Analysis
- max time kernel: 301s
- max time network: 296s
- platform: windows10-2004_x64
- resource: win10v2004-20230220-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20230220-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 03-04-2023 15:10
Static task
static1
Behavioral task
behavioral1
Sample
drweb-1.0-katana.exe
Resource
win10v2004-20230220-en
General
-
Target
drweb-1.0-katana.exe
-
Size
46.8MB
-
MD5
8acc7d1bd885d322e0906c48d66b5eac
-
SHA1
8dec2d7e07fd6eee855fe3d18d24cb81514f323c
-
SHA256
c04f2c02e34da7bed4800b45220f5831dec511da884f738c1e3321c18ef8c516
-
SHA512
32a94a49569e582b12a2a99c8030f01eae213ea11be0b6613e3d79c6f9dc3889c80d27b1fbdeb4edd4849be24c4cbda402026d5556de94090543effa34a3048c
-
SSDEEP
786432:MwtCRQ9ZTbV/sjEKj3STdBoFMDhSLF9MKIxEPT9cFRHRdDHtKC0owR:MmFlV/6EgAcFMhSJGKIxwJcF1RdDNKQg
Malware Config
Signatures
-
Drops file in Drivers directory 9 IoCs
Processes:
drwupsrv.exe, drwupsrv.exe, drwupsrv.exe
description | ioc | process
File created | C:\Windows\system32\drivers\dwsguard32.dll | drwupsrv.exe
File opened for modification | C:\Windows\system32\drivers\dwprot.sys | drwupsrv.exe
File opened for modification | C:\Windows\system32\drivers\dwsguard32.dll | drwupsrv.exe
File opened for modification | C:\Windows\system32\drivers\dwsguard64.dll | drwupsrv.exe
File created | C:\Windows\system32\drivers\dwprot.sys | drwupsrv.exe
File created | C:\Windows\system32\drivers\dwsguard64.dll | drwupsrv.exe
File opened for modification | C:\Windows\system32\drivers\dwsguard64.dll | drwupsrv.exe
File opened for modification | C:\Windows\system32\drivers\dwsguard32.dll | drwupsrv.exe
File opened for modification | C:\Windows\system32\drivers\dwprot.sys | drwupsrv.exe
-
Sets service image path in registry 2 TTPs 2 IoCs
Processes:
drweb-1.0-katana.exe, dwservice.exe
description | ioc | process
Set value (str) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\458E361A1AEF68EC\ImagePath = "\\??\\C:\\Users\\Admin\\AppData\\Local\\Temp\\F011A117.sys" | drweb-1.0-katana.exe
Set value (str) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\46ed3506198c6bf0\ImagePath = "\\??\\C:\\Windows\\TEMP\\1406153fc.sys" | dwservice.exe
-
Checks computer location settings 2 TTPs 2 IoCs
Looks up country code configured in the registry, likely geofence.
Processes:
drwupsrv.exe, katana-setup.exe
description | ioc | process
Key value queried | \REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000\Control Panel\International\Geo\Nation | drwupsrv.exe
Key value queried | \REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000\Control Panel\International\Geo\Nation | katana-setup.exe
-
Executes dropped EXE 11 IoCs
Processes:
katana-setup.exe, drwupsrv.exe, drwupsrv.exe, dwservice.exe, drwupsrv.exe, dwservice.exe, spideragent.exe, drwupsrv.exe, drwupsrv.exe, spideragent.exe, spideragent.exe
pid | process
4832 | katana-setup.exe
2556 | drwupsrv.exe
4032 | drwupsrv.exe
4336 | dwservice.exe
448 | drwupsrv.exe
2008 | dwservice.exe
4528 | spideragent.exe
1624 | drwupsrv.exe
3688 | drwupsrv.exe
1808 | spideragent.exe
2340 | spideragent.exe
-
Loads dropped DLL 2 IoCs
Processes:
dwservice.exe
pid | process
2008 | dwservice.exe
2008 | dwservice.exe
-
Adds Run key to start application 2 TTPs 6 IoCs
Processes:
drwupsrv.exe, drwupsrv.exe, drwupsrv.exe
description | ioc | process
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run | drwupsrv.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SpIDerAgent = "\"C:\\Program Files\\DrWeb\\spideragent.exe\"" | drwupsrv.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run | drwupsrv.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SpIDerAgent = "\"C:\\Program Files\\DrWeb\\spideragent.exe\"" | drwupsrv.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run | drwupsrv.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SpIDerAgent = "\"C:\\Program Files\\DrWeb\\spideragent.exe\"" | drwupsrv.exe
-
Checks for any installed AV software in registry 1 TTPs 43 IoCs
Processes:
spideragent.exe, drwupsrv.exe, drwupsrv.exe, dwservice.exe, drwupsrv.exe, drwupsrv.exe
description | ioc | process
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Doctor Web\InstalledComponents\ProductType | spideragent.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Doctor Web\InstalledComponents\DwProt = "1680542037" | drwupsrv.exe
Key opened | \REGISTRY\MACHINE\SOFTWARE\Doctor Web\InstalledComponents | drwupsrv.exe
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Doctor Web\InstalledComponents\InstallPath | drwupsrv.exe
