Trojan.Siggen31.63831

Added to the Dr.Web virus database: 2025-10-17

Virus description added:

Technical Information

To ensure autorun and distribution
Creates or modifies the following files
  • <SYSTEM32>\tasks\drive
Malicious functions
To complicate detection of its presence in the operating system, adds an antivirus exclusion:
  • '<SYSTEM32>\windowspowershell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\','%APPDATA%','%LOCALAPPDATA%\Temp','C:\Program Files','%WINDIR%','%APPDATA%\Microsoft\Windows\Start Menu\Programs\Startup'
Searches for windows to detect analytical utilities:
  • ClassName: 'RegmonClass', WindowName: ''
  • ClassName: 'FilemonClass', WindowName: ''
  • ClassName: '', WindowName: 'File Monitor - Sysinternals: www.sysinternals.com'
  • ClassName: 'PROCMON_WINDOW_CLASS', WindowName: ''
  • ClassName: '', WindowName: 'Process Monitor - Sysinternals: www.sysinternals.com'
Modifies file system
Creates the following files
  • %TEMP%\_mei26402\vcruntime140.dll
  • %TEMP%\_mei26402\_bz2.pyd
  • %TEMP%\_mei26402\_ctypes.pyd
  • %TEMP%\_mei26402\_hashlib.pyd
  • %TEMP%\_mei26402\_lzma.pyd
  • %TEMP%\_mei26402\_queue.pyd
  • %TEMP%\_mei26402\_socket.pyd
  • %TEMP%\_mei26402\_ssl.pyd
  • %TEMP%\_mei26402\base_library.zip
  • %TEMP%\_mei26402\certifi\cacert.pem
  • %TEMP%\_mei26402\charset_normalizer\md.cp38-win_amd64.pyd
  • %TEMP%\_mei26402\charset_normalizer\md__mypyc.cp38-win_amd64.pyd
  • %TEMP%\_mei26402\libcrypto-1_1.dll
  • %TEMP%\_mei26402\libffi-7.dll
  • %TEMP%\_mei26402\libssl-1_1.dll
  • %TEMP%\_mei26402\payload\microsoft.web.webview2.core.dll
  • %TEMP%\_mei26402\payload\microsoft.web.webview2.winforms.dll
  • %TEMP%\_mei26402\payload\microsoft.web.webview2.wpf.dll
  • %TEMP%\_mei26402\payload\monaco\editor_1624ded314374931.html
  • %TEMP%\_mei26402\payload\monaco\combined.html
  • %TEMP%\_mei26402\payload\monaco\fileaccess\index.js
  • %TEMP%\_mei26402\payload\monaco\fileaccess\node_modules\accepts\index.js
  • %TEMP%\_mei26402\payload\monaco\fileaccess\node_modules\accepts\package.json
  • %TEMP%\_mei26402\payload\monaco\fileaccess\node_modules\array-flatten\array-flatten.js
  • %TEMP%\_mei26402\payload\monaco\fileaccess\node_modules\array-flatten\package.json
  • %TEMP%\_mei26402\payload\monaco\fileaccess\node_modules\body-parser\index.js
  • %TEMP%\_mei26402\payload\monaco\fileaccess\node_modules\body-parser\lib\read.js
  • %TEMP%\_mei26402\payload\monaco\fileaccess\node_modules\body-parser\lib\types\json.js
  • %TEMP%\_mei26402\payload\monaco\fileaccess\node_modules\body-parser\lib\types\raw.js
  • %TEMP%\_mei26402\payload\monaco\fileaccess\node_modules\body-parser\lib\types\text.js
  • %TEMP%\_mei26402\payload\monaco\fileaccess\node_modules\body-parser\lib\types\urlencoded.js
  • %TEMP%\_mei26402\payload\monaco\fileaccess\node_modules\body-parser\package.json
  • %TEMP%\_mei26402\payload\monaco\fileaccess\node_modules\bytes\index.js
  • %TEMP%\_mei26402\payload\monaco\fileaccess\node_modules\bytes\package.json
  • %TEMP%\_mei26402\payload\monaco\fileaccess\node_modules\call-bind\callbound.js
  • %TEMP%\_mei26402\payload\monaco\fileaccess\node_modules\call-bind\index.js
  • %TEMP%\_mei26402\payload\monaco\fileaccess\node_modules\call-bind\package.json
  • %TEMP%\_mei26402\payload\monaco\fileaccess\node_modules\content-disposition\index.js
  • %TEMP%\_mei26402\payload\monaco\fileaccess\node_modules\content-disposition\package.json
  • %TEMP%\_mei26402\payload\monaco\fileaccess\node_modules\content-type\index.js
  • %TEMP%\_mei26402\payload\monaco\fileaccess\node_modules\content-type\package.json
  • %TEMP%\_mei26402\payload\monaco\fileaccess\node_modules\cookie-signature\index.js
  • %TEMP%\_mei26402\payload\monaco\fileaccess\node_modules\cookie-signature\package.json
  • %TEMP%\_mei26402\payload\monaco\fileaccess\node_modules\cookie\index.js
  • %TEMP%\_mei26402\payload\monaco\fileaccess\node_modules\cookie\package.json
  • %TEMP%\_mei26402\payload\monaco\fileaccess\node_modules\debug\package.json
  • %TEMP%\_mei26402\payload\monaco\fileaccess\node_modules\debug\src\debug.js
  • %TEMP%\_mei26402\payload\monaco\fileaccess\node_modules\debug\src\index.js
  • %TEMP%\_mei26402\payload\monaco\fileaccess\node_modules\debug\src\node.js
  • %TEMP%\_mei26402\payload\monaco\fileaccess\node_modules\define-data-property\index.js
  • %TEMP%\_mei26402\payload\monaco\fileaccess\node_modules\define-data-property\package.json
  • %TEMP%\_mei26402\payload\monaco\fileaccess\node_modules\depd\index.js
  • %TEMP%\_mei26402\payload\monaco\fileaccess\node_modules\depd\package.json
  • %TEMP%\_mei26402\payload\monaco\fileaccess\node_modules\destroy\index.js
  • %TEMP%\_mei26402\payload\monaco\fileaccess\node_modules\destroy\package.json
  • %TEMP%\_mei26402\payload\monaco\fileaccess\node_modules\ee-first\index.js
  • %TEMP%\_mei26402\payload\monaco\fileaccess\node_modules\ee-first\package.json
  • %TEMP%\_mei26402\payload\monaco\fileaccess\node_modules\encodeurl\index.js
  • %TEMP%\_mei26402\payload\monaco\fileaccess\node_modules\encodeurl\package.json
  • %TEMP%\_mei26402\payload\monaco\fileaccess\node_modules\es-define-property\index.js
  • %TEMP%\_mei26402\payload\monaco\fileaccess\node_modules\es-define-property\package.json
  • %TEMP%\_mei26402\payload\monaco\fileaccess\node_modules\es-errors\eval.js
  • %TEMP%\_mei26402\payload\monaco\fileaccess\node_modules\es-errors\index.js
  • %TEMP%\_mei26402\payload\monaco\fileaccess\node_modules\es-errors\package.json
  • %TEMP%\_mei26402\payload\monaco\fileaccess\node_modules\es-errors\range.js
  • %TEMP%\_mei26402\payload\monaco\fileaccess\node_modules\es-errors\ref.js
  • %TEMP%\_mei26402\payload\monaco\fileaccess\node_modules\es-errors\syntax.js
  • %TEMP%\_mei26402\payload\monaco\fileaccess\node_modules\es-errors\type.js
  • %TEMP%\_mei26402\payload\monaco\fileaccess\node_modules\es-errors\uri.js
  • %TEMP%\_mei26402\payload\monaco\fileaccess\node_modules\escape-html\index.js
  • %TEMP%\_mei26402\payload\monaco\fileaccess\node_modules\escape-html\package.json
  • %TEMP%\_mei26402\payload\monaco\fileaccess\node_modules\etag\index.js
  • %TEMP%\_mei26402\payload\monaco\fileaccess\node_modules\etag\package.json
  • %TEMP%\_mei26402\payload\monaco\fileaccess\node_modules\express\index.js
  • %TEMP%\_mei26402\payload\monaco\fileaccess\node_modules\express\lib\application.js
  • %TEMP%\_mei26402\payload\monaco\fileaccess\node_modules\express\lib\express.js
  • %TEMP%\_mei26402\payload\monaco\fileaccess\node_modules\express\lib\middleware\init.js
  • %TEMP%\_mei26402\payload\monaco\fileaccess\node_modules\express\lib\middleware\query.js
  • %TEMP%\_mei26402\payload\monaco\fileaccess\node_modules\express\lib\request.js
  • %TEMP%\_mei26402\payload\monaco\fileaccess\node_modules\express\lib\response.js
  • %TEMP%\_mei26402\payload\monaco\fileaccess\node_modules\express\lib\router\index.js
  • %TEMP%\_mei26402\payload\monaco\fileaccess\node_modules\express\lib\router\layer.js
  • %TEMP%\_mei26402\payload\monaco\fileaccess\node_modules\express\lib\router\route.js
  • %TEMP%\_mei26402\payload\monaco\fileaccess\node_modules\express\lib\utils.js
  • %TEMP%\_mei26402\payload\monaco\fileaccess\node_modules\express\lib\view.js
  • %TEMP%\_mei26402\payload\monaco\fileaccess\node_modules\express\package.json
  • %TEMP%\_mei26402\payload\monaco\fileaccess\node_modules\finalhandler\index.js
  • %TEMP%\_mei26402\payload\monaco\fileaccess\node_modules\finalhandler\package.json
  • %TEMP%\_mei26402\payload\monaco\fileaccess\node_modules\forwarded\index.js
  • %TEMP%\_mei26402\payload\monaco\fileaccess\node_modules\forwarded\package.json
  • %TEMP%\_mei26402\payload\monaco\fileaccess\node_modules\fresh\index.js
  • %TEMP%\_mei26402\payload\monaco\fileaccess\node_modules\fresh\package.json
  • %TEMP%\_mei26402\payload\monaco\fileaccess\node_modules\function-bind\implementation.js
  • %TEMP%\_mei26402\payload\monaco\fileaccess\node_modules\function-bind\index.js
  • %TEMP%\_mei26402\payload\monaco\fileaccess\node_modules\function-bind\package.json
  • %TEMP%\_mei26402\payload\monaco\fileaccess\node_modules\get-intrinsic\index.js
  • %TEMP%\_mei26402\payload\monaco\fileaccess\node_modules\get-intrinsic\package.json
  • %TEMP%\_mei26402\payload\monaco\fileaccess\node_modules\gopd\index.js
  • %TEMP%\_mei26402\payload\monaco\fileaccess\node_modules\gopd\package.json
  • %TEMP%\_mei26402\payload\monaco\fileaccess\node_modules\has-property-descriptors\index.js
  • %TEMP%\_mei26402\payload\monaco\fileaccess\node_modules\has-property-descriptors\package.json
  • %TEMP%\_mei26402\payload\monaco\fileaccess\node_modules\has-proto\index.js
  • %TEMP%\_mei26402\payload\monaco\fileaccess\node_modules\has-proto\package.json
  • %TEMP%\_mei26402\payload\monaco\fileaccess\node_modules\has-symbols\index.js
  • %TEMP%\_mei26402\payload\monaco\fileaccess\node_modules\has-symbols\package.json
  • %TEMP%\_mei26402\payload\monaco\fileaccess\node_modules\has-symbols\shams.js
  • %TEMP%\_mei26402\payload\monaco\fileaccess\node_modules\hasown\index.js
  • %TEMP%\_mei26402\payload\monaco\fileaccess\node_modules\hasown\package.json
  • %TEMP%\_mei26402\payload\monaco\fileaccess\node_modules\http-errors\index.js
  • %TEMP%\_mei26402\payload\monaco\fileaccess\node_modules\http-errors\package.json
  • %TEMP%\_mei26402\payload\monaco\fileaccess\node_modules\iconv-lite\encodings\dbcs-codec.js
  • %TEMP%\_mei26402\payload\monaco\fileaccess\node_modules\iconv-lite\encodings\dbcs-data.js
  • %TEMP%\_mei26402\payload\monaco\fileaccess\node_modules\iconv-lite\encodings\index.js
  • %TEMP%\_mei26402\payload\monaco\fileaccess\node_modules\iconv-lite\encodings\internal.js
  • %TEMP%\_mei26402\payload\monaco\fileaccess\node_modules\iconv-lite\encodings\sbcs-codec.js
  • %TEMP%\_mei26402\payload\monaco\fileaccess\node_modules\iconv-lite\encodings\sbcs-data-generated.js
  • %TEMP%\_mei26402\payload\monaco\fileaccess\node_modules\iconv-lite\encodings\sbcs-data.js
  • %TEMP%\_mei26402\payload\monaco\fileaccess\node_modules\iconv-lite\encodings\utf16.js
  • %TEMP%\_mei26402\payload\monaco\fileaccess\node_modules\iconv-lite\encodings\utf7.js
  • %TEMP%\_mei26402\payload\monaco\fileaccess\node_modules\iconv-lite\lib\bom-handling.js
  • %TEMP%\_mei26402\payload\monaco\fileaccess\node_modules\iconv-lite\lib\extend-node.js
  • %TEMP%\_mei26402\payload\monaco\fileaccess\node_modules\iconv-lite\lib\index.js
  • %TEMP%\_mei26402\payload\monaco\fileaccess\node_modules\iconv-lite\lib\streams.js
  • %TEMP%\_mei26402\payload\monaco\fileaccess\node_modules\iconv-lite\package.json
  • %TEMP%\_mei26402\payload\monaco\fileaccess\node_modules\inherits\inherits.js
  • %TEMP%\_mei26402\payload\monaco\fileaccess\node_modules\inherits\package.json
  • %TEMP%\_mei26402\payload\monaco\fileaccess\node_modules\ipaddr.js\lib\ipaddr.js
  • %TEMP%\_mei26402\payload\monaco\fileaccess\node_modules\ipaddr.js\package.json
  • %TEMP%\_mei26402\payload\monaco\fileaccess\node_modules\media-typer\index.js
  • %TEMP%\_mei26402\payload\monaco\fileaccess\node_modules\media-typer\package.json
  • %TEMP%\_mei26402\payload\monaco\fileaccess\node_modules\merge-descriptors\index.js
  • %TEMP%\_mei26402\payload\monaco\fileaccess\node_modules\merge-descriptors\package.json
  • %TEMP%\_mei26402\payload\monaco\fileaccess\node_modules\methods\index.js
  • %TEMP%\_mei26402\payload\monaco\fileaccess\node_modules\methods\package.json
  • %TEMP%\_mei26402\payload\monaco\fileaccess\node_modules\mime-db\db.json
  • %TEMP%\_mei26402\payload\monaco\fileaccess\node_modules\mime-db\index.js
  • %TEMP%\_mei26402\payload\monaco\fileaccess\node_modules\mime-db\package.json
  • %TEMP%\_mei26402\payload\monaco\fileaccess\node_modules\mime-types\index.js
  • %TEMP%\_mei26402\payload\monaco\fileaccess\node_modules\mime-types\package.json
  • %TEMP%\_mei26402\payload\monaco\fileaccess\node_modules\mime\mime.js
  • %TEMP%\_mei26402\payload\monaco\fileaccess\node_modules\mime\package.json
  • %TEMP%\_mei26402\payload\monaco\fileaccess\node_modules\mime\types.json
  • %TEMP%\_mei26402\payload\monaco\fileaccess\node_modules\ms\index.js
  • %TEMP%\_mei26402\payload\monaco\fileaccess\node_modules\ms\package.json
  • %TEMP%\_mei26402\payload\monaco\fileaccess\node_modules\negotiator\index.js
  • %TEMP%\_mei26402\payload\monaco\fileaccess\node_modules\negotiator\lib\charset.js
  • %TEMP%\_mei26402\payload\monaco\fileaccess\node_modules\negotiator\lib\encoding.js
  • %TEMP%\_mei26402\payload\monaco\fileaccess\node_modules\negotiator\lib\language.js
  • %TEMP%\_mei26402\payload\monaco\fileaccess\node_modules\negotiator\lib\mediatype.js
  • %TEMP%\_mei26402\payload\monaco\fileaccess\node_modules\negotiator\package.json
  • %TEMP%\_mei26402\payload\monaco\fileaccess\node_modules\object-inspect\index.js
  • %TEMP%\_mei26402\payload\monaco\fileaccess\node_modules\object-inspect\package.json
  • %TEMP%\_mei26402\payload\monaco\fileaccess\node_modules\object-inspect\util.inspect.js
  • %TEMP%\_mei26402\payload\monaco\fileaccess\node_modules\on-finished\index.js
  • %TEMP%\_mei26402\payload\monaco\fileaccess\node_modules\on-finished\package.json
  • %TEMP%\_mei26402\payload\monaco\fileaccess\node_modules\parseurl\index.js
  • %TEMP%\_mei26402\payload\monaco\fileaccess\node_modules\parseurl\package.json
  • %TEMP%\_mei26402\payload\monaco\fileaccess\node_modules\path-to-regexp\index.js
  • %TEMP%\_mei26402\payload\monaco\fileaccess\node_modules\path-to-regexp\package.json
  • %TEMP%\_mei26402\payload\monaco\fileaccess\node_modules\proxy-addr\index.js
  • %TEMP%\_mei26402\payload\monaco\fileaccess\node_modules\proxy-addr\package.json
  • %TEMP%\_mei26402\payload\monaco\fileaccess\node_modules\qs\lib\formats.js
  • %TEMP%\_mei26402\payload\monaco\fileaccess\node_modules\qs\lib\index.js
  • %TEMP%\_mei26402\payload\monaco\fileaccess\node_modules\qs\lib\parse.js
  • %TEMP%\_mei26402\payload\monaco\fileaccess\node_modules\qs\lib\stringify.js
  • %TEMP%\_mei26402\payload\monaco\fileaccess\node_modules\qs\lib\utils.js
  • %TEMP%\_mei26402\payload\monaco\fileaccess\node_modules\qs\package.json
  • %TEMP%\_mei26402\payload\monaco\fileaccess\node_modules\range-parser\index.js
  • %TEMP%\_mei26402\payload\monaco\fileaccess\node_modules\range-parser\package.json
  • %TEMP%\_mei26402\payload\monaco\fileaccess\node_modules\raw-body\index.js
  • %TEMP%\_mei26402\payload\monaco\fileaccess\node_modules\raw-body\package.json
  • %TEMP%\_mei26402\payload\monaco\fileaccess\node_modules\safe-buffer\index.js
  • %TEMP%\_mei26402\payload\monaco\fileaccess\node_modules\safe-buffer\package.json
  • %TEMP%\_mei26402\payload\monaco\fileaccess\node_modules\safer-buffer\package.json
  • %TEMP%\_mei26402\payload\monaco\fileaccess\node_modules\safer-buffer\safer.js
  • %TEMP%\_mei26402\payload\monaco\fileaccess\node_modules\send\index.js
  • %TEMP%\_mei26402\payload\monaco\fileaccess\node_modules\send\node_modules\ms\index.js
  • %TEMP%\_mei26402\payload\monaco\fileaccess\node_modules\send\node_modules\ms\package.json
  • %TEMP%\_mei26402\payload\monaco\fileaccess\node_modules\send\package.json
  • %TEMP%\_mei26402\payload\monaco\fileaccess\node_modules\serve-static\index.js
  • %TEMP%\_mei26402\payload\monaco\fileaccess\node_modules\serve-static\package.json
  • %TEMP%\_mei26402\payload\monaco\fileaccess\node_modules\set-function-length\index.js
  • %TEMP%\_mei26402\payload\monaco\fileaccess\node_modules\set-function-length\package.json
  • %TEMP%\_mei26402\payload\monaco\fileaccess\node_modules\setprototypeof\index.js
  • %TEMP%\_mei26402\payload\monaco\fileaccess\node_modules\setprototypeof\package.json
  • %TEMP%\_mei26402\payload\monaco\fileaccess\node_modules\side-channel\index.js
  • %TEMP%\_mei26402\payload\monaco\fileaccess\node_modules\side-channel\package.json
  • %TEMP%\_mei26402\payload\monaco\fileaccess\node_modules\statuses\codes.json
  • %TEMP%\_mei26402\payload\monaco\fileaccess\node_modules\statuses\index.js
  • %TEMP%\_mei26402\payload\monaco\fileaccess\node_modules\statuses\package.json
  • %TEMP%\_mei26402\payload\monaco\fileaccess\node_modules\toidentifier\index.js
  • %TEMP%\_mei26402\payload\monaco\fileaccess\node_modules\toidentifier\package.json
  • %TEMP%\_mei26402\payload\monaco\fileaccess\node_modules\type-is\index.js
  • %TEMP%\_mei26402\payload\monaco\fileaccess\node_modules\type-is\package.json
  • %TEMP%\_mei26402\payload\monaco\fileaccess\node_modules\unpipe\index.js
  • %TEMP%\_mei26402\payload\monaco\fileaccess\node_modules\unpipe\package.json
  • %TEMP%\_mei26402\payload\monaco\fileaccess\node_modules\utils-merge\index.js
  • %TEMP%\_mei26402\payload\monaco\fileaccess\node_modules\utils-merge\package.json
  • %TEMP%\_mei26402\payload\monaco\fileaccess\node_modules\vary\index.js
  • %TEMP%\_mei26402\payload\monaco\fileaccess\node_modules\vary\package.json
  • %TEMP%\_mei26402\payload\monaco\fileaccess\package.json
  • %TEMP%\_mei26402\payload\monaco\index.html
  • %TEMP%\_mei26402\payload\monaco\vs\basic-languages\lua\lua.js
  • %TEMP%\_mei26402\payload\monaco\vs\editor\editor.main.css
  • %TEMP%\_mei26402\payload\monaco\vs\editor\editor.main.js
  • %TEMP%\_mei26402\payload\monaco\vs\editor\editor.main.nls.js
  • %TEMP%\_mei26402\payload\monaco\vs\loader.js
  • %TEMP%\_mei26402\payload\newtonsoft.json.dll
  • %TEMP%\_mei26402\payload\solarav3.dll
  • %TEMP%\_mei26402\payload\webview2loader.dll
  • %TEMP%\_mei26402\payload\wpf.ui.dll
  • %TEMP%\_mei26402\payload\bin\alga
  • %TEMP%\_mei26402\payload\bin\dlctbl_frts
  • %TEMP%\_mei26402\payload\bin\version.txt
  • %TEMP%\_mei26402\payload\drive.exe
  • %TEMP%\_mei26402\payload\install.exe
  • %TEMP%\_mei26402\payload\vcruntime140.dll
  • %TEMP%\_mei26402\payload\zlib.dll
  • %TEMP%\_mei26402\payload\zlib1.dll
  • %TEMP%\_mei26402\python38.dll
  • %TEMP%\_mei26402\select.pyd
  • %TEMP%\_mei26402\unicodedata.pyd
  • nul
  • C:\solaratab\script #0.lua
  • %TEMP%\zlp55lxo
  • %TEMP%\drive.exe
  • %TEMP%\_mei3802\vcruntime140.dll
  • %TEMP%\_mei3802\_bz2.pyd
  • %TEMP%\_mei3802\_ctypes.pyd
  • %TEMP%\_mei3802\_hashlib.pyd
  • %TEMP%\_mei3802\_lzma.pyd
  • %TEMP%\_mei3802\_queue.pyd
  • %TEMP%\_mei3802\_socket.pyd
  • %TEMP%\_mei3802\_ssl.pyd
  • %TEMP%\_mei3802\base_library.zip
  • %TEMP%\_mei3802\certifi\cacert.pem
  • %TEMP%\_mei3802\charset_normalizer\md.cp38-win_amd64.pyd
  • %TEMP%\_mei3802\charset_normalizer\md__mypyc.cp38-win_amd64.pyd
  • %TEMP%\_mei3802\libcrypto-1_1.dll
  • %TEMP%\_mei3802\libffi-7.dll
  • %TEMP%\_mei3802\libssl-1_1.dll
  • %TEMP%\_mei3802\python38.dll
  • %TEMP%\_mei3802\select.pyd
  • %TEMP%\_mei3802\unicodedata.pyd
Deletes the following files that it created itself
  • %TEMP%\zlp55lxo
  • %TEMP%\_mei26402\base_library.zip
  • %TEMP%\_mei26402\certifi\cacert.pem
  • %TEMP%\_mei26402\charset_normalizer\md.cp38-win_amd64.pyd
  • %TEMP%\_mei26402\charset_normalizer\md__mypyc.cp38-win_amd64.pyd
  • %TEMP%\_mei26402\libcrypto-1_1.dll
  • %TEMP%\_mei26402\libffi-7.dll
  • %TEMP%\_mei26402\libssl-1_1.dll
  • %TEMP%\_mei26402\payload\bin\alga
  • %TEMP%\_mei26402\payload\bin\dlctbl_frts
  • %TEMP%\_mei26402\payload\bin\version.txt
  • %TEMP%\_mei26402\payload\drive.exe
  • %TEMP%\_mei26402\payload\install.exe
  • %TEMP%\_mei26402\payload\microsoft.web.webview2.core.dll
  • %TEMP%\_mei26402\payload\microsoft.web.webview2.winforms.dll
  • %TEMP%\_mei26402\payload\microsoft.web.webview2.wpf.dll
  • %TEMP%\_mei26402\payload\monaco\combined.html
  • %TEMP%\_mei26402\payload\monaco\editor_1624ded314374931.html
  • %TEMP%\_mei26402\payload\monaco\fileaccess\index.js
  • %TEMP%\_mei26402\payload\monaco\fileaccess\node_modules\accepts\index.js
  • %TEMP%\_mei26402\payload\monaco\fileaccess\node_modules\accepts\package.json
  • %TEMP%\_mei26402\payload\monaco\fileaccess\node_modules\array-flatten\array-flatten.js
  • %TEMP%\_mei26402\payload\monaco\fileaccess\node_modules\array-flatten\package.json
  • %TEMP%\_mei26402\payload\monaco\fileaccess\node_modules\body-parser\index.js
  • %TEMP%\_mei26402\payload\monaco\fileaccess\node_modules\body-parser\lib\read.js
  • %TEMP%\_mei26402\payload\monaco\fileaccess\node_modules\body-parser\lib\types\json.js
  • %TEMP%\_mei26402\payload\monaco\fileaccess\node_modules\body-parser\lib\types\raw.js
  • %TEMP%\_mei26402\payload\monaco\fileaccess\node_modules\body-parser\lib\types\text.js
  • %TEMP%\_mei26402\payload\monaco\fileaccess\node_modules\body-parser\lib\types\urlencoded.js
  • %TEMP%\_mei26402\payload\monaco\fileaccess\node_modules\body-parser\package.json
  • %TEMP%\_mei26402\payload\monaco\fileaccess\node_modules\bytes\index.js
  • %TEMP%\_mei26402\payload\monaco\fileaccess\node_modules\bytes\package.json
  • %TEMP%\_mei26402\payload\monaco\fileaccess\node_modules\call-bind\callbound.js
  • %TEMP%\_mei26402\payload\monaco\fileaccess\node_modules\call-bind\index.js
  • %TEMP%\_mei26402\payload\monaco\fileaccess\node_modules\call-bind\package.json
  • %TEMP%\_mei26402\payload\monaco\fileaccess\node_modules\content-disposition\index.js
  • %TEMP%\_mei26402\payload\monaco\fileaccess\node_modules\content-disposition\package.json
  • %TEMP%\_mei26402\payload\monaco\fileaccess\node_modules\content-type\index.js
  • %TEMP%\_mei26402\payload\monaco\fileaccess\node_modules\content-type\package.json
  • %TEMP%\_mei26402\payload\monaco\fileaccess\node_modules\cookie\index.js
  • %TEMP%\_mei26402\payload\monaco\fileaccess\node_modules\cookie\package.json
  • %TEMP%\_mei26402\payload\monaco\fileaccess\node_modules\cookie-signature\index.js
  • %TEMP%\_mei26402\payload\monaco\fileaccess\node_modules\cookie-signature\package.json
  • %TEMP%\_mei26402\payload\monaco\fileaccess\node_modules\debug\package.json
  • %TEMP%\_mei26402\payload\monaco\fileaccess\node_modules\debug\src\debug.js
  • %TEMP%\_mei26402\payload\monaco\fileaccess\node_modules\debug\src\index.js
  • %TEMP%\_mei26402\payload\monaco\fileaccess\node_modules\debug\src\node.js
  • %TEMP%\_mei26402\payload\monaco\fileaccess\node_modules\define-data-property\index.js
  • %TEMP%\_mei26402\payload\monaco\fileaccess\node_modules\define-data-property\package.json
  • %TEMP%\_mei26402\payload\monaco\fileaccess\node_modules\depd\index.js
  • %TEMP%\_mei26402\payload\monaco\fileaccess\node_modules\depd\package.json
  • %TEMP%\_mei26402\payload\monaco\fileaccess\node_modules\destroy\index.js
  • %TEMP%\_mei26402\payload\monaco\fileaccess\node_modules\destroy\package.json
  • %TEMP%\_mei26402\payload\monaco\fileaccess\node_modules\ee-first\index.js
  • %TEMP%\_mei26402\payload\monaco\fileaccess\node_modules\ee-first\package.json
  • %TEMP%\_mei26402\payload\monaco\fileaccess\node_modules\encodeurl\index.js
  • %TEMP%\_mei26402\payload\monaco\fileaccess\node_modules\encodeurl\package.json
  • %TEMP%\_mei26402\payload\monaco\fileaccess\node_modules\es-define-property\index.js
  • %TEMP%\_mei26402\payload\monaco\fileaccess\node_modules\es-define-property\package.json
  • %TEMP%\_mei26402\payload\monaco\fileaccess\node_modules\es-errors\eval.js
  • %TEMP%\_mei26402\payload\monaco\fileaccess\node_modules\es-errors\index.js
  • %TEMP%\_mei26402\payload\monaco\fileaccess\node_modules\es-errors\package.json
  • %TEMP%\_mei26402\payload\monaco\fileaccess\node_modules\es-errors\range.js
  • %TEMP%\_mei26402\payload\monaco\fileaccess\node_modules\es-errors\ref.js
  • %TEMP%\_mei26402\payload\monaco\fileaccess\node_modules\es-errors\syntax.js
  • %TEMP%\_mei26402\payload\monaco\fileaccess\node_modules\es-errors\type.js
  • %TEMP%\_mei26402\payload\monaco\fileaccess\node_modules\es-errors\uri.js
  • %TEMP%\_mei26402\payload\monaco\fileaccess\node_modules\escape-html\index.js
  • %TEMP%\_mei26402\payload\monaco\fileaccess\node_modules\escape-html\package.json
  • %TEMP%\_mei26402\payload\monaco\fileaccess\node_modules\etag\index.js
  • %TEMP%\_mei26402\payload\monaco\fileaccess\node_modules\etag\package.json
  • %TEMP%\_mei26402\payload\monaco\fileaccess\node_modules\express\index.js
  • %TEMP%\_mei26402\payload\monaco\fileaccess\node_modules\express\lib\application.js
  • %TEMP%\_mei26402\payload\monaco\fileaccess\node_modules\express\lib\express.js
  • %TEMP%\_mei26402\payload\monaco\fileaccess\node_modules\express\lib\middleware\init.js
  • %TEMP%\_mei26402\payload\monaco\fileaccess\node_modules\express\lib\middleware\query.js
  • %TEMP%\_mei26402\payload\monaco\fileaccess\node_modules\express\lib\request.js
  • %TEMP%\_mei26402\payload\monaco\fileaccess\node_modules\express\lib\response.js
  • %TEMP%\_mei26402\payload\monaco\fileaccess\node_modules\express\lib\router\index.js
  • %TEMP%\_mei26402\payload\monaco\fileaccess\node_modules\express\lib\router\layer.js
  • %TEMP%\_mei26402\payload\monaco\fileaccess\node_modules\express\lib\router\route.js
  • %TEMP%\_mei26402\payload\monaco\fileaccess\node_modules\express\lib\utils.js
  • %TEMP%\_mei26402\payload\monaco\fileaccess\node_modules\express\lib\view.js
  • %TEMP%\_mei26402\payload\monaco\fileaccess\node_modules\express\package.json
  • %TEMP%\_mei26402\payload\monaco\fileaccess\node_modules\finalhandler\index.js
  • %TEMP%\_mei26402\payload\monaco\fileaccess\node_modules\finalhandler\package.json
  • %TEMP%\_mei26402\payload\monaco\fileaccess\node_modules\forwarded\index.js
  • %TEMP%\_mei26402\payload\monaco\fileaccess\node_modules\forwarded\package.json
  • %TEMP%\_mei26402\payload\monaco\fileaccess\node_modules\fresh\index.js
  • %TEMP%\_mei26402\payload\monaco\fileaccess\node_modules\fresh\package.json
  • %TEMP%\_mei26402\payload\monaco\fileaccess\node_modules\function-bind\implementation.js
  • %TEMP%\_mei26402\payload\monaco\fileaccess\node_modules\function-bind\index.js
  • %TEMP%\_mei26402\payload\monaco\fileaccess\node_modules\function-bind\package.json
  • %TEMP%\_mei26402\payload\monaco\fileaccess\node_modules\get-intrinsic\index.js
  • %TEMP%\_mei26402\payload\monaco\fileaccess\node_modules\get-intrinsic\package.json
  • %TEMP%\_mei26402\payload\monaco\fileaccess\node_modules\gopd\index.js
  • %TEMP%\_mei26402\payload\monaco\fileaccess\node_modules\gopd\package.json
  • %TEMP%\_mei26402\payload\monaco\fileaccess\node_modules\has-property-descriptors\index.js
  • %TEMP%\_mei26402\payload\monaco\fileaccess\node_modules\has-property-descriptors\package.json
  • %TEMP%\_mei26402\payload\monaco\fileaccess\node_modules\has-proto\index.js
  • %TEMP%\_mei26402\payload\monaco\fileaccess\node_modules\has-proto\package.json
  • %TEMP%\_mei26402\payload\monaco\fileaccess\node_modules\has-symbols\index.js
  • %TEMP%\_mei26402\payload\monaco\fileaccess\node_modules\has-symbols\package.json
  • %TEMP%\_mei26402\payload\monaco\fileaccess\node_modules\has-symbols\shams.js
  • %TEMP%\_mei26402\payload\monaco\fileaccess\node_modules\hasown\index.js
  • %TEMP%\_mei26402\payload\monaco\fileaccess\node_modules\hasown\package.json
  • %TEMP%\_mei26402\payload\monaco\fileaccess\node_modules\http-errors\index.js
  • %TEMP%\_mei26402\payload\monaco\fileaccess\node_modules\http-errors\package.json
  • %TEMP%\_mei26402\payload\monaco\fileaccess\node_modules\iconv-lite\encodings\dbcs-codec.js
  • %TEMP%\_mei26402\payload\monaco\fileaccess\node_modules\iconv-lite\encodings\dbcs-data.js
  • %TEMP%\_mei26402\payload\monaco\fileaccess\node_modules\iconv-lite\encodings\index.js
  • %TEMP%\_mei26402\payload\monaco\fileaccess\node_modules\iconv-lite\encodings\internal.js
  • %TEMP%\_mei26402\payload\monaco\fileaccess\node_modules\iconv-lite\encodings\sbcs-codec.js
  • %TEMP%\_mei26402\payload\monaco\fileaccess\node_modules\iconv-lite\encodings\sbcs-data-generated.js
  • %TEMP%\_mei26402\payload\monaco\fileaccess\node_modules\iconv-lite\encodings\sbcs-data.js
  • %TEMP%\_mei26402\payload\monaco\fileaccess\node_modules\iconv-lite\encodings\utf16.js
  • %TEMP%\_mei26402\payload\monaco\fileaccess\node_modules\iconv-lite\encodings\utf7.js
  • %TEMP%\_mei26402\payload\monaco\fileaccess\node_modules\iconv-lite\lib\bom-handling.js
  • %TEMP%\_mei26402\payload\monaco\fileaccess\node_modules\iconv-lite\lib\extend-node.js
  • %TEMP%\_mei26402\payload\monaco\fileaccess\node_modules\iconv-lite\lib\index.js
  • %TEMP%\_mei26402\payload\monaco\fileaccess\node_modules\iconv-lite\lib\streams.js
  • %TEMP%\_mei26402\payload\monaco\fileaccess\node_modules\iconv-lite\package.json
  • %TEMP%\_mei26402\payload\monaco\fileaccess\node_modules\inherits\inherits.js
  • %TEMP%\_mei26402\payload\monaco\fileaccess\node_modules\inherits\package.json
  • %TEMP%\_mei26402\payload\monaco\fileaccess\node_modules\ipaddr.js\lib\ipaddr.js
  • %TEMP%\_mei26402\payload\monaco\fileaccess\node_modules\ipaddr.js\package.json
  • %TEMP%\_mei26402\payload\monaco\fileaccess\node_modules\media-typer\index.js
  • %TEMP%\_mei26402\payload\monaco\fileaccess\node_modules\media-typer\package.json
  • %TEMP%\_mei26402\payload\monaco\fileaccess\node_modules\merge-descriptors\index.js
  • %TEMP%\_mei26402\payload\monaco\fileaccess\node_modules\merge-descriptors\package.json
  • %TEMP%\_mei26402\payload\monaco\fileaccess\node_modules\methods\index.js
  • %TEMP%\_mei26402\payload\monaco\fileaccess\node_modules\methods\package.json
  • %TEMP%\_mei26402\payload\monaco\fileaccess\node_modules\mime\mime.js
  • %TEMP%\_mei26402\payload\monaco\fileaccess\node_modules\mime\package.json
  • %TEMP%\_mei26402\payload\monaco\fileaccess\node_modules\mime\types.json
  • %TEMP%\_mei26402\payload\monaco\fileaccess\node_modules\mime-db\db.json
  • %TEMP%\_mei26402\payload\monaco\fileaccess\node_modules\mime-db\index.js
  • %TEMP%\_mei26402\payload\monaco\fileaccess\node_modules\mime-db\package.json
  • %TEMP%\_mei26402\payload\monaco\fileaccess\node_modules\mime-types\index.js
  • %TEMP%\_mei26402\payload\monaco\fileaccess\node_modules\mime-types\package.json
  • %TEMP%\_mei26402\payload\monaco\fileaccess\node_modules\ms\index.js
  • %TEMP%\_mei26402\payload\monaco\fileaccess\node_modules\ms\package.json
  • %TEMP%\_mei26402\payload\monaco\fileaccess\node_modules\negotiator\index.js
  • %TEMP%\_mei26402\payload\monaco\fileaccess\node_modules\negotiator\lib\charset.js
  • %TEMP%\_mei26402\payload\monaco\fileaccess\node_modules\negotiator\lib\encoding.js
  • %TEMP%\_mei26402\payload\monaco\fileaccess\node_modules\negotiator\lib\language.js
  • %TEMP%\_mei26402\payload\monaco\fileaccess\node_modules\negotiator\lib\mediatype.js
  • %TEMP%\_mei26402\payload\monaco\fileaccess\node_modules\negotiator\package.json
  • %TEMP%\_mei26402\payload\monaco\fileaccess\node_modules\object-inspect\index.js
  • %TEMP%\_mei26402\payload\monaco\fileaccess\node_modules\object-inspect\package.json
  • %TEMP%\_mei26402\payload\monaco\fileaccess\node_modules\object-inspect\util.inspect.js
  • %TEMP%\_mei26402\payload\monaco\fileaccess\node_modules\on-finished\index.js
  • %TEMP%\_mei26402\payload\monaco\fileaccess\node_modules\on-finished\package.json
  • %TEMP%\_mei26402\payload\monaco\fileaccess\node_modules\parseurl\index.js
  • %TEMP%\_mei26402\payload\monaco\fileaccess\node_modules\parseurl\package.json
  • %TEMP%\_mei26402\payload\monaco\fileaccess\node_modules\path-to-regexp\index.js
  • %TEMP%\_mei26402\payload\monaco\fileaccess\node_modules\path-to-regexp\package.json
  • %TEMP%\_mei26402\payload\monaco\fileaccess\node_modules\proxy-addr\index.js
  • %TEMP%\_mei26402\payload\monaco\fileaccess\node_modules\proxy-addr\package.json
  • %TEMP%\_mei26402\payload\monaco\fileaccess\node_modules\qs\lib\formats.js
  • %TEMP%\_mei26402\payload\monaco\fileaccess\node_modules\qs\lib\index.js
  • %TEMP%\_mei26402\payload\monaco\fileaccess\node_modules\qs\lib\parse.js
  • %TEMP%\_mei26402\payload\monaco\fileaccess\node_modules\qs\lib\stringify.js
  • %TEMP%\_mei26402\payload\monaco\fileaccess\node_modules\qs\lib\utils.js
  • %TEMP%\_mei26402\payload\monaco\fileaccess\node_modules\qs\package.json
  • %TEMP%\_mei26402\payload\monaco\fileaccess\node_modules\range-parser\index.js
  • %TEMP%\_mei26402\payload\monaco\fileaccess\node_modules\range-parser\package.json
  • %TEMP%\_mei26402\payload\monaco\fileaccess\node_modules\raw-body\index.js
  • %TEMP%\_mei26402\payload\monaco\fileaccess\node_modules\raw-body\package.json
  • %TEMP%\_mei26402\payload\monaco\fileaccess\node_modules\safe-buffer\index.js
  • %TEMP%\_mei26402\payload\monaco\fileaccess\node_modules\safe-buffer\package.json
  • %TEMP%\_mei26402\payload\monaco\fileaccess\node_modules\safer-buffer\package.json
  • %TEMP%\_mei26402\payload\monaco\fileaccess\node_modules\safer-buffer\safer.js
  • %TEMP%\_mei26402\payload\monaco\fileaccess\node_modules\send\index.js
  • %TEMP%\_mei26402\payload\monaco\fileaccess\node_modules\send\node_modules\ms\index.js
  • %TEMP%\_mei26402\payload\monaco\fileaccess\node_modules\send\node_modules\ms\package.json
  • %TEMP%\_mei26402\payload\monaco\fileaccess\node_modules\send\package.json
  • %TEMP%\_mei26402\payload\monaco\fileaccess\node_modules\serve-static\index.js
  • %TEMP%\_mei26402\payload\monaco\fileaccess\node_modules\serve-static\package.json
  • %TEMP%\_mei26402\payload\monaco\fileaccess\node_modules\set-function-length\index.js
  • %TEMP%\_mei26402\payload\monaco\fileaccess\node_modules\set-function-length\package.json
  • %TEMP%\_mei26402\payload\monaco\fileaccess\node_modules\setprototypeof\index.js
  • %TEMP%\_mei26402\payload\monaco\fileaccess\node_modules\setprototypeof\package.json
  • %TEMP%\_mei26402\payload\monaco\fileaccess\node_modules\side-channel\index.js
  • %TEMP%\_mei26402\payload\monaco\fileaccess\node_modules\side-channel\package.json
  • %TEMP%\_mei26402\payload\monaco\fileaccess\node_modules\statuses\codes.json
  • %TEMP%\_mei26402\payload\monaco\fileaccess\node_modules\statuses\index.js
  • %TEMP%\_mei26402\payload\monaco\fileaccess\node_modules\statuses\package.json
  • %TEMP%\_mei26402\payload\monaco\fileaccess\node_modules\toidentifier\index.js
  • %TEMP%\_mei26402\payload\monaco\fileaccess\node_modules\toidentifier\package.json
  • %TEMP%\_mei26402\payload\monaco\fileaccess\node_modules\type-is\index.js
  • %TEMP%\_mei26402\payload\monaco\fileaccess\node_modules\type-is\package.json
  • %TEMP%\_mei26402\payload\monaco\fileaccess\node_modules\unpipe\index.js
  • %TEMP%\_mei26402\payload\monaco\fileaccess\node_modules\unpipe\package.json
  • %TEMP%\_mei26402\payload\monaco\fileaccess\node_modules\utils-merge\index.js
  • %TEMP%\_mei26402\payload\monaco\fileaccess\node_modules\utils-merge\package.json
  • %TEMP%\_mei26402\payload\monaco\fileaccess\node_modules\vary\index.js
  • %TEMP%\_mei26402\payload\monaco\fileaccess\node_modules\vary\package.json
  • %TEMP%\_mei26402\payload\monaco\fileaccess\package.json
  • %TEMP%\_mei26402\payload\monaco\index.html
  • %TEMP%\_mei26402\payload\monaco\vs\basic-languages\lua\lua.js
  • %TEMP%\_mei26402\payload\monaco\vs\editor\editor.main.css
  • %TEMP%\_mei26402\payload\monaco\vs\editor\editor.main.js
  • %TEMP%\_mei26402\payload\monaco\vs\editor\editor.main.nls.js
  • %TEMP%\_mei26402\payload\monaco\vs\loader.js
  • %TEMP%\_mei26402\payload\newtonsoft.json.dll
  • %TEMP%\_mei26402\payload\solarav3.dll
  • %TEMP%\_mei26402\payload\vcruntime140.dll
  • %TEMP%\_mei26402\payload\webview2loader.dll
  • %TEMP%\_mei26402\payload\wpf.ui.dll
  • %TEMP%\_mei26402\payload\zlib.dll
  • %TEMP%\_mei26402\payload\zlib1.dll
  • %TEMP%\_mei26402\python38.dll
  • %TEMP%\_mei26402\select.pyd
  • %TEMP%\_mei26402\unicodedata.pyd
Network activity
Connects to
  • 'ge###lara.dev':443
  • 'cl######ttings.roblox.com':443
  • '1.#.1.1':53
TCP
Other
  • 'ge###lara.dev':443
  • 'cl######ttings.roblox.com':443
UDP
  • DNS ASK ge###lara.dev
  • DNS ASK cl######ttings.roblox.com
Miscellaneous
Searches for the following windows
  • ClassName: 'Registry Monitor - Sysinternals: www.sysinternals.com' WindowName: ''
  • ClassName: '18467-41' WindowName: ''
Creates and executes the following
  • '%TEMP%\_mei26402\payload\install.exe'
  • '%TEMP%\drive.exe'
Restarts the analyzed sample
Executes the following
  • '<SYSTEM32>\cmd.exe' /c "reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Security Center" /v "AntiVirusDisableNotify" /t REG_DWORD /d 1 /f"
  • '<SYSTEM32>\reg.exe' add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Security Center" /v "AntiVirusDisableNotify" /t REG_DWORD /d 1 /f
  • '<SYSTEM32>\cmd.exe' /c "reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Security Center" /v "FirewallDisableNotify" /t REG_DWORD /d 1 /f"
  • '<SYSTEM32>\reg.exe' add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Security Center" /v "FirewallDisableNotify" /t REG_DWORD /d 1 /f
  • '<SYSTEM32>\cmd.exe' /c "reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Security Center" /v "UpdatesDisableNotify" /t REG_DWORD /d 1 /f"
  • '<SYSTEM32>\reg.exe' add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Security Center" /v "UpdatesDisableNotify" /t REG_DWORD /d 1 /f
  • '<SYSTEM32>\cmd.exe' /c "powershell Add-MpPreference -ExclusionPath 'C:\','%APPDATA%','%LOCALAPPDATA%\Temp','C:\Program Files','%WINDIR%','%APPDATA%\Microsoft\Windows\Start Menu\Programs\Startup'"
  • '<SYSTEM32>\schtasks.exe' /Delete /TN drive /F
  • '<SYSTEM32>\cmd.exe' /c "schtasks /Create /SC ONLOGON /TN drive /TR \"%TEMP%\drive.exe\" /RL HIGHEST /F"
  • '<SYSTEM32>\schtasks.exe' /Create /SC ONLOGON /TN drive /TR \"%TEMP%\drive.exe\" /RL HIGHEST /F
  • '<SYSTEM32>\cmd.exe' /c "reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Security Center" /v "AntiVirusDisableNotify" /t REG_DWORD /d 1 /f"' (with hidden window)
  • '<SYSTEM32>\cmd.exe' /c "reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Security Center" /v "FirewallDisableNotify" /t REG_DWORD /d 1 /f"' (with hidden window)
  • '<SYSTEM32>\cmd.exe' /c "reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Security Center" /v "UpdatesDisableNotify" /t REG_DWORD /d 1 /f"' (with hidden window)
  • '<SYSTEM32>\cmd.exe' /c "powershell Add-MpPreference -ExclusionPath 'C:\','%APPDATA%','%LOCALAPPDATA%\Temp','C:\Program Files','%WINDIR%','%APPDATA%\Microsoft\Windows\Start Menu\Programs\Startup'"' (with hidden window)
  • '<SYSTEM32>\cmd.exe' /c "schtasks /Create /SC ONLOGON /TN drive /TR \"%TEMP%\drive.exe\" /RL HIGHEST /F"' (with hidden window)
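The command lines above are the sample's own. What follows is an added PowerShell triage script, not Dr.Web's code and not part of the sample, that checks a host for the same artefacts and removes them when run with -Remediate: the six Defender exclusion paths passed to Add-MpPreference, the three Security Center notification values written with reg add, the 'drive' logon task with RunLevel HIGHEST, %TEMP%\drive.exe, and the %TEMP%\_MEI* staging directory that the python38.dll, base_library.zip and .pyd entries in the file list identify as a PyInstaller one-file bundle. The task name, paths and registry values come from the report; the function names, the -Remediate switch and the path normalisation are assumptions of this example.

```powershell
<#
  Added triage script for the host artefacts listed in this report. Not
  Dr.Web's code and not part of the sample. Run from an elevated PowerShell;
  without -Remediate it only reports.
#>
[CmdletBinding()]
param([switch]$Remediate)

# Paths the sample passes to Add-MpPreference (cmd.exe expands the %VAR%
# forms before PowerShell sees them, so Defender stores expanded paths).
# Excluding 'C:\' and %WINDIR% alone disables real-time scanning for
# practically the whole system.
$SampleExclusions = @(
    'C:\', $env:APPDATA, "$env:LOCALAPPDATA\Temp", 'C:\Program Files',
    $env:WINDIR, "$env:APPDATA\Microsoft\Windows\Start Menu\Programs\Startup"
)

# Assumed helper: trailing backslash and case are not significant for comparison.
function Get-ComparablePath([string]$p) { $p.TrimEnd('\').ToLowerInvariant() }

function Test-DefenderExclusions {
    $current = @((Get-MpPreference).ExclusionPath) |
        Where-Object { $_ } | ForEach-Object { Get-ComparablePath $_ }
    $hits = @($SampleExclusions | Where-Object { $current -contains (Get-ComparablePath $_) })
    if ($hits.Count -gt 0) {
        Write-Warning "Defender exclusions matching the sample: $($hits -join ', ')"
        if ($Remediate) { Remove-MpPreference -ExclusionPath $hits }
    }
    return $hits
}

function Test-SecurityCenterNotify {
    # reg add "HKLM\...\Security Center" /v <name> /t REG_DWORD /d 1 /f
    $key   = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Security Center'
    $names = 'AntiVirusDisableNotify', 'FirewallDisableNotify', 'UpdatesDisableNotify'
    $props = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
    $set   = @($names | Where-Object { $props -and $props.$_ -eq 1 })
    if ($set.Count -gt 0) {
        Write-Warning "Security Center notifications suppressed: $($set -join ', ')"
        if ($Remediate) { $set | ForEach-Object { Remove-ItemProperty -Path $key -Name $_ } }
    }
    return $set
}

function Test-DriveTask {
    # schtasks /Create /SC ONLOGON /TN drive /TR "%TEMP%\drive.exe" /RL HIGHEST /F
    $task = Get-ScheduledTask -TaskName 'drive' -ErrorAction SilentlyContinue
    if ($task) {
        $actions = ($task.Actions | ForEach-Object { "$($_.Execute) $($_.Arguments)".Trim() }) -join '; '
        Write-Warning "Scheduled task 'drive' found (RunLevel $($task.Principal.RunLevel)): $actions"
        if ($Remediate) { Unregister-ScheduledTask -TaskName 'drive' -Confirm:$false }
    }
    return $task
}

function Test-DroppedFiles {
    # _MEI<pid> directories are created by every PyInstaller one-file program,
    # so a hit here is only meaningful together with the other indicators.
    $candidates = @("$env:TEMP\drive.exe") +
        @(Get-ChildItem -Path $env:TEMP -Directory -Filter '_MEI*' -ErrorAction SilentlyContinue |
          ForEach-Object { $_.FullName })
    $found = @($candidates | Where-Object { $_ -and (Test-Path -LiteralPath $_) })
    foreach ($f in $found) { Write-Warning "Dropped artefact present: $f" }
    if ($Remediate -and $found.Count -gt 0) {
        # Stop the running copy first, otherwise the executable is locked.
        Get-Process -Name 'drive' -ErrorAction SilentlyContinue | Stop-Process -Force
        $found | ForEach-Object { Remove-Item -LiteralPath $_ -Recurse -Force }
    }
    return $found
}

[ordered]@{
    DefenderExclusions = Test-DefenderExclusions
    SecurityCenter     = Test-SecurityCenterNotify
    ScheduledTask      = Test-DriveTask
    DroppedFiles       = Test-DroppedFiles
}
```

Two points worth keeping in mind when reading the results. Under a default user profile %TEMP% is %LOCALAPPDATA%\Temp, so the dropped drive.exe and the _MEI staging directory both sit inside a path the sample has excluded from Defender scanning; removing the exclusions before re-scanning matters more than the scan itself. The three Security Center values only suppress Windows Security Center notifications about antivirus, firewall and update state; they do not disable any of those components, so their presence is an indicator rather than a capability loss.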

Curing recommendations

  1. If the operating system (OS) can be loaded (either normally or in safe mode), download Dr.Web Security Space and run a full scan of your computer and of the removable media you use.
  2. If you cannot boot the OS, change the BIOS settings to boot your system from a CD or USB drive. Download the image of the Dr.Web® LiveDisk emergency system repair disk, write it to a USB drive or burn it to a CD/DVD. After booting from this media, run a full scan and cure all the detected threats.