590d385c35a94e2292fdf6d5c805874b3bdd9f1ae0ca4883ef036b3a8d23d72d

Analysis

max time kernel
192s
max time network
255s
platform
windows10_x64
resource
win10-en-20211208
submitted
31-12-2021 05:19

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Bitdefender.Antivirus.v25.0.26.88.exe
Size

12.9MB
MD5

2ed1a518f5711a6d76fd5e038be96f9e
SHA1

c66900065762296fae037716e283f5cab5e1db9a
SHA256

590d385c35a94e2292fdf6d5c805874b3bdd9f1ae0ca4883ef036b3a8d23d72d
SHA512

44b81e24bca1fb6d9fcfad8ca69ec5a5867c60ce95b04b367c0bb7a8e56b706f1b85b4c82b83c124d62d80734d47af62f0e34aaae73ebb293446a34a4d7becf2

Score

8^/10

discovery

Malware Config

Signatures

Downloads MZ/PE file

Executes dropped EXE 22 IoCs

Processes:

agent_launcher.exebddeploy.exesetuppackage.exeinstaller.exeProductAgentService.exeProductAgentService.exeProductAgentService.exeProductAgentService.exeProductAgentService.exeDiscoverySrv.exeDiscoverySrv.exeProductAgentService.exeProductAgentUI.exeiznD061.tmpBPInstaller.exeBPInstaller.exeagentctrl.exeagentctrl.exeagentctrl.exeagentctrl.exeagentctrl.exeWatchDog.exe

pid	process
3776	agent_launcher.exe
1996	bddeploy.exe
1572	setuppackage.exe
4072	installer.exe
2252	ProductAgentService.exe
2088	ProductAgentService.exe
1144	ProductAgentService.exe
1344	ProductAgentService.exe
3328	ProductAgentService.exe
2204	DiscoverySrv.exe
3488	DiscoverySrv.exe
3744	ProductAgentService.exe
428	ProductAgentUI.exe
776	iznD061.tmp
2168	BPInstaller.exe
3028	BPInstaller.exe
432	agentctrl.exe
1516	agentctrl.exe
800	agentctrl.exe
744	agentctrl.exe
2060	agentctrl.exe
3164	WatchDog.exe

Loads dropped DLL 64 IoCs

Processes:

installer.exeProductAgentService.exeProductAgentService.exeProductAgentService.exeProductAgentService.exeProductAgentService.exeDiscoverySrv.exeregsvr32.exeDiscoverySrv.exeProductAgentService.exeProductAgentUI.exeBPInstaller.exeBPInstaller.exe

pid	process
4072	installer.exe
4072	installer.exe
4072	installer.exe
4072	installer.exe
4072	installer.exe
4072	installer.exe
4072	installer.exe
4072	installer.exe
4072	installer.exe
4072	installer.exe
4072	installer.exe
2252	ProductAgentService.exe
4072	installer.exe
4072	installer.exe
4072	installer.exe
2088	ProductAgentService.exe
1144	ProductAgentService.exe
1344	ProductAgentService.exe
1344	ProductAgentService.exe
3328	ProductAgentService.exe
4072	installer.exe
4072	installer.exe
3328	ProductAgentService.exe
2204	DiscoverySrv.exe
2204	DiscoverySrv.exe
2204	DiscoverySrv.exe
2204	DiscoverySrv.exe
2936	regsvr32.exe
3328	ProductAgentService.exe
3328	ProductAgentService.exe
3328	ProductAgentService.exe
3328	ProductAgentService.exe
3328	ProductAgentService.exe
3328	ProductAgentService.exe
3328	ProductAgentService.exe
3328	ProductAgentService.exe
3328	ProductAgentService.exe
3328	ProductAgentService.exe
3488	DiscoverySrv.exe
3488	DiscoverySrv.exe
3488	DiscoverySrv.exe
3488	DiscoverySrv.exe
3488	DiscoverySrv.exe
3328	ProductAgentService.exe
3328	ProductAgentService.exe
4072	installer.exe
3744	ProductAgentService.exe
428	ProductAgentUI.exe
428	ProductAgentUI.exe
428	ProductAgentUI.exe
428	ProductAgentUI.exe
428	ProductAgentUI.exe
428	ProductAgentUI.exe
428	ProductAgentUI.exe
428	ProductAgentUI.exe
428	ProductAgentUI.exe
2168	BPInstaller.exe
2168	BPInstaller.exe
2168	BPInstaller.exe
2168	BPInstaller.exe
2168	BPInstaller.exe
2168	BPInstaller.exe
2168	BPInstaller.exe
3028	BPInstaller.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops file in System32 directory 14 IoCs

Processes:

DiscoverySrv.exeProductAgentService.exeWatchDog.exe

description	ioc	process
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\EE44ECA143B76F2B9F2A5AA75B5D1EC6_847118BE2683F0C241D1D702F3A3F5F9	DiscoverySrv.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\CA4458E7366E94A3C3A9C1FE548B6D21_2D95862FBF9F4D39565F4C6134C2CFB4	DiscoverySrv.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache	DiscoverySrv.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\CA4458E7366E94A3C3A9C1FE548B6D21_6F10577732640C329D7BADD5F344FE3D	ProductAgentService.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData	DiscoverySrv.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content	DiscoverySrv.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\CA4458E7366E94A3C3A9C1FE548B6D21_6F10577732640C329D7BADD5F344FE3D	ProductAgentService.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\77EC63BDA74BD0D0E0426DC8F8008506	WatchDog.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft	DiscoverySrv.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\EE44ECA143B76F2B9F2A5AA75B5D1EC6_847118BE2683F0C241D1D702F3A3F5F9	DiscoverySrv.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\CA4458E7366E94A3C3A9C1FE548B6D21_2D95862FBF9F4D39565F4C6134C2CFB4	DiscoverySrv.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\57C8EDB95DF3F0AD4EE2DC2B8CFD4157	WatchDog.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\57C8EDB95DF3F0AD4EE2DC2B8CFD4157	WatchDog.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\77EC63BDA74BD0D0E0426DC8F8008506	WatchDog.exe

Drops file in Program Files directory 64 IoCs

Processes:

installer.exeBPInstaller.exeagentctrl.exeProductAgentService.exe

description	ioc	process
File created	C:\Program Files\Bitdefender Agent\ui\ltr\ProductAgentUI.ui	installer.exe
File created	C:\Program Files\Bitdefender Antivirus Free\kitinstaller\archives\onaccess.exe	BPInstaller.exe
File created	C:\Program Files\Bitdefender Antivirus Free\kitinstaller\gui\images\installer\bdicon.ico	BPInstaller.exe
File created	C:\Program Files\Bitdefender Antivirus Free\kitinstaller\gui\styles\install.css	BPInstaller.exe
File created	C:\Program Files\Bitdefender Antivirus Free\kitinstaller\msvcp140_atomic_wait.dll	BPInstaller.exe
File created	C:\Program Files\Bitdefender Antivirus Free\kitinstaller\vccorlib140.dll	BPInstaller.exe
File opened for modification	C:\Program Files\Bitdefender Agent\skin\img\icons\b-icon-popup.svg	installer.exe
File created	C:\Program Files\Bitdefender Antivirus Free\kitinstaller\components\agemma.yaml	BPInstaller.exe
File opened for modification	C:\Program Files\Bitdefender Agent\lang\nl-NL	installer.exe
File created	C:\Program Files\Bitdefender Antivirus Free\kitinstaller\gui\images\installer\sup_prod4.png	BPInstaller.exe
File opened for modification	C:\Program Files\Bitdefender Agent\lang\ko-KR\ProductAgentUI.txtui	installer.exe
File created	C:\Program Files\Bitdefender Agent\skin\html\Others\generic_message_window.html	installer.exe
File created	C:\Program Files\Bitdefender Agent\skin\images\load-medium.png	installer.exe
File created	C:\Program Files\Bitdefender Agent\ui\rtl\ProductAgentUI.ui	installer.exe
File opened for modification	C:\Program Files\Bitdefender Agent\installer\additional.dll	installer.exe
File created	C:\Program Files\Bitdefender Agent\installer\bdnc.ini.md5	installer.exe
File created	C:\Program Files\Bitdefender Antivirus Free\kitinstaller\api-ms-win-core-memory-l1-1-0.dll	BPInstaller.exe
File opened for modification	C:\Program Files\Bitdefender Agent\lang\ja-JP\ProductAgentUI.txtui	installer.exe
File created	C:\Program Files\Bitdefender Antivirus Free\kitinstaller\settings\bdch.xml.tpl	BPInstaller.exe
File created	C:\Program Files\Bitdefender Antivirus Free\kitinstaller\gui\scripts\notif.tis	BPInstaller.exe
File opened for modification	C:\Program Files\Bitdefender Agent\skin\images\icon-win.svg	installer.exe
File created	C:\Program Files\Bitdefender Agent\skin\images_2\common\bdui_progress_bgr_black.png	installer.exe
File opened for modification	C:\Program Files\Bitdefender Agent\ui	installer.exe
File created	C:\Program Files\Bitdefender Antivirus Free\kitinstaller\api-ms-win-crt-filesystem-l1-1-0.dll	BPInstaller.exe
File created	C:\Program Files\Bitdefender Antivirus Free\kitinstaller\gui\images\installer\logo.svg	BPInstaller.exe
File created	C:\Program Files\Bitdefender Agent\ProductAgentUI.exe	installer.exe
File opened for modification	C:\Program Files\Bitdefender Agent\skin\images\slider.png	installer.exe
File created	C:\Program Files\Bitdefender Antivirus Free\kitinstaller\archives\epsservice.exe	BPInstaller.exe
File created	C:\Program Files\Bitdefender Antivirus Free\kitinstaller\components\bdredline.yaml	BPInstaller.exe
File created	C:\Program Files\Bitdefender Agent\apps_data\com.bitdefender.avfree_extra_data	agentctrl.exe
File opened for modification	C:\Program Files\Bitdefender Agent\lang\ar-SA\ProductAgentUI.txtui	installer.exe
File created	C:\Program Files\Bitdefender Agent\skin\images_2\common\bdui_progress_fgr.png	installer.exe
File created	C:\Program Files\Bitdefender Agent\apps_data\com.bitdefender.avfree	ProductAgentService.exe
File created	C:\Program Files\Bitdefender Antivirus Free\kitinstaller\gui\images\installer\checkbox_on.svg	BPInstaller.exe
File created	C:\Program Files\Bitdefender Agent\settings\ProductAgent.json.md5	installer.exe
File created	C:\Program Files\Bitdefender Antivirus Free\kitinstaller\api-ms-win-core-rtlsupport-l1-1-0.dll	BPInstaller.exe
File opened for modification	C:\Program Files\Bitdefender Agent\lang\th-TH	installer.exe
File created	C:\Program Files\Bitdefender Agent\ProductAgentService.exe	installer.exe
File created	C:\Program Files\Bitdefender Agent\ui\ltr\bdsubwiz.ui	installer.exe
File created	C:\Program Files\Bitdefender Antivirus Free\kitinstaller\gui\images\installer\square.svg	BPInstaller.exe
File opened for modification	C:\Program Files\Bitdefender Agent\lang\ro-RO	installer.exe
File opened for modification	C:\Program Files\Bitdefender Agent\skin\images\pattern2.png	installer.exe
File created	C:\Program Files\Bitdefender Agent\installer\lang\pl-PL.dll	installer.exe
File created	C:\Program Files\Bitdefender Agent\lang\th-TH\bdsubwiz.txtui	installer.exe
File created	C:\Program Files\Bitdefender Antivirus Free\kitinstaller\gui\images\installer\warning-icon.svg	BPInstaller.exe
File created	C:\Program Files\Bitdefender Agent\skin\images\ie-icon.png	installer.exe
File opened for modification	C:\Program Files\Bitdefender Agent\ui\ltr	installer.exe
File created	C:\Program Files\Bitdefender Antivirus Free\kitinstaller\AgentCtrl.exe	BPInstaller.exe
File created	C:\Program Files\Bitdefender Antivirus Free\kitinstaller\kitmd5.dat	BPInstaller.exe
File created	C:\Program Files\Bitdefender Antivirus Free\kitinstaller\settings\Antiphishing.conf.tpl	BPInstaller.exe
File created	C:\Program Files\Bitdefender Antivirus Free\kitinstaller\settings\Product.ActionCenter.conf.tpl	BPInstaller.exe
File opened for modification	C:\Program Files\Bitdefender Agent\skin\images_2\common\bdui_progress_bgr_black.png	installer.exe
File created	C:\Program Files\Bitdefender Agent\lang\vi-VN\bdsubwiz.txtui	installer.exe
File created	C:\Program Files\Bitdefender Agent\installer\lang\vi-VN.dll	installer.exe
File created	C:\Program Files\Bitdefender Antivirus Free\kitinstaller\gui\images\installer\sup_prod2.png	BPInstaller.exe
File created	C:\Program Files\Bitdefender Antivirus Free\kitinstaller\settings\FileScan.Quarantine.conf.tpl	BPInstaller.exe
File created	C:\Program Files\Bitdefender Antivirus Free\kitinstaller\vcruntime140_1.dll	BPInstaller.exe
File opened for modification	C:\Program Files\Bitdefender Agent\DiscoveryComp.dll	installer.exe
File created	C:\Program Files\Bitdefender Agent\skin\img\icons\feedback.svg	installer.exe
File created	C:\Program Files\Bitdefender Agent\installer\bdnc.ini	installer.exe
File created	C:\Program Files\Bitdefender Agent\installer\lang\ar-SA.dll	installer.exe
File created	C:\Program Files\Bitdefender Antivirus Free\kitinstaller\components\epsservice.yaml	BPInstaller.exe
File opened for modification	C:\Program Files\Bitdefender Agent\skin\html\Agent	installer.exe
File opened for modification	C:\Program Files\Bitdefender Agent\lang\pt-PT\bdsubwiz.txtui	installer.exe

