ba580f566eff785f741c99a84877b6e867b8805210c91205b5bcd21a59fa7aeb

Resubmissions

08-08-2024 23:22

240808-3c2frswcmh 6

08-08-2024 18:12

240808-wte6jaxanr 10

Analysis

max time kernel
1800s
max time network
1801s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
08-08-2024 18:12

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

bitdefender_avfree.exe
Size

14.1MB
MD5

fd1e2d74ee69d385ffe392de738a09a8
SHA1

cffdc38420d50f6d2672fc5c9c3267f12b8d08b8
SHA256

ba580f566eff785f741c99a84877b6e867b8805210c91205b5bcd21a59fa7aeb
SHA512

94352897ab620e1970ab895bc5372ddf188ef2d2878965b2ff54efbfc61ff5a15019fa6f96bebc7142a997ce625c6d6e3685aa972fbff2c18627fc7fc0e55890
SSDEEP

393216:eVyaXw17m887vq+vb7fmBWASpNuGNvHqmbeQ:yyaA17mfq+vb6WAooixf

Score

6^/10

discovery

Malware Config

Signatures

Downloads MZ/PE file

Checks computer location settings 2 TTPs 3 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\Control Panel\International\Geo\Nation	bitdefender_avfree.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\Control Panel\International\Geo\Nation	agent_launcher.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\Control Panel\International\Geo\Nation	hpi55B.tmp

Drops file in System32 directory 8 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache	ProductAgentService.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData	ProductAgentService.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\C8E534EE129F27D55460CE17FD628216_1130D9B25898B0DB0D4F04DC5B93F141	ProductAgentService.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content	ProductAgentService.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\C8E534EE129F27D55460CE17FD628216_1130D9B25898B0DB0D4F04DC5B93F141	ProductAgentService.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\8EC9B1D0ABBD7F98B401D425828828CE_8A3EB3B0E837053838683939C2047254	ProductAgentService.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\8EC9B1D0ABBD7F98B401D425828828CE_8A3EB3B0E837053838683939C2047254	ProductAgentService.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft	ProductAgentService.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Bitdefender Agent\27.0.1.266\sciter.dll	installer.exe
File opened for modification	C:\Program Files\Bitdefender Agent\27.0.1.266\skin\images\down-arrow.svg	installer.exe
File opened for modification	C:\Program Files\Bitdefender Agent\27.0.1.266\skin\img\icons\camera-popup-icon.svg	installer.exe
File created	C:\Program Files\Common Files\Bitdefender\SetupInformation\CL-27-79C1C6DC-7FFA-4809-9643-C1A4246C6931\temp\params.json	installer.exe
File opened for modification	C:\Program Files\Bitdefender Agent\27.0.1.266\lang\es-ES	installer.exe
File created	C:\Program Files\Bitdefender Agent\27.0.1.266\lang\sv-SE\productagentui.txtui	installer.exe
File opened for modification	C:\Program Files\Bitdefender Agent\27.0.1.266\skin\images\icon-win.svg	installer.exe
File created	C:\Program Files\Bitdefender Agent\27.0.1.266\skin\images_2\common\icon_informative.svg	installer.exe
File created	C:\Program Files\Bitdefender Agent\27.0.1.266\x64\log.dll	installer.exe
File created	C:\Program Files\Bitdefender Agent\27.0.1.266\installer\setuppackage.exe	installer.exe
File created	C:\Program Files\Bitdefender Agent\27.0.1.266\bdicon.ico	installer.exe
File opened for modification	C:\Program Files\Bitdefender Agent\27.0.1.266\skin\images\icon-gg.svg	installer.exe
File opened for modification	C:\Program Files\Bitdefender Agent\27.0.1.266\skin\images\loader.png	installer.exe
File created	C:\Program Files\Common Files\Bitdefender\SetupInformation\CL-27-79C1C6DC-7FFA-4809-9643-C1A4246C6931\trufos.cat	installer.exe
File created	C:\Program Files\Bitdefender Agent\27.0.1.266\lang\tr-TR\productagentui.txtui	installer.exe
File created	C:\Program Files\Bitdefender Agent\27.0.1.266\lang\vi-VN\productagentui.txtui	installer.exe
File opened for modification	C:\Program Files\Bitdefender Agent\27.0.1.266\skin\images\logo-shadow.png	installer.exe
File created	C:\Program Files\Bitdefender Agent\27.0.1.266\installer\bdnc.ini	installer.exe
File created	C:\Program Files\Bitdefender Agent\27.0.1.266\installer\lang\ko-KR.txtui	installer.exe
File opened for modification	C:\Program Files\Bitdefender Agent\27.0.1.266\lang\ru-RU	installer.exe
File created	C:\Program Files\Bitdefender Agent\27.0.1.266\skin\images_2\common\status_red.svg	installer.exe
File opened for modification	C:\Program Files\Bitdefender Agent\27.0.1.266\skin\html\Agent\login2_error.html	installer.exe
File created	C:\Program Files\Bitdefender Agent\27.0.1.266\skin\images\minimize.svg	installer.exe
File opened for modification	C:\Program Files\Bitdefender Agent\27.0.1.266\skin\images\success.svg	installer.exe
File opened for modification	C:\Program Files\Bitdefender Agent\27.0.1.266\skin\images_2\common\minimize_hover.svg	installer.exe
File created	C:\Program Files\Bitdefender Agent\ProductAgentUI.exe	installer.exe
File created	C:\Program Files\Bitdefender Agent\27.0.1.266\installer\lang\pl-PL.txtui	installer.exe
File created	C:\Program Files\Bitdefender Agent\27.0.1.266\installer\lang\th-TH.txtui	installer.exe
File opened for modification	C:\Program Files\Bitdefender Agent\27.0.1.266\skin\images\open.svg	installer.exe
File created	C:\Program Files\Bitdefender Agent\27.0.1.266\skin\images_2\common\close.svg	installer.exe
File created	C:\Program Files\Common Files\Bitdefender\SetupInformation\CL-27-79C1C6DC-7FFA-4809-9643-C1A4246C6931\lang\ko-KR.txtui	installer.exe
File created	C:\Program Files\Bitdefender Agent\27.0.1.266\bdch_bdec.ini	installer.exe
File opened for modification	C:\Program Files\Bitdefender Agent\27.0.1.266\settings\UPNPService.xml	installer.exe
File opened for modification	C:\Program Files\Bitdefender Agent\27.0.1.266\skin\images\show-pass-checked.svg	installer.exe
File created	C:\Program Files\Bitdefender Agent\27.0.1.266\skin\images_2\common\bdui_progress_bgr_black.png	installer.exe
File created	C:\Program Files\Bitdefender Agent\27.0.1.266\skin\images_2\common\load_medium.png	installer.exe
File created	C:\Program Files\Bitdefender Agent\27.0.1.266\storage\modules_cache.json	ProductAgentService.exe
File opened for modification	C:\Program Files\Bitdefender Agent\27.0.1.266\iservconfig.dll	installer.exe
File created	C:\Program Files\Bitdefender Agent\27.0.1.266\skin\images_2\common\bitdefender_logo.svg	installer.exe
File created	C:\Program Files\Bitdefender Agent\27.0.1.266\installer\lang\en-US.txtui	installer.exe
File created	C:\Program Files\Bitdefender Agent\27.0.1.266\installer\lang\ru-RU.txtui	installer.exe
File opened for modification	C:\Program Files\Bitdefender Agent\27.0.1.266\bdnc.ini	installer.exe
File created	C:\Program Files\Bitdefender Agent\27.0.1.266\bdnc.ini.md5	installer.exe
File opened for modification	C:\Program Files\Bitdefender Agent\27.0.1.266\skin\images_2\common\bitdefender_logo.svg	installer.exe
File opened for modification	C:\Program Files\Bitdefender Agent\settings	installer.exe
File created	C:\Program Files\Common Files\Bitdefender\SetupInformation\CL-27-79C1C6DC-7FFA-4809-9643-C1A4246C6931\bdnc.dll	installer.exe
File opened for modification	C:\Program Files\Bitdefender Agent\27.0.1.266\DiscoverySrv.exe	installer.exe
File created	C:\Program Files\Bitdefender Agent\27.0.1.266\installer\lang\tr-TR.txtui	installer.exe
File opened for modification	C:\Program Files\Bitdefender Agent\27.0.1.266\lang\nl-NL\productagentui.txtui	installer.exe
File opened for modification	C:\Program Files\Bitdefender Agent\27.0.1.266\lang\pl-PL\productagentui.txtui	installer.exe
File opened for modification	C:\Program Files\Bitdefender Agent\27.0.1.266\ui	installer.exe
File created	C:\Program Files\Bitdefender Agent\redline\bdredline.conf	installer.exe
File created	C:\Program Files\Bitdefender Agent\27.0.1.266\installer\lang\fr-FR.txtui	installer.exe
File opened for modification	C:\Program Files\Bitdefender Agent\27.0.1.266\skin\css\main.ui.css	installer.exe
File opened for modification	C:\Program Files\Bitdefender Agent\27.0.1.266\skin\images\common\systray\bdicon.ico	installer.exe
File opened for modification	C:\Program Files\Bitdefender Agent\27.0.1.266\skin\images_2\common\close_hover.svg	installer.exe
File created	C:\Program Files\Common Files\Bitdefender\SetupInformation\CL-27-79C1C6DC-7FFA-4809-9643-C1A4246C6931\lang\cs-CZ.txtui	installer.exe
File created	C:\Program Files\Common Files\Bitdefender\SetupInformation\CL-27-79C1C6DC-7FFA-4809-9643-C1A4246C6931\unrar.dll	installer.exe
File opened for modification	C:\Program Files\Bitdefender Agent\27.0.1.266\lang\pt-PT\productagentui.txtui	installer.exe
File opened for modification	C:\Program Files\Bitdefender Agent\27.0.1.266\settings\ProductAgent.json	installer.exe
File opened for modification	C:\Program Files\Bitdefender Agent\27.0.1.266\skin\html\Agent	installer.exe
File opened for modification	C:\Program Files\Bitdefender Agent\27.0.1.266\skin\img\icon-warn.svg	installer.exe
File created	C:\Program Files\Bitdefender Agent\27.0.1.266\installer\bdnc.client_id	installer.exe
File opened for modification	C:\Program Files\Bitdefender Agent\27.0.1.266\skin\images\close.svg	installer.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File created	C:\Windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\UPnP Device Host\upnphost\udhisapi.dll	svchost.exe
File opened for modification	C:\Windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\UPnP Device Host\upnphost\udhisapi.dll	svchost.exe