Key opened | \REGISTRY\MACHINE\Software\Doctor Web\InstalledComponents | spideragent.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Doctor Web\InstalledComponents\ProductType = "KATANA" | drwupsrv.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Doctor Web\InstalledComponents\ProductMode = "standalone" | drwupsrv.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Doctor Web\InstalledComponents\ProductType = "KATANA" | drwupsrv.exe
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Doctor Web\InstalledComponents\AVRemoteControl | dwservice.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Doctor Web\InstalledComponents\ProductMode = "standalone" | drwupsrv.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Doctor Web\InstalledComponents\InstallPath = "C:\\Program Files\\DrWeb" | drwupsrv.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\DrWebAVService | dwservice.exe
Key opened | \REGISTRY\MACHINE\SOFTWARE\Doctor Web\InstalledComponents | drwupsrv.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Doctor Web\InstalledComponents | drwupsrv.exe
Key opened | \Registry\Machine\SOFTWARE\Doctor Web\InstalledComponents | dwservice.exe
Key opened | \REGISTRY\MACHINE\Software\Doctor Web\InstalledComponents | dwservice.exe
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Doctor Web\InstalledComponents\ProductVersion | dwservice.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Doctor Web\InstalledComponents | drwupsrv.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Doctor Web\InstalledComponents\ProductVersion = "1.0" | drwupsrv.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Doctor Web\InstalledComponents\DwProt = "1680542010" | drwupsrv.exe
Key value enumerated | \REGISTRY\MACHINE\SOFTWARE\Doctor Web\InstalledComponents | dwservice.exe
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Doctor Web\InstalledComponents\ProductMode | drwupsrv.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Doctor Web\InstalledComponents\ProductVersion = "1.0" | drwupsrv.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Doctor Web\InstalledComponents | drwupsrv.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Doctor Web\InstalledComponents\PreventiveProtection = "1680542008" | drwupsrv.exe
Key opened | \REGISTRY\MACHINE\SOFTWARE\Doctor Web\InstalledComponents | dwservice.exe
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Doctor Web\InstalledComponents\InstallPath | drwupsrv.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Doctor Web\InstalledComponents | drwupsrv.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Doctor Web\InstalledComponents\AvService = "1680542037" | drwupsrv.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Doctor Web\InstalledComponents\ProductMode = "standalone" | drwupsrv.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Doctor Web\InstalledComponents\DwProt = "1680542014" | drwupsrv.exe
Key opened | \REGISTRY\MACHINE\SOFTWARE\Doctor Web\InstalledComponents | drwupsrv.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Doctor Web\InstalledComponents\AvService = "1680542035" | drwupsrv.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Doctor Web\InstalledComponents\InstallPath = "C:\\Program Files\\DrWeb" | drwupsrv.exe
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Doctor Web\InstalledComponents\ProductType | dwservice.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Doctor Web\InstalledComponents\PreventiveProtection = "1680542035" | drwupsrv.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Doctor Web\InstalledComponents\RelType = "release" | drwupsrv.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Doctor Web\InstalledComponents\AvService = "1680542013" | drwupsrv.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Doctor Web\InstalledComponents\ProductVersion = "1.0" | drwupsrv.exe
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Doctor Web\InstalledComponents\ProductMode | dwservice.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Doctor Web\InstalledComponents\AvService = "1680542008" | drwupsrv.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Doctor Web\InstalledComponents\ProductType = "KATANA" | drwupsrv.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\DrWebAVService\Alias | dwservice.exe
-
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Writes to the Master Boot Record (MBR) 1 TTPs 5 IoCs
Bootkits write to the MBR to gain persistence at a level below the operating system.