Drops file in Windows directory 2 IoCs

Processes:

svchost.exe

description	ioc	process
File created	C:\Windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\UPnP Device Host\upnphost\udhisapi.dll	svchost.exe
File opened for modification	C:\Windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\UPnP Device Host\upnphost\udhisapi.dll	svchost.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

ProductAgentService.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	ProductAgentService.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	ProductAgentService.exe

Modifies data under HKEY_USERS 64 IoCs

Processes:

ProductAgentUI.exeWatchDog.exeDiscoverySrv.exeDiscoverySrv.exeProductAgentService.exe

description	ioc	process
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs	ProductAgentUI.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	WatchDog.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000	WatchDog.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs	DiscoverySrv.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates	DiscoverySrv.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My	DiscoverySrv.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs	ProductAgentUI.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs	DiscoverySrv.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates	ProductAgentService.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs	DiscoverySrv.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs	DiscoverySrv.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot	WatchDog.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs	ProductAgentService.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates	ProductAgentService.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates	ProductAgentUI.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates	WatchDog.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates	DiscoverySrv.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	DiscoverySrv.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs	ProductAgentUI.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs	ProductAgentService.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs	WatchDog.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	DiscoverySrv.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	DiscoverySrv.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	ProductAgentService.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates	DiscoverySrv.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs	ProductAgentUI.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs	ProductAgentUI.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates	ProductAgentService.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	WatchDog.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	ProductAgentUI.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs	ProductAgentUI.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	DiscoverySrv.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs	DiscoverySrv.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	DiscoverySrv.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs	DiscoverySrv.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000	ProductAgentService.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	DiscoverySrv.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates	ProductAgentService.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000	ProductAgentUI.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs	ProductAgentUI.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	ProductAgentUI.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	WatchDog.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates	WatchDog.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates	DiscoverySrv.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs	DiscoverySrv.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	DiscoverySrv.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs	WatchDog.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates	DiscoverySrv.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates	DiscoverySrv.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs	ProductAgentService.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs	ProductAgentService.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs	DiscoverySrv.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	ProductAgentService.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot	DiscoverySrv.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	ProductAgentUI.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs	ProductAgentUI.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates	ProductAgentUI.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs	ProductAgentUI.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My	WatchDog.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs	ProductAgentService.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs	ProductAgentService.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs	DiscoverySrv.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs	DiscoverySrv.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs	DiscoverySrv.exe

Modifies registry class 44 IoCs

Processes:

regsvr32.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CB23A858-ED47-425B-AAD2-D809C11E1DA6}\InprocServer32\ = "C:\\Program Files\\Bitdefender Agent\\DiscoveryComp.dll"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{D19631EE-4E47-4BA9-BA2E-C5FF909E2C61}\1.0	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{D19631EE-4E47-4BA9-BA2E-C5FF909E2C61}\1.0\HELPDIR\ = "C:\\Program Files\\Bitdefender Agent"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{753FDF26-44A2-47B5-B65E-2E207BD5BC0C}\ = "IUPnPService_SCPD"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{753FDF26-44A2-47B5-B65E-2E207BD5BC0C}\ProxyStubClsid32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\ProductAgent.UPNPDevice.1\ = "UPNPDevice Class"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CB23A858-ED47-425B-AAD2-D809C11E1DA6}\ = "UPNPDevice Class"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CB23A858-ED47-425B-AAD2-D809C11E1DA6}\InprocServer32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{753FDF26-44A2-47B5-B65E-2E207BD5BC0C}\ = "IUPnPService_SCPD"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{753FDF26-44A2-47B5-B65E-2E207BD5BC0C}\TypeLib	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\ProductAgent.UPNPDevice.1\CLSID\ = "{CB23A858-ED47-425B-AAD2-D809C11E1DA6}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CB23A858-ED47-425B-AAD2-D809C11E1DA6}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CB23A858-ED47-425B-AAD2-D809C11E1DA6}\VersionIndependentProgID	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{753FDF26-44A2-47B5-B65E-2E207BD5BC0C}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\ProductAgent.UPNPDevice.1	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{D19631EE-4E47-4BA9-BA2E-C5FF909E2C61}\1.0\FLAGS	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{753FDF26-44A2-47B5-B65E-2E207BD5BC0C}\TypeLib\Version = "1.0"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{753FDF26-44A2-47B5-B65E-2E207BD5BC0C}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{753FDF26-44A2-47B5-B65E-2E207BD5BC0C}\TypeLib\ = "{D19631EE-4E47-4BA9-BA2E-C5FF909E2C61}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CB23A858-ED47-425B-AAD2-D809C11E1DA6}\InprocServer32\ThreadingModel = "Free"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{753FDF26-44A2-47B5-B65E-2E207BD5BC0C}\TypeLib\ = "{D19631EE-4E47-4BA9-BA2E-C5FF909E2C61}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{753FDF26-44A2-47B5-B65E-2E207BD5BC0C}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{D19631EE-4E47-4BA9-BA2E-C5FF909E2C61}\1.0\0\win32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{D19631EE-4E47-4BA9-BA2E-C5FF909E2C61}\1.0\0\win32\ = "C:\\Program Files\\Bitdefender Agent\\DiscoveryComp.dll"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{753FDF26-44A2-47B5-B65E-2E207BD5BC0C}\ProxyStubClsid32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{753FDF26-44A2-47B5-B65E-2E207BD5BC0C}\TypeLib	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\ProductAgent.UPNPDevice\ = "UPNPDevice Class"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\ProductAgent.UPNPDevice\CurVer\ = "ProductAgent.UPNPDevice.1"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CB23A858-ED47-425B-AAD2-D809C11E1DA6}\VersionIndependentProgID\ = "ProductAgent.UPNPDevice"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CB23A858-ED47-425B-AAD2-D809C11E1DA6}\ProgID\ = "ProductAgent.UPNPDevice.1"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CB23A858-ED47-425B-AAD2-D809C11E1DA6}\TypeLib	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CB23A858-ED47-425B-AAD2-D809C11E1DA6}\TypeLib\ = "{D19631EE-4E47-4BA9-BA2E-C5FF909E2C61}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{D19631EE-4E47-4BA9-BA2E-C5FF909E2C61}\1.0\HELPDIR	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{753FDF26-44A2-47B5-B65E-2E207BD5BC0C}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\ProductAgent.UPNPDevice.1\CLSID	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\ProductAgent.UPNPDevice	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CB23A858-ED47-425B-AAD2-D809C11E1DA6}\ProgID	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{753FDF26-44A2-47B5-B65E-2E207BD5BC0C}\TypeLib\Version = "1.0"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{D19631EE-4E47-4BA9-BA2E-C5FF909E2C61}\1.0\ = "ProductAgent UPNP Service Type Library"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{D19631EE-4E47-4BA9-BA2E-C5FF909E2C61}\1.0\FLAGS\ = "0"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{D19631EE-4E47-4BA9-BA2E-C5FF909E2C61}\1.0\0	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\ProductAgent.UPNPDevice\CurVer	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CB23A858-ED47-425B-AAD2-D809C11E1DA6}\Programmable	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{D19631EE-4E47-4BA9-BA2E-C5FF909E2C61}	regsvr32.exe

