Trojan.MulDrop14.2974

Added to the Dr.Web virus database: 2020-10-14

Virus description added:

Technical Information

Malicious functions
Executes the following
  • '<SYSTEM32>\net.exe' stop WLMS
Modifies file system
Creates the following files
  • %TEMP%\mpaggk\mpaggk.cmd
  • %TEMP%\mpaggk\spp\tokens\skus\enterprises\enterprises-ppdlic.xrm-ms
  • %TEMP%\mpaggk\spp\tokens\skus\enterprises\enterprises-oem-nonslp-1-ul-store-rtm.xrm-ms
  • %TEMP%\mpaggk\spp\tokens\skus\enterprises\enterprises-oem-nonslp-1-ul-phn-rtm.xrm-ms
  • %TEMP%\mpaggk\spp\tokens\skus\enterprises\enterprises-oem-nonslp-1-ul-oob-rtm.xrm-ms
  • %TEMP%\mpaggk\spp\tokens\skus\enterprises\enterprises-oem-nonslp-1-pl-rtm.xrm-ms
  • %TEMP%\mpaggk\spp\tokens\skus\enterprises\enterprises-oem-dm-1-ul-store-rtm.xrm-ms
  • %TEMP%\mpaggk\spp\tokens\skus\enterprises\enterprises-oem-dm-1-ul-phn-rtm.xrm-ms
  • %TEMP%\mpaggk\spp\tokens\skus\enterprises\enterprises-oem-dm-1-ul-oob-rtm.xrm-ms
  • %TEMP%\mpaggk\spp\tokens\skus\enterprises\enterprises-oem-dm-1-pl-rtm.xrm-ms
  • %TEMP%\mpaggk\spp\tokens\skus\enterprises\defaultppd-enterprises-ppdlic.xrm-ms
  • %TEMP%\mpaggk\spp\tokens\skus\csvlk-pack\defaultppd-csvlk-pack-ppdlic.xrm-ms
  • %TEMP%\mpaggk\spp\tokens\skus\enterprises\enterprises-volume-csvlk-1-ul-oob-rtm.xrm-ms
  • %TEMP%\mpaggk\spp\tokens\skus\enterprises\enterprises-volume-csvlk-1-pl-rtm.xrm-ms
  • %TEMP%\mpaggk\spp\tokens\skus\csvlk-pack\csvlk-pack-volume-csvlk-9-ul-oob-rtm.xrm-ms
  • %TEMP%\mpaggk\spp\tokens\skus\csvlk-pack\csvlk-pack-volume-csvlk-9-pl-rtm.xrm-ms
  • %TEMP%\mpaggk\spp\tokens\skus\csvlk-pack\csvlk-pack-volume-csvlk-8-ul-store-rtm.xrm-ms
  • %TEMP%\mpaggk\spp\tokens\skus\csvlk-pack\csvlk-pack-volume-csvlk-8-ul-phn-rtm.xrm-ms
  • %TEMP%\mpaggk\spp\tokens\skus\csvlk-pack\csvlk-pack-volume-csvlk-8-ul-oob-rtm.xrm-ms
  • %TEMP%\mpaggk\spp\tokens\skus\csvlk-pack\csvlk-pack-volume-csvlk-8-pl-rtm.xrm-ms
  • %TEMP%\mpaggk\spp\tokens\skus\csvlk-pack\csvlk-pack-volume-csvlk-7-ul-store-rtm.xrm-ms
  • %TEMP%\mpaggk\spp\tokens\skus\csvlk-pack\csvlk-pack-volume-csvlk-7-ul-phn-rtm.xrm-ms
  • %TEMP%\mpaggk\spp\tokens\skus\csvlk-pack\csvlk-pack-volume-csvlk-7-ul-oob-rtm.xrm-ms
  • %TEMP%\mpaggk\spp\tokens\skus\csvlk-pack\csvlk-pack-volume-csvlk-7-pl-rtm.xrm-ms
  • %TEMP%\mpaggk\spp\tokens\skus\csvlk-pack\csvlk-pack-volume-csvlk-6-ul-store-rtm.xrm-ms
  • %TEMP%\mpaggk\spp\tokens\skus\csvlk-pack\csvlk-pack-volume-csvlk-9-ul-store-rtm.xrm-ms
  • %TEMP%\mpaggk\spp\tokens\legacy\spc-generic-public.xrm-ms
  • %TEMP%\mpaggk\spp\tokens\skus\enterprises\enterprises-volume-csvlk-1-ul-phn-rtm.xrm-ms
  • %TEMP%\mpaggk\spp\tokens\skus\enterprises\enterprises-volume-mak-1-ul-phn-rtm.xrm-ms
  • %TEMP%\mpaggk\spp\tokens\skus\enterprises\enterprises-volume-mak-1-ul-oob-rtm.xrm-ms
  • %TEMP%\mpaggk\spp\tokens\skus\enterprises\enterprises-volume-mak-1-pl-rtm.xrm-ms
  • %TEMP%\mpaggk\spp\tokens\skus\enterprises\enterprises-volume-gvlk-1-ul-rtm.xrm-ms
  • %TEMP%\mpaggk\spp\tokens\skus\enterprises\enterprises-volume-gvlk-1-ul-oob-rtm.xrm-ms
  • %TEMP%\mpaggk\spp\tokens\skus\enterprises\enterprises-volume-csvlk-6-ul-store-rtm.xrm-ms
  • %TEMP%\mpaggk\spp\tokens\skus\enterprises\enterprises-volume-csvlk-6-ul-phn-rtm.xrm-ms
  • %TEMP%\mpaggk\spp\tokens\skus\enterprises\enterprises-volume-csvlk-6-ul-oob-rtm.xrm-ms
  • %TEMP%\mpaggk\spp\tokens\skus\enterprises\enterprises-volume-csvlk-6-pl-rtm.xrm-ms
  • %TEMP%\mpaggk\spp\tokens\skus\enterprises\enterprises-volume-csvlk-5-ul-store-rtm.xrm-ms
  • %TEMP%\mpaggk\spp\tokens\skus\enterprises\enterprises-volume-csvlk-5-ul-phn-rtm.xrm-ms