Executes dropped EXE 18 IoCs

pid	Process
2384	agent_launcher.exe
2688	bddeploy.exe
2132	setuppackage.exe
2832	installer.exe
3788	ProductAgentService.exe
4940	bdredline.exe
1220	ProductAgentService.exe
404	ProductAgentService.exe
2436	ProductAgentService.exe
4500	ProductAgentService.exe
468	DiscoverySrv.exe
968	DiscoverySrv.exe
964	ProductAgentService.exe
2144	ProductAgentUI.exe
1632	WatchDog.exe
4916	hpi55B.tmp
1736	installer.exe
4252	Installer.exe

Loads dropped DLL 64 IoCs

pid	Process
2832	installer.exe
2832	installer.exe
2832	installer.exe
2832	installer.exe
2832	installer.exe
3788	ProductAgentService.exe
3788	ProductAgentService.exe
2832	installer.exe
2832	installer.exe
4940	bdredline.exe
1220	ProductAgentService.exe
1220	ProductAgentService.exe
1220	ProductAgentService.exe
1220	ProductAgentService.exe
404	ProductAgentService.exe
404	ProductAgentService.exe
404	ProductAgentService.exe
404	ProductAgentService.exe
2436	ProductAgentService.exe
2436	ProductAgentService.exe
2832	installer.exe
2436	ProductAgentService.exe
2436	ProductAgentService.exe
2832	installer.exe
2436	ProductAgentService.exe
4500	ProductAgentService.exe
4500	ProductAgentService.exe
4500	ProductAgentService.exe
468	DiscoverySrv.exe
468	DiscoverySrv.exe
1508	regsvr32.exe
4500	ProductAgentService.exe
4500	ProductAgentService.exe
4500	ProductAgentService.exe
4500	ProductAgentService.exe
4500	ProductAgentService.exe
4500	ProductAgentService.exe
4500	ProductAgentService.exe
4500	ProductAgentService.exe
4500	ProductAgentService.exe
4500	ProductAgentService.exe
968	DiscoverySrv.exe
968	DiscoverySrv.exe
968	DiscoverySrv.exe
2832	installer.exe
4500	ProductAgentService.exe
4500	ProductAgentService.exe
964	ProductAgentService.exe
964	ProductAgentService.exe
964	ProductAgentService.exe
964	ProductAgentService.exe
2144	ProductAgentUI.exe
2144	ProductAgentUI.exe
2144	ProductAgentUI.exe
2144	ProductAgentUI.exe
1632	WatchDog.exe
1632	WatchDog.exe
1736	installer.exe
1736	installer.exe
1736	installer.exe
1736	installer.exe
1736	installer.exe
1736	installer.exe
1736	installer.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 18 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	bddeploy.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	installer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DiscoverySrv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	regsvr32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	hpi55B.tmp
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	setuppackage.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ProductAgentService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ProductAgentUI.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WatchDog.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	bdredline.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ProductAgentService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ProductAgentService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ProductAgentService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	bitdefender_avfree.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	agent_launcher.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ProductAgentService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ProductAgentService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DiscoverySrv.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	ProductAgentService.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	ProductAgentService.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Software\Bitdefender\Bdch	bdredline.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs	DiscoverySrv.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	DiscoverySrv.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	DiscoverySrv.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	WatchDog.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates	ProductAgentService.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates	ProductAgentService.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs	WatchDog.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs	DiscoverySrv.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs	WatchDog.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates	DiscoverySrv.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	DiscoverySrv.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs	ProductAgentService.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot	ProductAgentService.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	ProductAgentService.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	ProductAgentUI.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs	ProductAgentUI.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates	WatchDog.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates	DiscoverySrv.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs	DiscoverySrv.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs	DiscoverySrv.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates	ProductAgentUI.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs	ProductAgentUI.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs	WatchDog.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates	DiscoverySrv.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs	DiscoverySrv.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	WatchDog.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Bitdefender	bdredline.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs	DiscoverySrv.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates	DiscoverySrv.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs	DiscoverySrv.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Bitdefender\Bdch\productagentui	ProductAgentUI.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	DiscoverySrv.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates	DiscoverySrv.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs	ProductAgentUI.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates	ProductAgentService.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates	DiscoverySrv.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates	DiscoverySrv.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs	DiscoverySrv.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs	ProductAgentService.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates	DiscoverySrv.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs	ProductAgentUI.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	ProductAgentUI.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	DiscoverySrv.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs	DiscoverySrv.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	DiscoverySrv.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs	ProductAgentUI.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	WatchDog.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs	DiscoverySrv.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	DiscoverySrv.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates	ProductAgentUI.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs	ProductAgentUI.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs	WatchDog.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates	DiscoverySrv.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	ProductAgentService.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	DiscoverySrv.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates	WatchDog.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs	DiscoverySrv.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates	DiscoverySrv.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs	DiscoverySrv.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs	DiscoverySrv.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs	ProductAgentService.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs	ProductAgentService.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs	ProductAgentService.exe