Modifies system certificate store 2 TTPs 10 IoCs

evasion spyware trojan

Install Root Certificate

T1130

Modify Registry

T1112

Processes:

agent_launcher.exeinstaller.exe

description	ioc	process
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43\Blob = 190000000100000010000000749966cecc95c1874194ca7203f9b6200300000001000000140000000563b8630d62d75abbc8ab1e4bdfb5a899b24d431d00000001000000100000004f5f106930398d09107b40c3c7ca8f1c0b000000010000001200000044006900670069004300650072007400000014000000010000001400000045eba2aff492cb82312d518ba7a7219df36dc80f6200000001000000200000003e9099b5015e8f486c00bcea9d111ee721faba355a89bcf1df69561e3dc6325c090000000100000034000000303206082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030106082b06010505070308530000000100000040000000303e301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c00f00000001000000140000006dca5bd00dcf1c0f327059d374b29ca6e3c50aa62000000001000000bb030000308203b73082029fa00302010202100ce7e0e517d846fe8fe560fc1bf03039300d06092a864886f70d01010505003065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100ad0e15cee443805cb187f3b760f97112a5aedc269488aaf4cef520392858600cf880daa9159532613cb5b128848a8adc9f0a0c83177a8f90ac8ae779535c31842af60f98323676ccdedd3ca8a2ef6afb21f25261df9f20d71fe2b1d9fe1864d2125b5ff9581835bc47cda136f96b7fd4b0383ec11bc38c33d9d82f18fe280fb3a783d6c36e44c061359616fe599c8b766dd7f1a24b0d2bff0b72da9e60d08e9035c678558720a1cfe56d0ac8497c3198336c22e987d0325aa2ba138211ed39179d993a72a1e6faa4d9d5173175ae857d22ae3f014686f62879c8b1dae45717c47e1c0eb0b492a656b3bdb297edaaa7f0b7c5a83f9516d0ffa196eb085f18774f0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041445eba2aff492cb82312d518ba7a7219df36dc80f301f0603551d2304183016801445eba2aff492cb82312d518ba7a7219df36dc80f300d06092a864886f70d01010505000382010100a20ebcdfe2edf0e372737a6494bff77266d832e4427562ae87ebf2d5d9de56b39fccce1428b90d97605c124c58e4d33d834945589735691aa847ea56c679ab12d8678184df7f093c94e6b8262c20bd3db32889f75fff22e297841fe965ef87e0dfc16749b35debb2092aeb26ed78be7d3f2bf3b726356d5f8901b6495b9f01059bab3d25c1ccb67fc2f16f86c6fa6468eb812d94eb42b7fa8c1edd62f1be5067b76cbdf3f11f6b0c3607167f377ca95b6d7af112466083d72704be4bce97bec3672a6811df80e70c3366bf130d146ef37f1f63101efa8d1b256d6c8fa5b76101b1d2a326a110719dade2c3f9c39951b72b0708ce2ee650b2a7fa0a452fa2f0f2	agent_launcher.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43\Blob = 5c000000010000000400000000080000190000000100000010000000749966cecc95c1874194ca7203f9b6200300000001000000140000000563b8630d62d75abbc8ab1e4bdfb5a899b24d431d00000001000000100000004f5f106930398d09107b40c3c7ca8f1c0b000000010000001200000044006900670069004300650072007400000014000000010000001400000045eba2aff492cb82312d518ba7a7219df36dc80f6200000001000000200000003e9099b5015e8f486c00bcea9d111ee721faba355a89bcf1df69561e3dc6325c090000000100000034000000303206082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030106082b06010505070308530000000100000040000000303e301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c00f00000001000000140000006dca5bd00dcf1c0f327059d374b29ca6e3c50aa604000000010000001000000087ce0b7b2a0e4900e158719b37a893722000000001000000bb030000308203b73082029fa00302010202100ce7e0e517d846fe8fe560fc1bf03039300d06092a864886f70d01010505003065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100ad0e15cee443805cb187f3b760f97112a5aedc269488aaf4cef520392858600cf880daa9159532613cb5b128848a8adc9f0a0c83177a8f90ac8ae779535c31842af60f98323676ccdedd3ca8a2ef6afb21f25261df9f20d71fe2b1d9fe1864d2125b5ff9581835bc47cda136f96b7fd4b0383ec11bc38c33d9d82f18fe280fb3a783d6c36e44c061359616fe599c8b766dd7f1a24b0d2bff0b72da9e60d08e9035c678558720a1cfe56d0ac8497c3198336c22e987d0325aa2ba138211ed39179d993a72a1e6faa4d9d5173175ae857d22ae3f014686f62879c8b1dae45717c47e1c0eb0b492a656b3bdb297edaaa7f0b7c5a83f9516d0ffa196eb085f18774f0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041445eba2aff492cb82312d518ba7a7219df36dc80f301f0603551d2304183016801445eba2aff492cb82312d518ba7a7219df36dc80f300d06092a864886f70d01010505000382010100a20ebcdfe2edf0e372737a6494bff77266d832e4427562ae87ebf2d5d9de56b39fccce1428b90d97605c124c58e4d33d834945589735691aa847ea56c679ab12d8678184df7f093c94e6b8262c20bd3db32889f75fff22e297841fe965ef87e0dfc16749b35debb2092aeb26ed78be7d3f2bf3b726356d5f8901b6495b9f01059bab3d25c1ccb67fc2f16f86c6fa6468eb812d94eb42b7fa8c1edd62f1be5067b76cbdf3f11f6b0c3607167f377ca95b6d7af112466083d72704be4bce97bec3672a6811df80e70c3366bf130d146ef37f1f63101efa8d1b256d6c8fa5b76101b1d2a326a110719dade2c3f9c39951b72b0708ce2ee650b2a7fa0a452fa2f0f2	agent_launcher.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-369956170-74428499-1628131376-1000\Software\Microsoft\SystemCertificates\CA\Certificates\8D4C4A23BA9EE84EA7348FA98CC6E65FBB69DE7B\Blob = 0300000001000000140000008d4c4a23ba9ee84ea7348fa98cc6e65fbb69de7b140000000100000014000000bbaf7e023dfaa6f13c848eadee3898ecd93232d4040000000100000010000000ab9b109ce8934f11e7cd22ed550680da0f0000000100000030000000a768343c4aeaced5c72f3571938864983a67ed49031c1da2495863caf65fe507011f7f0e70b6cb40e5631c07721be03419000000010000001000000082218ffb91733e64136be5719f57c3a15c0000000100000004000000001000001800000001000000100000002aa1c05e2ae606f198c2c5e937c97aa24b0000000100000044000000420032004600410046003700360039003200460044003900460046004200440036003400450044004500330031003700450034003200330033003400420041005f0000002000000001000000820500003082057e30820466a003020102021067def43ef17bdae24ff5940606d2c084300d06092a864886f70d01010c0500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a308185310b3009060355040613024742311b30190603550408131247726561746572204d616e636865737465723110300e0603550407130753616c666f7264311a3018060355040a1311434f4d4f444f204341204c696d69746564312b302906035504031322434f4d4f444f205253412043657274696669636174696f6e20417574686f7269747930820222300d06092a864886f70d01010105000382020f003082020a028202010091e85492d20a56b1ac0d24ddc5cf446774992b37a37d23700071bc53dfc4fa2a128f4b7f1056bd9f7072b7617fc94b0f17a73de3b00461eeff1197c7f4863e0afa3e5cf993e6347ad9146be79cb385a0827a76af7190d7ecfd0dfa9c6cfadfb082f4147ef9bec4a62f4f7f997fb5fc674372bd0c00d689eb6b2cd3ed8f981c14ab7ee5e36efcd8a8e49224da436b62b855fdeac1bc6cb68bf30e8d9ae49b6c6999f878483045d5ade10d3c4560fc32965127bc67c3ca2eb66bea46c7c720a0b11f65de4808baa44ea9f283463784ebe8cc814843674e722a9b5cbd4c1b288a5c227bb4ab98d9eee05183c309464e6d3e99fa9517da7c3357413c8d51ed0bb65caf2c631adf57c83fbce95dc49baf4599e2a35a24b4baa9563dcf6faaff4958bef0a8fff4b8ade937fbbab8f40b3af9e843421e89d884cb13f1d9bbe18960b88c2856ac141d9c0ae771ebcf0edd3da996a148bd3cf7afb50d224cc01181ec563bf6d3a2e25bb7b204225295809369e88e4c65f191032d707402ea8b671529695202bbd7df506a5546bfa0a328617f70d0c3a2aa2c21aa47ce289c064576bf821827b4d5aeb4cb50e66bf44c867130e9a6df1686e0d8ff40ddfbd042887fa3333a2e5c1e41118163ce18716b2beca68ab7315c3a6a47e0c37959d6201aaff26a98aa72bc574ad24b9dbb10fcb04c41e5ed1d3d5e289d9cccbfb351daa747e584530203010001a381f23081ef301f0603551d23041830168014a0110a233e96f107ece2af29ef82a57fd030a4b4301d0603551d0e04160414bbaf7e023dfaa6f13c848eadee3898ecd93232d4300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff30110603551d20040a300830060604551d200030430603551d1f043c303a3038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c303406082b0601050507010104283026302406082b060105050730018618687474703a2f2f6f6373702e636f6d6f646f63612e636f6d300d06092a864886f70d01010c050003820101007ff25635b06d954a4e74af3ae26f018b87d33297edf840d2775311d7c7162ec69de64856be80a9f8bc78d2c86317ae8ced1631fa1f18c90ec7ee48799fc7c9b9bccc8815e36861d19f1d4b6181d7560463c2086926f0f0e52fdfc00a2ba905f4025a6a89d7b4844295e3ebf776205e35d9c0cd2508134c71388e87b0338491991e91f1ac9e3fa71d60812c364154a0e246060bac1bc799368c5ea10ba49ed9424624c5c55b81aeada0a0dc9f36b88dc21d15fa88ad8110391f44f02b9fdd10540c0734b136d114fd07023dff7255ab27d62c814171298d41f450571a7e6560afcbc5287698aeb3a853768be621526bea21d0840e494e8853da922ee71d0866d7	installer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349	installer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43	agent_launcher.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43\Blob = 0f00000001000000140000006dca5bd00dcf1c0f327059d374b29ca6e3c50aa6530000000100000040000000303e301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0090000000100000034000000303206082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030106082b060105050703086200000001000000200000003e9099b5015e8f486c00bcea9d111ee721faba355a89bcf1df69561e3dc6325c14000000010000001400000045eba2aff492cb82312d518ba7a7219df36dc80f0b00000001000000120000004400690067006900430065007200740000001d00000001000000100000004f5f106930398d09107b40c3c7ca8f1c0300000001000000140000000563b8630d62d75abbc8ab1e4bdfb5a899b24d432000000001000000bb030000308203b73082029fa00302010202100ce7e0e517d846fe8fe560fc1bf03039300d06092a864886f70d01010505003065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100ad0e15cee443805cb187f3b760f97112a5aedc269488aaf4cef520392858600cf880daa9159532613cb5b128848a8adc9f0a0c83177a8f90ac8ae779535c31842af60f98323676ccdedd3ca8a2ef6afb21f25261df9f20d71fe2b1d9fe1864d2125b5ff9581835bc47cda136f96b7fd4b0383ec11bc38c33d9d82f18fe280fb3a783d6c36e44c061359616fe599c8b766dd7f1a24b0d2bff0b72da9e60d08e9035c678558720a1cfe56d0ac8497c3198336c22e987d0325aa2ba138211ed39179d993a72a1e6faa4d9d5173175ae857d22ae3f014686f62879c8b1dae45717c47e1c0eb0b492a656b3bdb297edaaa7f0b7c5a83f9516d0ffa196eb085f18774f0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041445eba2aff492cb82312d518ba7a7219df36dc80f301f0603551d2304183016801445eba2aff492cb82312d518ba7a7219df36dc80f300d06092a864886f70d01010505000382010100a20ebcdfe2edf0e372737a6494bff77266d832e4427562ae87ebf2d5d9de56b39fccce1428b90d97605c124c58e4d33d834945589735691aa847ea56c679ab12d8678184df7f093c94e6b8262c20bd3db32889f75fff22e297841fe965ef87e0dfc16749b35debb2092aeb26ed78be7d3f2bf3b726356d5f8901b6495b9f01059bab3d25c1ccb67fc2f16f86c6fa6468eb812d94eb42b7fa8c1edd62f1be5067b76cbdf3f11f6b0c3607167f377ca95b6d7af112466083d72704be4bce97bec3672a6811df80e70c3366bf130d146ef37f1f63101efa8d1b256d6c8fa5b76101b1d2a326a110719dade2c3f9c39951b72b0708ce2ee650b2a7fa0a452fa2f0f2	agent_launcher.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 040000000100000010000000497904b0eb8719ac47b0bc11519b74d00f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286090000000100000054000000305206082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050507030606082b0601050507030706082b0601050507030106082b0601050507030853000000010000004300000030413022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0620000000100000020000000d7a7a0fb5d7e2731d771e9484ebcdef71d5f0c3e0a2948782bc83ee0ea699ef40b000000010000001c0000005300650063007400690067006f002000280041004100410029000000140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b41d00000001000000100000002e0d6875874a44c820912e85e964cfdb030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e3491900000001000000100000002aa1c05e2ae606f198c2c5e937c97aa2200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	installer.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 5c0000000100000004000000000800001900000001000000100000002aa1c05e2ae606f198c2c5e937c97aa2030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e3491d00000001000000100000002e0d6875874a44c820912e85e964cfdb140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b40b000000010000001c0000005300650063007400690067006f002000280041004100410029000000620000000100000020000000d7a7a0fb5d7e2731d771e9484ebcdef71d5f0c3e0a2948782bc83ee0ea699ef453000000010000004300000030413022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0090000000100000054000000305206082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050507030606082b0601050507030706082b0601050507030106082b060105050703080f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286040000000100000010000000497904b0eb8719ac47b0bc11519b74d0200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	installer.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43\Blob = 04000000010000001000000087ce0b7b2a0e4900e158719b37a893720f00000001000000140000006dca5bd00dcf1c0f327059d374b29ca6e3c50aa6530000000100000040000000303e301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0090000000100000034000000303206082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030106082b060105050703086200000001000000200000003e9099b5015e8f486c00bcea9d111ee721faba355a89bcf1df69561e3dc6325c14000000010000001400000045eba2aff492cb82312d518ba7a7219df36dc80f0b00000001000000120000004400690067006900430065007200740000001d00000001000000100000004f5f106930398d09107b40c3c7ca8f1c0300000001000000140000000563b8630d62d75abbc8ab1e4bdfb5a899b24d43190000000100000010000000749966cecc95c1874194ca7203f9b6202000000001000000bb030000308203b73082029fa00302010202100ce7e0e517d846fe8fe560fc1bf03039300d06092a864886f70d01010505003065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100ad0e15cee443805cb187f3b760f97112a5aedc269488aaf4cef520392858600cf880daa9159532613cb5b128848a8adc9f0a0c83177a8f90ac8ae779535c31842af60f98323676ccdedd3ca8a2ef6afb21f25261df9f20d71fe2b1d9fe1864d2125b5ff9581835bc47cda136f96b7fd4b0383ec11bc38c33d9d82f18fe280fb3a783d6c36e44c061359616fe599c8b766dd7f1a24b0d2bff0b72da9e60d08e9035c678558720a1cfe56d0ac8497c3198336c22e987d0325aa2ba138211ed39179d993a72a1e6faa4d9d5173175ae857d22ae3f014686f62879c8b1dae45717c47e1c0eb0b492a656b3bdb297edaaa7f0b7c5a83f9516d0ffa196eb085f18774f0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041445eba2aff492cb82312d518ba7a7219df36dc80f301f0603551d2304183016801445eba2aff492cb82312d518ba7a7219df36dc80f300d06092a864886f70d01010505000382010100a20ebcdfe2edf0e372737a6494bff77266d832e4427562ae87ebf2d5d9de56b39fccce1428b90d97605c124c58e4d33d834945589735691aa847ea56c679ab12d8678184df7f093c94e6b8262c20bd3db32889f75fff22e297841fe965ef87e0dfc16749b35debb2092aeb26ed78be7d3f2bf3b726356d5f8901b6495b9f01059bab3d25c1ccb67fc2f16f86c6fa6468eb812d94eb42b7fa8c1edd62f1be5067b76cbdf3f11f6b0c3607167f377ca95b6d7af112466083d72704be4bce97bec3672a6811df80e70c3366bf130d146ef37f1f63101efa8d1b256d6c8fa5b76101b1d2a326a110719dade2c3f9c39951b72b0708ce2ee650b2a7fa0a452fa2f0f2	agent_launcher.exe
Key created	\REGISTRY\USER\S-1-5-21-369956170-74428499-1628131376-1000\Software\Microsoft\SystemCertificates\CA\Certificates\8D4C4A23BA9EE84EA7348FA98CC6E65FBB69DE7B	installer.exe