  • %TEMP%\mpaggk\spp\tokens\skus\enterprises\enterprises-volume-csvlk-5-ul-oob-rtm.xrm-ms
  • %TEMP%\mpaggk\spp\tokens\skus\enterprises\enterprises-volume-csvlk-5-pl-rtm.xrm-ms
  • %TEMP%\mpaggk\spp\tokens\skus\enterprises\enterprises-volume-csvlk-4-ul-store-rtm.xrm-ms
  • %TEMP%\mpaggk\spp\tokens\skus\enterprises\enterprises-volume-csvlk-4-ul-phn-rtm.xrm-ms
  • %TEMP%\mpaggk\spp\tokens\skus\enterprises\enterprises-volume-csvlk-4-ul-oob-rtm.xrm-ms
  • %TEMP%\mpaggk\spp\tokens\skus\enterprises\enterprises-volume-csvlk-4-pl-rtm.xrm-ms
  • %TEMP%\mpaggk\spp\tokens\skus\enterprises\enterprises-volume-csvlk-3-ul-store-rtm.xrm-ms
  • %TEMP%\mpaggk\spp\tokens\skus\enterprises\enterprises-volume-csvlk-3-ul-phn-rtm.xrm-ms
  • %TEMP%\mpaggk\spp\tokens\skus\enterprises\enterprises-volume-csvlk-3-ul-oob-rtm.xrm-ms
  • %TEMP%\mpaggk\spp\tokens\skus\enterprises\enterprises-volume-csvlk-3-pl-rtm.xrm-ms
  • %TEMP%\mpaggk\spp\tokens\skus\enterprises\enterprises-volume-csvlk-2-ul-store-rtm.xrm-ms
  • %TEMP%\mpaggk\spp\tokens\skus\enterprises\enterprises-volume-csvlk-2-ul-phn-rtm.xrm-ms
  • %TEMP%\mpaggk\spp\tokens\skus\enterprises\enterprises-volume-csvlk-2-ul-oob-rtm.xrm-ms
  • %TEMP%\mpaggk\spp\tokens\skus\enterprises\enterprises-volume-csvlk-2-pl-rtm.xrm-ms
  • %TEMP%\mpaggk\spp\tokens\skus\csvlk-pack\csvlk-pack-volume-csvlk-6-ul-phn-rtm.xrm-ms
  • %TEMP%\mpaggk\spp\tokens\skus\csvlk-pack\csvlk-pack-volume-csvlk-9-ul-phn-rtm.xrm-ms
  • %TEMP%\mpaggk\spp\tokens\skus\csvlk-pack\csvlk-pack-volume-csvlk-6-ul-oob-rtm.xrm-ms
  • %TEMP%\mpaggk\spp\tokens\skus\csvlk-pack\csvlk-pack-volume-csvlk-6-pl-rtm.xrm-ms
  • %TEMP%\mpaggk\spp\tokens\skus\csvlk-pack\csvlk-pack-volume-csvlk-5-ul-store-rtm.xrm-ms
  • %TEMP%\mpaggk\x64\psexec.exe
  • %TEMP%\mpaggk\spp\tokens\legacy\client-issuance-spc.xrm-ms
  • %TEMP%\mpaggk\spp\tokens\legacy\client-issuance-rac.xrm-ms
  • %TEMP%\mpaggk\spp\tokens\issuance\client-issuance-wgalic.xrm-ms
  • %TEMP%\mpaggk\spp\tokens\issuance\client-issuance-ul.xrm-ms
  • %TEMP%\mpaggk\spp\tokens\issuance\client-issuance-ul-oob.xrm-ms
  • %TEMP%\mpaggk\spp\tokens\issuance\client-issuance-stil.xrm-ms
  • %TEMP%\mpaggk\spp\plugin-manifests-signed\sppwinob-spp-plugin-manifest-signed.xrm-ms
  • %TEMP%\mpaggk\spp\plugin-manifests-signed\sppobjs-spp-plugin-manifest-signed.xrm-ms
  • %TEMP%\mpaggk\x64\x64_win.cmd
  • %TEMP%\mpaggk\x64\superuser.exe
  • %TEMP%\mpaggk\x64\slc.dll
  • %TEMP%\mpaggk\x64\hideexec.exe
  • %TEMP%\mpaggk\spp\tokens\legacy\rac-generic-public.xrm-ms
  • %TEMP%\mpaggk\x64\helevate.exe
  • %TEMP%\mpaggk\x64\gatherosstate.exe
  • %TEMP%\mpaggk\x64\clipup.exe
  • %TEMP%\mpaggk\x32\x32_win.cmd
  • %TEMP%\mpaggk\x32\superuser.exe
  • %TEMP%\mpaggk\x32\slc.dll
  • %TEMP%\mpaggk\x32\psexec.exe
  • %TEMP%\mpaggk\x32\hideexec.exe
  • %TEMP%\mpaggk\x32\helevate.exe
  • %TEMP%\mpaggk\x32\gatherosstate.exe
  • %TEMP%\mpaggk\x32\clipup.exe
  • %TEMP%\mpaggk\spp\tokens\skus\enterprises\enterprises-volume-mak-1-ul-store-rtm.xrm-ms
  • %TEMP%\mpaggk\spp\tokens\skus\enterprises\enterprises-volume-csvlk-1-ul-store-rtm.xrm-ms
  • %TEMP%\mpaggk\spp\tokens\legacy\spc-generic-private.xrm-ms
  • %TEMP%\mpaggk\spp\tokens\pkeyconfig\pkeyconfig-downlevel.xrm-ms
  • %TEMP%\mpaggk\spp\tokens\legacy\rac-generic-private.xrm-ms
  • %TEMP%\mpaggk\spp\tokens\skus\csvlk-pack\csvlk-pack-volume-csvlk-5-ul-phn-rtm.xrm-ms
  • %TEMP%\mpaggk\spp\tokens\skus\csvlk-pack\csvlk-pack-volume-csvlk-5-ul-oob-rtm.xrm-ms
  • %TEMP%\mpaggk\spp\tokens\skus\csvlk-pack\csvlk-pack-volume-csvlk-5-pl-rtm.xrm-ms
