| File name: | bitdefender_avfree.exe |
| Full analysis: | https://app.any.run/tasks/72139e02-8e1d-44ee-9ab0-b5f18ba22b86 |
| Verdict: | Malicious activity |
| Threats: | A loader is malicious software that infiltrates devices to deliver malicious payloads. This malware is capable of infecting victims’ computers, analyzing their system information, and installing other types of threats, such as trojans or stealers. Criminals usually deliver loaders through phishing emails and links by relying on social engineering to trick users into downloading and running their executables. Loaders employ advanced evasion and persistence tactics to avoid detection. |
| Analysis date: | October 18, 2024, 08:46:40 |
| OS: | Windows 10 Professional (build: 19045, 64 bit) |
| Tags: | |
| Indicators: | |
| MIME: | application/x-dosexec |
| File info: | PE32 executable (GUI) Intel 80386, for MS Windows |
| MD5: | 3C1EB0B87403AEFB465B8172E7C0CD55 |
| SHA1: | 72D5059A35A888BAC59A21E2D78E9C7253F36DF3 |
| SHA256: | 9AC87B3D50D6230BDA18CC6A8748604345E8875F202E9B56E4B2E79BA09FDE42 |
| SSDEEP: | 98304:mM5ssWuyR7C/Pxj5vb6wnuJ8rhHQRHUnyfhdwOK5vGvdX5Q7bsDOQ6zje7QctD0c:bvGiQPAjJtAczEnp/FbYJRxUsYFkpmf |
MALICIOUS
Registers / Runs the DLL via REGSVR32.EXE
- DiscoverySrv.exe (PID: 6204)
SUSPICIOUS
Reads security settings of Internet Explorer
- bitdefender_avfree.exe (PID: 3276)
- agent_launcher.exe (PID: 4076)
Executable content was dropped or overwritten
- bitdefender_avfree.exe (PID: 3276)
- setuppackage.exe (PID: 3828)
- installer.exe (PID: 2620)
- ProductAgentService.exe (PID: 6888)
- uif3B0A.tmp (PID: 7156)
Checks Windows Trust Settings
- agent_launcher.exe (PID: 4076)
Executes as Windows Service
- bdredline.exe (PID: 3836)
- ProductAgentService.exe (PID: 6888)
Process drops legitimate windows executable
- MicrosoftEdgeUpdate.exe (PID: 4128)
- uif3B0A.tmp (PID: 7156)
- ProductAgentService.exe (PID: 6888)
Starts application with an unusual extension
- ProductAgentService.exe (PID: 6888)
Starts a Microsoft application from unusual location
- uif3B0A.tmp (PID: 7156)
- MicrosoftEdgeUpdate.exe (PID: 4128)
INFO
Reads the computer name
- bitdefender_avfree.exe (PID: 3276)
- agent_launcher.exe (PID: 4076)
Checks supported languages
- agent_launcher.exe (PID: 4076)
- bitdefender_avfree.exe (PID: 3276)
Process checks computer location settings
- bitdefender_avfree.exe (PID: 3276)
- agent_launcher.exe (PID: 4076)
Create files in a temporary directory
- bitdefender_avfree.exe (PID: 3276)
The process uses the downloaded file
- bitdefender_avfree.exe (PID: 3276)
- agent_launcher.exe (PID: 4076)
Reads the machine GUID from the registry
- agent_launcher.exe (PID: 4076)
Reads the software policy settings
- agent_launcher.exe (PID: 4076)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
TRiD
| .exe | | | Win64 Executable (generic) (76.4) |
|---|---|---|
| .exe | | | Win32 Executable (generic) (12.4) |
| .exe | | | Generic Win/DOS Executable (5.5) |
| .exe | | | DOS Executable Generic (5.5) |
EXIF
EXE
| MachineType: | Intel 386 or later, and compatibles |
|---|---|
| TimeStamp: | 2016:08:14 19:15:49+00:00 |
| ImageFileCharacteristics: | Executable, 32-bit |
| PEType: | PE32 |
