Malware analysis [PiratePC.Net] Betternet VPN Premium 5.0.5 With Full _.zip Malicious activity

Add for printing

File name:	[PiratePC.Net] Betternet VPN Premium 5.0.5 With Full _.zip
Full analysis:	https://app.any.run/tasks/cd9edb9d-eec1-44e3-861f-206abe3e6262
Verdict:	Malicious activity
Analysis date:	September 20, 2019, 08:55:35
OS:	Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags:	evasion
Indicators:
MIME:	application/zip
File info:	Zip archive data, at least v1.0 to extract
MD5:	ABBFC2F415EA50480BBC7BCB0E9720F4
SHA1:	E40B9657D9C4194609D2AF450A1D7A8029BBFF02
SHA256:	48CF1DFF677DD48EB2BAFBCC85061C77B0B454F8E463C891E1F513C808509DAA
SSDEEP:	196608:YvnRdjGNRMwFMirZYbyvRTrkwSAfKeYKW2p1vf1wk8PMMW2bLLsBZWT:EnzaHMwFMFy32KT1n1wtPnDLN

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

Launch configuration

Task duration:: 300 seconds
Heavy Evasion option:: off
Network geolocation:: off
Additional time used:: 240 seconds
MITM proxy:: off
Privacy:: Public submission
Fakenet option:: off
Route via Tor:: off
Autoconfirmation of UAC:: on
Network:: on

Software preset

Internet Explorer 8.0.7601.17514 undefined
Adobe Acrobat Reader DC MUI (15.023.20070)
Adobe Flash Player 26 ActiveX (26.0.0.131)
Adobe Flash Player 26 NPAPI (26.0.0.131)
Adobe Flash Player 26 PPAPI (26.0.0.131)
Adobe Refresh Manager (1.8.0)
CCleaner (5.35)
FileZilla Client 3.36.0 (3.36.0)
Google Chrome (75.0.3770.100)
Google Update Helper (1.3.34.7)
Java 8 Update 92 (8.0.920.14)
Java Auto Updater (2.8.92.14)
Microsoft .NET Framework 4.7.2 (4.7.03062)
Microsoft Office Access MUI (English) 2010 (14.0.6029.1000)
Microsoft Office Access Setup Metadata MUI (English) 2010 (14.0.6029.1000)
Microsoft Office Excel MUI (English) 2010 (14.0.6029.1000)
Microsoft Office OneNote MUI (English) 2010 (14.0.6029.1000)
Microsoft Office Outlook MUI (English) 2010 (14.0.6029.1000)
Microsoft Office PowerPoint MUI (English) 2010 (14.0.6029.1000)
Microsoft Office Professional 2010 (14.0.6029.1000)
Microsoft Office Proof (English) 2010 (14.0.6029.1000)
Microsoft Office Proof (French) 2010 (14.0.6029.1000)
Microsoft Office Proof (Spanish) 2010 (14.0.6029.1000)
Microsoft Office Proofing (English) 2010 (14.0.6029.1000)
Microsoft Office Publisher MUI (English) 2010 (14.0.6029.1000)
Microsoft Office Shared MUI (English) 2010 (14.0.6029.1000)
Microsoft Office Shared Setup Metadata MUI (English) 2010 (14.0.6029.1000)
Microsoft Office Single Image 2010 (14.0.6029.1000)
Microsoft Office Word MUI (English) 2010 (14.0.6029.1000)
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161 (9.0.30729.6161)
Microsoft Visual C++ 2010 x86 Redistributable - 10.0.40219 (10.0.40219)
Microsoft Visual C++ 2013 Redistributable (x86) - 12.0.30501 (12.0.30501.0)
Microsoft Visual C++ 2013 x86 Additional Runtime - 12.0.21005 (12.0.21005)
Microsoft Visual C++ 2013 x86 Minimum Runtime - 12.0.21005 (12.0.21005)
Microsoft Visual C++ 2015-2019 Redistributable (x86) - 14.21.27702 (14.21.27702.2)
Microsoft Visual C++ 2019 X86 Additional Runtime - 14.21.27702 (14.21.27702)
Microsoft Visual C++ 2019 X86 Minimum Runtime - 14.21.27702 (14.21.27702)
Mozilla Firefox 68.0.1 (x86 en-US) (68.0.1)
Notepad++ (32-bit x86) (7.5.1)
Opera 12.15 (12.15.1748)
Skype version 8.29 (8.29)
Update for Microsoft .NET Framework 4.7.2 (KB4087364) (1)
VLC media player (2.2.6)
WinRAR 5.60 (32-bit) (5.60.0)