Modifies registry class 44 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CB23A858-ED47-425B-AAD2-D809C11E1DA6}\ProgID	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CB23A858-ED47-425B-AAD2-D809C11E1DA6}\TypeLib	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{D19631EE-4E47-4BA9-BA2E-C5FF909E2C61}\1.0\FLAGS	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{D19631EE-4E47-4BA9-BA2E-C5FF909E2C61}\1.0\0\win32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{D19631EE-4E47-4BA9-BA2E-C5FF909E2C61}\1.0\0\win32\ = "C:\\Program Files\\Bitdefender Agent\\27.0.1.266\\DiscoveryComp.dll"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{753FDF26-44A2-47B5-B65E-2E207BD5BC0C}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{753FDF26-44A2-47B5-B65E-2E207BD5BC0C}\TypeLib	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{753FDF26-44A2-47B5-B65E-2E207BD5BC0C}\ProxyStubClsid32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{753FDF26-44A2-47B5-B65E-2E207BD5BC0C}\TypeLib\Version = "1.0"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\ProductAgent.UPNPDevice.1\CLSID\ = "{CB23A858-ED47-425B-AAD2-D809C11E1DA6}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CB23A858-ED47-425B-AAD2-D809C11E1DA6}\Programmable	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{D19631EE-4E47-4BA9-BA2E-C5FF909E2C61}\1.0\HELPDIR\ = "C:\\Program Files\\Bitdefender Agent\\27.0.1.266"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{753FDF26-44A2-47B5-B65E-2E207BD5BC0C}\TypeLib\ = "{D19631EE-4E47-4BA9-BA2E-C5FF909E2C61}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{753FDF26-44A2-47B5-B65E-2E207BD5BC0C}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{753FDF26-44A2-47B5-B65E-2E207BD5BC0C}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CB23A858-ED47-425B-AAD2-D809C11E1DA6}\ = "UPNPDevice Class"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CB23A858-ED47-425B-AAD2-D809C11E1DA6}\VersionIndependentProgID	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{D19631EE-4E47-4BA9-BA2E-C5FF909E2C61}\1.0\ = "ProductAgent UPNP Service Type Library"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{753FDF26-44A2-47B5-B65E-2E207BD5BC0C}\TypeLib\Version = "1.0"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\ProductAgent.UPNPDevice\CurVer	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{D19631EE-4E47-4BA9-BA2E-C5FF909E2C61}\1.0\HELPDIR	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{753FDF26-44A2-47B5-B65E-2E207BD5BC0C}\ProxyStubClsid32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{753FDF26-44A2-47B5-B65E-2E207BD5BC0C}\ = "IUPnPService_SCPD"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{753FDF26-44A2-47B5-B65E-2E207BD5BC0C}\TypeLib	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\ProductAgent.UPNPDevice\CurVer\ = "ProductAgent.UPNPDevice.1"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CB23A858-ED47-425B-AAD2-D809C11E1DA6}\TypeLib\ = "{D19631EE-4E47-4BA9-BA2E-C5FF909E2C61}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{D19631EE-4E47-4BA9-BA2E-C5FF909E2C61}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{753FDF26-44A2-47B5-B65E-2E207BD5BC0C}\ = "IUPnPService_SCPD"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{753FDF26-44A2-47B5-B65E-2E207BD5BC0C}\TypeLib\ = "{D19631EE-4E47-4BA9-BA2E-C5FF909E2C61}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\ProductAgent.UPNPDevice	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CB23A858-ED47-425B-AAD2-D809C11E1DA6}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CB23A858-ED47-425B-AAD2-D809C11E1DA6}\InprocServer32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CB23A858-ED47-425B-AAD2-D809C11E1DA6}\InprocServer32\ = "C:\\Program Files\\Bitdefender Agent\\27.0.1.266\\DiscoveryComp.dll"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{D19631EE-4E47-4BA9-BA2E-C5FF909E2C61}\1.0	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\ProductAgent.UPNPDevice.1\ = "UPNPDevice Class"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\ProductAgent.UPNPDevice\ = "UPNPDevice Class"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{D19631EE-4E47-4BA9-BA2E-C5FF909E2C61}\1.0\FLAGS\ = "0"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\ProductAgent.UPNPDevice.1	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\ProductAgent.UPNPDevice.1\CLSID	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CB23A858-ED47-425B-AAD2-D809C11E1DA6}\ProgID\ = "ProductAgent.UPNPDevice.1"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CB23A858-ED47-425B-AAD2-D809C11E1DA6}\VersionIndependentProgID\ = "ProductAgent.UPNPDevice"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CB23A858-ED47-425B-AAD2-D809C11E1DA6}\InprocServer32\ThreadingModel = "Free"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{D19631EE-4E47-4BA9-BA2E-C5FF909E2C61}\1.0\0	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{753FDF26-44A2-47B5-B65E-2E207BD5BC0C}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	regsvr32.exe

Modifies system certificate store 2 TTPs 5 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

