File name:

BetternetForWindows-RSLOAD.NET-.exe

Full analysis: https://app.any.run/tasks/6390eae2-705f-4ceb-9a09-ccfc32937552
Verdict: Malicious activity
Analysis date: June 21, 2025, 12:00:54
OS: Windows 10 Professional (build: 19044, 64 bit)
Tags:
netreactor
Indicators:
MIME: application/vnd.microsoft.portable-executable
File info: PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive, 5 sections
MD5:

A11F0B5B29F5BE05D06AC7FC0DD69029

SHA1:

D6C3DE5B25701F36A57686D4EAFED1D4C0FD5197

SHA256:

BE08974162AC65BF5F8B36B623F3C4D26B8ADD8ECFA537F4298A34EDE986358F

SSDEEP:

24576:8pyhU07dTZra8vvcT8LfGBi3x33h/1p99:8shU0ZTZra8vvcT8Lf+i3x33h/1pn

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    • Executing a file with an untrusted certificate

      • BetternetForWindows-RSLOAD.NET-.exe (PID: 1496)
      • Betternet.WebInstaller.exe (PID: 1296)

    • Changes the autorun value in the registry

      • Betternet.exe (PID: 6656)

  • SUSPICIOUS

    • Malware-specific behavior (creating "System.dll" in Temp)

      • BetternetForWindows-RSLOAD.NET-.exe (PID: 1496)
      • D6575FD7.exe (PID: 4832)
      • bntap-windows-9.24.4-I601-Win10.exe (PID: 4968)

    • The process creates files with name similar to system file names

      • BetternetForWindows-RSLOAD.NET-.exe (PID: 1496)
      • D6575FD7.exe (PID: 4832)
      • msiexec.exe (PID: 3148)
      • bntap-windows-9.24.4-I601-Win10.exe (PID: 4968)

    • Executable content was dropped or overwritten

      • BetternetForWindows-RSLOAD.NET-.exe (PID: 1496)
      • Betternet.WebInstaller.exe (PID: 1296)
      • D6575FD7.exe (PID: 4832)
      • rundll32.exe (PID: 3160)
      • rundll32.exe (PID: 6360)
      • rundll32.exe (PID: 2728)
      • rundll32.exe (PID: 3668)
      • rundll32.exe (PID: 1160)
      • rundll32.exe (PID: 5080)
      • bntap-windows-9.24.4-I601-Win10.exe (PID: 4968)
      • drvinst.exe (PID: 6320)
      • rundll32.exe (PID: 6256)
      • drvinst.exe (PID: 2972)
      • rundll32.exe (PID: 3980)
      • rundll32.exe (PID: 3092)
      • rundll32.exe (PID: 2296)
      • rundll32.exe (PID: 5552)
      • WebView2Bootstrapper.exe (PID: 3108)
      • rundll32.exe (PID: 2324)
      • rundll32.exe (PID: 5620)
      • BetternetSvc.exe (PID: 2972)
      • hydra.exe (PID: 6980)
      • drvinst.exe (PID: 5456)

    • Executes as Windows Service

      • PresentationFontCache.exe (PID: 3756)
      • VSSVC.exe (PID: 6292)
      • BetternetSvc.exe (PID: 2972)

    • Reads security settings of Internet Explorer

      • Betternet.WebInstaller.exe (PID: 1296)
      • msiexec.exe (PID: 6148)
      • MicrosoftEdgeUpdate.exe (PID: 7152)
      • Betternet.exe (PID: 6656)
      • BetternetSvc.exe (PID: 2972)
      • Betternet.exe (PID: 4764)
      • Betternet.exe (PID: 7100)
      • Betternet.exe (PID: 6704)
      • MinerSearch_v1.4.7.92.exe (PID: 8060)

    • There is functionality for taking screenshot (YARA)

      • BetternetForWindows-RSLOAD.NET-.exe (PID: 1496)
      • D6575FD7.exe (PID: 4832)

    • Reads the date of Windows installation

      • Betternet.WebInstaller.exe (PID: 1296)

    • Process drops legitimate windows executable

      • msiexec.exe (PID: 6148)
      • msiexec.exe (PID: 3148)
      • WebView2Bootstrapper.exe (PID: 3108)
      • MicrosoftEdgeUpdate.exe (PID: 7152)

    • Reads the Windows owner or organization settings

      • msiexec.exe (PID: 3148)

