URL: https://www.mediafire.com/file/9sihbq7so7lwja8/Betternet_VPN_Premium_v8.8.1.1322_Full_Activated_-_WwW.Dr-FarFar.CoM.zip/file

Full analysis: https://app.any.run/tasks/c588462f-324a-4c43-a806-18e3d5434ac7
Verdict: Malicious activity
Threats:

A loader is malicious software that infiltrates devices to deliver malicious payloads. This malware is capable of infecting victims’ computers, analyzing their system information, and installing other types of threats, such as trojans or stealers. Criminals usually deliver loaders through phishing emails and links by relying on social engineering to trick users into downloading and running their executables. Loaders employ advanced evasion and persistence tactics to avoid detection.

Analysis date: February 16, 2024, 00:11:38
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags:
loader
Indicators:
MD5: 937088D7135C786836069AA09C87F9B1
SHA1: F9BB40A0CCFB05787918C9E04E902972FE98F0FD
SHA256: 23C8B9568DA1A4D17DA07F510AEA5A545CB2B8456AFC87EAC79D23892DF8C8DD
SSDEEP: 3:N8DSLw3eGUocqlKtAwb0YUXAIRzTkX6UPGRS4kGySYhXe4R:2OLw3eGnlKtAwb0fzTkoo4kIY9R

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Drops the executable file immediately after the start

      • Betternet VPN Premium v8.8.1.1322.exe (PID: 1036)
      • tapinstall.exe (PID: 1808)
      • drvinst.exe (PID: 2728)
      • drvinst.exe (PID: 2260)
      • MicrosoftEdge_X86_109.0.1518.140.exe (PID: 1548)
      • setup.exe (PID: 2528)
      • BetternetSvc.exe (PID: 2244)
      • Betternet VPN Premium Activation Tool.exe (PID: 2808)
    • Creates a writable file in the system directory

      • drvinst.exe (PID: 2728)
      • drvinst.exe (PID: 2260)
      • MicrosoftEdgeUpdate.exe (PID: 3200)
      • BetternetSvc.exe (PID: 2244)
    • Changes the autorun value in the registry

      • drvinst.exe (PID: 2260)
    • Scans artifacts that could help determine the target

      • msedgewebview2.exe (PID: 1336)
    • The DLL Hijacking

      • msedgewebview2.exe (PID: 1572)
      • msedgewebview2.exe (PID: 2648)
  • SUSPICIOUS

    • Malware-specific behavior (creating "System.dll" in Temp)

      • Betternet VPN Premium v8.8.1.1322.exe (PID: 1036)
    • Executable content was dropped or overwritten

      • Betternet VPN Premium v8.8.1.1322.exe (PID: 1036)
      • tapinstall.exe (PID: 1808)
      • drvinst.exe (PID: 2728)
      • drvinst.exe (PID: 2260)
      • MicrosoftEdge_X86_109.0.1518.140.exe (PID: 1548)
      • setup.exe (PID: 2528)
      • BetternetSvc.exe (PID: 2244)
      • Betternet VPN Premium Activation Tool.exe (PID: 2808)
    • The process creates files with name similar to system file names

      • Betternet VPN Premium v8.8.1.1322.exe (PID: 1036)
    • Executes as Windows Service

      • VSSVC.exe (PID: 2448)
      • MicrosoftEdgeUpdate.exe (PID: 3096)
      • BetternetSvc.exe (PID: 2244)
    • Checks Windows Trust Settings

      • tapinstall.exe (PID: 1808)
      • drvinst.exe (PID: 2728)
      • drvinst.exe (PID: 2260)
      • MicrosoftEdgeUpdate.exe (PID: 3200)
      • MicrosoftEdgeUpdate.exe (PID: 3096)
      • MicrosoftEdgeUpdate.exe (PID: 1624)
      • BetternetSvc.exe (PID: 2244)
    • Drops a system driver (possible attempt to evade defenses)

      • tapinstall.exe (PID: 1808)
      • drvinst.exe (PID: 2728)
      • drvinst.exe (PID: 2260)
    • Creates files in the driver directory

      • drvinst.exe (PID: 2728)
      • drvinst.exe (PID: 2260)
    • Starts a Microsoft application from unusual location

      • MicrosoftEdgeUpdate.exe (PID: 1928)
    • Disables SEHOP

      • MicrosoftEdgeUpdate.exe (PID: 1928)
    • Process drops legitimate windows executable