Processes:
drwupsrv.exe, drwupsrv.exe, drwupsrv.exe, drwupsrv.exe, drwupsrv.exe
description | ioc | process
File opened for modification | \??\PhysicalDrive0 | drwupsrv.exe
File opened for modification | \??\PhysicalDrive0 | drwupsrv.exe
File opened for modification | \??\PhysicalDrive0 | drwupsrv.exe
File opened for modification | \??\PhysicalDrive0 | drwupsrv.exe
File opened for modification | \??\PhysicalDrive0 | drwupsrv.exe
-
Drops file in Program Files directory 64 IoCs
Processes:
drwupsrv.exedrwupsrv.exedrwupsrv.exedrwupsrv.exedrwupsrv.exedwservice.exedescription ioc process File created C:\Program Files\DrWeb\zh-drweb.dwl drwupsrv.exe File opened for modification C:\Program Files\DrWeb\dwqrlib64.dll drwupsrv.exe File created C:\PROGRA~3\DOCTOR~1\Updater\repo\90\products.xml.newer.cache;3d31d486128750a0bb45cf6460ff1c38dee69cae8093379c522bc651a1523658 drwupsrv.exe File opened for modification C:\PROGRA~3\DOCTOR~1\Updater\repo\90\av-service\9\revision.xml drwupsrv.exe File created C:\PROGRA~3\DOCTOR~1\Updater\repo\90\dwl\20230324160215.xml.cache;f34daaa80e6458e35fa9e9e242eba356a8c7fc272b0a23029be762a0496bfb09 drwupsrv.exe File opened for modification C:\PROGRA~3\DOCTOR~1\Logs\dwupdater.log drwupsrv.exe File opened for modification C:\Program Files\DrWeb\lang.lst drwupsrv.exe File opened for modification C:\Program Files\DrWeb\ru-drweb.dwl drwupsrv.exe File opened for modification C:\Program Files\DrWeb\it-drweb.dwl drwupsrv.exe File created C:\Program Files\DrWeb\pt-drweb.dwl drwupsrv.exe File created C:\Program Files\DrWeb\sk-drweb.dwl drwupsrv.exe File created C:\Program Files\DrWeb\tr-drweb.dwl drwupsrv.exe File opened for modification C:\Program Files\DrWeb\ccsdk.dll drwupsrv.exe File opened for modification C:\PROGRA~3\DOCTOR~1\Updater\repo\90\help\revisions.xml drwupsrv.exe File opened for modification C:\PROGRA~3\DOCTOR~1\Updater\repo\90\sysinfo\revisions.xml drwupsrv.exe File opened for modification C:\Program Files\DrWeb\spideragent.exe drwupsrv.exe File opened for modification C:\Program Files\DrWeb\lang.lst drwupsrv.exe File opened for modification C:\PROGRA~3\DOCTOR~1\Updater\repo\90\katana-setup\revisions.xml drwupsrv.exe File created C:\PROGRA~3\DOCTOR~1\Updater\etc\drwupsrv.xml.backup drwupsrv.exe File created C:\Program Files\DrWeb\dwqrlib64.dll drwupsrv.exe File created C:\Program Files\DrWeb\en-drweb.chm drwupsrv.exe File created C:\Program Files\DrWeb\en-drweb.chm drwupsrv.exe File opened for modification C:\Program 
Files\DrWeb\cs-drweb.dwl drwupsrv.exe File opened for modification C:\Program Files\DrWeb\cn-drweb.dwl drwupsrv.exe File opened for modification C:\Program Files\DrWeb\ja-drweb.dwl drwupsrv.exe File opened for modification C:\Program Files\DrWeb\cs-drweb.dwl drwupsrv.exe File created C:\PROGRA~3\DOCTOR~1\Updater\repo\90\katana-setup\9\20230324160215.xml.cache;77af4634899f3f318d541284b3c0897ceb807e906013dce211d479836b195f8c drwupsrv.exe File opened for modification C:\Program Files\DrWeb\lv-drweb.dwl drwupsrv.exe File opened for modification C:\PROGRA~3\DOCTOR~1\Logs\dwupdater.log drwupsrv.exe File created C:\PROGRA~3\DOCTOR~1\Updater\temp\drwzones.xml drwupsrv.exe File created C:\Program Files\DrWeb\ja-drweb.chm drwupsrv.exe File created C:\PROGRA~3\DOCTOR~1\Updater\repo\90\sysinfo\20230324160215.xml.cache;f34daaa80e6458e35fa9e9e242eba356a8c7fc272b0a23029be762a0496bfb09 drwupsrv.exe File opened for modification C:\PROGRA~3\DOCTOR~1\Updater\repo\90\dwl\9\revision.xml drwupsrv.exe File opened for modification C:\Program Files\DrWeb\ru-drweb.chm drwupsrv.exe File opened for modification C:\Program Files\DrWeb\dwsysinfo.dll