File name:	bitdefender_avfree.exe
Full analysis:	https://app.any.run/tasks/b9e67f7d-7826-4cdc-9087-a3ae04abf4ee
Verdict:	Malicious activity
Analysis date:	May 12, 2025, 00:34:49
OS:	Windows 10 Professional (build: 19044, 64 bit)
Tags:	installer rust
Indicators:
MIME:	application/vnd.microsoft.portable-executable
File info:	PE32 executable (GUI) Intel 80386, for MS Windows, 6 sections
MD5:	F874BA4FDCBCB75B27A3FEBE5790528B
SHA1:	5B43C936F6275A59435C517369C4C1744606995E
SHA256:	B39B15E2F621D653E274251815C26DC2C07088A77112D6D75FB50BC29E13C7BF
SSDEEP:	196608:l3RF4BhzF+0rBOGtFffXceyGou+761fXU23oa6LCCJWJ3j:l3uhzTBrfXpou+Ak23oJTJWJ3j

.exe	\|	Win64 Executable (generic) (76.4)
.exe	\|	Win32 Executable (generic) (12.4)
.exe	\|	Generic Win/DOS Executable (5.5)
.exe	\|	DOS Executable Generic (5.5)

MachineType:	Intel 386 or later, and compatibles
TimeStamp:	2016:08:14 19:15:49+00:00
ImageFileCharacteristics:	Executable, 32-bit
PEType:	PE32
LinkerVersion:	14
CodeSize:	188416
InitializedDataSize:	265216
UninitializedDataSize:	-
EntryPoint:	0x1cab5
OSVersion:	5.1
ImageVersion:	-
SubsystemVersion:	5.1
Subsystem:	Windows GUI


(PID) Process:	(7888) installer.exe	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Operation:	delete value	Name:	InstallerLauncher
Value:
(PID) Process:	(7888) installer.exe	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run
Operation:	delete value	Name:	InstallerLauncher
Value:
(PID) Process:	(7888) installer.exe	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Bitdefender Agent\Install
Operation:	write	Name:	ShortInstallPath
Value: C:\Program Files\Bitdefender Agent\
(PID) Process:	(7888) installer.exe	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Bitdefender Agent\Install
Operation:	write	Name:	InstallPath
Value: C:\Program Files\Bitdefender Agent\
(PID) Process:	(7888) installer.exe	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\Bitdefender Agent
Operation:	write	Name:	traceFolder
Value: C:\ProgramData\Bitdefender Agent
(PID) Process:	(7888) installer.exe	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\Bitdefender Agent
Operation:	write	Name:	traceLevel
Value: 1
(PID) Process:	(7888) installer.exe	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\Bitdefender Agent
Operation:	write	Name:	traceMode
Value: 0
(PID) Process:	(7888) installer.exe	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Bitdefender Agent\Submission\Agent Submission Tool
Operation:	write	Name:	AppPath
Value: C:\Program Files\Bitdefender Agent\27.1.1.12\bdsubwiz.exe
(PID) Process:	(7888) installer.exe	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Bitdefender Agent
Operation:	write	Name:	DisplayIcon
Value: C:\Program Files\Bitdefender Agent\27.1.1.12\bdicon.ico
(PID) Process:	(7888) installer.exe	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Bitdefender Agent
Operation:	write	Name:	DisplayName
Value: Bitdefender Agent

