c04f2c02e34da7bed4800b45220f5831dec511da884f738c1e3321c18ef8c516

Analysis

max time kernel
318s
max time network
387s
platform
windows10-2004_x64
resource
win10v2004-20230220-en
resource tags

arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
submitted
03-04-2023 15:45

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

drweb-1.0-katana.exe
Size

46.8MB
MD5

8acc7d1bd885d322e0906c48d66b5eac
SHA1

8dec2d7e07fd6eee855fe3d18d24cb81514f323c
SHA256

c04f2c02e34da7bed4800b45220f5831dec511da884f738c1e3321c18ef8c516
SHA512

32a94a49569e582b12a2a99c8030f01eae213ea11be0b6613e3d79c6f9dc3889c80d27b1fbdeb4edd4849be24c4cbda402026d5556de94090543effa34a3048c
SSDEEP

786432:MwtCRQ9ZTbV/sjEKj3STdBoFMDhSLF9MKIxEPT9cFRHRdDHtKC0owR:MmFlV/6EgAcFMhSJGKIxwJcF1RdDNKQg

Score

8^/10

bootkit discovery persistence

Malware Config

Signatures

Drops file in Drivers directory 9 IoCs

Processes:

drwupsrv.exedrwupsrv.exedrwupsrv.exe

description	ioc	process
File created	C:\Windows\system32\drivers\dwprot.sys	drwupsrv.exe
File opened for modification	C:\Windows\system32\drivers\dwsguard64.dll	drwupsrv.exe
File opened for modification	C:\Windows\system32\drivers\dwprot.sys	drwupsrv.exe
File opened for modification	C:\Windows\system32\drivers\dwsguard32.dll	drwupsrv.exe
File opened for modification	C:\Windows\system32\drivers\dwprot.sys	drwupsrv.exe
File opened for modification	C:\Windows\system32\drivers\dwsguard32.dll	drwupsrv.exe
File opened for modification	C:\Windows\system32\drivers\dwsguard64.dll	drwupsrv.exe
File created	C:\Windows\system32\drivers\dwsguard64.dll	drwupsrv.exe
File created	C:\Windows\system32\drivers\dwsguard32.dll	drwupsrv.exe

Sets service image path in registry 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

dwservice.exedrweb-1.0-katana.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\46ed351b6940fea7\ImagePath = "\\??\\C:\\Windows\\TEMP\\14063b618.sys"	dwservice.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\458E36076A23FDBB\ImagePath = "\\??\\C:\\Users\\Admin\\AppData\\Local\\Temp\\F12029D4.sys"	drweb-1.0-katana.exe

Checks computer location settings 2 TTPs 3 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

drwupsrv.exekatana-setup.exeFreeYoutubeDownloader.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-1675742406-747946869-1029867430-1000\Control Panel\International\Geo\Nation	drwupsrv.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1675742406-747946869-1029867430-1000\Control Panel\International\Geo\Nation	katana-setup.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1675742406-747946869-1029867430-1000\Control Panel\International\Geo\Nation	FreeYoutubeDownloader.exe

Executes dropped EXE 14 IoCs

Processes:

katana-setup.exedrwupsrv.exedrwupsrv.exedwservice.exedrwupsrv.exedwservice.exespideragent.exedrwupsrv.exedrwupsrv.exespideragent.exespideragent.exeLoveYou.exeFreeYoutubeDownloader.exeFree YouTube Downloader.exe

pid	process
4460	katana-setup.exe
1140	drwupsrv.exe
3856	drwupsrv.exe
1704	dwservice.exe
4280	drwupsrv.exe
3100	dwservice.exe
3564	spideragent.exe
5304	drwupsrv.exe
2700	drwupsrv.exe
5656	spideragent.exe
3448	spideragent.exe
7116	LoveYou.exe
5244	FreeYoutubeDownloader.exe
6388	Free YouTube Downloader.exe

Loads dropped DLL 2 IoCs

Processes:

dwservice.exe

pid process

3100 dwservice.exe
3100 dwservice.exe

pid	process
3100	dwservice.exe
3100	dwservice.exe

Adds Run key to start application 2 TTPs 8 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

drwupsrv.exeFreeYoutubeDownloader.exedrwupsrv.exedrwupsrv.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run	drwupsrv.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SpIDerAgent = "\"C:\\Program Files\\DrWeb\\spideragent.exe\""	drwupsrv.exe
Key created	\REGISTRY\USER\S-1-5-21-1675742406-747946869-1029867430-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run	FreeYoutubeDownloader.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1675742406-747946869-1029867430-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Free Youtube Downloader = "C:\\Windows\\Free Youtube Downloader\\Free Youtube Downloader\\Free YouTube Downloader.exe"	FreeYoutubeDownloader.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run	drwupsrv.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SpIDerAgent = "\"C:\\Program Files\\DrWeb\\spideragent.exe\""	drwupsrv.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run	drwupsrv.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SpIDerAgent = "\"C:\\Program Files\\DrWeb\\spideragent.exe\""	drwupsrv.exe

Checks for any installed AV software in registry 1 TTPs 43 IoCs

Security Software Discovery

T1063

Processes:

drwupsrv.exedrwupsrv.exedwservice.exedrwupsrv.exespideragent.exedrwupsrv.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Doctor Web\InstalledComponents\InstallPath = "C:\\Program Files\\DrWeb"	drwupsrv.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Doctor Web\InstalledComponents\ProductType = "KATANA"	drwupsrv.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Doctor Web\InstalledComponents\InstallPath = "C:\\Program Files\\DrWeb"	drwupsrv.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\DrWebAVService\Alias	dwservice.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Doctor Web\InstalledComponents	dwservice.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Doctor Web\InstalledComponents	dwservice.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Doctor Web\InstalledComponents\ProductType	dwservice.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Doctor Web\InstalledComponents\DwProt = "1680544097"	drwupsrv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Doctor Web\InstalledComponents\DwProt = "1680544080"	drwupsrv.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Doctor Web\InstalledComponents\ProductType	spideragent.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Doctor Web\InstalledComponents\ProductVersion	dwservice.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Doctor Web\InstalledComponents	drwupsrv.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Doctor Web\InstalledComponents	drwupsrv.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Doctor Web\InstalledComponents\InstallPath	drwupsrv.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Doctor Web\InstalledComponents\ProductMode = "standalone"	drwupsrv.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Doctor Web\InstalledComponents\AVRemoteControl	dwservice.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Doctor Web\InstalledComponents	drwupsrv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\DrWebAVService	dwservice.exe
Key opened	\REGISTRY\MACHINE\Software\Doctor Web\InstalledComponents	spideragent.exe
Key opened	\Registry\Machine\SOFTWARE\Doctor Web\InstalledComponents	dwservice.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Doctor Web\InstalledComponents\AvService = "1680544095"	drwupsrv.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Doctor Web\InstalledComponents\ProductVersion = "1.0"	drwupsrv.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Doctor Web\InstalledComponents\RelType = "release"	drwupsrv.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Doctor Web\InstalledComponents	drwupsrv.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Doctor Web\InstalledComponents	drwupsrv.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Doctor Web\InstalledComponents	drwupsrv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Doctor Web\InstalledComponents\PreventiveProtection = "1680544075"	drwupsrv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Doctor Web\InstalledComponents\AvService = "1680544080"	drwupsrv.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Doctor Web\InstalledComponents\ProductMode = "standalone"	drwupsrv.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Doctor Web\InstalledComponents\ProductType = "KATANA"	drwupsrv.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Doctor Web\InstalledComponents\ProductVersion = "1.0"	drwupsrv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Doctor Web\InstalledComponents\AvService = "1680544096"	drwupsrv.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Doctor Web\InstalledComponents\ProductType = "KATANA"	drwupsrv.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Doctor Web\InstalledComponents\ProductMode = "standalone"	drwupsrv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Doctor Web\InstalledComponents\DwProt = "1680544076"	drwupsrv.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Doctor Web\InstalledComponents	drwupsrv.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Doctor Web\InstalledComponents\ProductMode	drwupsrv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Doctor Web\InstalledComponents\PreventiveProtection = "1680544095"	drwupsrv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Doctor Web\InstalledComponents\AvService = "1680544075"	drwupsrv.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Doctor Web\InstalledComponents\InstallPath	drwupsrv.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Doctor Web\InstalledComponents\ProductVersion = "1.0"	drwupsrv.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Doctor Web\InstalledComponents\ProductMode	dwservice.exe
Key opened	\REGISTRY\MACHINE\Software\Doctor Web\InstalledComponents	dwservice.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Writes to the Master Boot Record (MBR) 1 TTPs 5 IoCs

Bootkits write to the MBR to gain persistence at a level below the operating system.

bootkit persistence

Bootkit

T1067

Processes:

drwupsrv.exedrwupsrv.exedrwupsrv.exedrwupsrv.exedrwupsrv.exe

description	ioc	process
File opened for modification	\??\PhysicalDrive0	drwupsrv.exe
File opened for modification	\??\PhysicalDrive0	drwupsrv.exe
File opened for modification	\??\PhysicalDrive0	drwupsrv.exe
File opened for modification	\??\PhysicalDrive0	drwupsrv.exe
File opened for modification	\??\PhysicalDrive0	drwupsrv.exe

Drops file in Program Files directory 64 IoCs

Processes:

drwupsrv.exedrwupsrv.exedrwupsrv.exedrwupsrv.exedwservice.exedrwupsrv.exe

description	ioc	process
File opened for modification	C:\Program Files\DrWeb\ja-drweb.dwl	drwupsrv.exe
File created	C:\PROGRA~3\DOCTOR~1\Updater\repo\90\dwl\9\20230324160215.xml.cache;c187d8f35bb8d9ed6858753a164e3527b2bd6d8335fe42dc8d1ba574d8e28e76	drwupsrv.exe
File created	C:\Program Files\DrWeb\drwbase.db	drwupsrv.exe
File opened for modification	C:\PROGRA~3\DOCTOR~1\Updater\repo\90\dwl\revisions.xml	drwupsrv.exe
File opened for modification	C:\Program Files\DrWeb\uk-drweb.dwl	drwupsrv.exe
File opened for modification	C:\Program Files\DrWeb\tr-drweb.dwl	drwupsrv.exe
File opened for modification	C:\Program Files\DrWeb\spideragent.exe	drwupsrv.exe
File opened for modification	C:\Program Files\DrWeb\de-drweb.chm	drwupsrv.exe
File opened for modification	C:\PROGRA~3\DOCTOR~1\Logs\dwupdater.log	drwupsrv.exe
File created	C:\Program Files\DrWeb\spideragent.exe	drwupsrv.exe
File created	C:\PROGRA~3\DOCTOR~1\Updater\repo\90\help\9\common\ru-drweb.chm.lzma.cache;7c79b83d30fd0014f0f1cf962dcc60c30554811c94067f1650276f1b20a4d5c1	drwupsrv.exe
File created	C:\Program Files\DrWeb\ko-drweb.dwl	drwupsrv.exe
File opened for modification	C:\Program Files\DrWeb\pt-drweb.dwl	drwupsrv.exe
File created	C:\PROGRA~3\DOCTOR~1\Updater\repo\90\av-service\20230324160215.xml.cache;f34daaa80e6458e35fa9e9e242eba356a8c7fc272b0a23029be762a0496bfb09	drwupsrv.exe
File created	C:\PROGRA~3\DOCTOR~1\Updater\repo\90\sysinfo\20230324160215.xml.cache;f34daaa80e6458e35fa9e9e242eba356a8c7fc272b0a23029be762a0496bfb09	drwupsrv.exe
File opened for modification	C:\Program Files\DrWeb\de-drweb.dwl	drwupsrv.exe
File opened for modification	C:\Program Files\DrWeb\ja-drweb.dwl	drwupsrv.exe
File created	C:\Program Files\DrWeb\ja-drweb.chm	drwupsrv.exe
File created	C:\Program Files\DrWeb\dwsysinfo.dll	drwupsrv.exe
File opened for modification	C:\PROGRA~3\DOCTOR~1\Updater\repo\90\sysinfo\9\revision.xml	drwupsrv.exe
File created	C:\Program Files\DrWeb\it-drweb.dwl	drwupsrv.exe
File created	C:\Program Files\DrWeb\SL150221703.key	dwservice.exe
File opened for modification	C:\PROGRA~3\DOCTOR~1\Updater\repo\90\spider-agent\revisions.xml	drwupsrv.exe
File created	C:\Program Files\DrWeb\ru-drweb.chm	drwupsrv.exe
File opened for modification	C:\Program Files\DrWeb\dwarkapi.dll	drwupsrv.exe
File opened for modification	C:\Program Files\DrWeb\dwsysinfo.exe	drwupsrv.exe
File created	C:\Program Files\DrWeb\cs-drweb.dwl	drwupsrv.exe
File created	C:\Program Files\DrWeb\et-drweb.dwl	drwupsrv.exe
File opened for modification	C:\Program Files\DrWeb\cs-drweb.dwl	drwupsrv.exe
File opened for modification	C:\PROGRA~3\DOCTOR~1\Updater\repo\90\katana-setup\revisions.xml	drwupsrv.exe
File opened for modification	C:\Program Files\DrWeb\ru-drweb.chm	drwupsrv.exe
File opened for modification	C:\Program Files\DrWeb\ja-drweb.chm	drwupsrv.exe
File opened for modification	C:\Program Files\DrWeb\sk-drweb.dwl	drwupsrv.exe
File created	C:\PROGRA~3\DOCTOR~1\Updater\repo\90\updater\20230324160215.xml.cache;f34daaa80e6458e35fa9e9e242eba356a8c7fc272b0a23029be762a0496bfb09	drwupsrv.exe
File opened for modification	C:\PROGRA~3\DOCTOR~1\Updater\repo\90\cloud-client\revisions.xml	drwupsrv.exe
File opened for modification	C:\Program Files\DrWeb\es-drweb.dwl	drwupsrv.exe
File created	C:\PROGRA~3\DOCTOR~1\Updater\temp\drwupsrv.exe	drwupsrv.exe
File created	C:\Program Files\DrWeb\es-drweb.dwl	drwupsrv.exe
File created	C:\PROGRA~3\DOCTOR~1\Updater\repo\90\av-service\9\20230324160215.xml.cache;0a278293566d84523d04c0a03d6c8214143465df2e2879774a97634b56a59887	drwupsrv.exe
File opened for modification	C:\Program Files\DrWeb\ja-drweb.chm	drwupsrv.exe
File opened for modification	C:\Program Files\DrWeb\en-drweb.chm	drwupsrv.exe
File created	C:\Program Files\DrWeb\lv-drweb.dwl	drwupsrv.exe
File opened for modification	C:\Program Files\DrWeb\ccsdk.dll	drwupsrv.exe
File created	C:\PROGRA~3\DOCTOR~1\Updater\repo\90\dwprot\9\20230324160215.xml.cache;7d7b23e57306db05ae7f73fa5188fe52ec1895b0650510474a366df3e4473fe9	drwupsrv.exe
File opened for modification	C:\PROGRA~3\DOCTOR~1\Updater\repo\90\help\9\revision.xml	drwupsrv.exe
File opened for modification	C:\PROGRA~3\DOCTOR~1\Updater\repo\90\sysinfo\revisions.xml	drwupsrv.exe
File opened for modification	C:\PROGRA~3\DOCTOR~1\Updater\etc\drwupsrv.xml	drwupsrv.exe
File opened for modification	C:\Program Files\DrWeb\dwservice.exe	drwupsrv.exe
File created	C:\Program Files\DrWeb\tr-drweb.dwl	drwupsrv.exe
File opened for modification	C:\Program Files\DrWeb\en-drweb.chm	drwupsrv.exe
File opened for modification	C:\Program Files\DrWeb\ru-drweb.chm	drwupsrv.exe
File opened for modification	C:\Program Files\DrWeb\et-drweb.dwl	drwupsrv.exe
File created	C:\PROGRA~3\DOCTOR~1\Updater\repo\90\help\9\common\en-drweb.chm.lzma.cache;12b09572e7544d8bbf1d564bebd4086bb8af3a59ea8f43ac99d4fc746ef8faeb	drwupsrv.exe
File opened for modification	C:\PROGRA~3\DOCTOR~1\Updater\repo\90\updater\revisions.xml	drwupsrv.exe
File opened for modification	C:\PROGRA~3\DOCTOR~1\Logs\dwupdater.log	drwupsrv.exe
File created	C:\PROGRA~3\DOCTOR~1\Updater\temp\drwzones.xml	drwupsrv.exe
File opened for modification	C:\PROGRA~3\DOCTOR~1\Updater\repo\90\help\revisions.xml	drwupsrv.exe
File opened for modification	C:\Program Files\DrWeb\ru-drweb.dwl	drwupsrv.exe
File created	C:\Program Files\DrWeb\kk-drweb.dwl	drwupsrv.exe
File created	C:\Program Files\DrWeb\fr-drweb.dwl	drwupsrv.exe
File created	C:\PROGRA~3\DOCTOR~1\Updater\repo\versions.xml.newer.cache;	drwupsrv.exe
File created	C:\PROGRA~3\DOCTOR~1\Updater\repo\90\help\9\20230324160215.xml.cache;fbe434512f9155d31c9fa05d9aa941a2024947246ad785f9d68952cffc5ff5b8	drwupsrv.exe
File opened for modification	C:\PROGRA~3\DOCTOR~1\Updater\repo\90\av-service\9\common\drwbase.db.lzma	drwupsrv.exe
File opened for modification	C:\PROGRA~3\DOCTOR~1\Updater\etc\drwupsrv.xml	drwupsrv.exe

