File name:	bitdefender_avfree.exe
Full analysis:	https://app.any.run/tasks/b9e67f7d-7826-4cdc-9087-a3ae04abf4ee
Verdict:	Malicious activity
Analysis date:	May 12, 2025, 00:34:49
OS:	Windows 10 Professional (build: 19044, 64 bit)
Tags:	installer rust
Indicators:
MIME:	application/vnd.microsoft.portable-executable
File info:	PE32 executable (GUI) Intel 80386, for MS Windows, 6 sections
MD5:	F874BA4FDCBCB75B27A3FEBE5790528B
SHA1:	5B43C936F6275A59435C517369C4C1744606995E
SHA256:	B39B15E2F621D653E274251815C26DC2C07088A77112D6D75FB50BC29E13C7BF
SSDEEP:	196608:l3RF4BhzF+0rBOGtFffXceyGou+761fXU23oa6LCCJWJ3j:l3uhzTBrfXpou+Ak23oJTJWJ3j

.exe	\|	Win64 Executable (generic) (76.4)
.exe	\|	Win32 Executable (generic) (12.4)
.exe	\|	Generic Win/DOS Executable (5.5)
.exe	\|	DOS Executable Generic (5.5)

MachineType:	Intel 386 or later, and compatibles
TimeStamp:	2016:08:14 19:15:49+00:00
ImageFileCharacteristics:	Executable, 32-bit
PEType:	PE32
LinkerVersion:	14
CodeSize:	188416
InitializedDataSize:	265216
UninitializedDataSize:	-
EntryPoint:	0x1cab5
OSVersion:	5.1
ImageVersion:	-
SubsystemVersion:	5.1
Subsystem:	Windows GUI


(PID) Process:	(7888) installer.exe	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Operation:	delete value	Name:	InstallerLauncher
Value:
(PID) Process:	(7888) installer.exe	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run
Operation:	delete value	Name:	InstallerLauncher
Value:
(PID) Process:	(7888) installer.exe	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Bitdefender Agent\Install
Operation:	write	Name:	ShortInstallPath
Value: C:\Program Files\Bitdefender Agent\
(PID) Process:	(7888) installer.exe	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Bitdefender Agent\Install
Operation:	write	Name:	InstallPath
Value: C:\Program Files\Bitdefender Agent\
(PID) Process:	(7888) installer.exe	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\Bitdefender Agent
Operation:	write	Name:	traceFolder
Value: C:\ProgramData\Bitdefender Agent
(PID) Process:	(7888) installer.exe	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\Bitdefender Agent
Operation:	write	Name:	traceLevel
Value: 1
(PID) Process:	(7888) installer.exe	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\Bitdefender Agent
Operation:	write	Name:	traceMode
Value: 0
(PID) Process:	(7888) installer.exe	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Bitdefender Agent\Submission\Agent Submission Tool
Operation:	write	Name:	AppPath
Value: C:\Program Files\Bitdefender Agent\27.1.1.12\bdsubwiz.exe
(PID) Process:	(7888) installer.exe	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Bitdefender Agent
Operation:	write	Name:	DisplayIcon
Value: C:\Program Files\Bitdefender Agent\27.1.1.12\bdicon.ico
(PID) Process:	(7888) installer.exe	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Bitdefender Agent
Operation:	write	Name:	DisplayName
Value: Bitdefender Agent