    • Starts CMD.EXE for commands execution

      • msiexec.exe (PID: 1852)
      • cmd.exe (PID: 5444)
      • msiexec.exe (PID: 4684)
      • cmd.exe (PID: 4880)
      • cmd.exe (PID: 4216)

    • Uses ICACLS.EXE to modify access control lists

      • msiexec.exe (PID: 1852)

    • Drops a system driver (possible attempt to evade defenses)

      • rundll32.exe (PID: 1160)
      • msiexec.exe (PID: 3148)
      • bntap-windows-9.24.4-I601-Win10.exe (PID: 4968)
      • drvinst.exe (PID: 6320)
      • drvinst.exe (PID: 2972)
      • hydra.exe (PID: 6980)
      • drvinst.exe (PID: 5456)

    • Creates files in the driver directory

      • tapinstall.exe (PID: 2188)
      • drvinst.exe (PID: 6320)
      • drvinst.exe (PID: 2972)
      • drvinst.exe (PID: 5456)

    • Creates or modifies Windows services

      • drvinst.exe (PID: 2972)
      • drvinst.exe (PID: 5012)

    • Creates a software uninstall entry

      • bntap-windows-9.24.4-I601-Win10.exe (PID: 4968)
      • rundll32.exe (PID: 5080)
      • rundll32.exe (PID: 5620)

    • Searches for installed software

      • rundll32.exe (PID: 5080)
      • rundll32.exe (PID: 5620)

    • Suspicious use of NETSH.EXE

      • rundll32.exe (PID: 3980)
      • rundll32.exe (PID: 3092)
      • hydra.exe (PID: 6980)

    • Application launched itself

      • cmd.exe (PID: 5444)
      • cmd.exe (PID: 4216)
      • cmd.exe (PID: 4880)

    • Uses REG/REGEDIT.EXE to modify registry

      • cmd.exe (PID: 5444)
      • cmd.exe (PID: 4216)
      • cmd.exe (PID: 4880)

    • Starts a Microsoft application from unusual location

      • MicrosoftEdgeUpdate.exe (PID: 7152)

    • Windows service management via SC.EXE

      • sc.exe (PID: 1964)

    • Disables SEHOP

      • MicrosoftEdgeUpdate.exe (PID: 7152)

    • The process verifies whether the antivirus software is installed

      • MinerSearch_v1.4.7.92.exe (PID: 8060)

    • Detected use of reserved device names

      • MinerSearch_v1.4.7.92.exe (PID: 8060)

    • Modifies hosts file to alter network resolution

      • MinerSearch_v1.4.7.92.exe (PID: 8060)

    • Adds/modifies Windows certificates

      • MinerSearch_v1.4.7.92.exe (PID: 8060)

  • INFO

    • The sample compiled with english language support

      • BetternetForWindows-RSLOAD.NET-.exe (PID: 1496)
      • Betternet.WebInstaller.exe (PID: 1296)
      • msiexec.exe (PID: 6148)
      • msiexec.exe (PID: 3148)
      • rundll32.exe (PID: 1160)
      • bntap-windows-9.24.4-I601-Win10.exe (PID: 4968)
      • drvinst.exe (PID: 6320)
      • drvinst.exe (PID: 2972)
      • WebView2Bootstrapper.exe (PID: 3108)
      • MicrosoftEdgeUpdate.exe (PID: 7152)
      • rundll32.exe (PID: 5552)
      • hydra.exe (PID: 6980)
      • drvinst.exe (PID: 5456)

    • Create files in a temporary directory

      • BetternetForWindows-RSLOAD.NET-.exe (PID: 1496)
      • Betternet.WebInstaller.exe (PID: 1296)
      • D6575FD7.exe (PID: 4832)
      • msiexec.exe (PID: 6492)
      • msiexec.exe (PID: 6148)
      • bntap-windows-9.24.4-I601-Win10.exe (PID: 4968)
      • MinerSearch_v1.4.7.92.exe (PID: 8060)

    • Reads the computer name

      • Betternet.WebInstaller.exe (PID: 1296)
      • PresentationFontCache.exe (PID: 3756)
      • msiexec.exe (PID: 6148)
      • msiexec.exe (PID: 3148)
      • msiexec.exe (PID: 1852)
      • msiexec.exe (PID: 4684)
      • nfregdrv.exe (PID: 7000)
      • tapinstall.exe (PID: 2188)
      • drvinst.exe (PID: 6320)
      • drvinst.exe (PID: 2972)
      • MicrosoftEdgeUpdate.exe (PID: 7152)
      • Betternet.exe (PID: 6656)
      • BetternetSvc.exe (PID: 2972)
      • Betternet.exe (PID: 4764)
      • BetternetNtf.exe (PID: 4968)
      • Betternet.exe (PID: 7100)
      • Betternet.exe (PID: 6704)
      • drvinst.exe (PID: 5456)
      • drvinst.exe (PID: 5012)
      • hydra.exe (PID: 6980)
      • MinerSearch_v1.4.7.92.exe (PID: 8060)