Drops file in Windows directory 4 IoCs

Processes:

FreeYoutubeDownloader.exe

description	ioc	process
File opened for modification	C:\Windows\Free Youtube Downloader\Free Youtube Downloader\Box.exe	FreeYoutubeDownloader.exe
File opened for modification	C:\Windows\Free Youtube Downloader\Free Youtube Downloader\Uninstall.exe	FreeYoutubeDownloader.exe
File created	C:\Windows\Free Youtube Downloader\Free Youtube Downloader\Uninstall.ini	FreeYoutubeDownloader.exe
File opened for modification	C:\Windows\Free Youtube Downloader\Free Youtube Downloader\Free YouTube Downloader.exe	FreeYoutubeDownloader.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 5 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

vssvc.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters	vssvc.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters	vssvc.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr	vssvc.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr\PartitionTableCache = 0000000004000000f9d6c693febb2fce0000000000000000000000000000000000000000000000000000000000000000000000000000000000001000000000000000c01200000000ffffffff000000002701010000080000f9d6c6930000000000001000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000d01200000000000020ed3f000000ffffffff000000000700010000680900f9d6c693000000000000d0120000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000ffffffff000000000000000000000000f9d6c69300000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000ffffffff000000000000000000000000f9d6c69300000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	vssvc.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr\SnapshotDataCache = 534e41505041525401000000700000008ec7416a0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	vssvc.exe

Checks processor information in registry 2 TTPs 10 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

WINWORD.EXEkatana-setup.exefirefox.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	WINWORD.EXE
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	katana-setup.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	katana-setup.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe

Enumerates system info in registry 2 TTPs 6 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

msedge.exeWINWORD.EXE

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	WINWORD.EXE

Modifies data under HKEY_USERS 5 IoCs

Processes:

dwservice.exe

description	ioc	process
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1"	dwservice.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1"	dwservice.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1"	dwservice.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0"	dwservice.exe
Key created	\REGISTRY\USER\.DEFAULT\	dwservice.exe

Modifies registry class 2 IoCs

Processes:

firefox.exemsedge.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-1675742406-747946869-1029867430-1000_Classes\Local Settings	firefox.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	msedge.exe

NTFS ADS 4 IoCs

Processes:

firefox.exe

description	ioc	process
File created	C:\Users\Admin\Downloads\Free_Robux_Generator.bat:Zone.Identifier	firefox.exe
File created	C:\Users\Admin\Downloads\FreeYoutubeDownloader.exe:Zone.Identifier	firefox.exe
File created	C:\Users\Admin\Downloads\LoveYou.exe:Zone.Identifier	firefox.exe
File created	C:\Users\Admin\Downloads\Frankenstein.doc:Zone.Identifier	firefox.exe

Suspicious behavior: AddClipboardFormatListener 2 IoCs

Processes:

WINWORD.EXE

pid process

4632 WINWORD.EXE
4632 WINWORD.EXE

pid	process
4632	WINWORD.EXE
4632	WINWORD.EXE

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

katana-setup.exedrwupsrv.exedrwupsrv.exedrwupsrv.exedwservice.exedrwupsrv.exedrwupsrv.exemsedge.exemsedge.exe

pid	process
4460	katana-setup.exe
4460	katana-setup.exe
4460	katana-setup.exe
4460	katana-setup.exe
4460	katana-setup.exe
4460	katana-setup.exe
4460	katana-setup.exe
4460	katana-setup.exe
4460	katana-setup.exe
4460	katana-setup.exe
4460	katana-setup.exe
4460	katana-setup.exe
4460	katana-setup.exe
4460	katana-setup.exe
4460	katana-setup.exe
4460	katana-setup.exe
4460	katana-setup.exe
4460	katana-setup.exe
4460	katana-setup.exe
4460	katana-setup.exe
4460	katana-setup.exe
4460	katana-setup.exe
4460	katana-setup.exe
4460	katana-setup.exe
4460	katana-setup.exe
4460	katana-setup.exe
4460	katana-setup.exe
4460	katana-setup.exe
4460	katana-setup.exe
4460	katana-setup.exe
4460	katana-setup.exe
4460	katana-setup.exe
4460	katana-setup.exe
4460	katana-setup.exe
1140	drwupsrv.exe
1140	drwupsrv.exe
1140	drwupsrv.exe
1140	drwupsrv.exe
3856	drwupsrv.exe
3856	drwupsrv.exe
3856	drwupsrv.exe
3856	drwupsrv.exe
4280	drwupsrv.exe
4280	drwupsrv.exe
4280	drwupsrv.exe
4280	drwupsrv.exe
3100	dwservice.exe
5304	drwupsrv.exe
5304	drwupsrv.exe
5304	drwupsrv.exe
5304	drwupsrv.exe
2700	drwupsrv.exe
2700	drwupsrv.exe
2700	drwupsrv.exe
2700	drwupsrv.exe
2700	drwupsrv.exe
2700	drwupsrv.exe
2700	drwupsrv.exe
2700	drwupsrv.exe
4460	katana-setup.exe
8	msedge.exe
8	msedge.exe
3936	msedge.exe
3936	msedge.exe

Suspicious behavior: LoadsDriver 5 IoCs

Processes:

drweb-1.0-katana.exedwservice.exe

pid process

1304 drweb-1.0-katana.exe
660
3100 dwservice.exe
660
660
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 5 IoCs

Processes:

msedge.exe

pid process

4380 msedge.exe
4380 msedge.exe
4380 msedge.exe
4380 msedge.exe
4380 msedge.exe

pid	process
1304	drweb-1.0-katana.exe
660
3100	dwservice.exe
660
660

pid	process
4380	msedge.exe
4380	msedge.exe
4380	msedge.exe
4380	msedge.exe
4380	msedge.exe

Suspicious use of AdjustPrivilegeToken 61 IoCs

Processes:

drweb-1.0-katana.exefirefox.exevssvc.exeAUDIODG.EXEsrtasks.exedrwupsrv.exedrwupsrv.exedrwupsrv.exedwservice.exedrwupsrv.exedrwupsrv.exespideragent.exekatana-setup.exeFreeYoutubeDownloader.exeWINWORD.EXE

description	pid	process
Token: SeDebugPrivilege	1304	drweb-1.0-katana.exe
Token: SeLoadDriverPrivilege	1304	drweb-1.0-katana.exe
Token: SeDebugPrivilege	1232	firefox.exe
Token: SeDebugPrivilege	1232	firefox.exe
Token: SeBackupPrivilege	4892	vssvc.exe
Token: SeRestorePrivilege	4892	vssvc.exe
Token: SeAuditPrivilege	4892	vssvc.exe
Token: 33	5584	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	5584	AUDIODG.EXE
Token: SeBackupPrivilege	404	srtasks.exe
Token: SeRestorePrivilege	404	srtasks.exe
Token: SeSecurityPrivilege	404	srtasks.exe
Token: SeTakeOwnershipPrivilege	404	srtasks.exe
Token: SeBackupPrivilege	404	srtasks.exe
Token: SeRestorePrivilege	404	srtasks.exe
Token: SeSecurityPrivilege	404	srtasks.exe
Token: SeTakeOwnershipPrivilege	404	srtasks.exe
Token: SeTakeOwnershipPrivilege	1140	drwupsrv.exe
Token: SeSecurityPrivilege	1140	drwupsrv.exe
Token: SeBackupPrivilege	1140	drwupsrv.exe
Token: SeRestorePrivilege	1140	drwupsrv.exe
Token: SeMachineAccountPrivilege	1140	drwupsrv.exe
Token: SeTakeOwnershipPrivilege	3856	drwupsrv.exe
Token: SeSecurityPrivilege	3856	drwupsrv.exe
Token: SeBackupPrivilege	3856	drwupsrv.exe
Token: SeRestorePrivilege	3856	drwupsrv.exe
Token: SeMachineAccountPrivilege	3856	drwupsrv.exe
Token: SeDebugPrivilege	1232	firefox.exe
Token: SeDebugPrivilege	1232	firefox.exe
Token: SeDebugPrivilege	1232	firefox.exe
Token: SeTakeOwnershipPrivilege	4280	drwupsrv.exe
Token: SeSecurityPrivilege	4280	drwupsrv.exe
Token: SeBackupPrivilege	4280	drwupsrv.exe
Token: SeRestorePrivilege	4280	drwupsrv.exe
Token: SeMachineAccountPrivilege	4280	drwupsrv.exe
Token: SeDebugPrivilege	3100	dwservice.exe
Token: SeTcbPrivilege	3100	dwservice.exe
Token: SeLoadDriverPrivilege	3100	dwservice.exe
Token: SeTakeOwnershipPrivilege	5304	drwupsrv.exe
Token: SeSecurityPrivilege	5304	drwupsrv.exe
Token: SeBackupPrivilege	5304	drwupsrv.exe
Token: SeRestorePrivilege	5304	drwupsrv.exe
Token: SeMachineAccountPrivilege	5304	drwupsrv.exe
Token: SeTakeOwnershipPrivilege	2700	drwupsrv.exe
Token: SeSecurityPrivilege	2700	drwupsrv.exe
Token: SeBackupPrivilege	2700	drwupsrv.exe
Token: SeRestorePrivilege	2700	drwupsrv.exe
Token: SeMachineAccountPrivilege	2700	drwupsrv.exe
Token: SeIncreaseQuotaPrivilege	2700	drwupsrv.exe
Token: SeAssignPrimaryTokenPrivilege	2700	drwupsrv.exe
Token: SeDebugPrivilege	5656	spideragent.exe
Token: SeTcbPrivilege	4460	katana-setup.exe
Token: SeIncreaseQuotaPrivilege	4460	katana-setup.exe
Token: SeAssignPrimaryTokenPrivilege	4460	katana-setup.exe
Token: SeDebugPrivilege	1232	firefox.exe
Token: SeDebugPrivilege	5244	FreeYoutubeDownloader.exe
Token: SeDebugPrivilege	5244	FreeYoutubeDownloader.exe
Token: SeDebugPrivilege	5244	FreeYoutubeDownloader.exe
Token: SeDebugPrivilege	5244	FreeYoutubeDownloader.exe
Token: SeDebugPrivilege	1232	firefox.exe
Token: SeAuditPrivilege	4632	WINWORD.EXE

Suspicious use of FindShellTrayWindow 44 IoCs

Processes:

firefox.exespideragent.exespideragent.exemsedge.exeFree YouTube Downloader.exe

pid	process
1232	firefox.exe
1232	firefox.exe
1232	firefox.exe
1232	firefox.exe
3564	spideragent.exe
3564	spideragent.exe
5656	spideragent.exe
5656	spideragent.exe
5656	spideragent.exe
5656	spideragent.exe
5656	spideragent.exe
5656	spideragent.exe
5656	spideragent.exe
5656	spideragent.exe
5656	spideragent.exe
5656	spideragent.exe
5656	spideragent.exe
5656	spideragent.exe
5656	spideragent.exe
5656	spideragent.exe
5656	spideragent.exe
5656	spideragent.exe
5656	spideragent.exe
5656	spideragent.exe
5656	spideragent.exe
5656	spideragent.exe
5656	spideragent.exe
5656	spideragent.exe
5656	spideragent.exe
5656	spideragent.exe
5656	spideragent.exe
5656	spideragent.exe
5656	spideragent.exe
4380	msedge.exe
4380	msedge.exe
4380	msedge.exe
4380	msedge.exe
5656	spideragent.exe
5656	spideragent.exe
5656	spideragent.exe
5656	spideragent.exe
5656	spideragent.exe
5656	spideragent.exe
6388	Free YouTube Downloader.exe

Suspicious use of SendNotifyMessage 14 IoCs

Processes:

firefox.exespideragent.exespideragent.exeFree YouTube Downloader.exe

pid	process
1232	firefox.exe
1232	firefox.exe
1232	firefox.exe
3564	spideragent.exe
3564	spideragent.exe
5656	spideragent.exe
5656	spideragent.exe
5656	spideragent.exe
5656	spideragent.exe
5656	spideragent.exe
5656	spideragent.exe
5656	spideragent.exe
5656	spideragent.exe
6388	Free YouTube Downloader.exe

Suspicious use of SetWindowsHookEx 50 IoCs

Processes:

firefox.exespideragent.exeFreeYoutubeDownloader.exeWINWORD.EXE

pid	process
1232	firefox.exe
1232	firefox.exe
1232	firefox.exe
1232	firefox.exe
1232	firefox.exe
1232	firefox.exe
1232	firefox.exe
1232	firefox.exe
1232	firefox.exe
1232	firefox.exe
1232	firefox.exe
1232	firefox.exe
1232	firefox.exe
1232	firefox.exe
1232	firefox.exe
1232	firefox.exe
1232	firefox.exe
1232	firefox.exe
1232	firefox.exe
5656	spideragent.exe
1232	firefox.exe
1232	firefox.exe
1232	firefox.exe
1232	firefox.exe
1232	firefox.exe
1232	firefox.exe
1232	firefox.exe
1232	firefox.exe
1232	firefox.exe
5244	FreeYoutubeDownloader.exe
1232	firefox.exe
1232	firefox.exe
1232	firefox.exe
4632	WINWORD.EXE
4632	WINWORD.EXE
4632	WINWORD.EXE
4632	WINWORD.EXE
4632	WINWORD.EXE
4632	WINWORD.EXE
4632	WINWORD.EXE
4632	WINWORD.EXE
4632	WINWORD.EXE
4632	WINWORD.EXE
4632	WINWORD.EXE
4632	WINWORD.EXE
4632	WINWORD.EXE
4632	WINWORD.EXE
4632	WINWORD.EXE
4632	WINWORD.EXE
4632	WINWORD.EXE

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

drweb-1.0-katana.exefirefox.exefirefox.exe

description	pid	process	target process
PID 1304 wrote to memory of 4460	1304	drweb-1.0-katana.exe	katana-setup.exe
PID 1304 wrote to memory of 4460	1304	drweb-1.0-katana.exe	katana-setup.exe
PID 1304 wrote to memory of 4460	1304	drweb-1.0-katana.exe	katana-setup.exe
PID 2080 wrote to memory of 1232	2080	firefox.exe	firefox.exe
PID 2080 wrote to memory of 1232	2080	firefox.exe	firefox.exe
PID 2080 wrote to memory of 1232	2080	firefox.exe	firefox.exe
PID 2080 wrote to memory of 1232	2080	firefox.exe	firefox.exe
PID 2080 wrote to memory of 1232	2080	firefox.exe	firefox.exe
PID 2080 wrote to memory of 1232	2080	firefox.exe	firefox.exe
PID 2080 wrote to memory of 1232	2080	firefox.exe	firefox.exe
PID 2080 wrote to memory of 1232	2080	firefox.exe	firefox.exe
PID 2080 wrote to memory of 1232	2080	firefox.exe	firefox.exe
PID 2080 wrote to memory of 1232	2080	firefox.exe	firefox.exe
PID 2080 wrote to memory of 1232	2080	firefox.exe	firefox.exe
PID 1232 wrote to memory of 4264	1232	firefox.exe	firefox.exe
PID 1232 wrote to memory of 4264	1232	firefox.exe	firefox.exe
PID 1232 wrote to memory of 5112	1232	firefox.exe	firefox.exe
PID 1232 wrote to memory of 5112	1232	firefox.exe	firefox.exe
PID 1232 wrote to memory of 5112	1232	firefox.exe	firefox.exe
PID 1232 wrote to memory of 5112	1232	firefox.exe	firefox.exe
PID 1232 wrote to memory of 5112	1232	firefox.exe	firefox.exe
PID 1232 wrote to memory of 5112	1232	firefox.exe	firefox.exe
PID 1232 wrote to memory of 5112	1232	firefox.exe	firefox.exe
PID 1232 wrote to memory of 5112	1232	firefox.exe	firefox.exe
PID 1232 wrote to memory of 5112	1232	firefox.exe	firefox.exe
PID 1232 wrote to memory of 5112	1232	firefox.exe	firefox.exe
PID 1232 wrote to memory of 5112	1232	firefox.exe	firefox.exe
PID 1232 wrote to memory of 5112	1232	firefox.exe	firefox.exe
PID 1232 wrote to memory of 5112	1232	firefox.exe	firefox.exe
PID 1232 wrote to memory of 5112	1232	firefox.exe	firefox.exe
PID 1232 wrote to memory of 5112	1232	firefox.exe	firefox.exe
PID 1232 wrote to memory of 5112	1232	firefox.exe	firefox.exe
PID 1232 wrote to memory of 5112	1232	firefox.exe	firefox.exe
PID 1232 wrote to memory of 5112	1232	firefox.exe	firefox.exe
PID 1232 wrote to memory of 5112	1232	firefox.exe	firefox.exe
PID 1232 wrote to memory of 5112	1232	firefox.exe	firefox.exe
PID 1232 wrote to memory of 5112	1232	firefox.exe	firefox.exe
PID 1232 wrote to memory of 5112	1232	firefox.exe	firefox.exe
PID 1232 wrote to memory of 5112	1232	firefox.exe	firefox.exe
PID 1232 wrote to memory of 5112	1232	firefox.exe	firefox.exe
PID 1232 wrote to memory of 5112	1232	firefox.exe	firefox.exe
PID 1232 wrote to memory of 5112	1232	firefox.exe	firefox.exe
PID 1232 wrote to memory of 5112	1232	firefox.exe	firefox.exe
PID 1232 wrote to memory of 5112	1232	firefox.exe	firefox.exe
PID 1232 wrote to memory of 5112	1232	firefox.exe	firefox.exe
PID 1232 wrote to memory of 5112	1232	firefox.exe	firefox.exe
PID 1232 wrote to memory of 5112	1232	firefox.exe	firefox.exe
PID 1232 wrote to memory of 5112	1232	firefox.exe	firefox.exe
PID 1232 wrote to memory of 5112	1232	firefox.exe	firefox.exe
PID 1232 wrote to memory of 5112	1232	firefox.exe	firefox.exe
PID 1232 wrote to memory of 5112	1232	firefox.exe	firefox.exe
PID 1232 wrote to memory of 5112	1232	firefox.exe	firefox.exe
PID 1232 wrote to memory of 5112	1232	firefox.exe	firefox.exe
PID 1232 wrote to memory of 5112	1232	firefox.exe	firefox.exe
PID 1232 wrote to memory of 5112	1232	firefox.exe	firefox.exe
PID 1232 wrote to memory of 5112	1232	firefox.exe	firefox.exe
PID 1232 wrote to memory of 5112	1232	firefox.exe	firefox.exe
PID 1232 wrote to memory of 5112	1232	firefox.exe	firefox.exe
PID 1232 wrote to memory of 5112	1232	firefox.exe	firefox.exe
PID 1232 wrote to memory of 5112	1232	firefox.exe	firefox.exe
PID 1232 wrote to memory of 5112	1232	firefox.exe	firefox.exe
PID 1232 wrote to memory of 5112	1232	firefox.exe	firefox.exe
PID 1232 wrote to memory of 5112	1232	firefox.exe	firefox.exe
PID 1232 wrote to memory of 5112	1232	firefox.exe	firefox.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\drweb-1.0-katana.exe
"C:\Users\Admin\AppData\Local\Temp\drweb-1.0-katana.exe"
1⤵
- Sets service image path in registry
- Suspicious behavior: LoadsDriver
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1304