Suspicious behavior: EnumeratesProcesses 12 IoCs

Processes:

ProductAgentService.exe

pid	process
3328	ProductAgentService.exe
3328	ProductAgentService.exe
3328	ProductAgentService.exe
3328	ProductAgentService.exe
3328	ProductAgentService.exe
3328	ProductAgentService.exe
3328	ProductAgentService.exe
3328	ProductAgentService.exe
3328	ProductAgentService.exe
3328	ProductAgentService.exe
3328	ProductAgentService.exe
3328	ProductAgentService.exe

Suspicious use of AdjustPrivilegeToken 5 IoCs

Processes:

installer.exeProductAgentService.exe

description	pid	process
Token: SeRestorePrivilege	4072	installer.exe
Token: SeDebugPrivilege	3328	ProductAgentService.exe
Token: SeDebugPrivilege	3328	ProductAgentService.exe
Token: SeDebugPrivilege	3328	ProductAgentService.exe
Token: SeDebugPrivilege	3328	ProductAgentService.exe

Suspicious use of SetWindowsHookEx 8 IoCs

Processes:

BPInstaller.exeBPInstaller.exeagentctrl.exeagentctrl.exeagentctrl.exeagentctrl.exeagentctrl.exe

pid	process
2168	BPInstaller.exe
3028	BPInstaller.exe
432	agentctrl.exe
3028	BPInstaller.exe
1516	agentctrl.exe
800	agentctrl.exe
744	agentctrl.exe
2060	agentctrl.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

Bitdefender.Antivirus.v25.0.26.88.exeagent_launcher.exebddeploy.exeinstaller.exeProductAgentService.exeDiscoverySrv.exeiznD061.tmpBPInstaller.exeBPInstaller.exe

description	pid	process	target process
PID 2356 wrote to memory of 3776	2356	Bitdefender.Antivirus.v25.0.26.88.exe	agent_launcher.exe
PID 2356 wrote to memory of 3776	2356	Bitdefender.Antivirus.v25.0.26.88.exe	agent_launcher.exe
PID 2356 wrote to memory of 3776	2356	Bitdefender.Antivirus.v25.0.26.88.exe	agent_launcher.exe
PID 3776 wrote to memory of 1996	3776	agent_launcher.exe	bddeploy.exe
PID 3776 wrote to memory of 1996	3776	agent_launcher.exe	bddeploy.exe
PID 3776 wrote to memory of 1996	3776	agent_launcher.exe	bddeploy.exe
PID 1996 wrote to memory of 1572	1996	bddeploy.exe	setuppackage.exe
PID 1996 wrote to memory of 1572	1996	bddeploy.exe	setuppackage.exe
PID 1996 wrote to memory of 1572	1996	bddeploy.exe	setuppackage.exe
PID 1996 wrote to memory of 4072	1996	bddeploy.exe	installer.exe
PID 1996 wrote to memory of 4072	1996	bddeploy.exe	installer.exe
PID 1996 wrote to memory of 4072	1996	bddeploy.exe	installer.exe
PID 4072 wrote to memory of 2252	4072	installer.exe	ProductAgentService.exe
PID 4072 wrote to memory of 2252	4072	installer.exe	ProductAgentService.exe
PID 4072 wrote to memory of 2252	4072	installer.exe	ProductAgentService.exe
PID 4072 wrote to memory of 2088	4072	installer.exe	ProductAgentService.exe
PID 4072 wrote to memory of 2088	4072	installer.exe	ProductAgentService.exe
PID 4072 wrote to memory of 2088	4072	installer.exe	ProductAgentService.exe
PID 4072 wrote to memory of 1144	4072	installer.exe	ProductAgentService.exe
PID 4072 wrote to memory of 1144	4072	installer.exe	ProductAgentService.exe
PID 4072 wrote to memory of 1144	4072	installer.exe	ProductAgentService.exe
PID 4072 wrote to memory of 1344	4072	installer.exe	ProductAgentService.exe
PID 4072 wrote to memory of 1344	4072	installer.exe	ProductAgentService.exe
PID 4072 wrote to memory of 1344	4072	installer.exe	ProductAgentService.exe
PID 3328 wrote to memory of 2204	3328	ProductAgentService.exe	DiscoverySrv.exe
PID 3328 wrote to memory of 2204	3328	ProductAgentService.exe	DiscoverySrv.exe
PID 3328 wrote to memory of 2204	3328	ProductAgentService.exe	DiscoverySrv.exe
PID 2204 wrote to memory of 2936	2204	DiscoverySrv.exe	regsvr32.exe
PID 2204 wrote to memory of 2936	2204	DiscoverySrv.exe	regsvr32.exe
PID 2204 wrote to memory of 2936	2204	DiscoverySrv.exe	regsvr32.exe
PID 3328 wrote to memory of 3488	3328	ProductAgentService.exe	DiscoverySrv.exe
PID 3328 wrote to memory of 3488	3328	ProductAgentService.exe	DiscoverySrv.exe
PID 3328 wrote to memory of 3488	3328	ProductAgentService.exe	DiscoverySrv.exe
PID 3328 wrote to memory of 3744	3328	ProductAgentService.exe	ProductAgentService.exe
PID 3328 wrote to memory of 3744	3328	ProductAgentService.exe	ProductAgentService.exe
PID 3328 wrote to memory of 3744	3328	ProductAgentService.exe	ProductAgentService.exe
PID 3328 wrote to memory of 428	3328	ProductAgentService.exe	ProductAgentUI.exe
PID 3328 wrote to memory of 428	3328	ProductAgentService.exe	ProductAgentUI.exe
PID 3328 wrote to memory of 428	3328	ProductAgentService.exe	ProductAgentUI.exe
PID 3328 wrote to memory of 776	3328	ProductAgentService.exe	iznD061.tmp
PID 3328 wrote to memory of 776	3328	ProductAgentService.exe	iznD061.tmp
PID 3328 wrote to memory of 776	3328	ProductAgentService.exe	iznD061.tmp
PID 776 wrote to memory of 2168	776	iznD061.tmp	BPInstaller.exe
PID 776 wrote to memory of 2168	776	iznD061.tmp	BPInstaller.exe
PID 2168 wrote to memory of 3028	2168	BPInstaller.exe	BPInstaller.exe
PID 2168 wrote to memory of 3028	2168	BPInstaller.exe	BPInstaller.exe
PID 3028 wrote to memory of 432	3028	BPInstaller.exe	agentctrl.exe
PID 3028 wrote to memory of 432	3028	BPInstaller.exe	agentctrl.exe
PID 3028 wrote to memory of 432	3028	BPInstaller.exe	agentctrl.exe
PID 3028 wrote to memory of 1516	3028	BPInstaller.exe	agentctrl.exe
PID 3028 wrote to memory of 1516	3028	BPInstaller.exe	agentctrl.exe
PID 3028 wrote to memory of 1516	3028	BPInstaller.exe	agentctrl.exe
PID 3028 wrote to memory of 800	3028	BPInstaller.exe	agentctrl.exe
PID 3028 wrote to memory of 800	3028	BPInstaller.exe	agentctrl.exe
PID 3028 wrote to memory of 800	3028	BPInstaller.exe	agentctrl.exe
PID 3028 wrote to memory of 744	3028	BPInstaller.exe	agentctrl.exe
PID 3028 wrote to memory of 744	3028	BPInstaller.exe	agentctrl.exe
PID 3028 wrote to memory of 744	3028	BPInstaller.exe	agentctrl.exe
PID 3028 wrote to memory of 2060	3028	BPInstaller.exe	agentctrl.exe
PID 3028 wrote to memory of 2060	3028	BPInstaller.exe	agentctrl.exe
PID 3028 wrote to memory of 2060	3028	BPInstaller.exe	agentctrl.exe
PID 3328 wrote to memory of 3164	3328	ProductAgentService.exe	WatchDog.exe
PID 3328 wrote to memory of 3164	3328	ProductAgentService.exe	WatchDog.exe
PID 3328 wrote to memory of 3164	3328	ProductAgentService.exe	WatchDog.exe