      • MicrosoftEdgeUpdate.exe (PID: 1928)
      • MicrosoftEdge_X86_109.0.1518.140.exe (PID: 1548)
      • setup.exe (PID: 2528)
    • Starts itself from another location

      • MicrosoftEdgeUpdate.exe (PID: 1928)
    • Creates a software uninstall entry

      • MicrosoftEdgeUpdate.exe (PID: 1928)
      • setup.exe (PID: 2528)
      • Betternet VPN Premium Activation Tool.exe (PID: 2808)
    • Reads security settings of Internet Explorer

      • MicrosoftEdgeUpdate.exe (PID: 3200)
      • MicrosoftEdgeUpdate.exe (PID: 1624)
      • BetternetSvc.exe (PID: 2244)
    • Application launched itself

      • MicrosoftEdgeUpdate.exe (PID: 3096)
      • msedgewebview2.exe (PID: 1336)
    • Reads the BIOS version

      • Betternet VPN Premium Activation Tool.exe (PID: 2808)
    • Creates/Modifies COM task schedule object

      • MicrosoftEdgeUpdate.exe (PID: 2156)
    • Searches for installed software

      • setup.exe (PID: 2528)
      • msedgewebview2.exe (PID: 1336)
    • Uses TASKKILL.EXE to kill process

      • cmd.exe (PID: 3464)
    • Reads the Internet Settings

      • msedgewebview2.exe (PID: 1336)
      • cmd.exe (PID: 3748)
    • Reads settings of System Certificates

      • msedgewebview2.exe (PID: 1336)
    • Starts CMD.EXE for commands execution

      • Betternet VPN Premium Activation Tool.exe (PID: 2808)
  • INFO

    • Executable content was dropped or overwritten

      • WinRAR.exe (PID: 2112)
      • msiexec.exe (PID: 1592)
    • The process uses the downloaded file

      • WinRAR.exe (PID: 2112)
      • iexplore.exe (PID: 3864)
    • Manual execution by a user

      • Betternet VPN Premium v8.8.1.1322.exe (PID: 764)
      • Betternet VPN Premium v8.8.1.1322.exe (PID: 1036)
      • explorer.exe (PID: 1768)
      • WinRAR.exe (PID: 2112)
      • Betternet VPN Premium Activation Tool.exe (PID: 1484)
      • Betternet VPN Premium Activation Tool.exe (PID: 2808)
      • msedgewebview2.exe (PID: 1336)
      • msedge.exe (PID: 3716)
    • Modifies the phishing filter of IE

      • iexplore.exe (PID: 3864)
    • Application launched itself

      • iexplore.exe (PID: 3864)
      • msedge.exe (PID: 2588)
      • msedge.exe (PID: 3716)
    • Create files in a temporary directory

      • Betternet VPN Premium v8.8.1.1322.exe (PID: 1036)
      • msiexec.exe (PID: 1592)
      • tapinstall.exe (PID: 1808)
      • MicrosoftEdgeUpdate.exe (PID: 3200)
      • Betternet VPN Premium Activation Tool.exe (PID: 2808)
      • msedgewebview2.exe (PID: 1336)
    • Reads security settings of Internet Explorer

      • msiexec.exe (PID: 1592)
    • Reads the software policy settings

      • msiexec.exe (PID: 1592)
      • tapinstall.exe (PID: 1808)
      • drvinst.exe (PID: 2728)
      • rundll32.exe (PID: 2320)
      • drvinst.exe (PID: 2260)
      • MicrosoftEdgeUpdate.exe (PID: 3200)
      • MicrosoftEdgeUpdate.exe (PID: 3096)
      • BetternetSvc.exe (PID: 2244)
      • msedgewebview2.exe (PID: 1336)
      • MicrosoftEdgeUpdate.exe (PID: 1624)
    • Drops the executable file immediately after the start

      • WinRAR.exe (PID: 2112)
      • msiexec.exe (PID: 1592)
    • Checks supported languages