C:\Users\Admin\AppData\Local\Temp\8DD224D8-FA8DE2A9-8691B6CB-8AC62588\katana-setup.exe
"C:\Users\Admin\AppData\Local\Temp\8DD224D8-FA8DE2A9-8691B6CB-8AC62588\katana-setup.exe" /distribpath "C:\Users\Admin\AppData\Local\Temp\drweb-1.0-katana.exe"
2⤵
- Checks computer location settings
- Executes dropped EXE
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4460

C:\Users\Admin\AppData\Local\Temp\8DD224D8-FA8DE2A9-8691B6CB-8AC62588\drwupsrv.exe
"C:\Users\Admin\AppData\Local\Temp\8DD224D8-FA8DE2A9-8691B6CB-8AC62588\drwupsrv.exe" -c add-product -p "DrWebAgent" -p "Help" -p "KatanaSetup" -p "Updater" --list "C:\ProgramData\Doctor Web\Updater\repo\90\products.xml" --merge --version=90 --rev=9 -a "C:\Program Files\DrWeb" -v debug
3⤵
- Executes dropped EXE
- Writes to the Master Boot Record (MBR)
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1140

C:\Users\Admin\AppData\Local\Temp\8DD224D8-FA8DE2A9-8691B6CB-8AC62588\drwupsrv.exe
"C:\Users\Admin\AppData\Local\Temp\8DD224D8-FA8DE2A9-8691B6CB-8AC62588\drwupsrv.exe" -r "C:\ProgramData\Doctor Web\Updater\repo" -c install -p "DrWebAgent" -p "Help" -p "KatanaSetup" -p "Updater" --disable-postupdate --param="distrib_version=1.0.8.06270" --param="en_help_file_name=en-drweb.chm" --param="en_help_lnk_name=Dr.Web Help (English).lnk" --param="estimated_size=108298" --param="install_date=20230403" --param="install_mode" --param="install_source=C:\Users\Admin\AppData\Local\Temp\8DD224D8-FA8DE2A9-8691B6CB-8AC62588\katana-setup.exe" --param="installdir=C:\Program Files\DrWeb" --param="lang=en" --param="path_to_chached_distrib=C:\ProgramData\Doctor Web\Setup\drweb-katana\katana-setup.exe" --param="runbysetup" --param="sendStats=1" --param="startmenu_shortcut" --interactive -v debug -l
3⤵
- Drops file in Drivers directory
- Checks computer location settings
- Executes dropped EXE
- Adds Run key to start application
- Checks for any installed AV software in registry
- Writes to the Master Boot Record (MBR)
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3856

C:\Program Files\DrWeb\dwservice.exe
"C:\Program Files\DrWeb\dwservice.exe" --install -o "C:\ProgramData\Doctor Web\Logs\dwservice.log"
4⤵
- Executes dropped EXE
PID:1704

C:\Users\Admin\AppData\Local\Temp\8DD224D8-FA8DE2A9-8691B6CB-8AC62588\drwupsrv.exe
"C:\Users\Admin\AppData\Local\Temp\8DD224D8-FA8DE2A9-8691B6CB-8AC62588\drwupsrv.exe" -p "DrWebAgent" -p "Help" -p "KatanaSetup" -p "Updater" -r "C:\ProgramData\Doctor Web\Updater\repo" -c postupdate --param="distrib_version=1.0.8.06270" --param="en_help_file_name=en-drweb.chm" --param="en_help_lnk_name=Dr.Web Help (English).lnk" --param="estimated_size=108298" --param="install_date=20230403" --param="install_mode" --param="install_source=C:\Users\Admin\AppData\Local\Temp\8DD224D8-FA8DE2A9-8691B6CB-8AC62588\katana-setup.exe" --param="installdir=C:\Program Files\DrWeb" --param="lang=en" --param="path_to_chached_distrib=C:\ProgramData\Doctor Web\Setup\drweb-katana\katana-setup.exe" --param="runbysetup" --param="sendStats=1" --param="startmenu_shortcut" --interactive -v debug -l
3⤵
- Drops file in Drivers directory
- Executes dropped EXE
- Adds Run key to start application
- Checks for any installed AV software in registry
- Writes to the Master Boot Record (MBR)
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4280

C:\Program Files\DrWeb\spideragent.exe
"C:\Program Files\DrWeb\spideragent.exe" -register
3⤵
- Executes dropped EXE
- Checks for any installed AV software in registry
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:3564

C:\Program Files\DrWeb\spideragent.exe
"C:\Program Files\DrWeb\spideragent.exe"
3⤵
- Executes dropped EXE
PID:3448

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2080

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe"
2⤵
- Checks processor information in registry
- Modifies registry class
- NTFS ADS
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1232

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1232.0.570801544\1673316814" -parentBuildID 20221007134813 -prefsHandle 1836 -prefMapHandle 1828 -prefsLen 20890 -prefMapSize 232675 -appDir "C:\Program Files\Mozilla Firefox\browser" - {e4e114fd-a1a7-424c-97a3-5bea834823bd} 1232 "\\.\pipe\gecko-crash-server-pipe.1232" 1916 1baa57e1858 gpu
3⤵
PID:4264

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1232.1.52543866\1655587517" -parentBuildID 20221007134813 -prefsHandle 2304 -prefMapHandle 2300 -prefsLen 20926 -prefMapSize 232675 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {94856dfa-ca6c-4867-b896-b7642e80e116} 1232 "\\.\pipe\gecko-crash-server-pipe.1232" 2316 1ba98771c58 socket
3⤵
PID:5112

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1232.2.141931349\568055610" -childID 1 -isForBrowser -prefsHandle 1668 -prefMapHandle 2760 -prefsLen 21074 -prefMapSize 232675 -jsInitHandle 1328 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {6f3e38eb-5676-4273-9714-f68c0b55d0ab} 1232 "\\.\pipe\gecko-crash-server-pipe.1232" 3180 1baa93e1158 tab
3⤵
PID:2380

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1232.3.987822667\83874029" -childID 2 -isForBrowser -prefsHandle 3568 -prefMapHandle 3564 -prefsLen 26519 -prefMapSize 232675 -jsInitHandle 1328 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {f9806a7b-7fb4-4980-9338-8931e00d49ea} 1232 "\\.\pipe\gecko-crash-server-pipe.1232" 3576 1ba9876fe58 tab
3⤵
PID:4064

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1232.4.1964406309\695161643" -childID 3 -isForBrowser -prefsHandle 3888 -prefMapHandle 3884 -prefsLen 26519 -prefMapSize 232675 -jsInitHandle 1328 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {d1b5dac0-3507-481d-9217-bc4a5322464a} 1232 "\\.\pipe\gecko-crash-server-pipe.1232" 3916 1baaa6a2558 tab
3⤵
PID:3600

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1232.7.498115804\1054158169" -childID 6 -isForBrowser -prefsHandle 5316 -prefMapHandle 5320 -prefsLen 26578 -prefMapSize 232675 -jsInitHandle 1328 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {d935c1a2-52a1-4905-a39f-28b5ed23d9f9} 1232 "\\.\pipe\gecko-crash-server-pipe.1232" 5304 1baabc34058 tab
3⤵
PID:1300

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1232.6.633629966\1855289709" -childID 5 -isForBrowser -prefsHandle 4968 -prefMapHandle 4172 -prefsLen 26578 -prefMapSize 232675 -jsInitHandle 1328 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {a0fe5a10-a7b1-45af-820b-d9386dc8c44e} 1232 "\\.\pipe\gecko-crash-server-pipe.1232" 5108 1baabc34c58 tab
3⤵
PID:3816

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1232.5.798255388\1507468569" -childID 4 -isForBrowser -prefsHandle 4944 -prefMapHandle 5020 -prefsLen 26578 -prefMapSize 232675 -jsInitHandle 1328 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {209ca74d-6bab-403e-aada-06ebbdb4aeff} 1232 "\\.\pipe\gecko-crash-server-pipe.1232" 4972 1baab0ea558 tab
3⤵
PID:4832

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1232.9.1403512492\1319791083" -childID 8 -isForBrowser -prefsHandle 5880 -prefMapHandle 5884 -prefsLen 26738 -prefMapSize 232675 -jsInitHandle 1328 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {20e49504-25c1-46c2-ad0c-3ce02827d15b} 1232 "\\.\pipe\gecko-crash-server-pipe.1232" 5872 1baaaa8ff58 tab
3⤵
PID:5556

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1232.8.1661520455\1892041906" -childID 7 -isForBrowser -prefsHandle 3536 -prefMapHandle 4616 -prefsLen 26738 -prefMapSize 232675 -jsInitHandle 1328 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {901361cf-1aea-4d89-8720-ddc97f3e5f53} 1232 "\\.\pipe\gecko-crash-server-pipe.1232" 3612 1baa9e95b58 tab
3⤵
PID:5548

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1232.10.73635314\2137755179" -parentBuildID 20221007134813 -prefsHandle 5928 -prefMapHandle 5932 -prefsLen 26755 -prefMapSize 232675 -appDir "C:\Program Files\Mozilla Firefox\browser" - {28b07743-d4bf-42cd-97eb-00b3b1aa81b4} 1232 "\\.\pipe\gecko-crash-server-pipe.1232" 5936 1baad051858 rdd
3⤵
PID:5940

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1232.11.662359343\1050439376" -parentBuildID 20221007134813 -sandboxingKind 1 -prefsHandle 5928 -prefMapHandle 6216 -prefsLen 26755 -prefMapSize 232675 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {dd9f289d-6785-4313-b8f1-74a699946e26} 1232 "\\.\pipe\gecko-crash-server-pipe.1232" 6236 1baad051b58 utility
3⤵
PID:6000

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1232.12.1100995823\999079194" -childID 9 -isForBrowser -prefsHandle 3016 -prefMapHandle 3120 -prefsLen 26930 -prefMapSize 232675 -jsInitHandle 1328 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {2343a60d-fec7-47dc-a1f3-a921025b4549} 1232 "\\.\pipe\gecko-crash-server-pipe.1232" 3148 1baa57e4e58 tab
3⤵
PID:5392

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1232.13.2016576309\45116349" -childID 10 -isForBrowser -prefsHandle 6580 -prefMapHandle 6584 -prefsLen 26930 -prefMapSize 232675 -jsInitHandle 1328 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {448f88fa-b76f-41c9-b468-053653b32e03} 1232 "\\.\pipe\gecko-crash-server-pipe.1232" 10248 1baad12be58 tab
3⤵
PID:5852

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1232.14.203558428\1002013604" -childID 11 -isForBrowser -prefsHandle 10576 -prefMapHandle 6716 -prefsLen 27195 -prefMapSize 232675 -jsInitHandle 1328 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {ce65a896-2265-4c57-b8ab-166b83b1ee36} 1232 "\\.\pipe\gecko-crash-server-pipe.1232" 10572 1baad606e58 tab
3⤵
PID:6012

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1232.15.2027691821\293436143" -childID 12 -isForBrowser -prefsHandle 5944 -prefMapHandle 4840 -prefsLen 27195 -prefMapSize 232675 -jsInitHandle 1328 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {9aaaed2b-74dd-45a9-8283-447fa4086a7a} 1232 "\\.\pipe\gecko-crash-server-pipe.1232" 4880 1baad8b5758 tab
3⤵
PID:5448

C:\Users\Admin\Downloads\LoveYou.exe
"C:\Users\Admin\Downloads\LoveYou.exe"
3⤵
- Executes dropped EXE
PID:7116

C:\Users\Admin\Downloads\FreeYoutubeDownloader.exe
"C:\Users\Admin\Downloads\FreeYoutubeDownloader.exe"
3⤵
- Checks computer location settings
- Executes dropped EXE
- Adds Run key to start application
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:5244

C:\Windows\Free Youtube Downloader\Free Youtube Downloader\Free YouTube Downloader.exe
"C:\Windows\Free Youtube Downloader\Free Youtube Downloader\Free YouTube Downloader.exe"
4⤵
- Executes dropped EXE
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:6388

C:\Users\Admin\Downloads\IconDance.exe
"C:\Users\Admin\Downloads\IconDance.exe"
3⤵
PID:4400

C:\Users\Admin\Downloads\MEMZ.exe
"C:\Users\Admin\Downloads\MEMZ.exe"
3⤵
PID:5504

C:\Users\Admin\Downloads\MEMZ.exe
"C:\Users\Admin\Downloads\MEMZ.exe" /watchdog
4⤵
PID:6808

C:\Users\Admin\Downloads\MEMZ.exe
"C:\Users\Admin\Downloads\MEMZ.exe" /watchdog
4⤵
PID:6568

C:\Users\Admin\Downloads\MEMZ.exe
"C:\Users\Admin\Downloads\MEMZ.exe" /watchdog
4⤵
PID:6856

C:\Users\Admin\Downloads\MEMZ.exe
"C:\Users\Admin\Downloads\MEMZ.exe" /watchdog
4⤵
PID:6892

C:\Users\Admin\Downloads\MEMZ.exe
"C:\Users\Admin\Downloads\MEMZ.exe" /watchdog
4⤵
PID:3836

C:\Users\Admin\Downloads\MEMZ.exe
"C:\Users\Admin\Downloads\MEMZ.exe" /main
4⤵
PID:6976

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Checks SCSI registry key(s)
- Suspicious use of AdjustPrivilegeToken
PID:4892

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x2c8 0x4e0
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:5584

C:\Windows\system32\srtasks.exe
C:\Windows\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:2
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:404

C:\Program Files\DrWeb\dwservice.exe
"C:\Program Files\DrWeb\dwservice.exe" --logfile="C:\ProgramData\Doctor Web\Logs\dwservice.log"
1⤵
- Sets service image path in registry
- Executes dropped EXE
- Loads dropped DLL
- Checks for any installed AV software in registry
- Drops file in Program Files directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: LoadsDriver
- Suspicious use of AdjustPrivilegeToken
PID:3100

C:\Program Files\DrWeb\drwupsrv.exe
-c update --progress-to-console --disable-postupdate --dws9 --verbosity=info --protocol=http --type=update-revision --interactive --coutname=F40A7421689148E1
2⤵
- Executes dropped EXE
- Checks for any installed AV software in registry
- Writes to the Master Boot Record (MBR)
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:5304

C:\Program Files\DrWeb\drwupsrv.exe
-c postupdate --progress-to-console --dws9 --verbosity=info --interactive --coutname=C40BF52189135F9C
2⤵
- Drops file in Drivers directory
- Executes dropped EXE
- Adds Run key to start application
- Checks for any installed AV software in registry
- Writes to the Master Boot Record (MBR)
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2700

C:\Program Files\DrWeb\spideragent.exe
"C:\Program Files\DrWeb\spideragent.exe"
3⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
PID:5656

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\Downloads\Free_Robux_Generator.bat" "
1⤵
PID:5556

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.youtube.com/watch?v=dQw4w9WgXcQ
2⤵
PID:4696