| LinkerVersion: | 14 |
| CodeSize: | 188416 |
| InitializedDataSize: | 265216 |
| UninitializedDataSize: | - |
| EntryPoint: | 0x1cab5 |
| OSVersion: | 5.1 |
| ImageVersion: | - |
| SubsystemVersion: | 5.1 |
| Subsystem: | Windows GUI |
Total processes
149
Monitored processes
19
Malicious processes
3
Suspicious processes
0
Behavior graph
Click at the process to see the details
Process information
PID | CMD | Path | Indicators | Parent process | |||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| 1156 | "C:\Program Files\Bitdefender Agent\ProductAgentService.exe" protect | C:\Program Files\Bitdefender Agent\ProductAgentService.exe | — | installer.exe | |||||||||||
User: admin Company: Bitdefender Integrity Level: HIGH Description: Bitdefender Agent Exit code: 31 Version: 27.0.1.283 Modules
| |||||||||||||||
| 1172 | "C:\Program Files\Bitdefender Agent\27.0.1.286\ProductAgentUI.exe" show=progress event_retry=Global\7295237F-E98C-4C46-A4A4-07F0D66278C2 app_name="Bitdefender Security" | C:\Program Files\Bitdefender Agent\27.0.1.286\ProductAgentUI.exe | — | ProductAgentService.exe | |||||||||||
User: SYSTEM Company: Bitdefender Integrity Level: SYSTEM Description: Bitdefender Agent Version: 27.0.1.284 Modules
| |||||||||||||||
| 2620 | "C:\Users\admin\AppData\Local\Temp\RarSFX0\packages\installer.exe" | C:\Users\admin\AppData\Local\Temp\RarSFX0\packages\installer.exe | bddeploy.exe | ||||||||||||
User: admin Company: Bitdefender Integrity Level: HIGH Description: Installation File Exit code: 0 Version: 27.0.16.281 Modules
| |||||||||||||||
| 3276 | "C:\Users\admin\Desktop\bitdefender_avfree.exe" | C:\Users\admin\Desktop\bitdefender_avfree.exe | explorer.exe | ||||||||||||
User: admin Integrity Level: MEDIUM Exit code: 0 Modules
| |||||||||||||||
| 3828 | "C:\Users\admin\AppData\Local\Temp\RarSFX0\packages\setuppackage.exe" | C:\Users\admin\AppData\Local\Temp\RarSFX0\packages\setuppackage.exe | bddeploy.exe | ||||||||||||
User: admin Integrity Level: HIGH Exit code: 0 Modules
| |||||||||||||||
| 3836 | "C:\Program Files\Bitdefender Agent\redline\bdredline.exe" | C:\Program Files\Bitdefender Agent\redline\bdredline.exe | services.exe | ||||||||||||
User: SYSTEM Company: Bitdefender Integrity Level: SYSTEM Description: Bitdefender redline update Version: 1.0.1.113 Modules
| |||||||||||||||
| 4040 | "C:\Program Files\Bitdefender Agent\27.0.1.286\DiscoverySrv.exe" | C:\Program Files\Bitdefender Agent\27.0.1.286\DiscoverySrv.exe | — | ProductAgentService.exe | |||||||||||
User: SYSTEM Company: Bitdefender Integrity Level: SYSTEM Description: DiscoverySrv Version: 27.0.1.283 Modules
| |||||||||||||||
| 4076 | "C:\Users\admin\AppData\Local\Temp\RarSFX0\agent_launcher.exe" | C:\Users\admin\AppData\Local\Temp\RarSFX0\agent_launcher.exe | — | bitdefender_avfree.exe | |||||||||||
User: admin Company: Bitdefender Integrity Level: MEDIUM Description: Bitdefender Agent Launcher Exit code: 0 Version: 27.0.16.281 Modules
| |||||||||||||||
| 4128 | "C:\Program Files (x86)\Microsoft\Temp\EU699B.tmp\MicrosoftEdgeUpdate.exe" /silent /install "appguid={F3017226-FE2A-4295-8BDF-00C3A9A7E4C5}&appname=Microsoft%20Edge%20Webview2%20Runtime&needsadmin=prefers" | C:\Program Files (x86)\Microsoft\Temp\EU699B.tmp\MicrosoftEdgeUpdate.exe | uif3B0A.tmp | ||||||||||||