      • ns6A2E.tmp (PID: 2744)
      • tapinstall.exe (PID: 1808)
      • ns69B0.tmp (PID: 2500)
      • Betternet VPN Premium v8.8.1.1322.exe (PID: 1036)
      • drvinst.exe (PID: 2260)
      • tapinstall.exe (PID: 1220)
      • MicrosoftEdgeUpdate.exe (PID: 2960)
      • MicrosoftEdgeUpdate.exe (PID: 2156)
      • MicrosoftEdgeUpdate.exe (PID: 3200)
      • MicrosoftEdgeUpdate.exe (PID: 2652)
      • drvinst.exe (PID: 2728)
      • MicrosoftEdge_X86_109.0.1518.140.exe (PID: 1548)
      • setup.exe (PID: 2528)
      • MicrosoftEdgeUpdate.exe (PID: 1928)
      • Betternet VPN Premium Activation Tool.exe (PID: 2808)
      • MicrosoftEdgeUpdate.exe (PID: 1624)
      • MicrosoftEdgeUpdate.exe (PID: 3096)
      • BetternetSvc.exe (PID: 2244)
      • BetternetNtf.exe (PID: 2752)
      • msedgewebview2.exe (PID: 1336)
      • msedgewebview2.exe (PID: 2884)
      • msedgewebview2.exe (PID: 1572)
      • msedgewebview2.exe (PID: 1796)
      • msedgewebview2.exe (PID: 1936)
      • msedgewebview2.exe (PID: 2648)
      • msedgewebview2.exe (PID: 1892)
    • Reads the computer name

      • tapinstall.exe (PID: 1220)
      • Betternet VPN Premium v8.8.1.1322.exe (PID: 1036)
      • tapinstall.exe (PID: 1808)
      • drvinst.exe (PID: 2728)
      • drvinst.exe (PID: 2260)
      • MicrosoftEdgeUpdate.exe (PID: 2960)
      • MicrosoftEdgeUpdate.exe (PID: 2156)
      • MicrosoftEdgeUpdate.exe (PID: 3200)
      • MicrosoftEdgeUpdate.exe (PID: 2652)
      • MicrosoftEdgeUpdate.exe (PID: 1928)
      • MicrosoftEdgeUpdate.exe (PID: 3096)
      • MicrosoftEdge_X86_109.0.1518.140.exe (PID: 1548)
      • setup.exe (PID: 2528)
      • MicrosoftEdgeUpdate.exe (PID: 1624)
      • BetternetSvc.exe (PID: 2244)
      • BetternetNtf.exe (PID: 2752)
      • msedgewebview2.exe (PID: 1336)
      • msedgewebview2.exe (PID: 1572)
      • msedgewebview2.exe (PID: 1796)
      • msedgewebview2.exe (PID: 2648)
    • Reads the machine GUID from the registry

      • drvinst.exe (PID: 2728)
      • drvinst.exe (PID: 2260)
      • tapinstall.exe (PID: 1808)
      • BetternetNtf.exe (PID: 2752)
      • BetternetSvc.exe (PID: 2244)
      • msedgewebview2.exe (PID: 1336)
      • Betternet VPN Premium Activation Tool.exe (PID: 2808)
    • Reads Environment values

      • drvinst.exe (PID: 2260)
      • MicrosoftEdgeUpdate.exe (PID: 3200)
      • MicrosoftEdgeUpdate.exe (PID: 1624)
      • BetternetSvc.exe (PID: 2244)
      • msedgewebview2.exe (PID: 1336)
    • Checks proxy server information

      • MicrosoftEdgeUpdate.exe (PID: 3200)
      • MicrosoftEdgeUpdate.exe (PID: 1624)
    • Creates files in the program directory

      • MicrosoftEdge_X86_109.0.1518.140.exe (PID: 1548)
      • setup.exe (PID: 2528)
      • Betternet VPN Premium Activation Tool.exe (PID: 2808)
      • BetternetSvc.exe (PID: 2244)
      • msedgewebview2.exe (PID: 1336)
      • msedgewebview2.exe (PID: 2884)
      • msedgewebview2.exe (PID: 1796)
    • Process checks whether UAC notifications are on

      • Betternet VPN Premium Activation Tool.exe (PID: 2808)
    • Reads mouse settings

      • Betternet VPN Premium Activation Tool.exe (PID: 2808)
    • Reads product name

      • BetternetSvc.exe (PID: 2244)
    • Process checks computer location settings

      • msedgewebview2.exe (PID: 1336)
      • msedgewebview2.exe (PID: 1892)
No Malware configuration.
No data.
All screenshots are available in the full report
Total processes: 159
Monitored processes: 59
Malicious processes: 12
Suspicious processes: 4

