288)
      • chrome.exe (PID: 3596)
      • WindscribeEngine.exe (PID: 3276)
      • WindscribeService.exe (PID: 528)
      • chrome.exe (PID: 3164)
      • chrome.exe (PID: 2744)

    • Application launched itself

      • chrome.exe (PID: 2288)
      • iexplore.exe (PID: 2472)
      • iexplore.exe (PID: 3356)
      • chrome.exe (PID: 2744)

    • Searches for installed software

      • DrvInst.exe (PID: 2824)
      • DrvInst.exe (PID: 1544)

    • Low-level read access rights to disk partition

      • vssvc.exe (PID: 1504)

    • Reads Internet Cache Settings

      • chrome.exe (PID: 2288)
      • iexplore.exe (PID: 2472)
      • iexplore.exe (PID: 3784)
      • iexplore.exe (PID: 3356)
      • iexplore.exe (PID: 836)

    • Changes internet zones settings

      • iexplore.exe (PID: 2472)
      • iexplore.exe (PID: 3356)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.exe | Win64 Executable (generic) (64.6)
.dll | Win32 Dynamic Link Library (generic) (15.4)
.exe | Win32 Executable (generic) (10.5)
.exe | Generic Win/DOS Executable (4.6)
.exe | DOS Executable Generic (4.6)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 2020:02:21 00:53:26+01:00
PEType: PE32
LinkerVersion: 14.16
CodeSize: 381952
InitializedDataSize: 13909504
UninitializedDataSize: -
EntryPoint: 0x23b4b
OSVersion: 6
ImageVersion: -
SubsystemVersion: 6
Subsystem: Windows GUI
FileVersionNumber: 2.0.0.14
ProductVersionNumber: 2.0.0.14
FileFlagsMask: 0x003f
FileFlags: (none)
FileOS: Win32
ObjectFileType: Dynamic link library
FileSubtype: -
LanguageCode: English (U.S.)
CharacterSet: Unicode
CompanyName: Windscribe Limited
FileDescription: Windscribe Installer
FileVersion: 2.0.0.14
LegalCopyright: Copyright (C) 2019 Windscribe Limited
OriginalFileName: Windscribe.exe
ProductName: Windscribe
ProductVersion: 2.0.0.14

Summary

Architecture: IMAGE_FILE_MACHINE_I386
Subsystem: IMAGE_SUBSYSTEM_WINDOWS_GUI
Compilation Date: 20-Feb-2020 23:53:26
Detected languages:
  • English - United States
Debug artifacts:
  • C:\Work\client-desktop-installer\installer-release\installer.pdb
CompanyName: Windscribe Limited
FileDescription: Windscribe Installer
FileVersion: 2.0.0.14
LegalCopyright: Copyright (C) 2019 Windscribe Limited
OriginalFilename: Windscribe.exe
ProductName: Windscribe
ProductVersion: 2.0.0.14

DOS Header

Magic number: MZ
Bytes on last page of file: 0x0090
Pages in file: 0x0003
Relocations: 0x0000
Size of header: 0x0004
Min extra paragraphs: 0x0000
Max extra paragraphs: 0xFFFF
Initial SS value: 0x0000
Initial SP value: 0x00B8
Checksum: 0x0000
Initial IP value: 0x0000
Initial CS value: 0x0000
Overlay number: 0x0000
OEM identifier: 0x0000
OEM information: 0x0000
Address of NE header: 0x00000110

PE Headers

Signature: PE
Machine: IMAGE_FILE_MACHINE_I386
Number of sections: 5
Time date stamp: 20-Feb-2020 23:53:26
Pointer to Symbol Table: 0x00000000
Number of symbols: 0
Size of Optional Header: 0x00E0
Characteristics:
  • IMAGE_FILE_32BIT_MACHINE
  • IMAGE_FILE_EXECUTABLE_IMAGE

Sections

Name
Virtual Address
Virtual Size
Raw Size
Charateristics
Entropy
.text
0x00001000
0x0005D22D
0x0005D400
IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
6.70906
.rdata
0x0005F000
0x0001A084
0x0001A200
IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
5.59618
.data
0x0007A000
0x000059C0
0x00002400
IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
4.4877
.rsrc
0x00080000
0x00D1F428
0x00D1F600
IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
7.98994
.reloc
0x00DA0000
0x00004A14
0x00004C00
IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
6.61054