    • Checks supported languages

      • BetternetForWindows-RSLOAD.NET-.exe (PID: 1496)
      • Betternet.WebInstaller.exe (PID: 1296)
      • PresentationFontCache.exe (PID: 3756)
      • D6575FD7.exe (PID: 4832)
      • msiexec.exe (PID: 3148)
      • msiexec.exe (PID: 6148)
      • msiexec.exe (PID: 4684)
      • msiexec.exe (PID: 1852)
      • nfregdrv.exe (PID: 7000)
      • bntap-windows-9.24.4-I601-Win10.exe (PID: 4968)
      • tapinstall.exe (PID: 6684)
      • tapinstall.exe (PID: 2188)
      • drvinst.exe (PID: 6320)
      • drvinst.exe (PID: 2972)
      • MicrosoftEdgeUpdate.exe (PID: 7152)
      • WebView2Bootstrapper.exe (PID: 3108)
      • Betternet.exe (PID: 6656)
      • BetternetSvc.exe (PID: 2972)
      • Betternet.exe (PID: 4764)
      • BetternetNtf.exe (PID: 4968)
      • Betternet.exe (PID: 7100)
      • Betternet.exe (PID: 6704)
      • drvinst.exe (PID: 5456)
      • drvinst.exe (PID: 5012)
      • hydra.exe (PID: 6980)
      • MinerSearch_v1.4.7.92.exe (PID: 8060)

    • Reads Environment values

      • Betternet.WebInstaller.exe (PID: 1296)
      • Betternet.exe (PID: 6656)
      • Betternet.exe (PID: 4764)
      • BetternetSvc.exe (PID: 2972)
      • Betternet.exe (PID: 7100)
      • Betternet.exe (PID: 6704)
      • MicrosoftEdgeUpdate.exe (PID: 7152)
      • MinerSearch_v1.4.7.92.exe (PID: 8060)

    • Reads the machine GUID from the registry

      • Betternet.WebInstaller.exe (PID: 1296)
      • PresentationFontCache.exe (PID: 3756)
      • msiexec.exe (PID: 6148)
      • msiexec.exe (PID: 3148)
      • tapinstall.exe (PID: 2188)
      • drvinst.exe (PID: 6320)
      • Betternet.exe (PID: 6656)
      • BetternetSvc.exe (PID: 2972)
      • Betternet.exe (PID: 4764)
      • Betternet.exe (PID: 6704)
      • Betternet.exe (PID: 7100)
      • drvinst.exe (PID: 5456)
      • hydra.exe (PID: 6980)
      • MinerSearch_v1.4.7.92.exe (PID: 8060)

    • Disables trace logs

      • Betternet.WebInstaller.exe (PID: 1296)
      • msiexec.exe (PID: 6148)
      • netsh.exe (PID: 4192)
      • netsh.exe (PID: 5720)
      • netsh.exe (PID: 6876)
      • rundll32.exe (PID: 5552)
      • Betternet.exe (PID: 6656)
      • BetternetSvc.exe (PID: 2972)
      • MinerSearch_v1.4.7.92.exe (PID: 8060)
      • netsh.exe (PID: 1580)
      • netsh.exe (PID: 1760)

    • Checks proxy server information

      • Betternet.WebInstaller.exe (PID: 1296)
      • msiexec.exe (PID: 6148)
      • Betternet.exe (PID: 6656)
      • slui.exe (PID: 6472)
      • slui.exe (PID: 7484)
      • MinerSearch_v1.4.7.92.exe (PID: 8060)

    • Reads the software policy settings

      • Betternet.WebInstaller.exe (PID: 1296)
      • msiexec.exe (PID: 6492)
      • msiexec.exe (PID: 6148)
      • msiexec.exe (PID: 3148)
      • tapinstall.exe (PID: 2188)
      • drvinst.exe (PID: 6320)
      • MicrosoftEdgeUpdate.exe (PID: 7152)
      • rundll32.exe (PID: 5552)
      • Betternet.exe (PID: 6656)
      • wermgr.exe (PID: 7048)
      • slui.exe (PID: 6472)
      • BetternetSvc.exe (PID: 2972)
      • drvinst.exe (PID: 5456)
      • MinerSearch_v1.4.7.92.exe (PID: 8060)
      • slui.exe (PID: 7484)