C:\Users\Admin\AppData\Local\Temp\Bitdefender.Antivirus.v25.0.26.88.exe
"C:\Users\Admin\AppData\Local\Temp\Bitdefender.Antivirus.v25.0.26.88.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2356

C:\Users\Admin\AppData\Local\Temp\RarSFX0\agent_launcher.exe
"C:\Users\Admin\AppData\Local\Temp\RarSFX0\agent_launcher.exe"
2⤵
- Executes dropped EXE
- Modifies system certificate store
- Suspicious use of WriteProcessMemory
PID:3776

C:\Users\Admin\AppData\Local\Temp\RarSFX0\bddeploy.exe
"C:\Users\Admin\AppData\Local\Temp\RarSFX0\bddeploy.exe"
3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1996

C:\Users\Admin\AppData\Local\Temp\RarSFX0\packages\setuppackage.exe
"C:\Users\Admin\AppData\Local\Temp\RarSFX0\packages\setuppackage.exe"
4⤵
- Executes dropped EXE
PID:1572

C:\Users\Admin\AppData\Local\Temp\RarSFX0\packages\installer.exe
"C:\Users\Admin\AppData\Local\Temp\RarSFX0\packages\installer.exe"
4⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Program Files directory
- Modifies system certificate store
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4072

C:\Program Files\Bitdefender Agent\ProductAgentService.exe
"C:\Program Files\Bitdefender Agent\ProductAgentService.exe" protect
5⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2252

C:\Program Files\Bitdefender Agent\ProductAgentService.exe
"C:\Program Files\Bitdefender Agent\ProductAgentService.exe" install
5⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2088

C:\Program Files\Bitdefender Agent\ProductAgentService.exe
"C:\Program Files\Bitdefender Agent\ProductAgentService.exe" enable
5⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1144

C:\Program Files\Bitdefender Agent\ProductAgentService.exe
"C:\Program Files\Bitdefender Agent\ProductAgentService.exe" start "C:\Users\Admin\AppData\Local\Temp\Bitdefender.Antivirus.v25.0.26.88.exe"
5⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1344

C:\Program Files\Bitdefender Agent\ProductAgentService.exe
"C:\Program Files\Bitdefender Agent\ProductAgentService.exe"
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Drops file in Program Files directory
- Checks processor information in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3328

C:\Program Files\Bitdefender Agent\DiscoverySrv.exe
"C:\Program Files\Bitdefender Agent\DiscoverySrv.exe" install
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious use of WriteProcessMemory
PID:2204

C:\Windows\SysWOW64\regsvr32.exe
regsvr32 /s "C:\Program Files\Bitdefender Agent\DiscoveryComp.dll"
3⤵
- Loads dropped DLL
- Modifies registry class
PID:2936

C:\Program Files\Bitdefender Agent\DiscoverySrv.exe
"C:\Program Files\Bitdefender Agent\DiscoverySrv.exe"
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies data under HKEY_USERS
PID:3488

C:\Program Files\Bitdefender Agent\ProductAgentService.exe
"ProductAgentService.exe" login_silent
2⤵
- Executes dropped EXE
- Loads dropped DLL
PID:3744

C:\Program Files\Bitdefender Agent\ProductAgentUI.exe
ProductAgentUI.exe show=progress event_retry=Global\7295237F-E98C-4C46-A4A4-07F0D66278C2
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies data under HKEY_USERS
PID:428

C:\Windows\TEMP\bd_D060.tmp\iznD061.tmp
"C:\Windows\TEMP\bd_D060.tmp\iznD061.tmp" /source:web
2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:776

C:\Users\Admin\AppData\Local\Temp\RarSFX0\BPInstaller.exe
"C:\Users\Admin\AppData\Local\Temp\RarSFX0\BPInstaller.exe" -install -kitpath="C:\Windows\TEMP\bd_D060.tmp\iznD061.tmp" /source:web
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Program Files directory
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2168

C:\Program Files\Bitdefender Antivirus Free\kitinstaller\BPInstaller.exe
"C:\Program Files\Bitdefender Antivirus Free\kitinstaller\BPInstaller.exe" -install -kitpath="C:\Windows\TEMP\bd_D060.tmp\iznD061.tmp" /source:web
4⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3028

\??\c:\program files\bitdefender antivirus free\kitinstaller\agentctrl.exe
"\\?\c:\program files\bitdefender antivirus free\kitinstaller\agentctrl.exe" avf_get_agent_field --key="globalex" --field_name="lang"
5⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:432

C:\Program Files\Bitdefender Antivirus Free\kitinstaller\agentctrl.exe
"C:\Program Files\Bitdefender Antivirus Free\kitinstaller\agentctrl.exe" avf_get_agent_field --key="globalex" --field_name="lang"
5⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:1516

C:\Program Files\Bitdefender Antivirus Free\kitinstaller\agentctrl.exe
"C:\Program Files\Bitdefender Antivirus Free\kitinstaller\agentctrl.exe" avf_get_agent_field --key="globalex" --field_name="lang"
5⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:800

\??\c:\program files\bitdefender antivirus free\kitinstaller\agentctrl.exe
"\\?\c:\program files\bitdefender antivirus free\kitinstaller\agentctrl.exe" avf_get_agent_field --key="globalex" --field_name="anon_id"
5⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:744

\??\c:\program files\bitdefender antivirus free\kitinstaller\agentctrl.exe
"\\?\c:\program files\bitdefender antivirus free\kitinstaller\agentctrl.exe" avf_add_app --appid="com.bitdefender.avfree" --name="Bitdefender Antivirus Free" --status="disabled" --version="1.0.0.3"
5⤵
- Executes dropped EXE
- Drops file in Program Files directory
- Suspicious use of SetWindowsHookEx
PID:2060

C:\Program Files\Bitdefender Agent\WatchDog.exe
"C:\Program Files\Bitdefender Agent\WatchDog.exe" install
2⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies data under HKEY_USERS
PID:3164

\??\c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k localserviceandnoimpersonation -s upnphost
1⤵
- Drops file in Windows directory
PID:3684

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Install Root Certificate

T1130

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\Bitdefender Agent\ProductAgentService.exe

MD5
5a9220526894c7cdef5a8d6a9b9b0bba

SHA1
8e125ecdcf1e4f788f53765951197c0d971f08dd

SHA256
49af181fb49277d1db6c76e30614b776ef182e353e856ec6562f71ad6da224ef

SHA512
4800fd6e1172de6561c49e2fe36a2600a9c85bbf45151a12d0e017e5e540529894abe01fa965c27f57e28f6d490b12346044182ff7f41f0f781f7a4e6d39a098

Download Submit
C:\Program Files\Bitdefender Agent\ProductAgentService.exe

MD5
5a9220526894c7cdef5a8d6a9b9b0bba

SHA1
8e125ecdcf1e4f788f53765951197c0d971f08dd

SHA256
49af181fb49277d1db6c76e30614b776ef182e353e856ec6562f71ad6da224ef

SHA512
4800fd6e1172de6561c49e2fe36a2600a9c85bbf45151a12d0e017e5e540529894abe01fa965c27f57e28f6d490b12346044182ff7f41f0f781f7a4e6d39a098

Download Submit
C:\Program Files\Bitdefender Agent\ProductAgentService.exe

MD5
5a9220526894c7cdef5a8d6a9b9b0bba

SHA1
8e125ecdcf1e4f788f53765951197c0d971f08dd

SHA256
49af181fb49277d1db6c76e30614b776ef182e353e856ec6562f71ad6da224ef

SHA512
4800fd6e1172de6561c49e2fe36a2600a9c85bbf45151a12d0e017e5e540529894abe01fa965c27f57e28f6d490b12346044182ff7f41f0f781f7a4e6d39a098

Download Submit
C:\Program Files\Bitdefender Agent\ProductAgentService.exe

MD5
5a9220526894c7cdef5a8d6a9b9b0bba

SHA1
8e125ecdcf1e4f788f53765951197c0d971f08dd

SHA256
49af181fb49277d1db6c76e30614b776ef182e353e856ec6562f71ad6da224ef

SHA512
4800fd6e1172de6561c49e2fe36a2600a9c85bbf45151a12d0e017e5e540529894abe01fa965c27f57e28f6d490b12346044182ff7f41f0f781f7a4e6d39a098

Download Submit
C:\Program Files\Bitdefender Agent\ProductAgentService.exe

MD5
5a9220526894c7cdef5a8d6a9b9b0bba

SHA1
8e125ecdcf1e4f788f53765951197c0d971f08dd

SHA256
49af181fb49277d1db6c76e30614b776ef182e353e856ec6562f71ad6da224ef

SHA512
4800fd6e1172de6561c49e2fe36a2600a9c85bbf45151a12d0e017e5e540529894abe01fa965c27f57e28f6d490b12346044182ff7f41f0f781f7a4e6d39a098

Download Submit
C:\Program Files\Bitdefender Agent\log.dll

MD5
7010cccbbb1377ee32b978da143914c9

SHA1
1a96b533de59b49903a408273afad40b315e04e7

SHA256
0016743863fa01f760f57f19dc57b0fc037df0a64f33b6c04e5a404186403b8d

SHA512
a67f08aee46395246f6c6b1939fcdda05cd42f1f817629c10428373b17964127a14197837e06e9c2b5b62adeacb69efe457c86f8382db9e3b271441a3818c08a

Download Submit
C:\Program Files\Bitdefender Agent\settings\ProductAgent.json

MD5
ec6988c6ef6e12084dcfef510b478a06

SHA1
88b55420a9ec8c4a6d3e48634e2899776fd0aaa2

SHA256
e1b7760e0875b4d74d98c21afa70494798ffaad796c3f0bb2b1592cadd559508

SHA512
862018320a2e0ef702f276c82cb4cd19f4c18af092a381ba41251291bd0f6ce9c2646732007593531d846978c08ef43a466b0f08a03bd0cc728fce8aa4de5003

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\CA4458E7366E94A3C3A9C1FE548B6D21_2D95862FBF9F4D39565F4C6134C2CFB4