PID	Process	Filename		Type
7392	bitdefender_avfree.exe	C:\Users\admin\AppData\Local\Temp\RarSFX0\bddeploy.exe		executable
		MD5:03A02ABCFB156C7C82099EB62DF9339F	SHA256:5D399883746AA61D41044483FA34A51CB9D59B6370EE35EC281249958D7522F7
7392	bitdefender_avfree.exe	C:\Users\admin\AppData\Local\Temp\RarSFX0\agent_launcher.exe		executable
		MD5:9BCA7DCB536E538145FC35D3FD3D37ED	SHA256:13EA984AED446CDF8908CAF941A216A19443927F49009BDF4097ADAB0030A845
7392	bitdefender_avfree.exe	C:\Users\admin\AppData\Local\Temp\RarSFX0\packages\setuppackage.exe.md5		text
		MD5:BD97FD6AB9E87C4291770D21718DB48F	SHA256:22D143F1D08B7A252820EAF4C8535B90D3C887676D2F2B6420A24464C74AF9E6
7772	setuppackage.exe	C:\Users\admin\AppData\Local\Temp\RarSFX0\packages\bdec.ini		binary
		MD5:96D15C4F3DB04429631866751A1D2890	SHA256:E8D31C1DE790F738EF75DAA0402584560A0672402D0D3DED0899D2DBC95FB911
7772	setuppackage.exe	C:\Users\admin\AppData\Local\Temp\RarSFX0\packages\bdnc.client_id		text
		MD5:F4C2784AA289F17D144A589751C7980D	SHA256:E6E827F81840CE8975CD5E30467DDC1661C3F407CD9D342D00800F32C01DCC26
7728	bddeploy.exe	C:\Users\admin\AppData\Local\Temp\RarSFX0\packages\data\params.json		binary
		MD5:421A73583B2B4BA31F285D6DCDAEA56F	SHA256:0FA4DA77FFC6F078DD98D7ACAAB65674CDE0CC4AA5274CCAD6DF0018A3CD36A8
7392	bitdefender_avfree.exe	C:\Users\admin\AppData\Local\Temp\RarSFX0\packages\agentpackage.exe		executable
		MD5:4D561CDAF9D31739CCCB709FC8F92163	SHA256:99F6129F23E6968C55AEA5FD763B3AD53DD9B1E2A21F51EF99E140D1694BA64E
7772	setuppackage.exe	C:\Users\admin\AppData\Local\Temp\RarSFX0\packages\bdnc.ini		text
		MD5:96B5E37E6494DA2A8F09E98DF5C58004	SHA256:DD5C7A764B9FEA6F8C458D9B669B5764C46284DEA68CE52B43136C4812D27FD7
7772	setuppackage.exe	C:\Users\admin\AppData\Local\Temp\RarSFX0\packages\bdnc.dll		executable
		MD5:90AFA3090C7AEC4E5A84444EE852C87C	SHA256:B4EC6ED71144818F05C588BC02357DB6AB99D86BF2E7174DC80FD9DAAF15B98A
7772	setuppackage.exe	C:\Users\admin\AppData\Local\Temp\RarSFX0\packages\additional.dll		executable
		MD5:36AC314D55249BDC7A7C7F7DC0E80122	SHA256:A35F9689BD942E66F68301E60B2124A4F8E332026CBB8CD0B4E30CF99514F723

PID	Process	Method	HTTP Code	IP	URL	CN	Type	Size	Reputation
2104	svchost.exe	GET	200	23.48.23.173:80	http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl	unknown	—	—	whitelisted
8172	bdredline.exe	GET	404	104.18.168.222:80	http://upgrade.bitdefender.com/redline_com.bitdefender.agent/versions.id	unknown	—	—	whitelisted
5176	RUXIMICS.exe	GET	200	23.48.23.173:80	http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl	unknown	—	—	whitelisted
2104	svchost.exe	GET	200	184.30.21.171:80	http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl	unknown	—	—	whitelisted
5176	RUXIMICS.exe	GET	200	184.30.21.171:80	http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl	unknown	—	—	whitelisted
—	—	GET	200	34.120.68.241:443	https://nimbus.bitdefender.net/bdnc/config	unknown	binary	240 b	whitelisted
—	—	POST	400	40.126.32.136:443	https://login.live.com/ppsecure/deviceaddcredential.srf	unknown	text	203 b	whitelisted
—	—	GET	200	34.120.85.253:443	https://elb-ore-gcp.nimbus.bitdefender.net/_ServerStatus	unknown	text	21 b	whitelisted
—	—	GET	200	35.190.56.82:443	https://elb-iow-gcp.nimbus.bitdefender.net/_ServerStatus	unknown	text	21 b	whitelisted
—	—	GET	200	34.117.13.33:443	https://us.nimbus.bitdefender.net/_ServerStatus	unknown	text	21 b	whitelisted

PID	Process	IP	Domain	ASN	CN	Reputation
2104	svchost.exe	4.231.128.59:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	IE	whitelisted
4	System	192.168.100.255:137	—	—	—	whitelisted
5176	RUXIMICS.exe	4.231.128.59:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	IE	whitelisted
—	—	4.231.128.59:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	IE	whitelisted
4	System	192.168.100.255:138	—	—	—	whitelisted
—	—	20.73.194.208:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	NL	whitelisted
—	—	51.104.136.2:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	IE	whitelisted
2104	svchost.exe	23.48.23.173:80	crl.microsoft.com	Akamai International B.V.	DE	whitelisted
5176	RUXIMICS.exe	23.48.23.173:80	crl.microsoft.com	Akamai International B.V.	DE	whitelisted
2104	svchost.exe	184.30.21.171:80	www.microsoft.com	AKAMAI-AS	DE	whitelisted