description	ioc	Process
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DDFB16CD4931C973A2037D3FC83A4D7D775D05E4\Blob = 5c000000010000000400000000100000190000000100000010000000ffac207997bb2cfe865570179ee037b9030000000100000014000000ddfb16cd4931c973a2037d3fc83a4d7d775d05e41d0000000100000010000000a86dc6a233eb339610f3ed414927c559140000000100000014000000ecd7e382d2715d644cdf2e673fe7ba98ae1c0f4f620000000100000020000000552f7bdcf1a7af9e6ce672017f4f12abf77240c78e761ac203d1d9d20ac899880b00000001000000320000004400690067006900430065007200740020005400720075007300740065006400200052006f006f0074002000470034000000090000000100000034000000303206082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030106082b06010505070308530000000100000040000000303e301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c00f00000001000000300000004ea1b34b10b982a96a38915843507820ad632c6aad8343e337b34d660cd8366fa154544ae80668ae1fdf3931d57e199604000000010000001000000078f2fcaa601f2fb4ebc937ba532e75492000000001000000940500003082059030820378a0030201020210059b1b579e8e2132e23907bda777755c300d06092a864886f70d01010c05003062310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3121301f060355040313184469676943657274205472757374656420526f6f74204734301e170d3133303830313132303030305a170d3338303131353132303030305a3062310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3121301f060355040313184469676943657274205472757374656420526f6f7420473430820222300d06092a864886f70d01010105000382020f003082020a0282020100bfe6907368debbe45d4a3c3022306933ecc2a7252ec9213df28ad859c2e129a73d58ab769acdae7b1b840dc4301ff31ba43816eb56c6976d1dabb279f2ca11d2e45fd6053c520f521fc69e15a57ebe9fa95716595572af689370c2b2ba75996a733294d11044102edf82f30784e6743b6d71e22d0c1bee20d5c9201d63292dceec5e4ec893f821619b34eb05c65eec5b1abcebc9cfcdac34405fb17a66ee77c848a86657579f54588e0c2bb74fa730d956eeca7b5de3adc94f5ee535e731cbda935edc8e8f80dab69198409079c378c7b6b1c4b56a183803108dd8d437a42e057d88f5823e109170ab55824132d7db04732a6e91017c214cd4bcae1b03755d7866d93a31449a3340bf08d75a49a4c2e6a9a067dda427bca14f39b5115817f7245c468f64f7c169887698763d595d4276878997697a48f0e0a2121b669a74cade4b1ee70e63aee6d4ef92923a9e3ddc00e4452589b69a44192b7ec094b4d2616deb33d9c5df4b0400cc7d1c95c38ff721b2b211b7bb7ff2d58c702c4160aab1631844951a76627ef680b0fbe864a633d18907e1bdb7e643a418b8a67701e10f940c211db2542925896ce50e52514774be26acb64175de7aac5f8d3fc9bcd34111125be51050eb31c5ca72162209df7c4c753f63ec215fc420516b6fb1ab868b4fc2d6455f9d20fca11ec5c08fa2b17e0a2699f5e4692f981d2df5d9a9b21de51b0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020186301d0603551d0e04160414ecd7e382d2715d644cdf2e673fe7ba98ae1c0f4f300d06092a864886f70d01010c05000382020100bb61d97da96cbe17c4911bc3a1a2008de364680f56cf77ae70f9fd9a4a99b9c9785c0c0c5fe4e61429560b36495d4463e0ad9c9618661b230d3d79e96d6bd654f8d23cc14340ae1d50f552fc903bbb9899696bc7c1a7a868a427dc9df927ae3085b9f6674d3a3e8f5939225344ebc85d03caed507a7d62210a80c87366d1a005605fe8a5b4a7afa8f76d359c7c5a8ad6a23899f3788bf44dd2200bde04ee8c9b4781720dc01432ef30592eaee071f256e46a976f92506d968d687a9ab236147a06f224b9091150d708b1b8897a8423614229e5a3cda22041d7d19c64d9ea26a18b14d74c19b25041713d3f4d7023860c4adc81d2cc3294840d0809971c4fc0ee6b207430d2e03934108521150108e85532de7149d92817504de6be4dd175acd0cafb41b843a5aad3c305444f2c369be2fae245b823536c066f67557f46b54c3f6e285a7926d2a4a86297d21ee2ed4a8bbc1bfd474a0ddf67667eb25b41d03be4f43bf40463e9efc2540051a08a2ac9ce78ccd5ea870418b3ceaf4988aff39299b6b3e6610fd28500e7501ae41b959d19a1b99cb19bb1001eefd00f4f426cc90abcee43fa3a71a5c84d26a535fd895dbc85621d32d2a02b54ed9a57c1dbfa10cf19b78b4a1b8f01b6279553e8b6896d5bbc68d423e88b51a256f9f0a680a0d61eb3bc0f0f537529aaea1377e4de8c8121ad07104711ad873d07d175bccff3667e	agent_launcher.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DDFB16CD4931C973A2037D3FC83A4D7D775D05E4	agent_launcher.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DDFB16CD4931C973A2037D3FC83A4D7D775D05E4\Blob = 0f00000001000000300000004ea1b34b10b982a96a38915843507820ad632c6aad8343e337b34d660cd8366fa154544ae80668ae1fdf3931d57e1996530000000100000040000000303e301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0090000000100000034000000303206082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030106082b060105050703080b00000001000000320000004400690067006900430065007200740020005400720075007300740065006400200052006f006f0074002000470034000000620000000100000020000000552f7bdcf1a7af9e6ce672017f4f12abf77240c78e761ac203d1d9d20ac89988140000000100000014000000ecd7e382d2715d644cdf2e673fe7ba98ae1c0f4f1d0000000100000010000000a86dc6a233eb339610f3ed414927c559030000000100000014000000ddfb16cd4931c973a2037d3fc83a4d7d775d05e42000000001000000940500003082059030820378a0030201020210059b1b579e8e2132e23907bda777755c300d06092a864886f70d01010c05003062310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3121301f060355040313184469676943657274205472757374656420526f6f74204734301e170d3133303830313132303030305a170d3338303131353132303030305a3062310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3121301f060355040313184469676943657274205472757374656420526f6f7420473430820222300d06092a864886f70d01010105000382020f003082020a0282020100bfe6907368debbe45d4a3c3022306933ecc2a7252ec9213df28ad859c2e129a73d58ab769acdae7b1b840dc4301ff31ba43816eb56c6976d1dabb279f2ca11d2e45fd6053c520f521fc69e15a57ebe9fa95716595572af689370c2b2ba75996a733294d11044102edf82f30784e6743b6d71e22d0c1bee20d5c9201d63292dceec5e4ec893f821619b34eb05c65eec5b1abcebc9cfcdac34405fb17a66ee77c848a86657579f54588e0c2bb74fa730d956eeca7b5de3adc94f5ee535e731cbda935edc8e8f80dab69198409079c378c7b6b1c4b56a183803108dd8d437a42e057d88f5823e109170ab55824132d7db04732a6e91017c214cd4bcae1b03755d7866d93a31449a3340bf08d75a49a4c2e6a9a067dda427bca14f39b5115817f7245c468f64f7c169887698763d595d4276878997697a48f0e0a2121b669a74cade4b1ee70e63aee6d4ef92923a9e3ddc00e4452589b69a44192b7ec094b4d2616deb33d9c5df4b0400cc7d1c95c38ff721b2b211b7bb7ff2d58c702c4160aab1631844951a76627ef680b0fbe864a633d18907e1bdb7e643a418b8a67701e10f940c211db2542925896ce50e52514774be26acb64175de7aac5f8d3fc9bcd34111125be51050eb31c5ca72162209df7c4c753f63ec215fc420516b6fb1ab868b4fc2d6455f9d20fca11ec5c08fa2b17e0a2699f5e4692f981d2df5d9a9b21de51b0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020186301d0603551d0e04160414ecd7e382d2715d644cdf2e673fe7ba98ae1c0f4f300d06092a864886f70d01010c05000382020100bb61d97da96cbe17c4911bc3a1a2008de364680f56cf77ae70f9fd9a4a99b9c9785c0c0c5fe4e61429560b36495d4463e0ad9c9618661b230d3d79e96d6bd654f8d23cc14340ae1d50f552fc903bbb9899696bc7c1a7a868a427dc9df927ae3085b9f6674d3a3e8f5939225344ebc85d03caed507a7d62210a80c87366d1a005605fe8a5b4a7afa8f76d359c7c5a8ad6a23899f3788bf44dd2200bde04ee8c9b4781720dc01432ef30592eaee071f256e46a976f92506d968d687a9ab236147a06f224b9091150d708b1b8897a8423614229e5a3cda22041d7d19c64d9ea26a18b14d74c19b25041713d3f4d7023860c4adc81d2cc3294840d0809971c4fc0ee6b207430d2e03934108521150108e85532de7149d92817504de6be4dd175acd0cafb41b843a5aad3c305444f2c369be2fae245b823536c066f67557f46b54c3f6e285a7926d2a4a86297d21ee2ed4a8bbc1bfd474a0ddf67667eb25b41d03be4f43bf40463e9efc2540051a08a2ac9ce78ccd5ea870418b3ceaf4988aff39299b6b3e6610fd28500e7501ae41b959d19a1b99cb19bb1001eefd00f4f426cc90abcee43fa3a71a5c84d26a535fd895dbc85621d32d2a02b54ed9a57c1dbfa10cf19b78b4a1b8f01b6279553e8b6896d5bbc68d423e88b51a256f9f0a680a0d61eb3bc0f0f537529aaea1377e4de8c8121ad07104711ad873d07d175bccff3667e	agent_launcher.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DDFB16CD4931C973A2037D3FC83A4D7D775D05E4\Blob = 190000000100000010000000ffac207997bb2cfe865570179ee037b9030000000100000014000000ddfb16cd4931c973a2037d3fc83a4d7d775d05e41d0000000100000010000000a86dc6a233eb339610f3ed414927c559140000000100000014000000ecd7e382d2715d644cdf2e673fe7ba98ae1c0f4f620000000100000020000000552f7bdcf1a7af9e6ce672017f4f12abf77240c78e761ac203d1d9d20ac899880b00000001000000320000004400690067006900430065007200740020005400720075007300740065006400200052006f006f0074002000470034000000090000000100000034000000303206082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030106082b06010505070308530000000100000040000000303e301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c00f00000001000000300000004ea1b34b10b982a96a38915843507820ad632c6aad8343e337b34d660cd8366fa154544ae80668ae1fdf3931d57e19962000000001000000940500003082059030820378a0030201020210059b1b579e8e2132e23907bda777755c300d06092a864886f70d01010c05003062310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3121301f060355040313184469676943657274205472757374656420526f6f74204734301e170d3133303830313132303030305a170d3338303131353132303030305a3062310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3121301f060355040313184469676943657274205472757374656420526f6f7420473430820222300d06092a864886f70d01010105000382020f003082020a0282020100bfe6907368debbe45d4a3c3022306933ecc2a7252ec9213df28ad859c2e129a73d58ab769acdae7b1b840dc4301ff31ba43816eb56c6976d1dabb279f2ca11d2e45fd6053c520f521fc69e15a57ebe9fa95716595572af689370c2b2ba75996a733294d11044102edf82f30784e6743b6d71e22d0c1bee20d5c9201d63292dceec5e4ec893f821619b34eb05c65eec5b1abcebc9cfcdac34405fb17a66ee77c848a86657579f54588e0c2bb74fa730d956eeca7b5de3adc94f5ee535e731cbda935edc8e8f80dab69198409079c378c7b6b1c4b56a183803108dd8d437a42e057d88f5823e109170ab55824132d7db04732a6e91017c214cd4bcae1b03755d7866d93a31449a3340bf08d75a49a4c2e6a9a067dda427bca14f39b5115817f7245c468f64f7c169887698763d595d4276878997697a48f0e0a2121b669a74cade4b1ee70e63aee6d4ef92923a9e3ddc00e4452589b69a44192b7ec094b4d2616deb33d9c5df4b0400cc7d1c95c38ff721b2b211b7bb7ff2d58c702c4160aab1631844951a76627ef680b0fbe864a633d18907e1bdb7e643a418b8a67701e10f940c211db2542925896ce50e52514774be26acb64175de7aac5f8d3fc9bcd34111125be51050eb31c5ca72162209df7c4c753f63ec215fc420516b6fb1ab868b4fc2d6455f9d20fca11ec5c08fa2b17e0a2699f5e4692f981d2df5d9a9b21de51b0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020186301d0603551d0e04160414ecd7e382d2715d644cdf2e673fe7ba98ae1c0f4f300d06092a864886f70d01010c05000382020100bb61d97da96cbe17c4911bc3a1a2008de364680f56cf77ae70f9fd9a4a99b9c9785c0c0c5fe4e61429560b36495d4463e0ad9c9618661b230d3d79e96d6bd654f8d23cc14340ae1d50f552fc903bbb9899696bc7c1a7a868a427dc9df927ae3085b9f6674d3a3e8f5939225344ebc85d03caed507a7d62210a80c87366d1a005605fe8a5b4a7afa8f76d359c7c5a8ad6a23899f3788bf44dd2200bde04ee8c9b4781720dc01432ef30592eaee071f256e46a976f92506d968d687a9ab236147a06f224b9091150d708b1b8897a8423614229e5a3cda22041d7d19c64d9ea26a18b14d74c19b25041713d3f4d7023860c4adc81d2cc3294840d0809971c4fc0ee6b207430d2e03934108521150108e85532de7149d92817504de6be4dd175acd0cafb41b843a5aad3c305444f2c369be2fae245b823536c066f67557f46b54c3f6e285a7926d2a4a86297d21ee2ed4a8bbc1bfd474a0ddf67667eb25b41d03be4f43bf40463e9efc2540051a08a2ac9ce78ccd5ea870418b3ceaf4988aff39299b6b3e6610fd28500e7501ae41b959d19a1b99cb19bb1001eefd00f4f426cc90abcee43fa3a71a5c84d26a535fd895dbc85621d32d2a02b54ed9a57c1dbfa10cf19b78b4a1b8f01b6279553e8b6896d5bbc68d423e88b51a256f9f0a680a0d61eb3bc0f0f537529aaea1377e4de8c8121ad07104711ad873d07d175bccff3667e	agent_launcher.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DDFB16CD4931C973A2037D3FC83A4D7D775D05E4\Blob = 04000000010000001000000078f2fcaa601f2fb4ebc937ba532e75490f00000001000000300000004ea1b34b10b982a96a38915843507820ad632c6aad8343e337b34d660cd8366fa154544ae80668ae1fdf3931d57e1996530000000100000040000000303e301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0090000000100000034000000303206082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030106082b060105050703080b00000001000000320000004400690067006900430065007200740020005400720075007300740065006400200052006f006f0074002000470034000000620000000100000020000000552f7bdcf1a7af9e6ce672017f4f12abf77240c78e761ac203d1d9d20ac89988140000000100000014000000ecd7e382d2715d644cdf2e673fe7ba98ae1c0f4f1d0000000100000010000000a86dc6a233eb339610f3ed414927c559030000000100000014000000ddfb16cd4931c973a2037d3fc83a4d7d775d05e4190000000100000010000000ffac207997bb2cfe865570179ee037b92000000001000000940500003082059030820378a0030201020210059b1b579e8e2132e23907bda777755c300d06092a864886f70d01010c05003062310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3121301f060355040313184469676943657274205472757374656420526f6f74204734301e170d3133303830313132303030305a170d3338303131353132303030305a3062310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3121301f060355040313184469676943657274205472757374656420526f6f7420473430820222300d06092a864886f70d01010105000382020f003082020a0282020100bfe6907368debbe45d4a3c3022306933ecc2a7252ec9213df28ad859c2e129a73d58ab769acdae7b1b840dc4301ff31ba43816eb56c6976d1dabb279f2ca11d2e45fd6053c520f521fc69e15a57ebe9fa95716595572af689370c2b2ba75996a733294d11044102edf82f30784e6743b6d71e22d0c1bee20d5c9201d63292dceec5e4ec893f821619b34eb05c65eec5b1abcebc9cfcdac34405fb17a66ee77c848a86657579f54588e0c2bb74fa730d956eeca7b5de3adc94f5ee535e731cbda935edc8e8f80dab69198409079c378c7b6b1c4b56a183803108dd8d437a42e057d88f5823e109170ab55824132d7db04732a6e91017c214cd4bcae1b03755d7866d93a31449a3340bf08d75a49a4c2e6a9a067dda427bca14f39b5115817f7245c468f64f7c169887698763d595d4276878997697a48f0e0a2121b669a74cade4b1ee70e63aee6d4ef92923a9e3ddc00e4452589b69a44192b7ec094b4d2616deb33d9c5df4b0400cc7d1c95c38ff721b2b211b7bb7ff2d58c702c4160aab1631844951a76627ef680b0fbe864a633d18907e1bdb7e643a418b8a67701e10f940c211db2542925896ce50e52514774be26acb64175de7aac5f8d3fc9bcd34111125be51050eb31c5ca72162209df7c4c753f63ec215fc420516b6fb1ab868b4fc2d6455f9d20fca11ec5c08fa2b17e0a2699f5e4692f981d2df5d9a9b21de51b0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020186301d0603551d0e04160414ecd7e382d2715d644cdf2e673fe7ba98ae1c0f4f300d06092a864886f70d01010c05000382020100bb61d97da96cbe17c4911bc3a1a2008de364680f56cf77ae70f9fd9a4a99b9c9785c0c0c5fe4e61429560b36495d4463e0ad9c9618661b230d3d79e96d6bd654f8d23cc14340ae1d50f552fc903bbb9899696bc7c1a7a868a427dc9df927ae3085b9f6674d3a3e8f5939225344ebc85d03caed507a7d62210a80c87366d1a005605fe8a5b4a7afa8f76d359c7c5a8ad6a23899f3788bf44dd2200bde04ee8c9b4781720dc01432ef30592eaee071f256e46a976f92506d968d687a9ab236147a06f224b9091150d708b1b8897a8423614229e5a3cda22041d7d19c64d9ea26a18b14d74c19b25041713d3f4d7023860c4adc81d2cc3294840d0809971c4fc0ee6b207430d2e03934108521150108e85532de7149d92817504de6be4dd175acd0cafb41b843a5aad3c305444f2c369be2fae245b823536c066f67557f46b54c3f6e285a7926d2a4a86297d21ee2ed4a8bbc1bfd474a0ddf67667eb25b41d03be4f43bf40463e9efc2540051a08a2ac9ce78ccd5ea870418b3ceaf4988aff39299b6b3e6610fd28500e7501ae41b959d19a1b99cb19bb1001eefd00f4f426cc90abcee43fa3a71a5c84d26a535fd895dbc85621d32d2a02b54ed9a57c1dbfa10cf19b78b4a1b8f01b6279553e8b6896d5bbc68d423e88b51a256f9f0a680a0d61eb3bc0f0f537529aaea1377e4de8c8121ad07104711ad873d07d175bccff3667e	agent_launcher.exe