  • %TEMP%\mpaggk\spp\tokens\skus\csvlk-pack\csvlk-pack-volume-csvlk-4-ul-store-rtm.xrm-ms
  • %TEMP%\mpaggk\spp\tokens\skus\csvlk-pack\csvlk-pack-volume-csvlk-4-ul-phn-rtm.xrm-ms
  • %TEMP%\mpaggk\spp\tokens\skus\csvlk-pack\csvlk-pack-volume-csvlk-4-ul-oob-rtm.xrm-ms
  • %TEMP%\mpaggk\spp\tokens\skus\csvlk-pack\csvlk-pack-volume-csvlk-4-pl-rtm.xrm-ms
  • %TEMP%\mpaggk\spp\tokens\skus\csvlk-pack\csvlk-pack-volume-csvlk-3-ul-store-rtm.xrm-ms
  • %TEMP%\mpaggk\spp\tokens\skus\csvlk-pack\csvlk-pack-volume-csvlk-3-ul-phn-rtm.xrm-ms
  • %TEMP%\mpaggk\spp\tokens\skus\csvlk-pack\csvlk-pack-volume-csvlk-3-ul-oob-rtm.xrm-ms
  • %TEMP%\mpaggk\spp\tokens\skus\csvlk-pack\csvlk-pack-volume-csvlk-3-pl-rtm.xrm-ms
  • %TEMP%\mpaggk\spp\tokens\skus\csvlk-pack\csvlk-pack-volume-csvlk-2-ul-store-rtm.xrm-ms
  • %TEMP%\mpaggk\spp\tokens\skus\csvlk-pack\csvlk-pack-volume-csvlk-2-ul-phn-rtm.xrm-ms
  • %TEMP%\mpaggk\spp\tokens\skus\csvlk-pack\csvlk-pack-volume-csvlk-2-ul-oob-rtm.xrm-ms
  • %TEMP%\mpaggk\spp\tokens\skus\csvlk-pack\csvlk-pack-volume-csvlk-2-pl-rtm.xrm-ms
  • %TEMP%\mpaggk\spp\tokens\skus\csvlk-pack\csvlk-pack-volume-csvlk-1-ul-store-rtm.xrm-ms
  • %TEMP%\mpaggk\spp\tokens\skus\csvlk-pack\csvlk-pack-volume-csvlk-1-ul-phn-rtm.xrm-ms
  • %TEMP%\mpaggk\spp\tokens\skus\csvlk-pack\csvlk-pack-volume-csvlk-1-ul-oob-rtm.xrm-ms
  • %TEMP%\mpaggk\spp\tokens\skus\csvlk-pack\csvlk-pack-volume-csvlk-1-pl-rtm.xrm-ms
  • %TEMP%\mpaggk\spp\tokens\skus\csvlk-pack\csvlk-pack-ppdlic.xrm-ms
  • %TEMP%\mpaggk\spp\tokens\rules\ruleset-windowsapp.xrm-ms
  • %TEMP%\mpaggk\spp\tokens\rules\ruleset-platformglobal.xrm-ms
  • %TEMP%\mpaggk\spp\tokens\rules\ruleset-filteractions.xrm-ms
  • %TEMP%\mpaggk\spp\tokens\pkeyconfig\pkeyconfig.xrm-ms
  • %TEMP%\mpaggk\spp\tokens\pkeyconfig\pkeyconfig-csvlk.xrm-ms
  • nul
Miscellaneous
Creates and executes the following
  • '%TEMP%\mpaggk\x64\hideexec.exe' "%TEMP%\MPAGGK\MPAGGK.cmd" win 3QP4N-RC9JQ-XD9MD-7Q647-HXQB9
  • '%TEMP%\mpaggk\x64\superuser.exe' /w /c "%TEMP%\MPAGGK\x64\HideExec.exe" "<SYSTEM32>\SC.exe" config WLMS start= disabled
  • '%TEMP%\mpaggk\x64\superuser.exe' /w /c "%TEMP%\MPAGGK\x64\HideExec.exe" "<SYSTEM32>\SC.exe" delete WLMS
  • '%TEMP%\mpaggk\x64\superuser.exe' /w /c "%TEMP%\MPAGGK\x64\HideExec.exe" "<SYSTEM32>\SC.exe" config ClipSvc start= demand
  • '%TEMP%\mpaggk\x64\superuser.exe' /w /c "%TEMP%\MPAGGK\x64\HideExec.exe" "<SYSTEM32>\SC.exe" config SppSvc start= delayed-auto
  • '%TEMP%\mpaggk\x64\hideexec.exe' "%TEMP%\MPAGGK\MPAGGK.cmd" win 43TBQ-NH92J-XKTM7-KT3KK-P39PB
  • '%WINDIR%\syswow64\cmd.exe' /c ""%TEMP%\MPAGGK\MPAGGK.cmd" win 3QP4N-RC9JQ-XD9MD-7Q647-HXQB9"' (with hidden window)
  • '<SYSTEM32>\cmd.exe' /c ""%TEMP%\MPAGGK\MPAGGK.cmd" win 3QP4N-RC9JQ-XD9MD-7Q647-HXQB9"' (with hidden window)
  • '%WINDIR%\syswow64\cmd.exe' /c ""%TEMP%\MPAGGK\MPAGGK.cmd" win 43TBQ-NH92J-XKTM7-KT3KK-P39PB"' (with hidden window)
  • '<SYSTEM32>\cmd.exe' /c ""%TEMP%\MPAGGK\MPAGGK.cmd" win 43TBQ-NH92J-XKTM7-KT3KK-P39PB"' (with hidden window)
Executes the following
  • '%WINDIR%\syswow64\cmd.exe' /c ""%TEMP%\MPAGGK\MPAGGK.cmd" win 3QP4N-RC9JQ-XD9MD-7Q647-HXQB9"
  • '<SYSTEM32>\cscript.exe' //NoLogo "<SYSTEM32>\slmgr.vbs" /ilc "%TEMP%\MPAGGK\spp\tokens\skus\EnterpriseS\EnterpriseS-Volume-CSVLK-2-pl-rtm.xrm-ms"
  • '<SYSTEM32>\cscript.exe' //NoLogo "<SYSTEM32>\slmgr.vbs" /ilc "%TEMP%\MPAGGK\spp\tokens\skus\EnterpriseS\EnterpriseS-Volume-CSVLK-1-ul-store-rtm.xrm-ms"