    • Creates files or folders in the user directory

      • Betternet.WebInstaller.exe (PID: 1296)
      • rundll32.exe (PID: 5552)
      • MinerSearch_v1.4.7.92.exe (PID: 8060)

    • .NET Reactor protector has been detected

      • Betternet.WebInstaller.exe (PID: 1296)
      • Betternet.exe (PID: 6656)

    • Process checks computer location settings

      • Betternet.WebInstaller.exe (PID: 1296)
      • MicrosoftEdgeUpdate.exe (PID: 7152)

    • Executable content was dropped or overwritten

      • msiexec.exe (PID: 6492)
      • msiexec.exe (PID: 6148)
      • msiexec.exe (PID: 3148)
      • WinRAR.exe (PID: 7804)

    • Reads security settings of Internet Explorer

      • msiexec.exe (PID: 6492)
      • rundll32.exe (PID: 5552)

    • Manages system restore points

      • SrTasks.exe (PID: 2348)

    • Creates files in the program directory

      • rundll32.exe (PID: 5080)
      • bntap-windows-9.24.4-I601-Win10.exe (PID: 4968)
      • WebView2Bootstrapper.exe (PID: 3108)
      • rundll32.exe (PID: 2324)
      • Betternet.exe (PID: 6656)
      • Betternet.exe (PID: 4764)
      • BetternetSvc.exe (PID: 2972)
      • hydra.exe (PID: 6980)

    • Creates a software uninstall entry

      • msiexec.exe (PID: 3148)

    • Creates files in the driver directory

      • rundll32.exe (PID: 1160)

    • Reads product name

      • Betternet.exe (PID: 6656)
      • BetternetSvc.exe (PID: 2972)

    • Manual execution by a user

      • Betternet.exe (PID: 4764)
      • Betternet.exe (PID: 7100)
      • Betternet.exe (PID: 6704)
      • chrome.exe (PID: 360)
      • MinerSearch_v1.4.7.92.exe (PID: 8012)
      • MinerSearch_v1.4.7.92.exe (PID: 8060)
      • WinRAR.exe (PID: 3860)

    • Launching a file from a Registry key

      • Betternet.exe (PID: 6656)

    • Application launched itself

      • chrome.exe (PID: 360)

    • Launching a file from the Downloads directory

      • chrome.exe (PID: 360)

    • Reads Microsoft Office registry keys

      • chrome.exe (PID: 360)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.exe | Win32 Executable MS Visual C++ (generic) (67.4)
.dll | Win32 Dynamic Link Library (generic) (14.2)
.exe | Win32 Executable (generic) (9.7)
.exe | Generic Win/DOS Executable (4.3)
.exe | DOS Executable Generic (4.3)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 2020:08:01 02:44:18+00:00
ImageFileCharacteristics: No relocs, Executable, No line numbers, No symbols, 32-bit
PEType: PE32
LinkerVersion: 6
CodeSize: 26112
InitializedDataSize: 141824
UninitializedDataSize: 2048
EntryPoint: 0x35d8
OSVersion: 4
ImageVersion: 6
SubsystemVersion: 4
Subsystem: Windows GUI
FileVersionNumber: 6.10.2.834
ProductVersionNumber: 6.10.2.834
FileFlagsMask: 0x0000
FileFlags: (none)
FileOS: Win32
ObjectFileType: Executable application
FileSubtype: -
LanguageCode: English (U.S.)
CharacterSet: Unicode
CompanyName: Aura
FileDescription: Betternet for Windows
FileVersion: 6.10.2.834
InternalName: Betternet.WebInstaller.exe
LegalCopyright: Copyright © 2020 Betternet Technologies Inc., All Rights Reserved
OriginalFileName: Betternet.WebInstaller.exe
ProductName: Betternet for Windows
ProductVersion: 6.10.2.834
No data.
screenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
266
Monitored processes
105
Malicious processes
12
Suspicious processes
8