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x118,0x11c,0x120,0xf4,0x124,0x7ffb8bdc46f8,0x7ffb8bdc4708,0x7ffb8bdc4718
3⤵
PID:5816

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2168,3333290387096144822,1127906922890368325,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2284 /prefetch:3
3⤵
- Suspicious behavior: EnumeratesProcesses
PID:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2168,3333290387096144822,1127906922890368325,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2208 /prefetch:2
3⤵
PID:1832

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.youtube.com/watch?v=dQw4w9WgXcQ
2⤵
- Enumerates system info in registry
- Modifies registry class
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
PID:4380

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffb8bdc46f8,0x7ffb8bdc4708,0x7ffb8bdc4718
3⤵
PID:2256

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2168,5735154579958244091,11975807594952428799,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2460 /prefetch:3
3⤵
- Suspicious behavior: EnumeratesProcesses
PID:3936

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2168,5735154579958244091,11975807594952428799,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2184 /prefetch:2
3⤵
PID:4260

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2168,5735154579958244091,11975807594952428799,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2648 /prefetch:8
3⤵
PID:3188

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2168,5735154579958244091,11975807594952428799,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3552 /prefetch:1
3⤵
PID:6376

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2168,5735154579958244091,11975807594952428799,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3688 /prefetch:1
3⤵
PID:6384

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2168,5735154579958244091,11975807594952428799,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4088 /prefetch:1
3⤵
PID:6668

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2168,5735154579958244091,11975807594952428799,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4444 /prefetch:1
3⤵
PID:6700

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2168,5735154579958244091,11975807594952428799,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3212 /prefetch:1
3⤵
PID:6232

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --field-trial-handle=2168,5735154579958244091,11975807594952428799,131072 --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=5496 /prefetch:8
3⤵
PID:428

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.youtube.com/watch?v=dQw4w9WgXcQ
2⤵
PID:2208

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xd8,0xfc,0x100,0x8,0x104,0x7ffb8bdc46f8,0x7ffb8bdc4708,0x7ffb8bdc4718
3⤵
PID:1356

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2152,529870400568735493,6263978910616986463,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2188 /prefetch:2
3⤵
PID:5396

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2152,529870400568735493,6263978910616986463,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2244 /prefetch:3
3⤵
PID:5048

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:3508

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:2644

C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\Downloads\Frankenstein.doc" /o ""
1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:4632

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Bootkit

T1067

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Security Software Discovery

T1063

Peripheral Device Discovery

T1120

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\PROGRA~3\DOCTOR~1\Logs\dwupdater.log
Filesize
10KB

MD5
cbc6e7b297471671b59abdd30d5c4c1e

SHA1
939343c335f112efb64aedc22032d47e5e575e94

SHA256
c21b97dbd459dd6e632130afaacc5ae5e45b843306aa5c43000f1d4eea629328

SHA512
f7e7454ebb4e491f1fa376b3144cff19aadba2be246d03b4076cde8aff87c70b465937fee4092230e3521312887292496fc97b0338cd4a228792934d5ad82ce9

Download Submit
C:\PROGRA~3\DOCTOR~1\Updater\etc\drwupsrv.xml
Filesize
1KB

MD5
0e17fc49675047677039ce1841f44f81

SHA1
5771003715b3cdc28ef4a3ac6141d96e370cca2e

SHA256
1913cc1925780f1f35bdd5a0dea559695acea59210820b84f48c0e7a93bec6a8

SHA512
593deec5521c69d76ae895a6e54338591ad25df9527971aaebdd22916950ba8eacd25d66cec1a500ed691e7471a5bbef1184e2dce68809c6556f605d70ac800d

Download Submit
C:\PROGRA~3\DOCTOR~1\Updater\etc\drwupsrv.xml.backup
Filesize
1KB

MD5
9aec06332bdd83ea5575debe10f3a399

SHA1
35c2c9378f2c35e775bedb3ae5c9b458a758de22

SHA256
9fcb154360cdf54791b41f7be0b5092fccdac034dfc69c7aabcc8a0f2ecc2aa4

SHA512
00fdeb3d1ec8635dcdfbe7b65eb5e4a8b1762cf95eaef55076142825229201ce7a0de6eac252504f46c8eafc7397536b33c91ca2eaea00a53340bd4284e17ccd

Download Submit
C:\PROGRA~3\DOCTOR~1\Updater\repo\90\av-service\9\20230324160215.xml
Filesize
2KB

MD5
8a81ebea162b6e0937d7d8116f1e81e8

SHA1
b98c647b030fac5c981999a9cad98ca55262dac8

SHA256
0a278293566d84523d04c0a03d6c8214143465df2e2879774a97634b56a59887

SHA512
d9f7ac7cdce6a204b32a3612f9339efac0b109aa2f851c9a96e498605486c3dbc61011071c0fa7430fe1b064aaf9e21930e645439a3ab5a37a870649a5b2bc0c

Download Submit
C:\PROGRA~3\DOCTOR~1\Updater\repo\90\cloud-client\9\20230324160215.xml
Filesize
1KB

MD5
fd4ab6449fc5c8ca4ab0d44c21027aa1

SHA1
d15c9f7df282f2b4f66d50c8ed2e20a6cb70f22e

SHA256
b81be98239c162356e7e1bcc8b8d06c54b26f8518a20f88b2436168298553f53

SHA512
2e89e71cc233283279fbeff4806627fcc4b10a90308a405d1104eb9de05d2dcc74f54bf32d322c7b595ad7699e0bc5b665420fd9460e5643b3d160b65271c4db

Download Submit
C:\PROGRA~3\DOCTOR~1\Updater\repo\90\comps-revision.xml.newer
Filesize
244B

MD5
4da5b091cd35646447213ceb478e8b7a

SHA1
726cb21d838197d2909e238dd1a949d2533acda0

SHA256
e499011da0ae158ccaa7d8c645a6e4deaa5640333a0ca8df2723879094e541b2

SHA512
54950b4ad7e60eda107b22f9af4716fb4e80c0bf542543fe88ac5367ba41a6a3846af326c47ecbbd644cc05d727ab6436f5ef003ff8301586f836d1d01dbe561

Download Submit
C:\PROGRA~3\DOCTOR~1\Updater\repo\90\dwl\9\20230324160215.xml
Filesize
5KB

MD5
42467a148d264fd4d5596a6bcef384f2

SHA1
78cb787be2cf7e62b5719e8e4d2dbf8e2061c245

SHA256
c187d8f35bb8d9ed6858753a164e3527b2bd6d8335fe42dc8d1ba574d8e28e76

SHA512
1f15b6f93f50f4801afe467af228e93bd769f612015da66f472fc623590c95cac88adea54e8b979fa07e0b0ba304ef7d3c1cc5acfe9dddac3ec92321c81517ae

Download Submit
C:\PROGRA~3\DOCTOR~1\Updater\repo\90\dwprot\9\20230324160215.xml
Filesize
1KB

MD5
379e8dd5683a73a1d3ad8c615e65a482

SHA1
1e2e27ed0d81f8682041874fb0f1dcaba05110df

SHA256
7d7b23e57306db05ae7f73fa5188fe52ec1895b0650510474a366df3e4473fe9

SHA512
252d110cc7c6d7d288249d9aba8b54053ec47cfc4df79babf85c6882ee49d859c8ea6c82eb018e256cfa4eef3831c501b29af481e5def0856595ee77e6c47797

Download Submit
C:\PROGRA~3\DOCTOR~1\Updater\repo\90\help\9\20230324160215.xml
Filesize
1KB

MD5
fa2f077ceabb181d6ad78b46ca95248e

SHA1
42d4ac88ac55fc505d5e5530ab9fbcb1ec5f494c

SHA256
fbe434512f9155d31c9fa05d9aa941a2024947246ad785f9d68952cffc5ff5b8

SHA512
6750a961b87b5468eaf055900eed1c4fba1a4ddec7c70262bfa5dbed6cf144fec67a3325d185a60d94cf0270822054af32a0d81355cb882d70567f41bbc8d0f9

Download Submit
C:\PROGRA~3\DOCTOR~1\Updater\repo\90\katana-setup\9\20230324160215.xml
Filesize
739B

MD5
e2fdfeb729badf84ddcf69fe98006ddb

SHA1
daffa9bf841815c4845d55e534f503df88219a8f

SHA256
77af4634899f3f318d541284b3c0897ceb807e906013dce211d479836b195f8c

SHA512
c372e4907326909001d75eac4db9dfea47f8b30f673ed1fad2f180eb875e7c6c4b991ae507e61cde828e178efc3800b61e8f8932c415dc8346c53f2496093999

Download Submit
C:\PROGRA~3\DOCTOR~1\Updater\repo\90\products.xml.newer
Filesize
1KB

MD5
4dc21f25b3050c1453a61396ad8978fd

SHA1
8d407a7974044da42ef696b6878f15399d2f7395

SHA256
3d31d486128750a0bb45cf6460ff1c38dee69cae8093379c522bc651a1523658

SHA512
6c809853b0ad11e7bd4d0b264dc2a3132934d80dd25b2b76102e27a4cd26fcf0f966661d65065d0dedb4ab113ef18e7a57f552a3aeaeccff998880eb3504ffcc

Download Submit
C:\PROGRA~3\DOCTOR~1\Updater\repo\90\spider-agent\9\20230324160215.xml
Filesize
1KB

MD5
187e05284b7d2426ff91dd51195ddc28

SHA1
bb9e18440d14310faefe9dad12b4399859df8192

SHA256
9fabfdddac3817f46de1e83949db1a0c7cd16f27a06b49f9d940abf513a82584

SHA512
bdfa4f2581eb083b3d34c477e4d4c1fb3e397e6b6c86de665a270c0e26f4e339d74421a5701f9265b7d5bdd912cd4d156ca01f4c0536ffa0ca3b5464906981d2

Download Submit
C:\PROGRA~3\DOCTOR~1\Updater\repo\90\sysinfo\9\20230324160215.xml
Filesize
1KB

MD5
392d55d08d9ed17cb0a57e719d24ecf0

SHA1
83d0522f0ffbf55c5cc9ba938985a8a238394b1e

SHA256
5b9ed33350317321eebf0e93f42c6923fa8c636d0ea6afcae11bba0732699a38

SHA512
03aa0b4e87ad2e1fbd256ee7aa654e6a37acffc81f7b21c2389fec043de0392c99faffd79a9c5c7ba523dba5303071affe6197aea2c6a9c6e7fc5d44e00c8ea0

Download Submit
C:\PROGRA~3\DOCTOR~1\Updater\repo\90\updater\20230324160215.xml
Filesize
231B

MD5
c8231203b7666f23de5d1e38828a6b51

SHA1
084aa68c9b2f6736dcadc47ec20fd17707dbe623

SHA256
f34daaa80e6458e35fa9e9e242eba356a8c7fc272b0a23029be762a0496bfb09

SHA512
16a820145733fc604187a0163e9ade19401fedfc30239cdba962d315c140316ae550df5d335d0259ec2c0766e6eba1c9fd57e13b9c4b89ff0444916f8960ce92

Download Submit
C:\PROGRA~3\DOCTOR~1\Updater\repo\90\updater\9\20230324160215.xml
Filesize
1KB

MD5
3f5f9ac489d540abae172206b5711238

SHA1
9d224818480c088ec09a6d982f89e6ce63533c9e

SHA256
d5e84c5c23124952f7580abba448483f2d63541e2fec6e755e4ca173f5d815fc

SHA512
115d7c6fe2870972179a893e8d743438bf742fc1ba88da7136dbed98056a81e1138035260fa5fba35195438ee6ddcdc248deb68443b9bb80561b1e36ce23ad13

Download Submit
C:\PROGRA~3\DOCTOR~1\Updater\repo\certificate.xml.newer
Filesize
2KB

MD5
ace3e703850222a8207441237170fc06

SHA1
6b43c8f784a14741c85eb18a497335a09deca3c1

SHA256
72b75ceedbdad05dc399905f7f5f568017d837712ce11f19787343654b6f6a67

SHA512
4e19cca93fe00e94ea5a63436d80be12bd5c3287df89351c105726da5b8eb433f361d70720da2c2bce57dd72215afc298a97a0436441a45c19150f1d92a86996

Download Submit
C:\PROGRA~3\DOCTOR~1\Updater\repo\versions.xml.newer
Filesize
2KB

MD5
f1594843e38325737d63c0e7c25abb5e

SHA1
5431a608ab08ec63bfc90c800b1edff975c92cfe

SHA256
194072f3c25da8b12039affd3a610cacdf506a3263ef69c9c9bb9d2fd69ee356

SHA512
da2c93eb5ce1773bb89f2119152ee07e698a239e472edd4b842d45cfc87026a81e3674bfb251a37e550589771b7cc8b855b0c268cb9db2ec7e81bd13d0d78253

Download Submit
C:\Program Files\DrWeb\drwupsrv.exe
Filesize
7.6MB

MD5
4a482dc20f7e3f4bd091929014788bfe

SHA1
8e9014d89b3e9b433b7c38cf7b2aec77efe3d3dc

SHA256
f817e511bb03d33e15f96935774fb35c1b8d368abe81eca50944086275338105

SHA512
332fd24d9a20789f4e35a5167a0f9f446c480c69b47b6295c3c78eabe1e46c9cbda64a4024e95b2ac4a46ded1a11cf854d719a497a3f25e72df91d8e45b048fd

Download Submit
C:\Program Files\DrWeb\dwservice.exe
Filesize
8.5MB

MD5
472fd8b43f4de42497a6e16a3f914a19

SHA1
2f587b11c117d0bdaa9731539b79196a492253e9

SHA256
6e60fdcabdfd74274a7e2da62315fba484ef8c587bafbb3c39cdeb741a39b79c

SHA512
16d78ea2c306f46ff76cf20a33c60496132c47c08ac838c41305fba95e33741e31e6a83e99a44b2a709ceeaf3675b0565d2c4e6d0d906e2660895eb6d45bd4ee

Download Submit
C:\Program Files\DrWeb\dwservice.exe
Filesize
8.5MB

MD5
472fd8b43f4de42497a6e16a3f914a19

SHA1
2f587b11c117d0bdaa9731539b79196a492253e9

SHA256
6e60fdcabdfd74274a7e2da62315fba484ef8c587bafbb3c39cdeb741a39b79c

SHA512
16d78ea2c306f46ff76cf20a33c60496132c47c08ac838c41305fba95e33741e31e6a83e99a44b2a709ceeaf3675b0565d2c4e6d0d906e2660895eb6d45bd4ee

Download Submit
C:\Program Files\DrWeb\dwservice.exe
Filesize
8.5MB

MD5
472fd8b43f4de42497a6e16a3f914a19

SHA1
2f587b11c117d0bdaa9731539b79196a492253e9

SHA256
6e60fdcabdfd74274a7e2da62315fba484ef8c587bafbb3c39cdeb741a39b79c

SHA512
16d78ea2c306f46ff76cf20a33c60496132c47c08ac838c41305fba95e33741e31e6a83e99a44b2a709ceeaf3675b0565d2c4e6d0d906e2660895eb6d45bd4ee

Download Submit
C:\ProgramData\Doctor Web\Logs\setup-starter.log
Filesize
2KB

MD5
f18bc26150027a5cd384910da36216fe

SHA1
ef83e69712cd631a38c3878363e775b405b9858e

SHA256
b25b8b26ad3150af059aafd25093e801e535ee8cd4a561836e2cef4ea184e93b

SHA512
3338dd21a89fdde4d85e84e600b733a7aa707280fb8c86aa29b51dc5938c6c541eedd0901aefc1c2bcf53bdaa6b8aa62a8327481caa9752b75670798ec495d2d

Download Submit
C:\ProgramData\Doctor Web\Logs\setup-starter.log
Filesize
4KB

MD5
dbffce3188034d86d8326f16397fb731

SHA1
99282fbab302bd3dd9c3be87786029e9543b1fd2

SHA256
94434b15c00ffc97201922d8153d13566255f519e5bd0ba8b3bf2f4732ab1316

SHA512
13b0c665bd639371e0b21b4eb354d5ffa03f77719012d5efc3c073b9f71ac0e67144794e011ab4317c45533dd2f20bb1bfd65f41b147c948f51302c67badaa0a

Download Submit
C:\ProgramData\Doctor Web\Logs\win-katana-setup.log
Filesize
4KB

MD5
116b96e797c51d698a5a7fee099e1c6c

SHA1
7e838183f3cf5fc394f57857e785db3d53224470

SHA256
7c98a1dc2184a6bd4c57dfd7ccf3c8c644b8ae54308d3be4f71d38eac819fe8c

SHA512
d453767c456ab822c6da115417243820a5afeeca4b3aeb19fc92a76acde552b1a3b3893ba0fb3bd86ce22b838d24a204ab2beebd4d95ab39a2510cbe4c667229

Download Submit
C:\ProgramData\Doctor Web\Setup\drweb-katana\katana-setup.exe
Filesize
7.9MB

MD5
e5cac0467169d34fcee3c86595c570bc

SHA1
ba851755bee82c83d412f162250717d23732bf5d

SHA256
c2d6af0faa19f65e9df16d761a892a50c3736bb4563a2981e1e69e1da2739d17

SHA512
0b483a88c78d1da2b2f9ada572e7a7d8be287a02f7da2646f5d8dbfffea48cdea2dd661864bc87de29939f65543ef2bb52fa092b614bfd23802daf2d872f7266