Hotfixes

Client LanguagePack Package
Client Refresh LanguagePack Package
CodecPack Basic Package
Foundation Package
IE Troubleshooters Package
InternetExplorer Optional Package
KB2534111
KB2999226
KB4019990
KB976902
LocalPack AU Package
LocalPack CA Package
LocalPack GB Package
LocalPack US Package
LocalPack ZA Package
ProfessionalEdition
UltimateEdition

Add for printing

MALICIOUS
- Changes settings of System certificates
  - msiexec.exe (PID: 3276)
  - MsiExec.exe (PID: 3424)
  - tapinstall.exe (PID: 2644)
  - BetternetUpdater.exe (PID: 940)
- Loads dropped or rewritten executable
  - Betternet VPN Premium 5.0.5 Setup.exe (PID: 2236)
  - tap-windows-9.21.2.exe (PID: 2788)
  - rundll32.exe (PID: 2748)
  - Betternet.exe (PID: 3956)
  - BetternetUpdater.exe (PID: 940)
  - Betternet.exe (PID: 3784)
  - BetternetUpdater.exe (PID: 848)
  - hydra.exe (PID: 2416)
- Application was dropped or rewritten from another process
  - tap-windows-9.21.2.exe (PID: 2788)
  - ns4642.tmp (PID: 2084)
  - tapinstall.exe (PID: 4084)
  - ns4B15.tmp (PID: 3872)
  - tapinstall.exe (PID: 2644)
  - Betternet.exe (PID: 3956)
  - BetternetUpdater.exe (PID: 940)
  - Betternet VPN Premium Crack - [PiratePC.Net].exe (PID: 2368)
  - Betternet VPN Premium Crack - [PiratePC.Net].exe (PID: 2380)
  - Betternet.exe (PID: 3992)
  - Betternet.exe (PID: 3784)
  - BetternetUpdater.exe (PID: 848)
  - hydra.exe (PID: 2416)
SUSPICIOUS
- Executed as Windows Service
  - vssvc.exe (PID: 2212)
- Executable content was dropped or overwritten
  - Betternet VPN Premium 5.0.5 Setup.exe (PID: 2236)
  - msiexec.exe (PID: 2916)
  - tap-windows-9.21.2.exe (PID: 2788)
  - tapinstall.exe (PID: 2644)
  - DrvInst.exe (PID: 2520)
  - DllHost.exe (PID: 3544)
  - rundll32.exe (PID: 2748)
  - msiexec.exe (PID: 3276)
  - Betternet VPN Premium Crack - [PiratePC.Net].exe (PID: 2380)
- Starts Microsoft Installer
  - Betternet VPN Premium 5.0.5 Setup.exe (PID: 2236)
- Executed via COM
  - DrvInst.exe (PID: 3324)
  - DrvInst.exe (PID: 3392)
  - DrvInst.exe (PID: 2520)
  - DllHost.exe (PID: 3544)
- Adds / modifies Windows certificates
  - msiexec.exe (PID: 3276)
  - BetternetUpdater.exe (PID: 940)
- Starts application with an unusual extension
  - tap-windows-9.21.2.exe (PID: 2788)
- Creates files in the program directory
