File name: bitdefender_tsecurity.exe

Full analysis: https://app.any.run/tasks/9c54bbbe-1587-4b09-bf4b-d67eb7a60fe9
Verdict: Malicious activity
Analysis date: July 28, 2024, 13:28:32
OS: Windows 10 Professional (build: 19045, 64 bit)
Indicators:
MIME: application/x-dosexec
File info: PE32 executable (GUI) Intel 80386, for MS Windows
MD5:

3A58F6330A8315046294738AC3F0C7C7

SHA1:

4CCD5EE1637451E5A873C77F9B95BB2282268240

SHA256:

63418D452BCFD776216608E2393FAC9CDBD63E453C8DED40DF7A59EB93AEA52F

SSDEEP:

98304:/M5VIMaLpm1tSwYiIqIFH++TmoJ5udgly+/CXxXLHGXOfK0hnZVgoV7DDyF7vvcZ:2WWd85Jt9d4ADZCkJdDgFImmlAIMWM9

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Drops the executable file immediately after the start

      • bitdefender_tsecurity.exe (PID: 1712)
      • setuppackage.exe (PID: 4732)
      • installer.exe (PID: 7132)
      • bitdefender_tsecurity.exe (PID: 4376)
      • setuppackage.exe (PID: 5660)
      • ProductAgentService.exe (PID: 1752)
      • installer.exe (PID: 1924)
    • Registers / Runs the DLL via REGSVR32.EXE

      • DiscoverySrv.exe (PID: 5496)
      • DiscoverySrv.exe (PID: 3276)
  • SUSPICIOUS

    • Executable content was dropped or overwritten

      • bitdefender_tsecurity.exe (PID: 1712)
      • setuppackage.exe (PID: 4732)
      • installer.exe (PID: 7132)
      • bitdefender_tsecurity.exe (PID: 4376)
      • setuppackage.exe (PID: 5660)
      • installer.exe (PID: 1924)
      • ProductAgentService.exe (PID: 1752)
    • Reads security settings of Internet Explorer

      • bitdefender_tsecurity.exe (PID: 1712)
      • agent_launcher.exe (PID: 5624)
      • bddeploy.exe (PID: 1176)
      • installer.exe (PID: 7132)
      • ShellExperienceHost.exe (PID: 2348)
      • bitdefender_tsecurity.exe (PID: 4376)
      • agent_launcher.exe (PID: 7024)
      • bddeploy.exe (PID: 5716)
      • installer.exe (PID: 1924)
      • ProductAgentUI.exe (PID: 3856)
      • WatchDog.exe (PID: 3780)
    • Checks Windows Trust Settings

      • agent_launcher.exe (PID: 5624)
      • bddeploy.exe (PID: 1176)
      • installer.exe (PID: 7132)
      • DiscoverySrv.exe (PID: 5496)
      • ProductAgentService.exe (PID: 6220)
      • ProductAgentUI.exe (PID: 3112)
      • agent_launcher.exe (PID: 7024)
      • bddeploy.exe (PID: 5716)
      • installer.exe (PID: 1924)
      • ProductAgentUI.exe (PID: 3856)
      • DiscoverySrv.exe (PID: 3076)
      • DiscoverySrv.exe (PID: 3276)
      • DiscoverySrv.exe (PID: 6836)
      • WatchDog.exe (PID: 3780)
      • ProductAgentService.exe (PID: 5268)
      • ProductAgentUI.exe (PID: 6932)
    • Reads the date of Windows installation

      • bitdefender_tsecurity.exe (PID: 1712)
      • agent_launcher.exe (PID: 5624)
      • bitdefender_tsecurity.exe (PID: 4376)
      • agent_launcher.exe (PID: 7024)
    • Creates a software uninstall entry

      • installer.exe (PID: 7132)
      • ProductAgentService.exe (PID: 1752)
    • Adds/modifies Windows certificates

      • bddeploy.exe (PID: 1176)
    • Executes as Windows Service

      • bdredline.exe (PID: 5800)
      • ProductAgentService.exe (PID: 6220)
      • ProductAgentService.exe (PID: 5268)
    • The process verifies whether the antivirus software is installed

      • bdredline.exe (PID: 5800)
      • ProductAgentService.exe (PID: 6352)
      • ProductAgentService.exe (PID: 3796)
      • installer.exe (PID: 7132)
      • ProductAgentService.exe (PID: 4016)
      • ProductAgentService.exe (PID: 4636)
      • ProductAgentService.exe (PID: 6220)
      • DiscoverySrv.exe (PID: 5496)
      • regsvr32.exe (PID: 5832)
      • DiscoverySrv.exe (PID: 3076)
      • ProductAgentService.exe (PID: 6500)
      • ProductAgentUI.exe (PID: 3112)
      • installer.exe (PID: 1924)
      • ProductAgentService.exe (PID: 2136)
      • ProductAgentService.exe (PID: 3788)
      • ProductAgentService.exe (PID: 1752)
      • ProductAgentService.exe (PID: 5268)
      • DiscoverySrv.exe (PID: 6836)
      • regsvr32.exe (PID: 4852)
      • DiscoverySrv.exe (PID: 3276)
      • WatchDog.exe (PID: 3780)
      • ProductAgentService.exe (PID: 2112)
      • ProductAgentUI.exe (PID: 6932)
      • ProductAgentUI.exe (PID: 3856)
    • Creates/Modifies COM task schedule object

      • regsvr32.exe (PID: 5832)
      • regsvr32.exe (PID: 4852)
    • Application launched itself

      • ProductAgentService.exe (PID: 6220)
      • ProductAgentService.exe (PID: 5268)
    • Starts itself from another location

      • ProductAgentService.exe (PID: 1752)
  • INFO

    • Checks supported languages

      • bitdefender_tsecurity.exe (PID: 1712)
      • agent_launcher.exe (PID: 5624)
      • bddeploy.exe (PID: 1176)
      • setuppackage.exe (PID: 4732)
      • installer.exe (PID: 7132)
      • ProductAgentService.exe (PID: 6352)
      • ProductAgentService.exe (PID: 3796)
      • bdredline.exe (PID: 5800)
      • ProductAgentService.exe (PID: 4016)
      • ProductAgentService.exe (PID: 4636)
      • ProductAgentService.exe (PID: 6220)
      • DiscoverySrv.exe (PID: 5496)
      • ProductAgentService.exe (PID: 6500)
      • ProductAgentUI.exe (PID: 3112)
      • ShellExperienceHost.exe (PID: 2348)
      • bitdefender_tsecurity.exe (PID: 4376)
      • agent_launcher.exe (PID: 7024)
      • bddeploy.exe (PID: 5716)
      • setuppackage.exe (PID: 5660)
      • installer.exe (PID: 1924)
      • ProductAgentService.exe (PID: 1752)
      • ProductAgentUI.exe (PID: 3856)
      • ProductAgentService.exe (PID: 2136)
      • DiscoverySrv.exe (PID: 3076)
      • ProductAgentService.exe (PID: 3788)
      • ProductAgentService.exe (PID: 5268)
      • DiscoverySrv.exe (PID: 3276)
      • DiscoverySrv.exe (PID: 6836)
      • WatchDog.exe (PID: 3780)
      • ProductAgentService.exe (PID: 2112)
      • ProductAgentUI.exe (PID: 6932)
    • Create files in a temporary directory

      • bitdefender_tsecurity.exe (PID: 1712)
      • setuppackage.exe (PID: 4732)
      • bddeploy.exe (PID: 1176)
      • bitdefender_tsecurity.exe (PID: 4376)
      • bddeploy.exe (PID: 5716)
      • setuppackage.exe (PID: 5660)
      • installer.exe (PID: 1924)
    • Reads the computer name

      • bitdefender_tsecurity.exe (PID: 1712)
      • agent_launcher.exe (PID: 5624)
      • installer.exe (PID: 7132)
      • setuppackage.exe (PID: 4732)
      • bdredline.exe (PID: 5800)
      • ProductAgentService.exe (PID: 3796)
      • ProductAgentService.exe (PID: 4016)
      • ProductAgentService.exe (PID: 4636)
      • ProductAgentService.exe (PID: 6220)
      • DiscoverySrv.exe (PID: 3076)
      • ProductAgentService.exe (PID: 6500)
      • ProductAgentUI.exe (PID: 3112)
      • ShellExperienceHost.exe (PID: 2348)
      • bitdefender_tsecurity.exe (PID: 4376)
      • agent_launcher.exe (PID: 7024)
      • setuppackage.exe (PID: 5660)
      • installer.exe (PID: 1924)
      • ProductAgentService.exe (PID: 1752)
      • ProductAgentService.exe (PID: 2136)
      • ProductAgentService.exe (PID: 3788)
      • ProductAgentService.exe (PID: 5268)
      • DiscoverySrv.exe (PID: 6836)
      • WatchDog.exe (PID: 3780)
      • ProductAgentService.exe (PID: 2112)
      • ProductAgentUI.exe (PID: 6932)
    • Reads the software policy settings

      • slui.exe (PID: 7072)
      • agent_launcher.exe (PID: 5624)
      • bddeploy.exe (PID: 1176)
      • installer.exe (PID: 7132)
      • DiscoverySrv.exe (PID: 5496)
      • ProductAgentService.exe (PID: 6220)
      • ProductAgentUI.exe (PID: 3112)
      • agent_launcher.exe (PID: 7024)
      • bddeploy.exe (PID: 5716)
      • installer.exe (PID: 1924)
      • ProductAgentUI.exe (PID: 3856)
      • DiscoverySrv.exe (PID: 3276)
      • DiscoverySrv.exe (PID: 3076)
      • DiscoverySrv.exe (PID: 6836)
      • WatchDog.exe (PID: 3780)
      • ProductAgentService.exe (PID: 5268)
      • ProductAgentUI.exe (PID: 6932)
    • Process checks computer location settings

      • bitdefender_tsecurity.exe (PID: 1712)
      • agent_launcher.exe (PID: 5624)
      • bitdefender_tsecurity.exe (PID: 4376)
      • agent_launcher.exe (PID: 7024)
    • Checks proxy server information

      • slui.exe (PID: 7072)
    • Reads the machine GUID from the registry

      • agent_launcher.exe (PID: 5624)
      • bddeploy.exe (PID: 1176)
      • installer.exe (PID: 7132)
      • DiscoverySrv.exe (PID: 5496)
      • ProductAgentService.exe (PID: 6220)
      • DiscoverySrv.exe (PID: 3076)
      • ProductAgentUI.exe (PID: 3112)
      • agent_launcher.exe (PID: 7024)
      • bddeploy.exe (PID: 5716)
      • installer.exe (PID: 1924)
      • ProductAgentUI.exe (PID: 3856)
      • ProductAgentService.exe (PID: 5268)
      • DiscoverySrv.exe (PID: 3276)
      • DiscoverySrv.exe (PID: 6836)
      • WatchDog.exe (PID: 3780)
      • ProductAgentUI.exe (PID: 6932)
      • ProductAgentService.exe (PID: 1752)
    • Creates files in the program directory

      • installer.exe (PID: 7132)
      • ProductAgentService.exe (PID: 4636)
      • ProductAgentService.exe (PID: 6220)
      • installer.exe (PID: 1924)
      • ProductAgentService.exe (PID: 1752)
      • ProductAgentService.exe (PID: 5268)
    • Dropped object may contain TOR URL's

      • setuppackage.exe (PID: 4732)
      • installer.exe (PID: 7132)
      • setuppackage.exe (PID: 5660)
      • installer.exe (PID: 1924)
    • Reads Environment values

      • installer.exe (PID: 7132)
      • ProductAgentService.exe (PID: 6220)
      • installer.exe (PID: 1924)
      • ProductAgentService.exe (PID: 5268)
      • ProductAgentService.exe (PID: 1752)
    • Reads CPU info

      • ProductAgentService.exe (PID: 6220)
      • ProductAgentService.exe (PID: 5268)
    • Manual execution by a user

      • bitdefender_tsecurity.exe (PID: 4376)
      • mspaint.exe (PID: 6284)
    • Reads security settings of Internet Explorer

      • explorer.exe (PID: 3816)
Find more information about signature artifacts and their mapping to the MITRE ATT&CK™ matrix in the full report.
No Malware configuration.

TRiD

.exe | Win64 Executable (generic) (76.4)
.exe | Win32 Executable (generic) (12.4)
.exe | Generic Win/DOS Executable (5.5)
.exe | DOS Executable Generic (5.5)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 2016:08:14 19:15:49+00:00
ImageFileCharacteristics: Executable, 32-bit
PEType: PE32
LinkerVersion: 14
CodeSize: 188416
InitializedDataSize: 265216
UninitializedDataSize: -
EntryPoint: 0x1cab5
OSVersion: 5.1
ImageVersion: -
SubsystemVersion: 5.1
Subsystem: Windows GUI
No data.
All screenshots are available in the full report
Total processes: 182
Monitored processes: 38
Malicious processes: 29
Suspicious processes: 2


Process information

PID: 1176
CMD: "C:\Users\admin\AppData\Local\Temp\RarSFX0\bddeploy.exe"
Path: C:\Users\admin\AppData\Local\Temp\RarSFX0\bddeploy.exe
Parent process: agent_launcher.exe
User: admin
Company: Bitdefender
Integrity Level: HIGH
Description: Installation File
Exit code: 0
Version: 27.0.16.281
Modules (images):
c:\users\admin\appdata\local\temp\rarsfx0\bddeploy.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\aclayers.dll

PID: 1712
CMD: "C:\Users\admin\Desktop\bitdefender_tsecurity.exe"
Path: C:\Users\admin\Desktop\bitdefender_tsecurity.exe
Parent process: explorer.exe
User: admin
Integrity Level: MEDIUM
Exit code: 0
Modules (images):
c:\users\admin\desktop\bitdefender_tsecurity.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\advapi32.dll

PID: 1752
CMD: "C:\Program Files\Bitdefender Agent\27.0.1.281_0\ProductAgentService.exe" update_ready "C:\Users\admin\Desktop\bitdefender_tsecurity.exe"
Path: C:\Program Files\Bitdefender Agent\27.0.1.281_0\ProductAgentService.exe
Parent process: installer.exe
User: admin
Company: Bitdefender
Integrity Level: HIGH
Description: Bitdefender Agent
Exit code: 0
Version: 27.0.1.281
Modules (images):
c:\program files\bitdefender agent\27.0.1.281_0\productagentservice.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\aclayers.dll

PID: 1772
CMD: C:\WINDOWS\SysWOW64\DllHost.exe /Processid:{06622D85-6856-4460-8DE1-A81921B41C4B}
Path: C:\Windows\SysWOW64\dllhost.exe
Parent process: svchost.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: COM Surrogate
Exit code: 0
Version: 10.0.19041.3636 (WinBuild.160101.0800)
Modules (images):
c:\windows\syswow64\dllhost.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\ucrtbase.dll
c:\windows\syswow64\combase.dll

PID: 1924
CMD: "C:\Users\admin\AppData\Local\Temp\RarSFX1\packages\installer.exe"
Path: C:\Users\admin\AppData\Local\Temp\RarSFX1\packages\installer.exe
Parent process: bddeploy.exe
User: admin
Company: Bitdefender
Integrity Level: HIGH
Description: Installation File
Exit code: 0
Version: 27.0.16.281
Modules (images):
c:\users\admin\appdata\local\temp\rarsfx1\packages\installer.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\aclayers.dll

PID: 2112
CMD: "ProductAgentService.exe" login_silent
Path: C:\Program Files\Bitdefender Agent\ProductAgentService.exe
Parent process: ProductAgentService.exe
User: SYSTEM
Company: Bitdefender
Integrity Level: SYSTEM
Description: Bitdefender Agent
Exit code: 0
Version: 27.0.1.281
Modules (images):
c:\program files\bitdefender agent\productagentservice.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\user32.dll
c:\windows\syswow64\win32u.dll

PID: 2136
CMD: "C:\Program Files\Bitdefender Agent\ProductAgentService.exe" install
Path: C:\Program Files\Bitdefender Agent\ProductAgentService.exe
Parent process: ProductAgentService.exe
User: admin
Company: Bitdefender
Integrity Level: HIGH
Description: Bitdefender Agent
Exit code: 0
Version: 27.0.1.281
Modules (images):
c:\program files\bitdefender agent\productagentservice.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\aclayers.dll

PID: 2140
CMD: C:\Windows\System32\SystemSettingsBroker.exe -Embedding
Path: C:\Windows\System32\SystemSettingsBroker.exe
Parent process: svchost.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: System Settings Broker
Version: 10.0.19041.3996 (WinBuild.160101.0800)
Modules (images):
c:\windows\system32\systemsettingsbroker.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll

PID: 2348
CMD: "C:\WINDOWS\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe" -ServerName:App.AppXtk181tbxbce2qsex02s8tw7hfxa9xb3t.mca
Path: C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe
Parent process: svchost.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Windows Shell Experience Host
Version: 10.0.19041.3758 (WinBuild.160101.0800)
Modules (images):
c:\windows\systemapps\shellexperiencehost_cw5n1h2txyewy\shellexperiencehost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\wincorlib.dll

PID: 3076
CMD: "C:\Program Files\Bitdefender Agent\27.0.1.281\DiscoverySrv.exe"
Path: C:\Program Files\Bitdefender Agent\27.0.1.281\DiscoverySrv.exe
Parent process: ProductAgentService.exe
User: SYSTEM
Company: Bitdefender
Integrity Level: SYSTEM
Description: DiscoverySrv
Exit code: 0
Version: 27.0.1.281
Modules (images):
c:\program files\bitdefender agent\27.0.1.281\discoverysrv.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\crypt32.dll
c:\windows\syswow64\ucrtbase.dll

Total events: 96 780
Read events: 96 517
Write events: 242
Delete events: 21

Modification events

(PID) Process: (1712) bitdefender_tsecurity.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation: write
Name: ProxyBypass
Value: 1

(PID) Process: (1712) bitdefender_tsecurity.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation: write
Name: IntranetName
Value: 1

(PID) Process: (1712) bitdefender_tsecurity.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation: write
Name: UNCAsIntranet
Value: 1

(PID) Process: (1712) bitdefender_tsecurity.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation: write
Name: AutoDetect
Value: 0

(PID) Process: (5624) agent_launcher.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation: write
Name: ProxyBypass
Value: 1

(PID) Process: (5624) agent_launcher.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation: write
Name: IntranetName
Value: 1

(PID) Process: (5624) agent_launcher.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation: write
Name: UNCAsIntranet
Value: 1

(PID) Process: (5624) agent_launcher.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation: write
Name: AutoDetect
Value: 0

(PID) Process: (1176) bddeploy.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates
Operation: delete value
Name: 3679CA35668772304D30A5FB873B0FA77BB70D54
Value:

(PID) Process: (1176) bddeploy.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\3679CA35668772304D30A5FB873B0FA77BB70D54
Operation: write
Name: Blob
Value:

Executable files: 111
Suspicious files: 46
Text files: 340
Unknown types: 1

Dropped files

PID | Process | Filename | Type (the MD5 and SHA256 of each file follow on the next two lines)
1712 | bitdefender_tsecurity.exe | C:\Users\admin\AppData\Local\Temp\RarSFX0\bddeploy.exe | executable
MD5:2079443E634D7EE3D0D7B33B1824B770
SHA256:3BE61D5B6AD6CCE1AE556FBB7B9EC0419B907C5F1E992C534D2DE71E9FD666F2
1712 | bitdefender_tsecurity.exe | C:\Users\admin\AppData\Local\Temp\RarSFX0\agent_launcher.exe.md5 | text
MD5:2FBD6CC189F6C2D10C3189F9BB20ED31
SHA256:5675833AB04B4E2A8F392BB75861278ECD89FBFCB4EAAA52FC59047AB5B06646
1712 | bitdefender_tsecurity.exe | C:\Users\admin\AppData\Local\Temp\RarSFX0\packages\setuppackage.exe | executable
MD5:F57AA77748841D1E63C6D33F4B9739D1
SHA256:B4CCDAE05CE3137E815EC487A714CCAD5347569FC622A7D278037151A02FC927
1712 | bitdefender_tsecurity.exe | C:\Users\admin\AppData\Local\Temp\RarSFX0\packages\agentpackage.exe.md5 | text
MD5:06C7D6A0AE65CC14369BC0653B9A709F
SHA256:3FE0CF30FBF9E0D538D95124BF3993CFAEEA8CDB872E62FDCB6384D6287581E9
1712 | bitdefender_tsecurity.exe | C:\Users\admin\AppData\Local\Temp\RarSFX0\packages\setuppackage.exe.md5 | text
MD5:9EF0C29C0ACFFC8646D4E23CB9FB56F3
SHA256:05EBFF22C60478F5758C3B6C775E198AB4C000E1925AFF9A39BE5983CCFE90EE
1712 | bitdefender_tsecurity.exe | C:\Users\admin\AppData\Local\Temp\RarSFX0\deploy.dll.md5 | text
MD5:51C2F71494AE7559F8C295FDC8B16FD9
SHA256:44C4AC6BDECD8741C8578935F08040C6E8668B9CB1C1A14ACB88155507D75974
1712 | bitdefender_tsecurity.exe | C:\Users\admin\AppData\Local\Temp\RarSFX0\bddeploy.exe.md5 | text
MD5:7F59A234B54E52DBCB3847B5BFF4124B
SHA256:225686CA070796C12A11F073FAC5D99F0E5F0A4946C36C5B42E70AD177E563F6
1176 | bddeploy.exe | C:\Users\admin\AppData\Local\Temp\RarSFX0\packages\data\params.json | binary
MD5:1CD9A220024F17B9E9EE6382035639B5
SHA256:B7CB4F1EA0D7E526446B2D63C8D75C2CE8963C86EA47B96E6462A7CDE3005F9B
4732 | setuppackage.exe | C:\Users\admin\AppData\Local\Temp\RarSFX0\packages\bdec.dll | executable
MD5:9B7925D2FD4EA5FD57ED85C4D523CFB8
SHA256:DF93DF32C8A7AECE380ADD382434367D30309AABDA759DE3CDF1D7C0BC4A47E5
1712 | bitdefender_tsecurity.exe | C:\Users\admin\AppData\Local\Temp\RarSFX0\packages\agentpackage.exe | executable
MD5:909145E25F89FA425D170ADEC835254E
SHA256:22348BF301D14446A1F028AD8ACA3C9986E13977855C7F70364EBB3F22CB3E0B
Download the PCAP, analyze network streams, HTTP content and a lot more in the full report.