PID	Process	Filename		Type
7392	bitdefender_avfree.exe	C:\Users\admin\AppData\Local\Temp\RarSFX0\agent_launcher.exe		executable
		MD5:9BCA7DCB536E538145FC35D3FD3D37ED	SHA256:13EA984AED446CDF8908CAF941A216A19443927F49009BDF4097ADAB0030A845
7772	setuppackage.exe	C:\Users\admin\AppData\Local\Temp\RarSFX0\packages\bdnc.ini		text
		MD5:96B5E37E6494DA2A8F09E98DF5C58004	SHA256:DD5C7A764B9FEA6F8C458D9B669B5764C46284DEA68CE52B43136C4812D27FD7
7392	bitdefender_avfree.exe	C:\Users\admin\AppData\Local\Temp\RarSFX0\deploy.dll		executable
		MD5:A1181FEC3F4D63E8087A5AB151E535B0	SHA256:173C20A60705ADAFBEE82B1E6E0C5C6796F4C5AC2BA207146113660A83166D98
7392	bitdefender_avfree.exe	C:\Users\admin\AppData\Local\Temp\RarSFX0\agent_launcher.exe.md5		text
		MD5:C66594DA8F04A40D614F94CD199CC681	SHA256:149E54F0D1473914164F26A7C9BE9BE9F06F109BA5B106BB3B8FFB0C775A2892
7392	bitdefender_avfree.exe	C:\Users\admin\AppData\Local\Temp\RarSFX0\packages\setuppackage.exe		executable
		MD5:F0B1BA4D9DD662944BC092D0896A6C78	SHA256:E0342D3BCC18B6777068578CCDF9DC0A4F9058399601668F785D521B29F16700
7392	bitdefender_avfree.exe	C:\Users\admin\AppData\Local\Temp\RarSFX0\packages\agentpackage.exe.md5		text
		MD5:F7437BE70D1367128014D025C5CCCA0D	SHA256:246685FC3222F39F6B95966792519D594CC9544710C1571CE79CB1491DB88101
7392	bitdefender_avfree.exe	C:\Users\admin\AppData\Local\Temp\RarSFX0\deploy.dll.md5		text
		MD5:2BB4DE1531994B47DCB2204F0EA426FF	SHA256:C35D60C17D424AD87849EA37843CBC1F5D4537F5DC253BCF16F4E62E6416F852
7772	setuppackage.exe	C:\Users\admin\AppData\Local\Temp\RarSFX0\packages\bdredline.exe		executable
		MD5:82CD28473E039CECD30A97D8ABBAAEC5	SHA256:729EE5F5E1B7CC0EBE00ADBCBC6F3535A40D6EDB0D1B9B5FA5DD856D9608FC87
7772	setuppackage.exe	C:\Users\admin\AppData\Local\Temp\RarSFX0\packages\bdec.ini		binary
		MD5:96D15C4F3DB04429631866751A1D2890	SHA256:E8D31C1DE790F738EF75DAA0402584560A0672402D0D3DED0899D2DBC95FB911
7772	setuppackage.exe	C:\Users\admin\AppData\Local\Temp\RarSFX0\packages\bdnc.client_id		text
		MD5:F4C2784AA289F17D144A589751C7980D	SHA256:E6E827F81840CE8975CD5E30467DDC1661C3F407CD9D342D00800F32C01DCC26

PID	Process	Method	HTTP Code	IP	URL	CN	Type	Size	Reputation
5176	RUXIMICS.exe	GET	200	23.48.23.173:80	http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl	DE	binary	825 b	whitelisted
2104	svchost.exe	GET	200	23.48.23.173:80	http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl	DE	binary	825 b	whitelisted
2104	svchost.exe	GET	200	184.30.21.171:80	http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl	DE	binary	868 b	whitelisted
5176	RUXIMICS.exe	GET	200	184.30.21.171:80	http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl	DE	binary	868 b	whitelisted
8172	bdredline.exe	GET	404	104.18.168.222:80	http://upgrade.bitdefender.com/redline_com.bitdefender.agent/versions.id	unknown	html	146 b	whitelisted
—	—	POST	400	40.126.31.2:443	https://login.live.com/ppsecure/deviceaddcredential.srf	US	text	203 b	whitelisted
—	—	POST	200	40.126.31.2:443	https://login.live.com/RST2.srf	US	xml	1.24 Kb	whitelisted
—	—	POST	400	20.190.159.2:443	https://login.live.com/ppsecure/deviceaddcredential.srf	US	text	203 b	whitelisted
—	—	POST	400	20.190.159.0:443	https://login.live.com/ppsecure/deviceaddcredential.srf	US	text	203 b	whitelisted
—	—	POST	400	20.190.159.68:443	https://login.live.com/ppsecure/deviceaddcredential.srf	US	text	203 b	whitelisted

PID	Process	IP	Domain	ASN	CN	Reputation
2104	svchost.exe	4.231.128.59:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	IE	whitelisted
4	System	192.168.100.255:137	—	—	—	whitelisted
5176	RUXIMICS.exe	4.231.128.59:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	IE	whitelisted
—	—	4.231.128.59:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	IE	whitelisted
4	System	192.168.100.255:138	—	—	—	whitelisted
—	—	20.73.194.208:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	NL	whitelisted
—	—	51.104.136.2:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	IE	whitelisted
2104	svchost.exe	23.48.23.173:80	crl.microsoft.com	Akamai International B.V.	DE	whitelisted
5176	RUXIMICS.exe	23.48.23.173:80	crl.microsoft.com	Akamai International B.V.	DE	whitelisted
2104	svchost.exe	184.30.21.171:80	www.microsoft.com	AKAMAI-AS	DE	whitelisted