  - tap-windows-9.21.2.exe (PID: 2788)
  - Betternet.exe (PID: 3956)
  - Betternet.exe (PID: 3784)
  - hydra.exe (PID: 2416)
- Modifies the open verb of a shell class
  - msiexec.exe (PID: 2916)
- Removes files from Windows directory
  - DrvInst.exe (PID: 3392)
  - DrvInst.exe (PID: 2520)
- Creates files in the Windows directory
  - DrvInst.exe (PID: 3392)
  - DrvInst.exe (PID: 2520)
- Creates files in the driver directory
  - DrvInst.exe (PID: 3392)
  - DrvInst.exe (PID: 2520)
- Creates a software uninstall entry
  - tap-windows-9.21.2.exe (PID: 2788)
- Uses RUNDLL32.EXE to load library
  - MsiExec.exe (PID: 3424)
- Reads Internet Cache Settings
  - Betternet.exe (PID: 3956)
  - Betternet.exe (PID: 3784)
- Reads Environment values
  - Betternet.exe (PID: 3956)
  - Betternet.exe (PID: 3784)
- Reads the machine GUID from the registry
  - Betternet.exe (PID: 3956)
  - Betternet.exe (PID: 3784)
- Checks for external IP
  - Betternet.exe (PID: 3956)
  - Betternet.exe (PID: 3784)
- Starts Internet Explorer
  - Betternet VPN Premium Crack - [PiratePC.Net].exe (PID: 2380)
INFO
- Manual execution by user
  - Betternet VPN Premium 5.0.5 Setup.exe (PID: 3400)
  - Betternet VPN Premium 5.0.5 Setup.exe (PID: 2236)
  - Betternet VPN Premium Crack - [PiratePC.Net].exe (PID: 2368)
  - Betternet VPN Premium Crack - [PiratePC.Net].exe (PID: 2380)
  - Betternet.exe (PID: 3992)
  - Betternet.exe (PID: 3784)
- Searches for installed software
  - msiexec.exe (PID: 2916)
- Dropped object may contain Bitcoin addresses
  - msiexec.exe (PID: 2916)
- Low-level read access rights to disk partition
  - vssvc.exe (PID: 2212)
- Creates a software uninstall entry
  - msiexec.exe (PID: 2916)
- Application launched itself
  - msiexec.exe (PID: 2916)
  - iexplore.exe (PID: 2744)
  - iexplore.exe (PID: 2804)
- Creates files in the program directory
  - msiexec.exe (PID: 2916)
- Loads dropped or rewritten executable
  - MsiExec.exe (PID: 3100)
  - MsiExec.exe (PID: 2324)
  - MsiExec.exe (PID: 3424)
- Reads settings of System Certificates
  - Betternet.exe (PID: 3956)
  - Betternet.exe (PID: 3784)
- Changes internet zones settings
  - iexplore.exe (PID: 2744)
  - iexplore.exe (PID: 2804)
- Reads internet explorer settings
  - iexplore.exe (PID: 3388)
- Creates files in the user directory
  - iexplore.exe (PID: 3388)

Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report

Add for printing

No Malware configuration.

Add for printing

TRiD

.zip	\|	ZIP compressed archive (100)

EXIF

ZIP

ZipRequiredVersion:	10
ZipBitFlag:	-
ZipCompression:	None
ZipModifyDate:	2019:02:16 16:59:25
ZipCRC:	0x00000000
ZipCompressedSize:	-
ZipUncompressedSize:	-
ZipFileName:	[PiratePC.Net] Betternet VPN Premium 5.0.5 With Full Crack/

No data.

Add for printing

All screenshots are available in the full report

Add for printing

Total processes

Monitored processes

Malicious processes

Suspicious processes

Behavior graph

Click at the process to see the details

Process information

PID

CMD

Path

Indicators

Parent process

848

"C:\Program Files\Betternet\5.0.5\BetternetUpdater.exe"

C:\Program Files\Betternet\5.0.5\BetternetUpdater.exe

Betternet.exe

User:

admin

Company:

Betternet Technologies Inc.

Integrity Level:

HIGH

Description:

Betternet Updater

Exit code:

Version:

5.0.5

Modules

Images
c:\program files\betternet\5.0.5\betternetupdater.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\mscoree.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\microsoft.net\framework\v4.0.30319\mscoreei.dll

940

"C:\Program Files\Betternet\5.0.5\BetternetUpdater.exe"

C:\Program Files\Betternet\5.0.5\BetternetUpdater.exe

Betternet.exe

User:

admin

Company:

Betternet Technologies Inc.

Integrity Level:

HIGH

Description:

Betternet Updater

Exit code:

Version:

5.0.5

Modules

Images
c:\program files\betternet\5.0.5\betternetupdater.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\mscoree.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\microsoft.net\framework\v4.0.30319\mscoreei.dll

2084

"C:\Users\admin\AppData\Local\Temp\nsq444D.tmp\ns4642.tmp" "C:\Program Files\TAP-Windows\bin\tapinstall.exe" hwids tap0901

C:\Users\admin\AppData\Local\Temp\nsq444D.tmp\ns4642.tmp

tap-windows-9.21.2.exe

User:

SYSTEM

Integrity Level:

SYSTEM

Exit code:

Modules

Images
c:\users\admin\appdata\local\temp\nsq444d.tmp\ns4642.tmp
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\advapi32.dll

2168

"C:\Program Files\Internet Explorer\iexplore.exe" SCODEF:2744 CREDAT:79873

C:\Program Files\Internet Explorer\iexplore.exe

iexplore.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

HIGH

Description:

Internet Explorer

Exit code:

Version:

8.00.7600.16385 (win7_rtm.090713-1255)

Modules

Images
c:\program files\internet explorer\iexplore.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll

2212

C:\Windows\system32\vssvc.exe

—

services.exe

User:

SYSTEM

Company:

Microsoft Corporation

Integrity Level:

SYSTEM

Description:

Microsoft® Volume Shadow Copy Service

Exit code:

Version:

6.1.7600.16385 (win7_rtm.090713-1255)

Modules

Images
c:\windows\system32\vssvc.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll

2236

"C:\Users\admin\Desktop\[PiratePC.Net] Betternet VPN Premium 5.0.5 With Full Crack\Setup\Betternet VPN Premium 5.0.5 Setup.exe"

C:\Users\admin\Desktop\[PiratePC.Net] Betternet VPN Premium 5.0.5 With Full Crack\Setup\Betternet VPN Premium 5.0.5 Setup.exe

explorer.exe

User:

admin

Company:

Betternet Technologies Inc.

Integrity Level:

HIGH

Description:

Betternet for Windows

Exit code:

Version:

5.0.5

Modules

Images
c:\users\admin\desktop\[piratepc.net] betternet vpn premium 5.0.5 with full crack\setup\betternet vpn premium 5.0.5 setup.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\shell32.dll

2324

C:\Windows\system32\MsiExec.exe -Embedding 55A7271785A546BA04A4E5DFDC29FBA4 C

C:\Windows\system32\MsiExec.exe

—

msiexec.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

HIGH

Description:

Windows® installer

Exit code:

Version:

5.0.7600.16385 (win7_rtm.090713-1255)

Modules

Images
c:\windows\system32\msiexec.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll

2368

"C:\Program Files\Betternet\5.0.5\Betternet VPN Premium Crack - [PiratePC.Net].exe"

C:\Program Files\Betternet\5.0.5\Betternet VPN Premium Crack - [PiratePC.Net].exe

—

explorer.exe

User:

admin

Company:

PiratePC.Net

Integrity Level:

MEDIUM

Description:

Betternet VPN Premium Crack - [PiratePC.Net]

Exit code:

3221226540

Version:

1.0.0.0

Modules

Images
c:\program files\betternet\5.0.5\betternet vpn premium crack - [piratepc.net].exe
c:\systemroot\system32\ntdll.dll

2380

"C:\Program Files\Betternet\5.0.5\Betternet VPN Premium Crack - [PiratePC.Net].exe"

C:\Program Files\Betternet\5.0.5\Betternet VPN Premium Crack - [PiratePC.Net].exe

explorer.exe

User:

admin

Company:

PiratePC.Net

Integrity Level:

HIGH

Description:

Betternet VPN Premium Crack - [PiratePC.Net]

Exit code:

Version:

1.0.0.0

Modules

Images
c:\program files\betternet\5.0.5\betternet vpn premium crack - [piratepc.net].exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\mscoree.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\microsoft.net\framework\v4.0.30319\mscoreei.dll

2416

"C:\Program Files\Betternet\5.0.5\x86\hydra.exe" --rdy 1E6330AFADB38493

C:\Program Files\Betternet\5.0.5\x86\hydra.exe

Betternet.exe

User:

admin

Company:

VPN Foundation

Integrity Level:

HIGH

Description:

VPN Foundation SDK

Exit code:

Version:

1.0.0.0

Modules

Images
c:\program files\betternet\5.0.5\x86\hydra.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files\betternet\5.0.5\x86\afvpn.dll
c:\windows\system32\ws2_32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\nsi.dll
c:\windows\system32\crypt32.dll

Add for printing

Total events

3 019

Read events

2 080

Write events

879

Delete events

Modification events


(PID) Process:	(3776) WinRAR.exe	Key:	HKEY_CURRENT_USER\Software\WinRAR\Interface\Themes
Operation:	write	Name:	ShellExtBMP
Value:
(PID) Process:	(3776) WinRAR.exe	Key:	HKEY_CURRENT_USER\Software\WinRAR\Interface\Themes
Operation:	write	Name:	ShellExtIcon
Value:
(PID) Process:	(3776) WinRAR.exe	Key:	HKEY_CLASSES_ROOT\Local Settings\MuiCache\72\52C64B7E
Operation:	write	Name:	LanguageList
Value: en-US
(PID) Process:	(3776) WinRAR.exe	Key:	HKEY_CURRENT_USER\Software\WinRAR\ArcHistory
Operation:	write	Name:	0
Value: C:\Users\admin\AppData\Local\Temp\[PiratePC.Net] Betternet VPN Premium 5.0.5 With Full _.zip
(PID) Process:	(3776) WinRAR.exe	Key:	HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths
Operation:	write	Name:	name
Value: 120
(PID) Process:	(3776) WinRAR.exe	Key:	HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths
Operation:	write	Name:	size
Value: 80
(PID) Process:	(3776) WinRAR.exe	Key:	HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths
Operation:	write	Name:	type
Value: 120
(PID) Process:	(3776) WinRAR.exe	Key:	HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths
Operation:	write	Name:	mtime
Value: 100
(PID) Process:	(3276) msiexec.exe	Key:	HKEY_CLASSES_ROOT\Local Settings\MuiCache\72\52C64B7E
Operation:	write	Name:	LanguageList
Value: en-US
(PID) Process:	(3276) msiexec.exe	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D69B561148F01C77C54578C10926DF5B856976AD
Operation:	write	Name:	Blob