Download Submit
C:\ProgramData\Doctor Web\Updater\repo\90\av-service\9\common\drwbase.db.lzma
Filesize
4.8MB

MD5
04e49ede35e457e11d3b75fad058b9b0

SHA1
5ec2dfd7c9ed83f172acbd2ae1577583ee750b04

SHA256
8f3fc74ea6ce6781717b0eb0a2048dc2ec3e729b5ba3d77c3eda673c32510f67

SHA512
5f9c35eb2870a74b2664c6958f2e73abdae6110e0b09b3e32296fb42d86e61bf9009af4a65ddf5236b6081e5854f6cbc66991c1d629d5f41518a279c25143fb1

Download Submit
C:\ProgramData\Doctor Web\Updater\repo\90\av-service\9\revision.xml
Filesize
2KB

MD5
4c7958537dacacf53935846adb90e2de

SHA1
ea3ced9f7d7be90cd37435d0b892e7a66c91bbb4

SHA256
316335e1dc5c503ec0671afa2ef916186121b874c149e5a2586eaab8e7ab7cab

SHA512
30bd0fc6e669610bbea4c90952955f7d8e78c906dc248ebb68728ee82a319e2f2d9ad2d9376f3b583da2ec6486eaff2d804b77b2f82732442618de4dc61036ce

Download Submit
C:\ProgramData\Doctor Web\Updater\repo\90\av-service\9\script.lua.lzma
Filesize
1KB

MD5
251851e2cffafd713c350af83cd2dad2

SHA1
6d25bf1c365ddbcf3b0fe08785e4d26341adea52

SHA256
ec76aecaf2ea2948ab0da21ef5f197a6128609c6c5ae596963a1b65c7b4b2b8a

SHA512
cfd2e8d8742f1f4ee4824ee1b3f5e93860d18b054e5cf10161fda247d451f5536cb60bac1e2dc6bf70a0aba3c3c22f18fc48dfd453fe8776ca2492302ec375c2

Download Submit
C:\ProgramData\Doctor Web\Updater\repo\90\av-service\9\x64\win\nt\common\dwarkapi.dll.lzma
Filesize
1.3MB

MD5
2f2998d350ac2d30639ec0831b976a98

SHA1
dc75444492ab6f35839122cd0124ea9f359f443c

SHA256
08cb6e60d1cd86f8b24dc95c6a744dcb5dc42029467bead2a4401d9fe80dc8c0

SHA512
d76457e8d79f27f6bfcae6c78dd44cde6da49cdd3651667f01a7925a650c9f01ba5338b229a91cdb8fb0f11dcccbd45d6ca3e744f6fd2985ba1920405d1c6c50

Download Submit
C:\ProgramData\Doctor Web\Updater\repo\90\av-service\9\x64\win\nt\common\dwqrlib64.dll.lzma
Filesize
278KB

MD5
9f507e343805a31ae6674ee83fef3347

SHA1
185b4c5de86a0c5dfc9824f38b8e47e53a700ba2

SHA256
5cb4c0086a33c78c48682324f3d6b0d2cf45e041523cbf060ad5985f0d396f82

SHA512
8d91cdd4fc76dbfa5ad454ad5ca2703807f600893bb51c16f596d951b9838669a94a4fef4d77e2d53b7c88fa997f7d41a65c4f3bb49324627a5cabfe88350d51

Download Submit
C:\ProgramData\Doctor Web\Updater\repo\90\av-service\9\x64\win\nt\common\dwservice.exe.lzma
Filesize
2.4MB

MD5
66bed6484dcf70cc2acaae1681242e16

SHA1
01d41eae0b7f241a9236ef8c02572e606f7f9df4

SHA256
ca79420d01dbe74540967fe6f31d5a49c280d3341256585089ee3fa0cfadbcfd

SHA512
e6fa6a952b9455043c2711b122bb17305283f084b9d57033691e948999d065f87c6633812aef0dee37a01ca2e8e319f2908538778df3f0de11d7430ee54d61d7

Download Submit
C:\ProgramData\Doctor Web\Updater\repo\90\av-service\revisions.xml
Filesize
236B

MD5
eb955f8e7973e0c8b2c2859bc58145df

SHA1
acf3cda0d9cb9ba4e072d847df17f0bcdbd61f76

SHA256
b9228f0cf7a0dec93d9f5b7ff3c2dbb878ed36447b5e089c4109b8dc2535599c

SHA512
29f3a7a993ad9a2dad2e423a5a8ef24b3eecd1b02b76650fd98f665f451e2cf2c15f52ee45212da3f3e4eb52bb0876d25756c297d4af75d97d1710044058e5da

Download Submit
C:\ProgramData\Doctor Web\Updater\repo\90\cloud-client\9\revision.xml
Filesize
1KB

MD5
9174569271957bcb6bbc57b2253715d7

SHA1
22b8a437886de85ddbc78820f32355b5c2963d31

SHA256
754788b592c2dcc4cd9aba4afdd9071ea81765101e92ed770bff62e0cc452b08

SHA512
93a9698ae71fca7efd56d5fba2695dbd0fefb2f9737cf214f6314e43550bd267e81b503c1b49ffffa30c9e9d060068994fd6c43d5d591797a632fea2a0150a91

Download Submit
C:\ProgramData\Doctor Web\Updater\repo\90\cloud-client\9\script.lua.lzma
Filesize
462B

MD5
3844830e44f7997d0475f43b90d8c010

SHA1
8995fb30c3a70064ba0125120cfd3ac4c80aabf8

SHA256
203b5f3d3ef0efac1a46b96869e198f909bc8b9ad35d46c0e45c0514135c3b66

SHA512
576ac483a30b2d02cd20002e0382811a73ed59d743c9c84cc1f461a580594678f754aa13fb19f3e9d7975128e803eda6d30fcde599ebf9c0c8b481cb30a0f050

Download Submit
C:\ProgramData\Doctor Web\Updater\repo\90\cloud-client\9\x64\win\nt\common\ccsdk.dll.lzma
Filesize
2.6MB

MD5
20d0ad5657a1c0a393b16af430ad2685

SHA1
95190b1b2993a82a6ca39d2c72d894eb0d0afd90

SHA256
4f4934cfd84cebc345d90bb25a6ca3aa83861c20b9be2ca780b6c1edf9b9a388

SHA512
f434b120572ec2b7902968a941708f1e79dff72e08a7bedc0f2ad8cc1d30e60065871f483e48c56b1ebe2a4f5223509e0563cee4fd4b4e901b46e45df2af9e80

Download Submit
C:\ProgramData\Doctor Web\Updater\repo\90\cloud-client\revisions.xml
Filesize
236B

MD5
2e9b7ede7e063715f978750d1b0943fd

SHA1
e5221f216f3595f2d2f9485d137eebcc076ddc13

SHA256
e52718d956f14bdb18cdc9c26fa95e3b4e6786aa01291dcf0de7c5df61c87217

SHA512
1d0a2692dde54a282a965a7090d8291962578771d213184efa7aa412da87b4e3def50538e474fb38eafb696c0c73de4aecf2f65221f0caef63804b3410df143d

Download Submit
C:\ProgramData\Doctor Web\Updater\repo\90\comps-revision.xml
Filesize
249B

MD5
297e7df4a2bf24e7f4cdc7c735e4b925

SHA1
4d787d644e6c261a6a33128fb95886a567e9713b

SHA256
71c4225140b5bf75f6cbd7b7f0c55ebbb7aa0e4b88a48dd518a28ac66bd4005b

SHA512
380c3c1e5d702549fb921f4871cd0e4c50d5e7928f4d9972ea257604cb74e695ebe9a9e7ece81e7500a44db2b3adadc122dbb9ed0a07dfb56d94c7b6059d6a4e

Download Submit
C:\ProgramData\Doctor Web\Updater\repo\90\dwl\9\common\cs-drweb.dwl.lzma
Filesize
41KB

MD5
7ab5da4f1361653fd93a846e603aff0c

SHA1
8a47bd5b45dbec060b0ebf1e1115f38f93dd274a

SHA256
96523040f9aacad60581d6fdf49f00c568b8eec0472a946374ade7f51a2d6eae

SHA512
d6b57275245020b4401ac478724dae8a36785d8aec8537f145e85cdd9c67e466de5053a7f68d3528600d7b1f0414b9837fedd29f3ec9e715e54a2ff0db1ed937

Download Submit
C:\ProgramData\Doctor Web\Updater\repo\90\dwl\9\common\de-drweb.dwl.lzma
Filesize
41KB

MD5
049e8ffb93161e38eb21f1f42f9c6689

SHA1
505179f88e0d5f5bd05a70ac5acb49a9b44d42d3

SHA256
aad3fdf032f9269b45f024431a180040e08823fe285a4a60d20f0bdcc071ab09

SHA512
279104e6c445e53487bf0b5552bbed42a9bb8facdd49fdf79fb0db9e20c4de2ef08150b7640a3e46bc7dd6f460448f26d77b0838808b49e6a15192ab5419bfa9

Download Submit
C:\ProgramData\Doctor Web\Updater\repo\90\dwl\9\common\it-drweb.dwl.lzma
Filesize
38KB

MD5
e9b12908bfda71373c316eb3bcbb270c

SHA1
61fcb136b2e89be78f392a112274cf0a0f045939

SHA256
ad2eb5bc3329343b22fadf8a8d6325d715bbc37d7f0d9058b6f2155f2f7ed59d

SHA512
20dab4284398da4efc469b88c7ca0b08719cb79891b24ea6d1415d1f730b63c701e4b47d17f05b28320e46ee5dd76a6b66391b1a4bf4502b24f85551bd325a33

Download Submit
C:\ProgramData\Doctor Web\Updater\repo\90\dwl\9\common\pt-drweb.dwl.lzma
Filesize
39KB

MD5
90616d30696476221f827b710a0178d0

SHA1
0c9cc78f4b48cba5264f04911f1ac4c201140e34

SHA256
c2eed04088a85b931f9f51eb8692036fd12609e9fa420366feef13e2b2c0cbd3

SHA512
548fd70e171ebc321ca2a48ee74033107e6511e50452782658f632696a64a0b97d294d0e0e99a314460bfdf5a0d017f4644616f5f1416c623b16755fc13fe714

Download Submit
C:\ProgramData\Doctor Web\Updater\repo\90\dwl\9\revision.xml
Filesize
5KB

MD5
f9525237ba6d6768afe0f49508d725a0

SHA1
479018a939018de59a65e73f8e6ea9156fd9b0fc

SHA256
e4a98b1b58dd2476df3decd3872e11c72648f5aff479abbf216054529b69a5d1

SHA512
4149fe8c3b56dd32ab0304c8ac0c2f1ed76c439f803dec6cbfd7cf60e88e4549fdbcbda385c8b29aa5f51ba8acdccf75b01ae6323209de5c73f6ff0fec04bb85

Download Submit
C:\ProgramData\Doctor Web\Updater\repo\90\dwl\9\script.lua.lzma
Filesize
524B

MD5
a2337f03bd68392d866278b3c31d4578

SHA1
2f312047e6b534fadd02fbed65234a20eb9f3096

SHA256
e2bd01b3bb541aade542bbe4fd85f454031eb76ebff0f9088cce49a601be02f5

SHA512
c5845f5e67926caecaad671f787eec439cdfc60d15c400c2895e59575ff7b99bbfd9df28472cc89b09edaf32ca0bd4ac05b71fa2a00fd2ef0e64834f06bbf518

Download Submit
C:\ProgramData\Doctor Web\Updater\repo\90\dwl\revisions.xml
Filesize
236B

MD5
2e9b7ede7e063715f978750d1b0943fd

SHA1
e5221f216f3595f2d2f9485d137eebcc076ddc13

SHA256
e52718d956f14bdb18cdc9c26fa95e3b4e6786aa01291dcf0de7c5df61c87217

SHA512
1d0a2692dde54a282a965a7090d8291962578771d213184efa7aa412da87b4e3def50538e474fb38eafb696c0c73de4aecf2f65221f0caef63804b3410df143d

Download Submit
C:\ProgramData\Doctor Web\Updater\repo\90\dwprot\9\common\dwsguard32.dll.lzma
Filesize
69KB

MD5
7306308d379202292d0f6cd12c3fd501

SHA1
16bc9271a1a6f1ec9437a0f72bd0b49835b9a721

SHA256
bbe8f592f577e4e3e36137bcd3cce6522dc7d9b800debf72d5779cb851a61fcf

SHA512
3a24572c7c402e5ce6706a1389398d297bba4c84654cb97f76c406f8def3f8ec3e0b7ae58cb1e6b5a8a72e9e6439fb13defc5c8e608dc92ace26024bbee10883

Download Submit
C:\ProgramData\Doctor Web\Updater\repo\90\dwprot\9\revision.xml
Filesize
1KB

MD5
17f394f09e47410f6beff11570e0e68e

SHA1
1e223237b79faef92a76b4d90e06ed082ba38875

SHA256
a21a077311fe36f2490d6a407ada86fa8da918ec3d3cc548585d3641390c31b7

SHA512
1cd63e62e976eded5e65a656af4074352076f8f16ddfe3e5395929f4176fe3f376d1dc180d142ed4708bfc6d363ce2f14f53f2c31e5af0d134b847f4251b8410

Download Submit
C:\ProgramData\Doctor Web\Updater\repo\90\dwprot\9\script.lua.lzma
Filesize
2KB

MD5
5bceb7e4567223617b59edacf9a51d95

SHA1
8753a6f6b1606eb5a181009b48b69eb9745be7d1

SHA256
55a8a2193306d222d4e230a92fdb5f642aba66c8bf37909d2861caa878ad9905

SHA512
6254789e245b6ef97d667981b2488376536c740b12760a1282e528ce5745f4714791e554549f24ddd902bdcc644c2ec9ab39ef8cd7c24541e850867ff51a207c

Download Submit
C:\ProgramData\Doctor Web\Updater\repo\90\dwprot\9\x64\win\nt\common\dwprot.sys.lzma
Filesize
249KB

MD5
eb9b4dd4de1923c64e523ef7d4deaff0

SHA1
9d2f387690ac7ecd696071f904e1839ec353485f

SHA256
301c83754752ab38d213cd83922f798db8b580b1968fc7f4d5e4f303ce8e3290

SHA512
6f7c4f1532792399d6178f8ffc5be770f0b3a796392f0a3770586b5ec1cc9f44866957add93e7f01224edb755fe9a628b8543db9b76a6d809ca822bdbcb0f98f

Download Submit
C:\ProgramData\Doctor Web\Updater\repo\90\dwprot\9\x64\win\nt\common\dwsguard64.dll.lzma
Filesize
83KB

MD5
aeee8038de6631da6b5d74c751ce5d4e

SHA1
e30e11a1ce2550a5ea03e308724e5e927474cf48

SHA256
0710ca69286a8e58070b49f3bdeb2593d3ea8d50b77e42110d44d2e8498f8cbd

SHA512
c1344e70720c58b1246e998bd1eda248f855c48b424911ed24d7b9347d4ba618fe19e9a0673b9c710bc029bb3d5bd6e3352883c9dda4ba60b0a44a030d68d85c

Download Submit
C:\ProgramData\Doctor Web\Updater\repo\90\dwprot\revisions.xml
Filesize
236B

MD5
2e9b7ede7e063715f978750d1b0943fd

SHA1
e5221f216f3595f2d2f9485d137eebcc076ddc13

SHA256
e52718d956f14bdb18cdc9c26fa95e3b4e6786aa01291dcf0de7c5df61c87217

SHA512
1d0a2692dde54a282a965a7090d8291962578771d213184efa7aa412da87b4e3def50538e474fb38eafb696c0c73de4aecf2f65221f0caef63804b3410df143d

Download Submit
C:\ProgramData\Doctor Web\Updater\repo\90\help\9\common\de-drweb.chm.lzma
Filesize
113KB

MD5
a9c728370fc0efbe9b036289ec46e638

SHA1
0d0ba07e4a3d1b5526b1adbcc0c0ae1e626a1876

SHA256
bafe80fe795454946a437f63235418fdf7add845a57146df885aa559ffccfd60

SHA512
02ea7eb83acfbf535eeffe3b23d45e733ba6d69eb3c043c0f998b20eaacd69c7fde976f8728f07be6fafea9e66189b21f7fb5ebe8dcad0606c255a41851e839d

Download Submit
C:\ProgramData\Doctor Web\Updater\repo\90\help\9\common\en-drweb.chm.lzma
Filesize
106KB

MD5
5aeb18f494e844129a31aa58a2d16411

SHA1
8e6f07eb0bb304eee7cc66ed1300ad40a3bee6b4

SHA256
32e701c7f8ff4fe1f3f7b7a58998d94c845ebadb76e86ffa9ad3d7f010868a7d

SHA512
e0e883fb92e98fdd3eda7f47335af347cda8d17c51c324b72e3eecf3f53f851d120c413a641263297ac5876fe8bf131ff5de03aae85e9ee81f60db07478e9a76

Download Submit
C:\ProgramData\Doctor Web\Updater\repo\90\help\9\common\fr-drweb.chm.lzma
Filesize
112KB