Suspicious behavior: EnumeratesProcesses 12 IoCs

pid	Process
4500	ProductAgentService.exe
4500	ProductAgentService.exe
4500	ProductAgentService.exe
4500	ProductAgentService.exe
4500	ProductAgentService.exe
4500	ProductAgentService.exe
4500	ProductAgentService.exe
4500	ProductAgentService.exe
4500	ProductAgentService.exe
4500	ProductAgentService.exe
4500	ProductAgentService.exe
4500	ProductAgentService.exe

Suspicious use of AdjustPrivilegeToken 11 IoCs

description	pid	Process
Token: SeDebugPrivilege	2832	installer.exe
Token: 35	2832	installer.exe
Token: 35	2832	installer.exe
Token: 35	2832	installer.exe
Token: SeRestorePrivilege	2832	installer.exe
Token: SeDebugPrivilege	4500	ProductAgentService.exe
Token: SeDebugPrivilege	4500	ProductAgentService.exe
Token: SeDebugPrivilege	4500	ProductAgentService.exe
Token: SeDebugPrivilege	4500	ProductAgentService.exe
Token: SeDebugPrivilege	4252	Installer.exe
Token: SeSecurityPrivilege	4252	Installer.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
1736	installer.exe
4252	Installer.exe

Suspicious use of WriteProcessMemory 49 IoCs

description	pid	Process	procid_target
PID 4928 wrote to memory of 2384	4928	bitdefender_avfree.exe	86
PID 4928 wrote to memory of 2384	4928	bitdefender_avfree.exe	86
PID 4928 wrote to memory of 2384	4928	bitdefender_avfree.exe	86
PID 2384 wrote to memory of 2688	2384	agent_launcher.exe	88
PID 2384 wrote to memory of 2688	2384	agent_launcher.exe	88
PID 2384 wrote to memory of 2688	2384	agent_launcher.exe	88
PID 2688 wrote to memory of 2132	2688	bddeploy.exe	89
PID 2688 wrote to memory of 2132	2688	bddeploy.exe	89
PID 2688 wrote to memory of 2132	2688	bddeploy.exe	89
PID 2688 wrote to memory of 2832	2688	bddeploy.exe	90
PID 2688 wrote to memory of 2832	2688	bddeploy.exe	90
PID 2688 wrote to memory of 2832	2688	bddeploy.exe	90
PID 2832 wrote to memory of 3788	2832	installer.exe	91
PID 2832 wrote to memory of 3788	2832	installer.exe	91
PID 2832 wrote to memory of 3788	2832	installer.exe	91
PID 2832 wrote to memory of 1220	2832	installer.exe	94
PID 2832 wrote to memory of 1220	2832	installer.exe	94
PID 2832 wrote to memory of 1220	2832	installer.exe	94
PID 2832 wrote to memory of 404	2832	installer.exe	95
PID 2832 wrote to memory of 404	2832	installer.exe	95
PID 2832 wrote to memory of 404	2832	installer.exe	95
PID 2832 wrote to memory of 2436	2832	installer.exe	96
PID 2832 wrote to memory of 2436	2832	installer.exe	96
PID 2832 wrote to memory of 2436	2832	installer.exe	96
PID 4500 wrote to memory of 468	4500	ProductAgentService.exe	98
PID 4500 wrote to memory of 468	4500	ProductAgentService.exe	98
PID 4500 wrote to memory of 468	4500	ProductAgentService.exe	98
PID 468 wrote to memory of 1508	468	DiscoverySrv.exe	99
PID 468 wrote to memory of 1508	468	DiscoverySrv.exe	99
PID 468 wrote to memory of 1508	468	DiscoverySrv.exe	99
PID 4500 wrote to memory of 968	4500	ProductAgentService.exe	100
PID 4500 wrote to memory of 968	4500	ProductAgentService.exe	100
PID 4500 wrote to memory of 968	4500	ProductAgentService.exe	100
PID 4500 wrote to memory of 964	4500	ProductAgentService.exe	103
PID 4500 wrote to memory of 964	4500	ProductAgentService.exe	103
PID 4500 wrote to memory of 964	4500	ProductAgentService.exe	103
PID 4500 wrote to memory of 2144	4500	ProductAgentService.exe	104
PID 4500 wrote to memory of 2144	4500	ProductAgentService.exe	104
PID 4500 wrote to memory of 2144	4500	ProductAgentService.exe	104
PID 4500 wrote to memory of 1632	4500	ProductAgentService.exe	108
PID 4500 wrote to memory of 1632	4500	ProductAgentService.exe	108
PID 4500 wrote to memory of 1632	4500	ProductAgentService.exe	108
PID 4500 wrote to memory of 4916	4500	ProductAgentService.exe	107
PID 4500 wrote to memory of 4916	4500	ProductAgentService.exe	107
PID 4500 wrote to memory of 4916	4500	ProductAgentService.exe	107
PID 4916 wrote to memory of 1736	4916	hpi55B.tmp	109
PID 4916 wrote to memory of 1736	4916	hpi55B.tmp	109
PID 1736 wrote to memory of 4252	1736	installer.exe	110
PID 1736 wrote to memory of 4252	1736	installer.exe	110

