| File name: | bitdefender_avfree.exe |
| Full analysis: | https://app.any.run/tasks/af3e8b4e-da9c-4d6d-a8dd-2b0116daaf3a |
| Verdict: | Malicious activity |
| Threats: | A loader is malicious software that infiltrates devices to deliver malicious payloads. This malware is capable of infecting victims’ computers, analyzing their system information, and installing other types of threats, such as trojans or stealers. Criminals usually deliver loaders through phishing emails and links by relying on social engineering to trick users into downloading and running their executables. Loaders employ advanced evasion and persistence tactics to avoid detection. |
| Analysis date: | October 16, 2024, 18:23:53 |
| OS: | Windows 10 Professional (build: 19045, 64 bit) |
| Tags: | |
| Indicators: | |
| MIME: | application/x-dosexec |
| File info: | PE32 executable (GUI) Intel 80386, for MS Windows |
| MD5: | 3C1EB0B87403AEFB465B8172E7C0CD55 |
| SHA1: | 72D5059A35A888BAC59A21E2D78E9C7253F36DF3 |
| SHA256: | 9AC87B3D50D6230BDA18CC6A8748604345E8875F202E9B56E4B2E79BA09FDE42 |
| SSDEEP: | 98304:mM5ssWuyR7C/Pxj5vb6wnuJ8rhHQRHUnyfhdwOK5vGvdX5Q7bsDOQ6zje7QctD0c:bvGiQPAjJtAczEnp/FbYJRxUsYFkpmf |
MALICIOUS
Registers / Runs the DLL via REGSVR32.EXE
- DiscoverySrv.exe (PID: 6432)
SUSPICIOUS
Reads security settings of Internet Explorer
- bitdefender_avfree.exe (PID: 6708)
- agent_launcher.exe (PID: 6584)
- bddeploy.exe (PID: 6516)
Executable content was dropped or overwritten
- bitdefender_avfree.exe (PID: 6708)
- installer.exe (PID: 6212)
- ProductAgentService.exe (PID: 4348)
- wib2D7D.tmp (PID: 6288)
- setuppackage.exe (PID: 700)
Checks Windows Trust Settings
- agent_launcher.exe (PID: 6584)
- bddeploy.exe (PID: 6516)
Executes as Windows Service
- ProductAgentService.exe (PID: 4348)
- bdredline.exe (PID: 6184)
Process drops legitimate windows executable
- wib2D7D.tmp (PID: 6288)
- ProductAgentService.exe (PID: 4348)
- MicrosoftEdgeUpdate.exe (PID: 6132)
Starts a Microsoft application from unusual location
- wib2D7D.tmp (PID: 6288)
- MicrosoftEdgeUpdate.exe (PID: 6132)
Starts application with an unusual extension
- ProductAgentService.exe (PID: 4348)
INFO
Checks supported languages
- bitdefender_avfree.exe (PID: 6708)
- agent_launcher.exe (PID: 6584)
- bddeploy.exe (PID: 6516)
Reads the computer name
- bitdefender_avfree.exe (PID: 6708)
- agent_launcher.exe (PID: 6584)
The process uses the downloaded file
- bitdefender_avfree.exe (PID: 6708)
- agent_launcher.exe (PID: 6584)
Process checks computer location settings
- bitdefender_avfree.exe (PID: 6708)
- agent_launcher.exe (PID: 6584)
Create files in a temporary directory
- bitdefender_avfree.exe (PID: 6708)
Reads the machine GUID from the registry
- agent_launcher.exe (PID: 6584)
- bddeploy.exe (PID: 6516)
Reads the software policy settings
- agent_launcher.exe (PID: 6584)
- bddeploy.exe (PID: 6516)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
TRiD
| .exe | | | Win64 Executable (generic) (76.4) |
|---|---|---|
| .exe | | | Win32 Executable (generic) (12.4) |
| .exe | | | Generic Win/DOS Executable (5.5) |
| .exe | | | DOS Executable Generic (5.5) |
EXIF
EXE
| MachineType: | Intel 386 or later, and compatibles |
|---|---|