drwupsrv.exe File created C:\PROGRA~3\DOCTOR~1\Updater\repo\90\av-service\9\20230324160215.xml.cache;0a278293566d84523d04c0a03d6c8214143465df2e2879774a97634b56a59887 drwupsrv.exe File created C:\PROGRA~3\DOCTOR~1\Updater\repo\90\spider-agent\9\20230324160215.xml.cache;9fabfdddac3817f46de1e83949db1a0c7cd16f27a06b49f9d940abf513a82584 drwupsrv.exe File opened for modification C:\Program Files\DrWeb\dwservice.exe drwupsrv.exe File opened for modification C:\Program Files\DrWeb\dwsysinfo.exe drwupsrv.exe File opened for modification C:\Program Files\DrWeb\kk-drweb.dwl drwupsrv.exe File created C:\Program Files\DrWeb\de-drweb.chm drwupsrv.exe File opened for modification C:\Program Files\DrWeb\it-drweb.dwl drwupsrv.exe File opened for modification C:\Program Files\DrWeb\ja-drweb.dwl drwupsrv.exe File created 
C:\PROGRA~3\DOCTOR~1\Updater\repo\90\av-service\20230324160215.xml.cache;f34daaa80e6458e35fa9e9e242eba356a8c7fc272b0a23029be762a0496bfb09 drwupsrv.exe File opened for modification C:\PROGRA~3\DOCTOR~1\Updater\repo\90\av-service\9\common\drwbase.db.lzma drwupsrv.exe File opened for modification C:\PROGRA~3\DOCTOR~1\Updater\repo\90\sysinfo\9\revision.xml drwupsrv.exe File created C:\Program Files\DrWeb\et-drweb.dwl drwupsrv.exe File opened for modification C:\Program Files\DrWeb\drwupsrv.exe drwupsrv.exe File created C:\Program Files\DrWeb\SL150221594.key dwservice.exe File created C:\PROGRA~3\DOCTOR~1\Updater\repo\repodb.xml drwupsrv.exe File opened for modification C:\PROGRA~3\DOCTOR~1\Logs\dwupdater.log drwupsrv.exe File opened for modification C:\PROGRA~3\DOCTOR~1\Updater\repo\90\cloud-client\9\revision.xml drwupsrv.exe File opened for modification C:\PROGRA~3\DOCTOR~1\Updater\repo\90\katana-setup\9\revision.xml drwupsrv.exe File opened for modification C:\Program Files\DrWeb\dwservice.exe drwupsrv.exe File opened for modification C:\Program Files\DrWeb\dwsysinfo.exe drwupsrv.exe File opened for modification C:\Program Files\DrWeb\uk-drweb.dwl drwupsrv.exe File opened for modification C:\Program Files\DrWeb\ru-drweb.dwl drwupsrv.exe File opened for modification C:\Program Files\DrWeb\fr-drweb.dwl drwupsrv.exe File created C:\PROGRA~3\DOCTOR~1\Updater\etc\drwupsrv.xml.backup drwupsrv.exe File opened for modification C:\PROGRA~3\DOCTOR~1\Updater\etc\drwupsrv.xml drwupsrv.exe File opened for modification C:\PROGRA~3\DOCTOR~1\Updater\etc\drwupsrv.xml drwupsrv.exe File created C:\PROGRA~3\DOCTOR~1\Updater\repo\90\cloud-client\9\20230324160215.xml.cache;b81be98239c162356e7e1bcc8b8d06c54b26f8518a20f88b2436168298553f53 drwupsrv.exe File opened for modification C:\Program Files\DrWeb\drwupsrv.exe drwupsrv.exe File opened for modification C:\Program Files\DrWeb\pl-drweb.dwl drwupsrv.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Checks SCSI registry key(s) 3 TTPs 5 IoCs
SCSI information is often read in order to detect sandboxing environments.
Processes:
vssvc.exedescription ioc process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters vssvc.exe Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters vssvc.exe Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr vssvc.exe Set value (data) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr\PartitionTableCache = 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 vssvc.exe Set value (data) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr\SnapshotDataCache = 534e41505041525401000000700000008ec7416a0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 vssvc.exe -
Checks processor information in registry 2 TTPs 2 IoCs
Processor information is often read in order to detect sandboxing environments.