Resources

Title
Entropy
Size
Codepage
Language
Type
1
5.02293
559
UNKNOWN
English - United States
RT_MANIFEST
2
3.64946
67624
UNKNOWN
English - United States
RT_ICON
3
3.87618
16936
UNKNOWN
English - United States
RT_ICON
4
4.12656
9640
UNKNOWN
English - United States
RT_ICON
5
4.52198
4264
UNKNOWN
English - United States
RT_ICON
6
4.98123
1128
UNKNOWN
English - United States
RT_ICON
34465
2.79908
90
UNKNOWN
English - United States
RT_GROUP_ICON
34466
5.8429
107988
UNKNOWN
English - United States
BINARY
34467
5.86023
107732
UNKNOWN
English - United States
BINARY
BADGE_ICON
4.9052
1904
UNKNOWN
English - United States
RT_RCDATA

Imports

ADVAPI32.dll
GDI32.dll
KERNEL32.dll
OLEAUT32.dll
SETUPAPI.dll
SHELL32.dll
SHLWAPI.dll
USER32.dll
UxTheme.dll
dwmapi.dll
No data.
screenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
161
Monitored processes
89
Malicious processes
18
Suspicious processes
3

Behavior graph

Click at the process to see the details
drop and start drop and start drop and start start drop and start drop and start drop and start drop and start drop and start windscribe_2.0_beta.exe no specs windscribe_2.0_beta.exe sc.exe no specs sc.exe no specs subinacl.exe no specs tapinstall.exe chrome.exe chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs drvinst.exe rundll32.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs vssvc.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs bdcamsetup.exe no specs bdcamsetup.exe bdmpeg1setup.exe regsvr32.exe no specs chrome.exe no specs bdcam.exe no specs drvinst.exe rundll32.exe no specs chrome.exe no specs bdcam.exe iexplore.exe no specs tapinstall.exe iexplore.exe drvinst.exe rundll32.exe no specs Shell Security Editor no specs drvinst.exe runonce.exe no specs grpconv.exe no specs windscribelauncher.exe no specs windscribe.exe windscribeengine.exe windscribeopenvpn_2_4_8.exe no specs windscribeopenvpn_2_5_0.exe no specs windscribeservice.exe taskkill.exe no specs taskkill.exe no specs iexplore.exe no specs iexplore.exe wmic.exe no specs werfault.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs

Process information

PID
CMD
Path
Indicators
Parent process
2464"C:\Users\admin\Desktop\Windscribe_2.0_beta.exe" C:\Users\admin\Desktop\Windscribe_2.0_beta.exeexplorer.exe
User:
admin
Company:
Windscribe Limited
Integrity Level:
MEDIUM
Description:
Windscribe Installer
Exit code:
3221226540
Version:
2.0.0.14
2888"C:\Users\admin\Desktop\Windscribe_2.0_beta.exe" C:\Users\admin\Desktop\Windscribe_2.0_beta.exe
explorer.exe
User:
admin
Company:
Windscribe Limited
Integrity Level:
HIGH
Description:
Windscribe Installer
Exit code:
0
Version:
2.0.0.14
3488"sc" create WindscribeService binPath= "C:\Program Files\Windscribe\WindscribeService.exe" start= autoC:\Windows\system32\sc.exeWindscribe_2.0_beta.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
A tool to aid in developing services for WindowsNT
Exit code:
0
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
2288"sc" description WindscribeService "Manages the firewall and controls the VPN tunnel"C:\Windows\system32\sc.exeWindscribe_2.0_beta.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
A tool to aid in developing services for WindowsNT
Exit code:
0
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
3144"C:\Program Files\Windscribe\subinacl" /SERVICE WindscribeService /grant=S-1-5-11=STOC:\Program Files\Windscribe\subinacl.exeWindscribe_2.0_beta.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
SubInAcl
Exit code:
0
Version:
5.2.3790.1180
2788"C:\Program Files\Windscribe\tap\tapinstall.exe" install OemVista.inf tapwindscribe0901C:\Program Files\Windscribe\tap\tapinstall.exe
Windscribe_2.0_beta.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Windows Setup API
Exit code:
0
Version:
6.1.7600.16385 (win7_wdk.100208-1538)
2288"C:\Program Files\Google\Chrome\Application\chrome.exe" C:\Program Files\Google\Chrome\Application\chrome.exe
explorer.exe
User:
admin
Company:
Google LLC
Integrity Level:
MEDIUM
Description:
Google Chrome
Exit code:
3221225547
Version:
75.0.3770.100
3440"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win32 --annotation=prod=Chrome --annotation=ver=75.0.3770.100 --initial-client-data=0x7c,0x80,0x84,0x78,0x88,0x6ebaa9d0,0x6ebaa9e0,0x6ebaa9ecC:\Program Files\Google\Chrome\Application\chrome.exechrome.exe
User:
admin
Company:
Google LLC
Integrity Level:
MEDIUM
Description:
Google Chrome
Exit code:
0
Version:
75.0.3770.100
3448"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=watcher --main-thread-id=3232 --on-initialized-event-handle=324 --parent-handle=328 /prefetch:6C:\Program Files\Google\Chrome\Application\chrome.exechrome.exe
User:
admin
Company:
Google LLC
Integrity Level:
MEDIUM
Description:
Google Chrome
Exit code:
0
Version:
75.0.3770.100
820"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --field-trial-handle=1028,11141533465380226909,14711540684161579297,131072 --enable-features=PasswordImport --gpu-preferences=KAAAAAAAAADgAAAgAQAAAAAAAAAAAGAAAAAAAAAAAAAIAAAAAAAAACgAAAAEAAAAIAAAAAAAAAAoAAAAAAAAADAAAAAAAAAAOAAAAAAAAAAQAAAAAAAAAAAAAAAFAAAAEAAAAAAAAAAAAAAABgAAABAAAAAAAAAAAQAAAAUAAAAQAAAAAAAAAAEAAAAGAAAA --service-request-channel-token=10066061029132807267 --mojo-platform-channel-handle=1036 --ignored=" --type=renderer " /prefetch:2C:\Program Files\Google\Chrome\Application\chrome.exechrome.exe
User:
admin
Company:
Google LLC
Integrity Level:
LOW
Description:
Google Chrome
Exit code:
0
Version:
75.0.3770.100
Total events
7 539
Read events
4 163
Write events
0
Delete events
0