Behavior graph

start iexplore.exe iexplore.exe explorer.exe no specs winrar.exe betternet vpn premium v8.8.1.1322.exe no specs betternet vpn premium v8.8.1.1322.exe msiexec.exe vssvc.exe no specs ns69b0.tmp no specs tapinstall.exe no specs ns6a2e.tmp no specs tapinstall.exe drvinst.exe rundll32.exe no specs drvinst.exe microsoftedgeupdate.exe no specs microsoftedgeupdate.exe no specs microsoftedgeupdate.exe no specs microsoftedgeupdate.exe microsoftedgeupdate.exe no specs microsoftedgeupdate.exe microsoftedge_x86_109.0.1518.140.exe setup.exe betternet vpn premium activation tool.exe no specs betternet vpn premium activation tool.exe microsoftedgeupdate.exe cmd.exe no specs taskkill.exe no specs betternetsvc.exe betternetntf.exe no specs msedgewebview2.exe msedgewebview2.exe no specs msedgewebview2.exe no specs msedgewebview2.exe msedgewebview2.exe no specs msedgewebview2.exe no specs msedgewebview2.exe no specs cmd.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe msedge.exe no specs msedge.exe no specs msedge.exe msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs

Process information

Fields per process: PID, CMD, Path, Indicators, Parent process
PID: 712
CMD: "C:\Program Files\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1288 --field-trial-handle=1316,i,11275711947859196319,4448916986936035848,131072 /prefetch:2
Path: C:\Program Files\Microsoft\Edge\Application\msedge.exe
Parent process: msedge.exe
User: admin
Company: Microsoft Corporation
Integrity Level: LOW
Description: Microsoft Edge
Exit code: 0
Version: 109.0.1518.115
Modules (images):
c:\program files\microsoft\edge\application\msedge.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files\microsoft\edge\application\109.0.1518.115\msedge_elf.dll
c:\windows\system32\api-ms-win-core-synch-l1-2-0.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
PID: 764
CMD: "C:\Users\admin\Downloads\Betternet VPN Premium v8.8.1.1322 Full Activated - WwW.Dr-FarFar.CoM\Setup\Betternet VPN Premium v8.8.1.1322.exe"
Path: C:\Users\admin\Downloads\Betternet VPN Premium v8.8.1.1322 Full Activated - WwW.Dr-FarFar.CoM\Setup\Betternet VPN Premium v8.8.1.1322.exe
Parent process: explorer.exe
User: admin
Company: Pango Inc.
Integrity Level: MEDIUM
Description: Betternet for Windows
Exit code: 3221226540
Version: 8.8.1.1322
Modules (images):
c:\users\admin\downloads\betternet vpn premium v8.8.1.1322 full activated - www.dr-farfar.com\setup\betternet vpn premium v8.8.1.1322.exe
c:\windows\system32\ntdll.dll
PID: 876
CMD: "C:\Program Files\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4116 --field-trial-handle=1276,i,12612468658325218317,846481000068525724,131072 /prefetch:8
Path: C:\Program Files\Microsoft\Edge\Application\msedge.exe
Parent process: msedge.exe
User: admin
Company: Microsoft Corporation
Integrity Level: LOW
Description: Microsoft Edge
Exit code: 0
Version: 109.0.1518.115
Modules (images):
c:\program files\microsoft\edge\application\msedge.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files\microsoft\edge\application\109.0.1518.115\msedge_elf.dll
c:\windows\system32\api-ms-win-core-synch-l1-2-0.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
PID: 1036
CMD: "C:\Users\admin\Downloads\Betternet VPN Premium v8.8.1.1322 Full Activated - WwW.Dr-FarFar.CoM\Setup\Betternet VPN Premium v8.8.1.1322.exe"
Path: C:\Users\admin\Downloads\Betternet VPN Premium v8.8.1.1322 Full Activated - WwW.Dr-FarFar.CoM\Setup\Betternet VPN Premium v8.8.1.1322.exe
Parent process: explorer.exe
User: admin
Company: Pango Inc.
Integrity Level: HIGH
Description: Betternet for Windows
Exit code: 0
Version: 8.8.1.1322
Modules (images):
c:\users\admin\downloads\betternet vpn premium v8.8.1.1322 full activated - www.dr-farfar.com\setup\betternet vpn premium v8.8.1.1322.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\shell32.dll
c:\windows\system32\shlwapi.dll
PID: 1220
CMD: "C:\Program Files\BetterNet TAP-Windows\bin\tapinstall.exe" hwids bntap
Path: C:\Program Files\BetterNet TAP-Windows\bin\tapinstall.exe
Parent process: ns69B0.tmp
User: SYSTEM
Company: Windows (R) Win 7 DDK provider
Integrity Level: SYSTEM
Description: Windows Setup API
Exit code: 0
Version: 10.0.10011.16384
Modules (images):
c:\program files\betternet tap-windows\bin\tapinstall.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\advapi32.dll
PID: 1232