Value: 040000000100000010000000C5DFB849CA051355EE2DBA1AC33EB0280F00000001000000200000005229BA15B31B0C6F4CCA89C2985177974327D1B689A3B935A0BD975532AF22AB090000000100000054000000305206082B0601050507030106082B0601050507030206082B0601050507030306082B0601050507030406082B06010505070308060A2B0601040182370A030406082B0601050507030606082B060105050703070B000000010000003000000047006C006F00620061006C005300690067006E00200052006F006F00740020004300410020002D0020005200330000005300000001000000230000003021301F06092B06010401A032010130123010060A2B0601040182373C0101030200C0620000000100000020000000CBB522D7B7F127AD6A0113865BDF1CD4102E7D0759AF635A7CF4720DC963C53B1400000001000000140000008FF04B7FA82E4524AE4D50FA639A8BDEE2DD1BBC1D000000010000001000000001728E1ECF7A9D86FB3CEC8948ABA953030000000100000014000000D69B561148F01C77C54578C10926DF5B856976AD190000000100000010000000D0FD3C9C380D7B65E26B9A3FEDD39B8F2000000001000000630300003082035F30820247A003020102020B04000000000121585308A2300D06092A864886F70D01010B0500304C3120301E060355040B1317476C6F62616C5369676E20526F6F74204341202D20523331133011060355040A130A476C6F62616C5369676E311330110603550403130A476C6F62616C5369676E301E170D3039303331383130303030305A170D3239303331383130303030305A304C3120301E060355040B1317476C6F62616C5369676E20526F6F74204341202D20523331133011060355040A130A476C6F62616C5369676E311330110603550403130A476C6F62616C5369676E30820122300D06092A864886F70D01010105000382010F003082010A0282010100CC2576907906782216F5C083B684CA289EFD057611C5AD8872FC460243C7B28A9D045F24CB2E4BE1608246E152AB0C8147706CDD64D1EBF52CA30F823D0C2BAE97D7B614861079BB3B1380778C08E149D26A622F1F5EFA9668DF892795389F06D73EC9CB26590D73DEB0C8E9260E8315C6EF5B8BD20460CA49A628F6693BF6CBC82891E59D8A615737AC7414DC74E03AEE722F2E9CFBD0BBBFF53D00E10633E8822BAE53A63A16738CDD410E203AC0B4A7A1E9B24F902E3260E957CBB904926868E538266075B29F77FF9114EFAE2049FCAD401548D1023161195EB897EFAD77B7649A7ABF5FC113EF9B62FB0D6CE0546916A903DA6EE983937176C6698582170203010001A3423040300E0603551D0F0101FF040403020106300F0603551D130101FF040530030101FF301D0603551D0E041604148FF04B7FA82E4524AE4D50FA639A8BDEE2DD1BBC300D06092A864886F70D01010B050003820101004B40DBC050AAFEC80CEFF796544549BB96000941ACB3138686280733CA6BE674B9BA002DAEA40AD3F5F1F10F8ABF73674A83C7447B78E0AF6E6C6F03298E333945C38EE4B9576CAAFC1296EC53C62DE4246CB99463FBDC536867563E83B8CF3521C3C968FECEDAC253AACC908AE9F05D468C95DD7A58281A2F1DDECD0037418FED446DD75328977EF367041E15D78A96B4D3DE4C27A44C1B737376F41799C21F7A0EE32D08AD0A1C2CFF3CAB550E0F917E36EBC35749BEE12E2D7C608BC3415113239DCEF7326B9401A899E72C331F3A3B25D28640CE3B2C8678C9612F14BAEEDB556FDF84EE05094DBD28D872CED36250651EEB92978331D9B3B5CA47583F5F