  • '<SYSTEM32>\cscript.exe' //NoLogo "<SYSTEM32>\slmgr.vbs" /ilc "%TEMP%\MPAGGK\spp\tokens\skus\EnterpriseS\EnterpriseS-Volume-CSVLK-1-ul-phn-rtm.xrm-ms"
  • '<SYSTEM32>\cscript.exe' //NoLogo "<SYSTEM32>\slmgr.vbs" /ilc "%TEMP%\MPAGGK\spp\tokens\skus\EnterpriseS\EnterpriseS-Volume-CSVLK-1-ul-oob-rtm.xrm-ms"
  • '<SYSTEM32>\cscript.exe' //NoLogo "<SYSTEM32>\slmgr.vbs" /ilc "%TEMP%\MPAGGK\spp\tokens\skus\EnterpriseS\EnterpriseS-Volume-CSVLK-1-pl-rtm.xrm-ms"
  • '<SYSTEM32>\cscript.exe' //NoLogo "<SYSTEM32>\slmgr.vbs" /ilc "%TEMP%\MPAGGK\spp\tokens\skus\EnterpriseS\EnterpriseS-ppdlic.xrm-ms"
  • '<SYSTEM32>\cscript.exe' //NoLogo "<SYSTEM32>\slmgr.vbs" /ilc "%TEMP%\MPAGGK\spp\tokens\skus\EnterpriseS\EnterpriseS-OEM-NONSLP-1-ul-store-rtm.xrm-ms"
  • '<SYSTEM32>\cscript.exe' //NoLogo "<SYSTEM32>\slmgr.vbs" /ilc "%TEMP%\MPAGGK\spp\tokens\skus\EnterpriseS\EnterpriseS-OEM-NONSLP-1-ul-phn-rtm.xrm-ms"
  • '<SYSTEM32>\cscript.exe' //NoLogo "<SYSTEM32>\slmgr.vbs" /ilc "%TEMP%\MPAGGK\spp\tokens\skus\EnterpriseS\EnterpriseS-OEM-NONSLP-1-ul-oob-rtm.xrm-ms"
  • '<SYSTEM32>\cscript.exe' //NoLogo "<SYSTEM32>\slmgr.vbs" /ilc "%TEMP%\MPAGGK\spp\tokens\skus\EnterpriseS\EnterpriseS-OEM-NONSLP-1-pl-rtm.xrm-ms"
  • '<SYSTEM32>\cscript.exe' //NoLogo "<SYSTEM32>\slmgr.vbs" /ilc "%TEMP%\MPAGGK\spp\tokens\skus\EnterpriseS\EnterpriseS-OEM-DM-1-ul-store-rtm.xrm-ms"
  • '<SYSTEM32>\cscript.exe' //NoLogo "<SYSTEM32>\slmgr.vbs" /ilc "%TEMP%\MPAGGK\spp\tokens\skus\EnterpriseS\EnterpriseS-OEM-DM-1-ul-phn-rtm.xrm-ms"
  • '<SYSTEM32>\cscript.exe' //NoLogo "<SYSTEM32>\slmgr.vbs" /ilc "%TEMP%\MPAGGK\spp\tokens\skus\EnterpriseS\EnterpriseS-Volume-CSVLK-2-ul-oob-rtm.xrm-ms"
  • '<SYSTEM32>\cscript.exe' //NoLogo "<SYSTEM32>\slmgr.vbs" /ilc "%TEMP%\MPAGGK\spp\tokens\skus\EnterpriseS\EnterpriseS-OEM-DM-1-ul-oob-rtm.xrm-ms"
  • '<SYSTEM32>\cscript.exe' //NoLogo "<SYSTEM32>\slmgr.vbs" /ilc "%TEMP%\MPAGGK\spp\tokens\skus\EnterpriseS\DefaultPpd-EnterpriseS-ppdlic.xrm-ms"
  • '<SYSTEM32>\cscript.exe' //NoLogo "<SYSTEM32>\slmgr.vbs" /ilc "%TEMP%\MPAGGK\spp\tokens\skus\csvlk-pack\DefaultPpd-csvlk-pack-ppdlic.xrm-ms"
  • '<SYSTEM32>\cscript.exe' //NoLogo "<SYSTEM32>\slmgr.vbs" /ilc "%TEMP%\MPAGGK\spp\tokens\skus\csvlk-pack\csvlk-pack-Volume-CSVLK-9-ul-store-rtm.xrm-ms"
  • '<SYSTEM32>\cscript.exe' //NoLogo "<SYSTEM32>\slmgr.vbs" /ilc "%TEMP%\MPAGGK\spp\tokens\skus\csvlk-pack\csvlk-pack-Volume-CSVLK-9-ul-phn-rtm.xrm-ms"
  • '<SYSTEM32>\cscript.exe' //NoLogo "<SYSTEM32>\slmgr.vbs" /ilc "%TEMP%\MPAGGK\spp\tokens\skus\csvlk-pack\csvlk-pack-Volume-CSVLK-9-ul-oob-rtm.xrm-ms"
  • '<SYSTEM32>\cscript.exe' //NoLogo "<SYSTEM32>\slmgr.vbs" /ilc "%TEMP%\MPAGGK\spp\tokens\skus\csvlk-pack\csvlk-pack-Volume-CSVLK-9-pl-rtm.xrm-ms"
  • '<SYSTEM32>\cscript.exe' //NoLogo "<SYSTEM32>\slmgr.vbs" /ilc "%TEMP%\MPAGGK\spp\tokens\skus\csvlk-pack\csvlk-pack-Volume-CSVLK-8-ul-store-rtm.xrm-ms"
  • '<SYSTEM32>\cscript.exe' //NoLogo "<SYSTEM32>\slmgr.vbs" /ilc "%TEMP%\MPAGGK\spp\tokens\skus\csvlk-pack\csvlk-pack-Volume-CSVLK-8-ul-phn-rtm.xrm-ms"
  • '<SYSTEM32>\cscript.exe' //NoLogo "<SYSTEM32>\slmgr.vbs" /ilc "%TEMP%\MPAGGK\spp\tokens\skus\csvlk-pack\csvlk-pack-Volume-CSVLK-8-ul-oob-rtm.xrm-ms"
  • '<SYSTEM32>\cscript.exe' //NoLogo "<SYSTEM32>\slmgr.vbs" /ilc "%TEMP%\MPAGGK\spp\tokens\skus\csvlk-pack\csvlk-pack-Volume-CSVLK-8-pl-rtm.xrm-ms"
  • '<SYSTEM32>\cscript.exe' //NoLogo "<SYSTEM32>\slmgr.vbs" /ilc "%TEMP%\MPAGGK\spp\tokens\skus\csvlk-pack\csvlk-pack-Volume-CSVLK-7-ul-store-rtm.xrm-ms"
  • '<SYSTEM32>\cscript.exe' //NoLogo "<SYSTEM32>\slmgr.vbs" /ilc "%TEMP%\MPAGGK\spp\tokens\skus\csvlk-pack\csvlk-pack-Volume-CSVLK-7-ul-phn-rtm.xrm-ms"