Behavior graph

Click at the process to see the details
start betternetforwindows-rsload.net-.exe betternet.webinstaller.exe presentationfontcache.exe no specs d6575fd7.exe no specs d6575fd7.exe msiexec.exe msiexec.exe msiexec.exe vssvc.exe no specs slui.exe srtasks.exe no specs conhost.exe no specs msiexec.exe no specs rundll32.exe rundll32.exe icacls.exe no specs conhost.exe no specs icacls.exe no specs conhost.exe no specs msiexec.exe no specs rundll32.exe cmd.exe no specs conhost.exe no specs rundll32.exe rundll32.exe nfregdrv.exe no specs rundll32.exe bntap-windows-9.24.4-i601-win10.exe tapinstall.exe no specs conhost.exe no specs tapinstall.exe no specs conhost.exe no specs drvinst.exe drvinst.exe rundll32.exe netsh.exe no specs conhost.exe no specs netsh.exe no specs conhost.exe no specs rundll32.exe netsh.exe no specs conhost.exe no specs rundll32.exe cmd.exe no specs conhost.exe no specs cmd.exe no specs reg.exe no specs cmd.exe no specs conhost.exe no specs cmd.exe no specs reg.exe no specs cmd.exe no specs conhost.exe no specs cmd.exe no specs reg.exe no specs rundll32.exe sc.exe no specs conhost.exe no specs rundll32.exe webview2bootstrapper.exe microsoftedgeupdate.exe wermgr.exe rundll32.exe rundll32.exe betternet.exe betternetsvc.exe betternet.exe no specs betternetntf.exe no specs betternet.exe no specs betternet.exe no specs hydra.exe conhost.exe no specs drvinst.exe drvinst.exe no specs netsh.exe no specs conhost.exe no specs netsh.exe conhost.exe no specs chrome.exe chrome.exe no specs chrome.exe no specs chrome.exe chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs slui.exe chrome.exe no specs chrome.exe no specs chrome.exe no specs winrar.exe minersearch_v1.4.7.92.exe no specs minersearch_v1.4.7.92.exe conhost.exe no specs winrar.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs

Process information

PID
CMD
Path
Indicators
Parent process
360"C:\Program Files\Google\Chrome\Application\chrome.exe" "--disable-features=OptimizationGuideModelDownloading,OptimizationHintsFetching,OptimizationTargetPrediction,OptimizationHints"C:\Program Files\Google\Chrome\Application\chrome.exe
explorer.exe
User:
admin
Company:
Google LLC
Integrity Level:
MEDIUM
Description:
Google Chrome
Version:
133.0.6943.127
Modules
Images
c:\program files\google\chrome\application\chrome.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\aclayers.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\user32.dll
c:\windows\system32\win32u.dll
c:\windows\system32\gdi32.dll
472"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --enable-dinosaur-easter-egg-alt-images --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3152,i,4280738894496557298,16709261147219706163,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction --variations-seed-version=20250221-144540.991000 --mojo-platform-channel-handle=3180 /prefetch:1C:\Program Files\Google\Chrome\Application\chrome.exechrome.exe
User:
admin
Company:
Google LLC
Integrity Level:
LOW
Description:
Google Chrome
Exit code:
0
Version:
133.0.6943.127
Modules
Images
c:\program files\google\chrome\application\chrome.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files\google\chrome\application\133.0.6943.127\chrome_elf.dll
c:\windows\system32\version.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\bcryptprimitives.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
1128\??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1C:\Windows\System32\conhost.exenetsh.exe
User:
SYSTEM
Company:
Microsoft Corporation
Integrity Level:
SYSTEM
Description:
Console Window Host
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
1160rundll32.exe "C:\WINDOWS\Installer\MSI4A30.tmp",zzzzInvokeManagedCustomActionOutOfProc SfxCA_1591875 79 Foundation.Installer.CustomActions!Foundation.Installer.CustomActions.NetFilter.NetFilterCustomActions.InstallNetFilterDriverC:\Windows\SysWOW64\rundll32.exe
msiexec.exe
User:
SYSTEM
Company:
Microsoft Corporation
Integrity Level:
SYSTEM
Description:
Windows host process (Rundll32)
Exit code:
0
Version:
10.0.19041.3636 (WinBuild.160101.0800)
Modules
Images
c:\windows\syswow64\rundll32.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\aclayers.dll
1200"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --enable-dinosaur-easter-egg-alt-images --disable-gpu-compositing --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=8 --field-trial-handle=1780,i,4280738894496557298,16709261147219706163,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction --variations-seed-version=20250221-144540.991000 --mojo-platform-channel-handle=4588 /prefetch:1C:\Program Files\Google\Chrome\Application\chrome.exechrome.exe
User:
admin
Company:
Google LLC
Integrity Level:
LOW
Description:
Google Chrome
Version:
133.0.6943.127
Modules
Images
c:\program files\google\chrome\application\chrome.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files\google\chrome\application\133.0.6943.127\chrome_elf.dll
c:\windows\system32\version.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\bcryptprimitives.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
1296"C:\Users\admin\AppData\Local\Temp\nsi5778.tmp\Betternet.WebInstaller.exe" C:\Users\admin\AppData\Local\Temp\nsi5778.tmp\Betternet.WebInstaller.exe
BetternetForWindows-RSLOAD.NET-.exe
User:
admin
Company:
Betternet Technologies Inc.
Integrity Level:
MEDIUM
Description:
Betternet.WebInstaller
Exit code:
0
Version:
6.10.2.834
Modules
Images
c:\users\admin\appdata\local\temp\nsi5778.tmp\betternet.webinstaller.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\mscoree.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
1496"C:\Users\admin\AppData\Local\Temp\BetternetForWindows-RSLOAD.NET-.exe" C:\Users\admin\AppData\Local\Temp\BetternetForWindows-RSLOAD.NET-.exe
explorer.exe
User:
admin
Company:
Aura
Integrity Level:
MEDIUM
Description:
Betternet for Windows
Exit code:
0
Version:
6.10.2.834
Modules
Images
c:\users\admin\appdata\local\temp\betternetforwindows-rsload.net-.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\advapi32.dll
1568"C:\WINDOWS\SysWOW64\REG.exe" ADD "HKLM\Software\Betternet" /v channel /d 1C:\Windows\SysWOW64\reg.execmd.exe
User:
SYSTEM
Company:
Microsoft Corporation
Integrity Level:
SYSTEM
Description:
Registry Console Tool
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\syswow64\reg.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\msvcrt.dll
c:\windows\syswow64\advapi32.dll
1580"C:\WINDOWS\system32\netsh.exe" interface ip set address "Betternet WinTun" static 100.127.255.253 255.255.255.252 100.127.255.254C:\Windows\System32\netsh.exehydra.exe
User:
SYSTEM
Company:
Microsoft Corporation
Integrity Level:
SYSTEM
Description:
Network Command Shell
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\netsh.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
1644"C:\WINDOWS\SysWOW64\REG.exe" ADD "HKLM\Software\Betternet" /v hash_v /d 4 /t REG_DWORDC:\Windows\SysWOW64\reg.execmd.exe
User:
SYSTEM
Company:
Microsoft Corporation
Integrity Level:
SYSTEM
Description:
Registry Console Tool
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\syswow64\reg.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\msvcrt.dll
c:\windows\syswow64\advapi32.dll
Total events
486 743
Read events
485 859
Write events
842
Delete events
42

Modification events

(PID) Process:(1296) Betternet.WebInstaller.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\Betternet_RASAPI32
Operation:writeName:EnableFileTracing
Value:
0
(PID) Process:(1296) Betternet.WebInstaller.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\Betternet_RASAPI32
Operation:writeName:EnableAutoFileTracing
Value:
0
(PID) Process:(1296) Betternet.WebInstaller.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\Betternet_RASAPI32
Operation:writeName:EnableConsoleTracing
Value:
0
(PID) Process:(1296) Betternet.WebInstaller.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\Betternet_RASAPI32
Operation:writeName:FileTracingMask
Value:
(PID) Process:(1296) Betternet.WebInstaller.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\Betternet_RASAPI32
Operation:writeName:ConsoleTracingMask
Value:
(PID) Process:(1296) Betternet.WebInstaller.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\Betternet_RASAPI32
Operation:writeName:MaxFileSize
Value:
1048576
(PID) Process:(1296) Betternet.WebInstaller.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\Betternet_RASAPI32
Operation:writeName:FileDirectory
Value:
%windir%\tracing
(PID) Process:(1296) Betternet.WebInstaller.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\Betternet_RASMANCS
Operation:writeName:EnableFileTracing
Value:
0
(PID) Process:(1296) Betternet.WebInstaller.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\Betternet_RASMANCS
Operation:writeName:EnableAutoFileTracing
Value:
0
(PID) Process:(1296) Betternet.WebInstaller.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\Betternet_RASMANCS
Operation:writeName:EnableConsoleTracing
Value:
0
Executable files
675
Suspicious files
396
Text files
100
Unknown types
0

