ee8506da91dacbe0410e3da743fa6c8ae98f4b571eecd87fe82687e66cbc7f3b

Analysis

max time kernel
111s
max time network
208s
platform
windows10-2004_x64
resource
win10v2004-20221111-en
resource tags

arch:x64arch:x86image:win10v2004-20221111-enlocale:en-usos:windows10-2004-x64system
submitted
05/12/2022, 16:44

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ee8506da91dacbe0410e3da743fa6c8ae98f4b571eecd87fe82687e66cbc7f3b.exe
Size

197KB
MD5

b65e17a82359a42bf03921ced0fff478
SHA1

62f05f4f1f50e48e2754f54d363ea3cb4156e898
SHA256

ee8506da91dacbe0410e3da743fa6c8ae98f4b571eecd87fe82687e66cbc7f3b
SHA512

a0828d4d975bed42770d69f3091b140905d050df9ab667eaa921290c4ed073462efc256c070a864610b871db1e8c4966ccced562818801416bf21ab17f337c0a
SSDEEP

3072:Hg8BVsYVr1MQNqAhXMFBXaeJl3OMhCLnU7314Hn7ei2oYVIUu+s4YErKqe:LPJPMENa1JlpanU7KH7jYV/FrKq

Score

8^/10

Malware Config

Signatures

Executes dropped EXE 64 IoCs

pid	Process
4232	winlogo.exe
4684	winlogo.exe
3796	winlogo.exe
176	winlogo.exe
1892	winlogo.exe
3636	winlogo.exe
3368	winlogo.exe
1216	winlogo.exe
5064	winlogo.exe
2472	winlogo.exe
1872	winlogo.exe
4336	winlogo.exe
508	winlogo.exe
1184	winlogo.exe
4224	winlogo.exe
3772	winlogo.exe
3496	winlogo.exe
1812	winlogo.exe
2208	winlogo.exe
4400	winlogo.exe
2236	winlogo.exe
792	winlogo.exe
1576	winlogo.exe
2420	winlogo.exe
2124	winlogo.exe
1088	winlogo.exe
4056	winlogo.exe
3792	winlogo.exe
1976	winlogo.exe
1724	winlogo.exe
4200	winlogo.exe
3176	winlogo.exe
4748	winlogo.exe
1712	winlogo.exe
4124	winlogo.exe
1684	winlogo.exe
1560	winlogo.exe
2216	winlogo.exe
3696	winlogo.exe
3480	winlogo.exe
1520	winlogo.exe
2296	winlogo.exe
2868	winlogo.exe
4524	winlogo.exe
4284	winlogo.exe
2732	winlogo.exe
868	winlogo.exe
4584	winlogo.exe
4692	winlogo.exe
4860	winlogo.exe
2152	winlogo.exe
2508	winlogo.exe
2228	winlogo.exe
4720	winlogo.exe
4240	winlogo.exe
3916	winlogo.exe
344	winlogo.exe
992	winlogo.exe
4588	winlogo.exe
4568	winlogo.exe
4044	winlogo.exe
4456	winlogo.exe
3064	winlogo.exe
2460	winlogo.exe