MD5
1af5f828c323d0d6a618984a3e878493

SHA1
1b73a657109f00125405313e3eac5736e284ff80

SHA256
774fe63b24dc075a5181faeaa797fb605c890783cbefbe7ee28708b42b8b3b00

SHA512
b8492f002cbc3feab3bf90ce646cb2e6e96135b2d5315715f44c2cd18dc42fa1c8f4b3187bc8fd7e462e66c9852191807e1f4550d6f0fdb24a5ebe6159de69eb

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\EE44ECA143B76F2B9F2A5AA75B5D1EC6_847118BE2683F0C241D1D702F3A3F5F9

MD5
464e1d56fb87ba173247b0194b5b61a6

SHA1
78395ea897917657b4026689725b2987d1afea84

SHA256
0943cb04c7d61831a667f5c090f7c4f497b7771fb74ebf15523cf5e51bad6186

SHA512
b4b5296d99e25b1b3c9376688240140c799d09b743e7ad647e3531c7919e6df293d3b41ce4ff094f2856171179c6559f3a084766330219966693c9f2ce5cec38

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\CA4458E7366E94A3C3A9C1FE548B6D21_2D95862FBF9F4D39565F4C6134C2CFB4

MD5
c99a44420f421593106200c01b79c299

SHA1
a2fde177661d3506def1368e20151c8f8350487d

SHA256
fd95b840dcbeb435c54c41537c1164b24fb6cb273235f9a4a5cfc569f82e1431

SHA512
90e7fe22ba24ed920ce4517c5002e5e8525ad4d19c5856ee27f2bef9089567b213e5635068e39cbb10c16cc601c4f8a70ca0556a5a6b7c88bea0780e1e46c565

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\EE44ECA143B76F2B9F2A5AA75B5D1EC6_847118BE2683F0C241D1D702F3A3F5F9

MD5
41ad8dda6fb2adcd6923e1089572b309

SHA1
77468f2b7b636dbb1437d52151768e03cccd8570

SHA256
489a1594c9d0f1186b91162450f928a49063ba7926c9f651bbe5122f219f7d67

SHA512
30a191ce1db5a1d51c7778d142c17e34efe7c7300efa296bdfcbff2beb60ca24c0f2fa6d84d06c5b4b25192c52c09afe46bbbb5781d379e34d4ac1906a70374a

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\agent_launcher.exe

MD5
83e5e7729d84dba2334c136a661b8aea

SHA1
1fc0d21ca5eb2af17127cc5ee21c716eaeef3d0d

SHA256
9dca3a6cac000a6f9754a8663a2c4396d771e938191852f01a2f21f81c5a5544

SHA512
c0a1d47bbd226c8d1f8e66becdeb30ef60798e5b0399baa0f692e65918ba8b72324b8f4e0a1e216e23fc0f00d0c9f5a474e73e419167ed858622270ecc0bd0fa

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\agent_launcher.exe

MD5
83e5e7729d84dba2334c136a661b8aea

SHA1
1fc0d21ca5eb2af17127cc5ee21c716eaeef3d0d

SHA256
9dca3a6cac000a6f9754a8663a2c4396d771e938191852f01a2f21f81c5a5544

SHA512
c0a1d47bbd226c8d1f8e66becdeb30ef60798e5b0399baa0f692e65918ba8b72324b8f4e0a1e216e23fc0f00d0c9f5a474e73e419167ed858622270ecc0bd0fa

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\bddeploy.exe

MD5
3a6b22d6b024c34d6c67cbe5e0227c01

SHA1
e8b6a14853dcfc94e58a5c84e6811b7d68f440aa

SHA256
a5420672893b78be7e1bbc304611647bca8d72b9f7107fb0ad5b143ca46ae351

SHA512
1799743763c87d8df964b435bb62eb8edee167b529d0181c614bca3ca4ffbea4cb79453590382c00caadc75303ebe194ab126ad6e1695686808bae12e9752020

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\bddeploy.exe

MD5
3a6b22d6b024c34d6c67cbe5e0227c01

SHA1
e8b6a14853dcfc94e58a5c84e6811b7d68f440aa

SHA256
a5420672893b78be7e1bbc304611647bca8d72b9f7107fb0ad5b143ca46ae351

SHA512
1799743763c87d8df964b435bb62eb8edee167b529d0181c614bca3ca4ffbea4cb79453590382c00caadc75303ebe194ab126ad6e1695686808bae12e9752020

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\deploy.dll

MD5
c6bb119f9e0bee672fcecc1f8c20ee12

SHA1
8585a98ab579e643e7c8ce06eec8cde8923ab880

SHA256
ac92d5893312504a6c7d9bf7c9ed6e2ae8f66050813f44211e6ee7dc5d7d6240

SHA512
490e63c95fe7082e4a54e1bfc0ae6f1ad7b3b66b73219c5cdc56ff2e3ed0f057224e934abe3b7ff0fd34f1551b7e3d3f04c0e1b3fab903b5b4ad984cf3838b1b

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\packages\additional.dll

MD5
025f39dfb155d7e1a284fba5afb0433d

SHA1
d1f7c8daf18aa98384db663836d6ca8e97a0c9cb

SHA256
cc42be297f211d386815b43fd9cbaf1224b2bcd991922704709d1607e9ad1231

SHA512
1d359081899cb529458013dd4d866c098721bed9c6b35ea99a3b925142df44b2c0e656277d7567a82ab6fc2e9d64ce87924dfa08d0072f1dbfd98adb499ef7c5

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\packages\agentpackage.exe

MD5
9df339b85c3b946d83478316f0498f0c

SHA1
a98b48fc668c1848f20772079ea3b581761a5000

SHA256
a53fd61ef314400f2c42accd09536712278a19e9e4e06872d7b8a5f52e5197bb

SHA512
bbe86d0db42dcfd296aa7a142350882c0ef4366116027567e62484c2062cdb075dbf5599c68cb641ad26c7727ec57064d7a902e62c4c83f454f3282611d28a07

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\packages\agentpackage.exe.md5

MD5
4a98144e1d8ef3216752dad96163e291

SHA1
8bbee3cb7a5e485b053a6b353539eef8a6df5499

SHA256
d2eb0168f319a63f16063f3c3d5eed25aaa909af972d80916bd9498920738b3d

SHA512
2151bf4778b8340dac6c7ec10e406a310ecca064130f6ab3c6878250268f0af03dfdc2aba609995c6bc598243cc19c9bfc7ad72ec3cb50fed42c182da9088dbf

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\packages\bdec.dll

MD5
7a8afacf6cc99e0759b3f8c6a5ac4260

SHA1
bf860e35136aac48aa69f45f0f7f6ff1efac4f8f

SHA256
ea1c19bee7e5736e2d1b28253be1f386e14047bea30a88b9995f71b22143e107

SHA512
9bd37b31d0c086349b236d3aea9c64b6564af363426a89e25f720200106afae3b40fd12142efe0e1bd165aadf283e82cd59269abd132722394294c0d093f1898

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\packages\bdnc.client_id

MD5
d9ece779fd3a8647e1556499676f7c23

SHA1
4831f5e80dd5ba10c6dba085a3b7b1eefa4b7487

SHA256
59d0581145893b38a7725886f659f2de0936af9cb4bde0ff535499b1fed2a0b6

SHA512
d06303625f8b500e72e520b93d109658c61c4ee7221a95fae01ce72c6ec299b8946fb75712d13317024efe149cd8940930293b372b1278ef8140ae7d38315380

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\packages\bdnc.dll

MD5
5c78f5ff3da68d2e183ab0a70732a603

SHA1
d8b5b929a91f08e7370351f4953d0a79b981d298

SHA256
3d5bd5b7bbe3acb9fe4864879f91de4dcc44be69bfdaea7d9535940d365c91b2

SHA512
19edf3e927efbf7be5866622bce182e6c8ca020977938aa3fd2fe209e40dd12ad2932ef2564aa6b3d65720105c173481c2827114bf73a32786b2a3978800bfb1

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\packages\bdnc.ini

MD5
96b5e37e6494da2a8f09e98df5c58004

SHA1
dbbdd9d6dd0a685e6841efea364b547ac2172443

SHA256
dd5c7a764b9fea6f8c458d9b669b5764c46284dea68ce52b43136c4812d27fd7

SHA512
c35518b34e91dba5424e790398d9d1970bfa8baa99b164fad41b0f52b14b633e5846730a320d31f8b95d5fba9519e6a256915a71db412cc07411f6337f50610c

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\packages\bdnc.ini.md5

MD5
b0305e5ee72ba268d281996038a6ee57

SHA1
80b974606576ac0c79cc5ba4364ca883e3644728

SHA256
5ace615a54dc4c1b094e7678b4793f15ca7f413b05985c433135e132e0137e96

SHA512
a09c61e5df2b9df0512dcc1227e3d9bd5b28e029eff6fe9da5029ffbff39548e3e5df67ca2a6b9aee05d4d073ecacadee3f6bf8b6488c72f44f66322610d83e9

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\packages\data\params.json

MD5
0ea43d5f01d5312e31eda1130edf01de

SHA1
15071c48eeb1031ae5380f076fd33488920bf66e

SHA256
93aa4de5176d51e9618c44991677765203c7326679e2deeaefe19129a9d60c86

SHA512
cf14d54c2fc9d5e4015ae979abfbc3201b2b7c5b4eef29f58a3cd534328d4226cc0024aea6c580e85cf266a1760f11384fb5eecfde8c3d8359b2fdbf077dcc77

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\packages\installer.exe

MD5
c6bae9e792730109af8d49151a95993d

SHA1
3616cca9230ac0374c32bc093d4de0b15104e052

SHA256
1534eb7212c7287c12706be08a9f6b85c8ebe87502ea086fcee0f86223d3be1c

SHA512
45c6d71baa4349a4c36231dfd32421d8e3013d9a5b4bb21c403e0641a34a9b7f0ec8b429c3964535fbc1714eea164fb962727e7528f824934db940742470b46c

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\packages\installer.exe

MD5
c6bae9e792730109af8d49151a95993d

SHA1
3616cca9230ac0374c32bc093d4de0b15104e052

SHA256
1534eb7212c7287c12706be08a9f6b85c8ebe87502ea086fcee0f86223d3be1c

SHA512
45c6d71baa4349a4c36231dfd32421d8e3013d9a5b4bb21c403e0641a34a9b7f0ec8b429c3964535fbc1714eea164fb962727e7528f824934db940742470b46c

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\packages\lang\ar-SA.dll

MD5
b0b5b4962437b7c92e40a1586b7b9b26

SHA1
085d7932ee5ec28ee8b372ba8a66d6943db1b64b

SHA256
65f84eb201b4131cfae29c1fe6ae4da6bcac1aea92b5549b4778921ff536e3b3

SHA512
a8be78f4c3fa6df39bd62dd3f44699494562f01bc5252bf3a408421f4e100f6558f75cf90dc0445d6cc526063676c814183d9f8ae35c0662f48b1406af068e12

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\packages\lang\cs-CZ.dll

MD5
dd77c5ead52525733decdb387c1452c4

SHA1
806cd132ca23a308ab01be444154f928b104c324

SHA256
e48eb527ee2a32f8a249edceb1a66f055bbf573e5520e3959ea6e1ca5d48c4e5

SHA512
6d3687da957873f820c447d4f2b9dc54a865f7be7a34fc651eeb2d59b9d99ceb3ea9a4f0ba4eeda96dd7f046edc3e05add711a5d61fa5a4169eff84239935d2d