Dropped files

PID
Process
Filename
Type
1496BetternetForWindows-RSLOAD.NET-.exeC:\Users\admin\AppData\Local\Temp\nsi5778.tmp\Vpn.WebInstaller.Common.dllexecutable
MD5:2C689A649BC2F6AF438DCACC5A293157
SHA256:6D2B1F0899D8E9BE28E5C63272C0BBADC511772EDB17A276F9037444002952CC
1296Betternet.WebInstaller.exeC:\Users\admin\AppData\Local\Temp\Tmp664C.tmptext
MD5:BC814B85FD324ED82A1F6A5489E1FFC9
SHA256:04493B0C31B139F4373EFAEC4416E955CD991AAD901738D5EB17716616899E96
1296Betternet.WebInstaller.exeC:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\40C68D5626484A90937F0752C8B950ABbinary
MD5:2AB172E9398A3F429D22A89DB10F024D
SHA256:4DFCA5F2F4907EFD537D7DB7D4A8B5D57A14B551EE62A0F4F3EF6B795C438262
1296Betternet.WebInstaller.exeC:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\EA618097E393409AFA316F0F87E2C202_49FD4FCFF10EE4784877A87BCD7030B1binary
MD5:C0774E4A10D986C78DDE8F6A45257EE6
SHA256:19DC3BD77F7B772DCB1B042903373A54B78EB8A3C86785245F92D3DF43ABBBD7
1296Betternet.WebInstaller.exeC:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\42B9A473B4DAF01285A36B4D3C7B1662_38924EDF39D8802D6946FB22E5DD0835binary
MD5:64438EA4EBA19A095B18388BCB01DBE5
SHA256:0937BE39F169FA42E4EB51D338A0C89A203E8729838F752DAFAA4C0CB27CB719
1296Betternet.WebInstaller.exeC:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\ECF3006D44DA211141391220EE5049F4binary
MD5:70832C80C2593413EBE4B20CE7FAB944
SHA256:28D2ABC2F17A1FC0EF6661B9BF4D834B735F476BDBD18181BD0AB87332AC1EE2
1296Betternet.WebInstaller.exeC:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\EA618097E393409AFA316F0F87E2C202_49FD4FCFF10EE4784877A87BCD7030B1binary
MD5:5BFA51F3A417B98E7443ECA90FC94703
SHA256:BEBE2853A3485D1C2E5C5BE4249183E0DDAFF9F87DE71652371700A89D937128
1296Betternet.WebInstaller.exeC:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\ECF3006D44DA211141391220EE5049F4binary
MD5:DB7C35C53109A16043244BB66EFC0B5F
SHA256:A04F4CB948A4033E4D0B25DFFDAFAFAEA04AC7A4173BC660B94FAE8AB908DE4B
1496BetternetForWindows-RSLOAD.NET-.exeC:\Users\admin\AppData\Local\Temp\nsi5778.tmp\System.dllexecutable
MD5:564BB0373067E1785CBA7E4C24AAB4BF
SHA256:7A9DDEE34562CD3703F1502B5C70E99CD5BBA15DE2B6845A3555033D7F6CB2A5
1296Betternet.WebInstaller.exeC:\Users\admin\AppData\Local\Temp\Tmp5AE1.tmptext
MD5:BC814B85FD324ED82A1F6A5489E1FFC9
SHA256:04493B0C31B139F4373EFAEC4416E955CD991AAD901738D5EB17716616899E96
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
37
TCP/UDP connections
118
DNS requests
82
Threats
0

