ba580f566eff785f741c99a84877b6e867b8805210c91205b5bcd21a59fa7aeb

Resubmissions

08-08-2024 23:22

240808-3c2frswcmh 6

08-08-2024 18:12

240808-wte6jaxanr 10

Analysis

max time kernel
1794s
max time network
1805s
platform
windows11-21h2_x64
resource
win11-20240802-en
resource tags

arch:x64arch:x86image:win11-20240802-enlocale:en-usos:windows11-21h2-x64system
submitted
08-08-2024 18:12

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

bitdefender_avfree.exe
Size

14.1MB
MD5

fd1e2d74ee69d385ffe392de738a09a8
SHA1

cffdc38420d50f6d2672fc5c9c3267f12b8d08b8
SHA256

ba580f566eff785f741c99a84877b6e867b8805210c91205b5bcd21a59fa7aeb
SHA512

94352897ab620e1970ab895bc5372ddf188ef2d2878965b2ff54efbfc61ff5a15019fa6f96bebc7142a997ce625c6d6e3685aa972fbff2c18627fc7fc0e55890
SSDEEP

393216:eVyaXw17m887vq+vb7fmBWASpNuGNvHqmbeQ:yyaA17mfq+vb6WAooixf

Score

6^/10

discovery

Malware Config

Signatures

Downloads MZ/PE file

Drops file in System32 directory 10 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache	ProductAgentService.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData	ProductAgentService.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content	ProductAgentService.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\57C8EDB95DF3F0AD4EE2DC2B8CFD4157	ProductAgentService.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\C8E534EE129F27D55460CE17FD628216_1130D9B25898B0DB0D4F04DC5B93F141	ProductAgentService.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\8EC9B1D0ABBD7F98B401D425828828CE_8A3EB3B0E837053838683939C2047254	ProductAgentService.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft	ProductAgentService.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\57C8EDB95DF3F0AD4EE2DC2B8CFD4157	ProductAgentService.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\C8E534EE129F27D55460CE17FD628216_1130D9B25898B0DB0D4F04DC5B93F141	ProductAgentService.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\8EC9B1D0ABBD7F98B401D425828828CE_8A3EB3B0E837053838683939C2047254	ProductAgentService.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files\Bitdefender Agent\27.0.1.266\skin\html\Agent\login2_loading.html	installer.exe
File opened for modification	C:\Program Files\Bitdefender Agent\27.0.1.266\skin\images\btn-close-w.svg	installer.exe
File opened for modification	C:\Program Files\Bitdefender Agent\ProductAgentUI.exe	installer.exe
File opened for modification	C:\Program Files\Bitdefender Agent\27.0.1.266\bdicon.ico	installer.exe
File opened for modification	C:\Program Files\Bitdefender Agent\27.0.1.266\lang\sv-SE\productagentui.txtui	installer.exe
File created	C:\Program Files\Bitdefender Agent\27.0.1.266\skin\html\Others\generic_message_window.html	installer.exe
File created	C:\Program Files\Bitdefender Agent\27.0.1.266\skin\images\icon-win.svg	installer.exe
File opened for modification	C:\Program Files\Bitdefender Agent\27.0.1.266\ui\ltr	installer.exe
File opened for modification	C:\Program Files\Bitdefender Agent\27.0.1.266\bdnc.dll	installer.exe
File created	C:\Program Files\Bitdefender Agent\27.0.1.266\lang\zh-TW\productagentui.txtui	installer.exe
File created	C:\Program Files\Bitdefender Agent\27.0.1.266\skin\img\icons\icon-safe.svg	installer.exe
File created	C:\Program Files\Bitdefender Agent\redline\bdredline.bdch.json	installer.exe
File created	C:\Program Files\Bitdefender Agent\redline\bdec.dll	installer.exe
File created	C:\Program Files\Bitdefender Agent\27.0.1.266\installer\lang\ro-RO.txtui	installer.exe
File opened for modification	C:\Program Files\Bitdefender Agent\27.0.1.266\lang\ru-RU	installer.exe
File opened for modification	C:\Program Files\Bitdefender Agent\27.0.1.266\skin\images\check-round-progress.svg	installer.exe
File opened for modification	C:\Program Files\Bitdefender Agent\27.0.1.266\skin\images\ie-icon.png	installer.exe
File created	C:\Program Files\Bitdefender Agent\27.0.1.266\installer\lang\pl-PL.txtui	installer.exe
File created	C:\Program Files\Bitdefender Agent\27.0.1.266\installer\lang\pt-PT.txtui	installer.exe
File created	C:\Program Files\Bitdefender Agent\27.0.1.266\critical_fixups32.dll	installer.exe
File opened for modification	C:\Program Files\Bitdefender Agent\27.0.1.266\lang\pl-PL	installer.exe
File opened for modification	C:\Program Files\Bitdefender Agent\27.0.1.266\skin\images\common	installer.exe
File opened for modification	C:\Program Files\Bitdefender Agent\27.0.1.266\skin\images\failed.svg	installer.exe
File created	C:\Program Files\Bitdefender Agent\27.0.1.266\skin\images\loader.svg	installer.exe
File created	C:\Program Files\Bitdefender Agent\27.0.1.266\skin\images\minimize.svg	installer.exe
File opened for modification	C:\Program Files\Bitdefender Agent\27.0.1.266\x64	installer.exe
File created	C:\Program Files\Bitdefender Agent\27.0.1.266\installer\additional.dll	installer.exe
File created	C:\Program Files\Bitdefender Agent\27.0.1.266\settings\ProductAgentCommands.dll	installer.exe
File opened for modification	C:\Program Files\Bitdefender Agent\27.0.1.266\skin\images\check-done.svg	installer.exe
File created	C:\Program Files\Bitdefender Agent\27.0.1.266\bdnc.ini	installer.exe
File opened for modification	C:\Program Files\Bitdefender Agent\27.0.1.266\skin\images_2\common\minimize.svg	installer.exe
File opened for modification	C:\Program Files\Bitdefender Agent\27.0.1.266\skin\images_2\common\load_medium.png	installer.exe
File opened for modification	C:\Program Files\Bitdefender Agent\27.0.1.266\skin\images_2\common\status_red.svg	installer.exe
File opened for modification	C:\Program Files\Bitdefender Agent\27.0.1.266\skin\img\icons\icon-warn.svg	installer.exe
File created	C:\Program Files\Bitdefender Agent\27.0.1.266\installer\lang\cs-CZ.txtui	installer.exe
File opened for modification	C:\Program Files\Bitdefender Agent\27.0.1.266\lang\pt-BR	installer.exe
File created	C:\Program Files\Bitdefender Agent\27.0.1.266\lang\sv-SE\productagentui.txtui	installer.exe
File created	C:\Program Files\Bitdefender Agent\27.0.1.266\skin\images\close.svg	installer.exe
File opened for modification	C:\Program Files\Bitdefender Agent\27.0.1.266\skin\images_2\common\minimize_hover.svg	installer.exe
File opened for modification	C:\Program Files\Bitdefender Agent\27.0.1.266\skin\img\btn-close.svg	installer.exe
File created	C:\Program Files\Bitdefender Agent\27.0.1.266\WatchDog.exe	installer.exe
File created	C:\Program Files\Bitdefender Agent\27.0.1.266\storage\install_path	ProductAgentService.exe
File created	C:\Program Files\Bitdefender Agent\27.0.1.266\bdnc.dll	installer.exe
File opened for modification	C:\Program Files\Bitdefender Agent\27.0.1.266\lang\vi-VN	installer.exe
File created	C:\Program Files\Bitdefender Agent\27.0.1.266\ProductAgent.dll	installer.exe
File opened for modification	C:\Program Files\Bitdefender Agent\27.0.1.266\skin\images\dialog_confirm.svg	installer.exe
File created	C:\Program Files\Bitdefender Agent\27.0.1.266\skin\images\pattern.png	installer.exe
File created	C:\Program Files\Bitdefender Agent\27.0.1.266\skin\img\icons\b-icon-popup.svg	installer.exe
File created	C:\Program Files\Bitdefender Agent\27.0.1.266\skin\img\icons\icon-warn.svg	installer.exe
File created	C:\Program Files\Bitdefender Agent\27.0.1.266\DiscoveryComp.dll	installer.exe
File opened for modification	C:\Program Files\Bitdefender Agent\27.0.1.266\lang\nl-NL\productagentui.txtui	installer.exe
File opened for modification	C:\Program Files\Bitdefender Agent\27.0.1.266\settings\bdch.template.json	installer.exe
File opened for modification	C:\Program Files\Bitdefender Agent\27.0.1.266\skin\css	installer.exe
File opened for modification	C:\Program Files\Bitdefender Agent\27.0.1.266\skin\images\icon-fb.svg	installer.exe
File created	C:\Program Files\Bitdefender Agent\27.0.1.266\skin\images\pattern2.png	installer.exe
File created	C:\Program Files\Bitdefender Agent\27.0.1.266\skin\images_2\common\bdui_progress_fgr.png	installer.exe
File opened for modification	C:\Program Files\Bitdefender Agent\27.0.1.266\skin\images_2\common\close.svg	installer.exe
File opened for modification	C:\Program Files\Bitdefender Agent\27.0.1.266\bdec.ini	installer.exe
File opened for modification	C:\Program Files\Bitdefender Agent\27.0.1.266\lang\pt-PT\productagentui.txtui	installer.exe
File opened for modification	C:\Program Files\Bitdefender Agent\27.0.1.266\lang\it-IT\productagentui.txtui	installer.exe
File created	C:\Program Files\Bitdefender Agent\27.0.1.266\settings\bdch.template.json	installer.exe
File opened for modification	C:\Program Files\Bitdefender Agent\27.0.1.266\skin\html\Others	installer.exe
File opened for modification	C:\Program Files\Bitdefender Agent\27.0.1.266\skin\images\ieloader.gif	installer.exe
File created	C:\Program Files\Bitdefender Agent\27.0.1.266\skin\images\open.svg	installer.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File created	C:\Windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\UPnP Device Host\upnphost\udhisapi.dll	svchost.exe
File opened for modification	C:\Windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\UPnP Device Host\upnphost\udhisapi.dll	svchost.exe