CMD: "C:\Program Files\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --use-gl=angle --use-angle=swiftshader-webgl --mojo-platform-channel-handle=1340 --field-trial-handle=1276,i,12612468658325218317,846481000068525724,131072 /prefetch:2
Path: C:\Program Files\Microsoft\Edge\Application\msedge.exe
Parent process: msedge.exe
User: admin
Company: Microsoft Corporation
Integrity Level: LOW
Description: Microsoft Edge
Exit code: 0
Version: 109.0.1518.115
Modules (images):
c:\program files\microsoft\edge\application\msedge.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files\microsoft\edge\application\109.0.1518.115\msedge_elf.dll
c:\windows\system32\api-ms-win-core-synch-l1-2-0.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
PID: 1336
CMD: "C:\Program Files\Microsoft\EdgeWebView\Application\109.0.1518.140\msedgewebview2.exe" --embedded-browser-webview=1 --webview-exe-name=Betternet.exe --webview-exe-version=8.8.1.1322 --user-data-dir="C:\ProgramData\Betternet\user\stripe\EBWebView" --noerrdialogs --embedded-browser-webview-dpi-awareness=1 --edge-webview-custom-scheme --mojo-named-platform-channel-pipe=3584.3356.13953785763381325739
Path: C:\Program Files\Microsoft\EdgeWebView\Application\109.0.1518.140\msedgewebview2.exe
Parent process: explorer.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Microsoft Edge WebView2
Exit code: 0
Version: 109.0.1518.140
Modules (images):
c:\program files\microsoft\edgewebview\application\109.0.1518.140\msedgewebview2.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files\microsoft\edgewebview\application\109.0.1518.140\msedge_elf.dll
c:\windows\system32\api-ms-win-core-synch-l1-2-0.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
PID: 1484
CMD: "C:\Users\admin\Downloads\Betternet VPN Premium v8.8.1.1322 Full Activated - WwW.Dr-FarFar.CoM\Crack\Betternet VPN Premium Activation Tool.exe"
Path: C:\Users\admin\Downloads\Betternet VPN Premium v8.8.1.1322 Full Activated - WwW.Dr-FarFar.CoM\Crack\Betternet VPN Premium Activation Tool.exe
Parent process: explorer.exe
User: admin
Company: Dr.FarFar | www.Dr-FarFar.com
Integrity Level: MEDIUM
Description: Betternet VPN Premium Activation Tool (ViP)
Exit code: 3221226540
Version: 8.8.1.1322
Modules (images):
c:\users\admin\downloads\betternet vpn premium v8.8.1.1322 full activated - www.dr-farfar.com\crack\betternet vpn premium activation tool.exe
c:\windows\system32\ntdll.dll
PID: 1548
CMD: "C:\Program Files\Microsoft\EdgeUpdate\Install\{71F3BDEF-756D-4292-866F-CDFE9E495831}\MicrosoftEdge_X86_109.0.1518.140.exe" --msedgewebview --verbose-logging --do-not-launch-msedge --system-level
Path: C:\Program Files\Microsoft\EdgeUpdate\Install\{71F3BDEF-756D-4292-866F-CDFE9E495831}\MicrosoftEdge_X86_109.0.1518.140.exe
Parent process: MicrosoftEdgeUpdate.exe
User: SYSTEM
Company: Microsoft Corporation
Integrity Level: SYSTEM
Description: Microsoft Edge Installer
Exit code: 0
Version: 109.0.1518.140
Modules (images):
c:\program files\microsoft\edgeupdate\install\{71f3bdef-756d-4292-866f-cdfe9e495831}\microsoftedge_x86_109.0.1518.140.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\shell32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\user32.dll
c:\windows\system32\lpk.dll
PID: 1572
CMD: "C:\Program Files\Microsoft\EdgeWebView\Application\109.0.1518.140\msedgewebview2.exe" --type=gpu-process --noerrdialogs --user-data-dir="C:\ProgramData\Betternet\user\stripe\EBWebView" --webview-exe-name=Betternet.exe --webview-exe-version=8.8.1.1322 --embedded-browser-webview=1 --embedded-browser-webview-dpi-awareness=1 --edge-webview-custom-scheme --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1180 --field-trial-handle=1196,i,6264612852101558029,4018079802908211096,131072 /prefetch:2
Path: C:\Program Files\Microsoft\EdgeWebView\Application\109.0.1518.140\msedgewebview2.exe
Parent process: msedgewebview2.exe
User: admin
Company: Microsoft Corporation
Integrity Level: LOW
Description: Microsoft Edge WebView2
Exit code: 0
Version: 109.0.1518.140
Modules (images):
c:\program files\microsoft\edgewebview\application\109.0.1518.140\msedgewebview2.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files\microsoft\edgewebview\application\109.0.1518.140\msedge_elf.dll
c:\windows\system32\api-ms-win-core-synch-l1-2-0.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
Total events: 97 387
Read events: 92 975
Write events: 4 132
Delete events: 280