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
1296
Betternet.WebInstaller.exe
GET
200
2.23.79.3:80
http://s2.symcb.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBS56bKHAoUD%2BOyl%2B0LhPg9JxyQm4gQUf9Nlp8Ld7LvwMAnzQzn6Aq8zMTMCED141%2Fl2SWCyYX308B7Khio%3D
unknown
whitelisted
1296
Betternet.WebInstaller.exe
GET
200
2.23.79.3:80
http://s2.symcb.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBS56bKHAoUD%2BOyl%2B0LhPg9JxyQm4gQUf9Nlp8Ld7LvwMAnzQzn6Aq8zMTMCED141%2Fl2SWCyYX308B7Khio%3D
unknown
whitelisted
1296
Betternet.WebInstaller.exe
GET
200
2.23.77.188:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBT3xL4LQLXDRDM9P665TW442vrsUQQUReuir%2FSSy4IxLVGLp6chnfNtyA8CEAqhJdbWMht%2BQeQF2jaXwhU%3D
unknown
whitelisted
5848
svchost.exe
GET
200
2.17.190.73:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAJ0LqoXyo4hxxe7H%2Fz9DKA%3D
unknown
whitelisted
1296
Betternet.WebInstaller.exe
GET
200
2.23.77.188:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBT5hgD4pKvs0jFFLEKNQ1CjblLIPQQU9LbhIB3%2BKa7S5GGlsqIlssgXNW4CEA1CSuC%2BOoj%2FYEAhzhQA8N0%3D
unknown
whitelisted
1268
svchost.exe
GET
200
95.101.149.131:80
http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl
unknown
whitelisted
1268
svchost.exe
GET
200
23.55.104.190:80
http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl
unknown
whitelisted
1800
SIHClient.exe
GET
200
2.23.181.156:80
http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Product%20Root%20Certificate%20Authority%202018.crl
unknown
whitelisted
1296
Betternet.WebInstaller.exe
GET
200
2.23.77.188:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBT3xL4LQLXDRDM9P665TW442vrsUQQUReuir%2FSSy4IxLVGLp6chnfNtyA8CEA6bGI750C3n79tQ4ghAGFo%3D
unknown
whitelisted
1800
SIHClient.exe
GET
200
2.23.181.156:80
http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Update%20Secure%20Server%20CA%202.1.crl
unknown
whitelisted
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
1268
svchost.exe
40.127.240.158:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
4
System
192.168.100.255:137
whitelisted
6356
RUXIMICS.exe
40.127.240.158:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
5944
MoUsoCoreWorker.exe
40.127.240.158:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
4
System
192.168.100.255:138
whitelisted
1296
Betternet.WebInstaller.exe
18.172.111.173:443
d21j7etzkdo9k9.cloudfront.net
US
whitelisted
1296
Betternet.WebInstaller.exe
2.23.79.3:80
s2.symcb.com
AKAMAI-AS
DE
whitelisted
1296
Betternet.WebInstaller.exe
2.17.189.192:80
s1.symcb.com
AKAMAI-AS
DE
whitelisted
1296
Betternet.WebInstaller.exe
2.23.77.188:80
ocsp.digicert.com
AKAMAI-AS
DE
whitelisted
1296
Betternet.WebInstaller.exe
52.217.129.128:443
s3.amazonaws.com
AMAZON-02
US
whitelisted

DNS requests

Domain
IP
Reputation
google.com
  • 142.250.186.46
whitelisted
d21j7etzkdo9k9.cloudfront.net
  • 18.172.111.173
  • 18.172.111.121
  • 18.172.111.95
  • 18.172.111.229
whitelisted
s2.symcb.com
  • 2.23.79.3
whitelisted
s1.symcb.com
  • 2.17.189.192
whitelisted
sv.symcd.com
  • 2.23.79.3
whitelisted
sv.symcb.com
  • 2.23.79.3
whitelisted
ocsp.digicert.com
  • 2.23.77.188
  • 2.17.190.73
whitelisted
s3.amazonaws.com
  • 52.217.129.128
  • 52.216.92.109
  • 54.231.140.96
  • 52.217.98.46
  • 52.217.227.72
  • 52.216.207.13
  • 16.15.178.225
  • 16.15.178.74
  • 16.182.66.136
  • 52.217.116.136
  • 52.217.232.240
  • 16.182.103.0
  • 54.231.131.160
  • 52.217.87.30
  • 16.15.177.170
  • 52.216.41.160
whitelisted
client.wns.windows.com
  • 172.211.123.249
whitelisted
login.live.com
  • 20.190.160.132
  • 40.126.32.76
  • 20.190.160.66
  • 40.126.32.133
  • 20.190.160.128
  • 40.126.32.72
  • 40.126.32.136
  • 20.190.160.22
  • 20.190.160.4
  • 20.190.160.14
  • 40.126.32.140
  • 20.190.160.5
  • 20.190.160.17
  • 20.190.160.131
  • 20.190.160.64
whitelisted

Threats

No threats detected
Process
Message
Betternet.exe
WebView2: Failed to find an installed WebView2 runtime or non-stable Microsoft Edge installation.
hydra.exe
HYDRA_STATE
hydra.exe
HYDRA_STATE_CONNECTING
hydra.exe
HYDRA_STATE_CONNECTED
Interactive malware hunting service ANY.RUN
© 2017-2025 ANY.RUN ALL RIGHTS RESERVED
ANY.RUN
Reports
BetternetForWindows-RSLOAD.NET-.exe