HTTP(S) requests: 80
TCP/UDP connections: 99
DNS requests: 61
Threats: 0

HTTP requests
(- = not given in the report; the PID/Process column is filled only on the first row of each process group, as in the report)

PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation
5800 | bdredline.exe | GET | 404 | 104.18.169.222:80 | http://upgrade.bitdefender.com/redline_com.bitdefender.agent/versions.id | unknown | - | - | whitelisted
- | - | GET | - | 35.190.56.82:443 | https://elb-iow-gcp.nimbus.bitdefender.net/_ServerStatus | unknown | - | - | -
- | - | GET | - | 34.120.68.241:443 | https://eu.nimbus.bitdefender.net/_ServerStatus | unknown | - | - | -
- | - | GET | - | 35.190.56.82:443 | https://elb-iow-gcp.nimbus.bitdefender.net/services/genid | unknown | - | - | -
- | - | GET | 200 | 34.120.68.241:443 | https://nimbus.bitdefender.net/bdnc/config | unknown | binary | 237 b | -
- | - | POST | 500 | 40.91.76.224:443 | https://activation-v2.sls.microsoft.com/SLActivateProduct/SLActivateProduct.asmx?configextension=Retail | unknown | xml | 512 b | -
- | - | POST | 500 | 40.91.76.224:443 | https://activation-v2.sls.microsoft.com/SLActivateProduct/SLActivateProduct.asmx?configextension=Retail | unknown | xml | 512 b | -
6220 | ProductAgentService.exe | GET | 200 | 192.229.221.95:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTfIs%2BLjDtGwQ09XEB1Yeq%2BtX%2BBgQQU7NfjgtJxXWRM3y5nP%2Be6mK4cD08CEAitQLJg0pxMn17Nqb2Trtk%3D | unknown | - | - | whitelisted
- | - | GET | 200 | 34.149.211.227:443 | https://mclb-gcp.nimbus.bitdefender.net/_ServerStatus | unknown | text | 21 b | -
- | - | GET | 200 | 34.149.211.227:443 | https://mclb-gcp.nimbus.bitdefender.net/_ServerStatus | unknown | text | 21 b | -

Connections
(- = not given in the report)

PID | Process | IP | Domain | ASN | CN | Reputation
3688 | svchost.exe | 51.104.136.2:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
4 | System | 192.168.100.255:138 | - | - | - | whitelisted
- | - | 131.253.33.254:443 | a-ring-fallback.msedge.net | MICROSOFT-CORP-MSN-AS-BLOCK | US | unknown
- | - | 104.126.37.145:443 | www.bing.com | Akamai International B.V. | DE | unknown
5812 | slui.exe | 40.91.76.224:443 | - | MICROSOFT-CORP-MSN-AS-BLOCK | US | whitelisted
6012 | MoUsoCoreWorker.exe | 51.104.136.2:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
4432 | RUXIMICS.exe | 51.104.136.2:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
3952 | svchost.exe | 239.255.255.250:1900 | - | - | - | whitelisted
4 | System | 192.168.100.255:137 | - | - | - | whitelisted
6564 | slui.exe | 40.91.76.224:443 | - | MICROSOFT-CORP-MSN-AS-BLOCK | US | whitelisted

DNS requests

Domain | IP | Reputation
settings-win.data.microsoft.com | 51.104.136.2, 4.231.128.59 | whitelisted
t-ring-fdv2.msedge.net | 13.107.237.254 | unknown
a-ring-fallback.msedge.net | 131.253.33.254 | unknown
www.bing.com | 104.126.37.145, 104.126.37.139, 104.126.37.136, 104.126.37.146, 104.126.37.171, 104.126.37.129, 104.126.37.130, 104.126.37.186, 104.126.37.178 | whitelisted
google.com | 142.250.185.110 | whitelisted
upgrade.bitdefender.com | 104.18.169.222, 104.18.168.222 | whitelisted
nimbus.bitdefender.net | 34.120.68.241, 2600:1901:0:69b7:: | whitelisted
mclb-gcp.nimbus.bitdefender.net | 34.149.211.227, 2600:1901:0:c603:: | whitelisted
eu.nimbus.bitdefender.net | 34.120.68.241, 2600:1901:0:69b7:: | whitelisted
elb-iow-gcp.nimbus.bitdefender.net | 35.190.56.82, 2600:1901:0:5723:: | whitelisted

Threats

No threats detected
No debug info