Executes dropped EXE 15 IoCs

pid	Process
4856	agent_launcher.exe
4472	bddeploy.exe
2408	setuppackage.exe
1504	installer.exe
4152	ProductAgentService.exe
1844	bdredline.exe
4980	ProductAgentService.exe
4000	ProductAgentService.exe
2140	ProductAgentService.exe
3508	ProductAgentService.exe
1624	DiscoverySrv.exe
1040	DiscoverySrv.exe
2144	ProductAgentService.exe
2440	ProductAgentUI.exe
788	WatchDog.exe

Loads dropped DLL 57 IoCs

pid	Process
1504	installer.exe
1504	installer.exe
1504	installer.exe
1504	installer.exe
1504	installer.exe
4152	ProductAgentService.exe
4152	ProductAgentService.exe
1504	installer.exe
1504	installer.exe
1844	bdredline.exe
4980	ProductAgentService.exe
4980	ProductAgentService.exe
4980	ProductAgentService.exe
4980	ProductAgentService.exe
4000	ProductAgentService.exe
4000	ProductAgentService.exe
4000	ProductAgentService.exe
4000	ProductAgentService.exe
2140	ProductAgentService.exe
2140	ProductAgentService.exe
2140	ProductAgentService.exe
1504	installer.exe
1504	installer.exe
2140	ProductAgentService.exe
2140	ProductAgentService.exe
3508	ProductAgentService.exe
3508	ProductAgentService.exe
3508	ProductAgentService.exe
1624	DiscoverySrv.exe
1624	DiscoverySrv.exe
3696	regsvr32.exe
3508	ProductAgentService.exe
3508	ProductAgentService.exe
3508	ProductAgentService.exe
3508	ProductAgentService.exe
3508	ProductAgentService.exe
3508	ProductAgentService.exe
3508	ProductAgentService.exe
3508	ProductAgentService.exe
3508	ProductAgentService.exe
3508	ProductAgentService.exe
1040	DiscoverySrv.exe
1040	DiscoverySrv.exe
1040	DiscoverySrv.exe
1504	installer.exe
3508	ProductAgentService.exe
3508	ProductAgentService.exe
2144	ProductAgentService.exe
2144	ProductAgentService.exe
2144	ProductAgentService.exe
2144	ProductAgentService.exe
2440	ProductAgentUI.exe
2440	ProductAgentUI.exe
2440	ProductAgentUI.exe
2440	ProductAgentUI.exe
788	WatchDog.exe
788	WatchDog.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 17 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	bddeploy.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ProductAgentService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	bdredline.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ProductAgentService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DiscoverySrv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ProductAgentService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WatchDog.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	setuppackage.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	installer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ProductAgentService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ProductAgentService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	bitdefender_avfree.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ProductAgentService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	agent_launcher.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DiscoverySrv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	regsvr32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ProductAgentUI.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	ProductAgentService.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	ProductAgentService.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot	ProductAgentService.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs	ProductAgentUI.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates	DiscoverySrv.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs	DiscoverySrv.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot	DiscoverySrv.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates	DiscoverySrv.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	ProductAgentService.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs	DiscoverySrv.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs	ProductAgentUI.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs	DiscoverySrv.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	ProductAgentUI.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs	WatchDog.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs	DiscoverySrv.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates	ProductAgentService.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs	DiscoverySrv.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	ProductAgentUI.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs	ProductAgentUI.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs	DiscoverySrv.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs	DiscoverySrv.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs	ProductAgentService.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates	ProductAgentUI.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs	ProductAgentUI.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	DiscoverySrv.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs	DiscoverySrv.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates	ProductAgentUI.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs	WatchDog.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs	DiscoverySrv.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs	DiscoverySrv.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs	DiscoverySrv.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs	ProductAgentUI.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs	WatchDog.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Bitdefender\Bdch	ProductAgentService.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot	DiscoverySrv.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	ProductAgentService.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs	WatchDog.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs	WatchDog.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs	WatchDog.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	ProductAgentService.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs	ProductAgentService.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs	ProductAgentService.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	ProductAgentUI.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates	ProductAgentUI.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs	ProductAgentService.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs	ProductAgentUI.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs	ProductAgentUI.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs	WatchDog.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates	ProductAgentService.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Bitdefender	ProductAgentService.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs	DiscoverySrv.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	ProductAgentService.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs	ProductAgentService.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs	WatchDog.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	DiscoverySrv.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs	ProductAgentUI.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs	DiscoverySrv.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	ProductAgentUI.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	WatchDog.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs	DiscoverySrv.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs	DiscoverySrv.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates	WatchDog.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Bitdefender	bdredline.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	DiscoverySrv.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	ProductAgentUI.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates	WatchDog.exe

