File name:

bitdefender_tsecurity.exe

Full analysis: https://app.any.run/tasks/9c54bbbe-1587-4b09-bf4b-d67eb7a60fe9
Verdict: Malicious activity
Analysis date: July 28, 2024, 13:28:32
OS: Windows 10 Professional (build: 19045, 64 bit)
Indicators:
MIME: application/x-dosexec
File info: PE32 executable (GUI) Intel 80386, for MS Windows
MD5:

3A58F6330A8315046294738AC3F0C7C7

SHA1:

4CCD5EE1637451E5A873C77F9B95BB2282268240

SHA256:

63418D452BCFD776216608E2393FAC9CDBD63E453C8DED40DF7A59EB93AEA52F

SSDEEP:

98304:/M5VIMaLpm1tSwYiIqIFH++TmoJ5udgly+/CXxXLHGXOfK0hnZVgoV7DDyF7vvcZ:2WWd85Jt9d4ADZCkJdDgFImmlAIMWM9
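Before leaning on this report for a file in hand, confirm it is the same object the sandbox ran. The Python below is an added example, not part of the ANY.RUN report and not Bitdefender code: it hashes a sample with the three algorithms the header uses, compares case-insensitively against the values above, and reads just enough of the PE header to check the "PE32 executable, Intel 80386" file info (DOS stub pointer, COFF Machine field, optional-header magic). MINIMAL_PE32 is a constructed stand-in so the code runs offline; digest_file() is the same check for a real file on disk, and compare() works equally against the per-file MD5/SHA256 pairs in the Dropped files section. SSDEEP is not covered because hashlib has no fuzzy hashing.

```python
import hashlib
import struct

# Hashes the report gives for bitdefender_tsecurity.exe (copied from the page header).
REPORT_HASHES = {
    "md5": "3A58F6330A8315046294738AC3F0C7C7",
    "sha1": "4CCD5EE1637451E5A873C77F9B95BB2282268240",
    "sha256": "63418D452BCFD776216608E2393FAC9CDBD63E453C8DED40DF7A59EB93AEA52F",
}

MACHINE_NAMES = {0x014C: "i386", 0x8664: "AMD64", 0x01C4: "ARMv7", 0xAA64: "ARM64"}
OPTIONAL_MAGIC = {0x10B: "PE32", 0x20B: "PE32+"}


def digests(data: bytes) -> dict:
    """MD5 / SHA-1 / SHA-256 of an in-memory sample, lower-case hex."""
    return {alg: hashlib.new(alg, data).hexdigest() for alg in ("md5", "sha1", "sha256")}


def digest_file(path: str, chunk: int = 1 << 20) -> dict:
    """Same as digests() but streams the file, so a large installer need not fit in RAM."""
    hashers = {alg: hashlib.new(alg) for alg in ("md5", "sha1", "sha256")}
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk), b""):
            for h in hashers.values():
                h.update(block)
    return {alg: h.hexdigest() for alg, h in hashers.items()}


def compare(actual: dict, expected: dict) -> dict:
    """Per-algorithm match table; hex case is ignored because reports differ in case."""
    return {alg: actual[alg].lower() == expected[alg].lower() for alg in expected}


def pe_summary(data: bytes):
    """Return {'machine', 'format'} for a PE image, or None if the bytes are not a PE.
    Only e_lfanew, the COFF Machine field and the optional-header magic are read."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return None
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    if e_lfanew + 26 > len(data) or data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        return None
    (machine,) = struct.unpack_from("<H", data, e_lfanew + 4)
    (magic,) = struct.unpack_from("<H", data, e_lfanew + 24)
    return {
        "machine": MACHINE_NAMES.get(machine, hex(machine)),
        "format": OPTIONAL_MAGIC.get(magic, hex(magic)),
    }


def verify_sample(data: bytes, expected: dict = REPORT_HASHES):
    """All-or-nothing check that an in-hand sample is the file the report analysed."""
    table = compare(digests(data), expected)
    return all(table.values()), table, pe_summary(data)


# Constructed stand-in: a 90-byte blob with a valid MZ/PE skeleton (Machine = i386,
# optional-header magic = PE32) and no sections. It is NOT the Bitdefender file; it
# exists only so the header parser can be exercised offline.
MINIMAL_PE32 = (
    b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", 0x40)          # DOS header, e_lfanew = 0x40
    + b"PE\0\0"
    + struct.pack("<HHIIIHH", 0x014C, 0, 0, 0, 0, 0xE0, 0x0102)   # COFF header
    + struct.pack("<H", 0x10B)                                    # optional-header magic
)

if __name__ == "__main__":
    ok, table, pe = verify_sample(MINIMAL_PE32)
    print("matches report:", ok, table, pe)
```

For a real file, `verify_sample(open(path, "rb").read())` or `compare(digest_file(path), REPORT_HASHES)` gives the same table; a single False means you are looking at a different build, not the one this page describes.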

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as is. ANY.RUN does not guarantee the maliciousness or safety of the content.
  • MALICIOUS

    • Drops the executable file immediately after the start

      • bitdefender_tsecurity.exe (PID: 1712)
      • setuppackage.exe (PID: 4732)
      • installer.exe (PID: 7132)
      • bitdefender_tsecurity.exe (PID: 4376)
      • setuppackage.exe (PID: 5660)
      • installer.exe (PID: 1924)
      • ProductAgentService.exe (PID: 1752)
    • Registers / Runs the DLL via REGSVR32.EXE

      • DiscoverySrv.exe (PID: 5496)
      • DiscoverySrv.exe (PID: 3276)
  • SUSPICIOUS

    • Reads security settings of Internet Explorer

      • bitdefender_tsecurity.exe (PID: 1712)
      • bddeploy.exe (PID: 1176)
      • agent_launcher.exe (PID: 5624)
      • installer.exe (PID: 7132)
      • ShellExperienceHost.exe (PID: 2348)
      • bitdefender_tsecurity.exe (PID: 4376)
      • agent_launcher.exe (PID: 7024)
      • bddeploy.exe (PID: 5716)
      • installer.exe (PID: 1924)
      • ProductAgentUI.exe (PID: 3856)
      • WatchDog.exe (PID: 3780)
    • Reads the date of Windows installation

      • bitdefender_tsecurity.exe (PID: 1712)
      • agent_launcher.exe (PID: 5624)
      • bitdefender_tsecurity.exe (PID: 4376)
      • agent_launcher.exe (PID: 7024)
    • Executable content was dropped or overwritten

      • bitdefender_tsecurity.exe (PID: 1712)
      • setuppackage.exe (PID: 4732)
      • installer.exe (PID: 7132)
      • bitdefender_tsecurity.exe (PID: 4376)
      • setuppackage.exe (PID: 5660)
      • installer.exe (PID: 1924)
      • ProductAgentService.exe (PID: 1752)
    • Checks Windows Trust Settings

      • agent_launcher.exe (PID: 5624)
      • installer.exe (PID: 7132)
      • bddeploy.exe (PID: 1176)
      • DiscoverySrv.exe (PID: 5496)
      • DiscoverySrv.exe (PID: 3076)
      • ProductAgentService.exe (PID: 6220)
      • ProductAgentUI.exe (PID: 3112)
      • bddeploy.exe (PID: 5716)
      • agent_launcher.exe (PID: 7024)
      • installer.exe (PID: 1924)
      • ProductAgentUI.exe (PID: 3856)
      • DiscoverySrv.exe (PID: 3276)
      • DiscoverySrv.exe (PID: 6836)
      • WatchDog.exe (PID: 3780)
      • ProductAgentUI.exe (PID: 6932)
      • ProductAgentService.exe (PID: 5268)
    • Creates a software uninstall entry

      • installer.exe (PID: 7132)
      • ProductAgentService.exe (PID: 1752)
    • Adds/modifies Windows certificates

      • bddeploy.exe (PID: 1176)
    • The process verifies whether the antivirus software is installed

      • ProductAgentService.exe (PID: 6352)
      • bdredline.exe (PID: 5800)
      • ProductAgentService.exe (PID: 4016)
      • ProductAgentService.exe (PID: 4636)
      • ProductAgentService.exe (PID: 3796)
      • installer.exe (PID: 7132)
      • ProductAgentService.exe (PID: 6220)
      • DiscoverySrv.exe (PID: 5496)
      • regsvr32.exe (PID: 5832)
      • DiscoverySrv.exe (PID: 3076)
      • ProductAgentService.exe (PID: 6500)
      • ProductAgentUI.exe (PID: 3112)
      • ProductAgentService.exe (PID: 2136)
      • ProductAgentService.exe (PID: 3788)
      • ProductAgentService.exe (PID: 5268)
      • installer.exe (PID: 1924)
      • regsvr32.exe (PID: 4852)
      • ProductAgentUI.exe (PID: 3856)
      • WatchDog.exe (PID: 3780)
      • DiscoverySrv.exe (PID: 3276)
      • DiscoverySrv.exe (PID: 6836)
      • ProductAgentService.exe (PID: 1752)
      • ProductAgentService.exe (PID: 2112)
      • ProductAgentUI.exe (PID: 6932)
    • Executes as Windows Service

      • bdredline.exe (PID: 5800)
      • ProductAgentService.exe (PID: 6220)
      • ProductAgentService.exe (PID: 5268)
    • Creates/Modifies COM task schedule object

      • regsvr32.exe (PID: 5832)
      • regsvr32.exe (PID: 4852)
    • Application launched itself

      • ProductAgentService.exe (PID: 6220)
      • ProductAgentService.exe (PID: 5268)
    • Starts itself from another location

      • ProductAgentService.exe (PID: 1752)
  • INFO

    • Reads the machine GUID from the registry

      • agent_launcher.exe (PID: 5624)
      • bddeploy.exe (PID: 1176)
      • installer.exe (PID: 7132)
      • ProductAgentService.exe (PID: 6220)
      • DiscoverySrv.exe (PID: 5496)
      • DiscoverySrv.exe (PID: 3076)
      • ProductAgentUI.exe (PID: 3112)
      • agent_launcher.exe (PID: 7024)
      • bddeploy.exe (PID: 5716)
      • installer.exe (PID: 1924)
      • ProductAgentUI.exe (PID: 3856)
      • ProductAgentService.exe (PID: 5268)
      • DiscoverySrv.exe (PID: 3276)
      • DiscoverySrv.exe (PID: 6836)
      • WatchDog.exe (PID: 3780)
      • ProductAgentService.exe (PID: 1752)
      • ProductAgentUI.exe (PID: 6932)
    • Checks supported languages

      • agent_launcher.exe (PID: 5624)
      • bitdefender_tsecurity.exe (PID: 1712)
      • bddeploy.exe (PID: 1176)
      • setuppackage.exe (PID: 4732)
      • installer.exe (PID: 7132)
      • ProductAgentService.exe (PID: 6352)
      • bdredline.exe (PID: 5800)
      • ProductAgentService.exe (PID: 3796)
      • ProductAgentService.exe (PID: 6220)
      • ProductAgentService.exe (PID: 4636)
      • DiscoverySrv.exe (PID: 5496)
      • ProductAgentService.exe (PID: 4016)
      • DiscoverySrv.exe (PID: 3076)
      • ProductAgentService.exe (PID: 6500)
      • ProductAgentUI.exe (PID: 3112)
      • bitdefender_tsecurity.exe (PID: 4376)
      • ShellExperienceHost.exe (PID: 2348)
      • agent_launcher.exe (PID: 7024)
      • setuppackage.exe (PID: 5660)
      • bddeploy.exe (PID: 5716)
      • installer.exe (PID: 1924)
      • ProductAgentService.exe (PID: 1752)
      • ProductAgentUI.exe (PID: 3856)
      • ProductAgentService.exe (PID: 2136)
      • ProductAgentService.exe (PID: 5268)
      • DiscoverySrv.exe (PID: 3276)
      • DiscoverySrv.exe (PID: 6836)
      • WatchDog.exe (PID: 3780)
      • ProductAgentUI.exe (PID: 6932)
      • ProductAgentService.exe (PID: 2112)
      • ProductAgentService.exe (PID: 3788)
    • Reads the software policy settings

      • slui.exe (PID: 7072)
      • agent_launcher.exe (PID: 5624)
      • bddeploy.exe (PID: 1176)
      • installer.exe (PID: 7132)
      • DiscoverySrv.exe (PID: 5496)
      • DiscoverySrv.exe (PID: 3076)
      • ProductAgentService.exe (PID: 6220)
      • ProductAgentUI.exe (PID: 3112)
      • agent_launcher.exe (PID: 7024)
      • bddeploy.exe (PID: 5716)
      • ProductAgentUI.exe (PID: 3856)
      • installer.exe (PID: 1924)
      • DiscoverySrv.exe (PID: 3276)
      • DiscoverySrv.exe (PID: 6836)
      • WatchDog.exe (PID: 3780)
      • ProductAgentService.exe (PID: 5268)
      • ProductAgentUI.exe (PID: 6932)
    • Checks proxy server information

      • slui.exe (PID: 7072)
    • Create files in a temporary directory

      • bitdefender_tsecurity.exe (PID: 1712)
      • setuppackage.exe (PID: 4732)
      • bddeploy.exe (PID: 1176)
      • bitdefender_tsecurity.exe (PID: 4376)
      • bddeploy.exe (PID: 5716)
      • setuppackage.exe (PID: 5660)
      • installer.exe (PID: 1924)
    • Process checks computer location settings

      • bitdefender_tsecurity.exe (PID: 1712)
      • agent_launcher.exe (PID: 5624)
      • bitdefender_tsecurity.exe (PID: 4376)
      • agent_launcher.exe (PID: 7024)
    • Reads the computer name

      • bitdefender_tsecurity.exe (PID: 1712)
      • agent_launcher.exe (PID: 5624)
      • setuppackage.exe (PID: 4732)
      • installer.exe (PID: 7132)
      • ProductAgentService.exe (PID: 3796)
      • bdredline.exe (PID: 5800)
      • ProductAgentService.exe (PID: 4016)
      • ProductAgentService.exe (PID: 4636)
      • ProductAgentService.exe (PID: 6220)
      • DiscoverySrv.exe (PID: 3076)
      • ProductAgentService.exe (PID: 6500)
      • ProductAgentUI.exe (PID: 3112)
      • ShellExperienceHost.exe (PID: 2348)
      • bitdefender_tsecurity.exe (PID: 4376)
      • agent_launcher.exe (PID: 7024)
      • setuppackage.exe (PID: 5660)
      • installer.exe (PID: 1924)
      • ProductAgentService.exe (PID: 1752)
      • ProductAgentService.exe (PID: 2136)
      • ProductAgentService.exe (PID: 5268)
      • DiscoverySrv.exe (PID: 6836)
      • WatchDog.exe (PID: 3780)
      • ProductAgentService.exe (PID: 2112)
      • ProductAgentUI.exe (PID: 6932)
      • ProductAgentService.exe (PID: 3788)
    • Dropped object may contain TOR URL's

      • setuppackage.exe (PID: 4732)
      • installer.exe (PID: 7132)
      • setuppackage.exe (PID: 5660)
      • installer.exe (PID: 1924)
    • Creates files in the program directory

      • installer.exe (PID: 7132)
      • ProductAgentService.exe (PID: 4636)
      • ProductAgentService.exe (PID: 6220)
      • installer.exe (PID: 1924)
      • ProductAgentService.exe (PID: 1752)
      • ProductAgentService.exe (PID: 5268)
    • Reads Environment values

      • installer.exe (PID: 7132)
      • ProductAgentService.exe (PID: 6220)
      • installer.exe (PID: 1924)
      • ProductAgentService.exe (PID: 5268)
      • ProductAgentService.exe (PID: 1752)
    • Reads CPU info

      • ProductAgentService.exe (PID: 6220)
      • ProductAgentService.exe (PID: 5268)
    • Manual execution by a user

      • bitdefender_tsecurity.exe (PID: 4376)
      • mspaint.exe (PID: 6284)
    • Reads security settings of Internet Explorer

      • explorer.exe (PID: 3816)
No Malware configuration.

TRiD

.exe | Win64 Executable (generic) (76.4)
.exe | Win32 Executable (generic) (12.4)
.exe | Generic Win/DOS Executable (5.5)
.exe | DOS Executable Generic (5.5)

TRiD scores are byte-pattern heuristics and here they favour Win64; the PE header fields below (PEType PE32, "Executable, 32-bit", MachineType Intel 386) are authoritative, and the wow64*.dll modules loaded by the process confirm a 32-bit image running under WOW64 on the 64-bit guest. The sample unpacks into %TEMP%\RarSFX0, the directory a WinRAR self-extracting archive uses, so the 2016 link timestamp and the linker version describe the SFX stub, not the 27.0.x Bitdefender packages it extracts.

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 2016:08:14 19:15:49+00:00
ImageFileCharacteristics: Executable, 32-bit
PEType: PE32
LinkerVersion: 14
CodeSize: 188416
InitializedDataSize: 265216
UninitializedDataSize: -
EntryPoint: 0x1cab5
OSVersion: 5.1
ImageVersion: -
SubsystemVersion: 5.1
Subsystem: Windows GUI
Total processes: 182
Monitored processes: 38
Malicious processes: 29
Suspicious processes: 2

Behavior graph

Processes as the graph lists them, in launch order (entries the graph tags "no specs" are kept as tagged). The chain appears twice because the installer was run twice, as PID 1712 and again as PID 4376, which the report flags under "Manual execution by a user":

start, bitdefender_tsecurity.exe, slui.exe, agent_launcher.exe (no specs), bddeploy.exe, setuppackage.exe, installer.exe, productagentservice.exe (no specs), bdredline.exe, productagentservice.exe (no specs), productagentservice.exe (no specs), productagentservice.exe (no specs), productagentservice.exe, discoverysrv.exe (no specs), regsvr32.exe (no specs), discoverysrv.exe (no specs), productagentservice.exe (no specs), productagentui.exe (no specs), shellexperiencehost.exe (no specs), systemsettingsbroker.exe (no specs), bitdefender_tsecurity.exe, agent_launcher.exe (no specs), bddeploy.exe, setuppackage.exe, installer.exe, productagentservice.exe, productagentui.exe (no specs), productagentservice.exe (no specs), productagentservice.exe (no specs), productagentservice.exe, discoverysrv.exe (no specs), regsvr32.exe (no specs), discoverysrv.exe (no specs), watchdog.exe (no specs), COpenControlPanel (no specs), explorer.exe (no specs), productagentservice.exe (no specs), productagentui.exe (no specs), mspaint.exe (no specs)

Process information

Fields per process: PID, command line, image path, parent process, then the user, company, integrity level, description, exit code and version the report shows, followed by the ten loaded modules the report lists.

PID 1176
Command line: "C:\Users\admin\AppData\Local\Temp\RarSFX0\bddeploy.exe"
Path: C:\Users\admin\AppData\Local\Temp\RarSFX0\bddeploy.exe
Parent process: agent_launcher.exe
User: admin
Company: Bitdefender
Integrity Level: HIGH
Description: Installation File
Exit code: 0
Version: 27.0.16.281
Modules (images):
  c:\users\admin\appdata\local\temp\rarsfx0\bddeploy.exe
  c:\windows\system32\ntdll.dll
  c:\windows\syswow64\ntdll.dll
  c:\windows\system32\wow64.dll
  c:\windows\system32\wow64win.dll
  c:\windows\system32\wow64cpu.dll
  c:\windows\syswow64\kernel32.dll
  c:\windows\syswow64\kernelbase.dll
  c:\windows\syswow64\apphelp.dll
  c:\windows\syswow64\aclayers.dll

PID 1712
Command line: "C:\Users\admin\Desktop\bitdefender_tsecurity.exe"
Path: C:\Users\admin\Desktop\bitdefender_tsecurity.exe
Parent process: explorer.exe
User: admin
Integrity Level: MEDIUM
Exit code: 0
Modules (images):
  c:\users\admin\desktop\bitdefender_tsecurity.exe
  c:\windows\system32\ntdll.dll
  c:\windows\syswow64\ntdll.dll
  c:\windows\system32\wow64.dll
  c:\windows\system32\wow64win.dll
  c:\windows\system32\wow64cpu.dll
  c:\windows\syswow64\kernel32.dll
  c:\windows\syswow64\kernelbase.dll
  c:\windows\syswow64\apphelp.dll
  c:\windows\syswow64\advapi32.dll

PID 1752
Command line: "C:\Program Files\Bitdefender Agent\27.0.1.281_0\ProductAgentService.exe" update_ready "C:\Users\admin\Desktop\bitdefender_tsecurity.exe"
Path: C:\Program Files\Bitdefender Agent\27.0.1.281_0\ProductAgentService.exe
Parent process: installer.exe
User: admin
Company: Bitdefender
Integrity Level: HIGH
Description: Bitdefender Agent
Exit code: 0
Version: 27.0.1.281
Modules (images):
  c:\program files\bitdefender agent\27.0.1.281_0\productagentservice.exe
  c:\windows\system32\ntdll.dll
  c:\windows\syswow64\ntdll.dll
  c:\windows\system32\wow64.dll
  c:\windows\system32\wow64win.dll
  c:\windows\system32\wow64cpu.dll
  c:\windows\syswow64\kernel32.dll
  c:\windows\syswow64\kernelbase.dll
  c:\windows\syswow64\apphelp.dll
  c:\windows\syswow64\aclayers.dll

PID 1772
Command line: C:\WINDOWS\SysWOW64\DllHost.exe /Processid:{06622D85-6856-4460-8DE1-A81921B41C4B}
Path: C:\Windows\SysWOW64\dllhost.exe
Parent process: svchost.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: COM Surrogate
Exit code: 0
Version: 10.0.19041.3636 (WinBuild.160101.0800)
Modules (images):
  c:\windows\syswow64\dllhost.exe
  c:\windows\system32\ntdll.dll
  c:\windows\syswow64\ntdll.dll
  c:\windows\system32\wow64.dll
  c:\windows\system32\wow64win.dll
  c:\windows\system32\wow64cpu.dll
  c:\windows\syswow64\kernel32.dll
  c:\windows\syswow64\kernelbase.dll
  c:\windows\syswow64\ucrtbase.dll
  c:\windows\syswow64\combase.dll

PID 1924
Command line: "C:\Users\admin\AppData\Local\Temp\RarSFX1\packages\installer.exe"
Path: C:\Users\admin\AppData\Local\Temp\RarSFX1\packages\installer.exe
Parent process: bddeploy.exe
User: admin
Company: Bitdefender
Integrity Level: HIGH
Description: Installation File
Exit code: 0
Version: 27.0.16.281
Modules (images):
  c:\users\admin\appdata\local\temp\rarsfx1\packages\installer.exe
  c:\windows\system32\ntdll.dll
  c:\windows\syswow64\ntdll.dll
  c:\windows\system32\wow64.dll
  c:\windows\system32\wow64win.dll
  c:\windows\system32\wow64cpu.dll
  c:\windows\syswow64\kernel32.dll
  c:\windows\syswow64\kernelbase.dll
  c:\windows\syswow64\apphelp.dll
  c:\windows\syswow64\aclayers.dll

PID 2112
Command line: "ProductAgentService.exe" login_silent
Path: C:\Program Files\Bitdefender Agent\ProductAgentService.exe
Parent process: ProductAgentService.exe
User: SYSTEM
Company: Bitdefender
Integrity Level: SYSTEM
Description: Bitdefender Agent
Exit code: 0
Version: 27.0.1.281
Modules (images):
  c:\program files\bitdefender agent\productagentservice.exe
  c:\windows\system32\ntdll.dll
  c:\windows\syswow64\ntdll.dll
  c:\windows\system32\wow64.dll
  c:\windows\system32\wow64win.dll
  c:\windows\system32\wow64cpu.dll
  c:\windows\syswow64\kernel32.dll
  c:\windows\syswow64\kernelbase.dll
  c:\windows\syswow64\user32.dll
  c:\windows\syswow64\win32u.dll

PID 2136
Command line: "C:\Program Files\Bitdefender Agent\ProductAgentService.exe" install
Path: C:\Program Files\Bitdefender Agent\ProductAgentService.exe
Parent process: ProductAgentService.exe
User: admin
Company: Bitdefender
Integrity Level: HIGH
Description: Bitdefender Agent
Exit code: 0
Version: 27.0.1.281
Modules (images):
  c:\program files\bitdefender agent\productagentservice.exe
  c:\windows\system32\ntdll.dll
  c:\windows\syswow64\ntdll.dll
  c:\windows\system32\wow64.dll
  c:\windows\system32\wow64win.dll
  c:\windows\system32\wow64cpu.dll
  c:\windows\syswow64\kernel32.dll
  c:\windows\syswow64\kernelbase.dll
  c:\windows\syswow64\apphelp.dll
  c:\windows\syswow64\aclayers.dll

PID 2140
Command line: C:\Windows\System32\SystemSettingsBroker.exe -Embedding
Path: C:\Windows\System32\SystemSettingsBroker.exe
Parent process: svchost.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: System Settings Broker
Version: 10.0.19041.3996 (WinBuild.160101.0800)
Modules (images):
  c:\windows\system32\systemsettingsbroker.exe
  c:\windows\system32\ntdll.dll
  c:\windows\system32\kernel32.dll
  c:\windows\system32\kernelbase.dll
  c:\windows\system32\ucrtbase.dll
  c:\windows\system32\sechost.dll
  c:\windows\system32\rpcrt4.dll
  c:\windows\system32\bcrypt.dll
  c:\windows\system32\shcore.dll
  c:\windows\system32\msvcrt.dll

PID 2348
Command line: "C:\WINDOWS\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe" -ServerName:App.AppXtk181tbxbce2qsex02s8tw7hfxa9xb3t.mca
Path: C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe
Parent process: svchost.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Windows Shell Experience Host
Version: 10.0.19041.3758 (WinBuild.160101.0800)
Modules (images):
  c:\windows\systemapps\shellexperiencehost_cw5n1h2txyewy\shellexperiencehost.exe
  c:\windows\system32\ntdll.dll
  c:\windows\system32\kernel32.dll
  c:\windows\system32\kernelbase.dll
  c:\windows\system32\combase.dll
  c:\windows\system32\ucrtbase.dll
  c:\windows\system32\rpcrt4.dll
  c:\windows\system32\oleaut32.dll
  c:\windows\system32\msvcp_win.dll
  c:\windows\system32\wincorlib.dll

PID 3076
Command line: "C:\Program Files\Bitdefender Agent\27.0.1.281\DiscoverySrv.exe"
Path: C:\Program Files\Bitdefender Agent\27.0.1.281\DiscoverySrv.exe
Parent process: ProductAgentService.exe
User: SYSTEM
Company: Bitdefender
Integrity Level: SYSTEM
Description: DiscoverySrv
Exit code: 0
Version: 27.0.1.281
Modules (images):
  c:\program files\bitdefender agent\27.0.1.281\discoverysrv.exe
  c:\windows\system32\ntdll.dll
  c:\windows\syswow64\ntdll.dll
  c:\windows\system32\wow64.dll
  c:\windows\system32\wow64win.dll
  c:\windows\system32\wow64cpu.dll
  c:\windows\syswow64\kernel32.dll
  c:\windows\syswow64\kernelbase.dll
  c:\windows\syswow64\crypt32.dll
  c:\windows\syswow64\ucrtbase.dll
Total events: 96 780
Read events: 96 517
Write events: 242
Delete events: 21

Modification events (PID | process | operation | key | value name | value)

1712 | bitdefender_tsecurity.exe | write | HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap | ProxyBypass | 1
1712 | bitdefender_tsecurity.exe | write | HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap | IntranetName | 1
1712 | bitdefender_tsecurity.exe | write | HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap | UNCAsIntranet | 1
1712 | bitdefender_tsecurity.exe | write | HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap | AutoDetect | 0
5624 | agent_launcher.exe | write | HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap | ProxyBypass | 1
5624 | agent_launcher.exe | write | HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap | IntranetName | 1
5624 | agent_launcher.exe | write | HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap | UNCAsIntranet | 1
5624 | agent_launcher.exe | write | HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap | AutoDetect | 0
1176 | bddeploy.exe | delete value | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates | 3679CA35668772304D30A5FB873B0FA77BB70D54 | -
1176 | bddeploy.exe | write | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\3679CA35668772304D30A5FB873B0FA77BB70D54 | Blob | (certificate blob, not reproduced on this page)
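Of the 242 write events the report counts, the ten it reproduces fall into two groups: per-user WinINet ZoneMap settings (routine for installers that probe proxy and intranet detection), and, from bddeploy.exe running at HIGH integrity, a delete-then-write of HKLM\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\3679CA35668772304D30A5FB873B0FA77BB70D54\Blob. AuthRoot is the machine-wide store of automatically updated third-party root certificates, so a write there changes what every process on the host trusts; it is the one event on this page that merits a manual look regardless of which process name performed it. The Python below is an added example, not ANY.RUN or Bitdefender code: it parses the report's flattened event rows (a constructed copy of six of them is embedded; the four agent_launcher.exe rows have the same shape and are left out) and ranks records by key path rather than by process. On a live host, `Get-Item Cert:\LocalMachine\AuthRoot\3679CA35668772304D30A5FB873B0FA77BB70D54` would show which certificate that thumbprint identifies; the page does not say.

```python
import re
from dataclasses import dataclass

# Constructed sample: six "Modification events" rows copied in the flattened shape
# this page prints them (PID/process/key, then Operation/Name, then "Value:" and an
# optional value line). The certificate Blob is not shown on the page, so it is
# empty here as well.
SAMPLE_EVENTS = r"""(PID) Process:(1712) bitdefender_tsecurity.exeKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:writeName:ProxyBypass
Value:
1
(PID) Process:(1712) bitdefender_tsecurity.exeKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:writeName:IntranetName
Value:
1
(PID) Process:(1712) bitdefender_tsecurity.exeKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:writeName:UNCAsIntranet
Value:
1
(PID) Process:(1712) bitdefender_tsecurity.exeKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:writeName:AutoDetect
Value:
0
(PID) Process:(1176) bddeploy.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates
Operation:delete valueName:3679CA35668772304D30A5FB873B0FA77BB70D54
Value:
(PID) Process:(1176) bddeploy.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\3679CA35668772304D30A5FB873B0FA77BB70D54
Operation:writeName:Blob
Value:
"""

REC_RE = re.compile(r"^\(PID\) Process:\((\d+)\) (.+?)Key:(.+)$")
OP_RE = re.compile(r"^Operation:(.+?)Name:(.*)$")
THUMB_RE = re.compile(r"\b([0-9A-Fa-f]{40})\b")
# Machine-wide stores whose contents decide what the OS trusts.
TRUST_STORES = ("ROOT", "AUTHROOT", "CA", "TRUSTEDPUBLISHER", "TRUSTEDPEOPLE", "DISALLOWED")


@dataclass
class RegEvent:
    pid: int
    process: str
    key: str
    operation: str
    name: str
    value: str
    severity: str = "info"
    reason: str = ""


def parse_events(text: str) -> list:
    """Turn the flattened report rows into RegEvent records."""
    lines = text.splitlines()
    events, i = [], 0
    while i < len(lines):
        head = REC_RE.match(lines[i])
        if not head:
            i += 1
            continue
        op = OP_RE.match(lines[i + 1]) if i + 1 < len(lines) else None
        if op is None:
            raise ValueError(f"record at line {i + 1} has no Operation/Name line")
        i += 2
        if i < len(lines) and lines[i] == "Value:":
            i += 1
        value = []
        while i < len(lines) and not REC_RE.match(lines[i]):   # value runs to next record
            value.append(lines[i])
            i += 1
        events.append(RegEvent(int(head.group(1)), head.group(2), head.group(3),
                               op.group(1), op.group(2), "\n".join(value).strip()))
    return events


def triage(events: list) -> list:
    """Attach a severity: HKLM certificate-store writes are the ones worth a human look."""
    for ev in events:
        key = ev.key.upper()
        if key.startswith("HKEY_LOCAL_MACHINE\\") and "\\SYSTEMCERTIFICATES\\" in key:
            store = next((s for s in TRUST_STORES if f"\\{s}\\" in key), "?")
            tp = THUMB_RE.search(ev.key) or THUMB_RE.search(ev.name)
            ev.severity = "high"
            ev.reason = (f"{ev.process} {ev.operation} in machine store {store}, "
                         f"thumbprint {tp.group(1) if tp else 'n/a'}")
        elif "\\INTERNET SETTINGS\\ZONEMAP" in key:
            ev.severity = "low"
            ev.reason = "WinINet zone-map / proxy-detection setting; routine for installers"
    return events


def summarize(events: list) -> dict:
    """Count of records per severity, for a quick first read of a long event list."""
    counts = {}
    for ev in events:
        counts[ev.severity] = counts.get(ev.severity, 0) + 1
    return counts


if __name__ == "__main__":
    for ev in triage(parse_events(SAMPLE_EVENTS)):
        print(ev.severity, ev.pid, ev.process, ev.operation, ev.name, ev.reason)
```

The ranking deliberately ignores the process name and the vendor string: a signed installer writing to AuthRoot and an unsigned dropper doing the same produce the same registry record, and the decision about whether it was legitimate belongs to whoever looks at the certificate, not to the parser.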
Executable files: 111
Suspicious files: 46
Text files: 340
Unknown types: 1

Dropped files (the ten the page reproduces; PID | process | filename | type)

1712 | bitdefender_tsecurity.exe | C:\Users\admin\AppData\Local\Temp\RarSFX0\packages\agentpackage.exe | executable
  MD5: 909145E25F89FA425D170ADEC835254E
  SHA256: 22348BF301D14446A1F028AD8ACA3C9986E13977855C7F70364EBB3F22CB3E0B
4732 | setuppackage.exe | C:\Users\admin\AppData\Local\Temp\RarSFX0\packages\bdec.ini | binary
  MD5: 96D15C4F3DB04429631866751A1D2890
  SHA256: E8D31C1DE790F738EF75DAA0402584560A0672402D0D3DED0899D2DBC95FB911
1712 | bitdefender_tsecurity.exe | C:\Users\admin\AppData\Local\Temp\RarSFX0\bddeploy.exe | executable
  MD5: 2079443E634D7EE3D0D7B33B1824B770
  SHA256: 3BE61D5B6AD6CCE1AE556FBB7B9EC0419B907C5F1E992C534D2DE71E9FD666F2
1712 | bitdefender_tsecurity.exe | C:\Users\admin\AppData\Local\Temp\RarSFX0\bddeploy.exe.md5 | text
  MD5: 7F59A234B54E52DBCB3847B5BFF4124B
  SHA256: 225686CA070796C12A11F073FAC5D99F0E5F0A4946C36C5B42E70AD177E563F6
1712 | bitdefender_tsecurity.exe | C:\Users\admin\AppData\Local\Temp\RarSFX0\packages\setuppackage.exe | executable
  MD5: F57AA77748841D1E63C6D33F4B9739D1
  SHA256: B4CCDAE05CE3137E815EC487A714CCAD5347569FC622A7D278037151A02FC927
1712 | bitdefender_tsecurity.exe | C:\Users\admin\AppData\Local\Temp\RarSFX0\packages\setuppackage.exe.md5 | text
  MD5: 9EF0C29C0ACFFC8646D4E23CB9FB56F3
  SHA256: 05EBFF22C60478F5758C3B6C775E198AB4C000E1925AFF9A39BE5983CCFE90EE
1712 | bitdefender_tsecurity.exe | C:\Users\admin\AppData\Local\Temp\RarSFX0\deploy.dll | executable
  MD5: 9F8F023E802708893AE8C688D57E9EB5
  SHA256: B000E326C37C859AFCB7FEAA4E9DC4D6E0CB4C8874FBF7699F51434B644D8891
4732 | setuppackage.exe | C:\Users\admin\AppData\Local\Temp\RarSFX0\packages\additional.dll | executable
  MD5: A951FA6D51A17B4FDF08D90E1F323E4C
  SHA256: E5A0A10C6A16473418934263AFBABB2D278C59CD397D50713F6F2FBD81ABFA59
4732 | setuppackage.exe | C:\Users\admin\AppData\Local\Temp\RarSFX0\packages\bdnc.ini | text
  MD5: 758591D297B16EE7B5127F2FE3E67A27
  SHA256: 2C6224951714E685114B51C4E598C2BAD8C7BC16975F7401AC51E101AFCAB837
4732 | setuppackage.exe | C:\Users\admin\AppData\Local\Temp\RarSFX0\packages\bdnc.client_id | text
  MD5: F4C2784AA289F17D144A589751C7980D
  SHA256: E6E827F81840CE8975CD5E30467DDC1661C3F407CD9D342D00800F32C01DCC26
HTTP(S) requests: 80
TCP/UDP connections: 99
DNS requests: 61
Threats: 0

HTTP requests (of the 80 counted, the page reproduces these rows; PID | process | method | HTTP code | IP | URL | CN | type | size | reputation; "-" = not shown)

- | - | GET | - | 34.120.68.241:443 | https://eu.nimbus.bitdefender.net/_ServerStatus | unknown | - | - | unknown
5800 | bdredline.exe | GET | 404 | 104.18.169.222:80 | http://upgrade.bitdefender.com/redline_com.bitdefender.agent/versions.id | unknown | - | - | whitelisted
- | - | GET | - | 35.190.56.82:443 | https://elb-iow-gcp.nimbus.bitdefender.net/_ServerStatus | unknown | - | - | unknown
- | - | GET | - | 35.190.56.82:443 | https://elb-iow-gcp.nimbus.bitdefender.net/services/genid | unknown | - | - | unknown
- | - | GET | 200 | 35.190.56.82:443 | https://elb-iow-gcp.nimbus.bitdefender.net/_ServerStatus | unknown | text | 21 b | unknown
- | - | GET | 200 | 35.190.56.82:443 | https://elb-iow-gcp.nimbus.bitdefender.net/_ServerStatus | unknown | text | 21 b | unknown
- | - | GET | 200 | 34.149.211.227:443 | https://mclb-gcp.nimbus.bitdefender.net/_ServerStatus | unknown | text | 21 b | unknown
6220 | ProductAgentService.exe | GET | 200 | 192.229.221.95:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTfIs%2BLjDtGwQ09XEB1Yeq%2BtX%2BBgQQU7NfjgtJxXWRM3y5nP%2Be6mK4cD08CEAitQLJg0pxMn17Nqb2Trtk%3D | unknown | - | - | whitelisted
- | - | GET | 200 | 34.120.68.241:443 | https://eu.nimbus.bitdefender.net/services/genid | unknown | binary | 47 b | unknown
- | - | GET | 200 | 34.149.211.227:443 | https://mclb-gcp.nimbus.bitdefender.net/_ServerStatus | unknown | text | 21 b | unknown

Connections (PID | process | IP | domain | ASN | CN | reputation; "-" = not shown)

3688 | svchost.exe | 51.104.136.2:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
4 | System | 192.168.100.255:138 | - | - | - | whitelisted
- | - | 131.253.33.254:443 | a-ring-fallback.msedge.net | MICROSOFT-CORP-MSN-AS-BLOCK | US | unknown
- | - | 104.126.37.145:443 | www.bing.com | Akamai International B.V. | DE | unknown
5812 | slui.exe | 40.91.76.224:443 | - | MICROSOFT-CORP-MSN-AS-BLOCK | US | whitelisted
6012 | MoUsoCoreWorker.exe | 51.104.136.2:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
4432 | RUXIMICS.exe | 51.104.136.2:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
3952 | svchost.exe | 239.255.255.250:1900 | - | - | - | whitelisted
4 | System | 192.168.100.255:137 | - | - | - | whitelisted
6564 | slui.exe | 40.91.76.224:443 | - | MICROSOFT-CORP-MSN-AS-BLOCK | US | whitelisted

DNS requests

Domain
IP
Reputation
settings-win.data.microsoft.com
  • 51.104.136.2
  • 4.231.128.59
whitelisted
t-ring-fdv2.msedge.net
  • 13.107.237.254
unknown
a-ring-fallback.msedge.net
  • 131.253.33.254
unknown
www.bing.com
  • 104.126.37.145
  • 104.126.37.139
  • 104.126.37.136
  • 104.126.37.146
  • 104.126.37.171
  • 104.126.37.129
  • 104.126.37.130
  • 104.126.37.186
  • 104.126.37.178
whitelisted
google.com
  • 142.250.185.110
whitelisted
upgrade.bitdefender.com
  • 104.18.169.222
  • 104.18.168.222
whitelisted
nimbus.bitdefender.net
  • 34.120.68.241
  • 2600:1901:0:69b7::
whitelisted
mclb-gcp.nimbus.bitdefender.net
  • 34.149.211.227
  • 2600:1901:0:c603::
whitelisted
eu.nimbus.bitdefender.net
  • 34.120.68.241
  • 2600:1901:0:69b7::
whitelisted
elb-iow-gcp.nimbus.bitdefender.net
  • 35.190.56.82
  • 2600:1901:0:5723::
whitelisted

Threats

No threats detected
No debug info