C:\Users\Admin\AppData\Local\Temp\bitdefender_avfree.exe
"C:\Users\Admin\AppData\Local\Temp\bitdefender_avfree.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4928
- C:\Users\Admin\AppData\Local\Temp\RarSFX0\agent_launcher.exe
  "C:\Users\Admin\AppData\Local\Temp\RarSFX0\agent_launcher.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Modifies system certificate store
  - Suspicious use of WriteProcessMemory
  PID:2384
- - C:\Users\Admin\AppData\Local\Temp\RarSFX0\bddeploy.exe
    "C:\Users\Admin\AppData\Local\Temp\RarSFX0\bddeploy.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2688
  - - C:\Users\Admin\AppData\Local\Temp\RarSFX0\packages\setuppackage.exe
      "C:\Users\Admin\AppData\Local\Temp\RarSFX0\packages\setuppackage.exe"
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      PID:2132
  - - C:\Users\Admin\AppData\Local\Temp\RarSFX0\packages\installer.exe
      "C:\Users\Admin\AppData\Local\Temp\RarSFX0\packages\installer.exe"
      4⤵
      Drops file in Program Files directory
      Executes dropped EXE
      Loads dropped DLL
      System Location Discovery: System Language Discovery
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2832
    - - C:\Program Files\Bitdefender Agent\ProductAgentService.exe
        
        "C:\Program Files\Bitdefender Agent\ProductAgentService.exe" protect
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:3788
    - - C:\Program Files\Bitdefender Agent\ProductAgentService.exe
        
        "C:\Program Files\Bitdefender Agent\ProductAgentService.exe" install
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:1220
    - - C:\Program Files\Bitdefender Agent\ProductAgentService.exe
        
        "C:\Program Files\Bitdefender Agent\ProductAgentService.exe" enable
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:404
    - - C:\Program Files\Bitdefender Agent\ProductAgentService.exe
        
        "C:\Program Files\Bitdefender Agent\ProductAgentService.exe" start "C:\Users\Admin\AppData\Local\Temp\bitdefender_avfree.exe"
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:2436

C:\Program Files\Bitdefender Agent\redline\bdredline.exe
"C:\Program Files\Bitdefender Agent\redline\bdredline.exe"
1⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Modifies data under HKEY_USERS
PID:4940

C:\Program Files\Bitdefender Agent\ProductAgentService.exe
"C:\Program Files\Bitdefender Agent\ProductAgentService.exe"
1⤵
- Drops file in System32 directory
- Drops file in Program Files directory
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Checks processor information in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4500
- C:\Program Files\Bitdefender Agent\27.0.1.266\DiscoverySrv.exe
  "C:\Program Files\Bitdefender Agent\27.0.1.266\DiscoverySrv.exe" install
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Modifies data under HKEY_USERS
  - Suspicious use of WriteProcessMemory
  PID:468
- - C:\Windows\SysWOW64\regsvr32.exe
    regsvr32 /s "C:\Program Files\Bitdefender Agent\27.0.1.266\DiscoveryComp.dll"
    3⤵
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    PID:1508
- C:\Program Files\Bitdefender Agent\27.0.1.266\DiscoverySrv.exe
  "C:\Program Files\Bitdefender Agent\27.0.1.266\DiscoverySrv.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Modifies data under HKEY_USERS
  PID:968
- C:\Program Files\Bitdefender Agent\ProductAgentService.exe
  "ProductAgentService.exe" login_silent
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  PID:964
- C:\Program Files\Bitdefender Agent\27.0.1.266\ProductAgentUI.exe
  "C:\Program Files\Bitdefender Agent\27.0.1.266\ProductAgentUI.exe" show=progress event_retry=Global\7295237F-E98C-4C46-A4A4-07F0D66278C2 app_name="Bitdefender Security"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Modifies data under HKEY_USERS
  PID:2144
- C:\Windows\TEMP\bd_55A.tmp\hpi55B.tmp
  "C:\Windows\TEMP\bd_55A.tmp\hpi55B.tmp" /source:web /attach
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:4916
- - C:\Users\Admin\AppData\Local\Temp\RarSFX0\installer.exe
    "C:\Users\Admin\AppData\Local\Temp\RarSFX0\installer.exe" /kitArchive
    3⤵
    - Drops file in Program Files directory
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:1736
  - - C:\Program Files\Common Files\Bitdefender\SetupInformation\CL-27-79C1C6DC-7FFA-4809-9643-C1A4246C6931\Installer.exe
      "C:\Program Files\Common Files\Bitdefender\SetupInformation\CL-27-79C1C6DC-7FFA-4809-9643-C1A4246C6931\Installer.exe" /attach /source:web /setup-folder:"CL-27-79C1C6DC-7FFA-4809-9643-C1A4246C6931" /step=new_install
      4⤵
      Executes dropped EXE
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of SetWindowsHookEx
      PID:4252
- C:\Program Files\Bitdefender Agent\27.0.1.266\WatchDog.exe
  "C:\Program Files\Bitdefender Agent\27.0.1.266\WatchDog.exe" install
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Modifies data under HKEY_USERS
  PID:1632

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation -p -s upnphost
1⤵
- Drops file in Windows directory
PID:4960

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Subvert Trust Controls

T1553

Install Root Certificate

T1553.004

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\Bitdefender Agent\27.0.1.266\ProductAgent.dll

Filesize
1.6MB

MD5
040085a581765d2e45821d944e60d64f

SHA1
ebb4c62842a323d06274d4cab99fd51044412c27

SHA256
efcc3b7457195adb080986525b34cda9e0d5a3582e953f4d2733257039b40db8

SHA512
adb5ba2d2e2c518296a73d0b6c2ded9f3ae8a84f250f7180c4bf833093709fe0cd30ea10c4d2cecb392f9992973a5f707884d9bf6506e84b9c379516a1b60e6f

Download Submit
C:\Program Files\Bitdefender Agent\27.0.1.266\bdch.dll

Filesize
1.7MB

MD5
3e42b901cb1c89e5994649703aa27d09

SHA1
2df41dc5b36165fa2d3d02f2e5eaed6e33f435b8

SHA256
3431e5ae5302dc04aecd77b1e52c2783c316a32e90349a8c418fb0e16e53a660

SHA512
e7ce58642f32bfcedd787d4c512945d2ec0ee445a9a65ede932196ea87395812729dc3fdb0a22fa601ccb73a9372385b8bdc844f65ba61748175213e7f838b64

Download Submit
C:\Program Files\Bitdefender Agent\27.0.1.266\bdch.json

Filesize
1KB

MD5
fcb25a197b00543ba014b9ac162b1bc4

SHA1
487710a89f899ce4122918b10f75b958d3b09e56

SHA256
79609aedd0caadd24141e7f118a8814d888e665bf8fadc277c5d912466a9765a

SHA512
df626b86e0db8a693cf4d59be468a37a9ed48aa70fdd5170d9b640b04ebeadb0f9c536ca752052e30403d1e0a0282d96b9d65d852bd393f5a8282eb9c039661c

Download Submit
C:\Program Files\Bitdefender Agent\27.0.1.266\bdec.dll

Filesize
508KB

MD5
e2a0334684b05bf05a953b80a4832d20

SHA1
d29dec0042c65ac02c411e4caed37a5e1aa84d5b

SHA256
7dedb34158f800166567887c7a007a85eca0be379d20d51da3230f66c6b094c0

SHA512
0d486947d1c87ee632930afb49dae1061bee5b271e16a419c9e37a92c7083509de3e8980a73f8a9f2724421612f2cb9d33ea4156ab5c3afa34e4a98fed84ea92

Download Submit
C:\Program Files\Bitdefender Agent\27.0.1.266\bdec.ini

Filesize
129B

MD5
96d15c4f3db04429631866751a1d2890

SHA1
61066ffead2b6859e4d3fd497a78b05343ccf25e

SHA256
e8d31c1de790f738ef75daa0402584560a0672402d0d3ded0899d2dbc95fb911

SHA512
2e5c94e2d92eadd28f604ed1f04d6e2dc9d9a4ffb3c2270e9d19792ad41c0c536260616a17b433f4f2bc57b31b116ffa06eefb61955b98029f15593db4122189

Download Submit
C:\Program Files\Bitdefender Agent\27.0.1.266\bdnc.client_id

Filesize
36B

MD5
f4c2784aa289f17d144a589751c7980d

SHA1
b414dd690863acf3614c25c911697f1b16c24c62

SHA256
e6e827f81840ce8975cd5e30467ddc1661c3f407cd9d342d00800f32c01dcc26

SHA512
3f3f8f8ae91d679745189722c88d97d19e8728ce3289deda2e89a79061ad06d0a627a9783a9ef2a833f6a7843d882bebdae77d178f3d810b581093b299f2b70e