Modifies registry class 44 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\ProductAgent.UPNPDevice\CurVer	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{D19631EE-4E47-4BA9-BA2E-C5FF909E2C61}\1.0\FLAGS	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{753FDF26-44A2-47B5-B65E-2E207BD5BC0C}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CB23A858-ED47-425B-AAD2-D809C11E1DA6}\ProgID	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CB23A858-ED47-425B-AAD2-D809C11E1DA6}\TypeLib\ = "{D19631EE-4E47-4BA9-BA2E-C5FF909E2C61}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{D19631EE-4E47-4BA9-BA2E-C5FF909E2C61}\1.0\HELPDIR	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{753FDF26-44A2-47B5-B65E-2E207BD5BC0C}\ = "IUPnPService_SCPD"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{753FDF26-44A2-47B5-B65E-2E207BD5BC0C}\TypeLib\Version = "1.0"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{753FDF26-44A2-47B5-B65E-2E207BD5BC0C}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\ProductAgent.UPNPDevice.1	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CB23A858-ED47-425B-AAD2-D809C11E1DA6}\InprocServer32\ = "C:\\Program Files\\Bitdefender Agent\\27.0.1.266\\DiscoveryComp.dll"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{753FDF26-44A2-47B5-B65E-2E207BD5BC0C}\ProxyStubClsid32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{753FDF26-44A2-47B5-B65E-2E207BD5BC0C}\TypeLib\ = "{D19631EE-4E47-4BA9-BA2E-C5FF909E2C61}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\ProductAgent.UPNPDevice.1\CLSID	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CB23A858-ED47-425B-AAD2-D809C11E1DA6}\ = "UPNPDevice Class"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CB23A858-ED47-425B-AAD2-D809C11E1DA6}\VersionIndependentProgID\ = "ProductAgent.UPNPDevice"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CB23A858-ED47-425B-AAD2-D809C11E1DA6}\Programmable	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{753FDF26-44A2-47B5-B65E-2E207BD5BC0C}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CB23A858-ED47-425B-AAD2-D809C11E1DA6}\InprocServer32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CB23A858-ED47-425B-AAD2-D809C11E1DA6}\InprocServer32\ThreadingModel = "Free"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{D19631EE-4E47-4BA9-BA2E-C5FF909E2C61}\1.0\FLAGS\ = "0"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{753FDF26-44A2-47B5-B65E-2E207BD5BC0C}\TypeLib\ = "{D19631EE-4E47-4BA9-BA2E-C5FF909E2C61}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{753FDF26-44A2-47B5-B65E-2E207BD5BC0C}\ = "IUPnPService_SCPD"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\ProductAgent.UPNPDevice	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CB23A858-ED47-425B-AAD2-D809C11E1DA6}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CB23A858-ED47-425B-AAD2-D809C11E1DA6}\VersionIndependentProgID	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{753FDF26-44A2-47B5-B65E-2E207BD5BC0C}\TypeLib	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{753FDF26-44A2-47B5-B65E-2E207BD5BC0C}\ProxyStubClsid32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{753FDF26-44A2-47B5-B65E-2E207BD5BC0C}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\ProductAgent.UPNPDevice.1\ = "UPNPDevice Class"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\ProductAgent.UPNPDevice\ = "UPNPDevice Class"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CB23A858-ED47-425B-AAD2-D809C11E1DA6}\ProgID\ = "ProductAgent.UPNPDevice.1"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CB23A858-ED47-425B-AAD2-D809C11E1DA6}\TypeLib	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{D19631EE-4E47-4BA9-BA2E-C5FF909E2C61}\1.0\ = "ProductAgent UPNP Service Type Library"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{D19631EE-4E47-4BA9-BA2E-C5FF909E2C61}\1.0\0\win32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{D19631EE-4E47-4BA9-BA2E-C5FF909E2C61}\1.0\0\win32\ = "C:\\Program Files\\Bitdefender Agent\\27.0.1.266\\DiscoveryComp.dll"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{D19631EE-4E47-4BA9-BA2E-C5FF909E2C61}\1.0\HELPDIR\ = "C:\\Program Files\\Bitdefender Agent\\27.0.1.266"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{753FDF26-44A2-47B5-B65E-2E207BD5BC0C}\TypeLib	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\ProductAgent.UPNPDevice.1\CLSID\ = "{CB23A858-ED47-425B-AAD2-D809C11E1DA6}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\ProductAgent.UPNPDevice\CurVer\ = "ProductAgent.UPNPDevice.1"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{D19631EE-4E47-4BA9-BA2E-C5FF909E2C61}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{D19631EE-4E47-4BA9-BA2E-C5FF909E2C61}\1.0	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{D19631EE-4E47-4BA9-BA2E-C5FF909E2C61}\1.0\0	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{753FDF26-44A2-47B5-B65E-2E207BD5BC0C}\TypeLib\Version = "1.0"	regsvr32.exe

Modifies system certificate store 2 TTPs 5 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