Domain	IP	Reputation
settings-win.data.microsoft.com	4.231.128.59 20.73.194.208 51.104.136.2	whitelisted
google.com	172.217.16.206	whitelisted
crl.microsoft.com	23.48.23.173 23.48.23.147 23.48.23.166 2.19.11.105 2.19.11.120	whitelisted
www.microsoft.com	184.30.21.171 2.23.246.101	whitelisted
client.wns.windows.com	172.211.123.250	whitelisted
login.live.com	40.126.32.136 40.126.32.76 20.190.160.130 20.190.160.131 40.126.32.72 40.126.32.74 20.190.160.64 20.190.160.14	whitelisted
upgrade.bitdefender.com	104.18.168.222 104.18.169.222	whitelisted
nimbus.bitdefender.net	34.120.68.241 2600:1901:0:69b7::	whitelisted
us.nimbus.bitdefender.net	34.117.13.33 2600:1901:0:4ba4::	whitelisted
elb-iow-gcp.nimbus.bitdefender.net	35.190.56.82 2600:1901:0:5723::	whitelisted

PID	Process	Class	Message
—	—	Misc activity	INSTALLER [ANY.RUN] BDNC Installer HTTP POST Request (UA)
—	—	Misc activity	INSTALLER [ANY.RUN] BDNC Installer HTTP POST Request (UA)
—	—	Misc activity	INSTALLER [ANY.RUN] BDNC Installer HTTP POST Request (UA)
—	—	Misc activity	INSTALLER [ANY.RUN] BDNC Installer HTTP POST Request (UA)
—	—	Misc activity	ET INFO Packed Executable Download
—	—	Misc activity	INSTALLER [ANY.RUN] BDNC Installer HTTP POST Request (UA)
—	—	Misc activity	INSTALLER [ANY.RUN] BDNC Installer HTTP POST Request (UA)
—	—	Misc activity	INSTALLER [ANY.RUN] BDNC Installer HTTP POST Request (UA)

Process	Message
ProductAgentService.exe	WebView2: Failed to find an installed WebView2 runtime or non-stable Microsoft Edge installation.
ProductAgentService.exe	WebView2: Failed to find an installed WebView2 runtime or non-stable Microsoft Edge installation.
ProductAgentService.exe	WebView2: Failed to find an installed WebView2 runtime or non-stable Microsoft Edge installation.
ProductAgentService.exe	WebView2: Failed to find an installed WebView2 runtime or non-stable Microsoft Edge installation.

General Info

bitdefender_avfree.exe

F874BA4FDCBCB75B27A3FEBE5790528B

5B43C936F6275A59435C517369C4C1744606995E

B39B15E2F621D653E274251815C26DC2C07088A77112D6D75FB50BC29E13C7BF

196608:l3RF4BhzF+0rBOGtFffXceyGou+761fXU23oa6LCCJWJ3j:l3uhzTBrfXpou+Ak23oJTJWJ3j

Software environment set and analysis options

Launch configuration

Software preset

Hotfixes

Behavior activities

MALICIOUS

Registers / Runs the DLL via REGSVR32.EXE

SUSPICIOUS

Executable content was dropped or overwritten

Reads security settings of Internet Explorer

Creates a software uninstall entry

The process verifies whether the antivirus software is installed

Executes as Windows Service

Process drops legitimate windows executable

There is functionality for taking screenshot (YARA)

Creates/Modifies COM task schedule object

Starts application with an unusual extension

Starts a Microsoft application from unusual location

Disables SEHOP

INFO

Checks supported languages

The sample compiled with english language support

Create files in a temporary directory

Reads the computer name

Process checks computer location settings

Reads the machine GUID from the registry

Reads the software policy settings

Creates files in the program directory

Reads Environment values

Reads CPU info

Application based on Rust

Malware configuration

Static information

TRiD

EXIF

EXE

Video and screenshots

Processes

Behavior graph

Specs description

Process information

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Registry activity

Modification events

Files activity

Dropped files

Network activity

HTTP requests

Connections

DNS requests

Threats

Debug output strings