MD5
c5f885d811f30d09727c2922eacfd835

SHA1
57277ce545d97046cf34f2187b6264b70571f589

SHA256
ebe63a58351ebe7bc54a00d0aa006ea2a91623399af2ba77a30d386ad10af503

SHA512
482ce180ba27be240980e0e56b23ed4d91bd74dbffc14e1e116d2ca3e9c4726bd65fb383d088b98b75dc22d9e5f366302f2c99733d444aafb0aaba593dae25cc

Download Submit
C:\ProgramData\Doctor Web\Updater\repo\90\help\9\common\ja-drweb.chm.lzma
Filesize
116KB

MD5
48f186ac9d1e943cfdb70edaff45ba85

SHA1
8212996939676398c0d5f86ce00022ef156c6698

SHA256
f3f70514490166c6aa2fa32823502048f7bef193d1d5a841395699c6c5d2d775

SHA512
eeddb95ad6f2434d180b294b158d35f0032a4507cd4fbd2c94e1586ab590aba15603241d6a90282f72123369db50e36a9c4766bdc5f841d78505228dfd28e709

Download Submit
C:\ProgramData\Doctor Web\Updater\repo\90\help\9\common\ru-drweb.chm.lzma
Filesize
174KB

MD5
38381d7cc99a4934ce54943be1d9a090

SHA1
273b6c27de75d3d8a90c9743c3587f8efe7c95fc

SHA256
bc18a275e1089cdda1088b7f10a3856d4294c4bd4cd8e85b87f2302cbc75bf09

SHA512
a7bd5e09d2efd7d2712a1998da785cf1d8d9ff16054b3f0db91da6e741fd7b70b5b70a4405680691c01bbbedb912181fcb8c92a7ae59a63e56d19a1fb4f905f5

Download Submit
C:\ProgramData\Doctor Web\Updater\repo\90\help\9\revision.xml
Filesize
1KB

MD5
db70ee1d85a8792c2eaa7a26f9c8f74b

SHA1
3c2c280f04cb92d5cad31b1f2991d70f8cf0958f

SHA256
fd9bb67dd7c49518211e6f97ce1058cb15635ea78a4eda9696415dc619b0d570

SHA512
5d54043e1e0f0662144857067e32bdc01f89f4a31c76b708efb61ff648271e01ee9edb1393a6c00250d6dfc74cebc83f4388b817b353577b69244fe803c49bda

Download Submit
C:\ProgramData\Doctor Web\Updater\repo\90\help\9\script.lua.lzma
Filesize
987B

MD5
9892203958ffec466d49e599d4612daa

SHA1
4be64e0be737b3ae7451192cd3faca74cd254918

SHA256
81ada52a848442e2259f2ea630a927a456ba334d056a0e5a6aa40c5850f2e71c

SHA512
6ee75cef3ab66e0eabbde458d0f852833fff08c224ab51857efe2280c5c6573233900f797bef96d65fbabf169f7a9129c30243de5693e507f06cb85d3947ad80

Download Submit
C:\ProgramData\Doctor Web\Updater\repo\90\help\revisions.xml
Filesize
236B

MD5
2e9b7ede7e063715f978750d1b0943fd

SHA1
e5221f216f3595f2d2f9485d137eebcc076ddc13

SHA256
e52718d956f14bdb18cdc9c26fa95e3b4e6786aa01291dcf0de7c5df61c87217

SHA512
1d0a2692dde54a282a965a7090d8291962578771d213184efa7aa412da87b4e3def50538e474fb38eafb696c0c73de4aecf2f65221f0caef63804b3410df143d

Download Submit
C:\ProgramData\Doctor Web\Updater\repo\90\katana-setup\9\common\katana-setup.exe.lzma
Filesize
2.4MB

MD5
84ce3ff29082706bb985b0ed5a5d6c0d

SHA1
d3b89d48b2b4ac1f78286328cc707a66a73da048

SHA256
eeb559d9ee1bc38efdfb882d02dbfda0bd8c81ad3e5f8533458dd0cdd3025726

SHA512
53c34c0f073ac9fc386a7e33d3ec13d85315068a3105c9ed498cd5e0409193cb0f5360c61363051b5617f87494cc32a520c8bf6734bb64b77e476e432124d23b

Download Submit
C:\ProgramData\Doctor Web\Updater\repo\90\katana-setup\9\revision.xml
Filesize
749B

MD5
3e3d2d191716d04d3acabcb52afce16e

SHA1
c865b5b22487c4ac3f6540764cfd2be317a78ac4

SHA256
9697c2039359875346bfe503169bc3081820da10f0e2e2e12a1be7e53995b451

SHA512
6f5f079dbbd5edb176bc41771b6ca6adf7123c1bfdacacb0f424583b5d84b981bdbba858af29f87af1f0403960c4e1ca584012e13406e454b3f1a123d449b033

Download Submit
C:\ProgramData\Doctor Web\Updater\repo\90\katana-setup\9\script.lua.lzma
Filesize
1KB

MD5
cc82c852b9bb831ff47c1ac673a59bd3

SHA1
3f07e3776b8672459b9e21eeb36ea9218ea176e0

SHA256
65ff492ea8ce1ed95f4e39d997c004d079f1d3c1e355e9c4749eef691d303d87

SHA512
ab0ecba04f4bd8c5b88eb178d7a73c0733059087aacfb9223efa816084cb4ddeb836d1e3a4e7244cef684c1f9d2b58a844dcccae55aa5af1d2d0bac7749d2737

Download Submit
C:\ProgramData\Doctor Web\Updater\repo\90\katana-setup\revisions.xml
Filesize
236B

MD5
2e9b7ede7e063715f978750d1b0943fd

SHA1
e5221f216f3595f2d2f9485d137eebcc076ddc13

SHA256
e52718d956f14bdb18cdc9c26fa95e3b4e6786aa01291dcf0de7c5df61c87217

SHA512
1d0a2692dde54a282a965a7090d8291962578771d213184efa7aa412da87b4e3def50538e474fb38eafb696c0c73de4aecf2f65221f0caef63804b3410df143d

Download Submit
C:\ProgramData\Doctor Web\Updater\repo\90\katana-setup\revisions.xml
Filesize
236B

MD5
2e9b7ede7e063715f978750d1b0943fd

SHA1
e5221f216f3595f2d2f9485d137eebcc076ddc13

SHA256
e52718d956f14bdb18cdc9c26fa95e3b4e6786aa01291dcf0de7c5df61c87217

SHA512
1d0a2692dde54a282a965a7090d8291962578771d213184efa7aa412da87b4e3def50538e474fb38eafb696c0c73de4aecf2f65221f0caef63804b3410df143d

Download Submit
C:\ProgramData\Doctor Web\Updater\repo\90\products.xml
Filesize
1KB

MD5
a44d5904c1d013c49e4bdae057a6f2ca

SHA1
74cfdbb9bc23778c510b6617fb85efd967b6c103

SHA256
142768c942112ba3e7d8fbf09c5012e6a1923ab300051b5851eeb188dc34dcf4

SHA512
5ee3ad5fab8853fe4f3b953dc8625c1211eb5f9e3a0a08d800d9387f24f96886ebc9b6d3f776e0279bb59a0a47054948208272b4b744433f1171e3c6a30b8f53

Download Submit
C:\ProgramData\Doctor Web\Updater\repo\90\spider-agent\9\revision.xml
Filesize
1KB

MD5
7e09f13dc000df42b18a28610b31eace

SHA1
129951474df5f303571d778aae66ef82aca796b1

SHA256
4def0fd7533b6ceb7ed7389c01bbf6628d0b763fcbb590aa6d7cdcfabef8473a

SHA512
fa262dedd923e25517112fe9b0625947ae224ef712aed985d477e60406dbd56a2b6413d5c30b1aa6c775ba3e7f789b01d75f346197cf16ff0f453776743cf1b2

Download Submit
C:\ProgramData\Doctor Web\Updater\repo\90\spider-agent\9\script.lua.lzma
Filesize
1KB

MD5
73a8d2036bf1f133310889ff7ef4c400

SHA1
a326342810f2c9195a0f0c20efb5c9d8f1eea717

SHA256
28325275358d650c048450595faa28c264b68931b57ac4f42d0367e81bcec468

SHA512
79703fcc983e93bc7d3081de6562815c10b2b4b8b3d43e06f15ac04e00b8f40164770a75cfef5d43bf262d7e254ab4a69085ae7376a469ce62e4a0c3653185a4

Download Submit
C:\ProgramData\Doctor Web\Updater\repo\90\spider-agent\9\x64\win\nt\common\spideragent.exe.lzma
Filesize
3.8MB

MD5
051bc19824463b6301c43e010fa0e79b

SHA1
9a9f8116e09d52fdc9b09f72a9ca3f0b69f1b181

SHA256
8f42bf770c2c3dcb7b300adddea87d4cd2050b8951f77ef8fb7108879fddeb2b

SHA512
f090777b7b5e2f9359caab390874e90ad495787ac1d8ff21f42be1c866cbfd5e686c0fdf12375438edc1ba400115586c1d22bcdef6fe0ec073deb5a6244914b4

Download Submit
C:\ProgramData\Doctor Web\Updater\repo\90\spider-agent\revisions.xml
Filesize
236B

MD5
2e9b7ede7e063715f978750d1b0943fd

SHA1
e5221f216f3595f2d2f9485d137eebcc076ddc13

SHA256
e52718d956f14bdb18cdc9c26fa95e3b4e6786aa01291dcf0de7c5df61c87217

SHA512
1d0a2692dde54a282a965a7090d8291962578771d213184efa7aa412da87b4e3def50538e474fb38eafb696c0c73de4aecf2f65221f0caef63804b3410df143d

Download Submit
C:\ProgramData\Doctor Web\Updater\repo\90\sysinfo\9\common\dwsysinfo.exe.lzma
Filesize
12.4MB

MD5
478b78446479dc7a6ea70465e7b48a50

SHA1
09974a76f17f726c2d11d57ae6fb91999d0ce554

SHA256
7644c8644d579d60e7ae7f88e588642c503d2855ed8f8b8a3e9da32a403ef53b

SHA512
44e2bf2e51c34ac5eb52c0372e65884cd9d9097432d685a7e7d6146dcd405cc56dd83208f399b5db1fa48e8dab13986a346683debf2bb6aeea8f1c848fa8f81b

Download Submit
C:\ProgramData\Doctor Web\Updater\repo\90\sysinfo\9\revision.xml
Filesize
1KB

MD5
369180c022bfb83cac82ec902c360498

SHA1
c7b58c8e2ae03e3eeaffece6d61b3861280e0601

SHA256
56eca5cf64e80f1384f2d18d7091199b223a77f2cf7c4fdcdc8c30586b78a947

SHA512
d96df43341a550505116916a9af424d4ed7c56c995126dc84742abdc25cac5e931a5464adca28f1adcefd50e5fd4fa21aa8b8200a4568c4737ca7af40d2c63ac

Download Submit
C:\ProgramData\Doctor Web\Updater\repo\90\sysinfo\9\script.lua.lzma
Filesize
331B

MD5
e860629b8db2db14867b7761337ee4c8

SHA1
1d975b5875e49928ee2ff50a17e39d60ae5d9b30

SHA256
295a5f0ea20b99d3d0f744a9f177136fb23ea05e6d5e29cfdcde50c20b816afe

SHA512
80525369fdfff035aa81e7e6d964092567735e58a44f10061ca6dd29bf768b54eae23b38cfbd4c91bdb1538f61523b556e5be959556dd2092c844647266e70d2

Download Submit
C:\ProgramData\Doctor Web\Updater\repo\90\sysinfo\9\x64\win\nt\common\dwsysinfo.dll.lzma
Filesize
261KB

MD5
f2609cbd505504dfb6de4e2d6c55d9de

SHA1
c93d479292457bbc5f35bf02fa347c2b2fd357ba

SHA256
ed02f519afa2998ebbf06b64799d180407320d1ff94abff0bd8bbe63405960b9

SHA512
114493922e5fb6127c322abbd428a865b3a8045846ce05659f521d43ac61ca1278e53327209f60bf8665f2f4889d5ffdc187fa77ae455bcbd0a21c9b9ca9161e

Download Submit
C:\ProgramData\Doctor Web\Updater\repo\90\sysinfo\revisions.xml
Filesize
236B

MD5
2e9b7ede7e063715f978750d1b0943fd

SHA1
e5221f216f3595f2d2f9485d137eebcc076ddc13

SHA256
e52718d956f14bdb18cdc9c26fa95e3b4e6786aa01291dcf0de7c5df61c87217

SHA512
1d0a2692dde54a282a965a7090d8291962578771d213184efa7aa412da87b4e3def50538e474fb38eafb696c0c73de4aecf2f65221f0caef63804b3410df143d

Download Submit
C:\ProgramData\Doctor Web\Updater\repo\90\updater\9\common\drwzones.xml.lzma
Filesize
359B

MD5
ef6c6fa2c710eac4563ec5b33d0f6e47

SHA1
4b8fe71b9e6b3de74a1ef5e287f60b726300e4d5

SHA256
f8eeb75bf35e589df864c887f36246e2e05229edaab2ac64e0d59645dbce0161

SHA512
4e9e452b0c5bd06df2a7cfdbb21e9497bf9ebf166a0b1e55925c847cc0c4bf3969b0f21f5bfea4a74fc76617c4127fb6fd73fe40f844b6f76fe7838dc21b06a6

Download Submit
C:\ProgramData\Doctor Web\Updater\repo\90\updater\9\revision.xml
Filesize
1KB

MD5
2d8a6cdb81c8756f29308b7e8edcc9ca

SHA1
654342565c1f7c4b308a3b3e368a641fb7dd3f6d

SHA256
d5404c911ac49519a255592a8f6105e0740198a534ebe0e193d78deec5df93cf

SHA512
9b42a858823d9c3298edde8d83490f228ac53c92e5635d49bb7c447550ce2b5c5ced09741049e90fceb9b21a0e0c0ab47fabd2075716c24e4443fb8efa4579bf

Download Submit
C:\ProgramData\Doctor Web\Updater\repo\90\updater\9\script.lua.lzma
Filesize
1KB

MD5
fa4f4a433dd5241b76e10bab3fc1ea00

SHA1
788152473abaa7241f25de7bf41d90ec0dda2ea8

SHA256
8c2ee7791ebe61aad9b7f2e0acd6ab0994706bda616fdfb64c9f60399576cbb9

SHA512
01a321832ce6fdea61ad95c1ab8ff9a678325dbf60b1bb61db6ef4ce887c6b28457e20fc0e6e03441d14b62cf101ce09a4ff26c139ac4dd39cbf74f04e8fc0ec

Download Submit
C:\ProgramData\Doctor Web\Updater\repo\90\updater\9\x64\win\nt\common\drwupsrv.exe.lzma
Filesize
2.0MB

MD5
b9fb552d405e69612dc00712246fe16d

SHA1
38625b1379d89e807a015abbdd622f19df8dfe01

SHA256
a588302c2a397d473f93fefd69499291d12e5bd2a2aa781efecb6abca7eee73b

SHA512
2721b49d57b7b15e582a281196c22722be03eb7ae6a19a33ff9a829efd080dd2a3b1bd0b4184d4025c2fe51aef31bf6ce3865ae855c53f35e431b463f81ff0d4

Download Submit
C:\ProgramData\Doctor Web\Updater\repo\90\updater\revisions.xml
Filesize
236B

MD5
2e9b7ede7e063715f978750d1b0943fd

SHA1
e5221f216f3595f2d2f9485d137eebcc076ddc13

SHA256
e52718d956f14bdb18cdc9c26fa95e3b4e6786aa01291dcf0de7c5df61c87217

SHA512
1d0a2692dde54a282a965a7090d8291962578771d213184efa7aa412da87b4e3def50538e474fb38eafb696c0c73de4aecf2f65221f0caef63804b3410df143d

Download Submit
C:\ProgramData\Doctor Web\Updater\repo\script.lua.lzma
Filesize
9KB

MD5
c5cd9bf0fdeba147c85075cd981d61e1

SHA1
71222d789cf86dfbf728e76e42acf168a4e5cad1

SHA256
56c06faa87d9064eabb6ca89e5f8f1025c689d8adf025235d670b739d5c770cd

SHA512
2905108fd109a09bf34bb94d1fbdda02af6ef23a5c627f36247f8b2e119fe73dbaa0f4ea121015cd77d68096cca097f8d700b295740af1ff9dedf94b0ffc4621

Download Submit
C:\ProgramData\Doctor Web\Updater\repo\versions.xml
Filesize
2KB

MD5
674965d7142de890e2c0cc241cb43734

SHA1
908ea8e7022ec596e40acdd7767e3c5f590ea273

SHA256
b2ac1c67067b71890d2b74e9c6583fbf02f43e6a7e990972bae14a8231bf6f8c

SHA512
585f8a7ff8b55f2011d3208eb40fb14ca4ac39254e7e6c34f95f01c77106f6e124abca44d02897ba94ac74d055d40210357da1ac515f7672a5ad0231c27b2634