description	ioc	Process
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DDFB16CD4931C973A2037D3FC83A4D7D775D05E4\Blob = 5c000000010000000400000000100000190000000100000010000000ffac207997bb2cfe865570179ee037b9030000000100000014000000ddfb16cd4931c973a2037d3fc83a4d7d775d05e41d0000000100000010000000a86dc6a233eb339610f3ed414927c559140000000100000014000000ecd7e382d2715d644cdf2e673fe7ba98ae1c0f4f620000000100000020000000552f7bdcf1a7af9e6ce672017f4f12abf77240c78e761ac203d1d9d20ac899880b00000001000000320000004400690067006900430065007200740020005400720075007300740065006400200052006f006f0074002000470034000000090000000100000034000000303206082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030106082b06010505070308530000000100000040000000303e301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c00f00000001000000300000004ea1b34b10b982a96a38915843507820ad632c6aad8343e337b34d660cd8366fa154544ae80668ae1fdf3931d57e199604000000010000001000000078f2fcaa601f2fb4ebc937ba532e75492000000001000000940500003082059030820378a0030201020210059b1b579e8e2132e23907bda777755c300d06092a864886f70d01010c05003062310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3121301f060355040313184469676943657274205472757374656420526f6f74204734301e170d3133303830313132303030305a170d3338303131353132303030305a3062310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3121301f060355040313184469676943657274205472757374656420526f6f7420473430820222300d06092a864886f70d01010105000382020f003082020a0282020100bfe6907368debbe45d4a3c3022306933ecc2a7252ec9213df28ad859c2e129a73d58ab769acdae7b1b840dc4301ff31ba43816eb56c6976d1dabb279f2ca11d2e45fd6053c520f521fc69e15a57ebe9fa95716595572af689370c2b2ba75996a733294d11044102edf82f30784e6743b6d71e22d0c1bee20d5c9201d63292dceec5e4ec893f821619b34eb05c65eec5b1abcebc9cfcdac34405fb17a66ee77c848a86657579f54588e0c2bb74fa730d956eeca7b5de3adc94f5ee535e731cbda935edc8e8f80dab69198409079c378c7b6b1c4b56a183803108dd8d437a42e057d88f5823e109170ab55824132d7db04732a6e91017c214cd4bcae1b03755d7866d93a31449a3340bf08d75a49a4c2e6a9a067dda427bca14f39b5115817f7245c468f64f7c169887698763d595d4276878997697a48f0e0a2121b669a74cade4b1ee70e63aee6d4ef92923a9e3ddc00e4452589b69a44192b7ec094b4d2616deb33d9c5df4b0400cc7d1c95c38ff721b2b211b7bb7ff2d58c702c4160aab1631844951a76627ef680b0fbe864a633d18907e1bdb7e643a418b8a67701e10f940c211db2542925896ce50e52514774be26acb64175de7aac5f8d3fc9bcd34111125be51050eb31c5ca72162209df7c4c753f63ec215fc420516b6fb1ab868b4fc2d6455f9d20fca11ec5c08fa2b17e0a2699f5e4692f981d2df5d9a9b21de51b0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020186301d0603551d0e04160414ecd7e382d2715d644cdf2e673fe7ba98ae1c0f4f300d06092a864886f70d01010c05000382020100bb61d97da96cbe17c4911bc3a1a2008de364680f56cf77ae70f9fd9a4a99b9c9785c0c0c5fe4e61429560b36495d4463e0ad9c9618661b230d3d79e96d6bd654f8d23cc14340ae1d50f552fc903bbb9899696bc7c1a7a868a427dc9df927ae3085b9f6674d3a3e8f5939225344ebc85d03caed507a7d62210a80c87366d1a005605fe8a5b4a7afa8f76d359c7c5a8ad6a23899f3788bf44dd2200bde04ee8c9b4781720dc01432ef30592eaee071f256e46a976f92506d968d687a9ab236147a06f224b9091150d708b1b8897a8423614229e5a3cda22041d7d19c64d9ea26a18b14d74c19b25041713d3f4d7023860c4adc81d2cc3294840d0809971c4fc0ee6b207430d2e03934108521150108e85532de7149d92817504de6be4dd175acd0cafb41b843a5aad3c305444f2c369be2fae245b823536c066f67557f46b54c3f6e285a7926d2a4a86297d21ee2ed4a8bbc1bfd474a0ddf67667eb25b41d03be4f43bf40463e9efc2540051a08a2ac9ce78ccd5ea870418b3ceaf4988aff39299b6b3e6610fd28500e7501ae41b959d19a1b99cb19bb1001eefd00f4f426cc90abcee43fa3a71a5c84d26a535fd895dbc85621d32d2a02b54ed9a57c1dbfa10cf19b78b4a1b8f01b6279553e8b6896d5bbc68d423e88b51a256f9f0a680a0d61eb3bc0f0f537529aaea1377e4de8c8121ad07104711ad873d07d175bccff3667e	agent_launcher.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DDFB16CD4931C973A2037D3FC83A4D7D775D05E4	agent_launcher.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DDFB16CD4931C973A2037D3FC83A4D7D775D05E4\Blob = 0f00000001000000300000004ea1b34b10b982a96a38915843507820ad632c6aad8343e337b34d660cd8366fa154544ae80668ae1fdf3931d57e1996530000000100000040000000303e301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0090000000100000034000000303206082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030106082b060105050703080b00000001000000320000004400690067006900430065007200740020005400720075007300740065006400200052006f006f0074002000470034000000620000000100000020000000552f7bdcf1a7af9e6ce672017f4f12abf77240c78e761ac203d1d9d20ac89988140000000100000014000000ecd7e382d2715d644cdf2e673fe7ba98ae1c0f4f1d0000000100000010000000a86dc6a233eb339610f3ed414927c559030000000100000014000000ddfb16cd4931c973a2037d3fc83a4d7d775d05e42000000001000000940500003082059030820378a0030201020210059b1b579e8e2132e23907bda777755c300d06092a864886f70d01010c05003062310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3121301f060355040313184469676943657274205472757374656420526f6f74204734301e170d3133303830313132303030305a170d3338303131353132303030305a3062310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3121301f060355040313184469676943657274205472757374656420526f6f7420473430820222300d06092a864886f70d01010105000382020f003082020a0282020100bfe6907368debbe45d4a3c3022306933ecc2a7252ec9213df28ad859c2e129a73d58ab769acdae7b1b840dc4301ff31ba43816eb56c6976d1dabb279f2ca11d2e45fd6053c520f521fc69e15a57ebe9fa95716595572af689370c2b2ba75996a733294d11044102edf82f30784e6743b6d71e22d0c1bee20d5c9201d63292dceec5e4ec893f821619b34eb05c65eec5b1abcebc9cfcdac34405fb17a66ee77c848a86657579f54588e0c2bb74fa730d956eeca7b5de3adc94f5ee535e731cbda935edc8e8f80dab69198409079c378c7b6b1c4b56a183803108dd8d437a42e057d88f5823e109170ab55824132d7db04732a6e91017c214cd4bcae1b03755d7866d93a31449a3340bf08d75a49a4c2e6a9a067dda427bca14f39b5115817f7245c468f64f7c169887698763d595d4276878997697a48f0e0a2121b669a74cade4b1ee70e63aee6d4ef92923a9e3ddc00e4452589b69a44192b7ec094b4d2616deb33d9c5df4b0400cc7d1c95c38ff721b2b211b7bb7ff2d58c702c4160aab1631844951a76627ef680b0fbe864a633d18907e1bdb7e643a418b8a67701e10f940c211db2542925896ce50e52514774be26acb64175de7aac5f8d3fc9bcd34111125be51050eb31c5ca72162209df7c4c753f63ec215fc420516b6fb1ab868b4fc2d6455f9d20fca11ec5c08fa2b17e0a2699f5e4692f981d2df5d9a9b21de51b0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020186301d0603551d0e04160414ecd7e382d2715d644cdf2e673fe7ba98ae1c0f4f300d06092a864886f70d01010c05000382020100bb61d97da96cbe17c4911bc3a1a2008de364680f56cf77ae70f9fd9a4a99b9c9785c0c0c5fe4e61429560b36495d4463e0ad9c9618661b230d3d79e96d6bd654f8d23cc14340ae1d50f552fc903bbb9899696bc7c1a7a868a427dc9df927ae3085b9f6674d3a3e8f5939225344ebc85d03caed507a7d62210a80c87366d1a005605fe8a5b4a7afa8f76d359c7c5a8ad6a23899f3788bf44dd2200bde04ee8c9b4781720dc01432ef30592eaee071f256e46a976f92506d968d687a9ab236147a06f224b9091150d708b1b8897a8423614229e5a3cda22041d7d19c64d9ea26a18b14d74c19b25041713d3f4d7023860c4adc81d2cc3294840d0809971c4fc0ee6b207430d2e03934108521150108e85532de7149d92817504de6be4dd175acd0cafb41b843a5aad3c305444f2c369be2fae245b823536c066f67557f46b54c3f6e285a7926d2a4a86297d21ee2ed4a8bbc1bfd474a0ddf67667eb25b41d03be4f43bf40463e9efc2540051a08a2ac9ce78ccd5ea870418b3ceaf4988aff39299b6b3e6610fd28500e7501ae41b959d19a1b99cb19bb1001eefd00f4f426cc90abcee43fa3a71a5c84d26a535fd895dbc85621d32d2a02b54ed9a57c1dbfa10cf19b78b4a1b8f01b6279553e8b6896d5bbc68d423e88b51a256f9f0a680a0d61eb3bc0f0f537529aaea1377e4de8c8121ad07104711ad873d07d175bccff3667e	agent_launcher.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DDFB16CD4931C973A2037D3FC83A4D7D775D05E4\Blob = 190000000100000010000000ffac207997bb2cfe865570179ee037b9030000000100000014000000ddfb16cd4931c973a2037d3fc83a4d7d775d05e41d0000000100000010000000a86dc6a233eb339610f3ed414927c559140000000100000014000000ecd7e382d2715d644cdf2e673fe7ba98ae1c0f4f620000000100000020000000552f7bdcf1a7af9e6ce672017f4f12abf77240c78e761ac203d1d9d20ac899880b00000001000000320000004400690067006900430065007200740020005400720075007300740065006400200052006f006f0074002000470034000000090000000100000034000000303206082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030106082b06010505070308530000000100000040000000303e301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c00f00000001000000300000004ea1b34b10b982a96a38915843507820ad632c6aad8343e337b34d660cd8366fa154544ae80668ae1fdf3931d57e19962000000001000000940500003082059030820378a0030201020210059b1b579e8e2132e23907bda777755c300d06092a864886f70d01010c05003062310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3121301f060355040313184469676943657274205472757374656420526f6f74204734301e170d3133303830313132303030305a170d3338303131353132303030305a3062310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3121301f060355040313184469676943657274205472757374656420526f6f7420473430820222300d06092a864886f70d01010105000382020f003082020a0282020100bfe6907368debbe45d4a3c3022306933ecc2a7252ec9213df28ad859c2e129a73d58ab769acdae7b1b840dc4301ff31ba43816eb56c6976d1dabb279f2ca11d2e45fd6053c520f521fc69e15a57ebe9fa95716595572af689370c2b2ba75996a733294d11044102edf82f30784e6743b6d71e22d0c1bee20d5c9201d63292dceec5e4ec893f821619b34eb05c65eec5b1abcebc9cfcdac34405fb17a66ee77c848a86657579f54588e0c2bb74fa730d956eeca7b5de3adc94f5ee535e731cbda935edc8e8f80dab69198409079c378c7b6b1c4b56a183803108dd8d437a42e057d88f5823e109170ab55824132d7db04732a6e91017c214cd4bcae1b03755d7866d93a31449a3340bf08d75a49a4c2e6a9a067dda427bca14f39b5115817f7245c468f64f7c169887698763d595d4276878997697a48f0e0a2121b669a74cade4b1ee70e63aee6d4ef92923a9e3ddc00e4452589b69a44192b7ec094b4d2616deb33d9c5df4b0400cc7d1c95c38ff721b2b211b7bb7ff2d58c702c4160aab1631844951a76627ef680b0fbe864a633d18907e1bdb7e643a418b8a67701e10f940c211db2542925896ce50e52514774be26acb64175de7aac5f8d3fc9bcd34111125be51050eb31c5ca72162209df7c4c753f63ec215fc420516b6fb1ab868b4fc2d6455f9d20fca11ec5c08fa2b17e0a2699f5e4692f981d2df5d9a9b21de51b0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020186301d0603551d0e04160414ecd7e382d2715d644cdf2e673fe7ba98ae1c0f4f300d06092a864886f70d01010c05000382020100bb61d97da96cbe17c4911bc3a1a2008de364680f56cf77ae70f9fd9a4a99b9c9785c0c0c5fe4e61429560b36495d4463e0ad9c9618661b230d3d79e96d6bd654f8d23cc14340ae1d50f552fc903bbb9899696bc7c1a7a868a427dc9df927ae3085b9f6674d3a3e8f5939225344ebc85d03caed507a7d62210a80c87366d1a005605fe8a5b4a7afa8f76d359c7c5a8ad6a23899f3788bf44dd2200bde04ee8c9b4781720dc01432ef30592eaee071f256e46a976f92506d968d687a9ab236147a06f224b9091150d708b1b8897a8423614229e5a3cda22041d7d19c64d9ea26a18b14d74c19b25041713d3f4d7023860c4adc81d2cc3294840d0809971c4fc0ee6b207430d2e03934108521150108e85532de7149d92817504de6be4dd175acd0cafb41b843a5aad3c305444f2c369be2fae245b823536c066f67557f46b54c3f6e285a7926d2a4a86297d21ee2ed4a8bbc1bfd474a0ddf67667eb25b41d03be4f43bf40463e9efc2540051a08a2ac9ce78ccd5ea870418b3ceaf4988aff39299b6b3e6610fd28500e7501ae41b959d19a1b99cb19bb1001eefd00f4f426cc90abcee43fa3a71a5c84d26a535fd895dbc85621d32d2a02b54ed9a57c1dbfa10cf19b78b4a1b8f01b6279553e8b6896d5bbc68d423e88b51a256f9f0a680a0d61eb3bc0f0f537529aaea1377e4de8c8121ad07104711ad873d07d175bccff3667e	agent_launcher.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DDFB16CD4931C973A2037D3FC83A4D7D775D05E4\Blob = 04000000010000001000000078f2fcaa601f2fb4ebc937ba532e75490f00000001000000300000004ea1b34b10b982a96a38915843507820ad632c6aad8343e337b34d660cd8366fa154544ae80668ae1fdf3931d57e1996530000000100000040000000303e301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0090000000100000034000000303206082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030106082b060105050703080b00000001000000320000004400690067006900430065007200740020005400720075007300740065006400200052006f006f0074002000470034000000620000000100000020000000552f7bdcf1a7af9e6ce672017f4f12abf77240c78e761ac203d1d9d20ac89988140000000100000014000000ecd7e382d2715d644cdf2e673fe7ba98ae1c0f4f1d0000000100000010000000a86dc6a233eb339610f3ed414927c559030000000100000014000000ddfb16cd4931c973a2037d3fc83a4d7d775d05e4190000000100000010000000ffac207997bb2cfe865570179ee037b92000000001000000940500003082059030820378a0030201020210059b1b579e8e2132e23907bda777755c300d06092a864886f70d01010c05003062310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3121301f060355040313184469676943657274205472757374656420526f6f74204734301e170d3133303830313132303030305a170d3338303131353132303030305a3062310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3121301f060355040313184469676943657274205472757374656420526f6f7420473430820222300d06092a864886f70d01010105000382020f003082020a0282020100bfe6907368debbe45d4a3c3022306933ecc2a7252ec9213df28ad859c2e129a73d58ab769acdae7b1b840dc4301ff31ba43816eb56c6976d1dabb279f2ca11d2e45fd6053c520f521fc69e15a57ebe9fa95716595572af689370c2b2ba75996a733294d11044102edf82f30784e6743b6d71e22d0c1bee20d5c9201d63292dceec5e4ec893f821619b34eb05c65eec5b1abcebc9cfcdac34405fb17a66ee77c848a86657579f54588e0c2bb74fa730d956eeca7b5de3adc94f5ee535e731cbda935edc8e8f80dab69198409079c378c7b6b1c4b56a183803108dd8d437a42e057d88f5823e109170ab55824132d7db04732a6e91017c214cd4bcae1b03755d7866d93a31449a3340bf08d75a49a4c2e6a9a067dda427bca14f39b5115817f7245c468f64f7c169887698763d595d4276878997697a48f0e0a2121b669a74cade4b1ee70e63aee6d4ef92923a9e3ddc00e4452589b69a44192b7ec094b4d2616deb33d9c5df4b0400cc7d1c95c38ff721b2b211b7bb7ff2d58c702c4160aab1631844951a76627ef680b0fbe864a633d18907e1bdb7e643a418b8a67701e10f940c211db2542925896ce50e52514774be26acb64175de7aac5f8d3fc9bcd34111125be51050eb31c5ca72162209df7c4c753f63ec215fc420516b6fb1ab868b4fc2d6455f9d20fca11ec5c08fa2b17e0a2699f5e4692f981d2df5d9a9b21de51b0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020186301d0603551d0e04160414ecd7e382d2715d644cdf2e673fe7ba98ae1c0f4f300d06092a864886f70d01010c05000382020100bb61d97da96cbe17c4911bc3a1a2008de364680f56cf77ae70f9fd9a4a99b9c9785c0c0c5fe4e61429560b36495d4463e0ad9c9618661b230d3d79e96d6bd654f8d23cc14340ae1d50f552fc903bbb9899696bc7c1a7a868a427dc9df927ae3085b9f6674d3a3e8f5939225344ebc85d03caed507a7d62210a80c87366d1a005605fe8a5b4a7afa8f76d359c7c5a8ad6a23899f3788bf44dd2200bde04ee8c9b4781720dc01432ef30592eaee071f256e46a976f92506d968d687a9ab236147a06f224b9091150d708b1b8897a8423614229e5a3cda22041d7d19c64d9ea26a18b14d74c19b25041713d3f4d7023860c4adc81d2cc3294840d0809971c4fc0ee6b207430d2e03934108521150108e85532de7149d92817504de6be4dd175acd0cafb41b843a5aad3c305444f2c369be2fae245b823536c066f67557f46b54c3f6e285a7926d2a4a86297d21ee2ed4a8bbc1bfd474a0ddf67667eb25b41d03be4f43bf40463e9efc2540051a08a2ac9ce78ccd5ea870418b3ceaf4988aff39299b6b3e6610fd28500e7501ae41b959d19a1b99cb19bb1001eefd00f4f426cc90abcee43fa3a71a5c84d26a535fd895dbc85621d32d2a02b54ed9a57c1dbfa10cf19b78b4a1b8f01b6279553e8b6896d5bbc68d423e88b51a256f9f0a680a0d61eb3bc0f0f537529aaea1377e4de8c8121ad07104711ad873d07d175bccff3667e	agent_launcher.exe