Add for printing

Executable files

Suspicious files

Text files

206

Unknown types

Dropped files

PID	Process	Filename		Type
3776	WinRAR.exe	C:\Users\admin\AppData\Local\Temp\Rar$DRa3776.26474\[PiratePC.Net] Betternet VPN Premium 5.0.5 With Full Crack\Crack\Betternet VPN Premium Crack - [PiratePC.Net].exe		—
		MD5:—	SHA256:—
3776	WinRAR.exe	C:\Users\admin\AppData\Local\Temp\Rar$DRa3776.26474\[PiratePC.Net] Betternet VPN Premium 5.0.5 With Full Crack\Follow Us\Follow Us on Google Plus.url		—
		MD5:—	SHA256:—
3776	WinRAR.exe	C:\Users\admin\AppData\Local\Temp\Rar$DRa3776.26474\[PiratePC.Net] Betternet VPN Premium 5.0.5 With Full Crack\Follow Us\Follow Us on Pinterest.url		—
		MD5:—	SHA256:—
3776	WinRAR.exe	C:\Users\admin\AppData\Local\Temp\Rar$DRa3776.26474\[PiratePC.Net] Betternet VPN Premium 5.0.5 With Full Crack\Follow Us\Like Us on Facebook !.url		—
		MD5:—	SHA256:—
3776	WinRAR.exe	C:\Users\admin\AppData\Local\Temp\Rar$DRa3776.26474\[PiratePC.Net] Betternet VPN Premium 5.0.5 With Full Crack\Follow Us\PiratePC.Net - Cracked PC Softwares.url		—
		MD5:—	SHA256:—
3776	WinRAR.exe	C:\Users\admin\AppData\Local\Temp\Rar$DRa3776.26474\[PiratePC.Net] Betternet VPN Premium 5.0.5 With Full Crack\Follow Us\Subscribe Us On YouTube !.url		—
		MD5:—	SHA256:—
3776	WinRAR.exe	C:\Users\admin\AppData\Local\Temp\Rar$DRa3776.26474\[PiratePC.Net] Betternet VPN Premium 5.0.5 With Full Crack\Instructions.txt		—
		MD5:—	SHA256:—
3776	WinRAR.exe	C:\Users\admin\AppData\Local\Temp\Rar$DRa3776.26474\[PiratePC.Net] Betternet VPN Premium 5.0.5 With Full Crack\PiratePC.Net - Cracked PC Softwares.url		—
		MD5:—	SHA256:—
3776	WinRAR.exe	C:\Users\admin\AppData\Local\Temp\Rar$DRa3776.26474\[PiratePC.Net] Betternet VPN Premium 5.0.5 With Full Crack\Setup\Betternet VPN Premium 5.0.5 Setup.exe		—
		MD5:—	SHA256:—
3776	WinRAR.exe	C:\Users\admin\AppData\Local\Temp\Rar$DRa3776.26474\[PiratePC.Net] Betternet VPN Premium 5.0.5 With Full Crack\Setup\PiratePC.Net - Cracked PC Softwares.url		—
		MD5:—	SHA256:—

Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Add for printing

HTTP(S) requests

TCP/UDP connections

DNS requests

Threats

HTTP requests

PID	Process	Method	HTTP Code	IP	URL	CN	Type	Size	Reputation
3388	iexplore.exe	GET	301	89.248.168.177:80	http://piratepc.net/	SC	—	—	whitelisted
2168	iexplore.exe	GET	—	89.248.168.177:80	http://piratepc.net/	SC	—	—	whitelisted
3956	Betternet.exe	GET	200	185.194.141.58:80	http://ip-api.com/json	DE	text	286 b	malicious
3784	Betternet.exe	GET	200	185.194.141.58:80	http://ip-api.com/json	DE	text	286 b	malicious
2744	iexplore.exe	GET	200	204.79.197.200:80	http://www.bing.com/favicon.ico	US	image	237 b	whitelisted
3956	Betternet.exe	POST	200	216.58.207.78:80	http://www.google-analytics.com/collect	US	image	35 b	whitelisted
3784	Betternet.exe	POST	200	216.58.207.78:80	http://www.google-analytics.com/collect	US	image	35 b	whitelisted
3784	Betternet.exe	POST	200	216.58.207.78:80	http://www.google-analytics.com/collect	US	image	35 b	whitelisted
3956	Betternet.exe	POST	200	216.58.207.78:80	http://www.google-analytics.com/collect	US	image	35 b	whitelisted
3784	Betternet.exe	POST	200	216.58.207.78:80	http://www.google-analytics.com/collect	US	image	35 b	whitelisted

Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID	Process	IP	Domain	ASN	CN	Reputation
3956	Betternet.exe	185.194.141.58:80	ip-api.com	netcup GmbH	DE	unknown
3956	Betternet.exe	143.204.98.65:443	d2xl5j5majlxvm.cloudfront.net	—	US	suspicious
3956	Betternet.exe	216.58.207.78:80	www.google-analytics.com	Google Inc.	US	whitelisted
3956	Betternet.exe	107.178.254.148:443	control.kochava.com	Google Inc.	US	whitelisted
3956	Betternet.exe	13.225.84.46:443	d1o29kof4patkc.cloudfront.net	—	US	malicious
2744	iexplore.exe	204.79.197.200:80	www.bing.com	Microsoft Corporation	US	whitelisted
940	BetternetUpdater.exe	52.219.24.9:443	s3-us-west-1.amazonaws.com	Amazon.com, Inc.	US	unknown
3388	iexplore.exe	89.248.168.177:80	piratepc.net	Quasi Networks LTD.	SC	suspicious
2168	iexplore.exe	89.248.168.177:80	piratepc.net	Quasi Networks LTD.	SC	suspicious
—	—	89.248.168.177:443	piratepc.net	Quasi Networks LTD.	SC	suspicious

DNS requests

Domain	IP	Reputation
ip-api.com	185.194.141.58	malicious
www.google-analytics.com	216.58.207.78	whitelisted
d2xl5j5majlxvm.cloudfront.net	143.204.98.65 143.204.98.8 143.204.98.77 143.204.98.174	whitelisted
control.kochava.com	107.178.254.148	unknown
d1o29kof4patkc.cloudfront.net	13.224.197.21 13.224.197.31 13.224.197.203 13.224.197.24 13.225.84.46 13.225.84.195 13.225.84.78 13.225.84.142	shared
s3-us-west-1.amazonaws.com	52.219.24.9 52.219.112.88	shared
piratepc.net	89.248.168.177	whitelisted
www.bing.com	204.79.197.200 13.107.21.200	whitelisted
d3sdizpx54za7n.cloudfront.net	143.204.98.69 143.204.98.147 143.204.98.73 143.204.98.193	shared

Threats

PID	Process	Class	Message
—	—	Potential Corporate Privacy Violation	ET POLICY External IP Lookup ip-api.com
—	—	Potential Corporate Privacy Violation	AV POLICY Internal Host Retrieving External IP Address (ip-api. com)
—	—	Misc Attack	ET DROP Dshield Block Listed Source group 1
—	—	Potential Corporate Privacy Violation	ET POLICY External IP Lookup ip-api.com
—	—	Potential Corporate Privacy Violation	AV POLICY Internal Host Retrieving External IP Address (ip-api. com)

Add for printing

Process	Message
hydra.exe	HYDRA_STATE_CONNECTING
hydra.exe	HYDRA_STATE_CONNECTED

General Info

[PiratePC.Net] Betternet VPN Premium 5.0.5 With Full _.zip

ABBFC2F415EA50480BBC7BCB0E9720F4

E40B9657D9C4194609D2AF450A1D7A8029BBFF02

48CF1DFF677DD48EB2BAFBCC85061C77B0B454F8E463C891E1F513C808509DAA

196608:YvnRdjGNRMwFMirZYbyvRTrkwSAfKeYKW2p1vf1wk8PMMW2bLLsBZWT:EnzaHMwFMFy32KT1n1wtPnDLN

Software environment set and analysis options

Launch configuration

Software preset

Hotfixes

Behavior activities

MALICIOUS

Changes settings of System certificates

Loads dropped or rewritten executable

Application was dropped or rewritten from another process

SUSPICIOUS

Executed as Windows Service

Executable content was dropped or overwritten

Starts Microsoft Installer

Executed via COM

Adds / modifies Windows certificates

Starts application with an unusual extension

Creates files in the program directory

Modifies the open verb of a shell class

Removes files from Windows directory

Creates files in the Windows directory

Creates files in the driver directory

Creates a software uninstall entry

Uses RUNDLL32.EXE to load library

Reads Internet Cache Settings

Reads Environment values

Reads the machine GUID from the registry

Checks for external IP

Starts Internet Explorer

INFO

Manual execution by user

Searches for installed software

Dropped object may contain Bitcoin addresses

Low-level read access rights to disk partition

Creates a software uninstall entry

Application launched itself

Creates files in the program directory

Loads dropped or rewritten executable

Reads settings of System Certificates

Changes internet zones settings

Reads internet explorer settings

Creates files in the user directory

Malware configuration

Static information

TRiD

EXIF

ZIP

Video and screenshots

Processes

Behavior graph

Specs description

Process information

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Registry activity

Modification events

Files activity