Modification events

No data
Executable files
120
Suspicious files
99
Text files
982
Unknown types
58

Dropped files

PID
Process
Filename
Type
2888Windscribe_2.0_beta.exeC:\Program Files\Windscribe\wintun\wintun.catcat
MD5:12FAFC9E9A774157ED17451900E91271
SHA256:82201C358D0C8F096409E76247CEC36B37EA52844C2A96A873FE552105E52DDE
2888Windscribe_2.0_beta.exeC:\Program Files\Windscribe\splittunnel\windscribesplittunnel.catcat
MD5:C35C54EFC45CEEE76769A7B1C57E8C8D
SHA256:D82D125F5C87DEEC263B1939463CB78BBEB7F6EE65E8A5B7E9C52B6F5EA5875A
2888Windscribe_2.0_beta.exeC:\Program Files\Windscribe\wintun\wintun.infbinary
MD5:751C58EF5E9FC2F95657C69EEF9CAD66
SHA256:0D027B050922E0D8A098020074FFEEFF8B487A2C93608D756487FA9200097BF0
2888Windscribe_2.0_beta.exeC:\Program Files\Windscribe\splittunnel\WindscribeSplitTunnel.infini
MD5:7AB8650946B8174A9088429E4D6D4808
SHA256:8A930E956D582FD6096994771F54D2846ED6B0ACE8C0CB1B33B280BD1E223B75
2888Windscribe_2.0_beta.exeC:\Program Files\Windscribe\tap\tapwindscribe0901.catcat
MD5:4061C3E87FBD50D8E26A456D661BA3C0
SHA256:571F31845D1259A672F4EC9DF57DC76D38D79CA0457DE4B3B75F6B7C7AED3B5C
2888Windscribe_2.0_beta.exeC:\Program Files\Windscribe\api-ms-win-core-errorhandling-l1-1-0.dllexecutable
MD5:A960E117840ACB5FF1D2DCFBBE574E21
SHA256:5695695176A80A3E7F9EAC80BB3D92DF1A5592BE42B939B14087A3A6AE6EFADF
2888Windscribe_2.0_beta.exeC:\Program Files\Windscribe\api-ms-win-core-datetime-l1-1-0.dllexecutable
MD5:72F8626388893A536D0EE370ACC9E456
SHA256:5C9D7085295DAE9A9B2D3A9C66D99D0061D0BA14F218B95E95E8B01BB7204C87
2888Windscribe_2.0_beta.exeC:\Program Files\Windscribe\api-ms-win-core-debug-l1-1-0.dllexecutable
MD5:5BF7AAFD1E8AB7B806DBA539A0B33474
SHA256:D9100E99B2B915623294E18377D162AFE9FD354BF0C4A7208F1270721714A553
2888Windscribe_2.0_beta.exeC:\Program Files\Windscribe\api-ms-win-core-localization-l1-2-0.dllexecutable
MD5:2A3DA8E1CD09ACA0FC13BE43848C7695
SHA256:C3F671D3B41FFFA444A33F79C0E65DF7CA01E56598E4B2F90E7AF18C77B97652
2888Windscribe_2.0_beta.exeC:\Program Files\Windscribe\tap\OemVista.infbinary
MD5:B830F755018F844DE3BA42EAE5150F6E
SHA256:145AF2483D5322AFF169A91D6EBBB4E504CDE5DFB846C960D051A98596B237EF
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
10
TCP/UDP connections
183
DNS requests
40
Threats
0