Suspicious behavior: EnumeratesProcesses 10 IoCs

pid	Process
3508	ProductAgentService.exe
3508	ProductAgentService.exe
3508	ProductAgentService.exe
3508	ProductAgentService.exe
3508	ProductAgentService.exe
3508	ProductAgentService.exe
3508	ProductAgentService.exe
3508	ProductAgentService.exe
3508	ProductAgentService.exe
3508	ProductAgentService.exe

Suspicious use of AdjustPrivilegeToken 8 IoCs

description	pid	Process
Token: SeDebugPrivilege	1504	installer.exe
Token: 35	1504	installer.exe
Token: 35	1504	installer.exe
Token: 35	1504	installer.exe
Token: SeRestorePrivilege	1504	installer.exe
Token: SeDebugPrivilege	3508	ProductAgentService.exe
Token: SeDebugPrivilege	3508	ProductAgentService.exe
Token: SeDebugPrivilege	3508	ProductAgentService.exe

Suspicious use of WriteProcessMemory 42 IoCs

description	pid	Process	procid_target
PID 2752 wrote to memory of 4856	2752	bitdefender_avfree.exe	82
PID 2752 wrote to memory of 4856	2752	bitdefender_avfree.exe	82
PID 2752 wrote to memory of 4856	2752	bitdefender_avfree.exe	82
PID 4856 wrote to memory of 4472	4856	agent_launcher.exe	85
PID 4856 wrote to memory of 4472	4856	agent_launcher.exe	85
PID 4856 wrote to memory of 4472	4856	agent_launcher.exe	85
PID 4472 wrote to memory of 2408	4472	bddeploy.exe	86
PID 4472 wrote to memory of 2408	4472	bddeploy.exe	86
PID 4472 wrote to memory of 2408	4472	bddeploy.exe	86
PID 4472 wrote to memory of 1504	4472	bddeploy.exe	87
PID 4472 wrote to memory of 1504	4472	bddeploy.exe	87
PID 4472 wrote to memory of 1504	4472	bddeploy.exe	87
PID 1504 wrote to memory of 4152	1504	installer.exe	89
PID 1504 wrote to memory of 4152	1504	installer.exe	89
PID 1504 wrote to memory of 4152	1504	installer.exe	89
PID 1504 wrote to memory of 4980	1504	installer.exe	92
PID 1504 wrote to memory of 4980	1504	installer.exe	92
PID 1504 wrote to memory of 4980	1504	installer.exe	92
PID 1504 wrote to memory of 4000	1504	installer.exe	93
PID 1504 wrote to memory of 4000	1504	installer.exe	93
PID 1504 wrote to memory of 4000	1504	installer.exe	93
PID 1504 wrote to memory of 2140	1504	installer.exe	94
PID 1504 wrote to memory of 2140	1504	installer.exe	94
PID 1504 wrote to memory of 2140	1504	installer.exe	94
PID 3508 wrote to memory of 1624	3508	ProductAgentService.exe	96
PID 3508 wrote to memory of 1624	3508	ProductAgentService.exe	96
PID 3508 wrote to memory of 1624	3508	ProductAgentService.exe	96
PID 1624 wrote to memory of 3696	1624	DiscoverySrv.exe	97
PID 1624 wrote to memory of 3696	1624	DiscoverySrv.exe	97
PID 1624 wrote to memory of 3696	1624	DiscoverySrv.exe	97
PID 3508 wrote to memory of 1040	3508	ProductAgentService.exe	98
PID 3508 wrote to memory of 1040	3508	ProductAgentService.exe	98
PID 3508 wrote to memory of 1040	3508	ProductAgentService.exe	98
PID 3508 wrote to memory of 2144	3508	ProductAgentService.exe	100
PID 3508 wrote to memory of 2144	3508	ProductAgentService.exe	100
PID 3508 wrote to memory of 2144	3508	ProductAgentService.exe	100
PID 3508 wrote to memory of 2440	3508	ProductAgentService.exe	102
PID 3508 wrote to memory of 2440	3508	ProductAgentService.exe	102
PID 3508 wrote to memory of 2440	3508	ProductAgentService.exe	102
PID 3508 wrote to memory of 788	3508	ProductAgentService.exe	103
PID 3508 wrote to memory of 788	3508	ProductAgentService.exe	103
PID 3508 wrote to memory of 788	3508	ProductAgentService.exe	103