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\packages\lang\de-DE.dll

MD5
54f4801c9d3680c87efc7dedc117f5ff

SHA1
ccfdd29830f81938289403f2fd969043f3da0dad

SHA256
cf4f1c1be9452bcd8ca744dad36f3950b48d3bedbdfc6c5415ef867a954890c2

SHA512
fa4f9e3233323a42d8942d12337297f1b407850884e9e0b94a78d6e91e942bbf4bf549542404523f00e10defcfe37c2cd6ee3ae48db4c1367b9ffbf66d6c2a20

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\packages\lang\el-GR.dll

MD5
49bd8765f02c8f3f0c8e7652c18c647a

SHA1
23a4785f31697bee56dfe8aca113641262075756

SHA256
5e812b1522d9e7674b5d6e41f383d842c2460f9839e3d76231795146e62ec9c6

SHA512
a95671db151e9c67fd032d559135f73ee89fb81b10fc1a2d63b2f197a385faca78f99b696da12addfe75b5a5357c8adc4c0c2c0d49a22602122340c4cd1de40f

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\packages\lang\en-us.dll

MD5
b12cc9fdccd76f28de9baf993d97dfc0

SHA1
44615f21aa5fde260b4446a04fa020fb76454f27

SHA256
d5d2f7820aac93cb02579b500fd1fe256e163e5f6aba63f604717f6055a5dd51

SHA512
134953296fca2c76ffbaaa11b16afb719d8c613f780d1367fba7ac4da46fdefcaab8620c0ecf1c2b73c7c843060b87f48dbabaf9814d81866aada4cfeddaa1d5

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\packages\lang\es-ES.dll

MD5
544c2ef53c8829b6bb7bf85b8e0b95a9

SHA1
6addbd783b37b3f45666426a6afd5e166606a420

SHA256
e4bd63456b152d1879762514807b2a5e9b47a8be23a9aa23d18fdc680824f63b

SHA512
9f621059dc9e6a1990062027703c194843a8d91f1d85c37daa8d792a8def1d6f14d2c95382b0fa118d7e58775f4fddaade88afdcee3c5a468f5bf2625847be54

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\packages\lang\fr-FR.dll

MD5
7d2fd8aaebccd28a242120fc54ee5aec

SHA1
d060f15468611dfebcd1d4665099f2f419b53924

SHA256
b8b36c05b245323a447aea030979c441b22c3f3274a265e79c69661800257d1e

SHA512
00058627b6f3516a0e49645ca0f571aaa96ebed7ad01406a28c8ec343994034663ea16b3b9bbbe4134b0b4a5762d0c43e863fb5632659bebe7fef290f0eda5c2

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\packages\lang\hu-HU.dll

MD5
e332695c7bd1629dd8ed11ec65d2e6ab

SHA1
f42b1277a196eeac7e9a03be00aaba30428f9b31

SHA256
d9a0faad9032b8fc40777ff032f4af71afe264d4ccf581a4a8990e38fd516a95

SHA512
989bb3d8b677564fa70a249fa2c6f63836d4cad1fd3755366c886061077b661b1efc2c31f53b3c26018efca8b0914d6eb3f6e2ad602caa26cb55ab2f741ee2ae

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\packages\lang\it-IT.dll

MD5
ae26b3a6db8de0310557fb6cbfd5845c

SHA1
5b6c0a2bbb1feebe5ca053830233df4158960d39

SHA256
11f1e8d37c8da5b717dcd4a4aefc0bb26a874b1478404c3f0aaf0d8f57d68100

SHA512
5281870a37759777a8f182fc828a9acc08ebe53bb2c607f4f69b1dc5d06e774db93204001ac50765acfa70b77b8847cb9a9f56d2ff1d93ff86a525d85efa9501

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\packages\lang\ja-JP.dll

MD5
a404969e2138bd0549f733a7ec88533e

SHA1
5c78f9c5f560af47127c516e349d23c36b09ddc9

SHA256
5ade8211fe7ad65e96e706c420f3a7c866e6429ad3e1d6e70b827d349feb460a

SHA512
813c0289ba5198044626e173ebcd787ff7ab56d95a889f69c67049918d83dfcf7572a2d35e89bcf279b56e696a69d401dd63dc13e883b00ba527e6426b4486a9

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\packages\lang\ko-KR.dll

MD5
4b04a0844541fde5983a746eaf83e5f4

SHA1
093b840007f6ccdf26b8c38dcb84effff88a3331

SHA256
91b112bfad92e037b336df927c8ec3ad20fb3ad1112d2e22aae190fa57034750

SHA512
e0b5b72010e23f58a4a69f298963be785fe1f487cc98d67485372d8abfcc9d678a48a504f5412997e1b0c6d17afc79b374a6eec412054e047f4f0373cfe25405

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\packages\lang\ltr\resources.dll

MD5
7ad4aad18ec0256c4433175574a52e99

SHA1
3e81d026748e380a6f0abd5ae16c8611a48b264f

SHA256
09bd66be6b0102a045941204411d5fda2d840f2f0fafb9991a5b5425babf6f7f

SHA512
287fb50360f89bcd18f3d7cf44d39281c23fa55ac3e0dcc645b44b478789c07d9b7592eed17408028fe8ff4e06929ed8bbb09c5e556570de6a36b78799027465

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\packages\lang\nl-NL.dll

MD5
c7d5e436c8b90d233a15badeabcda8f9

SHA1
6478d008378e8cf46c779fcbc8a643eefd08d3a7

SHA256
3f4b8a77f529483265199d1804eb0ae770ee18bcf3dd2d176ce405cd77f3749c

SHA512
18c91b2c0ed4f7838d5e18bd4c710b2f269eddac0ee42f41143dcf1186aa736b35592605be7cdb6df6a2d9fd7bbdf8f069af9b3d938d09c93fc70ddac0f57599

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\packages\productagentdp.dll

MD5
15bf97f8068d55cf2e10d3ad4249acaf

SHA1
bc728ed18612228f5615b31b70c2aee1c998f4a6

SHA256
91c30106ba4dcbe94b157b230942adaf5e9c41963aa40af61b599a8d08d79287

SHA512
6548f7be052e9ffdbbe3d3cbed64a2ce047b9de36f9d4ba3354ca9a159a2d896d778b92ea5d32cf8d4353da9eafaa7fd09c6d2c12bdefcd0067b89c899cf7683

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\packages\sciter.dll

MD5
3f0d0f2e9fbe0e7ce13c32ba5ab2d97f

SHA1
fbc93adf50682e997c90828f1a74390867942a18

SHA256
34ad9b28ec210b66a2459faa0f75436a152ef1011fe52a3321cf3d8b1c8ba80b

SHA512
67cbf9873104072b432dec68742b572818eaff8e9fb9921d3c2d9587b765cbaa0deab139e97fa8a9308b79a0c944ce66858d6175bb40c66491f6a09131a916c1

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\packages\setuppackage.exe

MD5
9897e1c9764cdf61e47cf6be86ac7553

SHA1
65dc4367143ef1cfe4743fc0375408f5c3aedab6

SHA256
3812b6e6804aa33959a8e4249f9a43549affbb0ba31dd6781f32eecca290dc50

SHA512
b05c58b04d466a3575b46967c244fa90220cdfd713d8e5cb2f07cd1af1e1212645b8ee901ff350c109d93da88f272f2b85b3e999cae82e4dc9ed705893279ffe

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\packages\setuppackage.exe

MD5
9897e1c9764cdf61e47cf6be86ac7553

SHA1
65dc4367143ef1cfe4743fc0375408f5c3aedab6

SHA256
3812b6e6804aa33959a8e4249f9a43549affbb0ba31dd6781f32eecca290dc50

SHA512
b05c58b04d466a3575b46967c244fa90220cdfd713d8e5cb2f07cd1af1e1212645b8ee901ff350c109d93da88f272f2b85b3e999cae82e4dc9ed705893279ffe

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\packages\setuppackage.exe.md5

MD5
532fb2cc2e2cedee12a4b7f8f8beea34

SHA1
7d31c5c7d4469c6877d4fa309211380b15ac98c5

SHA256
ca68a86c3ca580dadb174e58185a67d929d7dc3744961070ddd9e1dc6cd03cfe

SHA512
559511f291a2e9134a62b26048667985ea0cea9710ea02de7e2770ee996ff461aad3c0dbca08a8ef7d439b6fe5eafe774c3f6c457b049e5ef71256f811ead52d

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\packages\unrar.dll

MD5
ae9c5338d8495eea829e79799cea0357

SHA1
3491d6c2ce04f49b92b3eb424148432fb179bcdb

SHA256
799232852e8813bcbf846e3d78abfbddf62eb59a639f0a74350a738204e5ab91

SHA512
452c39a89023e840a095d2ef754712d61e1c02e5f7f1ab52958e2ee4359f06f9f3055901ddf9318c0fe771e31a62c354f6bbcd8065c61ff4563f71afc3660d46

Download Submit
\Program Files\Bitdefender Agent\log.dll

MD5
7010cccbbb1377ee32b978da143914c9

SHA1
1a96b533de59b49903a408273afad40b315e04e7

SHA256
0016743863fa01f760f57f19dc57b0fc037df0a64f33b6c04e5a404186403b8d

SHA512
a67f08aee46395246f6c6b1939fcdda05cd42f1f817629c10428373b17964127a14197837e06e9c2b5b62adeacb69efe457c86f8382db9e3b271441a3818c08a

Download Submit
\Program Files\Bitdefender Agent\log.dll

MD5
7010cccbbb1377ee32b978da143914c9

SHA1
1a96b533de59b49903a408273afad40b315e04e7

SHA256
0016743863fa01f760f57f19dc57b0fc037df0a64f33b6c04e5a404186403b8d

SHA512
a67f08aee46395246f6c6b1939fcdda05cd42f1f817629c10428373b17964127a14197837e06e9c2b5b62adeacb69efe457c86f8382db9e3b271441a3818c08a

Download Submit
\Program Files\Bitdefender Agent\log.dll

MD5
7010cccbbb1377ee32b978da143914c9

SHA1
1a96b533de59b49903a408273afad40b315e04e7

SHA256
0016743863fa01f760f57f19dc57b0fc037df0a64f33b6c04e5a404186403b8d

SHA512
a67f08aee46395246f6c6b1939fcdda05cd42f1f817629c10428373b17964127a14197837e06e9c2b5b62adeacb69efe457c86f8382db9e3b271441a3818c08a

Download Submit
\Program Files\Bitdefender Agent\log.dll

MD5
7010cccbbb1377ee32b978da143914c9

SHA1
1a96b533de59b49903a408273afad40b315e04e7

SHA256
0016743863fa01f760f57f19dc57b0fc037df0a64f33b6c04e5a404186403b8d

SHA512
a67f08aee46395246f6c6b1939fcdda05cd42f1f817629c10428373b17964127a14197837e06e9c2b5b62adeacb69efe457c86f8382db9e3b271441a3818c08a

Download Submit
\Users\Admin\AppData\Local\Temp\RarSFX0\packages\ProductAgentDP.dll