Domain	IP	Reputation
settings-win.data.microsoft.com	4.231.128.59 20.73.194.208 51.104.136.2	whitelisted
google.com	172.217.16.206	whitelisted
crl.microsoft.com	23.48.23.173 23.48.23.147 23.48.23.166 2.19.11.105 2.19.11.120	whitelisted
www.microsoft.com	184.30.21.171 2.23.246.101	whitelisted
client.wns.windows.com	172.211.123.250	whitelisted
login.live.com	40.126.32.136 40.126.32.76 20.190.160.130 20.190.160.131 40.126.32.72 40.126.32.74 20.190.160.64 20.190.160.14	whitelisted
upgrade.bitdefender.com	104.18.168.222 104.18.169.222	whitelisted
nimbus.bitdefender.net	34.120.68.241 2600:1901:0:69b7::	whitelisted
us.nimbus.bitdefender.net	34.117.13.33 2600:1901:0:4ba4::	whitelisted
elb-iow-gcp.nimbus.bitdefender.net	35.190.56.82 2600:1901:0:5723::	whitelisted

PID	Process	Class	Message
—	—	Misc activity	INSTALLER [ANY.RUN] BDNC Installer HTTP POST Request (UA)
—	—	Misc activity	INSTALLER [ANY.RUN] BDNC Installer HTTP POST Request (UA)
—	—	Misc activity	INSTALLER [ANY.RUN] BDNC Installer HTTP POST Request (UA)
—	—	Misc activity	INSTALLER [ANY.RUN] BDNC Installer HTTP POST Request (UA)
—	—	Misc activity	ET INFO Packed Executable Download
—	—	Misc activity	INSTALLER [ANY.RUN] BDNC Installer HTTP POST Request (UA)
—	—	Misc activity	INSTALLER [ANY.RUN] BDNC Installer HTTP POST Request (UA)
—	—	Misc activity	INSTALLER [ANY.RUN] BDNC Installer HTTP POST Request (UA)

Process	Message
ProductAgentService.exe	WebView2: Failed to find an installed WebView2 runtime or non-stable Microsoft Edge installation.
ProductAgentService.exe	WebView2: Failed to find an installed WebView2 runtime or non-stable Microsoft Edge installation.
ProductAgentService.exe	WebView2: Failed to find an installed WebView2 runtime or non-stable Microsoft Edge installation.
ProductAgentService.exe	WebView2: Failed to find an installed WebView2 runtime or non-stable Microsoft Edge installation.

General Info

bitdefender_avfree.exe

F874BA4FDCBCB75B27A3FEBE5790528B

5B43C936F6275A59435C517369C4C1744606995E

B39B15E2F621D653E274251815C26DC2C07088A77112D6D75FB50BC29E13C7BF

196608:l3RF4BhzF+0rBOGtFffXceyGou+761fXU23oa6LCCJWJ3j:l3uhzTBrfXpou+Ak23oJTJWJ3j

Software environment set and analysis options

Launch configuration

Software preset

Hotfixes

Behavior activities

MALICIOUS

Registers / Runs the DLL via REGSVR32.EXE

SUSPICIOUS

Executable content was dropped or overwritten

Reads security settings of Internet Explorer

Process drops legitimate windows executable

Creates a software uninstall entry

The process verifies whether the antivirus software is installed

There is functionality for taking screenshot (YARA)

Executes as Windows Service

Creates/Modifies COM task schedule object

Starts a Microsoft application from unusual location

Starts application with an unusual extension

Disables SEHOP

INFO

The sample compiled with english language support

Checks supported languages

Reads the computer name

Create files in a temporary directory

Reads the machine GUID from the registry

Process checks computer location settings

Reads the software policy settings

Creates files in the program directory

Reads Environment values

Reads CPU info

Application based on Rust

Malware configuration

Static information

TRiD

EXIF

EXE

Video and screenshots

Processes

Behavior graph

Specs description

Process information

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Registry activity

Modification events

Files activity

Dropped files

Network activity

HTTP requests

Connections

DNS requests

Threats

Debug output strings