Processes:
katana-setup.exe
description | ioc | process
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | katana-setup.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | katana-setup.exe
-
Processes:
spideragent.exe
description | ioc | process
Key created | \REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000\Software\Microsoft\Internet Explorer\GPU | spideragent.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000\SOFTWARE\Microsoft\Internet Explorer\GPU\AdapterInfo = "vendorId=\"0x1414\",deviceID=\"0x8c\",subSysID=\"0x0\",revision=\"0x0\",version=\"6.3.19041.546\"hypervisor=\"No Hypervisor (No SLAT)\"" | spideragent.exe
-
Modifies data under HKEY_USERS 5 IoCs
Processes:
dwservice.exe
description | ioc | process
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1" | dwservice.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1" | dwservice.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0" | dwservice.exe
Key created | \REGISTRY\USER\.DEFAULT\ | dwservice.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1" | dwservice.exe
-
Suspicious behavior: EnumeratesProcesses 60 IoCs
Processes:
katana-setup.exedrwupsrv.exedrwupsrv.exedrwupsrv.exedwservice.exedrwupsrv.exedrwupsrv.exepid process 4832 katana-setup.exe 4832 katana-setup.exe 4832 katana-setup.exe 4832 katana-setup.exe 4832 katana-setup.exe 4832 katana-setup.exe 4832 katana-setup.exe 4832 katana-setup.exe 4832 katana-setup.exe 4832 katana-setup.exe 4832 katana-setup.exe 4832 katana-setup.exe 4832 katana-setup.exe 4832 katana-setup.exe 4832 katana-setup.exe 4832 katana-setup.exe 4832 katana-setup.exe 4832 katana-setup.exe 4832 katana-setup.exe 4832 katana-setup.exe 4832 katana-setup.exe 4832 katana-setup.exe 4832 katana-setup.exe 4832 katana-setup.exe 4832 katana-setup.exe 4832 katana-setup.exe 4832 katana-setup.exe 4832 katana-setup.exe 4832 katana-setup.exe 4832 katana-setup.exe 4832 katana-setup.exe 4832 katana-setup.exe 4832 katana-setup.exe 4832 katana-setup.exe 2556 drwupsrv.exe 2556 drwupsrv.exe 2556 drwupsrv.exe 2556 drwupsrv.exe 4032 drwupsrv.exe 4032 drwupsrv.exe 4032 drwupsrv.exe 4032 drwupsrv.exe 448 drwupsrv.exe 448 drwupsrv.exe 448 drwupsrv.exe 448 drwupsrv.exe 2008 dwservice.exe 1624 drwupsrv.exe 1624 drwupsrv.exe 1624 drwupsrv.exe 1624 drwupsrv.exe 3688 drwupsrv.exe 3688 drwupsrv.exe 3688 drwupsrv.exe 3688 drwupsrv.exe 3688 drwupsrv.exe 3688 drwupsrv.exe 3688 drwupsrv.exe 3688 drwupsrv.exe 4832 katana-setup.exe -
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
Processes:
spideragent.exe
pid | process
1808 | spideragent.exe
-
Suspicious behavior: LoadsDriver 5 IoCs
Processes:
drweb-1.0-katana.exe, dwservice.exe
pid | process
544 | drweb-1.0-katana.exe
648 |
2008 | dwservice.exe
648 |
648 |
-
Suspicious use of AdjustPrivilegeToken 47 IoCs
Processes:
drweb-1.0-katana.exe, vssvc.exe, srtasks.exe, drwupsrv.exe, drwupsrv.exe, drwupsrv.exe, dwservice.exe, drwupsrv.exe, drwupsrv.exe, spideragent.exe, katana-setup.exe
description | pid | process
Token: SeDebugPrivilege | 544 | drweb-1.0-katana.exe
Token: SeLoadDriverPrivilege | 544 | drweb-1.0-katana.exe
Token: SeBackupPrivilege | 3188 | vssvc.exe
Token: SeRestorePrivilege | 3188 | vssvc.exe
Token: SeAuditPrivilege | 3188 | vssvc.exe
Token: SeBackupPrivilege | 4384 | srtasks.exe
Token: SeRestorePrivilege | 4384 | srtasks.exe
Token: SeSecurityPrivilege | 4384 | srtasks.exe
Token: SeTakeOwnershipPrivilege | 4384 | srtasks.exe
Token: SeBackupPrivilege | 4384 | srtasks.exe
Token: SeRestorePrivilege | 4384 | srtasks.exe
Token: SeSecurityPrivilege | 4384 | srtasks.exe
Token: SeTakeOwnershipPrivilege | 4384 | srtasks.exe