| TimeStamp: | 2016:08:14 19:15:49+00:00 |
| ImageFileCharacteristics: | Executable, 32-bit |
| PEType: | PE32 |
| LinkerVersion: | 14 |
| CodeSize: | 188416 |
| InitializedDataSize: | 265216 |
| UninitializedDataSize: | - |
| EntryPoint: | 0x1cab5 |
| OSVersion: | 5.1 |
| ImageVersion: | - |
| SubsystemVersion: | 5.1 |
| Subsystem: | Windows GUI |
Total processes
149
Monitored processes
19
Malicious processes
3
Suspicious processes
2
Behavior graph
Click at the process to see the details
Process information
PID | CMD | Path | Indicators | Parent process | |||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| 700 | "C:\Users\admin\AppData\Local\Temp\RarSFX0\packages\setuppackage.exe" | C:\Users\admin\AppData\Local\Temp\RarSFX0\packages\setuppackage.exe | bddeploy.exe | ||||||||||||
User: admin Integrity Level: HIGH Exit code: 0 Modules
| |||||||||||||||
| 864 | "C:\Program Files\Bitdefender Agent\27.0.1.286\DiscoverySrv.exe" | C:\Program Files\Bitdefender Agent\27.0.1.286\DiscoverySrv.exe | — | ProductAgentService.exe | |||||||||||
User: SYSTEM Company: Bitdefender Integrity Level: SYSTEM Description: DiscoverySrv Version: 27.0.1.283 Modules
| |||||||||||||||
| 916 | "C:\WINDOWS\system32\wermgr.exe" "-outproc" "0" "6132" "2348" "2272" "2352" "0" "0" "0" "0" "0" "0" "0" "0" | C:\Windows\SysWOW64\wermgr.exe | MicrosoftEdgeUpdate.exe | ||||||||||||
User: SYSTEM Company: Microsoft Corporation Integrity Level: SYSTEM Description: Windows Problem Reporting Exit code: 0 Version: 10.0.19041.3996 (WinBuild.160101.0800) Modules
| |||||||||||||||
| 1452 | "C:\Program Files\Bitdefender Agent\ProductAgentService.exe" install | C:\Program Files\Bitdefender Agent\ProductAgentService.exe | — | installer.exe | |||||||||||
User: admin Company: Bitdefender Integrity Level: HIGH Description: Bitdefender Agent Exit code: 0 Version: 27.0.1.283 Modules
| |||||||||||||||
| 4348 | "C:\Program Files\Bitdefender Agent\ProductAgentService.exe" | C:\Program Files\Bitdefender Agent\ProductAgentService.exe | services.exe | ||||||||||||
User: SYSTEM Company: Bitdefender Integrity Level: SYSTEM Description: Bitdefender Agent Version: 27.0.1.283 Modules
| |||||||||||||||
| 6024 | regsvr32 /s "C:\Program Files\Bitdefender Agent\27.0.1.286\DiscoveryComp.dll" | C:\Windows\SysWOW64\regsvr32.exe | — | DiscoverySrv.exe | |||||||||||
User: SYSTEM Company: Microsoft Corporation Integrity Level: SYSTEM Description: Microsoft(C) Register Server Exit code: 0 Version: 10.0.19041.1 (WinBuild.160101.0800) Modules
| |||||||||||||||
| 6128 | "C:\Program Files\Bitdefender Agent\ProductAgentService.exe" enable | C:\Program Files\Bitdefender Agent\ProductAgentService.exe | — | installer.exe | |||||||||||
User: admin Company: Bitdefender Integrity Level: HIGH Description: Bitdefender Agent Exit code: 0 Version: 27.0.1.283 Modules
| |||||||||||||||
| 6132 | "C:\Program Files (x86)\Microsoft\Temp\EU4CFB.tmp\MicrosoftEdgeUpdate.exe" /silent /install "appguid={F3017226-FE2A-4295-8BDF-00C3A9A7E4C5}&appname=Microsoft%20Edge%20Webview2%20Runtime&needsadmin=prefers" | C:\Program Files (x86)\Microsoft\Temp\EU4CFB.tmp\MicrosoftEdgeUpdate.exe | wib2D7D.tmp | ||||||||||||