User: SYSTEM Company: Microsoft Corporation Integrity Level: SYSTEM Description: Microsoft Edge Update Exit code: 2147747592 Version: 1.3.195.25 Modules
| |||||||||||||||
| 4464 | "C:\Program Files\Bitdefender Agent\ProductAgentService.exe" install | C:\Program Files\Bitdefender Agent\ProductAgentService.exe | — | installer.exe | |||||||||||
User: admin Company: Bitdefender Integrity Level: HIGH Description: Bitdefender Agent Exit code: 0 Version: 27.0.1.283 Modules
| |||||||||||||||
Total events
42 156
Read events
42 040
Write events
111
Delete events
5
Modification events
| (PID) Process: | (2620) installer.exe | Key: | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run |
| Operation: | delete value | Name: | InstallerLauncher |
Value: | |||
| (PID) Process: | (2620) installer.exe | Key: | HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run |
| Operation: | delete value | Name: | InstallerLauncher |
Value: | |||
| (PID) Process: | (2620) installer.exe | Key: | HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Bitdefender Agent\Install |
| Operation: | write | Name: | ShortInstallPath |
Value: C:\Program Files\Bitdefender Agent\ | |||
| (PID) Process: | (2620) installer.exe | Key: | HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Bitdefender Agent\Install |
| Operation: | write | Name: | InstallPath |
Value: C:\Program Files\Bitdefender Agent\ | |||
| (PID) Process: | (2620) installer.exe | Key: | HKEY_LOCAL_MACHINE\SOFTWARE\Bitdefender Agent |
| Operation: | write | Name: | traceFolder |
Value: C:\ProgramData\Bitdefender Agent | |||
| (PID) Process: | (2620) installer.exe | Key: | HKEY_LOCAL_MACHINE\SOFTWARE\Bitdefender Agent |
| Operation: | write | Name: | traceLevel |
Value: 1 | |||
| (PID) Process: | (2620) installer.exe | Key: | HKEY_LOCAL_MACHINE\SOFTWARE\Bitdefender Agent |
| Operation: | write | Name: | traceMode |
Value: 0 | |||
| (PID) Process: | (2620) installer.exe | Key: | HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Bitdefender Agent\Submission\Agent Submission Tool |
| Operation: | write | Name: | AppPath |
Value: C:\Program Files\Bitdefender Agent\27.0.1.286\bdsubwiz.exe | |||
| (PID) Process: | (2620) installer.exe | Key: | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Bitdefender Agent |
| Operation: | write | Name: | DisplayIcon |
Value: C:\Program Files\Bitdefender Agent\27.0.1.286\bdicon.ico | |||
| (PID) Process: | (2620) installer.exe | Key: | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Bitdefender Agent |
| Operation: | write | Name: | DisplayName |
Value: Bitdefender Agent | |||
Executable files
262
Suspicious files
32
Text files
175
Unknown types
0
Dropped files
PID | Process | Filename | Type | |
|---|---|---|---|---|
| 3276 | bitdefender_avfree.exe | C:\Users\admin\AppData\Local\Temp\RarSFX0\packages\setuppackage.exe | executable | |
MD5:1BE6C5E5D48BD16146F1FAC821C9796E | SHA256:3AB74216BE750FD89121FBC458842E557BCDC16FE06364596C66736B9F9BDE97 | |||
| 3276 | bitdefender_avfree.exe | C:\Users\admin\AppData\Local\Temp\RarSFX0\bddeploy.exe | executable | |