Download Submit
C:\ProgramData\Doctor Web\certcache\authroot.stl
Filesize
161KB

MD5
be2bec6e8c5653136d3e72fe53c98aa3

SHA1
a8182d6db17c14671c3d5766c72e58d87c0810de

SHA256
1919aab2a820642490169bdc4e88bd1189e22f83e7498bf8ebdfb62ec7d843fd

SHA512
0d1424ccdf0d53faf3f4e13d534e12f22388648aa4c23edbc503801e3c96b7f73c7999b760b5bef4b5e9dd923dffe21a21889b1ce836dd428420bf0f4f5327ff

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\14fe8f57-22b7-4a48-9588-4e2203fb6ad0.tmp
Filesize
2KB

MD5
765158f32068092fefbbb7be237c137f

SHA1
4aac90e859e522010ae822e05849b681201b9df0

SHA256
09eceb9329ae2adc3a2d18c08d4028476824204d62299c3e2d5185db3c26aebb

SHA512
84f3165deb6665f889dc44bec87c0260bbdd4da6f597acfafd8a0f3533eac274c35c948b42220255f42e5d938218cb852b5d78ba8cbda1fa284ccf7f5cba691a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
Filesize
152B

MD5
cd4f5fe0fc0ab6b6df866b9bfb9dd762

SHA1
a6aaed363cd5a7b6910e9b3296c0093b0ac94759

SHA256
3b803b53dbd3d592848fc66e5715f39f6bc02cbc95fb2452cd5822d98c6b8f81

SHA512
7072630ec28cf6a8d5b072555234b5150c1e952138e5cdc29435a6242fda4b4217b81fb57acae927d2b908fa06f36414cb3fab35110d63107141263e3bba9676

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
Filesize
152B

MD5
1d40312629d09d2420e992fdb8a78c1c

SHA1
903950d5ba9d64ec21c9f51264272ca8dfae9540

SHA256
1e7c6aa575c3ec46cd1fdf6df51063113d277012ed28f5f6b37aea95cd3a64ac

SHA512
a7073247ae95e451ed32ceeae91c6638192c15eaad718875c1272eff51c0564016d9f84690543f27df509a7d579de329d101fbf82fed7cbeb27af57393de24ac

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000001
Filesize
50KB

MD5
40333c9d07daab8ba8a53f73ee3f974e

SHA1
36c2b17a7c48fc28036534f445b79fca9658f0a4

SHA256
998313664fbeab2403238a77e6c50a4541d20805b30533f67de1a12c624fee54

SHA512
4a893bf97a02f88a3ea7830b5f72eb56295566a2c6ceafa33fd80f74f81edadbb4172f71c0e12e4a06b1e927f9d7b0cc62c5ba070cd50f3f25c8b670a1270de4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000002
Filesize
22KB

MD5
a34c77847d7a957a99edaf10a7deaccd

SHA1
1619cedec658842283a7a474adba2efdcb0d3598

SHA256
ebee5d0011bcd484c4e7067822a1bcac208a0d03a33fced5c6a222666df67350

SHA512
afe20d031816081eba10587141518fbce91ed5f3b44fa002a593f784603d4b2007c89713cd6d9ef3eee3ecb8b53a57ecd078826ba0fcc5d02f2b7de814dd1b7c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000003
Filesize
612KB

MD5
a583b39f19252d5e929044138520b689

SHA1
51fc5bbd8694b72756de25fc60f13151d132ef01

SHA256
0123ffed642c61e4754dc6b590a20af667dc7d0b4262335c8b4c46e562ad3823

SHA512
434f70f7361014f9d2f87de0c29a2c2d1cd240333e99a4a61722404534783210575594c4ab996ec60d682157ffd5b2b87278cfdc9a2fbaf08213c42f1f1e1a8b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000004
Filesize
1.6MB

MD5
6b1275d40a481add93c024cee90ca5c1

SHA1
5393a6451876fd627b43f451a5767c11b38ffe84

SHA256
409a5e4ed7ad0a59238727004b97f28657620bf01d1e400d0b28dacec50a777e

SHA512
fa06b79912a9be3888eed4b1d8ef9427918f64dec0ea40333e9baab12d8f807c6874a23ff4c86099e44d7c41cdd20a1a7e8cd34d71728f6b0ca6c1ac6520958f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index
Filesize
48B

MD5
26db1c12d3db84a6e27ca28f9c133135

SHA1
aa69c0bf61488f3c47de3fef4d8e1c0a6148e846

SHA256
125246edd67d647e269f7871d061cf9dceb6b6b4a93e468b2fa5a5558cc69be1

SHA512
3cc64d9552db9389d68253e58f4b806931571120a2a6d137587a08f0bebeb1841bf48e472109ccbf87c3cf6df22f6e16e4a04fd5082a15f3c0ba50a87da6894f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index
Filesize
504B

MD5
85f768f3f5d47d68105132b36739b470

SHA1
feea1f2a5d87000334545527f6528ebadce85f6f

SHA256
f6e262d511b0cd389417e091dc31b8c1c7a8bc68c62c9cc0c395767798c1ed83

SHA512
52e19bf0b3ef8777c4effe1534d82e5d1870d2c6255783d6e2f4c7f07ffd3104a017111373ea1dc830d25c595b9be899eab02ce7198b0aed794627e7e0b35437

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Edge Profile.ico
Filesize
70KB

MD5
e5e3377341056643b0494b6842c0b544

SHA1
d53fd8e256ec9d5cef8ef5387872e544a2df9108

SHA256
e23040951e464b53b84b11c3466bbd4707a009018819f9ad2a79d1b0b309bc25

SHA512
83f09e48d009a5cf83fa9aa8f28187f7f4202c84e2d0d6e5806c468f4a24b2478b73077381d2a21c89aa64884df3c56e8dc94eb4ad2d6a8085ac2feb1e26c2ef

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\GPUCache\data_1
Filesize
264KB

MD5
d0d388f3865d0523e451d6ba0be34cc4

SHA1
8571c6a52aacc2747c048e3419e5657b74612995

SHA256
902f30c1fb0597d0734bc34b979ec5d131f8f39a4b71b338083821216ec8d61b

SHA512
376011d00de659eb6082a74e862cfac97a9bb508e0b740761505142e2d24ec1c30aa61efbc1c0dd08ff0f34734444de7f77dd90a6ca42b48a4c7fad5f0bddd17

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Microsoft Edge.lnk
Filesize
2KB

MD5
50403e7a061923bf772548dd3c2fd00d

SHA1
6da96f26d18290a2b541165e42c55c40624e3c01

SHA256
865b7cfc5753508ed0ecc1f966d5db4dedd8f8940f668e0e0160f9ae38d1777c

SHA512
16ab6942f3c96b72884a3144ec8acab02316a1dcedf33df30e7a37a9d495f23d2fb11dcf84c551b0c0e16fa571af97d8b2c930f2de16aca29ab413154e1bebcb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State
Filesize
2KB

MD5
dadc1f97fe794c3e45693ee8689429ee

SHA1
f7dd31983b324a718690fa5f2e35768b8d3bb9c2

SHA256
c05fcb0b59c6ef72b76791aaebaf117d161f18795a633df73550113e328fab0c

SHA512
9bc73dee967dd31292cf550e800553c455e8b1730aa3435b181f512973b5b84664c7cee965a34f5611458215256e71a20ca14c310101149445df6353d8189145

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
Filesize
6KB

MD5
548d6358c34c4470638776f17947a973

SHA1
11c8baa8d872dc2335f8ff5d5835f01f9da4be78

SHA256
852b6c0773cf33d0c89db3b4d8ff9d5cce1c04d379d300832367d95869505701

SHA512
0212694fecd8d82cfc28264b3f24b7fcf618b82e2e5d39da53dddf847640a80a76fa19cc24006a8b6200be6086015d9056c5d8ad439f5ec11a5dad02c1976a9c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
Filesize
4KB

MD5
1fc0813e3302f2d969033f34fa3ee82d

SHA1
2810eda2574c4891c9af435af026046dc7c40701

SHA256
0113925ee17086a8303efda960a1594ca882c3d354bf2c337088a3a628b159ba

SHA512
ae927c9d3c51bc477bd3a8f07b4a2577300d8d416aa6de31825d5bfe9077c53ef60a472d2d0369ccc0d9d6147e39979dfcd3fd4846b8e5b56e1aa48b4aedfc1b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Secure Preferences
Filesize
24KB

MD5
1463bf2a54e759c40d9ad64228bf7bec

SHA1
2286d0ac3cfa9f9ca6c0df60699af7c49008a41f

SHA256
9b4fd2eea856352d8fff054b51ea5d6141a540ca253a2e4dc28839bc92cbf4df

SHA512
33e0c223b45acac2622790dda4b59a98344a89094c41ffdb2531d7f1c0db86a0ea4f1885fea7c696816aa4ceab46de6837cc081cd8e63e3419d9fcb8c5a0eb66

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\shared_proto_db\MANIFEST-000001
Filesize
41B

MD5
5af87dfd673ba2115e2fcf5cfdb727ab

SHA1
d5b5bbf396dc291274584ef71f444f420b6056f1

SHA256
f9d31b278e215eb0d0e9cd709edfa037e828f36214ab7906f612160fead4b2b4

SHA512
de34583a7dbafe4dd0dc0601e8f6906b9bc6a00c56c9323561204f77abbc0dc9007c480ffe4092ff2f194d54616caf50aecbd4a1e9583cae0c76ad6dd7c2375b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\shared_proto_db\metadata\CURRENT
Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
Filesize
2KB

MD5
5b0f6cfdfdd6b3acfd5899ad56006ad6

SHA1
fbdc22099d19f6ab5377782c9bf43e2d33b596d3

SHA256
488e6022274c599427e8c10fa728a0ce1414a16fc8243ebd905026b5ee4487a4

SHA512
3c02f4d604db8eaf0e058aeb5a652ac90ed92a7f164496b178cd97b5422d39b75b72f973bdfaeabc8103ddf688bb39d4e71948e33201530bb334f43a30925f3b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
Filesize
9KB

MD5
19fe8863bc9c167d695b527bb12f55b5

SHA1
0ae69f85bef5524d74e499c4cfe85402d4ea50fa

SHA256
4b470f32c751eac6e188a60b2ffa324a4b1cd564a441dcd2692e9bfaf7546edb

SHA512
7b8c95b094d50935c1457b0f9c3a954d4071532718ea66d54cf10b94a3692c2a64291927943a824c47e3ad882a3e69e6588d3d7435f582d10d5b0cc4296323fa

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\3o4pebi0.default-release\activity-stream.discovery_stream.json.tmp
Filesize
164KB

MD5
08fb52b3b3ac784d3d47ab521078d798

SHA1
77335d64dfdfe5d2c8480617842e2a4919b59519

SHA256
09f83ac0ccc086545498526c77f2a8d159c7de72746bb7d2f2c8092c27ad529f

SHA512
2f95c7ffd29aa66e175c143e762158596458baf7183dc7506ea95e1180f53553d8d5898db3355ffc8e5f62aa5fb82b14290d976fa5fcbe418f3127f1a6cc2ba1

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\3o4pebi0.default-release\cache2\doomed\22745
Filesize
9KB

MD5
a929cec1078acb51bd69fb26011081e9

SHA1
e25f44fdd50ab39b29d6e82ad4bb10d7d934a37c

SHA256
20f979b347235f0032488190b955e911e63814fc5c92711ec78db54fda33f75e

SHA512
7ce50fbdb5ab46337c6d1307ba3d990c00ebf2b8a2f8fd7e02d0cd057e75eaccd41e1be3b51b83d137afae0d3fa19a990cfad68a2ed4ba8b5ff03fe14460ed3e

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\3o4pebi0.default-release\cache2\doomed\8380
Filesize
17KB

MD5
c07a4ea1e73f1c7b79f5b2c86a967507

SHA1
1dcf354b7bc32d7c82f0251ae34a3ad685b6b4b3

SHA256
8bae678c9549a40259b2fca70c70b3e149915b75677fb140284ffe5adc2dc53a

SHA512
428ccb7ce9c9b8a6dfc36c9e527cc471833081fe289dcbd737130add75f2aa87ba357791197037aa0c39840ec629e23fa3fbdad6f49a42fce01ae3b47c0bd9bf

Download Submit
C:\Users\Admin\AppData\Local\Temp\8DD224D8-FA8DE2A9-8691B6CB-8AC62588\drwupsrv.exe
Filesize
7.6MB

MD5
4a482dc20f7e3f4bd091929014788bfe

SHA1
8e9014d89b3e9b433b7c38cf7b2aec77efe3d3dc

SHA256
f817e511bb03d33e15f96935774fb35c1b8d368abe81eca50944086275338105

SHA512
332fd24d9a20789f4e35a5167a0f9f446c480c69b47b6295c3c78eabe1e46c9cbda64a4024e95b2ac4a46ded1a11cf854d719a497a3f25e72df91d8e45b048fd

Download Submit
C:\Users\Admin\AppData\Local\Temp\8DD224D8-FA8DE2A9-8691B6CB-8AC62588\drwupsrv.exe
Filesize
7.6MB

MD5
4a482dc20f7e3f4bd091929014788bfe

SHA1
8e9014d89b3e9b433b7c38cf7b2aec77efe3d3dc

SHA256
f817e511bb03d33e15f96935774fb35c1b8d368abe81eca50944086275338105

SHA512
332fd24d9a20789f4e35a5167a0f9f446c480c69b47b6295c3c78eabe1e46c9cbda64a4024e95b2ac4a46ded1a11cf854d719a497a3f25e72df91d8e45b048fd

Download Submit
C:\Users\Admin\AppData\Local\Temp\8DD224D8-FA8DE2A9-8691B6CB-8AC62588\drwupsrv.exe
Filesize
7.6MB

MD5
4a482dc20f7e3f4bd091929014788bfe

SHA1
8e9014d89b3e9b433b7c38cf7b2aec77efe3d3dc

SHA256
f817e511bb03d33e15f96935774fb35c1b8d368abe81eca50944086275338105

SHA512
332fd24d9a20789f4e35a5167a0f9f446c480c69b47b6295c3c78eabe1e46c9cbda64a4024e95b2ac4a46ded1a11cf854d719a497a3f25e72df91d8e45b048fd

Download Submit
C:\Users\Admin\AppData\Local\Temp\8DD224D8-FA8DE2A9-8691B6CB-8AC62588\katana-setup.exe
Filesize
7.9MB

MD5
e5cac0467169d34fcee3c86595c570bc

SHA1
ba851755bee82c83d412f162250717d23732bf5d

SHA256
c2d6af0faa19f65e9df16d761a892a50c3736bb4563a2981e1e69e1da2739d17

SHA512
0b483a88c78d1da2b2f9ada572e7a7d8be287a02f7da2646f5d8dbfffea48cdea2dd661864bc87de29939f65543ef2bb52fa092b614bfd23802daf2d872f7266

Download Submit
C:\Users\Admin\AppData\Local\Temp\8DD224D8-FA8DE2A9-8691B6CB-8AC62588\katana-setup.exe
Filesize
7.9MB

MD5
e5cac0467169d34fcee3c86595c570bc

SHA1
ba851755bee82c83d412f162250717d23732bf5d

SHA256
c2d6af0faa19f65e9df16d761a892a50c3736bb4563a2981e1e69e1da2739d17

SHA512
0b483a88c78d1da2b2f9ada572e7a7d8be287a02f7da2646f5d8dbfffea48cdea2dd661864bc87de29939f65543ef2bb52fa092b614bfd23802daf2d872f7266

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Office\Recent\index.dat
Filesize
257B

MD5
b451efa2021dc50bbf5a8f4a3bc51d2b

SHA1
eba975ce57a9b8808a41c8302edcb4fa0a9193f1

SHA256
29116d7ad2bfb4ab3e51c8cea1e5856a8a5981aac3154b9b7e968ba57042bf86

SHA512
ed5468c7126b6d03b1fa9f8541665ae9a1dba0d2d90a2ec4d5520f4e57825f178036a630a603df46dd25f465e257b770a92c6592b197528102e1e8ce8ef3eda9

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\6824f4a902c78fbd.customDestinations-ms
Filesize
19KB

MD5
679a7656634897f625f076776732391c

SHA1
acba055bb66e5f68a951c9d5f25df17c4bd49152

SHA256
c81423281ca205406597978eec907aa3120a491d64f85f3902017b877baff046

SHA512
6c93ff967a36a148bab9da9f6bf631793a861a7a30c588b48c0ddef26f8748505193137aa3a375fc9c2d7bd7161380a69dfe73c9e3c8ba4476203733326e55a2

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\6824f4a902c78fbd.customDestinations-ms
Filesize
18KB

MD5
6728977432462face4011a0b139f5213

SHA1
3a73ef3ba191d37b3d8f34c16a591a0d7539d37a

SHA256
7c7fbf0e9e477ebaaf3b9977d3d72b4d7467742da8fecd07ed20829ef2c6334c

SHA512
cbb686c07bec51e5ad9fca014abfe01e63ab6380642f9adf80fbf30a8aeec8c1213066ead6b1138e4d60898c328b439cbfe4e05e67b07d5f83c34ccd0852b1d3

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\fb3b0dbfee58fac8.customDestinations-ms
Filesize
3KB