MD5
15bf97f8068d55cf2e10d3ad4249acaf

SHA1
bc728ed18612228f5615b31b70c2aee1c998f4a6

SHA256
91c30106ba4dcbe94b157b230942adaf5e9c41963aa40af61b599a8d08d79287

SHA512
6548f7be052e9ffdbbe3d3cbed64a2ce047b9de36f9d4ba3354ca9a159a2d896d778b92ea5d32cf8d4353da9eafaa7fd09c6d2c12bdefcd0067b89c899cf7683

Download Submit
\Users\Admin\AppData\Local\Temp\RarSFX0\packages\additional.dll

MD5
025f39dfb155d7e1a284fba5afb0433d

SHA1
d1f7c8daf18aa98384db663836d6ca8e97a0c9cb

SHA256
cc42be297f211d386815b43fd9cbaf1224b2bcd991922704709d1607e9ad1231

SHA512
1d359081899cb529458013dd4d866c098721bed9c6b35ea99a3b925142df44b2c0e656277d7567a82ab6fc2e9d64ce87924dfa08d0072f1dbfd98adb499ef7c5

Download Submit
\Users\Admin\AppData\Local\Temp\RarSFX0\packages\additional.dll

MD5
025f39dfb155d7e1a284fba5afb0433d

SHA1
d1f7c8daf18aa98384db663836d6ca8e97a0c9cb

SHA256
cc42be297f211d386815b43fd9cbaf1224b2bcd991922704709d1607e9ad1231

SHA512
1d359081899cb529458013dd4d866c098721bed9c6b35ea99a3b925142df44b2c0e656277d7567a82ab6fc2e9d64ce87924dfa08d0072f1dbfd98adb499ef7c5

Download Submit
\Users\Admin\AppData\Local\Temp\RarSFX0\packages\additional.dll

MD5
025f39dfb155d7e1a284fba5afb0433d

SHA1
d1f7c8daf18aa98384db663836d6ca8e97a0c9cb

SHA256
cc42be297f211d386815b43fd9cbaf1224b2bcd991922704709d1607e9ad1231

SHA512
1d359081899cb529458013dd4d866c098721bed9c6b35ea99a3b925142df44b2c0e656277d7567a82ab6fc2e9d64ce87924dfa08d0072f1dbfd98adb499ef7c5

Download Submit
\Users\Admin\AppData\Local\Temp\RarSFX0\packages\lang\en-US.dll

MD5
b12cc9fdccd76f28de9baf993d97dfc0

SHA1
44615f21aa5fde260b4446a04fa020fb76454f27

SHA256
d5d2f7820aac93cb02579b500fd1fe256e163e5f6aba63f604717f6055a5dd51

SHA512
134953296fca2c76ffbaaa11b16afb719d8c613f780d1367fba7ac4da46fdefcaab8620c0ecf1c2b73c7c843060b87f48dbabaf9814d81866aada4cfeddaa1d5

Download Submit
\Users\Admin\AppData\Local\Temp\RarSFX0\packages\lang\en-US.dll

MD5
b12cc9fdccd76f28de9baf993d97dfc0

SHA1
44615f21aa5fde260b4446a04fa020fb76454f27

SHA256
d5d2f7820aac93cb02579b500fd1fe256e163e5f6aba63f604717f6055a5dd51

SHA512
134953296fca2c76ffbaaa11b16afb719d8c613f780d1367fba7ac4da46fdefcaab8620c0ecf1c2b73c7c843060b87f48dbabaf9814d81866aada4cfeddaa1d5

Download Submit
\Users\Admin\AppData\Local\Temp\RarSFX0\packages\lang\en-US.dll

MD5
b12cc9fdccd76f28de9baf993d97dfc0

SHA1
44615f21aa5fde260b4446a04fa020fb76454f27

SHA256
d5d2f7820aac93cb02579b500fd1fe256e163e5f6aba63f604717f6055a5dd51

SHA512
134953296fca2c76ffbaaa11b16afb719d8c613f780d1367fba7ac4da46fdefcaab8620c0ecf1c2b73c7c843060b87f48dbabaf9814d81866aada4cfeddaa1d5

Download Submit
\Users\Admin\AppData\Local\Temp\RarSFX0\packages\lang\en-US.dll

MD5
b12cc9fdccd76f28de9baf993d97dfc0

SHA1
44615f21aa5fde260b4446a04fa020fb76454f27

SHA256
d5d2f7820aac93cb02579b500fd1fe256e163e5f6aba63f604717f6055a5dd51

SHA512
134953296fca2c76ffbaaa11b16afb719d8c613f780d1367fba7ac4da46fdefcaab8620c0ecf1c2b73c7c843060b87f48dbabaf9814d81866aada4cfeddaa1d5

Download Submit
\Users\Admin\AppData\Local\Temp\RarSFX0\packages\lang\ltr\resources.dll

MD5
7ad4aad18ec0256c4433175574a52e99

SHA1
3e81d026748e380a6f0abd5ae16c8611a48b264f

SHA256
09bd66be6b0102a045941204411d5fda2d840f2f0fafb9991a5b5425babf6f7f

SHA512
287fb50360f89bcd18f3d7cf44d39281c23fa55ac3e0dcc645b44b478789c07d9b7592eed17408028fe8ff4e06929ed8bbb09c5e556570de6a36b78799027465

Download Submit
\Users\Admin\AppData\Local\Temp\RarSFX0\packages\lang\ltr\resources.dll

MD5
7ad4aad18ec0256c4433175574a52e99

SHA1
3e81d026748e380a6f0abd5ae16c8611a48b264f

SHA256
09bd66be6b0102a045941204411d5fda2d840f2f0fafb9991a5b5425babf6f7f

SHA512
287fb50360f89bcd18f3d7cf44d39281c23fa55ac3e0dcc645b44b478789c07d9b7592eed17408028fe8ff4e06929ed8bbb09c5e556570de6a36b78799027465

Download Submit
\Users\Admin\AppData\Local\Temp\RarSFX0\packages\sciter.dll

MD5
3f0d0f2e9fbe0e7ce13c32ba5ab2d97f

SHA1
fbc93adf50682e997c90828f1a74390867942a18

SHA256
34ad9b28ec210b66a2459faa0f75436a152ef1011fe52a3321cf3d8b1c8ba80b

SHA512
67cbf9873104072b432dec68742b572818eaff8e9fb9921d3c2d9587b765cbaa0deab139e97fa8a9308b79a0c944ce66858d6175bb40c66491f6a09131a916c1

Download Submit
\Users\Admin\AppData\Local\Temp\RarSFX0\packages\unrar.dll

MD5
ae9c5338d8495eea829e79799cea0357

SHA1
3491d6c2ce04f49b92b3eb424148432fb179bcdb

SHA256
799232852e8813bcbf846e3d78abfbddf62eb59a639f0a74350a738204e5ab91

SHA512
452c39a89023e840a095d2ef754712d61e1c02e5f7f1ab52958e2ee4359f06f9f3055901ddf9318c0fe771e31a62c354f6bbcd8065c61ff4563f71afc3660d46

Download Submit
\Users\Admin\AppData\Local\Temp\RarSFX0\packages\unrar.dll

MD5
ae9c5338d8495eea829e79799cea0357

SHA1
3491d6c2ce04f49b92b3eb424148432fb179bcdb

SHA256
799232852e8813bcbf846e3d78abfbddf62eb59a639f0a74350a738204e5ab91

SHA512
452c39a89023e840a095d2ef754712d61e1c02e5f7f1ab52958e2ee4359f06f9f3055901ddf9318c0fe771e31a62c354f6bbcd8065c61ff4563f71afc3660d46

Download Submit
\Users\Admin\AppData\Local\Temp\RarSFX0\packages\unrar.dll

MD5
ae9c5338d8495eea829e79799cea0357

SHA1
3491d6c2ce04f49b92b3eb424148432fb179bcdb

SHA256
799232852e8813bcbf846e3d78abfbddf62eb59a639f0a74350a738204e5ab91

SHA512
452c39a89023e840a095d2ef754712d61e1c02e5f7f1ab52958e2ee4359f06f9f3055901ddf9318c0fe771e31a62c354f6bbcd8065c61ff4563f71afc3660d46

Download Submit
memory/428-205-0x0000000075100000-0x00000000751D0000-memory.dmp

Filesize
832KB

Download
memory/428-200-0x0000000000000000-mapping.dmp

Download
memory/428-203-0x0000000075100000-0x00000000751D0000-memory.dmp

Filesize
832KB

Download
memory/428-201-0x000000006D100000-0x000000006D110000-memory.dmp

Filesize
64KB

Download
memory/432-213-0x0000000000000000-mapping.dmp

Download
memory/744-216-0x0000000000000000-mapping.dmp

Download
memory/776-206-0x0000000000000000-mapping.dmp

Download
memory/800-215-0x0000000000000000-mapping.dmp

Download
memory/1144-170-0x0000000000000000-mapping.dmp

Download
memory/1344-173-0x0000000000000000-mapping.dmp

Download
memory/1516-214-0x0000000000000000-mapping.dmp

Download
memory/1572-134-0x0000000000000000-mapping.dmp

Download
memory/1996-121-0x0000000000000000-mapping.dmp

Download
memory/1996-124-0x00000000005E0000-0x00000000005E1000-memory.dmp

Filesize
4KB

Download
memory/1996-123-0x00000000005E0000-0x00000000005E1000-memory.dmp

Filesize
4KB

Download
memory/2060-217-0x0000000000000000-mapping.dmp

Download
memory/2088-167-0x0000000000000000-mapping.dmp

Download
memory/2168-207-0x0000000000000000-mapping.dmp

Download
memory/2168-209-0x00007FFA25A40000-0x00007FFA25AEE000-memory.dmp

Filesize
696KB

Download
memory/2168-208-0x00007FF9E5A40000-0x00007FF9E5A50000-memory.dmp

Filesize
64KB

Download
memory/2204-193-0x0000000000000000-mapping.dmp

Download
memory/2204-194-0x000000006D100000-0x000000006D110000-memory.dmp

Filesize
64KB

Download
memory/2252-157-0x0000000000000000-mapping.dmp

Download
memory/2936-196-0x0000000000000000-mapping.dmp

Download
memory/3028-210-0x0000000000000000-mapping.dmp

Download
memory/3028-211-0x00007FF9E5A40000-0x00007FF9E5A50000-memory.dmp

Filesize
64KB

Download
memory/3028-212-0x00007FFA25A40000-0x00007FFA25AEE000-memory.dmp

Filesize
696KB

Download
memory/3164-219-0x000000006D100000-0x000000006D110000-memory.dmp

Filesize
64KB

Download
memory/3164-218-0x0000000000000000-mapping.dmp

Download
memory/3328-195-0x0000000075100000-0x00000000751D0000-memory.dmp

Filesize
832KB

Download
memory/3488-197-0x0000000000000000-mapping.dmp

Download
memory/3744-199-0x0000000000000000-mapping.dmp

Download
memory/3776-115-0x0000000000000000-mapping.dmp

Download
memory/3776-118-0x0000000000410000-0x0000000000411000-memory.dmp

Filesize
4KB

Download
memory/3776-117-0x0000000000410000-0x0000000000411000-memory.dmp

Filesize
4KB

Download
memory/4072-139-0x000000006D100000-0x000000006D110000-memory.dmp

Filesize
64KB

Download
memory/4072-136-0x0000000000000000-mapping.dmp

Download