C:\Users\Admin\AppData\Local\Temp\bitdefender_avfree.exe
"C:\Users\Admin\AppData\Local\Temp\bitdefender_avfree.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2752
- C:\Users\Admin\AppData\Local\Temp\RarSFX0\agent_launcher.exe
  "C:\Users\Admin\AppData\Local\Temp\RarSFX0\agent_launcher.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Modifies system certificate store
  - Suspicious use of WriteProcessMemory
  PID:4856
- - C:\Users\Admin\AppData\Local\Temp\RarSFX0\bddeploy.exe
    "C:\Users\Admin\AppData\Local\Temp\RarSFX0\bddeploy.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:4472
  - - C:\Users\Admin\AppData\Local\Temp\RarSFX0\packages\setuppackage.exe
      "C:\Users\Admin\AppData\Local\Temp\RarSFX0\packages\setuppackage.exe"
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      PID:2408
  - - C:\Users\Admin\AppData\Local\Temp\RarSFX0\packages\installer.exe
      "C:\Users\Admin\AppData\Local\Temp\RarSFX0\packages\installer.exe"
      4⤵
      Drops file in Program Files directory
      Executes dropped EXE
      Loads dropped DLL
      System Location Discovery: System Language Discovery
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:1504
    - - C:\Program Files\Bitdefender Agent\ProductAgentService.exe
        
        "C:\Program Files\Bitdefender Agent\ProductAgentService.exe" protect
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:4152
    - - C:\Program Files\Bitdefender Agent\ProductAgentService.exe
        
        "C:\Program Files\Bitdefender Agent\ProductAgentService.exe" install
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:4980
    - - C:\Program Files\Bitdefender Agent\ProductAgentService.exe
        
        "C:\Program Files\Bitdefender Agent\ProductAgentService.exe" enable
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:4000
    - - C:\Program Files\Bitdefender Agent\ProductAgentService.exe
        
        "C:\Program Files\Bitdefender Agent\ProductAgentService.exe" start "C:\Users\Admin\AppData\Local\Temp\bitdefender_avfree.exe"
        5⤵
        Drops file in Program Files directory
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:2140

C:\Program Files\Bitdefender Agent\redline\bdredline.exe
"C:\Program Files\Bitdefender Agent\redline\bdredline.exe"
1⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Modifies data under HKEY_USERS
PID:1844

C:\Program Files\Bitdefender Agent\ProductAgentService.exe
"C:\Program Files\Bitdefender Agent\ProductAgentService.exe"
1⤵
- Drops file in System32 directory
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Checks processor information in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3508
- C:\Program Files\Bitdefender Agent\27.0.1.266\DiscoverySrv.exe
  "C:\Program Files\Bitdefender Agent\27.0.1.266\DiscoverySrv.exe" install
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Modifies data under HKEY_USERS
  - Suspicious use of WriteProcessMemory
  PID:1624
- - C:\Windows\SysWOW64\regsvr32.exe
    regsvr32 /s "C:\Program Files\Bitdefender Agent\27.0.1.266\DiscoveryComp.dll"
    3⤵
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    PID:3696
- C:\Program Files\Bitdefender Agent\27.0.1.266\DiscoverySrv.exe
  "C:\Program Files\Bitdefender Agent\27.0.1.266\DiscoverySrv.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Modifies data under HKEY_USERS
  PID:1040
- C:\Program Files\Bitdefender Agent\ProductAgentService.exe
  "ProductAgentService.exe" login_silent
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  PID:2144
- C:\Program Files\Bitdefender Agent\27.0.1.266\ProductAgentUI.exe
  "C:\Program Files\Bitdefender Agent\27.0.1.266\ProductAgentUI.exe" show=progress event_retry=Global\7295237F-E98C-4C46-A4A4-07F0D66278C2 app_name="Bitdefender Security"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Modifies data under HKEY_USERS
  PID:2440
- C:\Program Files\Bitdefender Agent\27.0.1.266\WatchDog.exe
  "C:\Program Files\Bitdefender Agent\27.0.1.266\WatchDog.exe" install
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Modifies data under HKEY_USERS
  PID:788

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation -p -s upnphost
1⤵
- Drops file in Windows directory
PID:3172

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Subvert Trust Controls

T1553

Install Root Certificate

T1553.004

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\Bitdefender Agent\27.0.1.266\ProductAgent.dll

Filesize
1.6MB

MD5
040085a581765d2e45821d944e60d64f

SHA1
ebb4c62842a323d06274d4cab99fd51044412c27

SHA256
efcc3b7457195adb080986525b34cda9e0d5a3582e953f4d2733257039b40db8

SHA512
adb5ba2d2e2c518296a73d0b6c2ded9f3ae8a84f250f7180c4bf833093709fe0cd30ea10c4d2cecb392f9992973a5f707884d9bf6506e84b9c379516a1b60e6f

Download Submit
C:\Program Files\Bitdefender Agent\27.0.1.266\bdch.json

Filesize
1KB

MD5
500b776f0a312aaa5b650066683feda2

SHA1
99b07db332a6ff88d02a5327d8e64c10d5a15c5c

SHA256
7765e1cfb8308d93eef8c86e6ce63ab6765add56d62d1277158f2fd434ae944d

SHA512
ae034f2ef3f18df18f31f3eaa6fbbd22b946dab35ea9d2b57ba7ed023954add8200ca74d5058e74cdfc0d80a7e6c681ecc079aff1a1272cf6210c6805e6540bd

Download Submit
C:\Program Files\Bitdefender Agent\27.0.1.266\bdec.dll

Filesize
508KB

MD5
e2a0334684b05bf05a953b80a4832d20

SHA1
d29dec0042c65ac02c411e4caed37a5e1aa84d5b

SHA256
7dedb34158f800166567887c7a007a85eca0be379d20d51da3230f66c6b094c0

SHA512
0d486947d1c87ee632930afb49dae1061bee5b271e16a419c9e37a92c7083509de3e8980a73f8a9f2724421612f2cb9d33ea4156ab5c3afa34e4a98fed84ea92

Download Submit
C:\Program Files\Bitdefender Agent\27.0.1.266\bdec.ini

Filesize
129B

MD5
96d15c4f3db04429631866751a1d2890

SHA1
61066ffead2b6859e4d3fd497a78b05343ccf25e

SHA256
e8d31c1de790f738ef75daa0402584560a0672402d0d3ded0899d2dbc95fb911

SHA512
2e5c94e2d92eadd28f604ed1f04d6e2dc9d9a4ffb3c2270e9d19792ad41c0c536260616a17b433f4f2bc57b31b116ffa06eefb61955b98029f15593db4122189

Download Submit
C:\Program Files\Bitdefender Agent\27.0.1.266\bdnc.client_id

Filesize
36B

MD5
f4c2784aa289f17d144a589751c7980d

SHA1
b414dd690863acf3614c25c911697f1b16c24c62

SHA256
e6e827f81840ce8975cd5e30467ddc1661c3f407cd9d342d00800f32c01dcc26

SHA512
3f3f8f8ae91d679745189722c88d97d19e8728ce3289deda2e89a79061ad06d0a627a9783a9ef2a833f6a7843d882bebdae77d178f3d810b581093b299f2b70e

Download Submit
C:\Program Files\Bitdefender Agent\27.0.1.266\bdnc.dll

Filesize
2.6MB

MD5
c86511990365ac18cfb527e41a6f7eac

SHA1
d5119c749ba9c4f4a91120381cae151ce8cb82ad

SHA256
eb247a43d0cfd0662559f1e3a2bb6656a6b7d465c8d404d5a3ea090daad78196

SHA512
d76df94f69421921a04f768b04120cef09db6e6f8d8a930033893766444029c0be9c86250e49e9ea11c6d804cd16f4676ab0be860486d22f4992a65deaf30df5