Modification events

(PID) Process: (3864) iexplore.exe
Key: HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\TabbedBrowsing
Operation: write
Name: NTPDaysSinceLastAutoMigration
Value: 1

(PID) Process: (3864) iexplore.exe
Key: HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\TabbedBrowsing
Operation: write
Name: NTPLastLaunchLowDateTime
Value:

(PID) Process: (3864) iexplore.exe
Key: HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\TabbedBrowsing
Operation: write
Name: NTPLastLaunchHighDateTime
Value: 31088748

(PID) Process: (3864) iexplore.exe
Key: HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\UrlBlockManager
Operation: write
Name: NextCheckForUpdateLowDateTime
Value:

(PID) Process: (3864) iexplore.exe
Key: HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\UrlBlockManager
Operation: write
Name: NextCheckForUpdateHighDateTime
Value: 31088748

(PID) Process: (3864) iexplore.exe
Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content
Operation: write
Name: CachePrefix
Value:

(PID) Process: (3864) iexplore.exe
Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies
Operation: write
Name: CachePrefix
Value: Cookie:

(PID) Process: (3864) iexplore.exe
Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History
Operation: write
Name: CachePrefix
Value: Visited:

(PID) Process: (3864) iexplore.exe
Key: HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main
Operation: write
Name: CompatibilityFlags
Value: 0

(PID) Process: (3864) iexplore.exe
Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation: write
Name: ProxyBypass
Value: 1
Executable files: 118
Suspicious files: 158
Text files: 245
Unknown types: 116

Dropped files

PID | Process | Filename | Type

3952 | iexplore.exe | C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\57C8EDB95DF3F0AD4EE2DC2B8CFD4157 | binary
MD5: 9D576AF8E314F5668D07C8EE50B2B187
SHA256: AF320250E93947861E7E49866A201F9409FCB9907D105284140A13F39A5E64C5

3952 | iexplore.exe | C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\07CEF2F654E3ED6050FFC9B6EB844250_BACC6CD2B29F18349081C9FD2343833B | binary
MD5: 934EE60BC22F8BABFF6E6138B14F9C4A
SHA256: D622E9B0A8B69A1CA493D8906399BD3F4BE70C738B2BD11DE6E37A10044B14B1

3952 | iexplore.exe | C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\B2FAF7692FD9FFBD64EDE317E42334BA_D7393C8F62BDE4D4CB606228BC7A711E | binary
MD5: EEAEC5BB9C6DCA1C52A64C88AA91E674
SHA256: 55AA984692C17C30CF47E8A48392ED1AF7A1D5AAB8E40078CEDEF74A36077DB3

3952 | iexplore.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Cookies\Low\FWJ3X05F.txt | text
MD5: 41255F85577F9259C5348F4A82AC23FE
SHA256: 63A4B229C835C177DD78CC322890F0BCE29E4DD9D7620C94D11475A1F060DFAD

3952 | iexplore.exe | C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\6BADA8974A10C4BD62CC921D13E43B18_28DEA62A0AE77228DD387E155AD0BA27 | binary
MD5: 3E123D437516D0FB7645A55B8D585266
SHA256: B1A5552B8F3EC2C00338CAAB650BC0E1BF66B60192382D2660C7126BFF7943FE