Download Submit
C:\Program Files\Bitdefender Agent\27.0.1.266\bdnc.dll

Filesize
2.6MB

MD5
c86511990365ac18cfb527e41a6f7eac

SHA1
d5119c749ba9c4f4a91120381cae151ce8cb82ad

SHA256
eb247a43d0cfd0662559f1e3a2bb6656a6b7d465c8d404d5a3ea090daad78196

SHA512
d76df94f69421921a04f768b04120cef09db6e6f8d8a930033893766444029c0be9c86250e49e9ea11c6d804cd16f4676ab0be860486d22f4992a65deaf30df5

Download Submit
C:\Program Files\Bitdefender Agent\27.0.1.266\bdnc.ini

Filesize
155B

MD5
758591d297b16ee7b5127f2fe3e67a27

SHA1
d782a572579a9f52e31bef5377997c7f9be28790

SHA256
2c6224951714e685114b51c4e598c2bad8c7bc16975f7401ac51e101afcab837

SHA512
808f47903ee90c68939aca97ca06b1523bc5355d7de6c1b3ec14d0cd560b3bf77abe7c429964176711b91bf6a9bb2a1a9fe22206daa465ff2ec55e55ccc2eff3

Download Submit
C:\Program Files\Bitdefender Agent\27.0.1.266\bdreinit.exe

Filesize
1.3MB

MD5
87708aa959b727dcbaf61e1e70e39102

SHA1
41742e628b8e5148e7dc79392bb14b51344418ed

SHA256
6192ff8a25dfe8fe1f8ae025fb727ac29e69dd8f6702e89793ee9c27d09b5109

SHA512
0a275257fa5baf92ba982e0d450ed1cd148c106b8a3170f30588df11089cec42b56e2371e62f675db87315622ddcc58bc42798d4927689a8dd4486abc5146b15

Download Submit
C:\Program Files\Bitdefender Agent\27.0.1.266\installer\bdnc.ini.md5

Filesize
34B

MD5
3a0a7d7823833be6e8af5ab1af295139

SHA1
1895dea63fb05e7e6f90e052936de086874c4c75

SHA256
a5f15ba3b16384b584780f2bbb0ef3e7fd49ccabd0b9ca10437882f65f49c7f2

SHA512
0d1377acaf8c5062e4ed7b3ad3fe0fbae594b6ce234aa9339471a31c63d6ea768c6cb2ca24820fc7726282c7fbbd41da29242cd3c288d7a0e8cc6b7e49c9835d

Download Submit
C:\Program Files\Bitdefender Agent\27.0.1.266\log.dll

Filesize
301KB

MD5
6a9e978a4fe23df6dd4c329db64bb893

SHA1
7220c35ec2aac2df1613969ea9fd388f007961c4

SHA256
77eea2da6b65bbcd7ab5852fa3fbbe9c2e8e090ed2af27c4d200ef06eb094154

SHA512
c677fdb998f076302a1acb782b5ab422220abbd686610514c16af9bb5aeafef4af4d04ba60c397db3181ac1cf24bf68571d4f611458976261508a794323b3637

Download Submit
C:\Program Files\Bitdefender Agent\27.0.1.266\settings\LoggerConfig.xml

Filesize
78B

MD5
bda7be337da35949bb617c42de5fd811

SHA1
bf5e6c6a7dc9f9ccdb6207ac0d31a1aa76ec93e6

SHA256
54e2f0d07609a40a45bb12d3a271eec1fb9021f62b756a4bdbdc42191fd79dcd

SHA512
19b96b62a4055bdf254b13acba70fb8a4ec606a45abfe4fbf97c29aeb16a9e12d4e2529339f7571f62558559111f493bc52797388bfe629194cc89fb9d1b275e

Download Submit
C:\Program Files\Bitdefender Agent\27.0.1.266\settings\ProductAgent.json

Filesize
973B

MD5
7a9089116cdda102d9a2d0621846a500

SHA1
ba1c5c58b072e247790f31e13fea0668605d62b5

SHA256
70d5b628a3da01b54abc0f9daa69335272236fb753050e0a905a1cb797530ac7

SHA512
617b1a3991dfccf6b325a1e53a5697372d99680784f5d557f06291f4c6fad5e2f1d448af56e97ff51d625f81295e45e622e6873d1b11356a4ef9e320b0d5de02

Download Submit
C:\Program Files\Bitdefender Agent\ProductAgentService.exe

Filesize
669KB

MD5
33bc0814d3ea990455a2e956a24fb71a

SHA1
09f9d7550d82512ddfdba4aafcb538a9eccab342

SHA256
79a1b5b25ddac2372655399805ee5f8d770e1083440c67247d7ab5a659909f37

SHA512
ea5a8cc2cce28e657d776d81e4d9865773eebc473a6052989d6f88b246bb907f9a3f260f7a816d9e30f752738e0fc18126e0b024f8e628422a58141148b5b5d3

Download Submit
C:\Program Files\Bitdefender Agent\ProductAgentUI.exe

Filesize
1.8MB

MD5
47f4ae0cf87bdc54a2ef7c4f4b11737f

SHA1
c3a9389a6614d0127253d5b6092752dd709570e8

SHA256
af2928fc85499f5e63c78147bc5f971e9155004f557db92a9bf48da6d912431d

SHA512
676619dc3d1c8f7978760bb5a26df62e87006df8c1aa4e6223204f11563dd284c17921e997fbb4f3923785c507b133dadb4b142467d8d48e5efab3b7f7dbb5cb

Download Submit
C:\Program Files\Bitdefender Agent\redline\bdredline.bdch.json

Filesize
943B

MD5
773b74522a6e488974ae46073906db08

SHA1
3f6bcf14bea073c02d8e2494645903e54f57d4dc

SHA256
6877dc49fc39111d8b9d900c8f7df178c08dbfff1da9b774aaea5f2160060c93

SHA512
b06b20ad0b2853b2ab38e515101ac38d2459a268a679a09436fcf2f3258ebe0d3bc809229da9470e77364f17e64ed5c846b9031160b5ac14f432c74dc732b569

Download Submit
C:\Program Files\Bitdefender Agent\redline\bdredline.conf

Filesize
357B

MD5
359c00356b7b0e3a871dccf4f5b7e17b

SHA1
2d12be84f3db7a11becc6838b13764103809924f

SHA256
6017a4af984473cb2c626419304c79f1dc33b1632e9601510a5c85323b319a55

SHA512
c6891cbb382983f605457f0ab11d33971b53eb305eb3ce9f518cb329a7f042da6f7634c13e9a8fc02c696e4295d95b5f2a2eb8ce3492b50654740617c900d1b3

Download Submit
C:\Program Files\Bitdefender Agent\version.json

Filesize
44B

MD5
d2de780f292bb508ac912c96910be873

SHA1
99235d586881e5a4cde571b096a8317584f1190b

SHA256
620a66403b2ffc67447fda1d2c839f454fb27026de3d3c3115b19c5d9e92bfc8

SHA512
1454e5cbdc6428e1efe00d2534a83a0defccf8406c4e51e19a508a618145db0b7b5e2d18da7063230d1077dcc844583132774619fd6b41959711cb710cb86b09

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\agent_launcher.exe

Filesize
245KB

MD5
3e68d3affb1d07b291b402b1f8733b52

SHA1
c5d817e20dcd38ef8e8902c05d8a13777b88bc03

SHA256
cca66104abc7b29b365f2f5f55579348f0b5645deafbd962fc802d18c520e676

SHA512
d80225bb9b61ae98d662ff3e95775e3bc3900d3820c669956a090ed076154be6a261b327cb872742aeb1d87dcc4b4fe16147b4b26394397b6bb86f3c446fccb6

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\bdch.json

Filesize
960B

MD5
5e96cb34257ccd9a50d3f93bbfbc1337

SHA1
60eeeca57291613138f4f2c2afff15f9712aea2b

SHA256
85114591f9254f407f531bfa4ee57bfdf9079cb20aefb6f9daa74ba72d5a90ff

SHA512
001aaae5d5b473aa0a4441d9ce57b80f4eece27d8f358acbda181917a8712b18b291f972590f24415a0f3d510f8dc83a2f1c119d380ae3ec5e8a1a9d5fe32752

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\bddeploy.exe

Filesize
399KB

MD5
3a1261cc0bee2591e29842495e3f6aeb

SHA1
13187dcb0b83a6ed856317e5bee716940e811724

SHA256
66436a1a34bb16464111ac1042189d99de00390235c4109ba04e3f3a2d83d467

SHA512
bed901f1345725c6d627021b44451d28fc967838bf7f74388f649f4e52e67e7724ff7807da754d4a54f0da4bd40c33ba6272dd76d130c302c2706f44f58fb77d