Download Submit
C:\Program Files\Bitdefender Agent\27.0.1.266\bdnc.ini

Filesize
155B

MD5
758591d297b16ee7b5127f2fe3e67a27

SHA1
d782a572579a9f52e31bef5377997c7f9be28790

SHA256
2c6224951714e685114b51c4e598c2bad8c7bc16975f7401ac51e101afcab837

SHA512
808f47903ee90c68939aca97ca06b1523bc5355d7de6c1b3ec14d0cd560b3bf77abe7c429964176711b91bf6a9bb2a1a9fe22206daa465ff2ec55e55ccc2eff3

Download Submit
C:\Program Files\Bitdefender Agent\27.0.1.266\bdreinit.exe

Filesize
1.3MB

MD5
87708aa959b727dcbaf61e1e70e39102

SHA1
41742e628b8e5148e7dc79392bb14b51344418ed

SHA256
6192ff8a25dfe8fe1f8ae025fb727ac29e69dd8f6702e89793ee9c27d09b5109

SHA512
0a275257fa5baf92ba982e0d450ed1cd148c106b8a3170f30588df11089cec42b56e2371e62f675db87315622ddcc58bc42798d4927689a8dd4486abc5146b15

Download Submit
C:\Program Files\Bitdefender Agent\27.0.1.266\log.dll

Filesize
301KB

MD5
6a9e978a4fe23df6dd4c329db64bb893

SHA1
7220c35ec2aac2df1613969ea9fd388f007961c4

SHA256
77eea2da6b65bbcd7ab5852fa3fbbe9c2e8e090ed2af27c4d200ef06eb094154

SHA512
c677fdb998f076302a1acb782b5ab422220abbd686610514c16af9bb5aeafef4af4d04ba60c397db3181ac1cf24bf68571d4f611458976261508a794323b3637

Download Submit
C:\Program Files\Bitdefender Agent\27.0.1.266\settings\LoggerConfig.xml

Filesize
78B

MD5
bda7be337da35949bb617c42de5fd811

SHA1
bf5e6c6a7dc9f9ccdb6207ac0d31a1aa76ec93e6

SHA256
54e2f0d07609a40a45bb12d3a271eec1fb9021f62b756a4bdbdc42191fd79dcd

SHA512
19b96b62a4055bdf254b13acba70fb8a4ec606a45abfe4fbf97c29aeb16a9e12d4e2529339f7571f62558559111f493bc52797388bfe629194cc89fb9d1b275e

Download Submit
C:\Program Files\Bitdefender Agent\27.0.1.266\settings\ProductAgent.json

Filesize
973B

MD5
7a9089116cdda102d9a2d0621846a500

SHA1
ba1c5c58b072e247790f31e13fea0668605d62b5

SHA256
70d5b628a3da01b54abc0f9daa69335272236fb753050e0a905a1cb797530ac7

SHA512
617b1a3991dfccf6b325a1e53a5697372d99680784f5d557f06291f4c6fad5e2f1d448af56e97ff51d625f81295e45e622e6873d1b11356a4ef9e320b0d5de02

Download Submit
C:\Program Files\Bitdefender Agent\ProductAgentService.exe

Filesize
669KB

MD5
33bc0814d3ea990455a2e956a24fb71a

SHA1
09f9d7550d82512ddfdba4aafcb538a9eccab342

SHA256
79a1b5b25ddac2372655399805ee5f8d770e1083440c67247d7ab5a659909f37

SHA512
ea5a8cc2cce28e657d776d81e4d9865773eebc473a6052989d6f88b246bb907f9a3f260f7a816d9e30f752738e0fc18126e0b024f8e628422a58141148b5b5d3

Download Submit
C:\Program Files\Bitdefender Agent\ProductAgentUI.exe

Filesize
1.8MB

MD5
47f4ae0cf87bdc54a2ef7c4f4b11737f

SHA1
c3a9389a6614d0127253d5b6092752dd709570e8

SHA256
af2928fc85499f5e63c78147bc5f971e9155004f557db92a9bf48da6d912431d

SHA512
676619dc3d1c8f7978760bb5a26df62e87006df8c1aa4e6223204f11563dd284c17921e997fbb4f3923785c507b133dadb4b142467d8d48e5efab3b7f7dbb5cb

Download Submit
C:\Program Files\Bitdefender Agent\redline\bdch.dll

Filesize
1.7MB

MD5
3e42b901cb1c89e5994649703aa27d09

SHA1
2df41dc5b36165fa2d3d02f2e5eaed6e33f435b8

SHA256
3431e5ae5302dc04aecd77b1e52c2783c316a32e90349a8c418fb0e16e53a660

SHA512
e7ce58642f32bfcedd787d4c512945d2ec0ee445a9a65ede932196ea87395812729dc3fdb0a22fa601ccb73a9372385b8bdc844f65ba61748175213e7f838b64

Download Submit
C:\Program Files\Bitdefender Agent\redline\bdredline.bdch.json

Filesize
943B

MD5
63a8867e9f1d42eb8c10b7f37e49e860

SHA1
f352d54072a7a4181c14396cb59c86a58c1de43b

SHA256
f922ca9dfddb018730b5a8b78a5c10caf9a6140a505a0d1fe1e6a92240b7b3f5

SHA512
21fd2d7955512fe6b0c02520f380a78e1769304a61089c02ea7180e389a8bbc8090fdd474f908ef05b66196170e9a04cb7e157cdb0e68aa471b67261f2579977

Download Submit
C:\Program Files\Bitdefender Agent\redline\bdredline.conf

Filesize
357B

MD5
359c00356b7b0e3a871dccf4f5b7e17b

SHA1
2d12be84f3db7a11becc6838b13764103809924f

SHA256
6017a4af984473cb2c626419304c79f1dc33b1632e9601510a5c85323b319a55

SHA512
c6891cbb382983f605457f0ab11d33971b53eb305eb3ce9f518cb329a7f042da6f7634c13e9a8fc02c696e4295d95b5f2a2eb8ce3492b50654740617c900d1b3

Download Submit
C:\Program Files\Bitdefender Agent\redline\bdredline.exe

Filesize
2.5MB

MD5
bb8bdc561394c4ecfd2158d228da62b5

SHA1
34b46f4978ce08acf9c2218c22e8f2bf0d24a745

SHA256
ae283b45d858cb916f27b724db05049aceb424e049cd8c8a9b145547299f03c6

SHA512
8d02b3957c3efa279dccbd7aa521c372b03fd2afc2699f29bc178caaec8414baf0405987b5673b8d8e29c94bf962b08b36424ad08d0399b02b4319f5e7c5467e

Download Submit
C:\Program Files\Bitdefender Agent\version.json

Filesize
44B

MD5
d2de780f292bb508ac912c96910be873

SHA1
99235d586881e5a4cde571b096a8317584f1190b

SHA256
620a66403b2ffc67447fda1d2c839f454fb27026de3d3c3115b19c5d9e92bfc8

SHA512
1454e5cbdc6428e1efe00d2534a83a0defccf8406c4e51e19a508a618145db0b7b5e2d18da7063230d1077dcc844583132774619fd6b41959711cb710cb86b09

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\agent_launcher.exe

Filesize
245KB

MD5
3e68d3affb1d07b291b402b1f8733b52

SHA1
c5d817e20dcd38ef8e8902c05d8a13777b88bc03

SHA256
cca66104abc7b29b365f2f5f55579348f0b5645deafbd962fc802d18c520e676

SHA512
d80225bb9b61ae98d662ff3e95775e3bc3900d3820c669956a090ed076154be6a261b327cb872742aeb1d87dcc4b4fe16147b4b26394397b6bb86f3c446fccb6

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\bddeploy.exe

Filesize
399KB

MD5
3a1261cc0bee2591e29842495e3f6aeb

SHA1
13187dcb0b83a6ed856317e5bee716940e811724

SHA256
66436a1a34bb16464111ac1042189d99de00390235c4109ba04e3f3a2d83d467

SHA512
bed901f1345725c6d627021b44451d28fc967838bf7f74388f649f4e52e67e7724ff7807da754d4a54f0da4bd40c33ba6272dd76d130c302c2706f44f58fb77d

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\deploy.dll

Filesize
18KB

MD5
d8ccab8f709caebcc3995d689d40f5c3

SHA1
c79d9c047645ea578da59110b35d36bf097b0cc1

SHA256
4462742e00eab950190eeda7484cc8d931646cc417bb0a5503361535eee1275e

SHA512
9219c8a545080e3e84bc0cabba1f7a6dad6a41ddf248447431f8474274efcbf48d82887d2d851dd6504250ca78c9465d16a5e0ec66504e81d3479093ba741bec

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\packages\ProductAgentDP.dll