MD5:25EC4BC0BEDE15B3387A60F57B26B7E5 | SHA256:802909C5996EA420A57954D6F50C2781D7601A62F9BA51B239EAFEAAF48E310F | |||
| 3276 | bitdefender_avfree.exe | C:\Users\admin\AppData\Local\Temp\RarSFX0\agent_launcher.exe.md5 | text | |
MD5:E8EAE1E745A42F71B1A2D78E61ECE7EC | SHA256:AF07866EF70F059C9E3CDCE171A4E2CA5775DADC89147A911E3EE70A2C3B8F0F | |||
| 3828 | setuppackage.exe | C:\Users\admin\AppData\Local\Temp\RarSFX0\packages\additional.dll | executable | |
MD5:96E0A4B88ADE20EA0580FE5241133083 | SHA256:C33B408112C8825AD7199E9DA607695AF1DB83904A9598643C9A4BBA56BB8D29 | |||
| 3828 | setuppackage.exe | C:\Users\admin\AppData\Local\Temp\RarSFX0\packages\bdec.dll | executable | |
MD5:F1712024C040E00B392AACE176AF63E1 | SHA256:050D7580DB67D67E924E171AA0A00073E8F49ADEDAD142ACCDF57630265D8EF6 | |||
| 3828 | setuppackage.exe | C:\Users\admin\AppData\Local\Temp\RarSFX0\packages\bdnc.dll | executable | |
MD5:51F03F28D69A2211AA0824469A3DEB3E | SHA256:97BCCC07CE5B1982120F7EC930F0464ADB830466DABE897CD502009725CC581B | |||
| 3276 | bitdefender_avfree.exe | C:\Users\admin\AppData\Local\Temp\RarSFX0\deploy.dll.md5 | text | |
MD5:8AFDBEE1883E71940C5F2E3179D1433F | SHA256:59E8A9B0579F50D6D9C8A22F77306395A69AB3D0F05A0EA6CD1149935CD7B1D8 | |||
| 3828 | setuppackage.exe | C:\Users\admin\AppData\Local\Temp\RarSFX0\packages\bdec.ini | binary | |
MD5:96D15C4F3DB04429631866751A1D2890 | SHA256:E8D31C1DE790F738EF75DAA0402584560A0672402D0D3DED0899D2DBC95FB911 | |||
| 3828 | setuppackage.exe | C:\Users\admin\AppData\Local\Temp\RarSFX0\packages\bdnc.client_id | text | |
MD5:F4C2784AA289F17D144A589751C7980D | SHA256:E6E827F81840CE8975CD5E30467DDC1661C3F407CD9D342D00800F32C01DCC26 | |||
| 3828 | setuppackage.exe | C:\Users\admin\AppData\Local\Temp\RarSFX0\packages\bdredline.exe | executable | |
MD5:D11E644BE07F4357F415B064A70E74AC | SHA256:8A9F1F6CFF1F2565CF5967B4E0A8EB739EA83C129627E7C3EA35715372CCB91D | |||
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
42
TCP/UDP connections
52
DNS requests
31
Threats
9
HTTP requests
PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation |
|---|---|---|---|---|---|---|---|---|---|
3524 | RUXIMICS.exe | GET | 200 | 2.16.164.49:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | unknown | — | — | whitelisted |
5488 | MoUsoCoreWorker.exe | GET | 200 | 95.101.149.131:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | unknown | — | — | whitelisted |
3836 | bdredline.exe | GET | 404 | 104.18.169.222:80 | http://upgrade.bitdefender.com/redline_com.bitdefender.agent/versions.id | unknown | — | — | whitelisted |
5488 | MoUsoCoreWorker.exe | GET | 200 | 2.16.164.49:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | unknown | — | — | whitelisted |
— | — | GET | 200 | 34.117.13.33:443 | https://us.nimbus.bitdefender.net/_ServerStatus | unknown | text | 21 b | whitelisted |
— | — | GET | 200 | 34.120.85.253:443 | https://elb-ore-gcp.nimbus.bitdefender.net/_ServerStatus | unknown | text | 21 b | whitelisted |
— | — | GET | 200 | 34.120.68.241:443 | https://nimbus.bitdefender.net/bdnc/config | unknown | binary | 240 b | whitelisted |
— | — | GET | 200 | 35.190.56.82:443 | https://elb-iow-gcp.nimbus.bitdefender.net/_ServerStatus | unknown | text | 21 b | whitelisted |