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\deploy.dll

Filesize
18KB

MD5
d8ccab8f709caebcc3995d689d40f5c3

SHA1
c79d9c047645ea578da59110b35d36bf097b0cc1

SHA256
4462742e00eab950190eeda7484cc8d931646cc417bb0a5503361535eee1275e

SHA512
9219c8a545080e3e84bc0cabba1f7a6dad6a41ddf248447431f8474274efcbf48d82887d2d851dd6504250ca78c9465d16a5e0ec66504e81d3479093ba741bec

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\installer.exe

Filesize
946KB

MD5
773a58cb4cc8459d38df010d3f9d9806

SHA1
02c3b45fae08436e118acd4f607f3bfef7645a48

SHA256
a1de2e263a928ea2e401354efc6204d810b025aee030eaa6657712d25a5540d5

SHA512
1b26fcf8f3d40d6220f388a766d491f4cd228c34d67ca3a1929b9aa42fe7b35746cb1f717aacd43508f05038dab13a45950e14a8b3fde12c3a04ec8b4ecd597c

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\packages\additional.dll

Filesize
1.4MB

MD5
cd10f317d54a8ba35e5ce85ba3b60220

SHA1
f1c33ddb09b0b30fb99917d2d9b8b0346fc20373

SHA256
ee05132599596b99f595b0ecf7783e7e119d5d03519b12fe9f3dbf5deef6fab4

SHA512
e9e56ce0b9a61283c18acaedbe22cf068a3b078e0836e3c0c2ed75d1a3e9199d834bf107321418c587cd235570b2ff48f0f04763d1ade475fb1a97255b2c479f

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\packages\agentpackage.exe

Filesize
8.3MB

MD5
7cd9464ae3a1bbe3c155f0353e5f681f

SHA1
a548d70989219c8de570055f87d93483ee9611b3

SHA256
16beff6d89dd76a4f22130f5e7b9d7a30ca0cb63893cb6591943bd8e6d3d7f72

SHA512
fc03ee68eac39e3c789da751197f28a9d649c3ad0ea407494710e2be812cb679f5e610b6c86596c527f6c207d3e066fd6c5d33b07fda0d22b7565910e956f2e5

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\packages\agentpackage.exe.md5

Filesize
32B

MD5
2af0f1b3dd50cb94efb978061c10a211

SHA1
ca172c17f6ecdf5e71746714414f440ea006e12a

SHA256
8381983de4108cd0a54000b11f85f9128b46b82645c4117d864e32d728c87900

SHA512
2925ec62649bfefdad7276e107671e1a638020ebbd838b5f6fe77ec1d7c9dd2d92aa7d1b6e419b7a54eac381da78c438d87b981efaffd4a7d81b365838e8004d

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\packages\bdredline.bdch.json

Filesize
730B

MD5
3266bd308834ee8d251433b44ee0a48d

SHA1
c271fbb539824ff577752d2f82b1b498a9ac91b7

SHA256
a773cf585925921309cc117e59ee87c56ae7e9f7e7532b4fb153e4ac72dac76e

SHA512
edcba4498e553b4e6d9eb28b7c29e880b04ab531435c50685d638769ac5ae74c6e3de8c02ecdcb385d05f347b27f2e1e6bab72ff45a16642013b28b44fe85321

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\packages\bdredline.exe

Filesize
2.5MB

MD5
bb8bdc561394c4ecfd2158d228da62b5

SHA1
34b46f4978ce08acf9c2218c22e8f2bf0d24a745

SHA256
ae283b45d858cb916f27b724db05049aceb424e049cd8c8a9b145547299f03c6

SHA512
8d02b3957c3efa279dccbd7aa521c372b03fd2afc2699f29bc178caaec8414baf0405987b5673b8d8e29c94bf962b08b36424ad08d0399b02b4319f5e7c5467e

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\packages\data\params.json

Filesize
86B

MD5
9210803f5a16907b21073ecb876050b1

SHA1
6e9a38c1acc9e98823c54ad51f4ca6a4593b0475

SHA256
c9128459dbcebc819dde6ea43d243420497fcf5a10b403cf708299a50e5d35f1

SHA512
390384bda65ad6ea0b96e15c99c655e0fff1ffb0f980965b71356488b4829ef720618fb9604f89611b4e9e4dd84797d67dfb184539eac6eeaeb96c72f97e982a

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\packages\installer.exe

Filesize
770KB

MD5
af850a5433c3ff2e33bc4222e14800e2

SHA1
74baf15228a800287d13771882bb4eefab75010b

SHA256
e19399997dc084d27126835a42b2e478a37223a6b2f649fe88490112bb6318ce

SHA512
f3ddaa6de21bf615894f638a2ab49d60a914ce30682596f3a2c5b8337ece1657c649c527cd99ce2b7db1dd3522caa4ab43afb228e1657f6fa32eabe2188b3b25

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\packages\lang\cs-CZ.txtui

Filesize
9KB

MD5
acfe51999ce2e2361e5f13e9b4fed750

SHA1
82be366bea26ca1eef8c35ca2f26a9baab8551e8

SHA256
6db99180a45cb0116807a7d83702651468a1982596a0187d2fd8b9fb9e3623e8

SHA512
5494f6b520767372f67b3f98c2aa80b35a53c8f7167a80f2b9d9908045ff412e5348f9f69eccaabe14433c2ac5ae826dac4cf71d3681b8c120c763f34d62f07d

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\packages\lang\ltr\resources.dll

Filesize
94KB

MD5
72dc57d6b0b7a541bbc8f4bed42ba48a

SHA1
8f1269f8351cc6db6f624d5f4bbd2881ad65a15a

SHA256
075e253101ba416a8a3b572e08ca5c371a8cd27cf473be319e7cc88982523a00

SHA512
e198e144ec1043ca1206f65af5c2b46bc8ef4a957c51b89b3d5f74f72f7b1d4d7e2ba765e6e28cead62a4dfe5cce571961366e821504ebab687eea50b7c3c26d

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\packages\productagentdp.dll

Filesize
499KB

MD5
0e170e693a13fcf60a3cd246a24e8822

SHA1
61829794e5d968c3c1c106953002c2851e1a992c

SHA256
6a5f84c751142ecf5bfca2bfcdd00f472fe03eda81125f4561fd7abe4e82ef86

SHA512
de97f1e6d1b1675dbced1c35f4916e74fbe7e28f049a3c6854a6ed1c74cd834a1a83e4642450f46f9a7da85ac70c4ebbcd42db55f3ef530c76cc76c714c4bd2a

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\packages\sciter.dll

Filesize
4.6MB

MD5
258e030e1961923617df3d6ee6dc1e5c

SHA1
fea5a96214480383fa1aa5ff674ad3febd45aee3

SHA256
3eeebdf2a76db3ad7fe70fd72ff2badf495767f0e75d8fb2c3210fb8b541a2a6

SHA512
9269f481a52df490539f65cb71dbb5c582ee7d446c5b5af38146c210b2870bde6a12bfa9df0f3ea9376e14bacd3c5d3b9b42dfdd1904e9bff835c117d97a88c1

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\packages\setuppackage.exe

Filesize
5.6MB

MD5
2e0329c9637588e065d0edbd669b9d18

SHA1
855a4cfaebf0f6032ebf465424a945fe253d0b1c

SHA256
87b6d3936e879812c3e1fbd379cfd9cc4e7a1cb031eb4ab8801e88f0ab31679c

SHA512
c44e58710fa1bfab30e1aab78f55aa8dda4f4febe1f71c2ce9892bc3eb5b309161127da65b352ab0bf754f8af5e94129f7b4b964d2b78cd8604455dda54f644d

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\packages\setuppackage.exe.md5

Filesize
32B

MD5
b3fd1281f2b79e1fe42ee4ddd4998a09

SHA1
a642ed054a58dc123a8b6ae9c70c657e8f08df87

SHA256
34167c545f9fad76ace9097463bcafdf5522d480b5ae9daa86e38c0cb209caf1

SHA512
ac79fe53e87a41df4b447c6a70a67ea83e4430db9b6fa9b9ae160d6c21ec37e158428b6e0f48d6ccf3fb20b94f4e26abf0f34cd75149fc4c01938485cb03545d

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\packages\unrar.dll

Filesize
276KB

MD5
02976926dbd2950c19ce250688b210b4

SHA1
70edee2b167e2c4d21f0816d353d06a562aeea53

SHA256
03a9116627f80d4c1ae1c42d341ec5714b0b5c90f6d9defecc1213b5f885c437

SHA512
1d098c89b9849b77e67ea480a588ca4af72bd4301733704f5592311d9d897e195017cc34ab965420bd29aa9b771ab6428de036931e31156cab6d6d736c11c554

Download Submit
memory/468-518-0x000000006ED30000-0x000000006ED40000-memory.dmp

Filesize
64KB

Download
memory/1632-551-0x000000006ED30000-0x000000006ED40000-memory.dmp

Filesize
64KB

Download
memory/2144-543-0x000000006ED30000-0x000000006ED40000-memory.dmp

Filesize
64KB

Download