Checks computer location settings 2 TTPs 62 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\Control Panel\International\Geo\Nation	winlogo.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\Control Panel\International\Geo\Nation	winlogo.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\Control Panel\International\Geo\Nation	winlogo.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\Control Panel\International\Geo\Nation	winlogo.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\Control Panel\International\Geo\Nation	winlogo.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\Control Panel\International\Geo\Nation	winlogo.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\Control Panel\International\Geo\Nation	winlogo.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\Control Panel\International\Geo\Nation	winlogo.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\Control Panel\International\Geo\Nation	winlogo.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\Control Panel\International\Geo\Nation	winlogo.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\Control Panel\International\Geo\Nation	winlogo.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\Control Panel\International\Geo\Nation	winlogo.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\Control Panel\International\Geo\Nation	winlogo.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\Control Panel\International\Geo\Nation	winlogo.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\Control Panel\International\Geo\Nation	winlogo.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\Control Panel\International\Geo\Nation	winlogo.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\Control Panel\International\Geo\Nation	winlogo.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\Control Panel\International\Geo\Nation	winlogo.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\Control Panel\International\Geo\Nation	winlogo.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\Control Panel\International\Geo\Nation	winlogo.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\Control Panel\International\Geo\Nation	winlogo.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\Control Panel\International\Geo\Nation	winlogo.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\Control Panel\International\Geo\Nation	winlogo.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\Control Panel\International\Geo\Nation	winlogo.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\Control Panel\International\Geo\Nation	winlogo.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\Control Panel\International\Geo\Nation	winlogo.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\Control Panel\International\Geo\Nation	winlogo.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\Control Panel\International\Geo\Nation	winlogo.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\Control Panel\International\Geo\Nation	winlogo.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\Control Panel\International\Geo\Nation	winlogo.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\Control Panel\International\Geo\Nation	winlogo.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\Control Panel\International\Geo\Nation	winlogo.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\Control Panel\International\Geo\Nation	winlogo.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\Control Panel\International\Geo\Nation	winlogo.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\Control Panel\International\Geo\Nation	winlogo.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\Control Panel\International\Geo\Nation	winlogo.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\Control Panel\International\Geo\Nation	winlogo.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\Control Panel\International\Geo\Nation	winlogo.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\Control Panel\International\Geo\Nation	winlogo.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\Control Panel\International\Geo\Nation	winlogo.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\Control Panel\International\Geo\Nation	winlogo.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\Control Panel\International\Geo\Nation	winlogo.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\Control Panel\International\Geo\Nation	winlogo.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\Control Panel\International\Geo\Nation	winlogo.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\Control Panel\International\Geo\Nation	winlogo.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\Control Panel\International\Geo\Nation	winlogo.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\Control Panel\International\Geo\Nation	winlogo.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\Control Panel\International\Geo\Nation	winlogo.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\Control Panel\International\Geo\Nation	winlogo.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\Control Panel\International\Geo\Nation	winlogo.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\Control Panel\International\Geo\Nation	winlogo.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\Control Panel\International\Geo\Nation	winlogo.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\Control Panel\International\Geo\Nation	winlogo.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\Control Panel\International\Geo\Nation	winlogo.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\Control Panel\International\Geo\Nation	winlogo.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\Control Panel\International\Geo\Nation	winlogo.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\Control Panel\International\Geo\Nation	winlogo.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\Control Panel\International\Geo\Nation	ee8506da91dacbe0410e3da743fa6c8ae98f4b571eecd87fe82687e66cbc7f3b.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\Control Panel\International\Geo\Nation	winlogo.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\Control Panel\International\Geo\Nation	winlogo.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\Control Panel\International\Geo\Nation	winlogo.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\Control Panel\International\Geo\Nation	winlogo.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\GroupPolicy\User\Scripts\Logon\winlogo.exe	winlogo.exe
File opened for modification	C:\Windows\SysWOW64\GroupPolicy\gpt.ini	winlogo.exe
File opened for modification	C:\Windows\SysWOW64\GroupPolicy\User\Scripts\scripts.ini	winlogo.exe
File opened for modification	C:\Windows\SysWOW64\GroupPolicy\User\Scripts\scripts.ini	winlogo.exe
File opened for modification	C:\Windows\SysWOW64\GroupPolicy\User\Scripts\scripts.ini	winlogo.exe
File opened for modification	C:\Windows\SysWOW64\GroupPolicy\User\Scripts\Logon\autorun.bat	winlogo.exe
File opened for modification	C:\Windows\SysWOW64\GroupPolicy\gpt.ini	winlogo.exe
File created	C:\Windows\SysWOW64\GroupPolicy\User\Scripts\Logon\winlogo.exe	winlogo.exe
File created	C:\Windows\SysWOW64\GroupPolicy\User\Scripts\Logon\winlogo.exe	winlogo.exe
File opened for modification	C:\Windows\SysWOW64\GroupPolicy\User\Scripts\scripts.ini	winlogo.exe
File opened for modification	C:\Windows\SysWOW64\GroupPolicy\gpt.ini	winlogo.exe
File opened for modification	C:\Windows\SysWOW64\GroupPolicy\User\Scripts\scripts.ini	winlogo.exe
File opened for modification	C:\Windows\SysWOW64\GroupPolicy\gpt.ini	winlogo.exe
File opened for modification	C:\Windows\SysWOW64\GroupPolicy\gpt.ini	winlogo.exe
File opened for modification	C:\Windows\SysWOW64\GroupPolicy\User\Scripts\Logon\autorun.bat	winlogo.exe
File opened for modification	C:\Windows\SysWOW64\GroupPolicy\User\Scripts\scripts.ini	winlogo.exe
File opened for modification	C:\Windows\SysWOW64\GroupPolicy\gpt.ini	winlogo.exe
File opened for modification	C:\Windows\SysWOW64\GroupPolicy\gpt.ini	winlogo.exe
File opened for modification	C:\Windows\SysWOW64\GroupPolicy\gpt.ini	winlogo.exe
File opened for modification	C:\Windows\SysWOW64\GroupPolicy\User\Scripts\Logon\autorun.bat	winlogo.exe
File opened for modification	C:\Windows\SysWOW64\GroupPolicy\User\Scripts\scripts.ini	winlogo.exe
File created	C:\Windows\SysWOW64\GroupPolicy\User\Scripts\Logon\winlogo.exe	winlogo.exe
File opened for modification	C:\Windows\SysWOW64\GroupPolicy\User\Scripts\scripts.ini	winlogo.exe
File created	C:\Windows\SysWOW64\GroupPolicy\User\Scripts\Logon\winlogo.exe	winlogo.exe
File created	C:\Windows\SysWOW64\GroupPolicy\User\Scripts\Logon\winlogo.exe	winlogo.exe
File created	C:\Windows\SysWOW64\GroupPolicy\User\Scripts\Logon\winlogo.exe	winlogo.exe
File opened for modification	C:\Windows\SysWOW64\GroupPolicy\User\Scripts\scripts.ini	winlogo.exe
File opened for modification	C:\Windows\SysWOW64\GroupPolicy\User\Scripts\scripts.ini	winlogo.exe
File opened for modification	C:\Windows\SysWOW64\GroupPolicy\gpt.ini	winlogo.exe
File opened for modification	C:\Windows\SysWOW64\GroupPolicy\User\Scripts\scripts.ini	winlogo.exe
File opened for modification	C:\Windows\SysWOW64\GroupPolicy\User\Scripts\scripts.ini	winlogo.exe
File opened for modification	C:\Windows\SysWOW64\GroupPolicy\User\Scripts\Logon\autorun.bat	winlogo.exe
File opened for modification	C:\Windows\SysWOW64\GroupPolicy\User\Scripts\Logon\autorun.bat	winlogo.exe
File opened for modification	C:\Windows\SysWOW64\GroupPolicy\User\Scripts\scripts.ini	winlogo.exe
File opened for modification	C:\Windows\SysWOW64\GroupPolicy\User\Scripts\scripts.ini	winlogo.exe
File opened for modification	C:\Windows\SysWOW64\GroupPolicy\gpt.ini	winlogo.exe
File opened for modification	C:\Windows\SysWOW64\GroupPolicy\User\Scripts\Logon\autorun.bat	winlogo.exe
File opened for modification	C:\Windows\SysWOW64\GroupPolicy\User\Scripts\Logon\autorun.bat	winlogo.exe
File created	C:\Windows\SysWOW64\GroupPolicy\User\Scripts\Logon\winlogo.exe	winlogo.exe
File opened for modification	C:\Windows\SysWOW64\GroupPolicy\User\Scripts\scripts.ini	winlogo.exe
File created	C:\Windows\SysWOW64\GroupPolicy\User\Scripts\Logon\winlogo.exe	winlogo.exe
File opened for modification	C:\Windows\SysWOW64\GroupPolicy\User\Scripts\scripts.ini	winlogo.exe
File opened for modification	C:\Windows\SysWOW64\GroupPolicy\gpt.ini	winlogo.exe
File created	C:\Windows\SysWOW64\GroupPolicy\User\Scripts\Logon\winlogo.exe	winlogo.exe
File opened for modification	C:\Windows\SysWOW64\GroupPolicy\gpt.ini	winlogo.exe
File opened for modification	C:\Windows\SysWOW64\GroupPolicy\gpt.ini	winlogo.exe
File opened for modification	C:\Windows\SysWOW64\GroupPolicy\User\Scripts\Logon\autorun.bat	winlogo.exe
File opened for modification	C:\Windows\SysWOW64\GroupPolicy\gpt.ini	winlogo.exe
File created	C:\Windows\SysWOW64\GroupPolicy\User\Scripts\Logon\winlogo.exe	winlogo.exe
File opened for modification	C:\Windows\SysWOW64\GroupPolicy\gpt.ini	winlogo.exe
File opened for modification	C:\Windows\SysWOW64\GroupPolicy\User\Scripts\scripts.ini	winlogo.exe
File opened for modification	C:\Windows\SysWOW64\GroupPolicy\User\Scripts\scripts.ini	winlogo.exe
File opened for modification	C:\Windows\SysWOW64\GroupPolicy\gpt.ini	winlogo.exe
File opened for modification	C:\Windows\SysWOW64\GroupPolicy\User\Scripts\scripts.ini	winlogo.exe
File opened for modification	C:\Windows\SysWOW64\GroupPolicy\User\Scripts\scripts.ini	winlogo.exe
File opened for modification	C:\Windows\SysWOW64\GroupPolicy\User\Scripts\Logon\autorun.bat	winlogo.exe
File opened for modification	C:\Windows\SysWOW64\GroupPolicy\User\Scripts\scripts.ini	winlogo.exe
File opened for modification	C:\Windows\SysWOW64\GroupPolicy\User\Scripts\scripts.ini	winlogo.exe
File opened for modification	C:\Windows\SysWOW64\GroupPolicy\User\Scripts\Logon\autorun.bat	winlogo.exe
File opened for modification	C:\Windows\SysWOW64\GroupPolicy\gpt.ini	winlogo.exe
File opened for modification	C:\Windows\SysWOW64\GroupPolicy\User\Scripts\Logon\autorun.bat	winlogo.exe
File opened for modification	C:\Windows\SysWOW64\GroupPolicy\gpt.ini	winlogo.exe
File opened for modification	C:\Windows\SysWOW64\GroupPolicy\User\Scripts\Logon\autorun.bat	winlogo.exe
File opened for modification	C:\Windows\SysWOW64\GroupPolicy\User\Scripts\Logon\autorun.bat	winlogo.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	4748	winlogo.exe
Token: SeIncBasePriorityPrivilege	3176	winlogo.exe
Token: SeIncBasePriorityPrivilege	4200	winlogo.exe
Token: SeIncBasePriorityPrivilege	1724	winlogo.exe
Token: SeIncBasePriorityPrivilege	1976	winlogo.exe
Token: SeIncBasePriorityPrivilege	3792	winlogo.exe
Token: SeIncBasePriorityPrivilege	4056	winlogo.exe
Token: SeIncBasePriorityPrivilege	1088	winlogo.exe
Token: SeIncBasePriorityPrivilege	2124	winlogo.exe
Token: SeIncBasePriorityPrivilege	2420	winlogo.exe
Token: SeIncBasePriorityPrivilege	1576	winlogo.exe
Token: SeIncBasePriorityPrivilege	792	winlogo.exe
Token: SeIncBasePriorityPrivilege	2236	winlogo.exe
Token: SeIncBasePriorityPrivilege	4400	winlogo.exe
Token: SeIncBasePriorityPrivilege	2208	winlogo.exe
Token: SeIncBasePriorityPrivilege	1812	winlogo.exe
Token: SeIncBasePriorityPrivilege	3496	winlogo.exe
Token: SeIncBasePriorityPrivilege	3772	winlogo.exe
Token: SeIncBasePriorityPrivilege	4224	winlogo.exe
Token: SeIncBasePriorityPrivilege	1184	winlogo.exe
Token: SeIncBasePriorityPrivilege	508	winlogo.exe
Token: SeIncBasePriorityPrivilege	4336	winlogo.exe
Token: SeIncBasePriorityPrivilege	1872	winlogo.exe
Token: SeIncBasePriorityPrivilege	2472	winlogo.exe
Token: SeIncBasePriorityPrivilege	5064	winlogo.exe
Token: SeIncBasePriorityPrivilege	1216	winlogo.exe
Token: SeIncBasePriorityPrivilege	3368	winlogo.exe
Token: SeIncBasePriorityPrivilege	3636	winlogo.exe
Token: SeIncBasePriorityPrivilege	1892	winlogo.exe
Token: SeIncBasePriorityPrivilege	176	winlogo.exe
Token: SeIncBasePriorityPrivilege	3796	winlogo.exe
Token: SeIncBasePriorityPrivilege	4684	winlogo.exe
Token: SeIncBasePriorityPrivilege	4232	winlogo.exe
Token: SeIncBasePriorityPrivilege	3404	ee8506da91dacbe0410e3da743fa6c8ae98f4b571eecd87fe82687e66cbc7f3b.exe
Token: SeIncBasePriorityPrivilege	1712	winlogo.exe
Token: SeIncBasePriorityPrivilege	4124	winlogo.exe
Token: SeIncBasePriorityPrivilege	1684	winlogo.exe
Token: SeIncBasePriorityPrivilege	1560	winlogo.exe
Token: SeIncBasePriorityPrivilege	2216	winlogo.exe
Token: SeIncBasePriorityPrivilege	3696	winlogo.exe
Token: SeIncBasePriorityPrivilege	3480	winlogo.exe
Token: SeIncBasePriorityPrivilege	1520	winlogo.exe
Token: SeIncBasePriorityPrivilege	2296	winlogo.exe
Token: SeIncBasePriorityPrivilege	2868	winlogo.exe
Token: SeIncBasePriorityPrivilege	4524	winlogo.exe
Token: SeIncBasePriorityPrivilege	4284	winlogo.exe
Token: SeIncBasePriorityPrivilege	2732	winlogo.exe
Token: SeIncBasePriorityPrivilege	868	winlogo.exe
Token: SeIncBasePriorityPrivilege	4584	winlogo.exe
Token: SeIncBasePriorityPrivilege	4692	winlogo.exe
Token: SeIncBasePriorityPrivilege	4860	winlogo.exe
Token: SeIncBasePriorityPrivilege	2152	winlogo.exe
Token: SeIncBasePriorityPrivilege	2508	winlogo.exe
Token: SeIncBasePriorityPrivilege	2228	winlogo.exe
Token: SeIncBasePriorityPrivilege	4720	winlogo.exe
Token: SeIncBasePriorityPrivilege	4240	winlogo.exe
Token: SeIncBasePriorityPrivilege	3916	winlogo.exe
Token: SeIncBasePriorityPrivilege	344	winlogo.exe
Token: SeIncBasePriorityPrivilege	992	winlogo.exe
Token: SeIncBasePriorityPrivilege	4588	winlogo.exe
Token: SeIncBasePriorityPrivilege	4568	winlogo.exe
Token: SeIncBasePriorityPrivilege	4044	winlogo.exe
Token: SeIncBasePriorityPrivilege	4456	winlogo.exe
Token: SeIncBasePriorityPrivilege	3064	winlogo.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3404 wrote to memory of 4232	3404	ee8506da91dacbe0410e3da743fa6c8ae98f4b571eecd87fe82687e66cbc7f3b.exe	85
PID 3404 wrote to memory of 4232	3404	ee8506da91dacbe0410e3da743fa6c8ae98f4b571eecd87fe82687e66cbc7f3b.exe	85
PID 3404 wrote to memory of 4232	3404	ee8506da91dacbe0410e3da743fa6c8ae98f4b571eecd87fe82687e66cbc7f3b.exe	85
PID 4232 wrote to memory of 4684	4232	winlogo.exe	86
PID 4232 wrote to memory of 4684	4232	winlogo.exe	86
PID 4232 wrote to memory of 4684	4232	winlogo.exe	86
PID 4684 wrote to memory of 3796	4684	winlogo.exe	87
PID 4684 wrote to memory of 3796	4684	winlogo.exe	87
PID 4684 wrote to memory of 3796	4684	winlogo.exe	87
PID 3796 wrote to memory of 176	3796	winlogo.exe	88
PID 3796 wrote to memory of 176	3796	winlogo.exe	88
PID 3796 wrote to memory of 176	3796	winlogo.exe	88
PID 176 wrote to memory of 1892	176	winlogo.exe	89
PID 176 wrote to memory of 1892	176	winlogo.exe	89
PID 176 wrote to memory of 1892	176	winlogo.exe	89
PID 1892 wrote to memory of 3636	1892	winlogo.exe	90
PID 1892 wrote to memory of 3636	1892	winlogo.exe	90
PID 1892 wrote to memory of 3636	1892	winlogo.exe	90
PID 3636 wrote to memory of 3368	3636	winlogo.exe	91
PID 3636 wrote to memory of 3368	3636	winlogo.exe	91
PID 3636 wrote to memory of 3368	3636	winlogo.exe	91
PID 3368 wrote to memory of 1216	3368	winlogo.exe	92
PID 3368 wrote to memory of 1216	3368	winlogo.exe	92
PID 3368 wrote to memory of 1216	3368	winlogo.exe	92
PID 1216 wrote to memory of 5064	1216	winlogo.exe	93
PID 1216 wrote to memory of 5064	1216	winlogo.exe	93
PID 1216 wrote to memory of 5064	1216	winlogo.exe	93
PID 5064 wrote to memory of 2472	5064	winlogo.exe	94
PID 5064 wrote to memory of 2472	5064	winlogo.exe	94
PID 5064 wrote to memory of 2472	5064	winlogo.exe	94
PID 2472 wrote to memory of 1872	2472	winlogo.exe	95
PID 2472 wrote to memory of 1872	2472	winlogo.exe	95
PID 2472 wrote to memory of 1872	2472	winlogo.exe	95
PID 1872 wrote to memory of 4336	1872	winlogo.exe	96
PID 1872 wrote to memory of 4336	1872	winlogo.exe	96
PID 1872 wrote to memory of 4336	1872	winlogo.exe	96
PID 4336 wrote to memory of 508	4336	winlogo.exe	97
PID 4336 wrote to memory of 508	4336	winlogo.exe	97
PID 4336 wrote to memory of 508	4336	winlogo.exe	97
PID 508 wrote to memory of 1184	508	winlogo.exe	98
PID 508 wrote to memory of 1184	508	winlogo.exe	98
PID 508 wrote to memory of 1184	508	winlogo.exe	98
PID 1184 wrote to memory of 4224	1184	winlogo.exe	99
PID 1184 wrote to memory of 4224	1184	winlogo.exe	99
PID 1184 wrote to memory of 4224	1184	winlogo.exe	99
PID 4224 wrote to memory of 3772	4224	winlogo.exe	100
PID 4224 wrote to memory of 3772	4224	winlogo.exe	100
PID 4224 wrote to memory of 3772	4224	winlogo.exe	100
PID 3772 wrote to memory of 3496	3772	winlogo.exe	101
PID 3772 wrote to memory of 3496	3772	winlogo.exe	101
PID 3772 wrote to memory of 3496	3772	winlogo.exe	101
PID 3496 wrote to memory of 1812	3496	winlogo.exe	102
PID 3496 wrote to memory of 1812	3496	winlogo.exe	102
PID 3496 wrote to memory of 1812	3496	winlogo.exe	102
PID 1812 wrote to memory of 2208	1812	winlogo.exe	103
PID 1812 wrote to memory of 2208	1812	winlogo.exe	103
PID 1812 wrote to memory of 2208	1812	winlogo.exe	103
PID 2208 wrote to memory of 4400	2208	winlogo.exe	104
PID 2208 wrote to memory of 4400	2208	winlogo.exe	104
PID 2208 wrote to memory of 4400	2208	winlogo.exe	104
PID 4400 wrote to memory of 2236	4400	winlogo.exe	105
PID 4400 wrote to memory of 2236	4400	winlogo.exe	105
PID 4400 wrote to memory of 2236	4400	winlogo.exe	105
PID 2236 wrote to memory of 792	2236	winlogo.exe	106

C:\Users\Admin\AppData\Local\Temp\ee8506da91dacbe0410e3da743fa6c8ae98f4b571eecd87fe82687e66cbc7f3b.exe
"C:\Users\Admin\AppData\Local\Temp\ee8506da91dacbe0410e3da743fa6c8ae98f4b571eecd87fe82687e66cbc7f3b.exe"
1⤵
- Checks computer location settings
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3404
- C:\Windows\SysWOW64\GroupPolicy\User\Scripts\Logon\winlogo.exe
  C:\Windows\system32\GroupPolicy\User\Scripts\Logon\winlogo.exe
  2⤵
  - Executes dropped EXE
  - Checks computer location settings
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:4232
- - C:\Windows\SysWOW64\GroupPolicy\User\Scripts\Logon\winlogo.exe
    C:\Windows\system32\GroupPolicy\User\Scripts\Logon\winlogo.exe
    3⤵
    - Executes dropped EXE
    - Checks computer location settings
    - Drops file in System32 directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:4684
  - - C:\Windows\SysWOW64\GroupPolicy\User\Scripts\Logon\winlogo.exe
      C:\Windows\system32\GroupPolicy\User\Scripts\Logon\winlogo.exe
      4⤵
      Executes dropped EXE
      Checks computer location settings
      Drops file in System32 directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:3796
    - - C:\Windows\SysWOW64\GroupPolicy\User\Scripts\Logon\winlogo.exe
        
        C:\Windows\system32\GroupPolicy\User\Scripts\Logon\winlogo.exe
        5⤵
        Executes dropped EXE
        Checks computer location settings
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:176
      - C:\Windows\SysWOW64\GroupPolicy\User\Scripts\Logon\winlogo.exe
        
        C:\Windows\system32\GroupPolicy\User\Scripts\Logon\winlogo.exe
        6⤵
        Executes dropped EXE
        Checks computer location settings
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1892
        
        C:\Windows\SysWOW64\GroupPolicy\User\Scripts\Logon\winlogo.exe
        
        C:\Windows\system32\GroupPolicy\User\Scripts\Logon\winlogo.exe
        7⤵
        Executes dropped EXE
        Checks computer location settings
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3636
        
        C:\Windows\SysWOW64\GroupPolicy\User\Scripts\Logon\winlogo.exe
        
        C:\Windows\system32\GroupPolicy\User\Scripts\Logon\winlogo.exe
        8⤵
        Executes dropped EXE
        Checks computer location settings
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3368
        
        C:\Windows\SysWOW64\GroupPolicy\User\Scripts\Logon\winlogo.exe
        
        C:\Windows\system32\GroupPolicy\User\Scripts\Logon\winlogo.exe
        9⤵
        Executes dropped EXE
        Checks computer location settings
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1216
        
        C:\Windows\SysWOW64\GroupPolicy\User\Scripts\Logon\winlogo.exe
        
        C:\Windows\system32\GroupPolicy\User\Scripts\Logon\winlogo.exe
        10⤵
        Executes dropped EXE
        Checks computer location settings
        Drops file in System32 directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:5064
        
        C:\Windows\SysWOW64\GroupPolicy\User\Scripts\Logon\winlogo.exe
        
        C:\Windows\system32\GroupPolicy\User\Scripts\Logon\winlogo.exe
        11⤵
        Executes dropped EXE
        Checks computer location settings
        Drops file in System32 directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2472
        
        C:\Windows\SysWOW64\GroupPolicy\User\Scripts\Logon\winlogo.exe
        
        C:\Windows\system32\GroupPolicy\User\Scripts\Logon\winlogo.exe
        12⤵
        Executes dropped EXE
        Checks computer location settings
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1872
        
        C:\Windows\SysWOW64\GroupPolicy\User\Scripts\Logon\winlogo.exe
        
        C:\Windows\system32\GroupPolicy\User\Scripts\Logon\winlogo.exe
        13⤵
        Executes dropped EXE
        Checks computer location settings
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4336
        
        C:\Windows\SysWOW64\GroupPolicy\User\Scripts\Logon\winlogo.exe
        
        C:\Windows\system32\GroupPolicy\User\Scripts\Logon\winlogo.exe
        14⤵
        Executes dropped EXE
        Checks computer location settings
        Drops file in System32 directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:508
        
        C:\Windows\SysWOW64\GroupPolicy\User\Scripts\Logon\winlogo.exe
        
        C:\Windows\system32\GroupPolicy\User\Scripts\Logon\winlogo.exe
        15⤵
        Executes dropped EXE
        Checks computer location settings
        Drops file in System32 directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1184
        
        C:\Windows\SysWOW64\GroupPolicy\User\Scripts\Logon\winlogo.exe
        
        C:\Windows\system32\GroupPolicy\User\Scripts\Logon\winlogo.exe
        16⤵
        Executes dropped EXE
        Checks computer location settings
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4224
        
        C:\Windows\SysWOW64\GroupPolicy\User\Scripts\Logon\winlogo.exe
        
        C:\Windows\system32\GroupPolicy\User\Scripts\Logon\winlogo.exe
        17⤵
        Executes dropped EXE
        Checks computer location settings
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3772
        
        C:\Windows\SysWOW64\GroupPolicy\User\Scripts\Logon\winlogo.exe
        
        C:\Windows\system32\GroupPolicy\User\Scripts\Logon\winlogo.exe
        18⤵
        Executes dropped EXE
        Checks computer location settings
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3496
        
        C:\Windows\SysWOW64\GroupPolicy\User\Scripts\Logon\winlogo.exe
        
        C:\Windows\system32\GroupPolicy\User\Scripts\Logon\winlogo.exe
        19⤵
        Executes dropped EXE
        Checks computer location settings
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1812
        
        C:\Windows\SysWOW64\GroupPolicy\User\Scripts\Logon\winlogo.exe
        
        C:\Windows\system32\GroupPolicy\User\Scripts\Logon\winlogo.exe
        20⤵
        Executes dropped EXE
        Checks computer location settings
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2208
        
        C:\Windows\SysWOW64\GroupPolicy\User\Scripts\Logon\winlogo.exe
        
        C:\Windows\system32\GroupPolicy\User\Scripts\Logon\winlogo.exe
        21⤵
        Executes dropped EXE
        Checks computer location settings
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4400
        
        C:\Windows\SysWOW64\GroupPolicy\User\Scripts\Logon\winlogo.exe
        
        C:\Windows\system32\GroupPolicy\User\Scripts\Logon\winlogo.exe
        22⤵
        Executes dropped EXE
        Checks computer location settings
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2236
        
        C:\Windows\SysWOW64\GroupPolicy\User\Scripts\Logon\winlogo.exe
        
        C:\Windows\system32\GroupPolicy\User\Scripts\Logon\winlogo.exe
        23⤵
        Executes dropped EXE
        Checks computer location settings
        Suspicious use of AdjustPrivilegeToken
        
        PID:792
        
        C:\Windows\SysWOW64\GroupPolicy\User\Scripts\Logon\winlogo.exe
        
        C:\Windows\system32\GroupPolicy\User\Scripts\Logon\winlogo.exe
        24⤵
        Executes dropped EXE
        Checks computer location settings
        Suspicious use of AdjustPrivilegeToken
        
        PID:1576
        
        C:\Windows\SysWOW64\GroupPolicy\User\Scripts\Logon\winlogo.exe
        
        C:\Windows\system32\GroupPolicy\User\Scripts\Logon\winlogo.exe
        25⤵
        Executes dropped EXE
        Checks computer location settings
        Drops file in System32 directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2420
        
        C:\Windows\SysWOW64\GroupPolicy\User\Scripts\Logon\winlogo.exe
        
        C:\Windows\system32\GroupPolicy\User\Scripts\Logon\winlogo.exe
        26⤵
        Executes dropped EXE
        Checks computer location settings
        Suspicious use of AdjustPrivilegeToken
        
        PID:2124
        
        C:\Windows\SysWOW64\GroupPolicy\User\Scripts\Logon\winlogo.exe
        
        C:\Windows\system32\GroupPolicy\User\Scripts\Logon\winlogo.exe
        27⤵
        Executes dropped EXE
        Checks computer location settings
        Drops file in System32 directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:1088
        
        C:\Windows\SysWOW64\GroupPolicy\User\Scripts\Logon\winlogo.exe
        
        C:\Windows\system32\GroupPolicy\User\Scripts\Logon\winlogo.exe
        28⤵
        Executes dropped EXE
        Checks computer location settings
        Drops file in System32 directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:4056
        
        C:\Windows\SysWOW64\GroupPolicy\User\Scripts\Logon\winlogo.exe
        
        C:\Windows\system32\GroupPolicy\User\Scripts\Logon\winlogo.exe
        29⤵
        Executes dropped EXE
        Checks computer location settings
        Suspicious use of AdjustPrivilegeToken
        
        PID:3792
        
        C:\Windows\SysWOW64\GroupPolicy\User\Scripts\Logon\winlogo.exe
        
        C:\Windows\system32\GroupPolicy\User\Scripts\Logon\winlogo.exe
        30⤵
        Executes dropped EXE
        Checks computer location settings
        Suspicious use of AdjustPrivilegeToken
        
        PID:1976
        
        C:\Windows\SysWOW64\GroupPolicy\User\Scripts\Logon\winlogo.exe
        
        C:\Windows\system32\GroupPolicy\User\Scripts\Logon\winlogo.exe
        31⤵
        Executes dropped EXE
        Checks computer location settings
        Suspicious use of AdjustPrivilegeToken
        
        PID:1724
        
        C:\Windows\SysWOW64\GroupPolicy\User\Scripts\Logon\winlogo.exe
        
        C:\Windows\system32\GroupPolicy\User\Scripts\Logon\winlogo.exe
        32⤵
        Executes dropped EXE
        Checks computer location settings
        Drops file in System32 directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:4200
        
        C:\Windows\SysWOW64\GroupPolicy\User\Scripts\Logon\winlogo.exe
        
        C:\Windows\system32\GroupPolicy\User\Scripts\Logon\winlogo.exe
        33⤵
        Executes dropped EXE
        Checks computer location settings
        Drops file in System32 directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:3176
        
        C:\Windows\SysWOW64\GroupPolicy\User\Scripts\Logon\winlogo.exe
        
        C:\Windows\system32\GroupPolicy\User\Scripts\Logon\winlogo.exe
        34⤵
        Executes dropped EXE
        Checks computer location settings
        Drops file in System32 directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:4748
        
        C:\Windows\SysWOW64\GroupPolicy\User\Scripts\Logon\winlogo.exe
        
        C:\Windows\system32\GroupPolicy\User\Scripts\Logon\winlogo.exe
        35⤵
        Executes dropped EXE
        Checks computer location settings
        Suspicious use of AdjustPrivilegeToken
        
        PID:1712
        
        C:\Windows\SysWOW64\GroupPolicy\User\Scripts\Logon\winlogo.exe
        
        C:\Windows\system32\GroupPolicy\User\Scripts\Logon\winlogo.exe
        36⤵
        Executes dropped EXE
        Checks computer location settings
        Suspicious use of AdjustPrivilegeToken
        
        PID:4124
        
        C:\Windows\SysWOW64\GroupPolicy\User\Scripts\Logon\winlogo.exe
        
        C:\Windows\system32\GroupPolicy\User\Scripts\Logon\winlogo.exe
        37⤵
        Executes dropped EXE
        Checks computer location settings
        Suspicious use of AdjustPrivilegeToken
        
        PID:1684
        
        C:\Windows\SysWOW64\GroupPolicy\User\Scripts\Logon\winlogo.exe
        
        C:\Windows\system32\GroupPolicy\User\Scripts\Logon\winlogo.exe
        38⤵
        Executes dropped EXE
        Checks computer location settings
        Suspicious use of AdjustPrivilegeToken
        
        PID:1560
        
        C:\Windows\SysWOW64\GroupPolicy\User\Scripts\Logon\winlogo.exe
        
        C:\Windows\system32\GroupPolicy\User\Scripts\Logon\winlogo.exe
        39⤵
        Executes dropped EXE
        Checks computer location settings
        Suspicious use of AdjustPrivilegeToken
        
        PID:2216
        
        C:\Windows\SysWOW64\GroupPolicy\User\Scripts\Logon\winlogo.exe
        
        C:\Windows\system32\GroupPolicy\User\Scripts\Logon\winlogo.exe
        40⤵
        Executes dropped EXE
        Checks computer location settings
        Drops file in System32 directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:3696
        
        C:\Windows\SysWOW64\GroupPolicy\User\Scripts\Logon\winlogo.exe
        
        C:\Windows\system32\GroupPolicy\User\Scripts\Logon\winlogo.exe
        41⤵
        Executes dropped EXE
        Checks computer location settings
        Suspicious use of AdjustPrivilegeToken
        
        PID:3480
        
        C:\Windows\SysWOW64\GroupPolicy\User\Scripts\Logon\winlogo.exe
        
        C:\Windows\system32\GroupPolicy\User\Scripts\Logon\winlogo.exe
        42⤵
        Executes dropped EXE
        Checks computer location settings
        Suspicious use of AdjustPrivilegeToken
        
        PID:1520
        
        C:\Windows\SysWOW64\GroupPolicy\User\Scripts\Logon\winlogo.exe
        
        C:\Windows\system32\GroupPolicy\User\Scripts\Logon\winlogo.exe
        43⤵
        Executes dropped EXE
        Checks computer location settings
        Drops file in System32 directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2296
        
        C:\Windows\SysWOW64\GroupPolicy\User\Scripts\Logon\winlogo.exe
        
        C:\Windows\system32\GroupPolicy\User\Scripts\Logon\winlogo.exe
        44⤵
        Executes dropped EXE
        Checks computer location settings
        Drops file in System32 directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2868
        
        C:\Windows\SysWOW64\GroupPolicy\User\Scripts\Logon\winlogo.exe
        
        C:\Windows\system32\GroupPolicy\User\Scripts\Logon\winlogo.exe
        45⤵
        Executes dropped EXE
        Checks computer location settings
        Drops file in System32 directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:4524
        
        C:\Windows\SysWOW64\GroupPolicy\User\Scripts\Logon\winlogo.exe
        
        C:\Windows\system32\GroupPolicy\User\Scripts\Logon\winlogo.exe
        46⤵
        Executes dropped EXE
        Checks computer location settings
        Suspicious use of AdjustPrivilegeToken
        
        PID:4284
        
        C:\Windows\SysWOW64\GroupPolicy\User\Scripts\Logon\winlogo.exe
        
        C:\Windows\system32\GroupPolicy\User\Scripts\Logon\winlogo.exe
        47⤵
        Executes dropped EXE
        Checks computer location settings
        Suspicious use of AdjustPrivilegeToken
        
        PID:2732
        
        C:\Windows\SysWOW64\GroupPolicy\User\Scripts\Logon\winlogo.exe
        
        C:\Windows\system32\GroupPolicy\User\Scripts\Logon\winlogo.exe
        48⤵
        Executes dropped EXE
        Checks computer location settings
        Suspicious use of AdjustPrivilegeToken
        
        PID:868
        
        C:\Windows\SysWOW64\GroupPolicy\User\Scripts\Logon\winlogo.exe
        
        C:\Windows\system32\GroupPolicy\User\Scripts\Logon\winlogo.exe
        49⤵
        Executes dropped EXE
        Checks computer location settings
        Drops file in System32 directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:4584
        
        C:\Windows\SysWOW64\GroupPolicy\User\Scripts\Logon\winlogo.exe
        
        C:\Windows\system32\GroupPolicy\User\Scripts\Logon\winlogo.exe
        50⤵
        Executes dropped EXE
        Checks computer location settings
        Drops file in System32 directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:4692
        
        C:\Windows\SysWOW64\GroupPolicy\User\Scripts\Logon\winlogo.exe
        
        C:\Windows\system32\GroupPolicy\User\Scripts\Logon\winlogo.exe
        51⤵
        Executes dropped EXE
        Checks computer location settings
        Drops file in System32 directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:4860
        
        C:\Windows\SysWOW64\GroupPolicy\User\Scripts\Logon\winlogo.exe
        
        C:\Windows\system32\GroupPolicy\User\Scripts\Logon\winlogo.exe
        52⤵
        Executes dropped EXE
        Checks computer location settings
        Suspicious use of AdjustPrivilegeToken
        
        PID:2152
        
        C:\Windows\SysWOW64\GroupPolicy\User\Scripts\Logon\winlogo.exe
        
        C:\Windows\system32\GroupPolicy\User\Scripts\Logon\winlogo.exe
        53⤵
        Executes dropped EXE
        Checks computer location settings
        Drops file in System32 directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2508
        
        C:\Windows\SysWOW64\GroupPolicy\User\Scripts\Logon\winlogo.exe
        
        C:\Windows\system32\GroupPolicy\User\Scripts\Logon\winlogo.exe
        54⤵
        Executes dropped EXE
        Checks computer location settings
        Suspicious use of AdjustPrivilegeToken
        
        PID:2228
        
        C:\Windows\SysWOW64\GroupPolicy\User\Scripts\Logon\winlogo.exe
        
        C:\Windows\system32\GroupPolicy\User\Scripts\Logon\winlogo.exe
        55⤵
        Executes dropped EXE
        Checks computer location settings
        Suspicious use of AdjustPrivilegeToken
        
        PID:4720
        
        C:\Windows\SysWOW64\GroupPolicy\User\Scripts\Logon\winlogo.exe
        
        C:\Windows\system32\GroupPolicy\User\Scripts\Logon\winlogo.exe
        56⤵
        Executes dropped EXE
        Checks computer location settings
        Drops file in System32 directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:4240
        
        C:\Windows\SysWOW64\GroupPolicy\User\Scripts\Logon\winlogo.exe
        
        C:\Windows\system32\GroupPolicy\User\Scripts\Logon\winlogo.exe
        57⤵
        Executes dropped EXE
        Checks computer location settings
        Suspicious use of AdjustPrivilegeToken
        
        PID:3916
        
        C:\Windows\SysWOW64\GroupPolicy\User\Scripts\Logon\winlogo.exe
        
        C:\Windows\system32\GroupPolicy\User\Scripts\Logon\winlogo.exe
        58⤵
        Executes dropped EXE
        Checks computer location settings
        Suspicious use of AdjustPrivilegeToken
        
        PID:344
        
        C:\Windows\SysWOW64\GroupPolicy\User\Scripts\Logon\winlogo.exe
        
        C:\Windows\system32\GroupPolicy\User\Scripts\Logon\winlogo.exe
        59⤵
        Executes dropped EXE
        Checks computer location settings
        Drops file in System32 directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:992
        
        C:\Windows\SysWOW64\GroupPolicy\User\Scripts\Logon\winlogo.exe
        
        C:\Windows\system32\GroupPolicy\User\Scripts\Logon\winlogo.exe
        60⤵
        Executes dropped EXE
        Checks computer location settings
        Suspicious use of AdjustPrivilegeToken
        
        PID:4588
        
        C:\Windows\SysWOW64\GroupPolicy\User\Scripts\Logon\winlogo.exe
        
        C:\Windows\system32\GroupPolicy\User\Scripts\Logon\winlogo.exe
        61⤵
        Executes dropped EXE
        Checks computer location settings
        Suspicious use of AdjustPrivilegeToken
        
        PID:4568
        
        C:\Windows\SysWOW64\GroupPolicy\User\Scripts\Logon\winlogo.exe
        
        C:\Windows\system32\GroupPolicy\User\Scripts\Logon\winlogo.exe
        62⤵
        Executes dropped EXE
        Checks computer location settings
        Suspicious use of AdjustPrivilegeToken
        
        PID:4044
        
        C:\Windows\SysWOW64\GroupPolicy\User\Scripts\Logon\winlogo.exe
        
        C:\Windows\system32\GroupPolicy\User\Scripts\Logon\winlogo.exe
        63⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:4456
        
        C:\Windows\SysWOW64\GroupPolicy\User\Scripts\Logon\winlogo.exe
        
        C:\Windows\system32\GroupPolicy\User\Scripts\Logon\winlogo.exe
        64⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:3064
        
        C:\Windows\SysWOW64\GroupPolicy\User\Scripts\Logon\winlogo.exe
        
        C:\Windows\system32\GroupPolicy\User\Scripts\Logon\winlogo.exe
        65⤵
        Executes dropped EXE
        
        PID:2460
        
        C:\Windows\SysWOW64\GroupPolicy\User\Scripts\Logon\winlogo.exe
        
        C:\Windows\system32\GroupPolicy\User\Scripts\Logon\winlogo.exe
        66⤵
        Drops file in System32 directory
        
        PID:4628
        
        C:\Windows\SysWOW64\GroupPolicy\User\Scripts\Logon\winlogo.exe
        
        C:\Windows\system32\GroupPolicy\User\Scripts\Logon\winlogo.exe
        67⤵
        Drops file in System32 directory
        
        PID:2412
        
        C:\Windows\SysWOW64\GroupPolicy\User\Scripts\Logon\winlogo.exe
        
        C:\Windows\system32\GroupPolicy\User\Scripts\Logon\winlogo.exe
        68⤵
        
        PID:5100
        
        C:\Windows\SysWOW64\GroupPolicy\User\Scripts\Logon\winlogo.exe
        
        C:\Windows\system32\GroupPolicy\User\Scripts\Logon\winlogo.exe
        69⤵
        
        PID:4712
        
        C:\Windows\SysWOW64\GroupPolicy\User\Scripts\Logon\winlogo.exe
        
        C:\Windows\system32\GroupPolicy\User\Scripts\Logon\winlogo.exe
        70⤵
        
        PID:4920
        
        C:\Windows\SysWOW64\GroupPolicy\User\Scripts\Logon\winlogo.exe
        
        C:\Windows\system32\GroupPolicy\User\Scripts\Logon\winlogo.exe
        71⤵
        Drops file in System32 directory
        
        PID:2064
        
        C:\Windows\SysWOW64\GroupPolicy\User\Scripts\Logon\winlogo.exe
        
        C:\Windows\system32\GroupPolicy\User\Scripts\Logon\winlogo.exe
        72⤵
        Drops file in System32 directory
        
        PID:4328
        
        C:\Windows\SysWOW64\GroupPolicy\User\Scripts\Logon\winlogo.exe
        
        C:\Windows\system32\GroupPolicy\User\Scripts\Logon\winlogo.exe
        73⤵
        Drops file in System32 directory
        
        PID:2760
        
        C:\Windows\SysWOW64\GroupPolicy\User\Scripts\Logon\winlogo.exe
        
        C:\Windows\system32\GroupPolicy\User\Scripts\Logon\winlogo.exe
        74⤵
        Drops file in System32 directory
        
        PID:4636
        
        C:\Windows\SysWOW64\GroupPolicy\User\Scripts\Logon\winlogo.exe
        
        C:\Windows\system32\GroupPolicy\User\Scripts\Logon\winlogo.exe
        75⤵
        Drops file in System32 directory
        
        PID:3908
        
        C:\Windows\SysWOW64\GroupPolicy\User\Scripts\Logon\winlogo.exe
        
        C:\Windows\system32\GroupPolicy\User\Scripts\Logon\winlogo.exe
        76⤵
        Drops file in System32 directory
        
        PID:1796
        
        C:\Windows\SysWOW64\GroupPolicy\User\Scripts\Logon\winlogo.exe
        
        C:\Windows\system32\GroupPolicy\User\Scripts\Logon\winlogo.exe
        77⤵
        Drops file in System32 directory
        
        PID:4176
        
        C:\Windows\SysWOW64\GroupPolicy\User\Scripts\Logon\winlogo.exe
        
        C:\Windows\system32\GroupPolicy\User\Scripts\Logon\winlogo.exe
        78⤵
        
        PID:3304
        
        C:\Windows\SysWOW64\GroupPolicy\User\Scripts\Logon\winlogo.exe
        
        C:\Windows\system32\GroupPolicy\User\Scripts\Logon\winlogo.exe
        79⤵
        Drops file in System32 directory
        
        PID:3412
        
        C:\Windows\SysWOW64\GroupPolicy\User\Scripts\Logon\winlogo.exe
        
        C:\Windows\system32\GroupPolicy\User\Scripts\Logon\winlogo.exe
        80⤵
        Drops file in System32 directory
        
        PID:4952
        
        C:\Windows\SysWOW64\GroupPolicy\User\Scripts\Logon\winlogo.exe
        
        C:\Windows\system32\GroupPolicy\User\Scripts\Logon\winlogo.exe
        81⤵
        
        PID:3348
        
        C:\Windows\SysWOW64\GroupPolicy\User\Scripts\Logon\winlogo.exe
        
        C:\Windows\system32\GroupPolicy\User\Scripts\Logon\winlogo.exe
        82⤵
        
        PID:3784
        
        C:\Windows\SysWOW64\GroupPolicy\User\Scripts\Logon\winlogo.exe
        
        C:\Windows\system32\GroupPolicy\User\Scripts\Logon\winlogo.exe
        83⤵
        
        PID:212
        
        C:\Windows\SysWOW64\GroupPolicy\User\Scripts\Logon\winlogo.exe
        
        C:\Windows\system32\GroupPolicy\User\Scripts\Logon\winlogo.exe
        84⤵
        
        PID:3972
        
        C:\Windows\SysWOW64\GroupPolicy\User\Scripts\Logon\winlogo.exe
        
        C:\Windows\system32\GroupPolicy\User\Scripts\Logon\winlogo.exe
        85⤵
        
        PID:4428
        
        C:\Windows\SysWOW64\GroupPolicy\User\Scripts\Logon\winlogo.exe
        
        C:\Windows\system32\GroupPolicy\User\Scripts\Logon\winlogo.exe
        86⤵
        
        PID:4972
        
        C:\Windows\SysWOW64\GroupPolicy\User\Scripts\Logon\winlogo.exe
        
        C:\Windows\system32\GroupPolicy\User\Scripts\Logon\winlogo.exe
        87⤵
        
        PID:2068
        
        C:\Windows\SysWOW64\GroupPolicy\User\Scripts\Logon\winlogo.exe
        
        C:\Windows\system32\GroupPolicy\User\Scripts\Logon\winlogo.exe
        88⤵
        Drops file in System32 directory
        
        PID:4000
        
        C:\Windows\SysWOW64\GroupPolicy\User\Scripts\Logon\winlogo.exe
        
        C:\Windows\system32\GroupPolicy\User\Scripts\Logon\winlogo.exe
        89⤵
        
        PID:4776
        
        C:\Windows\SysWOW64\GroupPolicy\User\Scripts\Logon\winlogo.exe
        
        C:\Windows\system32\GroupPolicy\User\Scripts\Logon\winlogo.exe
        90⤵
        Drops file in System32 directory
        
        PID:1028
        
        C:\Windows\SysWOW64\GroupPolicy\User\Scripts\Logon\winlogo.exe
        
        C:\Windows\system32\GroupPolicy\User\Scripts\Logon\winlogo.exe
        91⤵
        
        PID:2300
        
        C:\Windows\SysWOW64\GroupPolicy\User\Scripts\Logon\winlogo.exe
        
        C:\Windows\system32\GroupPolicy\User\Scripts\Logon\winlogo.exe
        92⤵
        
        PID:404
        
        C:\Windows\SysWOW64\GroupPolicy\User\Scripts\Logon\winlogo.exe
        
        C:\Windows\system32\GroupPolicy\User\Scripts\Logon\winlogo.exe
        93⤵
        Drops file in System32 directory
        
        PID:4108
        
        C:\Windows\SysWOW64\GroupPolicy\User\Scripts\Logon\winlogo.exe
        
        C:\Windows\system32\GroupPolicy\User\Scripts\Logon\winlogo.exe
        94⤵
        Drops file in System32 directory
        
        PID:5024
        
        C:\Windows\SysWOW64\GroupPolicy\User\Scripts\Logon\winlogo.exe
        
        C:\Windows\system32\GroupPolicy\User\Scripts\Logon\winlogo.exe
        95⤵
        Drops file in System32 directory
        
        PID:2172
        
        C:\Windows\SysWOW64\GroupPolicy\User\Scripts\Logon\winlogo.exe
        
        C:\Windows\system32\GroupPolicy\User\Scripts\Logon\winlogo.exe
        96⤵
        
        PID:2908
        
        C:\Windows\SysWOW64\GroupPolicy\User\Scripts\Logon\winlogo.exe
        
        C:\Windows\system32\GroupPolicy\User\Scripts\Logon\winlogo.exe
        97⤵
        
        PID:2108
        
        C:\Windows\SysWOW64\GroupPolicy\User\Scripts\Logon\winlogo.exe
        
        C:\Windows\system32\GroupPolicy\User\Scripts\Logon\winlogo.exe
        98⤵
        
        PID:4660
        
        C:\Windows\SysWOW64\GroupPolicy\User\Scripts\Logon\winlogo.exe
        
        C:\Windows\system32\GroupPolicy\User\Scripts\Logon\winlogo.exe
        99⤵
        
        PID:4212
        
        C:\Windows\SysWOW64\GroupPolicy\User\Scripts\Logon\winlogo.exe
        
        C:\Windows\system32\GroupPolicy\User\Scripts\Logon\winlogo.exe
        100⤵
        
        PID:1200
        
        C:\Windows\SysWOW64\GroupPolicy\User\Scripts\Logon\winlogo.exe
        
        C:\Windows\system32\GroupPolicy\User\Scripts\Logon\winlogo.exe
        101⤵
        
        PID:5124
        
        C:\Windows\SysWOW64\GroupPolicy\User\Scripts\Logon\winlogo.exe
        
        C:\Windows\system32\GroupPolicy\User\Scripts\Logon\winlogo.exe
        102⤵
        Drops file in System32 directory
        
        PID:5140
        
        C:\Windows\SysWOW64\GroupPolicy\User\Scripts\Logon\winlogo.exe
        
        C:\Windows\system32\GroupPolicy\User\Scripts\Logon\winlogo.exe
        103⤵
        
        PID:5156
        
        C:\Windows\SysWOW64\GroupPolicy\User\Scripts\Logon\winlogo.exe
        
        C:\Windows\system32\GroupPolicy\User\Scripts\Logon\winlogo.exe
        104⤵
        
        PID:5172
        
        C:\Windows\SysWOW64\GroupPolicy\User\Scripts\Logon\winlogo.exe
        
        C:\Windows\system32\GroupPolicy\User\Scripts\Logon\winlogo.exe
        105⤵
        Drops file in System32 directory
        
        PID:5220
        
        C:\Windows\SysWOW64\GroupPolicy\User\Scripts\Logon\winlogo.exe
        
        C:\Windows\system32\GroupPolicy\User\Scripts\Logon\winlogo.exe
        106⤵
        
        PID:5236
        
        C:\Windows\SysWOW64\GroupPolicy\User\Scripts\Logon\winlogo.exe
        
        C:\Windows\system32\GroupPolicy\User\Scripts\Logon\winlogo.exe
        107⤵
        
        PID:5252
        
        C:\Windows\SysWOW64\GroupPolicy\User\Scripts\Logon\winlogo.exe
        
        C:\Windows\system32\GroupPolicy\User\Scripts\Logon\winlogo.exe
        108⤵
        Drops file in System32 directory
        
        PID:5268
        
        C:\Windows\SysWOW64\GroupPolicy\User\Scripts\Logon\winlogo.exe
        
        C:\Windows\system32\GroupPolicy\User\Scripts\Logon\winlogo.exe
        109⤵
        
        PID:5284
        
        C:\Windows\SysWOW64\GroupPolicy\User\Scripts\Logon\winlogo.exe
        
        C:\Windows\system32\GroupPolicy\User\Scripts\Logon\winlogo.exe
        110⤵
        
        PID:5336
        
        C:\Windows\SysWOW64\GroupPolicy\User\Scripts\Logon\winlogo.exe
        
        C:\Windows\system32\GroupPolicy\User\Scripts\Logon\winlogo.exe
        111⤵
        
        PID:5352
        
        C:\Windows\SysWOW64\GroupPolicy\User\Scripts\Logon\winlogo.exe
        
        C:\Windows\system32\GroupPolicy\User\Scripts\Logon\winlogo.exe
        112⤵
        Drops file in System32 directory
        
        PID:5372
        
        C:\Windows\SysWOW64\GroupPolicy\User\Scripts\Logon\winlogo.exe
        
        C:\Windows\system32\GroupPolicy\User\Scripts\Logon\winlogo.exe
        113⤵
        
        PID:5388
        
        C:\Windows\SysWOW64\GroupPolicy\User\Scripts\Logon\winlogo.exe
        
        C:\Windows\system32\GroupPolicy\User\Scripts\Logon\winlogo.exe
        114⤵
        
        PID:5404
        
        C:\Windows\SysWOW64\GroupPolicy\User\Scripts\Logon\winlogo.exe
        
        C:\Windows\system32\GroupPolicy\User\Scripts\Logon\winlogo.exe
        115⤵
        
        PID:5436
        
        C:\Windows\SysWOW64\GroupPolicy\User\Scripts\Logon\winlogo.exe
        
        C:\Windows\system32\GroupPolicy\User\Scripts\Logon\winlogo.exe
        116⤵
        
        PID:5504
        
        C:\Windows\SysWOW64\GroupPolicy\User\Scripts\Logon\winlogo.exe
        
        C:\Windows\system32\GroupPolicy\User\Scripts\Logon\winlogo.exe
        117⤵
        
        PID:5528
        
        C:\Windows\SysWOW64\GroupPolicy\User\Scripts\Logon\winlogo.exe
        
        C:\Windows\system32\GroupPolicy\User\Scripts\Logon\winlogo.exe
        118⤵
        
        PID:5576
        
        C:\Windows\SysWOW64\GroupPolicy\User\Scripts\Logon\winlogo.exe
        
        C:\Windows\system32\GroupPolicy\User\Scripts\Logon\winlogo.exe
        119⤵
        
        PID:5596
        
        C:\Windows\SysWOW64\GroupPolicy\User\Scripts\Logon\winlogo.exe
        
        C:\Windows\system32\GroupPolicy\User\Scripts\Logon\winlogo.exe
        120⤵
        
        PID:5616
        
        C:\Windows\SysWOW64\GroupPolicy\User\Scripts\Logon\winlogo.exe
        
        C:\Windows\system32\GroupPolicy\User\Scripts\Logon\winlogo.exe
        121⤵
        
        PID:5636
        
        C:\Windows\SysWOW64\GroupPolicy\User\Scripts\Logon\winlogo.exe
        
        C:\Windows\system32\GroupPolicy\User\Scripts\Logon\winlogo.exe
        122⤵
        Drops file in System32 directory
        
        PID:5668
        
        C:\Windows\SysWOW64\GroupPolicy\User\Scripts\Logon\winlogo.exe
        
        C:\Windows\system32\GroupPolicy\User\Scripts\Logon\winlogo.exe
        123⤵
        Drops file in System32 directory
        
        PID:5688
        
        C:\Windows\SysWOW64\GroupPolicy\User\Scripts\Logon\winlogo.exe
        
        C:\Windows\system32\GroupPolicy\User\Scripts\Logon\winlogo.exe
        124⤵
        
        PID:5920
        
        C:\Windows\SysWOW64\GroupPolicy\User\Scripts\Logon\winlogo.exe
        
        C:\Windows\system32\GroupPolicy\User\Scripts\Logon\winlogo.exe
        125⤵
        
        PID:5936
        
        C:\Windows\SysWOW64\GroupPolicy\User\Scripts\Logon\winlogo.exe
        
        C:\Windows\system32\GroupPolicy\User\Scripts\Logon\winlogo.exe
        126⤵
        
        PID:5952
        
        C:\Windows\SysWOW64\GroupPolicy\User\Scripts\Logon\winlogo.exe
        
        C:\Windows\system32\GroupPolicy\User\Scripts\Logon\winlogo.exe
        127⤵
        Drops file in System32 directory
        
        PID:5968
        
        C:\Windows\SysWOW64\GroupPolicy\User\Scripts\Logon\winlogo.exe
        
        C:\Windows\system32\GroupPolicy\User\Scripts\Logon\winlogo.exe
        128⤵
        
        PID:5984
        
        C:\Windows\SysWOW64\GroupPolicy\User\Scripts\Logon\winlogo.exe
        
        C:\Windows\system32\GroupPolicy\User\Scripts\Logon\winlogo.exe
        129⤵
        
        PID:3032
        
        C:\Windows\SysWOW64\GroupPolicy\User\Scripts\Logon\winlogo.exe
        
        C:\Windows\system32\GroupPolicy\User\Scripts\Logon\winlogo.exe
        130⤵
        Drops file in System32 directory
        
        PID:4484
        
        C:\Windows\SysWOW64\GroupPolicy\User\Scripts\Logon\winlogo.exe
        
        C:\Windows\system32\GroupPolicy\User\Scripts\Logon\winlogo.exe
        131⤵
        
        PID:3116
        
        C:\Windows\SysWOW64\GroupPolicy\User\Scripts\Logon\winlogo.exe
        
        C:\Windows\system32\GroupPolicy\User\Scripts\Logon\winlogo.exe
        132⤵
        
        PID:4104
        
        C:\Windows\SysWOW64\GroupPolicy\User\Scripts\Logon\winlogo.exe
        
        C:\Windows\system32\GroupPolicy\User\Scripts\Logon\winlogo.exe
        133⤵
        Drops file in System32 directory
        
        PID:2588
        
        C:\Windows\SysWOW64\GroupPolicy\User\Scripts\Logon\winlogo.exe
        
        C:\Windows\system32\GroupPolicy\User\Scripts\Logon\winlogo.exe
        134⤵
        Drops file in System32 directory
        
        PID:4020
        
        C:\Windows\SysWOW64\GroupPolicy\User\Scripts\Logon\winlogo.exe
        
        C:\Windows\system32\GroupPolicy\User\Scripts\Logon\winlogo.exe
        135⤵
        
        PID:1616
        
        C:\Windows\SysWOW64\GroupPolicy\User\Scripts\Logon\winlogo.exe
        
        C:\Windows\system32\GroupPolicy\User\Scripts\Logon\winlogo.exe
        136⤵
        
        PID:6444
        
        C:\Windows\SysWOW64\GroupPolicy\User\Scripts\Logon\winlogo.exe
        
        C:\Windows\system32\GroupPolicy\User\Scripts\Logon\winlogo.exe
        137⤵
        Drops file in System32 directory
        
        PID:7316
        
        C:\Windows\SysWOW64\GroupPolicy\User\Scripts\Logon\winlogo.exe
        
        C:\Windows\system32\GroupPolicy\User\Scripts\Logon\winlogo.exe
        138⤵
        
        PID:7472
        
        C:\Windows\SysWOW64\GroupPolicy\User\Scripts\Logon\winlogo.exe
        
        C:\Windows\system32\GroupPolicy\User\Scripts\Logon\winlogo.exe
        139⤵
        Drops file in System32 directory
        
        PID:7488
        
        C:\Windows\SysWOW64\GroupPolicy\User\Scripts\Logon\winlogo.exe
        
        C:\Windows\system32\GroupPolicy\User\Scripts\Logon\winlogo.exe
        140⤵
        Drops file in System32 directory
        
        PID:7628
        
        C:\Windows\SysWOW64\GroupPolicy\User\Scripts\Logon\winlogo.exe
        
        C:\Windows\system32\GroupPolicy\User\Scripts\Logon\winlogo.exe
        141⤵
        
        PID:7652
        
        C:\Windows\SysWOW64\GroupPolicy\User\Scripts\Logon\winlogo.exe
        
        C:\Windows\system32\GroupPolicy\User\Scripts\Logon\winlogo.exe
        142⤵
        
        PID:7680
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del /f /q "C:\Windows\SysWOW64\GroupPolicy\User\Scripts\Logon\winlogo.exe" > nul
        63⤵
        
        PID:364
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del /f /q "C:\Windows\SysWOW64\GroupPolicy\User\Scripts\Logon\winlogo.exe" > nul
        62⤵
        
        PID:8124
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del /f /q "C:\Windows\SysWOW64\GroupPolicy\User\Scripts\Logon\winlogo.exe" > nul
        61⤵
        
        PID:7864
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del /f /q "C:\Windows\SysWOW64\GroupPolicy\User\Scripts\Logon\winlogo.exe" > nul
        60⤵
        
        PID:8012
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del /f /q "C:\Windows\SysWOW64\GroupPolicy\User\Scripts\Logon\winlogo.exe" > nul
        59⤵
        
        PID:7988
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del /f /q "C:\Windows\SysWOW64\GroupPolicy\User\Scripts\Logon\winlogo.exe" > nul
        58⤵
        
        PID:7848
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del /f /q "C:\Windows\SysWOW64\GroupPolicy\User\Scripts\Logon\winlogo.exe" > nul
        57⤵
        
        PID:8172
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del /f /q "C:\Windows\SysWOW64\GroupPolicy\User\Scripts\Logon\winlogo.exe" > nul
        56⤵
        
        PID:7832
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del /f /q "C:\Windows\SysWOW64\GroupPolicy\User\Scripts\Logon\winlogo.exe" > nul
        55⤵
        
        PID:7932
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del /f /q "C:\Windows\SysWOW64\GroupPolicy\User\Scripts\Logon\winlogo.exe" > nul
        54⤵
        
        PID:7808
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del /f /q "C:\Windows\SysWOW64\GroupPolicy\User\Scripts\Logon\winlogo.exe" > nul
        53⤵
        
        PID:7924
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del /f /q "C:\Windows\SysWOW64\GroupPolicy\User\Scripts\Logon\winlogo.exe" > nul
        52⤵
        
        PID:8076
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del /f /q "C:\Windows\SysWOW64\GroupPolicy\User\Scripts\Logon\winlogo.exe" > nul
        51⤵
        
        PID:7916
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del /f /q "C:\Windows\SysWOW64\GroupPolicy\User\Scripts\Logon\winlogo.exe" > nul
        50⤵
        
        PID:7880
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del /f /q "C:\Windows\SysWOW64\GroupPolicy\User\Scripts\Logon\winlogo.exe" > nul
        49⤵
        
        PID:7776
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del /f /q "C:\Windows\SysWOW64\GroupPolicy\User\Scripts\Logon\winlogo.exe" > nul
        48⤵
        
        PID:7892
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del /f /q "C:\Windows\SysWOW64\GroupPolicy\User\Scripts\Logon\winlogo.exe" > nul
        47⤵
        
        PID:7948
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del /f /q "C:\Windows\SysWOW64\GroupPolicy\User\Scripts\Logon\winlogo.exe" > nul
        46⤵
        
        PID:7972
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del /f /q "C:\Windows\SysWOW64\GroupPolicy\User\Scripts\Logon\winlogo.exe" > nul
        45⤵
        
        PID:8164
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del /f /q "C:\Windows\SysWOW64\GroupPolicy\User\Scripts\Logon\winlogo.exe" > nul
        44⤵
        
        PID:7704
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del /f /q "C:\Windows\SysWOW64\GroupPolicy\User\Scripts\Logon\winlogo.exe" > nul
        43⤵
        
        PID:7940
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del /f /q "C:\Windows\SysWOW64\GroupPolicy\User\Scripts\Logon\winlogo.exe" > nul
        42⤵
        
        PID:7956
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del /f /q "C:\Windows\SysWOW64\GroupPolicy\User\Scripts\Logon\winlogo.exe" > nul
        41⤵
        
        PID:7760
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del /f /q "C:\Windows\SysWOW64\GroupPolicy\User\Scripts\Logon\winlogo.exe" > nul
        40⤵
        
        PID:7712
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del /f /q "C:\Windows\SysWOW64\GroupPolicy\User\Scripts\Logon\winlogo.exe" > nul
        39⤵
        
        PID:8092
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del /f /q "C:\Windows\SysWOW64\GroupPolicy\User\Scripts\Logon\winlogo.exe" > nul
        38⤵
        
        PID:8068
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del /f /q "C:\Windows\SysWOW64\GroupPolicy\User\Scripts\Logon\winlogo.exe" > nul
        37⤵
        
        PID:7840
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del /f /q "C:\Windows\SysWOW64\GroupPolicy\User\Scripts\Logon\winlogo.exe" > nul
        36⤵
        
        PID:8028
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del /f /q "C:\Windows\SysWOW64\GroupPolicy\User\Scripts\Logon\winlogo.exe" > nul
        35⤵
        
        PID:8132
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del /f /q "C:\Windows\SysWOW64\GroupPolicy\User\Scripts\Logon\winlogo.exe" > nul
        34⤵
        
        PID:7792
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del /f /q "C:\Windows\SysWOW64\GroupPolicy\User\Scripts\Logon\winlogo.exe" > nul
        33⤵
        
        PID:8084
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del /f /q "C:\Windows\SysWOW64\GroupPolicy\User\Scripts\Logon\winlogo.exe" > nul
        32⤵
        
        PID:8044
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del /f /q "C:\Windows\SysWOW64\GroupPolicy\User\Scripts\Logon\winlogo.exe" > nul
        31⤵
        
        PID:8060
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del /f /q "C:\Windows\SysWOW64\GroupPolicy\User\Scripts\Logon\winlogo.exe" > nul
        30⤵
        
        PID:7964
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del /f /q "C:\Windows\SysWOW64\GroupPolicy\User\Scripts\Logon\winlogo.exe" > nul
        29⤵
        
        PID:8036
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del /f /q "C:\Windows\SysWOW64\GroupPolicy\User\Scripts\Logon\winlogo.exe" > nul
        28⤵
        
        PID:7720
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del /f /q "C:\Windows\SysWOW64\GroupPolicy\User\Scripts\Logon\winlogo.exe" > nul
        27⤵
        
        PID:8148
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del /f /q "C:\Windows\SysWOW64\GroupPolicy\User\Scripts\Logon\winlogo.exe" > nul
        26⤵
        
        PID:8156
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del /f /q "C:\Windows\SysWOW64\GroupPolicy\User\Scripts\Logon\winlogo.exe" > nul
        25⤵
        
        PID:7728
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del /f /q "C:\Windows\SysWOW64\GroupPolicy\User\Scripts\Logon\winlogo.exe" > nul
        24⤵
        
        PID:8116
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del /f /q "C:\Windows\SysWOW64\GroupPolicy\User\Scripts\Logon\winlogo.exe" > nul
        23⤵
        
        PID:8004
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del /f /q "C:\Windows\SysWOW64\GroupPolicy\User\Scripts\Logon\winlogo.exe" > nul
        22⤵
        
        PID:7900
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del /f /q "C:\Windows\SysWOW64\GroupPolicy\User\Scripts\Logon\winlogo.exe" > nul
        21⤵
        
        PID:7980
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del /f /q "C:\Windows\SysWOW64\GroupPolicy\User\Scripts\Logon\winlogo.exe" > nul
        20⤵
        
        PID:7696
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del /f /q "C:\Windows\SysWOW64\GroupPolicy\User\Scripts\Logon\winlogo.exe" > nul
        19⤵
        
        PID:7816
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del /f /q "C:\Windows\SysWOW64\GroupPolicy\User\Scripts\Logon\winlogo.exe" > nul
        18⤵
        
        PID:7908
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del /f /q "C:\Windows\SysWOW64\GroupPolicy\User\Scripts\Logon\winlogo.exe" > nul
        17⤵
        
        PID:8108
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del /f /q "C:\Windows\SysWOW64\GroupPolicy\User\Scripts\Logon\winlogo.exe" > nul
        16⤵
        
        PID:7768
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del /f /q "C:\Windows\SysWOW64\GroupPolicy\User\Scripts\Logon\winlogo.exe" > nul
        15⤵
        
        PID:8020
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del /f /q "C:\Windows\SysWOW64\GroupPolicy\User\Scripts\Logon\winlogo.exe" > nul
        14⤵
        
        PID:8140
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del /f /q "C:\Windows\SysWOW64\GroupPolicy\User\Scripts\Logon\winlogo.exe" > nul
        13⤵
        
        PID:7752
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del /f /q "C:\Windows\SysWOW64\GroupPolicy\User\Scripts\Logon\winlogo.exe" > nul
        12⤵
        
        PID:7784
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del /f /q "C:\Windows\SysWOW64\GroupPolicy\User\Scripts\Logon\winlogo.exe" > nul
        11⤵
        
        PID:7800
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del /f /q "C:\Windows\SysWOW64\GroupPolicy\User\Scripts\Logon\winlogo.exe" > nul
        10⤵
        
        PID:8100
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del /f /q "C:\Windows\SysWOW64\GroupPolicy\User\Scripts\Logon\winlogo.exe" > nul
        9⤵
        
        PID:7736
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del /f /q "C:\Windows\SysWOW64\GroupPolicy\User\Scripts\Logon\winlogo.exe" > nul
        8⤵
        
        PID:7872
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del /f /q "C:\Windows\SysWOW64\GroupPolicy\User\Scripts\Logon\winlogo.exe" > nul
        7⤵
        
        PID:7856
      - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del /f /q "C:\Windows\SysWOW64\GroupPolicy\User\Scripts\Logon\winlogo.exe" > nul
        6⤵
        
        PID:8052
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del /f /q "C:\Windows\SysWOW64\GroupPolicy\User\Scripts\Logon\winlogo.exe" > nul
        5⤵
        
        PID:7744
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\system32\cmd.exe" /c del /f /q "C:\Windows\SysWOW64\GroupPolicy\User\Scripts\Logon\winlogo.exe" > nul
      4⤵
      PID:7996
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /c del /f /q "C:\Windows\SysWOW64\GroupPolicy\User\Scripts\Logon\winlogo.exe" > nul
    3⤵
    PID:7824
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\system32\cmd.exe" /c del /f /q "C:\Users\Admin\AppData\Local\Temp\EE8506~1.EXE" > nul
  2⤵
  PID:7688

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\GroupPolicy\User\Scripts\Logon\autorun.bat

Filesize
13B

MD5
71913a000dbc8bbcfec89a131aa88ba6

SHA1
73140505ad37fe9f0faa324dae38499aedaddc64

SHA256
c463092c3d8d1c5867ae6ab31be744e6c696aebf8b8cd333a09863cfc43c66f9

SHA512
b62c25d774d328fa769298bdfdc83e456929a800514414ddd024e079e3f9279a956104f90ba6f4b404a24ed675a7d4dec6fd6afdea2bef96d7f71f085bb0985b

Download Submit
C:\Windows\SysWOW64\GroupPolicy\User\Scripts\Logon\autorun.bat

Filesize
13B

MD5
71913a000dbc8bbcfec89a131aa88ba6

SHA1
73140505ad37fe9f0faa324dae38499aedaddc64

SHA256
c463092c3d8d1c5867ae6ab31be744e6c696aebf8b8cd333a09863cfc43c66f9

SHA512
b62c25d774d328fa769298bdfdc83e456929a800514414ddd024e079e3f9279a956104f90ba6f4b404a24ed675a7d4dec6fd6afdea2bef96d7f71f085bb0985b

Download Submit
C:\Windows\SysWOW64\GroupPolicy\User\Scripts\Logon\autorun.bat

Filesize
13B

MD5
71913a000dbc8bbcfec89a131aa88ba6

SHA1
73140505ad37fe9f0faa324dae38499aedaddc64

SHA256
c463092c3d8d1c5867ae6ab31be744e6c696aebf8b8cd333a09863cfc43c66f9

SHA512
b62c25d774d328fa769298bdfdc83e456929a800514414ddd024e079e3f9279a956104f90ba6f4b404a24ed675a7d4dec6fd6afdea2bef96d7f71f085bb0985b

Download Submit
C:\Windows\SysWOW64\GroupPolicy\User\Scripts\Logon\autorun.bat

Filesize
13B

MD5
71913a000dbc8bbcfec89a131aa88ba6

SHA1
73140505ad37fe9f0faa324dae38499aedaddc64

SHA256
c463092c3d8d1c5867ae6ab31be744e6c696aebf8b8cd333a09863cfc43c66f9

SHA512
b62c25d774d328fa769298bdfdc83e456929a800514414ddd024e079e3f9279a956104f90ba6f4b404a24ed675a7d4dec6fd6afdea2bef96d7f71f085bb0985b

Download Submit
C:\Windows\SysWOW64\GroupPolicy\User\Scripts\Logon\autorun.bat

Filesize
13B

MD5
71913a000dbc8bbcfec89a131aa88ba6

SHA1
73140505ad37fe9f0faa324dae38499aedaddc64

SHA256
c463092c3d8d1c5867ae6ab31be744e6c696aebf8b8cd333a09863cfc43c66f9

SHA512
b62c25d774d328fa769298bdfdc83e456929a800514414ddd024e079e3f9279a956104f90ba6f4b404a24ed675a7d4dec6fd6afdea2bef96d7f71f085bb0985b

Download Submit
C:\Windows\SysWOW64\GroupPolicy\User\Scripts\Logon\autorun.bat

Filesize
13B

MD5
71913a000dbc8bbcfec89a131aa88ba6

SHA1
73140505ad37fe9f0faa324dae38499aedaddc64

SHA256
c463092c3d8d1c5867ae6ab31be744e6c696aebf8b8cd333a09863cfc43c66f9

SHA512
b62c25d774d328fa769298bdfdc83e456929a800514414ddd024e079e3f9279a956104f90ba6f4b404a24ed675a7d4dec6fd6afdea2bef96d7f71f085bb0985b

Download Submit
C:\Windows\SysWOW64\GroupPolicy\User\Scripts\Logon\autorun.bat

Filesize
13B

MD5
71913a000dbc8bbcfec89a131aa88ba6

SHA1
73140505ad37fe9f0faa324dae38499aedaddc64

SHA256
c463092c3d8d1c5867ae6ab31be744e6c696aebf8b8cd333a09863cfc43c66f9

SHA512
b62c25d774d328fa769298bdfdc83e456929a800514414ddd024e079e3f9279a956104f90ba6f4b404a24ed675a7d4dec6fd6afdea2bef96d7f71f085bb0985b

Download Submit
C:\Windows\SysWOW64\GroupPolicy\User\Scripts\Logon\autorun.bat

Filesize
13B

MD5
71913a000dbc8bbcfec89a131aa88ba6

SHA1
73140505ad37fe9f0faa324dae38499aedaddc64

SHA256
c463092c3d8d1c5867ae6ab31be744e6c696aebf8b8cd333a09863cfc43c66f9

SHA512
b62c25d774d328fa769298bdfdc83e456929a800514414ddd024e079e3f9279a956104f90ba6f4b404a24ed675a7d4dec6fd6afdea2bef96d7f71f085bb0985b

Download Submit
C:\Windows\SysWOW64\GroupPolicy\User\Scripts\Logon\autorun.bat

Filesize
13B

MD5
71913a000dbc8bbcfec89a131aa88ba6

SHA1
73140505ad37fe9f0faa324dae38499aedaddc64

SHA256
c463092c3d8d1c5867ae6ab31be744e6c696aebf8b8cd333a09863cfc43c66f9

SHA512
b62c25d774d328fa769298bdfdc83e456929a800514414ddd024e079e3f9279a956104f90ba6f4b404a24ed675a7d4dec6fd6afdea2bef96d7f71f085bb0985b

Download Submit
C:\Windows\SysWOW64\GroupPolicy\User\Scripts\Logon\autorun.bat

Filesize
13B

MD5
71913a000dbc8bbcfec89a131aa88ba6

SHA1
73140505ad37fe9f0faa324dae38499aedaddc64

SHA256
c463092c3d8d1c5867ae6ab31be744e6c696aebf8b8cd333a09863cfc43c66f9

SHA512
b62c25d774d328fa769298bdfdc83e456929a800514414ddd024e079e3f9279a956104f90ba6f4b404a24ed675a7d4dec6fd6afdea2bef96d7f71f085bb0985b

Download Submit
C:\Windows\SysWOW64\GroupPolicy\User\Scripts\Logon\autorun.bat

Filesize
13B

MD5
71913a000dbc8bbcfec89a131aa88ba6

SHA1
73140505ad37fe9f0faa324dae38499aedaddc64

SHA256
c463092c3d8d1c5867ae6ab31be744e6c696aebf8b8cd333a09863cfc43c66f9

SHA512
b62c25d774d328fa769298bdfdc83e456929a800514414ddd024e079e3f9279a956104f90ba6f4b404a24ed675a7d4dec6fd6afdea2bef96d7f71f085bb0985b

Download Submit
C:\Windows\SysWOW64\GroupPolicy\User\Scripts\Logon\autorun.bat

Filesize
13B

MD5
71913a000dbc8bbcfec89a131aa88ba6

SHA1
73140505ad37fe9f0faa324dae38499aedaddc64

SHA256
c463092c3d8d1c5867ae6ab31be744e6c696aebf8b8cd333a09863cfc43c66f9

SHA512
b62c25d774d328fa769298bdfdc83e456929a800514414ddd024e079e3f9279a956104f90ba6f4b404a24ed675a7d4dec6fd6afdea2bef96d7f71f085bb0985b

Download Submit
C:\Windows\SysWOW64\GroupPolicy\User\Scripts\Logon\autorun.bat

Filesize
13B

MD5
71913a000dbc8bbcfec89a131aa88ba6

SHA1
73140505ad37fe9f0faa324dae38499aedaddc64

SHA256
c463092c3d8d1c5867ae6ab31be744e6c696aebf8b8cd333a09863cfc43c66f9

SHA512
b62c25d774d328fa769298bdfdc83e456929a800514414ddd024e079e3f9279a956104f90ba6f4b404a24ed675a7d4dec6fd6afdea2bef96d7f71f085bb0985b

Download Submit
C:\Windows\SysWOW64\GroupPolicy\User\Scripts\Logon\autorun.bat

Filesize
13B

MD5
71913a000dbc8bbcfec89a131aa88ba6

SHA1
73140505ad37fe9f0faa324dae38499aedaddc64

SHA256
c463092c3d8d1c5867ae6ab31be744e6c696aebf8b8cd333a09863cfc43c66f9

SHA512
b62c25d774d328fa769298bdfdc83e456929a800514414ddd024e079e3f9279a956104f90ba6f4b404a24ed675a7d4dec6fd6afdea2bef96d7f71f085bb0985b

Download Submit
C:\Windows\SysWOW64\GroupPolicy\User\Scripts\Logon\autorun.bat

Filesize
13B

MD5
71913a000dbc8bbcfec89a131aa88ba6

SHA1
73140505ad37fe9f0faa324dae38499aedaddc64

SHA256
c463092c3d8d1c5867ae6ab31be744e6c696aebf8b8cd333a09863cfc43c66f9

SHA512
b62c25d774d328fa769298bdfdc83e456929a800514414ddd024e079e3f9279a956104f90ba6f4b404a24ed675a7d4dec6fd6afdea2bef96d7f71f085bb0985b

Download Submit
C:\Windows\SysWOW64\GroupPolicy\User\Scripts\Logon\winlogo.exe

Filesize
197KB

MD5
b65e17a82359a42bf03921ced0fff478

SHA1
62f05f4f1f50e48e2754f54d363ea3cb4156e898

SHA256
ee8506da91dacbe0410e3da743fa6c8ae98f4b571eecd87fe82687e66cbc7f3b

SHA512
a0828d4d975bed42770d69f3091b140905d050df9ab667eaa921290c4ed073462efc256c070a864610b871db1e8c4966ccced562818801416bf21ab17f337c0a

Download Submit
C:\Windows\SysWOW64\GroupPolicy\User\Scripts\Logon\winlogo.exe

Filesize
197KB

MD5
b65e17a82359a42bf03921ced0fff478

SHA1
62f05f4f1f50e48e2754f54d363ea3cb4156e898

SHA256
ee8506da91dacbe0410e3da743fa6c8ae98f4b571eecd87fe82687e66cbc7f3b

SHA512
a0828d4d975bed42770d69f3091b140905d050df9ab667eaa921290c4ed073462efc256c070a864610b871db1e8c4966ccced562818801416bf21ab17f337c0a

Download Submit
C:\Windows\SysWOW64\GroupPolicy\User\Scripts\Logon\winlogo.exe

Filesize
197KB

MD5
b65e17a82359a42bf03921ced0fff478

SHA1
62f05f4f1f50e48e2754f54d363ea3cb4156e898

SHA256
ee8506da91dacbe0410e3da743fa6c8ae98f4b571eecd87fe82687e66cbc7f3b

SHA512
a0828d4d975bed42770d69f3091b140905d050df9ab667eaa921290c4ed073462efc256c070a864610b871db1e8c4966ccced562818801416bf21ab17f337c0a

Download Submit
C:\Windows\SysWOW64\GroupPolicy\User\Scripts\Logon\winlogo.exe

Filesize
197KB

MD5
b65e17a82359a42bf03921ced0fff478

SHA1
62f05f4f1f50e48e2754f54d363ea3cb4156e898

SHA256
ee8506da91dacbe0410e3da743fa6c8ae98f4b571eecd87fe82687e66cbc7f3b

SHA512
a0828d4d975bed42770d69f3091b140905d050df9ab667eaa921290c4ed073462efc256c070a864610b871db1e8c4966ccced562818801416bf21ab17f337c0a

Download Submit
C:\Windows\SysWOW64\GroupPolicy\User\Scripts\Logon\winlogo.exe

Filesize
197KB

MD5
b65e17a82359a42bf03921ced0fff478

SHA1
62f05f4f1f50e48e2754f54d363ea3cb4156e898

SHA256
ee8506da91dacbe0410e3da743fa6c8ae98f4b571eecd87fe82687e66cbc7f3b

SHA512
a0828d4d975bed42770d69f3091b140905d050df9ab667eaa921290c4ed073462efc256c070a864610b871db1e8c4966ccced562818801416bf21ab17f337c0a

Download Submit
C:\Windows\SysWOW64\GroupPolicy\User\Scripts\Logon\winlogo.exe

Filesize
197KB

MD5
b65e17a82359a42bf03921ced0fff478

SHA1
62f05f4f1f50e48e2754f54d363ea3cb4156e898

SHA256
ee8506da91dacbe0410e3da743fa6c8ae98f4b571eecd87fe82687e66cbc7f3b

SHA512
a0828d4d975bed42770d69f3091b140905d050df9ab667eaa921290c4ed073462efc256c070a864610b871db1e8c4966ccced562818801416bf21ab17f337c0a

Download Submit
C:\Windows\SysWOW64\GroupPolicy\User\Scripts\Logon\winlogo.exe

Filesize
197KB

MD5
b65e17a82359a42bf03921ced0fff478

SHA1
62f05f4f1f50e48e2754f54d363ea3cb4156e898

SHA256
ee8506da91dacbe0410e3da743fa6c8ae98f4b571eecd87fe82687e66cbc7f3b

SHA512
a0828d4d975bed42770d69f3091b140905d050df9ab667eaa921290c4ed073462efc256c070a864610b871db1e8c4966ccced562818801416bf21ab17f337c0a

Download Submit
C:\Windows\SysWOW64\GroupPolicy\User\Scripts\Logon\winlogo.exe

Filesize
197KB

MD5
b65e17a82359a42bf03921ced0fff478

SHA1
62f05f4f1f50e48e2754f54d363ea3cb4156e898

SHA256
ee8506da91dacbe0410e3da743fa6c8ae98f4b571eecd87fe82687e66cbc7f3b

SHA512
a0828d4d975bed42770d69f3091b140905d050df9ab667eaa921290c4ed073462efc256c070a864610b871db1e8c4966ccced562818801416bf21ab17f337c0a

Download Submit
C:\Windows\SysWOW64\GroupPolicy\User\Scripts\Logon\winlogo.exe

Filesize
197KB

MD5
b65e17a82359a42bf03921ced0fff478

SHA1
62f05f4f1f50e48e2754f54d363ea3cb4156e898

SHA256
ee8506da91dacbe0410e3da743fa6c8ae98f4b571eecd87fe82687e66cbc7f3b

SHA512
a0828d4d975bed42770d69f3091b140905d050df9ab667eaa921290c4ed073462efc256c070a864610b871db1e8c4966ccced562818801416bf21ab17f337c0a

Download Submit
C:\Windows\SysWOW64\GroupPolicy\User\Scripts\Logon\winlogo.exe

Filesize
197KB

MD5
b65e17a82359a42bf03921ced0fff478

SHA1
62f05f4f1f50e48e2754f54d363ea3cb4156e898

SHA256
ee8506da91dacbe0410e3da743fa6c8ae98f4b571eecd87fe82687e66cbc7f3b

SHA512
a0828d4d975bed42770d69f3091b140905d050df9ab667eaa921290c4ed073462efc256c070a864610b871db1e8c4966ccced562818801416bf21ab17f337c0a

Download Submit
C:\Windows\SysWOW64\GroupPolicy\User\Scripts\Logon\winlogo.exe

Filesize
197KB

MD5
b65e17a82359a42bf03921ced0fff478

SHA1
62f05f4f1f50e48e2754f54d363ea3cb4156e898

SHA256
ee8506da91dacbe0410e3da743fa6c8ae98f4b571eecd87fe82687e66cbc7f3b

SHA512
a0828d4d975bed42770d69f3091b140905d050df9ab667eaa921290c4ed073462efc256c070a864610b871db1e8c4966ccced562818801416bf21ab17f337c0a

Download Submit
C:\Windows\SysWOW64\GroupPolicy\User\Scripts\Logon\winlogo.exe

Filesize
197KB

MD5
b65e17a82359a42bf03921ced0fff478

SHA1
62f05f4f1f50e48e2754f54d363ea3cb4156e898

SHA256
ee8506da91dacbe0410e3da743fa6c8ae98f4b571eecd87fe82687e66cbc7f3b

SHA512
a0828d4d975bed42770d69f3091b140905d050df9ab667eaa921290c4ed073462efc256c070a864610b871db1e8c4966ccced562818801416bf21ab17f337c0a

Download Submit
C:\Windows\SysWOW64\GroupPolicy\User\Scripts\Logon\winlogo.exe

Filesize
197KB

MD5
b65e17a82359a42bf03921ced0fff478

SHA1
62f05f4f1f50e48e2754f54d363ea3cb4156e898

SHA256
ee8506da91dacbe0410e3da743fa6c8ae98f4b571eecd87fe82687e66cbc7f3b

SHA512
a0828d4d975bed42770d69f3091b140905d050df9ab667eaa921290c4ed073462efc256c070a864610b871db1e8c4966ccced562818801416bf21ab17f337c0a

Download Submit
C:\Windows\SysWOW64\GroupPolicy\User\Scripts\Logon\winlogo.exe

Filesize
197KB

MD5
b65e17a82359a42bf03921ced0fff478

SHA1
62f05f4f1f50e48e2754f54d363ea3cb4156e898

SHA256
ee8506da91dacbe0410e3da743fa6c8ae98f4b571eecd87fe82687e66cbc7f3b

SHA512
a0828d4d975bed42770d69f3091b140905d050df9ab667eaa921290c4ed073462efc256c070a864610b871db1e8c4966ccced562818801416bf21ab17f337c0a

Download Submit
C:\Windows\SysWOW64\GroupPolicy\User\Scripts\Logon\winlogo.exe

Filesize
197KB

MD5
b65e17a82359a42bf03921ced0fff478

SHA1
62f05f4f1f50e48e2754f54d363ea3cb4156e898

SHA256
ee8506da91dacbe0410e3da743fa6c8ae98f4b571eecd87fe82687e66cbc7f3b

SHA512
a0828d4d975bed42770d69f3091b140905d050df9ab667eaa921290c4ed073462efc256c070a864610b871db1e8c4966ccced562818801416bf21ab17f337c0a

Download Submit
C:\Windows\SysWOW64\GroupPolicy\User\Scripts\Logon\winlogo.exe

Filesize
197KB

MD5
b65e17a82359a42bf03921ced0fff478

SHA1
62f05f4f1f50e48e2754f54d363ea3cb4156e898

SHA256
ee8506da91dacbe0410e3da743fa6c8ae98f4b571eecd87fe82687e66cbc7f3b

SHA512
a0828d4d975bed42770d69f3091b140905d050df9ab667eaa921290c4ed073462efc256c070a864610b871db1e8c4966ccced562818801416bf21ab17f337c0a

Download Submit
C:\Windows\SysWOW64\GroupPolicy\User\Scripts\Logon\winlogo.exe

Filesize
197KB

MD5
b65e17a82359a42bf03921ced0fff478

SHA1
62f05f4f1f50e48e2754f54d363ea3cb4156e898

SHA256
ee8506da91dacbe0410e3da743fa6c8ae98f4b571eecd87fe82687e66cbc7f3b

SHA512
a0828d4d975bed42770d69f3091b140905d050df9ab667eaa921290c4ed073462efc256c070a864610b871db1e8c4966ccced562818801416bf21ab17f337c0a