User: SYSTEM Company: Microsoft Corporation Integrity Level: SYSTEM Description: Microsoft Edge Update Exit code: 2147747592 Version: 1.3.195.25 Modules
| |||||||||||||||
| 6184 | "C:\Program Files\Bitdefender Agent\redline\bdredline.exe" | C:\Program Files\Bitdefender Agent\redline\bdredline.exe | services.exe | ||||||||||||
User: SYSTEM Company: Bitdefender Integrity Level: SYSTEM Description: Bitdefender redline update Version: 1.0.1.113 Modules
| |||||||||||||||
| 6212 | "C:\Users\admin\AppData\Local\Temp\RarSFX0\packages\installer.exe" | C:\Users\admin\AppData\Local\Temp\RarSFX0\packages\installer.exe | bddeploy.exe | ||||||||||||
User: admin Company: Bitdefender Integrity Level: HIGH Description: Installation File Exit code: 0 Version: 27.0.16.281 Modules
| |||||||||||||||
Total events
42 165
Read events
42 049
Write events
111
Delete events
5
Modification events
| (PID) Process: | (6212) installer.exe | Key: | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run |
| Operation: | delete value | Name: | InstallerLauncher |
Value: | |||
| (PID) Process: | (6212) installer.exe | Key: | HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run |
| Operation: | delete value | Name: | InstallerLauncher |
Value: | |||
| (PID) Process: | (6212) installer.exe | Key: | HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Bitdefender Agent\Install |
| Operation: | write | Name: | ShortInstallPath |
Value: C:\Program Files\Bitdefender Agent\ | |||
| (PID) Process: | (6212) installer.exe | Key: | HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Bitdefender Agent\Install |
| Operation: | write | Name: | InstallPath |
Value: C:\Program Files\Bitdefender Agent\ | |||
| (PID) Process: | (6212) installer.exe | Key: | HKEY_LOCAL_MACHINE\SOFTWARE\Bitdefender Agent |
| Operation: | write | Name: | traceFolder |
Value: C:\ProgramData\Bitdefender Agent | |||
| (PID) Process: | (6212) installer.exe | Key: | HKEY_LOCAL_MACHINE\SOFTWARE\Bitdefender Agent |
| Operation: | write | Name: | traceLevel |
Value: 1 | |||
| (PID) Process: | (6212) installer.exe | Key: | HKEY_LOCAL_MACHINE\SOFTWARE\Bitdefender Agent |
| Operation: | write | Name: | traceMode |
Value: 0 | |||
| (PID) Process: | (6212) installer.exe | Key: | HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Bitdefender Agent\Submission\Agent Submission Tool |
| Operation: | write | Name: | AppPath |
Value: C:\Program Files\Bitdefender Agent\27.0.1.286\bdsubwiz.exe | |||
| (PID) Process: | (6212) installer.exe | Key: | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Bitdefender Agent |
| Operation: | write | Name: | DisplayIcon |
Value: C:\Program Files\Bitdefender Agent\27.0.1.286\bdicon.ico | |||
| (PID) Process: | (6212) installer.exe | Key: | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Bitdefender Agent |
| Operation: | write | Name: | DisplayName |
Value: Bitdefender Agent | |||
Executable files
262
Suspicious files
30
Text files
175
Unknown types
2
Dropped files
PID | Process | Filename | Type | |
|---|---|---|---|---|
| 6708 | bitdefender_avfree.exe | C:\Users\admin\AppData\Local\Temp\RarSFX0\bddeploy.exe | executable | |
MD5:25EC4BC0BEDE15B3387A60F57B26B7E5 | SHA256:802909C5996EA420A57954D6F50C2781D7601A62F9BA51B239EAFEAAF48E310F | |||