  • '<SYSTEM32>\cscript.exe' //NoLogo "<SYSTEM32>\slmgr.vbs" /ilc "%TEMP%\MPAGGK\spp\tokens\skus\EnterpriseS\EnterpriseS-OEM-DM-1-pl-rtm.xrm-ms"
  • '<SYSTEM32>\cscript.exe' //NoLogo "<SYSTEM32>\slmgr.vbs" /ilc "%TEMP%\MPAGGK\spp\tokens\skus\EnterpriseS\EnterpriseS-Volume-CSVLK-6-ul-oob-rtm.xrm-ms"
  • '%WINDIR%\syswow64\cmd.exe' /c ""%TEMP%\MPAGGK\MPAGGK.cmd" win 43TBQ-NH92J-XKTM7-KT3KK-P39PB"
  • '<SYSTEM32>\cscript.exe' //NoLogo "<SYSTEM32>\slmgr.vbs" /ilc "%TEMP%\MPAGGK\spp\tokens\skus\EnterpriseS\EnterpriseS-Volume-CSVLK-3-pl-rtm.xrm-ms"
  • '<SYSTEM32>\reg.exe' Query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion" /v "CurrentMajorVersionNumber"
  • '<SYSTEM32>\find.exe' "REG_DWORD"
  • '<SYSTEM32>\cmd.exe' /S /D /c" Call "<SYSTEM32>\Reg.exe" Query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion" /v "CurrentMajorVersionNumber""
  • '<SYSTEM32>\cmd.exe' /c Call "<SYSTEM32>\Reg.exe" Query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion" /v "CurrentMajorVersionNumber"|"<SYSTEM32>\Find.exe" "REG_DWORD"
  • '<SYSTEM32>\cscript.exe' //NoLogo "<SYSTEM32>\slmgr.vbs" /ipk "3QP4N-RC9JQ-XD9MD-7Q647-HXQB9"
  • '<SYSTEM32>\cscript.exe' //NoLogo "<SYSTEM32>\slmgr.vbs" /ilc "%TEMP%\MPAGGK\spp\tokens\skus\EnterpriseS\EnterpriseS-Volume-MAK-1-ul-store-rtm.xrm-ms"
  • '<SYSTEM32>\cscript.exe' //NoLogo "<SYSTEM32>\slmgr.vbs" /ilc "%TEMP%\MPAGGK\spp\tokens\skus\EnterpriseS\EnterpriseS-Volume-MAK-1-ul-phn-rtm.xrm-ms"
  • '<SYSTEM32>\cscript.exe' //NoLogo "<SYSTEM32>\slmgr.vbs" /ilc "%TEMP%\MPAGGK\spp\tokens\skus\EnterpriseS\EnterpriseS-Volume-MAK-1-ul-oob-rtm.xrm-ms"
  • '<SYSTEM32>\cscript.exe' //NoLogo "<SYSTEM32>\slmgr.vbs" /ilc "%TEMP%\MPAGGK\spp\tokens\skus\EnterpriseS\EnterpriseS-Volume-MAK-1-pl-rtm.xrm-ms"
  • '<SYSTEM32>\cscript.exe' //NoLogo "<SYSTEM32>\slmgr.vbs" /ilc "%TEMP%\MPAGGK\spp\tokens\skus\EnterpriseS\EnterpriseS-Volume-GVLK-1-ul-rtm.xrm-ms"
  • '<SYSTEM32>\cscript.exe' //NoLogo "<SYSTEM32>\slmgr.vbs" /ilc "%TEMP%\MPAGGK\spp\tokens\skus\EnterpriseS\EnterpriseS-Volume-GVLK-1-ul-oob-rtm.xrm-ms"
  • '<SYSTEM32>\cscript.exe' //NoLogo "<SYSTEM32>\slmgr.vbs" /ilc "%TEMP%\MPAGGK\spp\tokens\skus\EnterpriseS\EnterpriseS-Volume-CSVLK-6-ul-store-rtm.xrm-ms"
  • '<SYSTEM32>\cscript.exe' //NoLogo "<SYSTEM32>\slmgr.vbs" /ilc "%TEMP%\MPAGGK\spp\tokens\skus\csvlk-pack\csvlk-pack-Volume-CSVLK-7-ul-oob-rtm.xrm-ms"
  • '<SYSTEM32>\cscript.exe' //NoLogo "<SYSTEM32>\slmgr.vbs" /ilc "%TEMP%\MPAGGK\spp\tokens\skus\EnterpriseS\EnterpriseS-Volume-CSVLK-6-ul-phn-rtm.xrm-ms"
  • '<SYSTEM32>\cscript.exe' //NoLogo "<SYSTEM32>\slmgr.vbs" /ilc "%TEMP%\MPAGGK\spp\tokens\skus\EnterpriseS\EnterpriseS-Volume-CSVLK-6-pl-rtm.xrm-ms"
  • '<SYSTEM32>\cscript.exe' //NoLogo "<SYSTEM32>\slmgr.vbs" /ilc "%TEMP%\MPAGGK\spp\tokens\skus\EnterpriseS\EnterpriseS-Volume-CSVLK-5-ul-store-rtm.xrm-ms"
  • '<SYSTEM32>\cscript.exe' //NoLogo "<SYSTEM32>\slmgr.vbs" /ilc "%TEMP%\MPAGGK\spp\tokens\skus\EnterpriseS\EnterpriseS-Volume-CSVLK-5-ul-phn-rtm.xrm-ms"
  • '<SYSTEM32>\cscript.exe' //NoLogo "<SYSTEM32>\slmgr.vbs" /ilc "%TEMP%\MPAGGK\spp\tokens\skus\EnterpriseS\EnterpriseS-Volume-CSVLK-5-ul-oob-rtm.xrm-ms"
  • '<SYSTEM32>\cscript.exe' //NoLogo "<SYSTEM32>\slmgr.vbs" /ilc "%TEMP%\MPAGGK\spp\tokens\skus\EnterpriseS\EnterpriseS-Volume-CSVLK-5-pl-rtm.xrm-ms"
  • '<SYSTEM32>\cscript.exe' //NoLogo "<SYSTEM32>\slmgr.vbs" /ilc "%TEMP%\MPAGGK\spp\tokens\skus\EnterpriseS\EnterpriseS-Volume-CSVLK-4-ul-store-rtm.xrm-ms"
  • '<SYSTEM32>\cscript.exe' //NoLogo "<SYSTEM32>\slmgr.vbs" /ilc "%TEMP%\MPAGGK\spp\tokens\skus\EnterpriseS\EnterpriseS-Volume-CSVLK-4-ul-phn-rtm.xrm-ms"
  • '<SYSTEM32>\cscript.exe' //NoLogo "<SYSTEM32>\slmgr.vbs" /ilc "%TEMP%\MPAGGK\spp\tokens\skus\EnterpriseS\EnterpriseS-Volume-CSVLK-4-ul-oob-rtm.xrm-ms"
  • '<SYSTEM32>\cscript.exe' //NoLogo "<SYSTEM32>\slmgr.vbs" /ilc "%TEMP%\MPAGGK\spp\tokens\skus\EnterpriseS\EnterpriseS-Volume-CSVLK-4-pl-rtm.xrm-ms"
  • '<SYSTEM32>\cscript.exe' //NoLogo "<SYSTEM32>\slmgr.vbs" /ilc "%TEMP%\MPAGGK\spp\tokens\skus\EnterpriseS\EnterpriseS-Volume-CSVLK-3-ul-store-rtm.xrm-ms"
  • '<SYSTEM32>\cscript.exe' //NoLogo "<SYSTEM32>\slmgr.vbs" /ilc "%TEMP%\MPAGGK\spp\tokens\skus\EnterpriseS\EnterpriseS-Volume-CSVLK-3-ul-phn-rtm.xrm-ms"
  • '<SYSTEM32>\cscript.exe' //NoLogo "<SYSTEM32>\slmgr.vbs" /ilc "%TEMP%\MPAGGK\spp\tokens\skus\EnterpriseS\EnterpriseS-Volume-CSVLK-3-ul-oob-rtm.xrm-ms"
  • '<SYSTEM32>\cscript.exe' //NoLogo "<SYSTEM32>\slmgr.vbs" /ilc "%TEMP%\MPAGGK\spp\tokens\skus\EnterpriseS\EnterpriseS-Volume-CSVLK-2-ul-phn-rtm.xrm-ms"
  • '<SYSTEM32>\cscript.exe' //NoLogo "<SYSTEM32>\slmgr.vbs" /ilc "%TEMP%\MPAGGK\spp\tokens\skus\EnterpriseS\EnterpriseS-Volume-CSVLK-2-ul-store-rtm.xrm-ms"
  • '<SYSTEM32>\cscript.exe' //NoLogo "<SYSTEM32>\slmgr.vbs" /ilc "%TEMP%\MPAGGK\spp\tokens\skus\csvlk-pack\csvlk-pack-Volume-CSVLK-7-pl-rtm.xrm-ms"
  • '<SYSTEM32>\cscript.exe' //NoLogo "<SYSTEM32>\slmgr.vbs" /ilc "%TEMP%\MPAGGK\spp\tokens\pkeyconfig\pkeyconfig-downlevel.xrm-ms"
  • '<SYSTEM32>\cscript.exe' //NoLogo "<SYSTEM32>\slmgr.vbs" /ilc "%TEMP%\MPAGGK\spp\tokens\legacy\spc-generic-private.xrm-ms"
  • '<SYSTEM32>\cscript.exe' //NoLogo "<SYSTEM32>\slmgr.vbs" /ilc "%TEMP%\MPAGGK\spp\tokens\legacy\rac-generic-public.xrm-ms"
  • '<SYSTEM32>\cscript.exe' //NoLogo "<SYSTEM32>\slmgr.vbs" /ilc "%TEMP%\MPAGGK\spp\tokens\legacy\rac-generic-private.xrm-ms"
  • '<SYSTEM32>\cscript.exe' //NoLogo "<SYSTEM32>\slmgr.vbs" /ilc "%TEMP%\MPAGGK\spp\tokens\legacy\client-issuance-spc.xrm-ms"
  • '<SYSTEM32>\cscript.exe' //NoLogo "<SYSTEM32>\slmgr.vbs" /ilc "%TEMP%\MPAGGK\spp\tokens\legacy\client-issuance-rac.xrm-ms"
  • '<SYSTEM32>\cscript.exe' //NoLogo "<SYSTEM32>\slmgr.vbs" /ilc "%TEMP%\MPAGGK\spp\tokens\issuance\client-issuance-wgalic.xrm-ms"
  • '<SYSTEM32>\cscript.exe' //NoLogo "<SYSTEM32>\slmgr.vbs" /ilc "%TEMP%\MPAGGK\spp\tokens\issuance\client-issuance-ul.xrm-ms"
  • '<SYSTEM32>\cscript.exe' //NoLogo "<SYSTEM32>\slmgr.vbs" /ilc "%TEMP%\MPAGGK\spp\tokens\issuance\client-issuance-ul-oob.xrm-ms"
  • '<SYSTEM32>\cscript.exe' //NoLogo "<SYSTEM32>\slmgr.vbs" /ilc "%TEMP%\MPAGGK\spp\tokens\issuance\client-issuance-stil.xrm-ms"
  • '<SYSTEM32>\cscript.exe' //NoLogo "<SYSTEM32>\slmgr.vbs" /ilc "%TEMP%\MPAGGK\spp\plugin-manifests-signed\sppwinob-spp-plugin-manifest-signed.xrm-ms"
  • '<SYSTEM32>\cscript.exe' //NoLogo "<SYSTEM32>\slmgr.vbs" /ilc "%TEMP%\MPAGGK\spp\plugin-manifests-signed\sppobjs-spp-plugin-manifest-signed.xrm-ms"
  • '<SYSTEM32>\cscript.exe' //NoLogo "<SYSTEM32>\slmgr.vbs" /rilc
  • '<SYSTEM32>\cscript.exe' //NoLogo "<SYSTEM32>\slmgr.vbs" /ilc "%TEMP%\MPAGGK\spp\tokens\legacy\spc-generic-public.xrm-ms"
  • '<SYSTEM32>\net1.exe' stop WLMS
  • '<SYSTEM32>\find.exe' "REG_SZ"
  • '<SYSTEM32>\cmd.exe' /S /D /c" Call "<SYSTEM32>\Reg.exe" Query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion" /v "CurrentVersion""
  • '<SYSTEM32>\cmd.exe' /c Call "<SYSTEM32>\Reg.exe" Query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion" /v "CurrentVersion"|"<SYSTEM32>\Find.exe" "REG_SZ"
  • '<SYSTEM32>\reg.exe' Query "HKU\S-1-5-19\Environment" /v "TEMP"
  • '<SYSTEM32>\find.exe' "REG_EXPAND_SZ"
  • '<SYSTEM32>\cmd.exe' /S /D /c" Call "<SYSTEM32>\Reg.exe" Query "HKU\S-1-5-19\Environment" /v "TEMP""
  • '<SYSTEM32>\cmd.exe' /c Call "<SYSTEM32>\Reg.exe" Query "HKU\S-1-5-19\Environment" /v "TEMP"|"<SYSTEM32>\Find.exe" "REG_EXPAND_SZ"
  • '<SYSTEM32>\cmd.exe' /c ""%TEMP%\MPAGGK\MPAGGK.cmd" win 3QP4N-RC9JQ-XD9MD-7Q647-HXQB9"
  • '%WINDIR%\syswow64\reg.exe' Query "HKU\S-1-5-19\Environment" /v "TEMP"
  • '%WINDIR%\syswow64\find.exe' "REG_EXPAND_SZ"
  • '%WINDIR%\syswow64\cmd.exe' /S /D /c" Call "<SYSTEM32>\Reg.exe" Query "HKU\S-1-5-19\Environment" /v "TEMP""
  • '%WINDIR%\syswow64\cmd.exe' /c Call "<SYSTEM32>\Reg.exe" Query "HKU\S-1-5-19\Environment" /v "TEMP"|"<SYSTEM32>\Find.exe" "REG_EXPAND_SZ"
  • '<SYSTEM32>\reg.exe' Query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion" /v "CurrentVersion"
  • '<SYSTEM32>\cscript.exe' //NoLogo "<SYSTEM32>\slmgr.vbs" /ilc "%TEMP%\MPAGGK\spp\tokens\skus\csvlk-pack\csvlk-pack-Volume-CSVLK-3-pl-rtm.xrm-ms"
  • '<SYSTEM32>\cscript.exe' //NoLogo "<SYSTEM32>\slmgr.vbs" /ilc "%TEMP%\MPAGGK\spp\tokens\skus\csvlk-pack\csvlk-pack-Volume-CSVLK-6-ul-phn-rtm.xrm-ms"
  • '<SYSTEM32>\cscript.exe' //NoLogo "<SYSTEM32>\slmgr.vbs" /ilc "%TEMP%\MPAGGK\spp\tokens\pkeyconfig\pkeyconfig.xrm-ms"
  • '<SYSTEM32>\cscript.exe' //NoLogo "<SYSTEM32>\slmgr.vbs" /ilc "%TEMP%\MPAGGK\spp\tokens\skus\csvlk-pack\csvlk-pack-Volume-CSVLK-6-ul-oob-rtm.xrm-ms"
  • '<SYSTEM32>\cscript.exe' //NoLogo "<SYSTEM32>\slmgr.vbs" /ilc "%TEMP%\MPAGGK\spp\tokens\skus\csvlk-pack\csvlk-pack-Volume-CSVLK-6-pl-rtm.xrm-ms"
  • '<SYSTEM32>\cscript.exe' //NoLogo "<SYSTEM32>\slmgr.vbs" /ilc "%TEMP%\MPAGGK\spp\tokens\skus\csvlk-pack\csvlk-pack-Volume-CSVLK-5-ul-store-rtm.xrm-ms"
  • '<SYSTEM32>\cscript.exe' //NoLogo "<SYSTEM32>\slmgr.vbs" /ilc "%TEMP%\MPAGGK\spp\tokens\skus\csvlk-pack\csvlk-pack-Volume-CSVLK-5-ul-phn-rtm.xrm-ms"
  • '<SYSTEM32>\cscript.exe' //NoLogo "<SYSTEM32>\slmgr.vbs" /ilc "%TEMP%\MPAGGK\spp\tokens\skus\csvlk-pack\csvlk-pack-Volume-CSVLK-5-ul-oob-rtm.xrm-ms"
  • '<SYSTEM32>\cscript.exe' //NoLogo "<SYSTEM32>\slmgr.vbs" /ilc "%TEMP%\MPAGGK\spp\tokens\skus\csvlk-pack\csvlk-pack-Volume-CSVLK-5-pl-rtm.xrm-ms"
  • '<SYSTEM32>\cscript.exe' //NoLogo "<SYSTEM32>\slmgr.vbs" /ilc "%TEMP%\MPAGGK\spp\tokens\skus\csvlk-pack\csvlk-pack-Volume-CSVLK-4-ul-store-rtm.xrm-ms"
  • '<SYSTEM32>\cscript.exe' //NoLogo "<SYSTEM32>\slmgr.vbs" /ilc "%TEMP%\MPAGGK\spp\tokens\skus\csvlk-pack\csvlk-pack-Volume-CSVLK-4-ul-phn-rtm.xrm-ms"
  • '<SYSTEM32>\cscript.exe' //NoLogo "<SYSTEM32>\slmgr.vbs" /ilc "%TEMP%\MPAGGK\spp\tokens\skus\csvlk-pack\csvlk-pack-Volume-CSVLK-4-ul-oob-rtm.xrm-ms"
  • '<SYSTEM32>\cscript.exe' //NoLogo "<SYSTEM32>\slmgr.vbs" /ilc "%TEMP%\MPAGGK\spp\tokens\skus\csvlk-pack\csvlk-pack-Volume-CSVLK-4-pl-rtm.xrm-ms"
  • '<SYSTEM32>\cscript.exe' //NoLogo "<SYSTEM32>\slmgr.vbs" /ilc "%TEMP%\MPAGGK\spp\tokens\skus\csvlk-pack\csvlk-pack-Volume-CSVLK-3-ul-store-rtm.xrm-ms"
  • '<SYSTEM32>\cscript.exe' //NoLogo "<SYSTEM32>\slmgr.vbs" /ilc "%TEMP%\MPAGGK\spp\tokens\skus\csvlk-pack\csvlk-pack-Volume-CSVLK-3-ul-phn-rtm.xrm-ms"
  • '<SYSTEM32>\cscript.exe' //NoLogo "<SYSTEM32>\slmgr.vbs" /ilc "%TEMP%\MPAGGK\spp\tokens\skus\csvlk-pack\csvlk-pack-Volume-CSVLK-6-ul-store-rtm.xrm-ms"
  • '<SYSTEM32>\cscript.exe' //NoLogo "<SYSTEM32>\slmgr.vbs" /ilc "%TEMP%\MPAGGK\spp\tokens\skus\csvlk-pack\csvlk-pack-Volume-CSVLK-3-ul-oob-rtm.xrm-ms"
  • '<SYSTEM32>\cscript.exe' //NoLogo "<SYSTEM32>\slmgr.vbs" /ilc "%TEMP%\MPAGGK\spp\tokens\skus\csvlk-pack\csvlk-pack-Volume-CSVLK-2-ul-store-rtm.xrm-ms"
  • '<SYSTEM32>\cscript.exe' //NoLogo "<SYSTEM32>\slmgr.vbs" /ilc "%TEMP%\MPAGGK\spp\tokens\skus\csvlk-pack\csvlk-pack-Volume-CSVLK-2-ul-phn-rtm.xrm-ms"
  • '<SYSTEM32>\cscript.exe' //NoLogo "<SYSTEM32>\slmgr.vbs" /ilc "%TEMP%\MPAGGK\spp\tokens\skus\csvlk-pack\csvlk-pack-Volume-CSVLK-2-ul-oob-rtm.xrm-ms"
  • '<SYSTEM32>\cscript.exe' //NoLogo "<SYSTEM32>\slmgr.vbs" /ilc "%TEMP%\MPAGGK\spp\tokens\skus\csvlk-pack\csvlk-pack-Volume-CSVLK-2-pl-rtm.xrm-ms"
  • '<SYSTEM32>\cscript.exe' //NoLogo "<SYSTEM32>\slmgr.vbs" /ilc "%TEMP%\MPAGGK\spp\tokens\skus\csvlk-pack\csvlk-pack-Volume-CSVLK-1-ul-store-rtm.xrm-ms"
  • '<SYSTEM32>\cscript.exe' //NoLogo "<SYSTEM32>\slmgr.vbs" /ilc "%TEMP%\MPAGGK\spp\tokens\skus\csvlk-pack\csvlk-pack-Volume-CSVLK-1-ul-phn-rtm.xrm-ms"
  • '<SYSTEM32>\cscript.exe' //NoLogo "<SYSTEM32>\slmgr.vbs" /ilc "%TEMP%\MPAGGK\spp\tokens\skus\csvlk-pack\csvlk-pack-Volume-CSVLK-1-ul-oob-rtm.xrm-ms"
  • '<SYSTEM32>\cscript.exe' //NoLogo "<SYSTEM32>\slmgr.vbs" /ilc "%TEMP%\MPAGGK\spp\tokens\skus\csvlk-pack\csvlk-pack-Volume-CSVLK-1-pl-rtm.xrm-ms"
  • '<SYSTEM32>\cscript.exe' //NoLogo "<SYSTEM32>\slmgr.vbs" /ilc "%TEMP%\MPAGGK\spp\tokens\skus\csvlk-pack\csvlk-pack-ppdlic.xrm-ms"
  • '<SYSTEM32>\cscript.exe' //NoLogo "<SYSTEM32>\slmgr.vbs" /ilc "%TEMP%\MPAGGK\spp\tokens\rules\ruleset-windowsapp.xrm-ms"
  • '<SYSTEM32>\cscript.exe' //NoLogo "<SYSTEM32>\slmgr.vbs" /ilc "%TEMP%\MPAGGK\spp\tokens\rules\ruleset-platformglobal.xrm-ms"
  • '<SYSTEM32>\cscript.exe' //NoLogo "<SYSTEM32>\slmgr.vbs" /ilc "%TEMP%\MPAGGK\spp\tokens\rules\ruleset-filteractions.xrm-ms"
  • '<SYSTEM32>\cscript.exe' //NoLogo "<SYSTEM32>\slmgr.vbs" /ilc "%TEMP%\MPAGGK\spp\tokens\pkeyconfig\pkeyconfig-csvlk.xrm-ms"
  • '<SYSTEM32>\cmd.exe' /c ""%TEMP%\MPAGGK\MPAGGK.cmd" win 43TBQ-NH92J-XKTM7-KT3KK-P39PB"

Curing recommendations

  1. If the operating system (OS) can be loaded (either normally or in safe mode), download Dr.Web Security Space and run a full scan of your computer and any removable media you use.
  2. If you cannot boot the OS, change the BIOS settings to boot your system from a CD or USB drive. Download the image of the emergency system repair disk Dr.Web® LiveDisk, mount it on a USB drive or burn it to a CD/DVD. After booting up with this media, run a full scan and cure all the detected threats.
Use Dr.Web Anti-virus for macOS to run a full scan of your Mac.

After booting up, run a full scan of all disk partitions with Dr.Web Anti-virus for Linux.

  1. If the mobile device is operating normally, download and install Dr.Web for Android. Run a full system scan and follow recommendations to neutralize the detected threats.
  2. If the mobile device has been locked by Android.Locker ransomware (the message on the screen tells you that you have broken some law or demands a set ransom amount; or you will see some other announcement that prevents you from using the handheld normally), do the following:
    • Boot your smartphone or tablet in safe mode (depending on the operating system version and specifications of the particular mobile device involved, this procedure can be performed in various ways; seek clarification from the user guide that was shipped with the device, or contact its manufacturer);
    • Once you have activated safe mode, install Dr.Web for Android onto the infected handheld and run a full scan of the system; follow the steps recommended for neutralizing the threats that have been detected;
    • Switch off your device and turn it on as normal.
