URL:

https://www.mediafire.com/file/9sihbq7so7lwja8/Betternet_VPN_Premium_v8.8.1.1322_Full_Activated_-_WwW.Dr-FarFar.CoM.zip/file

Full analysis: https://app.any.run/tasks/c588462f-324a-4c43-a806-18e3d5434ac7
Verdict: Malicious activity
Threats:

A loader is malicious software that infiltrates devices to deliver malicious payloads. This malware is capable of infecting victims’ computers, analyzing their system information, and installing other types of threats, such as trojans or stealers. Criminals usually deliver loaders through phishing emails and links by relying on social engineering to trick users into downloading and running their executables. Loaders employ advanced evasion and persistence tactics to avoid detection.

Analysis date: February 16, 2024, 00:11:38
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags:
loader
Indicators:
MD5:

937088D7135C786836069AA09C87F9B1

SHA1:

F9BB40A0CCFB05787918C9E04E902972FE98F0FD

SHA256:

23C8B9568DA1A4D17DA07F510AEA5A545CB2B8456AFC87EAC79D23892DF8C8DD

SSDEEP:

3:N8DSLw3eGUocqlKtAwb0YUXAIRzTkX6UPGRS4kGySYhXe4R:2OLw3eGnlKtAwb0fzTkoo4kIY9R
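As an added example (not part of the ANY.RUN report), the following Python hashes files on disk and matches them against the MD5, SHA1 and SHA256 indicators listed above. It streams each file in chunks so a large archive is never read whole, compares case-insensitively because the report prints uppercase digests, and treats an MD5-only hit as a lead rather than a confirmation, since MD5 collisions are practical. The ssdeep value is not covered: computing it needs a third-party library, which is not assumed here. The command-line usage in the `__main__` block (a directory argument) is an assumption of this example.

```python
"""Check files against the hash indicators (MD5 / SHA1 / SHA256) from this report."""
import hashlib
import os
import sys
from pathlib import Path

# Indicators copied from the report above; stored lowercase, compared case-insensitively.
REPORT_IOCS = {
    "md5": "937088d7135c786836069aa09c87f9b1",
    "sha1": "f9bb40a0ccfb05787918c9e04e902972fe98f0fd",
    "sha256": "23c8b9568da1a4d17da07f510aea5a545cb2b8456afc87eac79d23892df8c8dd",
}
ALGORITHMS = tuple(REPORT_IOCS)


def hash_bytes(data):
    """Digest an in-memory buffer with every algorithm the report lists."""
    return {alg: hashlib.new(alg, data).hexdigest() for alg in ALGORITHMS}


def hash_file(path, chunk_size=1 << 20):
    """Digest a file in 1 MiB chunks so a multi-hundred-MB archive is never loaded whole."""
    hashers = {alg: hashlib.new(alg) for alg in ALGORITHMS}
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            for h in hashers.values():
                h.update(chunk)
    return {alg: h.hexdigest() for alg, h in hashers.items()}


def match_iocs(digests, iocs=REPORT_IOCS):
    """Return the set of algorithms on which `digests` equals the indicators.

    A SHA-256 hit identifies the exact sample. An MD5-only hit is a lead that still
    needs confirming (MD5 collisions are cheap). An empty set means "not this sample",
    not "clean": a repacked archive has different hashes and the same payload.
    """
    return {alg for alg, expected in iocs.items()
            if digests.get(alg, "").lower() == expected.lower()}


def scan_directory(root, iocs=REPORT_IOCS):
    """Walk `root` and return (path, sorted matched algorithms) for every file hitting an indicator."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = Path(dirpath) / name
            try:
                matched = match_iocs(hash_file(path), iocs)
            except OSError:
                continue  # locked, unreadable or permission denied; skip rather than abort the scan
            if matched:
                hits.append((str(path), sorted(matched)))
    return hits


if __name__ == "__main__":
    # Assumed usage: python ioc_check.py <directory>  (defaults to the current directory)
    for path, algs in scan_directory(sys.argv[1] if len(sys.argv) > 1 else "."):
        print(f"MATCH {','.join(algs)}: {path}")
```

The indicators identify the downloaded archive, not the files inside it; to match the extracted installer or the "Activation Tool" you need their own hashes from the full report's dropped-files list.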

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Drops the executable file immediately after the start

      • Betternet VPN Premium v8.8.1.1322.exe (PID: 1036)
      • tapinstall.exe (PID: 1808)
      • drvinst.exe (PID: 2728)
      • drvinst.exe (PID: 2260)
      • MicrosoftEdge_X86_109.0.1518.140.exe (PID: 1548)
      • setup.exe (PID: 2528)
      • BetternetSvc.exe (PID: 2244)
      • Betternet VPN Premium Activation Tool.exe (PID: 2808)
    • Creates a writable file in the system directory

      • drvinst.exe (PID: 2728)
      • drvinst.exe (PID: 2260)
      • MicrosoftEdgeUpdate.exe (PID: 3200)
      • BetternetSvc.exe (PID: 2244)
    • Changes the autorun value in the registry

      • drvinst.exe (PID: 2260)
    • The DLL Hijacking

      • msedgewebview2.exe (PID: 1572)
      • msedgewebview2.exe (PID: 2648)
    • Scans artifacts that could help determine the target

      • msedgewebview2.exe (PID: 1336)
  • SUSPICIOUS

    • Executable content was dropped or overwritten

      • Betternet VPN Premium v8.8.1.1322.exe (PID: 1036)
      • tapinstall.exe (PID: 1808)
      • drvinst.exe (PID: 2728)
      • drvinst.exe (PID: 2260)
      • MicrosoftEdge_X86_109.0.1518.140.exe (PID: 1548)
      • setup.exe (PID: 2528)
      • BetternetSvc.exe (PID: 2244)
      • Betternet VPN Premium Activation Tool.exe (PID: 2808)
    • Malware-specific behavior (creating "System.dll" in Temp)

      • Betternet VPN Premium v8.8.1.1322.exe (PID: 1036)
    • The process creates files with name similar to system file names

      • Betternet VPN Premium v8.8.1.1322.exe (PID: 1036)
    • Executes as Windows Service

      • VSSVC.exe (PID: 2448)
      • MicrosoftEdgeUpdate.exe (PID: 3096)
      • BetternetSvc.exe (PID: 2244)
    • Checks Windows Trust Settings

      • tapinstall.exe (PID: 1808)
      • drvinst.exe (PID: 2260)
      • drvinst.exe (PID: 2728)
      • MicrosoftEdgeUpdate.exe (PID: 3096)
      • MicrosoftEdgeUpdate.exe (PID: 3200)
      • MicrosoftEdgeUpdate.exe (PID: 1624)
      • BetternetSvc.exe (PID: 2244)
    • Drops a system driver (possible attempt to evade defenses)

      • tapinstall.exe (PID: 1808)
      • drvinst.exe (PID: 2728)
      • drvinst.exe (PID: 2260)
    • Creates files in the driver directory

      • drvinst.exe (PID: 2728)
      • drvinst.exe (PID: 2260)
    • Starts a Microsoft application from unusual location

      • MicrosoftEdgeUpdate.exe (PID: 1928)
    • Process drops legitimate windows executable

      • MicrosoftEdgeUpdate.exe (PID: 1928)
      • MicrosoftEdge_X86_109.0.1518.140.exe (PID: 1548)
      • setup.exe (PID: 2528)
    • Disables SEHOP

      • MicrosoftEdgeUpdate.exe (PID: 1928)
    • Creates a software uninstall entry

      • MicrosoftEdgeUpdate.exe (PID: 1928)
      • setup.exe (PID: 2528)
      • Betternet VPN Premium Activation Tool.exe (PID: 2808)
    • Starts itself from another location

      • MicrosoftEdgeUpdate.exe (PID: 1928)
    • Creates/Modifies COM task schedule object

      • MicrosoftEdgeUpdate.exe (PID: 2156)
    • Reads security settings of Internet Explorer

      • MicrosoftEdgeUpdate.exe (PID: 3200)
      • BetternetSvc.exe (PID: 2244)
      • MicrosoftEdgeUpdate.exe (PID: 1624)
    • Reads the BIOS version

      • Betternet VPN Premium Activation Tool.exe (PID: 2808)
    • Searches for installed software

      • setup.exe (PID: 2528)
      • msedgewebview2.exe (PID: 1336)
    • Application launched itself

      • MicrosoftEdgeUpdate.exe (PID: 3096)
      • msedgewebview2.exe (PID: 1336)
    • Starts CMD.EXE for commands execution

      • Betternet VPN Premium Activation Tool.exe (PID: 2808)
    • Uses TASKKILL.EXE to kill process

      • cmd.exe (PID: 3464)
    • Reads settings of System Certificates

      • msedgewebview2.exe (PID: 1336)
    • Reads the Internet Settings

      • msedgewebview2.exe (PID: 1336)
      • cmd.exe (PID: 3748)
  • INFO

    • Application launched itself

      • iexplore.exe (PID: 3864)
      • msedge.exe (PID: 2588)
      • msedge.exe (PID: 3716)
    • Modifies the phishing filter of IE

      • iexplore.exe (PID: 3864)
    • Checks supported languages

      • Betternet VPN Premium v8.8.1.1322.exe (PID: 1036)
      • tapinstall.exe (PID: 1220)
      • ns6A2E.tmp (PID: 2744)
      • ns69B0.tmp (PID: 2500)
      • tapinstall.exe (PID: 1808)
      • drvinst.exe (PID: 2728)
      • drvinst.exe (PID: 2260)
      • MicrosoftEdgeUpdate.exe (PID: 1928)
      • MicrosoftEdgeUpdate.exe (PID: 2156)
      • MicrosoftEdgeUpdate.exe (PID: 2960)
      • MicrosoftEdgeUpdate.exe (PID: 2652)
      • MicrosoftEdgeUpdate.exe (PID: 3200)
      • MicrosoftEdgeUpdate.exe (PID: 3096)
      • MicrosoftEdge_X86_109.0.1518.140.exe (PID: 1548)
      • setup.exe (PID: 2528)
      • Betternet VPN Premium Activation Tool.exe (PID: 2808)
      • MicrosoftEdgeUpdate.exe (PID: 1624)
      • BetternetSvc.exe (PID: 2244)
      • BetternetNtf.exe (PID: 2752)
      • msedgewebview2.exe (PID: 1336)
      • msedgewebview2.exe (PID: 1572)
      • msedgewebview2.exe (PID: 2884)
      • msedgewebview2.exe (PID: 2648)
      • msedgewebview2.exe (PID: 1796)
      • msedgewebview2.exe (PID: 1936)
      • msedgewebview2.exe (PID: 1892)
    • Reads the computer name

      • Betternet VPN Premium v8.8.1.1322.exe (PID: 1036)
      • tapinstall.exe (PID: 1220)
      • tapinstall.exe (PID: 1808)
      • drvinst.exe (PID: 2728)
      • drvinst.exe (PID: 2260)
      • MicrosoftEdgeUpdate.exe (PID: 1928)
      • MicrosoftEdgeUpdate.exe (PID: 2960)
      • MicrosoftEdgeUpdate.exe (PID: 2156)
      • MicrosoftEdgeUpdate.exe (PID: 3200)
      • MicrosoftEdgeUpdate.exe (PID: 3096)
      • MicrosoftEdgeUpdate.exe (PID: 2652)
      • setup.exe (PID: 2528)
      • MicrosoftEdge_X86_109.0.1518.140.exe (PID: 1548)
      • MicrosoftEdgeUpdate.exe (PID: 1624)
      • BetternetNtf.exe (PID: 2752)
      • BetternetSvc.exe (PID: 2244)
      • msedgewebview2.exe (PID: 1336)
      • msedgewebview2.exe (PID: 1796)
      • msedgewebview2.exe (PID: 2648)
      • msedgewebview2.exe (PID: 1572)
    • The process uses the downloaded file

      • iexplore.exe (PID: 3864)
      • WinRAR.exe (PID: 2112)
    • Manual execution by a user

      • explorer.exe (PID: 1768)
      • WinRAR.exe (PID: 2112)
      • Betternet VPN Premium v8.8.1.1322.exe (PID: 764)
      • Betternet VPN Premium v8.8.1.1322.exe (PID: 1036)
      • Betternet VPN Premium Activation Tool.exe (PID: 1484)
      • Betternet VPN Premium Activation Tool.exe (PID: 2808)
      • msedgewebview2.exe (PID: 1336)
      • msedge.exe (PID: 3716)
    • Drops the executable file immediately after the start

      • WinRAR.exe (PID: 2112)
      • msiexec.exe (PID: 1592)
    • Executable content was dropped or overwritten

      • WinRAR.exe (PID: 2112)
      • msiexec.exe (PID: 1592)
    • Create files in a temporary directory

      • Betternet VPN Premium v8.8.1.1322.exe (PID: 1036)
      • msiexec.exe (PID: 1592)
      • tapinstall.exe (PID: 1808)
      • MicrosoftEdgeUpdate.exe (PID: 3200)
      • Betternet VPN Premium Activation Tool.exe (PID: 2808)
      • msedgewebview2.exe (PID: 1336)
    • Reads security settings of Internet Explorer

      • msiexec.exe (PID: 1592)
    • Reads the software policy settings

      • msiexec.exe (PID: 1592)
      • tapinstall.exe (PID: 1808)
      • drvinst.exe (PID: 2260)
      • rundll32.exe (PID: 2320)
      • drvinst.exe (PID: 2728)
      • MicrosoftEdgeUpdate.exe (PID: 3200)
      • MicrosoftEdgeUpdate.exe (PID: 3096)
      • MicrosoftEdgeUpdate.exe (PID: 1624)
      • BetternetSvc.exe (PID: 2244)
      • msedgewebview2.exe (PID: 1336)
    • Reads the machine GUID from the registry

      • tapinstall.exe (PID: 1808)
      • drvinst.exe (PID: 2728)
      • drvinst.exe (PID: 2260)
      • Betternet VPN Premium Activation Tool.exe (PID: 2808)
      • BetternetSvc.exe (PID: 2244)
      • BetternetNtf.exe (PID: 2752)
      • msedgewebview2.exe (PID: 1336)
    • Reads Environment values

      • drvinst.exe (PID: 2260)
      • MicrosoftEdgeUpdate.exe (PID: 3200)
      • MicrosoftEdgeUpdate.exe (PID: 1624)
      • BetternetSvc.exe (PID: 2244)
      • msedgewebview2.exe (PID: 1336)
    • Checks proxy server information

      • MicrosoftEdgeUpdate.exe (PID: 3200)
      • MicrosoftEdgeUpdate.exe (PID: 1624)
    • Creates files in the program directory

      • MicrosoftEdge_X86_109.0.1518.140.exe (PID: 1548)
      • setup.exe (PID: 2528)
      • BetternetSvc.exe (PID: 2244)
      • Betternet VPN Premium Activation Tool.exe (PID: 2808)
      • msedgewebview2.exe (PID: 2884)
      • msedgewebview2.exe (PID: 1336)
      • msedgewebview2.exe (PID: 1796)
    • Process checks whether UAC notifications are on

      • Betternet VPN Premium Activation Tool.exe (PID: 2808)
    • Reads mouse settings

      • Betternet VPN Premium Activation Tool.exe (PID: 2808)
    • Reads product name

      • BetternetSvc.exe (PID: 2244)
    • Process checks computer location settings

      • msedgewebview2.exe (PID: 1336)
      • msedgewebview2.exe (PID: 1892)
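The signature tree above is long, and much of it comes from the Microsoft Edge WebView2 installer chain that the Betternet setup pulls in, so the severity labels are easier to use once they are aggregated per process. The following Python is an added example, not part of the ANY.RUN report: it parses that bullet format, collects hits per PID, and ranks processes by how many MALICIOUS, SUSPICIOUS and INFO signatures fired on each, so a triager can see which few processes actually carry the findings. The embedded `SAMPLE_SIGNATURES` is a constructed excerpt copied from the tree above in the same format. Parsing assumptions: severity headers are the bare words MALICIOUS, SUSPICIOUS and INFO, and a process line ends in "(PID: n)"; a signature name that itself contains parentheses, such as "Drops a system driver (possible attempt to evade defenses)", does not match that pattern and is handled correctly.

```python
"""Triage an ANY.RUN signature tree: aggregate hits per process and rank by severity."""
import re

SEVERITIES = ("MALICIOUS", "SUSPICIOUS", "INFO")
# A process line in the tree looks like "• drvinst.exe (PID: 2260)".
PROC_RE = re.compile(r"^(?P<name>.+?) \(PID: (?P<pid>\d+)\)$")

# Constructed excerpt of the report's signature tree (same bullet format as the page).
SAMPLE_SIGNATURES = """
  • MALICIOUS
    • Drops the executable file immediately after the start
      • Betternet VPN Premium v8.8.1.1322.exe (PID: 1036)
      • tapinstall.exe (PID: 1808)
      • BetternetSvc.exe (PID: 2244)
    • Changes the autorun value in the registry
      • drvinst.exe (PID: 2260)
    • The DLL Hijacking
      • msedgewebview2.exe (PID: 1572)
  • SUSPICIOUS
    • Drops a system driver (possible attempt to evade defenses)
      • tapinstall.exe (PID: 1808)
      • drvinst.exe (PID: 2260)
    • Starts CMD.EXE for commands execution
      • Betternet VPN Premium Activation Tool.exe (PID: 2808)
    • Uses TASKKILL.EXE to kill process
      • cmd.exe (PID: 3464)
  • INFO
    • Reads the computer name
      • Betternet VPN Premium v8.8.1.1322.exe (PID: 1036)
      • tapinstall.exe (PID: 1808)
      • MicrosoftEdgeUpdate.exe (PID: 1928)
    • Manual execution by a user
      • Betternet VPN Premium Activation Tool.exe (PID: 2808)
"""


def parse_signatures(text):
    """Walk the three-level bullet tree (severity > signature > process) and return
    {pid: {"name": process name, "hits": {severity: [signature, ...]}}}."""
    procs = {}
    severity = None
    signature = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line.startswith("•"):
            continue  # blank lines and any non-bullet text
        item = line.lstrip("•").strip()
        if item in SEVERITIES:
            severity, signature = item, None
            continue
        m = PROC_RE.match(item)
        if m is None or severity is None or signature is None:
            signature = item  # a signature name; may itself contain parentheses
            continue
        pid = int(m.group("pid"))
        entry = procs.setdefault(pid, {"name": m.group("name"),
                                       "hits": {s: [] for s in SEVERITIES}})
        if signature not in entry["hits"][severity]:
            entry["hits"][severity].append(signature)
    return procs


def hit_counts(entry):
    """(malicious, suspicious, info) hit counts for one process entry."""
    return tuple(len(entry["hits"][s]) for s in SEVERITIES)


def triage(procs):
    """Rank (pid, entry) pairs: most MALICIOUS hits first, then SUSPICIOUS, then INFO."""
    return sorted(procs.items(), key=lambda kv: hit_counts(kv[1]), reverse=True)


def verdict_for(procs, pid):
    """Highest severity that fired for a PID, or 'NONE'."""
    for s in SEVERITIES:
        if procs[pid]["hits"][s]:
            return s
    return "NONE"


def info_only(procs):
    """PIDs with INFO hits only: candidates to set aside on a first pass."""
    return sorted(pid for pid in procs if verdict_for(procs, pid) == "INFO")


def signatures_by_process_count(procs):
    """Map (severity, signature) to the number of distinct PIDs it fired on. A signature
    that fires on one process is usually a better pivot than one that fires on twenty."""
    counts = {}
    for entry in procs.values():
        for sev in SEVERITIES:
            for sig in entry["hits"][sev]:
                counts[(sev, sig)] = counts.get((sev, sig), 0) + 1
    return counts


if __name__ == "__main__":
    procs = parse_signatures(SAMPLE_SIGNATURES)
    for pid, entry in triage(procs):
        mal, sus, info = hit_counts(entry)
        print(f"{pid:>5} {entry['name']:<45} MAL={mal} SUS={sus} INFO={info} "
              f"-> {verdict_for(procs, pid)}")
```

The ranking is a reading aid, not a verdict: a TAP adapter driver install (tapinstall.exe, drvinst.exe) is expected for a VPN client, so "Drops a system driver" on those PIDs needs to be weighed against what the process is, while a single SUSPICIOUS hit on the third-party "Activation Tool" spawning cmd.exe and taskkill.exe deserves a closer look than its count suggests.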
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.
No data.
All screenshots are available in the full report
Total processes
159
Monitored processes
59
Malicious processes
12
Suspicious processes
4

Behavior graph

Processes in the graph, in start order ("no specs" is the graph's marker for an instance the report recorded no indicators for): iexplore.exe, iexplore.exe, explorer.exe (no specs), winrar.exe, betternet vpn premium v8.8.1.1322.exe (no specs), betternet vpn premium v8.8.1.1322.exe, msiexec.exe, vssvc.exe (no specs), ns69b0.tmp (no specs), tapinstall.exe (no specs), ns6a2e.tmp (no specs), tapinstall.exe, drvinst.exe, rundll32.exe (no specs), drvinst.exe, microsoftedgeupdate.exe (no specs) ×3, microsoftedgeupdate.exe, microsoftedgeupdate.exe (no specs), microsoftedgeupdate.exe, microsoftedge_x86_109.0.1518.140.exe, setup.exe, betternet vpn premium activation tool.exe (no specs), betternet vpn premium activation tool.exe, microsoftedgeupdate.exe, cmd.exe (no specs), taskkill.exe (no specs), betternetsvc.exe, betternetntf.exe (no specs), msedgewebview2.exe, msedgewebview2.exe (no specs) ×2, msedgewebview2.exe, msedgewebview2.exe (no specs) ×3, cmd.exe (no specs), msedge.exe (no specs) ×4, msedge.exe, msedge.exe (no specs) ×2, msedge.exe, followed by the remaining msedge.exe instances (no specs).

Process information

PID
CMD
Path
Indicators
Parent process
PID:
712
CMD:
"C:\Program Files\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1288 --field-trial-handle=1316,i,11275711947859196319,4448916986936035848,131072 /prefetch:2
Path:
C:\Program Files\Microsoft\Edge\Application\msedge.exe
Parent process:
msedge.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
LOW
Description:
Microsoft Edge
Exit code:
0
Version:
109.0.1518.115
Modules
Images
c:\program files\microsoft\edge\application\msedge.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files\microsoft\edge\application\109.0.1518.115\msedge_elf.dll
c:\windows\system32\api-ms-win-core-synch-l1-2-0.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
PID:
764
CMD:
"C:\Users\admin\Downloads\Betternet VPN Premium v8.8.1.1322 Full Activated - WwW.Dr-FarFar.CoM\Setup\Betternet VPN Premium v8.8.1.1322.exe"
Path:
C:\Users\admin\Downloads\Betternet VPN Premium v8.8.1.1322 Full Activated - WwW.Dr-FarFar.CoM\Setup\Betternet VPN Premium v8.8.1.1322.exe
Parent process:
explorer.exe
User:
admin
Company:
Pango Inc.
Integrity Level:
MEDIUM
Description:
Betternet for Windows
Exit code:
3221226540 (0xC000042C, STATUS_ELEVATION_REQUIRED: this MEDIUM-integrity instance could not proceed without elevation; the same installer then ran as PID 1036 at HIGH integrity)
Version:
8.8.1.1322
Modules
Images
c:\users\admin\downloads\betternet vpn premium v8.8.1.1322 full activated - www.dr-farfar.com\setup\betternet vpn premium v8.8.1.1322.exe
c:\windows\system32\ntdll.dll
PID:
876
CMD:
"C:\Program Files\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4116 --field-trial-handle=1276,i,12612468658325218317,846481000068525724,131072 /prefetch:8
Path:
C:\Program Files\Microsoft\Edge\Application\msedge.exe
Parent process:
msedge.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
LOW
Description:
Microsoft Edge
Exit code:
0
Version:
109.0.1518.115
Modules
Images
c:\program files\microsoft\edge\application\msedge.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files\microsoft\edge\application\109.0.1518.115\msedge_elf.dll
c:\windows\system32\api-ms-win-core-synch-l1-2-0.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
PID:
1036
CMD:
"C:\Users\admin\Downloads\Betternet VPN Premium v8.8.1.1322 Full Activated - WwW.Dr-FarFar.CoM\Setup\Betternet VPN Premium v8.8.1.1322.exe"
Path:
C:\Users\admin\Downloads\Betternet VPN Premium v8.8.1.1322 Full Activated - WwW.Dr-FarFar.CoM\Setup\Betternet VPN Premium v8.8.1.1322.exe
Parent process:
explorer.exe
User:
admin
Company:
Pango Inc.
Integrity Level:
HIGH
Description:
Betternet for Windows
Exit code:
0
Version:
8.8.1.1322
Modules
Images
c:\users\admin\downloads\betternet vpn premium v8.8.1.1322 full activated - www.dr-farfar.com\setup\betternet vpn premium v8.8.1.1322.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\shell32.dll
c:\windows\system32\shlwapi.dll
PID:
1220
CMD:
"C:\Program Files\BetterNet TAP-Windows\bin\tapinstall.exe" hwids bntap
Path:
C:\Program Files\BetterNet TAP-Windows\bin\tapinstall.exe
Parent process:
ns69B0.tmp
User:
SYSTEM
Company:
Windows (R) Win 7 DDK provider
Integrity Level:
SYSTEM
Description:
Windows Setup API
Exit code:
0
Version:
10.0.10011.16384
Modules
Images
c:\program files\betternet tap-windows\bin\tapinstall.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\advapi32.dll
PID:
1232
CMD:
"C:\Program Files\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --use-gl=angle --use-angle=swiftshader-webgl --mojo-platform-channel-handle=1340 --field-trial-handle=1276,i,12612468658325218317,846481000068525724,131072 /prefetch:2
Path:
C:\Program Files\Microsoft\Edge\Application\msedge.exe
Parent process:
msedge.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
LOW
Description:
Microsoft Edge
Exit code:
0
Version:
109.0.1518.115
Modules
Images
c:\program files\microsoft\edge\application\msedge.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files\microsoft\edge\application\109.0.1518.115\msedge_elf.dll
c:\windows\system32\api-ms-win-core-synch-l1-2-0.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
PID:
1336
CMD:
"C:\Program Files\Microsoft\EdgeWebView\Application\109.0.1518.140\msedgewebview2.exe" --embedded-browser-webview=1 --webview-exe-name=Betternet.exe --webview-exe-version=8.8.1.1322 --user-data-dir="C:\ProgramData\Betternet\user\stripe\EBWebView" --noerrdialogs --embedded-browser-webview-dpi-awareness=1 --edge-webview-custom-scheme --mojo-named-platform-channel-pipe=3584.3356.13953785763381325739
Path:
C:\Program Files\Microsoft\EdgeWebView\Application\109.0.1518.140\msedgewebview2.exe
Parent process:
explorer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft Edge WebView2
Exit code:
0
Version:
109.0.1518.140
Modules
Images
c:\program files\microsoft\edgewebview\application\109.0.1518.140\msedgewebview2.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files\microsoft\edgewebview\application\109.0.1518.140\msedge_elf.dll
c:\windows\system32\api-ms-win-core-synch-l1-2-0.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
PID:
1484
CMD:
"C:\Users\admin\Downloads\Betternet VPN Premium v8.8.1.1322 Full Activated - WwW.Dr-FarFar.CoM\Crack\Betternet VPN Premium Activation Tool.exe"
Path:
C:\Users\admin\Downloads\Betternet VPN Premium v8.8.1.1322 Full Activated - WwW.Dr-FarFar.CoM\Crack\Betternet VPN Premium Activation Tool.exe
Parent process:
explorer.exe
User:
admin
Company:
Dr.FarFar | www.Dr-FarFar.com
Integrity Level:
MEDIUM
Description:
Betternet VPN Premium Activation Tool (ViP)
Exit code:
3221226540 (0xC000042C, STATUS_ELEVATION_REQUIRED: this MEDIUM-integrity instance could not proceed without elevation; the tool then ran again as PID 2808, the instance that carries the cmd.exe/taskkill.exe and uninstall-entry indicators above)
Version:
8.8.1.1322
Modules
Images
c:\users\admin\downloads\betternet vpn premium v8.8.1.1322 full activated - www.dr-farfar.com\crack\betternet vpn premium activation tool.exe
c:\windows\system32\ntdll.dll
PID:
1548
CMD:
"C:\Program Files\Microsoft\EdgeUpdate\Install\{71F3BDEF-756D-4292-866F-CDFE9E495831}\MicrosoftEdge_X86_109.0.1518.140.exe" --msedgewebview --verbose-logging --do-not-launch-msedge --system-level
Path:
C:\Program Files\Microsoft\EdgeUpdate\Install\{71F3BDEF-756D-4292-866F-CDFE9E495831}\MicrosoftEdge_X86_109.0.1518.140.exe
Parent process:
MicrosoftEdgeUpdate.exe
User:
SYSTEM
Company:
Microsoft Corporation
Integrity Level:
SYSTEM
Description:
Microsoft Edge Installer
Exit code:
0
Version:
109.0.1518.140
Modules
Images
c:\program files\microsoft\edgeupdate\install\{71f3bdef-756d-4292-866f-cdfe9e495831}\microsoftedge_x86_109.0.1518.140.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\shell32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\user32.dll
c:\windows\system32\lpk.dll
PID:
1572
CMD:
"C:\Program Files\Microsoft\EdgeWebView\Application\109.0.1518.140\msedgewebview2.exe" --type=gpu-process --noerrdialogs --user-data-dir="C:\ProgramData\Betternet\user\stripe\EBWebView" --webview-exe-name=Betternet.exe --webview-exe-version=8.8.1.1322 --embedded-browser-webview=1 --embedded-browser-webview-dpi-awareness=1 --edge-webview-custom-scheme --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1180 --field-trial-handle=1196,i,6264612852101558029,4018079802908211096,131072 /prefetch:2
Path:
C:\Program Files\Microsoft\EdgeWebView\Application\109.0.1518.140\msedgewebview2.exe
Parent process:
msedgewebview2.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
LOW
Description:
Microsoft Edge WebView2
Exit code:
0
Version:
109.0.1518.140
Modules
Images
c:\program files\microsoft\edgewebview\application\109.0.1518.140\msedgewebview2.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files\microsoft\edgewebview\application\109.0.1518.140\msedge_elf.dll
c:\windows\system32\api-ms-win-core-synch-l1-2-0.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
Total events
97 387
Read events
92 975
Write events
4 132
Delete events
280

Modification events

Process: (3864) iexplore.exe
Key: HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\TabbedBrowsing
Operation: write
Name: NTPDaysSinceLastAutoMigration
Value: 1

Process: (3864) iexplore.exe
Key: HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\TabbedBrowsing
Operation: write
Name: NTPLastLaunchLowDateTime
Value:

Process: (3864) iexplore.exe
Key: HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\TabbedBrowsing
Operation: write
Name: NTPLastLaunchHighDateTime
Value: 31088748

Process: (3864) iexplore.exe
Key: HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\UrlBlockManager
Operation: write
Name: NextCheckForUpdateLowDateTime
Value:

Process: (3864) iexplore.exe
Key: HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\UrlBlockManager
Operation: write
Name: NextCheckForUpdateHighDateTime
Value: 31088748

Process: (3864) iexplore.exe
Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content
Operation: write
Name: CachePrefix
Value:

Process: (3864) iexplore.exe
Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies
Operation: write
Name: CachePrefix
Value: Cookie:

Process: (3864) iexplore.exe
Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History
Operation: write
Name: CachePrefix
Value: Visited:

Process: (3864) iexplore.exe
Key: HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main
Operation: write
Name: CompatibilityFlags
Value: 0

Process: (3864) iexplore.exe
Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation: write
Name: ProxyBypass
Value: 1
Executable files
118
Suspicious files
158
Text files
245
Unknown types
116

Dropped files

PID: 3952  Process: iexplore.exe
Filename: C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\57C8EDB95DF3F0AD4EE2DC2B8CFD4157
Type: binary
MD5: 9D576AF8E314F5668D07C8EE50B2B187
SHA256: AF320250E93947861E7E49866A201F9409FCB9907D105284140A13F39A5E64C5

PID: 3952  Process: iexplore.exe
Filename: C:\Users\admin\AppData\Roaming\Microsoft\Windows\Cookies\Low\4HPL13QO.txt
Type: text
MD5: 01DD544C65BA4A6B77B6C72104DBE24A
SHA256: 73A70E1F9912A74F3869F62E7D3D028B8D15E0D2F03262B4C004114BE9D6660C

PID: 3952  Process: iexplore.exe
Filename: C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\CAF4703619713E3F18D8A9D5D88D6288_F2DAF19C1F776537105D08FC8D978464
Type: der
MD5: 8202A1CD02E7D69597995CABBE881A12
SHA256: 58F381C3A0A0ACE6321DA22E40BD44A597BD98B9C9390AB9258426B5CF75A7A5

PID: 3952  Process: iexplore.exe
Filename: C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA
Type: der
MD5: 22E5FC9D188A4294578FF8C519ADE71E
SHA256: D105897A01241C6F1BD559621235364126F5A36C6B9D92A49303FEA30EEA748B

PID: 3952  Process: iexplore.exe
Filename: C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\F07644E38ED7C9F37D11EEC6D4335E02_77B1CCFAF3D0516ED1D1368847DAC1ED
Type: binary
MD5: 62EB7224F36A4CF25D12884CFDE47702
SHA256: 714D9BC4BEEFEBC2CE5E131CA4CB5FA67B5F75FD0AE242406F271D12C0B15ABD

PID: 3952  Process: iexplore.exe
Filename: C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\DY534W2X\cmp.min[1].js
Type: text
MD5: FBE92038AA9B8D58FC93CFE47E2987AF
SHA256: 66F8ECD359CCF9D79AE9C4AD10312DE1A65DB446344B2667E54D604F25D3165B

PID: 3952  Process: iexplore.exe
Filename: C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\YTOWV792\js[1].js
Type: text
MD5: 9BE03EEC958095011F4987E8C5C07F72
SHA256: 1FD40B6A1C080E69FDC0310DCDCF39457000ADA1D1863285B62186F53051ABEC

PID: 3952  Process: iexplore.exe
Filename: C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\A16C6C16D94F76E0808C087DFC657D99_FC81B3040A3979C87E07C970CA7A4407
Type: binary
MD5: 997707046DE9900C7691F9F51344BED3
SHA256: 3E892293967BE858422C031FE09DC7CC12CE36D313D53E753021D9BE43D5C04D

PID: 3952  Process: iexplore.exe
Filename: C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\YTOWV792\tag[1].js
Type: text
MD5: DB180DE4A0438C0E98324293546CD8F1
SHA256: A4621BE29415C3F24AB21FA8916275F47F71C8AA158455E1AD7EDE5AE7D019F2

PID: 3952  Process: iexplore.exe
Filename: C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\07CEF2F654E3ED6050FFC9B6EB844250_BACC6CD2B29F18349081C9FD2343833B
Type: binary
MD5: 934EE60BC22F8BABFF6E6138B14F9C4A
SHA256: D622E9B0A8B69A1CA493D8906399BD3F4BE70C738B2BD11DE6E37A10044B14B1
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
54
TCP/UDP connections
158
DNS requests
147
Threats
3

HTTP requests

Columns: PID, process, method, HTTP code, IP, URL, CN, type, size, reputation. A 304 response carries no body, so those rows have no type or size. The 10 rows shown (of 54 requests) all belong to the iexplore.exe instance (PID 3952) that fetched the archive; the remaining requests are in the full report.

3952 iexplore.exe GET 304 95.101.54.105:80 http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/disallowedcertstl.cab?14266dff8470122f (CN: unknown; reputation: unknown)
3952 iexplore.exe GET 304 95.101.54.105:80 http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/disallowedcertstl.cab?c9f2b763ba05a2db (CN: unknown; reputation: unknown)
3952 iexplore.exe GET 200 142.250.185.131:80 http://ocsp.pki.goog/gtsr1/ME4wTDBKMEgwRjAJBgUrDgMCGgUABBQwkcLWD4LqGJ7bE7B1XZsEbmfwUAQU5K8rJnEaK0gnhS9SZizv8IkTcT4CDQIDvFNZazTHGPUBUGY%3D (CN: unknown; type: binary; size: 724 b; reputation: unknown)
3952 iexplore.exe GET 200 142.250.185.131:80 http://ocsp.pki.goog/gtsr1/ME4wTDBKMEgwRjAJBgUrDgMCGgUABBQwkcLWD4LqGJ7bE7B1XZsEbmfwUAQU5K8rJnEaK0gnhS9SZizv8IkTcT4CDQIDvFCjJ1PwkYAi7fE%3D (CN: unknown; type: binary; size: 724 b; reputation: unknown)
3952 iexplore.exe GET 200 142.250.185.131:80 http://ocsp.pki.goog/gts1c3/MFIwUDBOMEwwSjAJBgUrDgMCGgUABBTHLnmK3f9hNLO67UdCuLvGwCQHYwQUinR%2Fr4XN7pXNPZzQ4kYU83E1HScCEQCG5mYmc5exBwr3zurLpXnC (CN: unknown; type: binary; size: 472 b; reputation: unknown)
3952 iexplore.exe GET 200 142.250.185.131:80 http://ocsp.pki.goog/gtsr1/ME4wTDBKMEgwRjAJBgUrDgMCGgUABBQwkcLWD4LqGJ7bE7B1XZsEbmfwUAQU5K8rJnEaK0gnhS9SZizv8IkTcT4CDQIDvFCjJ1PwkYAi7fE%3D (CN: unknown; type: binary; size: 724 b; reputation: unknown), and the same request repeated four more times with the same result

These are certificate revocation-list and OCSP lookups made by the browser while loading the download page, not traffic from the sample.

Connections

Columns: PID, process, IP:port, domain, ASN, CN, reputation; fields the report left empty are omitted. The 10 rows shown (of 158 connections) are the sandbox's own download of the archive via iexplore.exe (PID 3952) plus local name-resolution broadcasts; the rest are in the full report.

3952 iexplore.exe 104.16.113.74:443 static.mediafire.com (ASN: CLOUDFLARENET; reputation: unknown)
4 System 192.168.100.255:138 (NetBIOS datagram broadcast; reputation: whitelisted)
4 System 192.168.100.255:137 (NetBIOS name service broadcast; reputation: whitelisted)
1080 svchost.exe 224.0.0.252:5355 (LLMNR multicast; reputation: unknown)
3952 iexplore.exe 95.101.54.105:80 ctldl.windowsupdate.com (ASN: Akamai International B.V.; CN: DE; reputation: unknown)
3952 iexplore.exe 104.18.38.233:80 ocsp.comodoca.com (ASN: CLOUDFLARENET; reputation: shared)
3952 iexplore.exe 172.64.149.23:80 ocsp.comodoca.com (ASN: CLOUDFLARENET; CN: US; reputation: unknown)
3952 iexplore.exe 172.67.199.186:443 the.gatekeeperconsent.com (ASN: CLOUDFLARENET; CN: US; reputation: unknown)
3952 iexplore.exe 142.250.186.72:443 www.googletagmanager.com (ASN: GOOGLE; CN: US; reputation: unknown)
3952 iexplore.exe 172.67.41.60:443 btloader.com (ASN: CLOUDFLARENET; CN: US; reputation: unknown)

DNS requests

Domain
IP
Reputation
www.mediafire.com
  • 216.239.36.178
  • 216.239.34.178
  • 216.239.38.178
  • 216.239.32.178
shared
ctldl.windowsupdate.com
  • 95.101.54.105
  • 95.101.54.113
  • 93.184.221.240
whitelisted
ocsp.comodoca.com
  • 104.18.38.233
  • 172.64.149.23
whitelisted
ocsp.usertrust.com
  • 172.64.149.23
  • 104.18.38.233
whitelisted
the.gatekeeperconsent.com
  • 172.67.199.186
  • 104.21.42.32
unknown
www.googletagmanager.com
  • 142.250.186.72
whitelisted
btloader.com
  • 172.67.41.60
  • 104.22.74.216
  • 104.22.75.216
whitelisted
www.ezojs.com
  • 172.64.96.6
  • 172.64.97.6
unknown
translate.google.com
  • 142.250.185.78
whitelisted
static.cloudflareinsights.com
  • 104.16.56.101
  • 104.16.57.101
whitelisted

Threats

PID 1080 svchost.exe [Potentially Bad Traffic] ET HUNTING File Sharing Related Domain (www .mediafire .com) in DNS Lookup
PID 1080 svchost.exe [Potentially Bad Traffic] ET HUNTING File Sharing Related Domain in DNS Lookup (download .mediafire .com)
PID 856 svchost.exe [Potential Corporate Privacy Violation] ET POLICY PE EXE or DLL Windows file download HTTP

The two ET HUNTING alerts fire on the DNS resolution of the file-sharing host the archive was fetched from, so they describe the download step rather than the sample's own behaviour.

Debug output (process: message)
msedgewebview2.exe: RecursiveDirectoryCreate( C:\ProgramData\Betternet\user directory exists )