| 700 | setuppackage.exe | C:\Users\admin\AppData\Local\Temp\RarSFX0\packages\additional.dll | executable | |
MD5:96E0A4B88ADE20EA0580FE5241133083 | SHA256:C33B408112C8825AD7199E9DA607695AF1DB83904A9598643C9A4BBA56BB8D29 | |||
| 700 | setuppackage.exe | C:\Users\admin\AppData\Local\Temp\RarSFX0\packages\bdnc.ini.md5 | text | |
MD5:3A0A7D7823833BE6E8AF5AB1AF295139 | SHA256:A5F15BA3B16384B584780F2BBB0EF3E7FD49CCABD0B9CA10437882F65F49C7F2 | |||
| 6516 | bddeploy.exe | C:\Users\admin\AppData\Local\Temp\RarSFX0\packages\data\params.json | binary | |
MD5:421A73583B2B4BA31F285D6DCDAEA56F | SHA256:0FA4DA77FFC6F078DD98D7ACAAB65674CDE0CC4AA5274CCAD6DF0018A3CD36A8 | |||
| 6708 | bitdefender_avfree.exe | C:\Users\admin\AppData\Local\Temp\RarSFX0\agent_launcher.exe | executable | |
MD5:BDAEE07050606E047351CB8155DA0FE3 | SHA256:4B4B1BD996F7775D2FAC830C48C9E855D1F926A50063259E1A2F797E5992A575 | |||
| 700 | setuppackage.exe | C:\Users\admin\AppData\Local\Temp\RarSFX0\packages\bdnc.client_id | text | |
MD5:F4C2784AA289F17D144A589751C7980D | SHA256:E6E827F81840CE8975CD5E30467DDC1661C3F407CD9D342D00800F32C01DCC26 | |||
| 700 | setuppackage.exe | C:\Users\admin\AppData\Local\Temp\RarSFX0\packages\bdnc.ini | text | |
MD5:758591D297B16EE7B5127F2FE3E67A27 | SHA256:2C6224951714E685114B51C4E598C2BAD8C7BC16975F7401AC51E101AFCAB837 | |||
| 6708 | bitdefender_avfree.exe | C:\Users\admin\AppData\Local\Temp\RarSFX0\deploy.dll.md5 | text | |
MD5:8AFDBEE1883E71940C5F2E3179D1433F | SHA256:59E8A9B0579F50D6D9C8A22F77306395A69AB3D0F05A0EA6CD1149935CD7B1D8 | |||
| 6708 | bitdefender_avfree.exe | C:\Users\admin\AppData\Local\Temp\RarSFX0\packages\setuppackage.exe | executable | |
MD5:1BE6C5E5D48BD16146F1FAC821C9796E | SHA256:3AB74216BE750FD89121FBC458842E557BCDC16FE06364596C66736B9F9BDE97 | |||
| 6708 | bitdefender_avfree.exe | C:\Users\admin\AppData\Local\Temp\RarSFX0\packages\agentpackage.exe.md5 | text | |
MD5:A7949160CE936E6F6E8959216AD59A59 | SHA256:28A79526F776B75ACCC52197CB633D988D970716906BE0DAD3410EE553901DA1 | |||
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
42
TCP/UDP connections
55
DNS requests
34
Threats
8
HTTP requests
PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation |
|---|---|---|---|---|---|---|---|---|---|
7036 | RUXIMICS.exe | GET | 200 | 2.16.164.114:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | unknown | — | — | whitelisted |
6944 | svchost.exe | GET | 200 | 2.16.164.114:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | unknown | — | — | whitelisted |
5488 | MoUsoCoreWorker.exe | GET | 200 | 88.221.169.152:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | unknown | — | — | whitelisted |
6944 | svchost.exe | GET | 200 | 88.221.169.152:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | unknown | — | — | whitelisted |
7036 | RUXIMICS.exe | GET | 200 | 88.221.169.152:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | unknown | — | — | whitelisted |
6184 | bdredline.exe | GET | 404 | 104.18.169.222:80 | http://upgrade.bitdefender.com/redline_com.bitdefender.agent/versions.id | unknown | — | — | whitelisted |
— | — | GET | 200 | 34.120.68.241:443 | https://nimbus.bitdefender.net/bdnc/config | unknown | binary | 240 b | whitelisted |