Filesize
499KB

MD5
0e170e693a13fcf60a3cd246a24e8822

SHA1
61829794e5d968c3c1c106953002c2851e1a992c

SHA256
6a5f84c751142ecf5bfca2bfcdd00f472fe03eda81125f4561fd7abe4e82ef86

SHA512
de97f1e6d1b1675dbced1c35f4916e74fbe7e28f049a3c6854a6ed1c74cd834a1a83e4642450f46f9a7da85ac70c4ebbcd42db55f3ef530c76cc76c714c4bd2a

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\packages\additional.dll

Filesize
1.4MB

MD5
cd10f317d54a8ba35e5ce85ba3b60220

SHA1
f1c33ddb09b0b30fb99917d2d9b8b0346fc20373

SHA256
ee05132599596b99f595b0ecf7783e7e119d5d03519b12fe9f3dbf5deef6fab4

SHA512
e9e56ce0b9a61283c18acaedbe22cf068a3b078e0836e3c0c2ed75d1a3e9199d834bf107321418c587cd235570b2ff48f0f04763d1ade475fb1a97255b2c479f

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\packages\agentpackage.exe

Filesize
8.3MB

MD5
7cd9464ae3a1bbe3c155f0353e5f681f

SHA1
a548d70989219c8de570055f87d93483ee9611b3

SHA256
16beff6d89dd76a4f22130f5e7b9d7a30ca0cb63893cb6591943bd8e6d3d7f72

SHA512
fc03ee68eac39e3c789da751197f28a9d649c3ad0ea407494710e2be812cb679f5e610b6c86596c527f6c207d3e066fd6c5d33b07fda0d22b7565910e956f2e5

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\packages\agentpackage.exe.md5

Filesize
32B

MD5
2af0f1b3dd50cb94efb978061c10a211

SHA1
ca172c17f6ecdf5e71746714414f440ea006e12a

SHA256
8381983de4108cd0a54000b11f85f9128b46b82645c4117d864e32d728c87900

SHA512
2925ec62649bfefdad7276e107671e1a638020ebbd838b5f6fe77ec1d7c9dd2d92aa7d1b6e419b7a54eac381da78c438d87b981efaffd4a7d81b365838e8004d

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\packages\bdnc.ini.md5

Filesize
34B

MD5
3a0a7d7823833be6e8af5ab1af295139

SHA1
1895dea63fb05e7e6f90e052936de086874c4c75

SHA256
a5f15ba3b16384b584780f2bbb0ef3e7fd49ccabd0b9ca10437882f65f49c7f2

SHA512
0d1377acaf8c5062e4ed7b3ad3fe0fbae594b6ce234aa9339471a31c63d6ea768c6cb2ca24820fc7726282c7fbbd41da29242cd3c288d7a0e8cc6b7e49c9835d

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\packages\bdredline.bdch.json

Filesize
730B

MD5
3266bd308834ee8d251433b44ee0a48d

SHA1
c271fbb539824ff577752d2f82b1b498a9ac91b7

SHA256
a773cf585925921309cc117e59ee87c56ae7e9f7e7532b4fb153e4ac72dac76e

SHA512
edcba4498e553b4e6d9eb28b7c29e880b04ab531435c50685d638769ac5ae74c6e3de8c02ecdcb385d05f347b27f2e1e6bab72ff45a16642013b28b44fe85321

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\packages\data\params.json

Filesize
86B

MD5
9210803f5a16907b21073ecb876050b1

SHA1
6e9a38c1acc9e98823c54ad51f4ca6a4593b0475

SHA256
c9128459dbcebc819dde6ea43d243420497fcf5a10b403cf708299a50e5d35f1

SHA512
390384bda65ad6ea0b96e15c99c655e0fff1ffb0f980965b71356488b4829ef720618fb9604f89611b4e9e4dd84797d67dfb184539eac6eeaeb96c72f97e982a

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\packages\installer.exe

Filesize
770KB

MD5
af850a5433c3ff2e33bc4222e14800e2

SHA1
74baf15228a800287d13771882bb4eefab75010b

SHA256
e19399997dc084d27126835a42b2e478a37223a6b2f649fe88490112bb6318ce

SHA512
f3ddaa6de21bf615894f638a2ab49d60a914ce30682596f3a2c5b8337ece1657c649c527cd99ce2b7db1dd3522caa4ab43afb228e1657f6fa32eabe2188b3b25

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\packages\lang\cs-CZ.txtui

Filesize
9KB

MD5
acfe51999ce2e2361e5f13e9b4fed750

SHA1
82be366bea26ca1eef8c35ca2f26a9baab8551e8

SHA256
6db99180a45cb0116807a7d83702651468a1982596a0187d2fd8b9fb9e3623e8

SHA512
5494f6b520767372f67b3f98c2aa80b35a53c8f7167a80f2b9d9908045ff412e5348f9f69eccaabe14433c2ac5ae826dac4cf71d3681b8c120c763f34d62f07d

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\packages\lang\de-DE.txtui

Filesize
9KB

MD5
5eb63b027646873e5c3c0ffa1a6e3ec0

SHA1
68f8e83c8d97ed0460ecb9d70a1bf9f25cd7b859

SHA256
b26fad351307301bff6f8632f3612a90f00cf9e4bd5636abad7a9f84a788cf8e

SHA512
6182ad2d3657664e5d39fa8191468e0594b7a79c543e71e63414ce9cc5f6f95e25204375af3583596d774e6f3d0aa0c0ad915b3f806cf68a05f81fa9c1db951a

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\packages\lang\ltr\resources.dll

Filesize
94KB

MD5
72dc57d6b0b7a541bbc8f4bed42ba48a

SHA1
8f1269f8351cc6db6f624d5f4bbd2881ad65a15a

SHA256
075e253101ba416a8a3b572e08ca5c371a8cd27cf473be319e7cc88982523a00

SHA512
e198e144ec1043ca1206f65af5c2b46bc8ef4a957c51b89b3d5f74f72f7b1d4d7e2ba765e6e28cead62a4dfe5cce571961366e821504ebab687eea50b7c3c26d

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\packages\sciter.dll

Filesize
4.6MB

MD5
258e030e1961923617df3d6ee6dc1e5c

SHA1
fea5a96214480383fa1aa5ff674ad3febd45aee3

SHA256
3eeebdf2a76db3ad7fe70fd72ff2badf495767f0e75d8fb2c3210fb8b541a2a6

SHA512
9269f481a52df490539f65cb71dbb5c582ee7d446c5b5af38146c210b2870bde6a12bfa9df0f3ea9376e14bacd3c5d3b9b42dfdd1904e9bff835c117d97a88c1

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\packages\setuppackage.exe

Filesize
5.6MB

MD5
2e0329c9637588e065d0edbd669b9d18

SHA1
855a4cfaebf0f6032ebf465424a945fe253d0b1c

SHA256
87b6d3936e879812c3e1fbd379cfd9cc4e7a1cb031eb4ab8801e88f0ab31679c

SHA512
c44e58710fa1bfab30e1aab78f55aa8dda4f4febe1f71c2ce9892bc3eb5b309161127da65b352ab0bf754f8af5e94129f7b4b964d2b78cd8604455dda54f644d

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\packages\setuppackage.exe.md5

Filesize
32B

MD5
b3fd1281f2b79e1fe42ee4ddd4998a09

SHA1
a642ed054a58dc123a8b6ae9c70c657e8f08df87

SHA256
34167c545f9fad76ace9097463bcafdf5522d480b5ae9daa86e38c0cb209caf1

SHA512
ac79fe53e87a41df4b447c6a70a67ea83e4430db9b6fa9b9ae160d6c21ec37e158428b6e0f48d6ccf3fb20b94f4e26abf0f34cd75149fc4c01938485cb03545d

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\packages\unrar.dll

Filesize
276KB

MD5
02976926dbd2950c19ce250688b210b4

SHA1
70edee2b167e2c4d21f0816d353d06a562aeea53

SHA256
03a9116627f80d4c1ae1c42d341ec5714b0b5c90f6d9defecc1213b5f885c437

SHA512
1d098c89b9849b77e67ea480a588ca4af72bd4301733704f5592311d9d897e195017cc34ab965420bd29aa9b771ab6428de036931e31156cab6d6d736c11c554

Download Submit
memory/788-545-0x000000006D710000-0x000000006D720000-memory.dmp

Filesize
64KB

Download
memory/1624-518-0x000000006D710000-0x000000006D720000-memory.dmp

Filesize
64KB

Download
memory/2440-543-0x000000006D710000-0x000000006D720000-memory.dmp

Filesize
64KB

Download