Token: SeTakeOwnershipPrivilege | 2556 | drwupsrv.exe
Token: SeSecurityPrivilege | 2556 | drwupsrv.exe
Token: SeBackupPrivilege | 2556 | drwupsrv.exe
Token: SeRestorePrivilege | 2556 | drwupsrv.exe
Token: SeMachineAccountPrivilege | 2556 | drwupsrv.exe
Token: SeTakeOwnershipPrivilege | 4032 | drwupsrv.exe
Token: SeSecurityPrivilege | 4032 | drwupsrv.exe
Token: SeBackupPrivilege | 4032 | drwupsrv.exe
Token: SeRestorePrivilege | 4032 | drwupsrv.exe
Token: SeMachineAccountPrivilege | 4032 | drwupsrv.exe
Token: SeTakeOwnershipPrivilege | 448 | drwupsrv.exe
Token: SeSecurityPrivilege | 448 | drwupsrv.exe
Token: SeBackupPrivilege | 448 | drwupsrv.exe
Token: SeRestorePrivilege | 448 | drwupsrv.exe
Token: SeMachineAccountPrivilege | 448 | drwupsrv.exe
Token: SeDebugPrivilege | 2008 | dwservice.exe
Token: SeTcbPrivilege | 2008 | dwservice.exe
Token: SeLoadDriverPrivilege | 2008 | dwservice.exe
Token: SeTakeOwnershipPrivilege | 1624 | drwupsrv.exe
Token: SeSecurityPrivilege | 1624 | drwupsrv.exe
Token: SeBackupPrivilege | 1624 | drwupsrv.exe
Token: SeRestorePrivilege | 1624 | drwupsrv.exe
Token: SeMachineAccountPrivilege | 1624 | drwupsrv.exe
Token: SeTakeOwnershipPrivilege | 3688 | drwupsrv.exe
Token: SeSecurityPrivilege | 3688 | drwupsrv.exe
Token: SeBackupPrivilege | 3688 | drwupsrv.exe
Token: SeRestorePrivilege | 3688 | drwupsrv.exe
Token: SeMachineAccountPrivilege | 3688 | drwupsrv.exe
Token: SeIncreaseQuotaPrivilege | 3688 | drwupsrv.exe
Token: SeAssignPrimaryTokenPrivilege | 3688 | drwupsrv.exe
Token: SeDebugPrivilege | 1808 | spideragent.exe
Token: SeTcbPrivilege | 4832 | katana-setup.exe
Token: SeIncreaseQuotaPrivilege | 4832 | katana-setup.exe
Token: SeAssignPrimaryTokenPrivilege | 4832 | katana-setup.exe
-
Suspicious use of FindShellTrayWindow 64 IoCs
Processes:
spideragent.exespideragent.exepid process 4528 spideragent.exe 4528 spideragent.exe 4528 spideragent.exe 1808 spideragent.exe 1808 spideragent.exe 1808 spideragent.exe 1808 spideragent.exe 1808 spideragent.exe 1808 spideragent.exe 1808 spideragent.exe 1808 spideragent.exe 1808 spideragent.exe 1808 spideragent.exe 1808 spideragent.exe 1808 spideragent.exe 1808 spideragent.exe 1808 spideragent.exe 1808 spideragent.exe 1808 spideragent.exe 1808 spideragent.exe 1808 spideragent.exe 1808 spideragent.exe 1808 spideragent.exe 1808 spideragent.exe 1808 spideragent.exe 1808 spideragent.exe 1808 spideragent.exe 1808 spideragent.exe 1808 spideragent.exe 1808 spideragent.exe 1808 spideragent.exe 1808 spideragent.exe 1808 spideragent.exe 1808 spideragent.exe 1808 spideragent.exe 1808 spideragent.exe 1808 spideragent.exe 1808 spideragent.exe 1808 spideragent.exe 1808 spideragent.exe 1808 spideragent.exe 1808 spideragent.exe 1808 spideragent.exe 1808 spideragent.exe 1808 spideragent.exe 1808 spideragent.exe 1808 spideragent.exe 1808 spideragent.exe 1808 spideragent.exe 1808 spideragent.exe 1808 spideragent.exe 1808 spideragent.exe 1808 spideragent.exe 1808 spideragent.exe 1808 spideragent.exe 1808 spideragent.exe 1808 spideragent.exe 1808 spideragent.exe 1808 spideragent.exe 1808 spideragent.exe 1808 spideragent.exe 1808 spideragent.exe 1808 spideragent.exe 1808 spideragent.exe -
Suspicious use of SendNotifyMessage 10 IoCs
Processes:
spideragent.exe, spideragent.exe
pid | process
4528 | spideragent.exe
4528 | spideragent.exe
1808 | spideragent.exe
1808 | spideragent.exe
1808 | spideragent.exe
1808 | spideragent.exe
1808 | spideragent.exe
1808 | spideragent.exe
1808 | spideragent.exe
1808 | spideragent.exe
-
Suspicious use of SetWindowsHookEx 3 IoCs
Processes:
spideragent.exe
pid | process
1808 | spideragent.exe