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
3596
chrome.exe
GET
301
104.20.150.33:80
http://c.statcounter.com/3541212/0/872cdcc5/1/
US
whitelisted
3596
chrome.exe
GET
200
87.245.200.147:80
http://r8---sn-gxuog0-n8vl.gvt1.com/edgedl/chromewebstore/L2Nocm9tZV9leHRlbnNpb24vYmxvYnMvOTRmQUFXVHlhaGJaUTdMLWtCSkNJUl9ZQQ/1.0.0.5_nmmhkkegccagdldgiimedpiccmgmieda.crx?cms_redirect=yes&mip=85.206.166.82&mm=28&mn=sn-gxuog0-n8vl&ms=nvh&mt=1582317913&mv=m&mvi=7&pl=23&shardbypass=yes
RU
crx
293 Kb
whitelisted
2716
bdcam.exe
GET
200
151.101.2.133:80
http://ocsp.globalsign.com/rootr1/ME8wTTBLMEkwRzAJBgUrDgMCGgUABBS3V7W2nAf4FiMTjpDJKg6%2BMgGqMQQUYHtmGkUNl8qJUC99BM00qP%2F8%2FUsCDkbwjNvPLFRm7zMB3V80
US
der
1.49 Kb
whitelisted
2716
bdcam.exe
GET
200
216.58.207.67:80
http://ocsp.pki.goog/gts1o1/MFIwUDBOMEwwSjAJBgUrDgMCGgUABBRCRjDCJxnb3nDwj%2Fxz5aZfZjgXvAQUmNH4bhDrz5vsYJ8YkBug630J%2FSsCEQCgdZM8AVzzKAgAAAAALnDU
US
der
472 b
whitelisted
2716
bdcam.exe
GET
200
216.58.207.67:80
http://ocsp.pki.goog/gsr2/ME4wTDBKMEgwRjAJBgUrDgMCGgUABBTgXIsxbvr2lBkPpoIEVRE6gHlCnAQUm%2BIHV2ccHsBqBt5ZtJot39wZhi4CDQHjtJqhjYqpgSVpULg%3D
US
der
468 b
whitelisted
3596
chrome.exe
GET
301
144.76.226.41:80
http://www.filedropper.com/
DE
html
236 b
suspicious
3596
chrome.exe
GET
302
216.58.207.78:80
http://redirector.gvt1.com/edgedl/chromewebstore/L2Nocm9tZV9leHRlbnNpb24vYmxvYnMvOTRmQUFXVHlhaGJaUTdMLWtCSkNJUl9ZQQ/1.0.0.5_nmmhkkegccagdldgiimedpiccmgmieda.crx
US
html
515 b
whitelisted
2716
bdcam.exe
GET
200
151.101.2.133:80
http://ocsp.globalsign.com/rootr1/ME8wTTBLMEkwRzAJBgUrDgMCGgUABBS3V7W2nAf4FiMTjpDJKg6%2BMgGqMQQUYHtmGkUNl8qJUC99BM00qP%2F8%2FUsCDkbwjNvPLFRm7zMB3V80
US
der
1.49 Kb
whitelisted
3596
chrome.exe
GET
302
216.58.207.78:80
http://redirector.gvt1.com/edgedl/chromewebstore/L2Nocm9tZV9leHRlbnNpb24vYmxvYnMvOWVmQUFXS041NV9ZVXlJVWwxbGc5TUM4dw/7519.422.0.3_pkedcjkdefgpdelpbcmbmeomcjbeemfm.crx
US
html
536 b
whitelisted
3596
chrome.exe
GET
200
87.245.200.144:80
http://r5---sn-gxuog0-n8vl.gvt1.com/edgedl/chromewebstore/L2Nocm9tZV9leHRlbnNpb24vYmxvYnMvOWVmQUFXS041NV9ZVXlJVWwxbGc5TUM4dw/7519.422.0.3_pkedcjkdefgpdelpbcmbmeomcjbeemfm.crx?cms_redirect=yes&mip=85.206.166.82&mm=28&mn=sn-gxuog0-n8vl&ms=nvh&mt=1582317913&mv=m&mvi=4&pcm2cms=yes&pl=23&shardbypass=yes
RU
crx
862 Kb
whitelisted
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
3596
chrome.exe
172.217.16.196:443
www.google.com
Google Inc.
US
whitelisted
3596
chrome.exe
172.217.22.35:443
www.google.com.ua
Google Inc.
US
whitelisted
3596
chrome.exe
216.58.208.35:443
clientservices.googleapis.com
Google Inc.
US
whitelisted
3596
chrome.exe
172.217.18.3:443
fonts.gstatic.com
Google Inc.
US
whitelisted
3596
chrome.exe
172.217.18.99:443
www.google.lt
Google Inc.
US
whitelisted
3596
chrome.exe
172.217.22.109:443
accounts.google.com
Google Inc.
US
whitelisted
3596
chrome.exe
172.217.22.42:443
fonts.googleapis.com
Google Inc.
US
whitelisted
3596
chrome.exe
216.58.210.14:443
apis.google.com
Google Inc.
US
whitelisted
3596
chrome.exe
172.217.22.99:443
www.gstatic.com
Google Inc.
US
whitelisted
3596
chrome.exe
143.204.202.68:443
dl.bandicam.com
US
malicious