3952 | iexplore.exe | C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\CAF4703619713E3F18D8A9D5D88D6288_F2DAF19C1F776537105D08FC8D978464 | der
MD5: 8202A1CD02E7D69597995CABBE881A12
SHA256: 58F381C3A0A0ACE6321DA22E40BD44A597BD98B9C9390AB9258426B5CF75A7A5

3952 | iexplore.exe | C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\A16C6C16D94F76E0808C087DFC657D99_FC81B3040A3979C87E07C970CA7A4407 | der
MD5: 8785C4F615F272A9BB770EA81CF94833
SHA256: C1655B4FFBE0328CC8CF3EA16A5DF9B91A6AF649B33A215CFB70F7CCEC800F76

3952 | iexplore.exe | C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\CAF4703619713E3F18D8A9D5D88D6288_F2DAF19C1F776537105D08FC8D978464 | binary
MD5: 6225C101B4E1DC63AACD140ACB5F500C
SHA256: 114DD73F02FF610A1943E8445BC163724401B8F5DB4A9744945BB7B8C1373E3D

3952 | iexplore.exe | C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\6BADA8974A10C4BD62CC921D13E43B18_28DEA62A0AE77228DD387E155AD0BA27 | binary
MD5: D996757BD8A6700996AB7316676CB035
SHA256: 720E3358EB0149DAA6302AD7B11DC65B37E42207C248C80F0009D2E182465319

3952 | iexplore.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Cookies\Low\DPNGCS21.txt | text
MD5: 33583B51CFDEE5F0679C4DE61C7314CB
SHA256: 29281E2D7F072C271FBA2C521FB812BEF103DC458D496E4A229FAAA3305577EE
HTTP(S) requests: 54
TCP/UDP connections: 158
DNS requests: 147
Threats: 3

HTTP requests

PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation
3952 | iexplore.exe | GET | 304 | 95.101.54.105:80 | http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/disallowedcertstl.cab?14266dff8470122f | unknown | | | unknown
3952 | iexplore.exe | GET | 200 | 172.64.149.23:80 | http://ocsp.usertrust.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTNMNJMNDqCqx8FcBWK16EHdimS6QQUU3m%2FWqorSs9UgOHYm8Cd8rIDZssCEBN9U5yqfDGppDNwGWiEeo0%3D | unknown | binary | 2.18 Kb | unknown
3952 | iexplore.exe | GET | 200 | 142.250.185.131:80 | http://ocsp.pki.goog/gsr1/MFEwTzBNMEswSTAJBgUrDgMCGgUABBS3V7W2nAf4FiMTjpDJKg6%2BMgGqMQQUYHtmGkUNl8qJUC99BM00qP%2F8%2FUsCEHe9DWzbNvka6iEPxPBY0w0%3D | unknown | binary | 1.41 Kb | unknown
3952 | iexplore.exe | GET | 200 | 192.229.221.95:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTBL0V27RVZ7LBduom%2FnYB45SPUEwQU5Z1ZMIJHWMys%2BghUNoZ7OrUETfACEAo3h2ReX7SMIk79G%2B0UDDw%3D | unknown | binary | 1.47 Kb | unknown
3952 | iexplore.exe | GET | 200 | 142.250.185.131:80 | http://ocsp.pki.goog/gtsr1/ME4wTDBKMEgwRjAJBgUrDgMCGgUABBQwkcLWD4LqGJ7bE7B1XZsEbmfwUAQU5K8rJnEaK0gnhS9SZizv8IkTcT4CDQIDvFNZazTHGPUBUGY%3D | unknown | binary | 724 b | unknown
3952 | iexplore.exe | GET | 200 | 142.250.185.131:80 | http://ocsp.pki.goog/gtsr1/ME4wTDBKMEgwRjAJBgUrDgMCGgUABBQwkcLWD4LqGJ7bE7B1XZsEbmfwUAQU5K8rJnEaK0gnhS9SZizv8IkTcT4CDQIDvFCjJ1PwkYAi7fE%3D | unknown | binary | 724 b | unknown
3952 | iexplore.exe | GET | 200 | 142.250.185.131:80 | http://ocsp.pki.goog/gtsr1/ME4wTDBKMEgwRjAJBgUrDgMCGgUABBQwkcLWD4LqGJ7bE7B1XZsEbmfwUAQU5K8rJnEaK0gnhS9SZizv8IkTcT4CDQIDvFCjJ1PwkYAi7fE%3D | unknown | binary | 724 b | unknown
3952 | iexplore.exe | GET | 200 | 142.250.185.131:80 | http://ocsp.pki.goog/gts1c3/MFIwUDBOMEwwSjAJBgUrDgMCGgUABBTHLnmK3f9hNLO67UdCuLvGwCQHYwQUinR%2Fr4XN7pXNPZzQ4kYU83E1HScCEQCG5mYmc5exBwr3zurLpXnC | unknown | binary | 472 b | unknown
3952 | iexplore.exe | GET | 200 | 142.250.185.131:80 | http://ocsp.pki.goog/gtsr1/ME4wTDBKMEgwRjAJBgUrDgMCGgUABBQwkcLWD4LqGJ7bE7B1XZsEbmfwUAQU5K8rJnEaK0gnhS9SZizv8IkTcT4CDQIDvFCjJ1PwkYAi7fE%3D | unknown | binary | 724 b | unknown
3952 | iexplore.exe | GET | 200 | 142.250.185.131:80 | http://ocsp.pki.goog/gtsr1/ME4wTDBKMEgwRjAJBgUrDgMCGgUABBQwkcLWD4LqGJ7bE7B1XZsEbmfwUAQU5K8rJnEaK0gnhS9SZizv8IkTcT4CDQIDvFCjJ1PwkYAi7fE%3D | unknown | binary | 724 b | unknown