MD5
449617b9b1540a6d256f1257be5f2dac

SHA1
9d7e0b19c35aedc84b2989bbeaa2667e23a32fe4

SHA256
5a3cb3433e034c096db086b3d71f46972cf5052641af63c789b57801c076625c

SHA512
21632a672bbc3cca4b476147158de792db940bc9db09aa235f34f0217e02f2a35d3324e0c27333b2ec708b81e506be567b22b6f14fdd7e64b1664028e0269346

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\fb3b0dbfee58fac8.customDestinations-ms
Filesize
3KB

MD5
437745ae097498a346458e71e04f9b76

SHA1
501b2fdfcb0454c6c1aeabef0e85878d4be2bb64

SHA256
c638323df8e1b390d1a8d2ff67c8046943ca74e301f05f5da2cdaf9bf0c32437

SHA512
a6815ae47038cfb4a493876ef8085e89b5ddeb627c10628e842b5f51c8c8a507639ad069f2d3c7ddc75b62d2defc5532566729e08dd3ad9959eaf539d1b8485c

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\3o4pebi0.default-release\prefs-1.js
Filesize
6KB

MD5
818f9348a8ea0ee2dd372458fa063e67

SHA1
e24173f1a0d189fe9cf73238d76520c2fcbb5c47

SHA256
1d97dc5afee88c2dcf7e598247cbba7878061beb801256fe6eefb65ce3d6faa0

SHA512
be0419de336962c7672ffc623bca0f61c76f504f1697f69c92df9667298cf38a7105065b40d24a2128d6dc474e848d9e5d2deb964775b38526961b6242bb24e1

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\3o4pebi0.default-release\prefs-1.js
Filesize
6KB

MD5
2153c0823679ca1855d591730d7fb2ac

SHA1
35cf319eaa2e60dae0644fa599262627ad91280a

SHA256
177c62e2c9c0c5759b7724085578a6ab42865af2c832f2c0c4eeace56e93d6b0

SHA512
008d3584935080e0bff4d56b8cba85dc27f94116cfbf1d621c734403af882e5a8e844842e17971dc26aacb3f2d8652922bb7a94ea78df6b04747839a83e211f5

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\3o4pebi0.default-release\prefs-1.js
Filesize
7KB

MD5
544e8439a49010cfad82c97b9e931118

SHA1
e4c431f00f3eb8199a8a62a3df255a5d06fdd4fd

SHA256
f91a1bb1291b97f2f37f4f21003b1fdf0ba3455ed943850ac785c786a90341c8

SHA512
e983358e6828ec74d8a6d09c622340b8f73a9ab631800b44675369507a751914130ec068b80148fcc89d23744212893e2dca83b94f5b48293e62b445d5bfe66c

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\3o4pebi0.default-release\prefs-1.js
Filesize
7KB

MD5
76b24cb69e24f41a6c984e2bd9213993

SHA1
7404f603374c2f04e764fb26260b8a99be27b56a

SHA256
dc4a6925fb63cc417bbba7427feac3d3f112ee4e99ff63cd8a72d68cb0deb2ed

SHA512
1561974cc913e83bb2462a4350177925a285dc9a902a99975bf5d40cbcd85bc2b6a05537606941a0d401623aae10d2a9be595417dc4b41239c2125aef559c5b1

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\3o4pebi0.default-release\prefs-1.js
Filesize
7KB

MD5
a54189e4601f5cd4f7692b0b5302c4e0

SHA1
c76ae77d201596c2b77d298ce6e983a6520d6496

SHA256
c1d6c96753ea05bb3fd9fd141082a7ab92317f8e83a6593797c12b68b5220051

SHA512
f03cd1a647e9aad265d9970eaf5a1c54c23d589872d65b26db03bdb662dc0eacaed1203bf24660276293cd8521574dd1637b5b79fca5ed8abac1544b62d1fa5f

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\3o4pebi0.default-release\prefs-1.js
Filesize
7KB

MD5
97e26a4ee43b192d47c2b648d2cd6be0

SHA1
37276bd06f11e0fd1609f27c9fc824aa098ac89d

SHA256
137f0b790603963b2ae2cc3fb7c669fa6e582bdad025bf9338a756fac623ee06

SHA512
b8a3af7ba8c67e107d53023a6f8d56f7eca8b738eeb02e11d0b9fb02c37a00ef12e47ab98cd4fe3a1a5aff9d7d72bf300579230b56484d04865b836e45aa9eae

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\3o4pebi0.default-release\prefs-1.js
Filesize
7KB

MD5
fad2d564d0dd12917ac30dd7fd24994b

SHA1
e91ba114bb40f87df70e8db45c165138d5d53b81

SHA256
0688c415a210788f20a997529149c208e1fb4fe2563e7017bd7894075124396e

SHA512
d9e69271982b5125e54a4d1ac9f7d53f0392a034e9d7cbc56c9dbc2808e4fcdf4b482f37240a560f6df92a1f139e72a4d5fc64bf44e411423eecf24a420aeba4

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\3o4pebi0.default-release\prefs-1.js
Filesize
7KB

MD5
4af7fb4b1a94e6ef217f8483213f3f38

SHA1
6f275cde830ae065595b90ab63bea40b7bfebfe1

SHA256
1850a8481bd1c0ac89cc0715e1c26e7483350c88f7cfcaf417f18fbf17afe70c

SHA512
e3dbbd3e2be137b7fce0cf345a18c9f888bf32804e6886671b36f98d5aee240b6606e89e0a2ecf8c67b4d6283f82f72c330989c74b360dc7484c31a01e7ef2a8

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\3o4pebi0.default-release\prefs.js
Filesize
6KB

MD5
1984b45f201f1fd79d2154406648433b

SHA1
42f082dc6d4d43333688690bf4dfa7c7f8b618ab

SHA256
000a408519010d12b94281710f9a987f822093a1efb5293bbb50ca2e4a6a9df9

SHA512
e73a00cc8994d4023168e93ff5f5b6e6b13ffeb740872b64f565787cbb57e49e64eb03e4de1d8068a6f303f0615749fb27cb47bdbc4cef3fef1290bd3a3a17cc

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\3o4pebi0.default-release\sessionstore-backups\recovery.jsonlz4
Filesize
1KB

MD5
9ae9565178c66ebc36af0be8f6242e4b

SHA1
ff209c67b9f7aa41fd7f6707b18dc0a2c954f637

SHA256
417147d2193a74fef50c73662dcea2f5c207ebf3caa88dedfdb6749daa575dfe

SHA512
f17e32ad798d1ca0fe3ceb8c37fa6d21365be55e4f8bf243c198157ebfe8ac3514d131a4accbdfe7b7106a7cc1de947019389eca8f358328e4c3083d1e201213

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\3o4pebi0.default-release\sessionstore-backups\recovery.jsonlz4
Filesize
4KB

MD5
de31058189d02f6b719f124ec4a789d5

SHA1
d476ad7a638e005ed426558e634167ca3f4ad01c

SHA256
c334616641434cd327d55805cc49557626a16fefd673696a0879c2b053be7f24

SHA512
1d5546c9aae2458519d97461bd927986593f8c1c7c33f25992325547af9c3e8b6e34b2e8735131961cf29e99731a3028d8b3414fdd5c3d8144668c73613204f0

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\3o4pebi0.default-release\storage\default\https+++www.youtube.com\cache\morgue\181\{35eacd24-52f4-45bf-b3ed-42fff3ac50b5}.final
Filesize
64KB

MD5
e1f93f9cc564b5a227aa41b797261cb3

SHA1
98d500996d18d5d63ae3a35a2e81fb78176d691f

SHA256
54cdae72539f281a758826b0d190ad34eaad2829d339e1a2389337d369b1043a

SHA512
ae570fc5a69a7e3bc2f0ec194b3599a07acedf2ed5230581188c7bd7311c7b5a4793b93eaa936e1df3c17d0526efffedf4f5e97098a5cb372c53afa687d04e0d

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\3o4pebi0.default-release\storage\default\https+++www.youtube.com\cache\morgue\222\{c25831b6-d0da-4e26-acb1-9c9d2fff88de}.final
Filesize
3KB

MD5
e8e491e1dcc768f86b71aa60b91c7060

SHA1
6fa8482f3c026b84695dcb04a2e44b7ea402ad88

SHA256
6206bbfd1de4d41c6a86bee0b9d00c0ed06704f1fd3b2aced9e2203f54a1637f

SHA512
695324cc4bea3dd482809aa9ca59cdb2628a0462bc6a8d6988a8e683f69580694c9e05d140bd0661e9146a3432550968bd7daeb493da8218dc29a095fb5ccf87

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\3o4pebi0.default-release\storage\default\https+++www.youtube.com\idb\3211250388sbwdpsunsohintoatciif.sqlite
Filesize
48KB

MD5
659256863bfcd77193ee411c3fe555ea

SHA1
fb0bdda7a6e4683941ec7507ab50d42c9fa1f201

SHA256
4465ac24e375d0ca8a31e3c93762e8c9a1973c542cf7c054deeba8e724e0c3e9

SHA512
6b8477a402172efb9bdac0689abbc3678bbd035aab2a8f711650b24df40393d4a62407bfbb8ecff177002a450927bca433c490c549efceef8cf8869e3c894aa1

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\3o4pebi0.default-release\storage\default\https+++www.youtube.com\idb\3211250388sbwdpsunsohintoatciif.sqlite-wal
Filesize
40KB

MD5
382e7c8ad073761c2ee1ebc298c20c6a

SHA1
e1956e1aa7f435c8a23ee27b52ae99c581962bcb

SHA256
80d399e2bc1ecf65728ba7ce58e1f49c32c0cde296e4a8d08f63060ab3e22a9b

SHA512
5dcc3d42d14acf953b1206c49bd604a9bdd3f922ed46c59a6fa40c417d981b8c4c9330c702d5ee59de3f834adb5212fde58336fc35751373b5f878e3c8ddd089

Download Submit
C:\Users\Admin\Downloads\Frankenstein.cuv6FOhT.doc.part
Filesize
4KB

MD5
c5bd3449bbb45b0e84f26d6c5fe13139

SHA1
370ef56095b3c9a41a6a2384c261b4d5c6b13345

SHA256
53b005ad8531395b613c08ba15aca31c3a7f892e425f5c6c8849639d7a19c26a

SHA512
75c8a0a015b6ae8e08226d5a2272820a5fa56288e130d71a6c846bb0652037e246f05495044a7a2eac0615f48e41e4ec53e91b2e2d71d9fa1ac45c2dd33b0cdc

Download Submit
C:\Users\Admin\Downloads\FreeYoutubeDownloader.WB_VgAhE.exe.part
Filesize
10KB

MD5
7abf3f8eb113255f4ed618b151459531

SHA1
b17d541038cdaaef87b69bd0577c393e5a4a8454

SHA256
24579ca9fba1f2fc69d96a699a62008b200a8dfe80a3360f3483a785bf48d5ca

SHA512
7413cd699d4908b28ab8f2bf2bf6aef8135e0908d00b2106054656bf1a57be17a7b45a1cd96f1adadd8a9d665bce08dfd014b49a0018ffe4d437c792158b52d4

Download Submit
C:\Users\Admin\Downloads\IconDance.exe
Filesize
301KB

MD5
7ad8c84dea7bd1e9cbb888734db28961

SHA1
58e047c7abecdd31d4e3c937b0ee89c98ab06c6a

SHA256
a4b6e53453d1874a6f78f0d7aa14dfafba778062f4b85b42b4c1001e1fc17095

SHA512
d34b087f7c6dd224e9bfe7a24364f878fc55c5368ce7395349ca063a7fd9ac555baed8431bfa13c331d7e58108b34e0f9d84482ce2e133f623dd086f14345adb

Download Submit
C:\Users\Admin\Downloads\LoveYou.exe
Filesize
22KB

MD5
31420227141ade98a5a5228bf8e6a97d

SHA1
19329845635ebbc5c4026e111650d3ef42ab05ac

SHA256
1edc8771e2a1a70023fc9ddeb5a6bc950380224b75e8306eb70da8eb80cb5b71

SHA512
cbb18a6667b377eb68395cfd8df52b7d93c4554c3b5ab32c70e73b86e3dedb7949122fe8eea9530cd53944b45a1b699380bf1e9e5254af04d8409c594a52c0e7

Download Submit
C:\Users\Admin\Downloads\MEMZ.exe
Filesize
14KB

MD5
19dbec50735b5f2a72d4199c4e184960

SHA1
6fed7732f7cb6f59743795b2ab154a3676f4c822

SHA256
a3d5715a81f2fbeb5f76c88c9c21eeee87142909716472f911ff6950c790c24d

SHA512
aa8a6bbb1ec516d5d5acf8be6863a4c6c5d754cee12b3d374c3a6acb393376806edc422f0ffb661c210e5b9485da88521e4a0956a4b7b08a5467cfaacd90591d

Download Submit
C:\Users\Admin\Downloads\lcz_gwg8.bat.part
Filesize
454B

MD5
cb07aeb8b5213f3bb70262b309e343a4

SHA1
8c4461611d43fd2f13bd29f5d126a4c590c9c6c4

SHA256
024253cee01092ff61e1a4f9ed81626a8e86120a9a72eec271985b6f661d1389

SHA512
a7ce1ffdafbc500892dcdadb9651a6e1770e0f9202d72805fa7846a786950329a6b9926dc20f045796ba4b2de3f0ca5fa87c7f98f48fdf5e9217c9f9ed7043a2

Download Submit
C:\Users\Admin\Downloads\~WRD0000.tmp
Filesize
511KB

MD5
5d9ebf53d27e39be7a4694a6b302c159

SHA1
f02a67d2583d2b2698e994564a84029e1175c5c0

SHA256
c326ff25f0fe3fda1167090c7b3f9011f77d9dec2a3d5448050f271515627e26

SHA512
47dc50a8b4912670990755db985e55e3cc6929f203e79ac9743eadc2f1261fa6afde69534c6793b295dc606ef17e54781442162d522a88d239b95ae993d7a7da

Download Submit
C:\Windows\Free Youtube Downloader\Free Youtube Downloader\Free YouTube Downloader.exe
Filesize
153KB

MD5
f33a4e991a11baf336a2324f700d874d

SHA1
9da1891a164f2fc0a88d0de1ba397585b455b0f4

SHA256
a87524035509ff7aa277788e1a9485618665b7da35044d70c41ec0f118f3dfd7

SHA512
edf066968f31451e21c7c21d3f54b03fd5827a8526940c1e449aad7f99624577cbc6432deba49bb86e96ac275f5900dcef8d7623855eb3c808e084601ee1df20

Download Submit
\Device\NamedPipe\55EA4A7BE6A9318703D3CA7F57EB80756CA7E5CC399E8F1A680A9D6A669C9339F16FC891E09323758EAFC70253B50D4DAB400B0AD43B3C3D7D76075568276CCE
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
memory/3564-3369-0x000001AE21070000-0x000001AE21071000-memory.dmp

Filesize
4KB

Download
memory/4400-6455-0x0000000002060000-0x0000000002061000-memory.dmp

Filesize
4KB

Download
memory/4400-6552-0x0000000000400000-0x0000000000450000-memory.dmp

Filesize
320KB

Download
memory/4632-6028-0x00007FFB69F30000-0x00007FFB69F40000-memory.dmp

Filesize
64KB

Download
memory/4632-6029-0x00007FFB69F30000-0x00007FFB69F40000-memory.dmp

Filesize
64KB

Download
memory/4632-6031-0x00007FFB69F30000-0x00007FFB69F40000-memory.dmp

Filesize
64KB

Download
memory/4632-6032-0x00007FFB69F30000-0x00007FFB69F40000-memory.dmp

Filesize
64KB

Download
memory/4632-6043-0x00007FFB67A10000-0x00007FFB67A20000-memory.dmp

Filesize
64KB

Download
memory/4632-6049-0x00007FFB67A10000-0x00007FFB67A20000-memory.dmp

Filesize
64KB

Download
memory/4632-6387-0x00007FFB69F30000-0x00007FFB69F40000-memory.dmp

Filesize
64KB

Download
memory/4632-6030-0x00007FFB69F30000-0x00007FFB69F40000-memory.dmp

Filesize
64KB

Download
memory/4632-6388-0x00007FFB69F30000-0x00007FFB69F40000-memory.dmp

Filesize
64KB

Download
memory/4632-6390-0x00007FFB69F30000-0x00007FFB69F40000-memory.dmp

Filesize
64KB

Download
memory/4632-6389-0x00007FFB69F30000-0x00007FFB69F40000-memory.dmp

Filesize
64KB

Download
memory/5244-5749-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/5656-4202-0x000001DA03F30000-0x000001DA03F31000-memory.dmp

Filesize
4KB

Download
memory/5656-3932-0x000001DA03F30000-0x000001DA03F31000-memory.dmp

Filesize
4KB

Download
memory/6388-5860-0x000001FB59160000-0x000001FB59170000-memory.dmp

Filesize
64KB

Download
memory/6388-5859-0x000001FB59160000-0x000001FB59170000-memory.dmp

Filesize
64KB

Download
memory/6388-5761-0x000001FB59160000-0x000001FB59170000-memory.dmp

Filesize
64KB

Download
memory/6388-5762-0x000001FB59160000-0x000001FB59170000-memory.dmp

Filesize
64KB

Download
memory/6388-5750-0x000001FB3EB80000-0x000001FB3EBAE000-memory.dmp

Filesize
184KB

Download