
Trojan.Siggen31.57473

Added to the Dr.Web virus database: 2025-09-20

Virus description added:

Technical Information

To ensure autorun and distribution
Sets the following service settings
  • [HKLM\SYSTEM\CurrentControlSet\Services\winlogbeat] 'Start' = '00000002'
  • [HKLM\SYSTEM\CurrentControlSet\Services\winlogbeat] 'ImagePath' = '"%ProgramFiles(x86)%\winlogbeat-8.13.4\winlogbeat.exe" --environment=windows_service -c "%ProgramFiles(x86)%\winlogbeat-8.13.4...
  • [HKLM\SYSTEM\CurrentControlSet\Services\Sysmon64] 'Start' = '00000002'
  • [HKLM\SYSTEM\CurrentControlSet\Services\Sysmon64] 'ImagePath' = '%WINDIR%\Sysmon64.exe'
  • [HKLM\SYSTEM\CurrentControlSet\Services\WbWinMon] 'Start' = '00000000'
  • [HKLM\SYSTEM\CurrentControlSet\Services\WbWinMon] 'ImagePath' = 'WbWinMon.sys'
Creates the following services
  • 'winlogbeat' "%ProgramFiles(x86)%\winlogbeat-8.13.4\winlogbeat.exe" --environment=windows_service -c "%ProgramFiles(x86)%\winlogbeat-8.13.4\winlogbeat.yml" --path.home "%ProgramFiles(x86)%\winlogbeat-8.13.4"...
  • 'Sysmon64' %WINDIR%\Sysmon64.exe
  • 'WbWinMon' %WINDIR%\WbWinMon.sys
Modifies file system
Creates the following files
Moves the following files
  • from %ALLUSERSPROFILE%\winlogbeat\meta.json.new to %ALLUSERSPROFILE%\winlogbeat\meta.json
  • from %ALLUSERSPROFILE%\winlogbeat\.winlogbeat.yml.new to %ALLUSERSPROFILE%\winlogbeat\.winlogbeat.yml
Modifies the HOSTS file.
Network activity
Connects to
  • 'localhost':8200
  • '18#.#2.200.156':5103
TCP
HTTP GET requests
UDP
  • DNS ASK 17#.###.#32.199.in-addr.arpa
  • DNS ASK 23#.###.210.23.in-addr.arpa
Miscellaneous
Searches for the following windows
  • ClassName: 'EDIT' WindowName: ''
Creates and executes the following
  • '%TEMP%\rarsfx0\re_install_winlogbeat_sysmon.exe'
  • '%ProgramFiles(x86)%\winlogbeat-8.13.4\sysmon64.exe' -accepteula -i config_latest.xml
  • '%WINDIR%\sysmon64.exe' -nologo -accepteula -m
  • '%WINDIR%\sysmon64.exe'
  • '%ProgramFiles(x86)%\winlogbeat-8.13.4\winlogbeat.exe' --environment=windows_service -c "%ProgramFiles(x86)%\winlogbeat-8.13.4\winlogbeat.yml" --path.home "%ProgramFiles(x86)%\winlogbeat-8.13.4" --path.data "%ALLUSERSPROFILE%\winlogbeat" --path.log...
Executes the following
  • '<SYSTEM32>\wevtutil.exe' um "%TEMP%\MANCD24.tmp"
  • '<SYSTEM32>\wevtutil.exe' im "%TEMP%\MANCEFA.tmp"
  • '<SYSTEM32>\sc.exe' config winlogbeat start= delayed-auto
  • '<SYSTEM32>\sc.exe' start Winlogbeat

Curing recommendations

  1. If the operating system (OS) can be loaded (either normally or in safe mode), download Dr.Web Security Space and run a full scan of your computer and any removable media you use.
  2. If you cannot boot the OS, change the BIOS settings to boot your system from a CD or USB drive. Download the image of the Dr.Web® LiveDisk emergency system repair disk, mount it on a USB drive or burn it to a CD/DVD. After booting from this media, run a full scan and cure all the detected threats.

Use Dr.Web Anti-virus for macOS to run a full scan of your Mac.

After booting up, run a full scan of all disk partitions with Dr.Web Anti-virus for Linux.


  1. If the mobile device is operating normally, download and install Dr.Web for Android. Run a full system scan and follow recommendations to neutralize the detected threats.
  2. If the mobile device has been locked by Android.Locker ransomware (the message on the screen tells you that you have broken some law or demands a set ransom amount; or you will see some other announcement that prevents you from using the handheld normally), do the following:
    • Load your smartphone or tablet in the safe mode (depending on the operating system version and specifications of the particular mobile device involved, this procedure can be performed in various ways; seek clarification from the user guide that was shipped with the device, or contact its manufacturer);
    • Once you have activated safe mode, install Dr.Web for Android on the infected handheld and run a full scan of the system; follow the steps recommended for neutralizing the threats that have been detected;
    • Switch off your device and turn it on as normal.