1808 | spideragent.exe
1808 | spideragent.exe
-
Suspicious use of WriteProcessMemory 21 IoCs
Processes:
drweb-1.0-katana.exe, katana-setup.exe, drwupsrv.exe, dwservice.exe, drwupsrv.exe
description | pid | process | target process
PID 544 wrote to memory of 4832 | 544 | drweb-1.0-katana.exe | katana-setup.exe
PID 544 wrote to memory of 4832 | 544 | drweb-1.0-katana.exe | katana-setup.exe
PID 544 wrote to memory of 4832 | 544 | drweb-1.0-katana.exe | katana-setup.exe
PID 4832 wrote to memory of 2556 | 4832 | katana-setup.exe | drwupsrv.exe
PID 4832 wrote to memory of 2556 | 4832 | katana-setup.exe | drwupsrv.exe
PID 4832 wrote to memory of 4032 | 4832 | katana-setup.exe | drwupsrv.exe
PID 4832 wrote to memory of 4032 | 4832 | katana-setup.exe | drwupsrv.exe
PID 4032 wrote to memory of 4336 | 4032 | drwupsrv.exe | dwservice.exe
PID 4032 wrote to memory of 4336 | 4032 | drwupsrv.exe | dwservice.exe
PID 4832 wrote to memory of 448 | 4832 | katana-setup.exe | drwupsrv.exe
PID 4832 wrote to memory of 448 | 4832 | katana-setup.exe | drwupsrv.exe
PID 4832 wrote to memory of 4528 | 4832 | katana-setup.exe | spideragent.exe
PID 4832 wrote to memory of 4528 | 4832 | katana-setup.exe | spideragent.exe
PID 2008 wrote to memory of 1624 | 2008 | dwservice.exe | drwupsrv.exe
PID 2008 wrote to memory of 1624 | 2008 | dwservice.exe | drwupsrv.exe
PID 2008 wrote to memory of 3688 | 2008 | dwservice.exe | drwupsrv.exe
PID 2008 wrote to memory of 3688 | 2008 | dwservice.exe | drwupsrv.exe
PID 3688 wrote to memory of 1808 | 3688 | drwupsrv.exe | spideragent.exe
PID 3688 wrote to memory of 1808 | 3688 | drwupsrv.exe | spideragent.exe
PID 4832 wrote to memory of 2340 | 4832 | katana-setup.exe | spideragent.exe
PID 4832 wrote to memory of 2340 | 4832 | katana-setup.exe | spideragent.exe
-
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
Processes
-
C:\Users\Admin\AppData\Local\Temp\drweb-1.0-katana.exe"C:\Users\Admin\AppData\Local\Temp\drweb-1.0-katana.exe"1⤵
- Sets service image path in registry
- Suspicious behavior: LoadsDriver
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\33D2F114-6619DD6A-3C1EFD66-C094200D\katana-setup.exe"C:\Users\Admin\AppData\Local\Temp\33D2F114-6619DD6A-3C1EFD66-C094200D\katana-setup.exe" /distribpath "C:\Users\Admin\AppData\Local\Temp\drweb-1.0-katana.exe"2⤵
- Checks computer location settings
- Executes dropped EXE
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\33D2F114-6619DD6A-3C1EFD66-C094200D\drwupsrv.exe"C:\Users\Admin\AppData\Local\Temp\33D2F114-6619DD6A-3C1EFD66-C094200D\drwupsrv.exe" -c add-product -p "DrWebAgent" -p "Help" -p "KatanaSetup" -p "Updater" --list "C:\ProgramData\Doctor Web\Updater\repo\90\products.xml" --merge --version=90 --rev=9 -a "C:\Program Files\DrWeb" -v debug3⤵
- Executes dropped EXE
- Writes to the Master Boot Record (MBR)
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\AppData\Local\Temp\33D2F114-6619DD6A-3C1EFD66-C094200D\drwupsrv.exe"C:\Users\Admin\AppData\Local\Temp\33D2F114-6619DD6A-3C1EFD66-C094200D\drwupsrv.exe" -r "C:\ProgramData\Doctor Web\Updater\repo" -c install -p "DrWebAgent" -p "Help" -p "KatanaSetup" -p "Updater" --disable-postupdate --param="distrib_version=1.0.8.06270" --param="en_help_file_name=en-drweb.chm" --param="en_help_lnk_name=Dr.Web Help (English).lnk" --param="estimated_size=108298" --param="install_date=20230403" --param="install_mode" --param="install_source=C:\Users\Admin\AppData\Local\Temp\33D2F114-6619DD6A-3C1EFD66-C094200D\katana-setup.exe" --param="installdir=C:\Program Files\DrWeb" --param="lang=en" --param="path_to_chached_distrib=C:\ProgramData\Doctor Web\Setup\drweb-katana\katana-setup.exe" --param="runbysetup" --param="sendStats=1" --param="startmenu_shortcut" --interactive -v debug -l3⤵