— | — | GET | 200 | 34.120.68.241:443 | https://nimbus.bitdefender.net/bdnc/config | unknown | binary | 240 b | whitelisted |
— | — | GET | 200 | 34.117.13.33:443 | https://us.nimbus.bitdefender.net/_ServerStatus | unknown | text | 21 b | whitelisted |
— | — | GET | 200 | 34.120.85.253:443 | https://elb-ore-gcp.nimbus.bitdefender.net/_ServerStatus | unknown | text | 21 b | whitelisted |
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
Connections
PID | Process | IP | Domain | ASN | CN | Reputation |
|---|---|---|---|---|---|---|
4 | System | 192.168.100.255:137 | — | — | — | whitelisted |
6944 | svchost.exe | 51.124.78.146:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted |
5488 | MoUsoCoreWorker.exe | 51.124.78.146:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted |
7036 | RUXIMICS.exe | 51.124.78.146:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted |
— | — | 2.23.209.148:443 | www.bing.com | Akamai International B.V. | GB | whitelisted |
4 | System | 192.168.100.255:138 | — | — | — | whitelisted |
6944 | svchost.exe | 2.16.164.114:80 | crl.microsoft.com | Akamai International B.V. | NL | whitelisted |
7036 | RUXIMICS.exe | 2.16.164.114:80 | crl.microsoft.com | Akamai International B.V. | NL | whitelisted |
6944 | svchost.exe | 88.221.169.152:80 | www.microsoft.com | AKAMAI-AS | DE | whitelisted |
5488 | MoUsoCoreWorker.exe | 88.221.169.152:80 | www.microsoft.com | AKAMAI-AS | DE | whitelisted |
DNS requests
Domain | IP | Reputation |
|---|---|---|
settings-win.data.microsoft.com |
| whitelisted |
www.bing.com |
| whitelisted |
google.com |
| whitelisted |
crl.microsoft.com |
| whitelisted |
www.microsoft.com |
| whitelisted |
upgrade.bitdefender.com |
| whitelisted |
nimbus.bitdefender.net |
| whitelisted |
us.nimbus.bitdefender.net |
| whitelisted |
elb-iow-gcp.nimbus.bitdefender.net |
| whitelisted |
elb-ore-gcp.nimbus.bitdefender.net |
| whitelisted |
Threats
PID | Process | Class | Message |
|---|---|---|---|
— | — | Misc activity | INSTALLER [ANY.RUN] BDNC Installer HTTP POST Request (UA) |
— | — | Misc activity | INSTALLER [ANY.RUN] BDNC Installer HTTP POST Request (UA) |
— | — | Misc activity | INSTALLER [ANY.RUN] BDNC Installer HTTP POST Request (UA) |
— | — | Misc activity | INSTALLER [ANY.RUN] BDNC Installer HTTP POST Request (UA) |
— | — | Misc activity | INSTALLER [ANY.RUN] BDNC Installer HTTP POST Request (UA) |
— | — | Potential Corporate Privacy Violation | ET POLICY PE EXE or DLL Windows file download HTTP |
— | — | Misc activity | INSTALLER [ANY.RUN] BDNC Installer HTTP POST Request (UA) |
— | — | Misc activity | INSTALLER [ANY.RUN] BDNC Installer HTTP POST Request (UA) |
Process | Message |
|---|---|
ProductAgentService.exe | WebView2: Failed to find an installed WebView2 runtime or non-stable Microsoft Edge installation.
|
ProductAgentService.exe | WebView2: Failed to find an installed WebView2 runtime or non-stable Microsoft Edge installation.
|
ProductAgentService.exe | WebView2: Failed to find an installed WebView2 runtime or non-stable Microsoft Edge installation.
|
ProductAgentService.exe | WebView2: Failed to find an installed WebView2 runtime or non-stable Microsoft Edge installation.
|