Malware analysis https://www.mediafire.com/file/9sihbq7so7lwja8/Betternet_VPN_Premium_v8.8.1.1322_Full_Activated_-_WwW.Dr-FarFar.CoM.zip/file Malicious activity

Add for printing

URL:	https://www.mediafire.com/file/9sihbq7so7lwja8/Betternet_VPN_Premium_v8.8.1.1322_Full_Activated_-_WwW.Dr-FarFar.CoM.zip/file
Full analysis:	https://app.any.run/tasks/c588462f-324a-4c43-a806-18e3d5434ac7
Verdict:	Malicious activity
Threats:	A loader is malicious software that infiltrates devices to deliver malicious payloads. This malware is capable of infecting victims’ computers, analyzing their system information, and installing other types of threats, such as trojans or stealers. Criminals usually deliver loaders through phishing emails and links by relying on social engineering to trick users into downloading and running their executables. Loaders employ advanced evasion and persistence tactics to avoid detection. Malware Trends Tracker >>>
Analysis date:	February 16, 2024, 00:11:38
OS:	Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags:	loader
Indicators:
MD5:	937088D7135C786836069AA09C87F9B1
SHA1:	F9BB40A0CCFB05787918C9E04E902972FE98F0FD
SHA256:	23C8B9568DA1A4D17DA07F510AEA5A545CB2B8456AFC87EAC79D23892DF8C8DD
SSDEEP:	3:N8DSLw3eGUocqlKtAwb0YUXAIRzTkX6UPGRS4kGySYhXe4R:2OLw3eGnlKtAwb0fzTkoo4kIY9R

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

Launch configuration

Task duration:: 300 seconds
Heavy Evasion option:
Network geolocation:: off
Additional time used:: 240 seconds
MITM proxy:: off
Privacy:: Public submission
Fakenet option:: off
Route via Tor:: off
Autoconfirmation of UAC:: on
Network:: on

Software preset

Internet Explorer 11.0.9600.19596 KB4534251
Adobe Acrobat Reader DC (20.013.20064)
Adobe Acrobat Reader DC (20.013.20064)
Adobe Flash Player 32 ActiveX (32.0.0.453)
Adobe Flash Player 32 ActiveX (32.0.0.453)
Adobe Flash Player 32 NPAPI (32.0.0.453)
Adobe Flash Player 32 NPAPI (32.0.0.453)
Adobe Flash Player 32 PPAPI (32.0.0.453)
Adobe Flash Player 32 PPAPI (32.0.0.453)
Adobe Refresh Manager (1.8.0)
Adobe Refresh Manager (1.8.0)
CCleaner (6.14)
CCleaner (6.14)
FileZilla 3.65.0 (3.65.0)
FileZilla 3.65.0 (3.65.0)
Google Chrome (109.0.5414.120)
Google Chrome (109.0.5414.120)
Google Update Helper (1.3.36.31)
Google Update Helper (1.3.36.31)
Java 8 Update 271 (8.0.2710.9)
Java 8 Update 271 (8.0.2710.9)
Java Auto Updater (2.8.271.9)
Java Auto Updater (2.8.271.9)
Microsoft .NET Framework 4.8 (4.8.03761)
Microsoft .NET Framework 4.8 (4.8.03761)
Microsoft .NET Framework 4.8 (4.8.03761)
Microsoft .NET Framework 4.8 (4.8.03761)
Microsoft Edge (109.0.1518.115)
Microsoft Edge (109.0.1518.115)
Microsoft Edge Update (1.3.175.29)
Microsoft Edge Update (1.3.175.29)
Microsoft Office Access MUI (English) 2010 (14.0.6029.1000)
Microsoft Office Access MUI (English) 2010 (14.0.6029.1000)
Microsoft Office Access MUI (French) 2010 (14.0.4763.1000)
Microsoft Office Access MUI (French) 2010 (14.0.4763.1000)
Microsoft Office Access MUI (German) 2010 (14.0.4763.1000)
Microsoft Office Access MUI (German) 2010 (14.0.4763.1000)
Microsoft Office Access MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office Access MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office Access MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office Access MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office Access MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office Access MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office Access MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office Access MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office Access MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office Access MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office Access MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office Access MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office Access MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office Access MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office Access Setup Metadata MUI (English) 2010 (14.0.6029.1000)
Microsoft Office Access Setup Metadata MUI (English) 2010 (14.0.6029.1000)
Microsoft Office Excel MUI (English) 2010 (14.0.6029.1000)
Microsoft Office Excel MUI (English) 2010 (14.0.6029.1000)
Microsoft Office Excel MUI (French) 2010 (14.0.4763.1000)
Microsoft Office Excel MUI (French) 2010 (14.0.4763.1000)
Microsoft Office Excel MUI (German) 2010 (14.0.4763.1000)
Microsoft Office Excel MUI (German) 2010 (14.0.4763.1000)
Microsoft Office Excel MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office Excel MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office Excel MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office Excel MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office Excel MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office Excel MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office Excel MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office Excel MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office Excel MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office Excel MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office Excel MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office Excel MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office Excel MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office Excel MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office Groove MUI (French) 2010 (14.0.4763.1000)
Microsoft Office Groove MUI (French) 2010 (14.0.4763.1000)
Microsoft Office Groove MUI (German) 2010 (14.0.4763.1000)
Microsoft Office Groove MUI (German) 2010 (14.0.4763.1000)
Microsoft Office Groove MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office Groove MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office Groove MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office Groove MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office Groove MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office Groove MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office Groove MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office Groove MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office Groove MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office Groove MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office Groove MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office Groove MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office Groove MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office Groove MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office IME (Japanese) 2010 (14.0.4763.1000)
Microsoft Office IME (Japanese) 2010 (14.0.4763.1000)
Microsoft Office IME (Korean) 2010 (14.0.4763.1000)
Microsoft Office IME (Korean) 2010 (14.0.4763.1000)
Microsoft Office InfoPath MUI (French) 2010 (14.0.4763.1000)
Microsoft Office InfoPath MUI (French) 2010 (14.0.4763.1000)
Microsoft Office InfoPath MUI (German) 2010 (14.0.4763.1000)
Microsoft Office InfoPath MUI (German) 2010 (14.0.4763.1000)
Microsoft Office InfoPath MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office InfoPath MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office InfoPath MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office InfoPath MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office InfoPath MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office InfoPath MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office InfoPath MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office InfoPath MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office InfoPath MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office InfoPath MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office InfoPath MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office InfoPath MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office InfoPath MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office InfoPath MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office Language Pack 2010 - French/Français (14.0.4763.1000)
Microsoft Office Language Pack 2010 - French/Français (14.0.4763.1000)
Microsoft Office Language Pack 2010 - German/Deutsch (14.0.4763.1000)
Microsoft Office Language Pack 2010 - German/Deutsch (14.0.4763.1000)
Microsoft Office Language Pack 2010 - Italian/Italiano (14.0.4763.1000)
Microsoft Office Language Pack 2010 - Italian/Italiano (14.0.4763.1000)
Microsoft Office Language Pack 2010 - Japanese/日本語 (14.0.4763.1000)
Microsoft Office Language Pack 2010 - Japanese/日本語 (14.0.4763.1000)
Microsoft Office Language Pack 2010 - Korean/한국어 (14.0.4763.1000)
Microsoft Office Language Pack 2010 - Korean/한국어 (14.0.4763.1000)
Microsoft Office Language Pack 2010 - Portuguese/Português (Brasil) (14.0.4763.1000)
Microsoft Office Language Pack 2010 - Portuguese/Português (Brasil) (14.0.4763.1000)
Microsoft Office Language Pack 2010 - Russian/русский (14.0.4763.1000)
Microsoft Office Language Pack 2010 - Russian/русский (14.0.4763.1000)
Microsoft Office Language Pack 2010 - Spanish/Español (14.0.4763.1000)
Microsoft Office Language Pack 2010 - Spanish/Español (14.0.4763.1000)
Microsoft Office Language Pack 2010 - Turkish/Türkçe (14.0.4763.1013)
Microsoft Office Language Pack 2010 - Turkish/Türkçe (14.0.4763.1013)
Microsoft Office O MUI (French) 2010 (14.0.4763.1000)
Microsoft Office O MUI (French) 2010 (14.0.4763.1000)
Microsoft Office O MUI (German) 2010 (14.0.4763.1000)
Microsoft Office O MUI (German) 2010 (14.0.4763.1000)
Microsoft Office O MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office O MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office O MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office O MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office O MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office O MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office O MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office O MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office O MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office O MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office O MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office O MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office O MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office O MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office OneNote MUI (English) 2010 (14.0.6029.1000)
Microsoft Office OneNote MUI (English) 2010 (14.0.6029.1000)
Microsoft Office OneNote MUI (French) 2010 (14.0.4763.1000)
Microsoft Office OneNote MUI (French) 2010 (14.0.4763.1000)
Microsoft Office OneNote MUI (German) 2010 (14.0.4763.1000)
Microsoft Office OneNote MUI (German) 2010 (14.0.4763.1000)
Microsoft Office OneNote MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office OneNote MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office OneNote MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office OneNote MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office OneNote MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office OneNote MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office OneNote MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office OneNote MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office OneNote MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office OneNote MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office OneNote MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office OneNote MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office OneNote MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office OneNote MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office Outlook MUI (English) 2010 (14.0.6029.1000)
Microsoft Office Outlook MUI (English) 2010 (14.0.6029.1000)
Microsoft Office Outlook MUI (French) 2010 (14.0.4763.1000)
Microsoft Office Outlook MUI (French) 2010 (14.0.4763.1000)
Microsoft Office Outlook MUI (German) 2010 (14.0.4763.1000)
Microsoft Office Outlook MUI (German) 2010 (14.0.4763.1000)
Microsoft Office Outlook MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office Outlook MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office Outlook MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office Outlook MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office Outlook MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office Outlook MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office Outlook MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office Outlook MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office Outlook MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office Outlook MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office Outlook MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office Outlook MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office Outlook MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office Outlook MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office PowerPoint MUI (English) 2010 (14.0.6029.1000)
Microsoft Office PowerPoint MUI (English) 2010 (14.0.6029.1000)
Microsoft Office PowerPoint MUI (French) 2010 (14.0.4763.1000)
Microsoft Office PowerPoint MUI (French) 2010 (14.0.4763.1000)
Microsoft Office PowerPoint MUI (German) 2010 (14.0.4763.1000)
Microsoft Office PowerPoint MUI (German) 2010 (14.0.4763.1000)
Microsoft Office PowerPoint MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office PowerPoint MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office PowerPoint MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office PowerPoint MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office PowerPoint MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office PowerPoint MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office PowerPoint MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office PowerPoint MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office PowerPoint MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office PowerPoint MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office PowerPoint MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office PowerPoint MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office PowerPoint MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office PowerPoint MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office Professional 2010 (14.0.6029.1000)
Microsoft Office Professional 2010 (14.0.6029.1000)
Microsoft Office Proof (Arabic) 2010 (14.0.4763.1000)
Microsoft Office Proof (Arabic) 2010 (14.0.4763.1000)
Microsoft Office Proof (Basque) 2010 (14.0.4763.1000)
Microsoft Office Proof (Basque) 2010 (14.0.4763.1000)
Microsoft Office Proof (Catalan) 2010 (14.0.4763.1000)
Microsoft Office Proof (Catalan) 2010 (14.0.4763.1000)
Microsoft Office Proof (Dutch) 2010 (14.0.4763.1000)
Microsoft Office Proof (Dutch) 2010 (14.0.4763.1000)
Microsoft Office Proof (English) 2010 (14.0.6029.1000)
Microsoft Office Proof (English) 2010 (14.0.6029.1000)
Microsoft Office Proof (French) 2010 (14.0.6029.1000)
Microsoft Office Proof (French) 2010 (14.0.6029.1000)
Microsoft Office Proof (Galician) 2010 (14.0.4763.1000)
Microsoft Office Proof (Galician) 2010 (14.0.4763.1000)
Microsoft Office Proof (German) 2010 (14.0.4763.1000)
Microsoft Office Proof (German) 2010 (14.0.4763.1000)
Microsoft Office Proof (Italian) 2010 (14.0.4763.1000)
Microsoft Office Proof (Italian) 2010 (14.0.4763.1000)
Microsoft Office Proof (Japanese) 2010 (14.0.4763.1000)
Microsoft Office Proof (Japanese) 2010 (14.0.4763.1000)
Microsoft Office Proof (Korean) 2010 (14.0.4763.1000)
Microsoft Office Proof (Korean) 2010 (14.0.4763.1000)
Microsoft Office Proof (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office Proof (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office Proof (Russian) 2010 (14.0.4763.1000)
Microsoft Office Proof (Russian) 2010 (14.0.4763.1000)
Microsoft Office Proof (Spanish) 2010 (14.0.6029.1000)
Microsoft Office Proof (Spanish) 2010 (14.0.6029.1000)
Microsoft Office Proof (Turkish) 2010 (14.0.4763.1013)
Microsoft Office Proof (Turkish) 2010 (14.0.4763.1013)
Microsoft Office Proof (Ukrainian) 2010 (14.0.4763.1000)
Microsoft Office Proof (Ukrainian) 2010 (14.0.4763.1000)
Microsoft Office Proofing (English) 2010 (14.0.6029.1000)
Microsoft Office Proofing (English) 2010 (14.0.6029.1000)
Microsoft Office Proofing (French) 2010 (14.0.4763.1000)
Microsoft Office Proofing (French) 2010 (14.0.4763.1000)
Microsoft Office Proofing (German) 2010 (14.0.4763.1000)
Microsoft Office Proofing (German) 2010 (14.0.4763.1000)
Microsoft Office Proofing (Italian) 2010 (14.0.4763.1000)
Microsoft Office Proofing (Italian) 2010 (14.0.4763.1000)
Microsoft Office Proofing (Japanese) 2010 (14.0.4763.1000)
Microsoft Office Proofing (Japanese) 2010 (14.0.4763.1000)
Microsoft Office Proofing (Korean) 2010 (14.0.4763.1000)
Microsoft Office Proofing (Korean) 2010 (14.0.4763.1000)
Microsoft Office Proofing (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office Proofing (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office Proofing (Russian) 2010 (14.0.4763.1000)
Microsoft Office Proofing (Russian) 2010 (14.0.4763.1000)
Microsoft Office Proofing (Spanish) 2010 (14.0.4763.1000)
Microsoft Office Proofing (Spanish) 2010 (14.0.4763.1000)
Microsoft Office Proofing (Turkish) 2010 (14.0.4763.1013)
Microsoft Office Proofing (Turkish) 2010 (14.0.4763.1013)
Microsoft Office Publisher MUI (English) 2010 (14.0.6029.1000)
Microsoft Office Publisher MUI (English) 2010 (14.0.6029.1000)
Microsoft Office Publisher MUI (French) 2010 (14.0.4763.1000)
Microsoft Office Publisher MUI (French) 2010 (14.0.4763.1000)
Microsoft Office Publisher MUI (German) 2010 (14.0.4763.1000)
Microsoft Office Publisher MUI (German) 2010 (14.0.4763.1000)
Microsoft Office Publisher MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office Publisher MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office Publisher MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office Publisher MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office Publisher MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office Publisher MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office Publisher MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office Publisher MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office Publisher MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office Publisher MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office Publisher MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office Publisher MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office Publisher MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office Publisher MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office SharePoint Designer MUI (French) 2010 (14.0.4763.1000)
Microsoft Office SharePoint Designer MUI (French) 2010 (14.0.4763.1000)
Microsoft Office SharePoint Designer MUI (German) 2010 (14.0.4763.1000)
Microsoft Office SharePoint Designer MUI (German) 2010 (14.0.4763.1000)
Microsoft Office SharePoint Designer MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office SharePoint Designer MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office SharePoint Designer MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office SharePoint Designer MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office SharePoint Designer MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office SharePoint Designer MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office SharePoint Designer MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office SharePoint Designer MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office SharePoint Designer MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office SharePoint Designer MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office SharePoint Designer MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office SharePoint Designer MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office SharePoint Designer MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office SharePoint Designer MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office Shared MUI (English) 2010 (14.0.6029.1000)
Microsoft Office Shared MUI (English) 2010 (14.0.6029.1000)
Microsoft Office Shared MUI (French) 2010 (14.0.4763.1000)
Microsoft Office Shared MUI (French) 2010 (14.0.4763.1000)
Microsoft Office Shared MUI (German) 2010 (14.0.4763.1000)
Microsoft Office Shared MUI (German) 2010 (14.0.4763.1000)
Microsoft Office Shared MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office Shared MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office Shared MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office Shared MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office Shared MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office Shared MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office Shared MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office Shared MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office Shared MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office Shared MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office Shared MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office Shared MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office Shared MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office Shared MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office Shared Setup Metadata MUI (English) 2010 (14.0.6029.1000)
Microsoft Office Shared Setup Metadata MUI (English) 2010 (14.0.6029.1000)
Microsoft Office Single Image 2010 (14.0.6029.1000)
Microsoft Office Single Image 2010 (14.0.6029.1000)
Microsoft Office Word MUI (English) 2010 (14.0.6029.1000)
Microsoft Office Word MUI (English) 2010 (14.0.6029.1000)
Microsoft Office Word MUI (French) 2010 (14.0.4763.1000)
Microsoft Office Word MUI (French) 2010 (14.0.4763.1000)
Microsoft Office Word MUI (German) 2010 (14.0.4763.1000)
Microsoft Office Word MUI (German) 2010 (14.0.4763.1000)
Microsoft Office Word MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office Word MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office Word MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office Word MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office Word MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office Word MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office Word MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office Word MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office Word MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office Word MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office Word MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office Word MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office Word MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office Word MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office X MUI (French) 2010 (14.0.4763.1000)
Microsoft Office X MUI (French) 2010 (14.0.4763.1000)
Microsoft Office X MUI (German) 2010 (14.0.4763.1000)
Microsoft Office X MUI (German) 2010 (14.0.4763.1000)
Microsoft Office X MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office X MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office X MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office X MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office X MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office X MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office X MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office X MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office X MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office X MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office X MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office X MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office X MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office X MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161 (9.0.30729.6161)
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161 (9.0.30729.6161)
Microsoft Visual C++ 2010 x86 Redistributable - 10.0.40219 (10.0.40219)
Microsoft Visual C++ 2010 x86 Redistributable - 10.0.40219 (10.0.40219)
Microsoft Visual C++ 2013 Redistributable (x86) - 12.0.30501 (12.0.30501.0)
Microsoft Visual C++ 2013 Redistributable (x86) - 12.0.30501 (12.0.30501.0)
Microsoft Visual C++ 2013 x86 Additional Runtime - 12.0.21005 (12.0.21005)
Microsoft Visual C++ 2013 x86 Additional Runtime - 12.0.21005 (12.0.21005)
Microsoft Visual C++ 2013 x86 Minimum Runtime - 12.0.21005 (12.0.21005)
Microsoft Visual C++ 2013 x86 Minimum Runtime - 12.0.21005 (12.0.21005)
Microsoft Visual C++ 2015-2022 Redistributable (x86) - 14.36.32532 (14.36.32532.0)
Microsoft Visual C++ 2015-2022 Redistributable (x86) - 14.36.32532 (14.36.32532.0)
Microsoft Visual C++ 2022 X86 Additional Runtime - 14.36.32532 (14.36.32532)
Microsoft Visual C++ 2022 X86 Additional Runtime - 14.36.32532 (14.36.32532)
Microsoft Visual C++ 2022 X86 Minimum Runtime - 14.36.32532 (14.36.32532)
Microsoft Visual C++ 2022 X86 Minimum Runtime - 14.36.32532 (14.36.32532)
Mozilla Firefox (x86 en-US) (115.0.2)
Mozilla Firefox (x86 en-US) (115.0.2)
Mozilla Maintenance Service (115.0.2)
Mozilla Maintenance Service (115.0.2)
Notepad++ (32-bit x86) (7.9.1)
Notepad++ (32-bit x86) (7.9.1)
PowerShell 7-x86 (7.2.11.0)
PowerShell 7-x86 (7.2.11.0)
Skype version 8.110 (8.110)
Skype version 8.110 (8.110)
Update for Microsoft .NET Framework 4.8 (KB4503575) (1)
Update for Microsoft .NET Framework 4.8 (KB4503575) (1)
VLC media player (3.0.11)
VLC media player (3.0.11)
WinRAR 5.91 (32-bit) (5.91.0)
WinRAR 5.91 (32-bit) (5.91.0)

Add for printing

MALICIOUS
- Drops the executable file immediately after the start
  - Betternet VPN Premium v8.8.1.1322.exe (PID: 1036)
  - tapinstall.exe (PID: 1808)
  - drvinst.exe (PID: 2728)
  - drvinst.exe (PID: 2260)
  - MicrosoftEdge_X86_109.0.1518.140.exe (PID: 1548)
  - setup.exe (PID: 2528)
  - BetternetSvc.exe (PID: 2244)
  - Betternet VPN Premium Activation Tool.exe (PID: 2808)
- Creates a writable file in the system directory
  - drvinst.exe (PID: 2728)
  - drvinst.exe (PID: 2260)
  - MicrosoftEdgeUpdate.exe (PID: 3200)
  - BetternetSvc.exe (PID: 2244)
- Changes the autorun value in the registry
  - drvinst.exe (PID: 2260)
- Scans artifacts that could help determine the target
  - msedgewebview2.exe (PID: 1336)
- The DLL Hijacking
  - msedgewebview2.exe (PID: 1572)
  - msedgewebview2.exe (PID: 2648)
SUSPICIOUS
- Malware-specific behavior (creating "System.dll" in Temp)
  - Betternet VPN Premium v8.8.1.1322.exe (PID: 1036)
- Executable content was dropped or overwritten
  - Betternet VPN Premium v8.8.1.1322.exe (PID: 1036)
  - tapinstall.exe (PID: 1808)
  - drvinst.exe (PID: 2728)
  - drvinst.exe (PID: 2260)
  - MicrosoftEdge_X86_109.0.1518.140.exe (PID: 1548)
  - setup.exe (PID: 2528)
  - BetternetSvc.exe (PID: 2244)
  - Betternet VPN Premium Activation Tool.exe (PID: 2808)
- The process creates files with name similar to system file names
  - Betternet VPN Premium v8.8.1.1322.exe (PID: 1036)
- Executes as Windows Service
  - VSSVC.exe (PID: 2448)
  - MicrosoftEdgeUpdate.exe (PID: 3096)
  - BetternetSvc.exe (PID: 2244)
- Checks Windows Trust Settings
  - tapinstall.exe (PID: 1808)
  - drvinst.exe (PID: 2728)
  - drvinst.exe (PID: 2260)
  - MicrosoftEdgeUpdate.exe (PID: 3200)
  - MicrosoftEdgeUpdate.exe (PID: 3096)
  - MicrosoftEdgeUpdate.exe (PID: 1624)
  - BetternetSvc.exe (PID: 2244)
- Drops a system driver (possible attempt to evade defenses)
  - tapinstall.exe (PID: 1808)
  - drvinst.exe (PID: 2728)
  - drvinst.exe (PID: 2260)
- Creates files in the driver directory
  - drvinst.exe (PID: 2728)
  - drvinst.exe (PID: 2260)
- Starts a Microsoft application from unusual location
  - MicrosoftEdgeUpdate.exe (PID: 1928)
- Disables SEHOP
  - MicrosoftEdgeUpdate.exe (PID: 1928)
- Starts itself from another location
  - MicrosoftEdgeUpdate.exe (PID: 1928)
- Process drops legitimate windows executable
  - MicrosoftEdgeUpdate.exe (PID: 1928)
  - setup.exe (PID: 2528)
  - MicrosoftEdge_X86_109.0.1518.140.exe (PID: 1548)
- Creates/Modifies COM task schedule object
  - MicrosoftEdgeUpdate.exe (PID: 2156)
- Creates a software uninstall entry
  - MicrosoftEdgeUpdate.exe (PID: 1928)
  - setup.exe (PID: 2528)
  - Betternet VPN Premium Activation Tool.exe (PID: 2808)
- Reads security settings of Internet Explorer
  - MicrosoftEdgeUpdate.exe (PID: 3200)
  - MicrosoftEdgeUpdate.exe (PID: 1624)
  - BetternetSvc.exe (PID: 2244)
- Searches for installed software
  - setup.exe (PID: 2528)
  - msedgewebview2.exe (PID: 1336)
- Application launched itself
  - MicrosoftEdgeUpdate.exe (PID: 3096)
  - msedgewebview2.exe (PID: 1336)
- Reads the BIOS version
  - Betternet VPN Premium Activation Tool.exe (PID: 2808)
- Uses TASKKILL.EXE to kill process
  - cmd.exe (PID: 3464)
- Starts CMD.EXE for commands execution
  - Betternet VPN Premium Activation Tool.exe (PID: 2808)
- Reads the Internet Settings
  - msedgewebview2.exe (PID: 1336)
  - cmd.exe (PID: 3748)
- Reads settings of System Certificates
  - msedgewebview2.exe (PID: 1336)
INFO
- The process uses the downloaded file
  - iexplore.exe (PID: 3864)
  - WinRAR.exe (PID: 2112)
- Application launched itself
  - iexplore.exe (PID: 3864)
  - msedge.exe (PID: 2588)
  - msedge.exe (PID: 3716)
- Drops the executable file immediately after the start
  - WinRAR.exe (PID: 2112)
  - msiexec.exe (PID: 1592)
- Checks supported languages
  - Betternet VPN Premium v8.8.1.1322.exe (PID: 1036)
  - ns69B0.tmp (PID: 2500)
  - tapinstall.exe (PID: 1220)
  - ns6A2E.tmp (PID: 2744)
  - tapinstall.exe (PID: 1808)
  - drvinst.exe (PID: 2728)
  - drvinst.exe (PID: 2260)
  - MicrosoftEdgeUpdate.exe (PID: 1928)
  - MicrosoftEdgeUpdate.exe (PID: 2960)
  - MicrosoftEdgeUpdate.exe (PID: 2156)
  - MicrosoftEdgeUpdate.exe (PID: 3200)
  - MicrosoftEdgeUpdate.exe (PID: 3096)
  - MicrosoftEdge_X86_109.0.1518.140.exe (PID: 1548)
  - MicrosoftEdgeUpdate.exe (PID: 2652)
  - setup.exe (PID: 2528)
  - Betternet VPN Premium Activation Tool.exe (PID: 2808)
  - MicrosoftEdgeUpdate.exe (PID: 1624)
  - BetternetSvc.exe (PID: 2244)
  - BetternetNtf.exe (PID: 2752)
  - msedgewebview2.exe (PID: 1336)
  - msedgewebview2.exe (PID: 1572)
  - msedgewebview2.exe (PID: 2884)
  - msedgewebview2.exe (PID: 1936)
  - msedgewebview2.exe (PID: 1796)
  - msedgewebview2.exe (PID: 1892)
  - msedgewebview2.exe (PID: 2648)
- Manual execution by a user
  - Betternet VPN Premium v8.8.1.1322.exe (PID: 1036)
  - explorer.exe (PID: 1768)
  - Betternet VPN Premium v8.8.1.1322.exe (PID: 764)
  - WinRAR.exe (PID: 2112)
  - Betternet VPN Premium Activation Tool.exe (PID: 1484)
  - Betternet VPN Premium Activation Tool.exe (PID: 2808)
  - msedgewebview2.exe (PID: 1336)
  - msedge.exe (PID: 3716)
- Create files in a temporary directory
  - Betternet VPN Premium v8.8.1.1322.exe (PID: 1036)
  - msiexec.exe (PID: 1592)
  - tapinstall.exe (PID: 1808)
  - MicrosoftEdgeUpdate.exe (PID: 3200)
  - Betternet VPN Premium Activation Tool.exe (PID: 2808)
  - msedgewebview2.exe (PID: 1336)
- Reads the computer name
  - Betternet VPN Premium v8.8.1.1322.exe (PID: 1036)
  - tapinstall.exe (PID: 1808)
  - tapinstall.exe (PID: 1220)
  - drvinst.exe (PID: 2728)
  - drvinst.exe (PID: 2260)
  - MicrosoftEdgeUpdate.exe (PID: 1928)
  - MicrosoftEdgeUpdate.exe (PID: 2960)
  - MicrosoftEdgeUpdate.exe (PID: 2156)
  - MicrosoftEdgeUpdate.exe (PID: 3200)
  - MicrosoftEdgeUpdate.exe (PID: 2652)
  - MicrosoftEdgeUpdate.exe (PID: 3096)
  - MicrosoftEdge_X86_109.0.1518.140.exe (PID: 1548)
  - setup.exe (PID: 2528)
  - MicrosoftEdgeUpdate.exe (PID: 1624)
  - BetternetSvc.exe (PID: 2244)
  - BetternetNtf.exe (PID: 2752)
  - msedgewebview2.exe (PID: 1572)
  - msedgewebview2.exe (PID: 1336)
  - msedgewebview2.exe (PID: 2648)
  - msedgewebview2.exe (PID: 1796)
- Reads the software policy settings
  - msiexec.exe (PID: 1592)
  - tapinstall.exe (PID: 1808)
  - drvinst.exe (PID: 2728)
  - rundll32.exe (PID: 2320)
  - drvinst.exe (PID: 2260)
  - MicrosoftEdgeUpdate.exe (PID: 3096)
  - MicrosoftEdgeUpdate.exe (PID: 3200)
  - MicrosoftEdgeUpdate.exe (PID: 1624)
  - BetternetSvc.exe (PID: 2244)
  - msedgewebview2.exe (PID: 1336)
- Reads security settings of Internet Explorer
  - msiexec.exe (PID: 1592)
- Reads the machine GUID from the registry
  - tapinstall.exe (PID: 1808)
  - drvinst.exe (PID: 2728)
  - drvinst.exe (PID: 2260)
  - Betternet VPN Premium Activation Tool.exe (PID: 2808)
  - BetternetSvc.exe (PID: 2244)
  - BetternetNtf.exe (PID: 2752)
  - msedgewebview2.exe (PID: 1336)
- Executable content was dropped or overwritten
  - msiexec.exe (PID: 1592)
  - WinRAR.exe (PID: 2112)
- Modifies the phishing filter of IE
  - iexplore.exe (PID: 3864)
- Reads Environment values
  - drvinst.exe (PID: 2260)
  - MicrosoftEdgeUpdate.exe (PID: 3200)
  - MicrosoftEdgeUpdate.exe (PID: 1624)
  - BetternetSvc.exe (PID: 2244)
  - msedgewebview2.exe (PID: 1336)
- Checks proxy server information
  - MicrosoftEdgeUpdate.exe (PID: 3200)
  - MicrosoftEdgeUpdate.exe (PID: 1624)
- Creates files in the program directory
  - MicrosoftEdge_X86_109.0.1518.140.exe (PID: 1548)
  - setup.exe (PID: 2528)
  - Betternet VPN Premium Activation Tool.exe (PID: 2808)
  - BetternetSvc.exe (PID: 2244)
  - msedgewebview2.exe (PID: 1336)
  - msedgewebview2.exe (PID: 2884)
  - msedgewebview2.exe (PID: 1796)
- Process checks whether UAC notifications are on
  - Betternet VPN Premium Activation Tool.exe (PID: 2808)
- Reads mouse settings
  - Betternet VPN Premium Activation Tool.exe (PID: 2808)
- Process checks computer location settings
  - msedgewebview2.exe (PID: 1336)
  - msedgewebview2.exe (PID: 1892)
- Reads product name
  - BetternetSvc.exe (PID: 2244)

Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report

Add for printing

No Malware configuration.

Add for printing

No data.

Add for printing

All screenshots are available in the full report

Add for printing

Total processes

159

Monitored processes

Malicious processes

Suspicious processes

Behavior graph

Click at the process to see the details

Process information

PID

CMD

Path

Indicators

Parent process

712

"C:\Program Files\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1288 --field-trial-handle=1316,i,11275711947859196319,4448916986936035848,131072 /prefetch:2

C:\Program Files\Microsoft\Edge\Application\msedge.exe

—

msedge.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

LOW

Description:

Microsoft Edge

Exit code:

Version:

109.0.1518.115

Modules

Images
c:\program files\microsoft\edge\application\msedge.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files\microsoft\edge\application\109.0.1518.115\msedge_elf.dll
c:\windows\system32\api-ms-win-core-synch-l1-2-0.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll

764

"C:\Users\admin\Downloads\Betternet VPN Premium v8.8.1.1322 Full Activated - WwW.Dr-FarFar.CoM\Setup\Betternet VPN Premium v8.8.1.1322.exe"

C:\Users\admin\Downloads\Betternet VPN Premium v8.8.1.1322 Full Activated - WwW.Dr-FarFar.CoM\Setup\Betternet VPN Premium v8.8.1.1322.exe

—

explorer.exe

User:

admin

Company:

Pango Inc.

Integrity Level:

MEDIUM

Description:

Betternet for Windows

Exit code:

3221226540

Version:

8.8.1.1322

Modules

Images
c:\users\admin\downloads\betternet vpn premium v8.8.1.1322 full activated - www.dr-farfar.com\setup\betternet vpn premium v8.8.1.1322.exe
c:\windows\system32\ntdll.dll

876

"C:\Program Files\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4116 --field-trial-handle=1276,i,12612468658325218317,846481000068525724,131072 /prefetch:8

C:\Program Files\Microsoft\Edge\Application\msedge.exe

—

msedge.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

LOW

Description:

Microsoft Edge

Exit code:

Version:

109.0.1518.115

Modules

Images
c:\program files\microsoft\edge\application\msedge.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files\microsoft\edge\application\109.0.1518.115\msedge_elf.dll
c:\windows\system32\api-ms-win-core-synch-l1-2-0.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll

1036

"C:\Users\admin\Downloads\Betternet VPN Premium v8.8.1.1322 Full Activated - WwW.Dr-FarFar.CoM\Setup\Betternet VPN Premium v8.8.1.1322.exe"

C:\Users\admin\Downloads\Betternet VPN Premium v8.8.1.1322 Full Activated - WwW.Dr-FarFar.CoM\Setup\Betternet VPN Premium v8.8.1.1322.exe

explorer.exe

User:

admin

Company:

Pango Inc.

Integrity Level:

HIGH

Description:

Betternet for Windows

Exit code:

Version:

8.8.1.1322

Modules

Images
c:\users\admin\downloads\betternet vpn premium v8.8.1.1322 full activated - www.dr-farfar.com\setup\betternet vpn premium v8.8.1.1322.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\shell32.dll
c:\windows\system32\shlwapi.dll

1220

"C:\Program Files\BetterNet TAP-Windows\bin\tapinstall.exe" hwids bntap

C:\Program Files\BetterNet TAP-Windows\bin\tapinstall.exe

—

ns69B0.tmp

User:

SYSTEM

Company:

Windows (R) Win 7 DDK provider

Integrity Level:

SYSTEM

Description:

Windows Setup API

Exit code:

Version:

10.0.10011.16384

Modules

Images
c:\program files\betternet tap-windows\bin\tapinstall.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\advapi32.dll

1232

"C:\Program Files\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --use-gl=angle --use-angle=swiftshader-webgl --mojo-platform-channel-handle=1340 --field-trial-handle=1276,i,12612468658325218317,846481000068525724,131072 /prefetch:2

C:\Program Files\Microsoft\Edge\Application\msedge.exe

—

msedge.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

LOW

Description:

Microsoft Edge

Exit code:

Version:

109.0.1518.115

Modules

Images
c:\program files\microsoft\edge\application\msedge.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files\microsoft\edge\application\109.0.1518.115\msedge_elf.dll
c:\windows\system32\api-ms-win-core-synch-l1-2-0.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll

1336

"C:\Program Files\Microsoft\EdgeWebView\Application\109.0.1518.140\msedgewebview2.exe" --embedded-browser-webview=1 --webview-exe-name=Betternet.exe --webview-exe-version=8.8.1.1322 --user-data-dir="C:\ProgramData\Betternet\user\stripe\EBWebView" --noerrdialogs --embedded-browser-webview-dpi-awareness=1 --edge-webview-custom-scheme --mojo-named-platform-channel-pipe=3584.3356.13953785763381325739

C:\Program Files\Microsoft\EdgeWebView\Application\109.0.1518.140\msedgewebview2.exe

explorer.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

MEDIUM

Description:

Microsoft Edge WebView2

Exit code:

Version:

109.0.1518.140

Modules

Images
c:\program files\microsoft\edgewebview\application\109.0.1518.140\msedgewebview2.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files\microsoft\edgewebview\application\109.0.1518.140\msedge_elf.dll
c:\windows\system32\api-ms-win-core-synch-l1-2-0.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll

1484

"C:\Users\admin\Downloads\Betternet VPN Premium v8.8.1.1322 Full Activated - WwW.Dr-FarFar.CoM\Crack\Betternet VPN Premium Activation Tool.exe"

C:\Users\admin\Downloads\Betternet VPN Premium v8.8.1.1322 Full Activated - WwW.Dr-FarFar.CoM\Crack\Betternet VPN Premium Activation Tool.exe

—

explorer.exe

User:

admin

Company:

Dr.FarFar | www.Dr-FarFar.com

Integrity Level:

MEDIUM

Description:

Betternet VPN Premium Activation Tool (ViP)

Exit code:

3221226540

Version:

8.8.1.1322

Modules

Images
c:\users\admin\downloads\betternet vpn premium v8.8.1.1322 full activated - www.dr-farfar.com\crack\betternet vpn premium activation tool.exe
c:\windows\system32\ntdll.dll

1548

"C:\Program Files\Microsoft\EdgeUpdate\Install\{71F3BDEF-756D-4292-866F-CDFE9E495831}\MicrosoftEdge_X86_109.0.1518.140.exe" --msedgewebview --verbose-logging --do-not-launch-msedge --system-level

C:\Program Files\Microsoft\EdgeUpdate\Install\{71F3BDEF-756D-4292-866F-CDFE9E495831}\MicrosoftEdge_X86_109.0.1518.140.exe

MicrosoftEdgeUpdate.exe

User:

SYSTEM

Company:

Microsoft Corporation

Integrity Level:

SYSTEM

Description:

Microsoft Edge Installer

Exit code:

Version:

109.0.1518.140

Modules

Images
c:\program files\microsoft\edgeupdate\install\{71f3bdef-756d-4292-866f-cdfe9e495831}\microsoftedge_x86_109.0.1518.140.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\shell32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\user32.dll
c:\windows\system32\lpk.dll

1572

"C:\Program Files\Microsoft\EdgeWebView\Application\109.0.1518.140\msedgewebview2.exe" --type=gpu-process --noerrdialogs --user-data-dir="C:\ProgramData\Betternet\user\stripe\EBWebView" --webview-exe-name=Betternet.exe --webview-exe-version=8.8.1.1322 --embedded-browser-webview=1 --embedded-browser-webview-dpi-awareness=1 --edge-webview-custom-scheme --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1180 --field-trial-handle=1196,i,6264612852101558029,4018079802908211096,131072 /prefetch:2

C:\Program Files\Microsoft\EdgeWebView\Application\109.0.1518.140\msedgewebview2.exe

—

msedgewebview2.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

LOW

Description:

Microsoft Edge WebView2

Exit code:

Version:

109.0.1518.140

Modules

Images
c:\program files\microsoft\edgewebview\application\109.0.1518.140\msedgewebview2.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files\microsoft\edgewebview\application\109.0.1518.140\msedge_elf.dll
c:\windows\system32\api-ms-win-core-synch-l1-2-0.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll

Add for printing

Total events

97 387

Read events

92 975

Write events

4 132

Delete events

280

Modification events


(PID) Process:	(3864) iexplore.exe	Key:	HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\TabbedBrowsing
Operation:	write	Name:	NTPDaysSinceLastAutoMigration
Value: 1
(PID) Process:	(3864) iexplore.exe	Key:	HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\TabbedBrowsing
Operation:	write	Name:	NTPLastLaunchLowDateTime
Value:
(PID) Process:	(3864) iexplore.exe	Key:	HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\TabbedBrowsing
Operation:	write	Name:	NTPLastLaunchHighDateTime
Value: 31088748
(PID) Process:	(3864) iexplore.exe	Key:	HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\UrlBlockManager
Operation:	write	Name:	NextCheckForUpdateLowDateTime
Value:
(PID) Process:	(3864) iexplore.exe	Key:	HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\UrlBlockManager
Operation:	write	Name:	NextCheckForUpdateHighDateTime
Value: 31088748
(PID) Process:	(3864) iexplore.exe	Key:	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content
Operation:	write	Name:	CachePrefix
Value:
(PID) Process:	(3864) iexplore.exe	Key:	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies
Operation:	write	Name:	CachePrefix
Value: Cookie:
(PID) Process:	(3864) iexplore.exe	Key:	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History
Operation:	write	Name:	CachePrefix
Value: Visited:
(PID) Process:	(3864) iexplore.exe	Key:	HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main
Operation:	write	Name:	CompatibilityFlags
Value: 0
(PID) Process:	(3864) iexplore.exe	Key:	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:	write	Name:	ProxyBypass
Value: 1

Add for printing

Executable files

118

Suspicious files

158

Text files

245

Unknown types

116

Dropped files

PID	Process	Filename		Type
3952	iexplore.exe	C:\Users\admin\AppData\Roaming\Microsoft\Windows\Cookies\Low\DPNGCS21.txt		text
		MD5:33583B51CFDEE5F0679C4DE61C7314CB	SHA256:29281E2D7F072C271FBA2C521FB812BEF103DC458D496E4A229FAAA3305577EE
3952	iexplore.exe	C:\Users\admin\AppData\Roaming\Microsoft\Windows\Cookies\Low\FWJ3X05F.txt		text
		MD5:41255F85577F9259C5348F4A82AC23FE	SHA256:63A4B229C835C177DD78CC322890F0BCE29E4DD9D7620C94D11475A1F060DFAD
3952	iexplore.exe	C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\6BADA8974A10C4BD62CC921D13E43B18_28DEA62A0AE77228DD387E155AD0BA27		binary
		MD5:3E123D437516D0FB7645A55B8D585266	SHA256:B1A5552B8F3EC2C00338CAAB650BC0E1BF66B60192382D2660C7126BFF7943FE
3952	iexplore.exe	C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\6BADA8974A10C4BD62CC921D13E43B18_28DEA62A0AE77228DD387E155AD0BA27		binary
		MD5:D996757BD8A6700996AB7316676CB035	SHA256:720E3358EB0149DAA6302AD7B11DC65B37E42207C248C80F0009D2E182465319
3952	iexplore.exe	C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\CAF4703619713E3F18D8A9D5D88D6288_A7725538C46DE2D0088EE44974E2CEBA		binary
		MD5:AC89A852C2AAA3D389B2D2DD312AD367	SHA256:0B720E19270C672F9B6E0EC40B468AC49376807DE08A814573FE038779534F45
3952	iexplore.exe	C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\MFAQUS6V\file[1].htm		html
		MD5:ED1FD2CA3BEFCA81F820949415368FB4	SHA256:678DB00F419F228A1E132D28FE6628249F9633D4C124D57A198C403D1968012B
3952	iexplore.exe	C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\CAF4703619713E3F18D8A9D5D88D6288_A7725538C46DE2D0088EE44974E2CEBA		binary
		MD5:53AABDA618FD6EC4F01E2CF595E4313F	SHA256:E8F7087354144C1D117CEB0E2F8EA56A65E866676A1EFF6F3B1A4BC70456BE71
3952	iexplore.exe	C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\07CEF2F654E3ED6050FFC9B6EB844250_BACC6CD2B29F18349081C9FD2343833B		binary
		MD5:934EE60BC22F8BABFF6E6138B14F9C4A	SHA256:D622E9B0A8B69A1CA493D8906399BD3F4BE70C738B2BD11DE6E37A10044B14B1
3952	iexplore.exe	C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA		binary
		MD5:E4F9105EED7BB0C908FAEAC3C5213D9C	SHA256:2E94FA1D73706167AE91DEE0871A7408839B7C9AC387B7DF8931AABEE80D6DBB
3952	iexplore.exe	C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA		der
		MD5:22E5FC9D188A4294578FF8C519ADE71E	SHA256:D105897A01241C6F1BD559621235364126F5A36C6B9D92A49303FEA30EEA748B

Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Add for printing

HTTP(S) requests

TCP/UDP connections

158

DNS requests

147

Threats

HTTP requests

PID	Process	Method	HTTP Code	IP	URL	CN	Type	Size	Reputation
3952	iexplore.exe	GET	304	95.101.54.105:80	http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/disallowedcertstl.cab?14266dff8470122f	unknown	—	—	unknown
3952	iexplore.exe	GET	304	95.101.54.105:80	http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/disallowedcertstl.cab?c9f2b763ba05a2db	unknown	—	—	unknown
3952	iexplore.exe	GET	200	172.64.149.23:80	http://ocsp.usertrust.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTNMNJMNDqCqx8FcBWK16EHdimS6QQUU3m%2FWqorSs9UgOHYm8Cd8rIDZssCEBN9U5yqfDGppDNwGWiEeo0%3D	unknown	binary	2.18 Kb	unknown
3952	iexplore.exe	GET	200	142.250.185.131:80	http://ocsp.pki.goog/gtsr1/ME4wTDBKMEgwRjAJBgUrDgMCGgUABBQwkcLWD4LqGJ7bE7B1XZsEbmfwUAQU5K8rJnEaK0gnhS9SZizv8IkTcT4CDQIDvFNZazTHGPUBUGY%3D	unknown	binary	724 b	unknown
3952	iexplore.exe	GET	200	104.18.38.233:80	http://ocsp.comodoca.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBRTtU9uFqgVGHhJwXZyWCNXmVR5ngQUoBEKIz6W8Qfs4q8p74Klf9AwpLQCEDlyRDr5IrdR19NsEN0xNZU%3D	unknown	binary	1.42 Kb	unknown
3952	iexplore.exe	GET	200	192.229.221.95:80	http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTBL0V27RVZ7LBduom%2FnYB45SPUEwQU5Z1ZMIJHWMys%2BghUNoZ7OrUETfACEAo3h2ReX7SMIk79G%2B0UDDw%3D	unknown	binary	1.47 Kb	unknown
3952	iexplore.exe	GET	200	142.250.185.131:80	http://ocsp.pki.goog/gts1c3/MFIwUDBOMEwwSjAJBgUrDgMCGgUABBTHLnmK3f9hNLO67UdCuLvGwCQHYwQUinR%2Fr4XN7pXNPZzQ4kYU83E1HScCEQCG5mYmc5exBwr3zurLpXnC	unknown	binary	472 b	unknown
3952	iexplore.exe	GET	200	142.250.185.131:80	http://ocsp.pki.goog/gsr1/MFEwTzBNMEswSTAJBgUrDgMCGgUABBS3V7W2nAf4FiMTjpDJKg6%2BMgGqMQQUYHtmGkUNl8qJUC99BM00qP%2F8%2FUsCEHe9DWzbNvka6iEPxPBY0w0%3D	unknown	binary	1.41 Kb	unknown
3952	iexplore.exe	GET	200	142.250.185.131:80	http://ocsp.pki.goog/gtsr1/ME4wTDBKMEgwRjAJBgUrDgMCGgUABBQwkcLWD4LqGJ7bE7B1XZsEbmfwUAQU5K8rJnEaK0gnhS9SZizv8IkTcT4CDQIDvFCjJ1PwkYAi7fE%3D	unknown	binary	724 b	unknown
3952	iexplore.exe	GET	200	142.250.185.131:80	http://ocsp.pki.goog/gtsr1/ME4wTDBKMEgwRjAJBgUrDgMCGgUABBQwkcLWD4LqGJ7bE7B1XZsEbmfwUAQU5K8rJnEaK0gnhS9SZizv8IkTcT4CDQIDvFCjJ1PwkYAi7fE%3D	unknown	binary	724 b	unknown

Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID	Process	IP	Domain	ASN	CN	Reputation
3952	iexplore.exe	104.16.113.74:443	static.mediafire.com	CLOUDFLARENET	—	unknown
4	System	192.168.100.255:138	—	—	—	whitelisted
4	System	192.168.100.255:137	—	—	—	whitelisted
1080	svchost.exe	224.0.0.252:5355	—	—	—	unknown
3952	iexplore.exe	95.101.54.105:80	ctldl.windowsupdate.com	Akamai International B.V.	DE	unknown
3952	iexplore.exe	104.18.38.233:80	ocsp.comodoca.com	CLOUDFLARENET	—	shared
3952	iexplore.exe	172.64.149.23:80	ocsp.comodoca.com	CLOUDFLARENET	US	unknown
3952	iexplore.exe	172.67.199.186:443	the.gatekeeperconsent.com	CLOUDFLARENET	US	unknown
3952	iexplore.exe	142.250.186.72:443	www.googletagmanager.com	GOOGLE	US	unknown
3952	iexplore.exe	172.67.41.60:443	btloader.com	CLOUDFLARENET	US	unknown

DNS requests

Domain	IP	Reputation
www.mediafire.com	216.239.36.178 216.239.34.178 216.239.38.178 216.239.32.178	shared
ctldl.windowsupdate.com	95.101.54.105 95.101.54.113 93.184.221.240	whitelisted
ocsp.comodoca.com	104.18.38.233 172.64.149.23	whitelisted
ocsp.usertrust.com	172.64.149.23 104.18.38.233	whitelisted
the.gatekeeperconsent.com	172.67.199.186 104.21.42.32	unknown
www.googletagmanager.com	142.250.186.72	whitelisted
btloader.com	172.67.41.60 104.22.74.216 104.22.75.216	whitelisted
www.ezojs.com	172.64.96.6 172.64.97.6	unknown
translate.google.com	142.250.185.78	whitelisted
static.cloudflareinsights.com	104.16.56.101 104.16.57.101	whitelisted

Threats

PID	Process	Class	Message
1080	svchost.exe	Potentially Bad Traffic	ET HUNTING File Sharing Related Domain (www .mediafire .com) in DNS Lookup
1080	svchost.exe	Potentially Bad Traffic	ET HUNTING File Sharing Related Domain in DNS Lookup (download .mediafire .com)
856	svchost.exe	Potential Corporate Privacy Violation	ET POLICY PE EXE or DLL Windows file download HTTP

Add for printing

Process	Message
msedgewebview2.exe	RecursiveDirectoryCreate( C:\ProgramData\Betternet\user directory exists )

General Info

https://www.mediafire.com/file/9sihbq7so7lwja8/Betternet_VPN_Premium_v8.8.1.1322_Full_Activated_-_WwW.Dr-FarFar.CoM.zip/file

937088D7135C786836069AA09C87F9B1

F9BB40A0CCFB05787918C9E04E902972FE98F0FD

23C8B9568DA1A4D17DA07F510AEA5A545CB2B8456AFC87EAC79D23892DF8C8DD

3:N8DSLw3eGUocqlKtAwb0YUXAIRzTkX6UPGRS4kGySYhXe4R:2OLw3eGnlKtAwb0fzTkoo4kIY9R

Software environment set and analysis options

Launch configuration

Software preset

Behavior activities

MALICIOUS

Drops the executable file immediately after the start

Creates a writable file in the system directory

Changes the autorun value in the registry

Scans artifacts that could help determine the target

The DLL Hijacking

SUSPICIOUS

Malware-specific behavior (creating "System.dll" in Temp)

Executable content was dropped or overwritten

The process creates files with name similar to system file names

Executes as Windows Service

Checks Windows Trust Settings

Drops a system driver (possible attempt to evade defenses)

Creates files in the driver directory

Starts a Microsoft application from unusual location

Disables SEHOP

Starts itself from another location

Process drops legitimate windows executable

Creates/Modifies COM task schedule object

Creates a software uninstall entry

Reads security settings of Internet Explorer

Searches for installed software

Application launched itself

Reads the BIOS version

Uses TASKKILL.EXE to kill process

Starts CMD.EXE for commands execution

Reads the Internet Settings

Reads settings of System Certificates

INFO

The process uses the downloaded file

Application launched itself

Drops the executable file immediately after the start

Checks supported languages

Manual execution by a user

Create files in a temporary directory

Reads the computer name

Reads the software policy settings

Reads security settings of Internet Explorer

Reads the machine GUID from the registry

Executable content was dropped or overwritten

Modifies the phishing filter of IE

Reads Environment values

Checks proxy server information

Creates files in the program directory

Process checks whether UAC notifications are on

Reads mouse settings

Process checks computer location settings

Reads product name

Malware configuration

Static information

Video and screenshots

Processes

Behavior graph

Specs description

Process information

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information