- Drops file in Drivers directory
- Checks computer location settings
- Executes dropped EXE
- Adds Run key to start application
- Checks for any installed AV software in registry
- Writes to the Master Boot Record (MBR)
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Program Files\DrWeb\dwservice.exe"C:\Program Files\DrWeb\dwservice.exe" --install -o "C:\ProgramData\Doctor Web\Logs\dwservice.log"4⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\33D2F114-6619DD6A-3C1EFD66-C094200D\drwupsrv.exe"C:\Users\Admin\AppData\Local\Temp\33D2F114-6619DD6A-3C1EFD66-C094200D\drwupsrv.exe" -p "DrWebAgent" -p "Help" -p "KatanaSetup" -p "Updater" -r "C:\ProgramData\Doctor Web\Updater\repo" -c postupdate --param="distrib_version=1.0.8.06270" --param="en_help_file_name=en-drweb.chm" --param="en_help_lnk_name=Dr.Web Help (English).lnk" --param="estimated_size=108298" --param="install_date=20230403" --param="install_mode" --param="install_source=C:\Users\Admin\AppData\Local\Temp\33D2F114-6619DD6A-3C1EFD66-C094200D\katana-setup.exe" --param="installdir=C:\Program Files\DrWeb" --param="lang=en" --param="path_to_chached_distrib=C:\ProgramData\Doctor Web\Setup\drweb-katana\katana-setup.exe" --param="runbysetup" --param="sendStats=1" --param="startmenu_shortcut" --interactive -v debug -l3⤵
- Drops file in Drivers directory
- Executes dropped EXE
- Adds Run key to start application
- Checks for any installed AV software in registry
- Writes to the Master Boot Record (MBR)
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Program Files\DrWeb\spideragent.exe"C:\Program Files\DrWeb\spideragent.exe" -register3⤵
- Executes dropped EXE
- Checks for any installed AV software in registry
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
-
C:\Program Files\DrWeb\spideragent.exe"C:\Program Files\DrWeb\spideragent.exe"3⤵
- Executes dropped EXE
-
C:\Windows\system32\vssvc.exeC:\Windows\system32\vssvc.exe1⤵
- Checks SCSI registry key(s)
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\srtasks.exeC:\Windows\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:21⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Program Files\DrWeb\dwservice.exe"C:\Program Files\DrWeb\dwservice.exe" --logfile="C:\ProgramData\Doctor Web\Logs\dwservice.log"1⤵
- Sets service image path in registry
- Executes dropped EXE
- Loads dropped DLL
- Checks for any installed AV software in registry
- Drops file in Program Files directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: LoadsDriver
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Program Files\DrWeb\drwupsrv.exe-c update --progress-to-console --disable-postupdate --dws9 --verbosity=info --protocol=http --type=update-revision --interactive --coutname=4005B26FB25989282⤵
- Executes dropped EXE
- Checks for any installed AV software in registry
- Writes to the Master Boot Record (MBR)
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Program Files\DrWeb\drwupsrv.exe-c postupdate --progress-to-console --dws9 --verbosity=info --interactive --coutname=A29CAA8FE3BD06FD2⤵
- Drops file in Drivers directory
- Executes dropped EXE
- Adds Run key to start application
- Checks for any installed AV software in registry
- Writes to the Master Boot Record (MBR)
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Program Files\DrWeb\spideragent.exe"C:\Program Files\DrWeb\spideragent.exe"3⤵
- Executes dropped EXE
- Modifies Internet Explorer settings
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads