| File name: | bitdefender_avfree.exe |
| Full analysis: | https://app.any.run/tasks/7fd6188f-c3aa-4d0a-83ac-326475a03afe |
| Verdict: | Malicious activity |
| Analysis date: | February 10, 2024, 00:34:17 |
| OS: | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit) |
| Indicators: | |
| MIME: | application/x-dosexec |
| File info: | PE32 executable (GUI) Intel 80386, for MS Windows |
| MD5: | 654DA9AD76A6913A0670A474C0E48138 |
| SHA1: | 9007453AE2D127D7ECE9FFDD5B0EBB4B772CCBB0 |
| SHA256: | B49623AE45E78D24E93BC8092D8DA314BCAAC3226C5A2BB2DC566ADEA8DAF60F |
| SSDEEP: | 98304:SM5IMaLpm1tVRD/1TZHkLSDsusJ87gTGLIF5FWhys1aP1C8Oq3uTmR0FGg1ZiGEW:L+R+FNrfdcEfk2bdO1I0P8Q28uZ |
MALICIOUS
Drops the executable file immediately after the start
- bitdefender_avfree.exe (PID: 3864)
- setuppackage.exe (PID: 2328)
- installer.exe (PID: 2636)
Registers / Runs the DLL via REGSVR32.EXE
- DiscoverySrv.exe (PID: 1740)
Creates a writable file in the system directory
- ProductAgentService.exe (PID: 3164)
- ProductAgentUI.exe (PID: 1624)
SUSPICIOUS
Executable content was dropped or overwritten
- bitdefender_avfree.exe (PID: 3864)
- setuppackage.exe (PID: 2328)
- installer.exe (PID: 2636)
Reads security settings of Internet Explorer
- bitdefender_avfree.exe (PID: 3864)
- bddeploy.exe (PID: 3932)
- agent_launcher.exe (PID: 1432)
- installer.exe (PID: 2636)
Reads the Internet Settings
- bitdefender_avfree.exe (PID: 3864)
- agent_launcher.exe (PID: 1432)
- installer.exe (PID: 2636)
Checks Windows Trust Settings
- agent_launcher.exe (PID: 1432)
- bddeploy.exe (PID: 3932)
- installer.exe (PID: 2636)
- DiscoverySrv.exe (PID: 1740)
- DiscoverySrv.exe (PID: 3068)
- ProductAgentService.exe (PID: 3164)
- ProductAgentUI.exe (PID: 1624)
Reads settings of System Certificates
- agent_launcher.exe (PID: 1432)
- bddeploy.exe (PID: 3932)
- installer.exe (PID: 2636)
Adds/modifies Windows certificates
- bddeploy.exe (PID: 3932)
Executes as Windows Service
- bdredline.exe (PID: 3940)
- ProductAgentService.exe (PID: 3164)
The process verifies whether the antivirus software is installed
- bdredline.exe (PID: 3940)
- ProductAgentService.exe (PID: 956)
- ProductAgentService.exe (PID: 2064)
- ProductAgentService.exe (PID: 3164)
- ProductAgentService.exe (PID: 3992)
- ProductAgentService.exe (PID: 2892)
- DiscoverySrv.exe (PID: 1740)
- regsvr32.exe (PID: 748)
- ProductAgentService.exe (PID: 968)
- DiscoverySrv.exe (PID: 3068)
- installer.exe (PID: 2636)
- ProductAgentUI.exe (PID: 1624)
Creates a software uninstall entry
- installer.exe (PID: 2636)
Creates/Modifies COM task schedule object
- regsvr32.exe (PID: 748)
Application launched itself
- ProductAgentService.exe (PID: 3164)
INFO
Checks supported languages
- bitdefender_avfree.exe (PID: 3864)
- agent_launcher.exe (PID: 1432)
- bddeploy.exe (PID: 3932)
- setuppackage.exe (PID: 2328)
- installer.exe (PID: 2636)
- ProductAgentService.exe (PID: 3992)
- bdredline.exe (PID: 3940)
- ProductAgentService.exe (PID: 2892)
- ProductAgentService.exe (PID: 956)
- ProductAgentService.exe (PID: 2064)
- ProductAgentService.exe (PID: 3164)
- DiscoverySrv.exe (PID: 1740)
- DiscoverySrv.exe (PID: 3068)
- ProductAgentUI.exe (PID: 1624)
- ProductAgentService.exe (PID: 968)
Reads the computer name
- bitdefender_avfree.exe (PID: 3864)
- agent_launcher.exe (PID: 1432)
- bddeploy.exe (PID: 3932)
- setuppackage.exe (PID: 2328)
- installer.exe (PID: 2636)
- ProductAgentService.exe (PID: 956)
- bdredline.exe (PID: 3940)
- ProductAgentService.exe (PID: 2892)
- ProductAgentService.exe (PID: 2064)
- ProductAgentService.exe (PID: 3164)
- DiscoverySrv.exe (PID: 3068)
- DiscoverySrv.exe (PID: 1740)
- ProductAgentService.exe (PID: 968)
- ProductAgentUI.exe (PID: 1624)
Create files in a temporary directory
- bitdefender_avfree.exe (PID: 3864)
- bddeploy.exe (PID: 3932)
- setuppackage.exe (PID: 2328)
- installer.exe (PID: 2636)
Reads the machine GUID from the registry
- agent_launcher.exe (PID: 1432)
- bddeploy.exe (PID: 3932)
- installer.exe (PID: 2636)
- ProductAgentService.exe (PID: 3164)
- DiscoverySrv.exe (PID: 1740)
- DiscoverySrv.exe (PID: 3068)
- ProductAgentUI.exe (PID: 1624)
Reads the software policy settings
- agent_launcher.exe (PID: 1432)
- bddeploy.exe (PID: 3932)
- installer.exe (PID: 2636)
- DiscoverySrv.exe (PID: 1740)
- DiscoverySrv.exe (PID: 3068)
- ProductAgentService.exe (PID: 3164)
- ProductAgentUI.exe (PID: 1624)
Dropped object may contain TOR URL's
- setuppackage.exe (PID: 2328)
- installer.exe (PID: 2636)
Creates files in the program directory
- installer.exe (PID: 2636)
- ProductAgentService.exe (PID: 2064)
- ProductAgentService.exe (PID: 3164)
Reads Environment values
- installer.exe (PID: 2636)
- ProductAgentService.exe (PID: 3164)
- ProductAgentUI.exe (PID: 1624)
Reads product name
- installer.exe (PID: 2636)
- ProductAgentService.exe (PID: 3164)
- ProductAgentUI.exe (PID: 1624)
Reads CPU info
- ProductAgentService.exe (PID: 3164)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
TRiD
| .exe | | | Win64 Executable (generic) (76.4) |
|---|---|---|
| .exe | | | Win32 Executable (generic) (12.4) |
| .exe | | | Generic Win/DOS Executable (5.5) |
| .exe | | | DOS Executable Generic (5.5) |
EXIF
EXE
| MachineType: | Intel 386 or later, and compatibles |
|---|---|
| TimeStamp: | 2016:08:14 19:15:49+00:00 |
| ImageFileCharacteristics: | Executable, 32-bit |
| PEType: | PE32 |
| LinkerVersion: | 14 |
| CodeSize: | 188416 |
| InitializedDataSize: | 265216 |
| UninitializedDataSize: | - |
| EntryPoint: | 0x1cab5 |
| OSVersion: | 5.1 |
| ImageVersion: | - |
| SubsystemVersion: | 5.1 |
| Subsystem: | Windows GUI |
Total processes
56
Monitored processes
16
Malicious processes
15
Suspicious processes
0
Behavior graph
Click at the process to see the details
Process information
PID | CMD | Path | Indicators | Parent process | |||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| 748 | regsvr32 /s "C:\Program Files\Bitdefender Agent\27.0.1.266\DiscoveryComp.dll" | C:\Windows\System32\regsvr32.exe | — | DiscoverySrv.exe | |||||||||||
User: SYSTEM Company: Microsoft Corporation Integrity Level: SYSTEM Description: Microsoft(C) Register Server Exit code: 0 Version: 6.1.7600.16385 (win7_rtm.090713-1255) Modules
| |||||||||||||||
| 956 | "C:\Program Files\Bitdefender Agent\ProductAgentService.exe" enable | C:\Program Files\Bitdefender Agent\ProductAgentService.exe | — | installer.exe | |||||||||||
User: admin Company: Bitdefender Integrity Level: HIGH Description: Bitdefender Agent Exit code: 0 Version: 27.0.1.263 Modules
| |||||||||||||||
| 968 | "ProductAgentService.exe" login_silent | C:\Program Files\Bitdefender Agent\ProductAgentService.exe | — | ProductAgentService.exe | |||||||||||
User: SYSTEM Company: Bitdefender Integrity Level: SYSTEM Description: Bitdefender Agent Exit code: 0 Version: 27.0.1.263 Modules
| |||||||||||||||
| 1432 | "C:\Users\admin\AppData\Local\Temp\RarSFX0\agent_launcher.exe" | C:\Users\admin\AppData\Local\Temp\RarSFX0\agent_launcher.exe | — | bitdefender_avfree.exe | |||||||||||
User: admin Company: Bitdefender Integrity Level: MEDIUM Description: Bitdefender Agent Launcher Exit code: 0 Version: 27.0.16.279 Modules
| |||||||||||||||
| 1624 | "C:\Program Files\Bitdefender Agent\27.0.1.266\ProductAgentUI.exe" show=progress event_retry=Global\7295237F-E98C-4C46-A4A4-07F0D66278C2 app_name="Bitdefender Security" | C:\Program Files\Bitdefender Agent\27.0.1.266\ProductAgentUI.exe | ProductAgentService.exe | ||||||||||||
User: SYSTEM Company: Bitdefender Integrity Level: SYSTEM Description: Bitdefender Agent Exit code: 0 Version: 27.0.1.264 Modules
| |||||||||||||||
| 1740 | "C:\Program Files\Bitdefender Agent\27.0.1.266\DiscoverySrv.exe" install | C:\Program Files\Bitdefender Agent\27.0.1.266\DiscoverySrv.exe | — | ProductAgentService.exe | |||||||||||
User: SYSTEM Company: Bitdefender Integrity Level: SYSTEM Description: DiscoverySrv Exit code: 0 Version: 27.0.1.263 Modules
| |||||||||||||||
| 2064 | "C:\Program Files\Bitdefender Agent\ProductAgentService.exe" start "C:\Users\admin\AppData\Local\Temp\bitdefender_avfree.exe" | C:\Program Files\Bitdefender Agent\ProductAgentService.exe | — | installer.exe | |||||||||||
User: admin Company: Bitdefender Integrity Level: HIGH Description: Bitdefender Agent Exit code: 0 Version: 27.0.1.263 Modules
| |||||||||||||||
| 2328 | "C:\Users\admin\AppData\Local\Temp\RarSFX0\packages\setuppackage.exe" | C:\Users\admin\AppData\Local\Temp\RarSFX0\packages\setuppackage.exe | bddeploy.exe | ||||||||||||
User: admin Integrity Level: HIGH Exit code: 0 Modules
| |||||||||||||||
| 2636 | "C:\Users\admin\AppData\Local\Temp\RarSFX0\packages\installer.exe" | C:\Users\admin\AppData\Local\Temp\RarSFX0\packages\installer.exe | bddeploy.exe | ||||||||||||
User: admin Company: Bitdefender Integrity Level: HIGH Description: Installation File Exit code: 0 Version: 27.0.16.279 Modules
| |||||||||||||||
| 2892 | "C:\Program Files\Bitdefender Agent\ProductAgentService.exe" install | C:\Program Files\Bitdefender Agent\ProductAgentService.exe | — | installer.exe | |||||||||||
User: admin Company: Bitdefender Integrity Level: HIGH Description: Bitdefender Agent Exit code: 0 Version: 27.0.1.263 Modules
| |||||||||||||||
Total events
40 380
Read events
40 172
Write events
201
Delete events
7
Modification events
| (PID) Process: | (3864) bitdefender_avfree.exe | Key: | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap |
| Operation: | write | Name: | ProxyBypass |
Value: 1 | |||
| (PID) Process: | (3864) bitdefender_avfree.exe | Key: | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap |
| Operation: | write | Name: | IntranetName |
Value: 1 | |||
| (PID) Process: | (3864) bitdefender_avfree.exe | Key: | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap |
| Operation: | write | Name: | UNCAsIntranet |
Value: 1 | |||
| (PID) Process: | (3864) bitdefender_avfree.exe | Key: | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap |
| Operation: | write | Name: | AutoDetect |
Value: 0 | |||
| (PID) Process: | (1432) agent_launcher.exe | Key: | HKEY_CLASSES_ROOT\Local Settings\MuiCache\182\52C64B7E |
| Operation: | write | Name: | LanguageList |
Value: en-US | |||
| (PID) Process: | (1432) agent_launcher.exe | Key: | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap |
| Operation: | write | Name: | ProxyBypass |
Value: 1 | |||
| (PID) Process: | (1432) agent_launcher.exe | Key: | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap |
| Operation: | write | Name: | IntranetName |
Value: 1 | |||
| (PID) Process: | (1432) agent_launcher.exe | Key: | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap |
| Operation: | write | Name: | UNCAsIntranet |
Value: 1 | |||
| (PID) Process: | (1432) agent_launcher.exe | Key: | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap |
| Operation: | write | Name: | AutoDetect |
Value: 0 | |||
| (PID) Process: | (3932) bddeploy.exe | Key: | HKEY_CLASSES_ROOT\Local Settings\MuiCache\182\52C64B7E |
| Operation: | write | Name: | LanguageList |
Value: en-US | |||
Executable files
54
Suspicious files
14
Text files
165
Unknown types
12
Dropped files
PID | Process | Filename | Type | |
|---|---|---|---|---|
| 3864 | bitdefender_avfree.exe | C:\Users\admin\AppData\Local\Temp\RarSFX0\packages\agentpackage.exe | executable | |
MD5:05EE53AB2BB06F33024E8B094EF3140E | SHA256:B4856CDC5046FCCA636CB0CF747A56F3B78472301950E2AD8CE2259F578DF501 | |||
| 3864 | bitdefender_avfree.exe | C:\Users\admin\AppData\Local\Temp\RarSFX0\deploy.dll.md5 | text | |
MD5:0A02DBB21B6CCE58D3A38597630DB08E | SHA256:C7ABB0FD4F63E7E380CEC72BB4CF4567E3753CD9D18ACC3209DF82CBCB915BAE | |||
| 3864 | bitdefender_avfree.exe | C:\Users\admin\AppData\Local\Temp\RarSFX0\deploy.dll | executable | |
MD5:12A33D34EFE5C1196366D9401CB87DB8 | SHA256:61C06FAD9CE99B0E313761DC94AB244C1B196D56195BD037A028D34AE120EBA7 | |||
| 3864 | bitdefender_avfree.exe | C:\Users\admin\AppData\Local\Temp\RarSFX0\packages\setuppackage.exe.md5 | text | |
MD5:15784F9CB8D05B0498105980D4A9445E | SHA256:2EF78B27AC9567707B1F28301DA62BBB8C96EDD81504E4A5FF60DE8088F5D4C2 | |||
| 3932 | bddeploy.exe | C:\Users\admin\AppData\Local\Temp\RarSFX0\packages\data\params.json | binary | |
MD5:6B229732FF696E1F6C082A8943925E3E | SHA256:99DC695E43B9FA8DFEB1C3FC46C6DD0171D460EBDBEC73D621532BBD3B2597AA | |||
| 2328 | setuppackage.exe | C:\Users\admin\AppData\Local\Temp\RarSFX0\packages\bdnc.dll | executable | |
MD5:C86511990365AC18CFB527E41A6F7EAC | SHA256:EB247A43D0CFD0662559F1E3A2BB6656A6B7D465C8D404D5A3EA090DAAD78196 | |||
| 2328 | setuppackage.exe | C:\Users\admin\AppData\Local\Temp\RarSFX0\packages\bdnc.client_id | text | |
MD5:F4C2784AA289F17D144A589751C7980D | SHA256:E6E827F81840CE8975CD5E30467DDC1661C3F407CD9D342D00800F32C01DCC26 | |||
| 2328 | setuppackage.exe | C:\Users\admin\AppData\Local\Temp\RarSFX0\packages\bdnc.ini | text | |
MD5:758591D297B16EE7B5127F2FE3E67A27 | SHA256:2C6224951714E685114B51C4E598C2BAD8C7BC16975F7401AC51E101AFCAB837 | |||
| 2328 | setuppackage.exe | C:\Users\admin\AppData\Local\Temp\RarSFX0\packages\bdec.dll | executable | |
MD5:E2A0334684B05BF05A953B80A4832D20 | SHA256:7DEDB34158F800166567887C7A007A85ECA0BE379D20D51DA3230F66C6B094C0 | |||
| 2328 | setuppackage.exe | C:\Users\admin\AppData\Local\Temp\RarSFX0\packages\bdnc.ini.md5 | text | |
MD5:3A0A7D7823833BE6E8AF5AB1AF295139 | SHA256:A5F15BA3B16384B584780F2BBB0EF3E7FD49CCABD0B9CA10437882F65F49C7F2 | |||
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
4
TCP/UDP connections
45
DNS requests
34
Threats
0
HTTP requests
PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation |
|---|---|---|---|---|---|---|---|---|---|
3940 | bdredline.exe | GET | 404 | 104.18.169.222:80 | http://upgrade.bitdefender.com/redline_com.bitdefender.agent/versions.id | unknown | html | 153 b | unknown |
3164 | ProductAgentService.exe | GET | 304 | 2.19.126.206:80 | http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/disallowedcertstl.cab?2fa640a8c7eec850 | unknown | — | — | unknown |
3164 | ProductAgentService.exe | GET | 200 | 192.229.221.95:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTfIs%2BLjDtGwQ09XEB1Yeq%2BtX%2BBgQQU7NfjgtJxXWRM3y5nP%2Be6mK4cD08CEAitQLJg0pxMn17Nqb2Trtk%3D | unknown | binary | 727 b | unknown |
3164 | ProductAgentService.exe | GET | 200 | 192.229.221.95:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSRXerF0eFeSWRripTgTkcJWMm7iQQUaDfg67Y7%2BF8Rhvv%2BYXsIiGX0TkICEAfUgQ0eGXaK4wv96iKa0QU%3D | unknown | binary | 727 b | unknown |
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
Connections
PID | Process | IP | Domain | ASN | CN | Reputation |
|---|---|---|---|---|---|---|
4 | System | 192.168.100.255:138 | — | — | — | whitelisted |
4 | System | 192.168.100.255:137 | — | — | — | whitelisted |
1080 | svchost.exe | 224.0.0.252:5355 | — | — | — | unknown |
3940 | bdredline.exe | 104.18.169.222:80 | upgrade.bitdefender.com | CLOUDFLARENET | — | shared |
1236 | svchost.exe | 239.255.255.250:1900 | — | — | — | unknown |
3164 | ProductAgentService.exe | 34.120.68.241:443 | nimbus.bitdefender.net | GOOGLE-CLOUD-PLATFORM | US | unknown |
3164 | ProductAgentService.exe | 34.149.211.227:443 | mclb-gcp.nimbus.bitdefender.net | GOOGLE | US | unknown |
3164 | ProductAgentService.exe | 34.120.67.236:443 | elb-lon-gcp.nimbus.bitdefender.net | GOOGLE-CLOUD-PLATFORM | US | unknown |
3164 | ProductAgentService.exe | 34.117.254.173:443 | elb-nvi-gcp.nimbus.bitdefender.net | GOOGLE-CLOUD-PLATFORM | US | unknown |
3164 | ProductAgentService.exe | 2.19.126.206:80 | ctldl.windowsupdate.com | Akamai International B.V. | DE | unknown |
DNS requests
Domain | IP | Reputation |
|---|---|---|
upgrade.bitdefender.com |
| unknown |
nimbus.bitdefender.net |
| unknown |
mclb-gcp.nimbus.bitdefender.net |
| unknown |
eu.nimbus.bitdefender.net |
| unknown |
elb-lon-gcp.nimbus.bitdefender.net |
| unknown |
elb-nvi-gcp.nimbus.bitdefender.net |
| unknown |
ctldl.windowsupdate.com |
| whitelisted |
ocsp.digicert.com |
| whitelisted |
download.bitdefender.com |
| unknown |