DNS requests

Domain
IP
Reputation
clientservices.googleapis.com
  • 216.58.208.35
whitelisted
accounts.google.com
  • 172.217.22.109
shared
www.google.com.ua
  • 172.217.22.35
whitelisted
dl.bandicam.com
  • 143.204.202.68
  • 143.204.202.93
  • 143.204.202.41
  • 143.204.202.19
whitelisted
www.google.com
  • 172.217.16.196
  • 172.217.16.132
whitelisted
www.google.lt
  • 172.217.18.99
whitelisted
fonts.googleapis.com
  • 172.217.22.42
whitelisted
www.gstatic.com
  • 172.217.22.99
whitelisted
fonts.gstatic.com
  • 172.217.18.3
whitelisted
ssl.gstatic.com
  • 172.217.22.99
whitelisted

Threats

PID
Process
Class
Message
Generic Protocol Command Decode
SURICATA IKEv2 weak cryptographic parameters (Encryption)
Generic Protocol Command Decode
SURICATA IKEv2 weak cryptographic parameters (PRF)
Generic Protocol Command Decode
SURICATA IKEv2 weak cryptographic parameters (PRF)
Generic Protocol Command Decode
SURICATA IKEv2 weak cryptographic parameters (Auth)
Generic Protocol Command Decode
SURICATA IKEv2 weak cryptographic parameters (Auth)
Generic Protocol Command Decode
SURICATA IKEv2 weak cryptographic parameters (Diffie-Hellman)
Generic Protocol Command Decode
SURICATA IKEv2 weak cryptographic parameters (Diffie-Hellman)
Generic Protocol Command Decode
SURICATA IKEv2 weak cryptographic parameters (Encryption)
Generic Protocol Command Decode
SURICATA IKEv2 weak cryptographic parameters (Encryption)
Generic Protocol Command Decode
SURICATA IKEv2 weak cryptographic parameters (PRF)
Process
Message
Windscribe.exe
[{gmt_time} 0.137] [basic] App start time: "Fri Feb 21 20:48:41 2020"
Windscribe.exe
[{gmt_time} 0.137] [basic] OS Version: "Windows 7 Service Pack 1 (major: 6, minor: 1) (build: 7601)"
Windscribe.exe
[{gmt_time} 0.431] [basic] Gui user settings: ""
Windscribe.exe
[{gmt_time} 0.432] [basic] Gui settings: ""
Windscribe.exe
[{gmt_time} 1.198] [basic] Updated scaled hashes for LDPIs: ""
Windscribe.exe
[{gmt_time} 2.098] [basic] Gui internal settings: ""
Windscribe.exe
[{gmt_time} 2.114] [gui] Disabled Split Tunneling
Windscribe.exe
[{gmt_time} 2.132] [basic] Backend::init()
Windscribe.exe
[{gmt_time} 3.824] [basic] Backend::onProcessStarted()
Windscribe.exe
[{gmt_time} 3.824] [basic] MainWindowController::changeWindow: 1
Interactive malware hunting service ANY.RUN
© 2017-2024 ANY.RUN LLC. ALL RIGHTS RESERVED
ANY.RUN
Reports
Windscribe_2.0_beta.exe