Connections

PID | Process | IP | Domain | ASN | CN | Reputation
3952 | iexplore.exe | 104.16.113.74:443 | static.mediafire.com | CLOUDFLARENET | | unknown
4 | System | 192.168.100.255:138 | | | | whitelisted
4 | System | 192.168.100.255:137 | | | | whitelisted
1080 | svchost.exe | 224.0.0.252:5355 | | | | unknown
3952 | iexplore.exe | 95.101.54.105:80 | ctldl.windowsupdate.com | Akamai International B.V. | DE | unknown
3952 | iexplore.exe | 104.18.38.233:80 | ocsp.comodoca.com | CLOUDFLARENET | | shared
3952 | iexplore.exe | 172.64.149.23:80 | ocsp.comodoca.com | CLOUDFLARENET | US | unknown
3952 | iexplore.exe | 172.67.199.186:443 | the.gatekeeperconsent.com | CLOUDFLARENET | US | unknown
3952 | iexplore.exe | 142.250.186.72:443 | www.googletagmanager.com | GOOGLE | US | unknown
3952 | iexplore.exe | 172.67.41.60:443 | btloader.com | CLOUDFLARENET | US | unknown

DNS requests

Domain | IP | Reputation
www.mediafire.com | 216.239.36.178, 216.239.34.178, 216.239.38.178, 216.239.32.178 | shared
ctldl.windowsupdate.com | 95.101.54.105, 95.101.54.113, 93.184.221.240 | whitelisted
ocsp.comodoca.com | 104.18.38.233, 172.64.149.23 | whitelisted
ocsp.usertrust.com | 172.64.149.23, 104.18.38.233 | whitelisted
the.gatekeeperconsent.com | 172.67.199.186, 104.21.42.32 | unknown
www.googletagmanager.com | 142.250.186.72 | whitelisted
btloader.com | 172.67.41.60, 104.22.74.216, 104.22.75.216 | whitelisted
www.ezojs.com | 172.64.96.6, 172.64.97.6 | unknown
translate.google.com | 142.250.185.78 | whitelisted
static.cloudflareinsights.com | 104.16.56.101, 104.16.57.101 | whitelisted

Threats

PID | Process | Class | Message
1080 | svchost.exe | Potentially Bad Traffic | ET HUNTING File Sharing Related Domain (www .mediafire .com) in DNS Lookup
1080 | svchost.exe | Potentially Bad Traffic | ET HUNTING File Sharing Related Domain in DNS Lookup (download .mediafire .com)
856 | svchost.exe | Potential Corporate Privacy Violation | ET POLICY PE EXE or DLL Windows file download HTTP
Process | Message
msedgewebview2.exe | RecursiveDirectoryCreate( C:\ProgramData\Betternet\user directory exists )