— | — | GET | 200 | 34.120.68.241:443 | https://nimbus.bitdefender.net/bdnc/config | unknown | binary | 240 b | whitelisted |
— | — | GET | 200 | 35.190.56.82:443 | https://elb-iow-gcp.nimbus.bitdefender.net/_ServerStatus | unknown | text | 21 b | whitelisted |
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
Connections
PID | Process | IP | Domain | ASN | CN | Reputation |
|---|---|---|---|---|---|---|
6944 | svchost.exe | 40.127.240.158:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted |
4 | System | 192.168.100.255:137 | — | — | — | whitelisted |
3524 | RUXIMICS.exe | 40.127.240.158:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted |
— | — | 40.127.240.158:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted |
4 | System | 192.168.100.255:138 | — | — | — | whitelisted |
3524 | RUXIMICS.exe | 2.16.164.49:80 | crl.microsoft.com | Akamai International B.V. | NL | whitelisted |
5488 | MoUsoCoreWorker.exe | 2.16.164.49:80 | crl.microsoft.com | Akamai International B.V. | NL | whitelisted |
6944 | svchost.exe | 4.231.128.59:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted |
5488 | MoUsoCoreWorker.exe | 95.101.149.131:80 | www.microsoft.com | Akamai International B.V. | NL | whitelisted |
5488 | MoUsoCoreWorker.exe | 40.127.240.158:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted |
DNS requests
Domain | IP | Reputation |
|---|---|---|
settings-win.data.microsoft.com |
| whitelisted |
google.com |
| whitelisted |
crl.microsoft.com |
| whitelisted |
www.microsoft.com |
| whitelisted |
upgrade.bitdefender.com |
| whitelisted |
nimbus.bitdefender.net |
| whitelisted |
us.nimbus.bitdefender.net |
| whitelisted |
elb-iow-gcp.nimbus.bitdefender.net |
| whitelisted |
elb-ore-gcp.nimbus.bitdefender.net |
| whitelisted |
go.microsoft.com |
| whitelisted |
Threats
PID | Process | Class | Message |
|---|---|---|---|
— | — | Misc activity | INSTALLER [ANY.RUN] BDNC Installer HTTP POST Request (UA) |
— | — | Misc activity | INSTALLER [ANY.RUN] BDNC Installer HTTP POST Request (UA) |
— | — | Misc activity | INSTALLER [ANY.RUN] BDNC Installer HTTP POST Request (UA) |
— | — | Misc activity | INSTALLER [ANY.RUN] BDNC Installer HTTP POST Request (UA) |
— | — | Misc activity | INSTALLER [ANY.RUN] BDNC Installer HTTP POST Request (UA) |
— | — | Potential Corporate Privacy Violation | ET POLICY PE EXE or DLL Windows file download HTTP |
— | — | Misc activity | INSTALLER [ANY.RUN] BDNC Installer HTTP POST Request (UA) |
— | — | Misc activity | INSTALLER [ANY.RUN] BDNC Installer HTTP POST Request (UA) |
— | — | Misc activity | INSTALLER [ANY.RUN] BDNC Installer HTTP POST Request (UA) |
Process | Message |
|---|---|
ProductAgentService.exe | WebView2: Failed to find an installed WebView2 runtime or non-stable Microsoft Edge installation.
|
ProductAgentService.exe | WebView2: Failed to find an installed WebView2 runtime or non-stable Microsoft Edge installation.
|
ProductAgentService.exe | WebView2: Failed to find an installed WebView2 runtime or non-stable Microsoft Edge installation.
|
ProductAgentService.exe | WebView2: Failed to find an installed WebView2 runtime or non-stable Microsoft Edge installation.
|