Download Submit
C:\Windows\SysWOW64\GroupPolicy\User\Scripts\scripts.ini

Filesize
49B

MD5
24dadffd3eb142e1b510808fa1f41a16

SHA1
3f07d82c09b37de7c962b07abd30821674590658

SHA256
e00c8a2cbb301f52e8cff491e04657a6218bd569d2c9ff80a06b19d748e3d8dc

SHA512
de98151900c07e44e25168215f751781a2f00f6dc261e0c7774eb22418da1dd48d9cdb3c6f87657a0f8fb45350f3c23a54019fd1b1d2f0c7b3fb9a4e77bc07fe

Download Submit
C:\Windows\SysWOW64\GroupPolicy\User\Scripts\scripts.ini

Filesize
49B

MD5
24dadffd3eb142e1b510808fa1f41a16

SHA1
3f07d82c09b37de7c962b07abd30821674590658

SHA256
e00c8a2cbb301f52e8cff491e04657a6218bd569d2c9ff80a06b19d748e3d8dc

SHA512
de98151900c07e44e25168215f751781a2f00f6dc261e0c7774eb22418da1dd48d9cdb3c6f87657a0f8fb45350f3c23a54019fd1b1d2f0c7b3fb9a4e77bc07fe

Download Submit
C:\Windows\SysWOW64\GroupPolicy\User\Scripts\scripts.ini

Filesize
49B

MD5
24dadffd3eb142e1b510808fa1f41a16

SHA1
3f07d82c09b37de7c962b07abd30821674590658

SHA256
e00c8a2cbb301f52e8cff491e04657a6218bd569d2c9ff80a06b19d748e3d8dc

SHA512
de98151900c07e44e25168215f751781a2f00f6dc261e0c7774eb22418da1dd48d9cdb3c6f87657a0f8fb45350f3c23a54019fd1b1d2f0c7b3fb9a4e77bc07fe

Download Submit
C:\Windows\SysWOW64\GroupPolicy\User\Scripts\scripts.ini

Filesize
49B

MD5
24dadffd3eb142e1b510808fa1f41a16

SHA1
3f07d82c09b37de7c962b07abd30821674590658

SHA256
e00c8a2cbb301f52e8cff491e04657a6218bd569d2c9ff80a06b19d748e3d8dc

SHA512
de98151900c07e44e25168215f751781a2f00f6dc261e0c7774eb22418da1dd48d9cdb3c6f87657a0f8fb45350f3c23a54019fd1b1d2f0c7b3fb9a4e77bc07fe

Download Submit
C:\Windows\SysWOW64\GroupPolicy\User\Scripts\scripts.ini

Filesize
49B

MD5
24dadffd3eb142e1b510808fa1f41a16

SHA1
3f07d82c09b37de7c962b07abd30821674590658

SHA256
e00c8a2cbb301f52e8cff491e04657a6218bd569d2c9ff80a06b19d748e3d8dc

SHA512
de98151900c07e44e25168215f751781a2f00f6dc261e0c7774eb22418da1dd48d9cdb3c6f87657a0f8fb45350f3c23a54019fd1b1d2f0c7b3fb9a4e77bc07fe

Download Submit
C:\Windows\SysWOW64\GroupPolicy\User\Scripts\scripts.ini

Filesize
49B

MD5
24dadffd3eb142e1b510808fa1f41a16

SHA1
3f07d82c09b37de7c962b07abd30821674590658

SHA256
e00c8a2cbb301f52e8cff491e04657a6218bd569d2c9ff80a06b19d748e3d8dc

SHA512
de98151900c07e44e25168215f751781a2f00f6dc261e0c7774eb22418da1dd48d9cdb3c6f87657a0f8fb45350f3c23a54019fd1b1d2f0c7b3fb9a4e77bc07fe

Download Submit
C:\Windows\SysWOW64\GroupPolicy\User\Scripts\scripts.ini

Filesize
49B

MD5
24dadffd3eb142e1b510808fa1f41a16

SHA1
3f07d82c09b37de7c962b07abd30821674590658

SHA256
e00c8a2cbb301f52e8cff491e04657a6218bd569d2c9ff80a06b19d748e3d8dc

SHA512
de98151900c07e44e25168215f751781a2f00f6dc261e0c7774eb22418da1dd48d9cdb3c6f87657a0f8fb45350f3c23a54019fd1b1d2f0c7b3fb9a4e77bc07fe

Download Submit
C:\Windows\SysWOW64\GroupPolicy\User\Scripts\scripts.ini

Filesize
49B

MD5
24dadffd3eb142e1b510808fa1f41a16

SHA1
3f07d82c09b37de7c962b07abd30821674590658

SHA256
e00c8a2cbb301f52e8cff491e04657a6218bd569d2c9ff80a06b19d748e3d8dc

SHA512
de98151900c07e44e25168215f751781a2f00f6dc261e0c7774eb22418da1dd48d9cdb3c6f87657a0f8fb45350f3c23a54019fd1b1d2f0c7b3fb9a4e77bc07fe

Download Submit
C:\Windows\SysWOW64\GroupPolicy\User\Scripts\scripts.ini

Filesize
49B

MD5
24dadffd3eb142e1b510808fa1f41a16

SHA1
3f07d82c09b37de7c962b07abd30821674590658

SHA256
e00c8a2cbb301f52e8cff491e04657a6218bd569d2c9ff80a06b19d748e3d8dc

SHA512
de98151900c07e44e25168215f751781a2f00f6dc261e0c7774eb22418da1dd48d9cdb3c6f87657a0f8fb45350f3c23a54019fd1b1d2f0c7b3fb9a4e77bc07fe

Download Submit
C:\Windows\SysWOW64\GroupPolicy\User\Scripts\scripts.ini

Filesize
49B

MD5
24dadffd3eb142e1b510808fa1f41a16

SHA1
3f07d82c09b37de7c962b07abd30821674590658

SHA256
e00c8a2cbb301f52e8cff491e04657a6218bd569d2c9ff80a06b19d748e3d8dc

SHA512
de98151900c07e44e25168215f751781a2f00f6dc261e0c7774eb22418da1dd48d9cdb3c6f87657a0f8fb45350f3c23a54019fd1b1d2f0c7b3fb9a4e77bc07fe

Download Submit
C:\Windows\SysWOW64\GroupPolicy\User\Scripts\scripts.ini

Filesize
49B

MD5
24dadffd3eb142e1b510808fa1f41a16

SHA1
3f07d82c09b37de7c962b07abd30821674590658

SHA256
e00c8a2cbb301f52e8cff491e04657a6218bd569d2c9ff80a06b19d748e3d8dc

SHA512
de98151900c07e44e25168215f751781a2f00f6dc261e0c7774eb22418da1dd48d9cdb3c6f87657a0f8fb45350f3c23a54019fd1b1d2f0c7b3fb9a4e77bc07fe

Download Submit
C:\Windows\SysWOW64\GroupPolicy\User\Scripts\scripts.ini

Filesize
49B

MD5
24dadffd3eb142e1b510808fa1f41a16

SHA1
3f07d82c09b37de7c962b07abd30821674590658

SHA256
e00c8a2cbb301f52e8cff491e04657a6218bd569d2c9ff80a06b19d748e3d8dc

SHA512
de98151900c07e44e25168215f751781a2f00f6dc261e0c7774eb22418da1dd48d9cdb3c6f87657a0f8fb45350f3c23a54019fd1b1d2f0c7b3fb9a4e77bc07fe

Download Submit
C:\Windows\SysWOW64\GroupPolicy\User\Scripts\scripts.ini

Filesize
49B

MD5
24dadffd3eb142e1b510808fa1f41a16

SHA1
3f07d82c09b37de7c962b07abd30821674590658

SHA256
e00c8a2cbb301f52e8cff491e04657a6218bd569d2c9ff80a06b19d748e3d8dc

SHA512
de98151900c07e44e25168215f751781a2f00f6dc261e0c7774eb22418da1dd48d9cdb3c6f87657a0f8fb45350f3c23a54019fd1b1d2f0c7b3fb9a4e77bc07fe

Download Submit
C:\Windows\SysWOW64\GroupPolicy\User\Scripts\scripts.ini

Filesize
49B

MD5
24dadffd3eb142e1b510808fa1f41a16

SHA1
3f07d82c09b37de7c962b07abd30821674590658

SHA256
e00c8a2cbb301f52e8cff491e04657a6218bd569d2c9ff80a06b19d748e3d8dc

SHA512
de98151900c07e44e25168215f751781a2f00f6dc261e0c7774eb22418da1dd48d9cdb3c6f87657a0f8fb45350f3c23a54019fd1b1d2f0c7b3fb9a4e77bc07fe

Download Submit
C:\Windows\SysWOW64\GroupPolicy\User\Scripts\scripts.ini

Filesize
49B

MD5
24dadffd3eb142e1b510808fa1f41a16

SHA1
3f07d82c09b37de7c962b07abd30821674590658

SHA256
e00c8a2cbb301f52e8cff491e04657a6218bd569d2c9ff80a06b19d748e3d8dc

SHA512
de98151900c07e44e25168215f751781a2f00f6dc261e0c7774eb22418da1dd48d9cdb3c6f87657a0f8fb45350f3c23a54019fd1b1d2f0c7b3fb9a4e77bc07fe

Download Submit
C:\Windows\SysWOW64\GroupPolicy\gpt.ini

Filesize
263B

MD5
aa213b03fdf5a0d6d97bac1b4c8f20e4

SHA1
f5e1e150c2691d339a339a88f222df9c13a2dc8b

SHA256
cb4da959a75b71fcf859cbf2a4a16892e7bd84537cfdcdd208a544cf8e994fa4

SHA512
cfb69d5086aa7846edacb1fc12fa8ff3e562c131682bf12bd48af98eba8d09c69a93a4f1590e1e08724213b3f3862894838002757fa5a6536462149f9a831b22

Download Submit
C:\Windows\SysWOW64\GroupPolicy\gpt.ini

Filesize
263B

MD5
aa213b03fdf5a0d6d97bac1b4c8f20e4

SHA1
f5e1e150c2691d339a339a88f222df9c13a2dc8b

SHA256
cb4da959a75b71fcf859cbf2a4a16892e7bd84537cfdcdd208a544cf8e994fa4

SHA512
cfb69d5086aa7846edacb1fc12fa8ff3e562c131682bf12bd48af98eba8d09c69a93a4f1590e1e08724213b3f3862894838002757fa5a6536462149f9a831b22

Download Submit
C:\Windows\SysWOW64\GroupPolicy\gpt.ini

Filesize
263B

MD5
aa213b03fdf5a0d6d97bac1b4c8f20e4

SHA1
f5e1e150c2691d339a339a88f222df9c13a2dc8b

SHA256
cb4da959a75b71fcf859cbf2a4a16892e7bd84537cfdcdd208a544cf8e994fa4

SHA512
cfb69d5086aa7846edacb1fc12fa8ff3e562c131682bf12bd48af98eba8d09c69a93a4f1590e1e08724213b3f3862894838002757fa5a6536462149f9a831b22

Download Submit
C:\Windows\SysWOW64\GroupPolicy\gpt.ini

Filesize
263B

MD5
aa213b03fdf5a0d6d97bac1b4c8f20e4

SHA1
f5e1e150c2691d339a339a88f222df9c13a2dc8b

SHA256
cb4da959a75b71fcf859cbf2a4a16892e7bd84537cfdcdd208a544cf8e994fa4

SHA512
cfb69d5086aa7846edacb1fc12fa8ff3e562c131682bf12bd48af98eba8d09c69a93a4f1590e1e08724213b3f3862894838002757fa5a6536462149f9a831b22

Download Submit
C:\Windows\SysWOW64\GroupPolicy\gpt.ini

Filesize
263B

MD5
aa213b03fdf5a0d6d97bac1b4c8f20e4

SHA1
f5e1e150c2691d339a339a88f222df9c13a2dc8b

SHA256
cb4da959a75b71fcf859cbf2a4a16892e7bd84537cfdcdd208a544cf8e994fa4

SHA512
cfb69d5086aa7846edacb1fc12fa8ff3e562c131682bf12bd48af98eba8d09c69a93a4f1590e1e08724213b3f3862894838002757fa5a6536462149f9a831b22

Download Submit
C:\Windows\SysWOW64\GroupPolicy\gpt.ini

Filesize
263B

MD5
aa213b03fdf5a0d6d97bac1b4c8f20e4

SHA1
f5e1e150c2691d339a339a88f222df9c13a2dc8b

SHA256
cb4da959a75b71fcf859cbf2a4a16892e7bd84537cfdcdd208a544cf8e994fa4

SHA512
cfb69d5086aa7846edacb1fc12fa8ff3e562c131682bf12bd48af98eba8d09c69a93a4f1590e1e08724213b3f3862894838002757fa5a6536462149f9a831b22

Download Submit
C:\Windows\SysWOW64\GroupPolicy\gpt.ini

Filesize
263B

MD5
aa213b03fdf5a0d6d97bac1b4c8f20e4

SHA1
f5e1e150c2691d339a339a88f222df9c13a2dc8b

SHA256
cb4da959a75b71fcf859cbf2a4a16892e7bd84537cfdcdd208a544cf8e994fa4

SHA512
cfb69d5086aa7846edacb1fc12fa8ff3e562c131682bf12bd48af98eba8d09c69a93a4f1590e1e08724213b3f3862894838002757fa5a6536462149f9a831b22

Download Submit
C:\Windows\SysWOW64\GroupPolicy\gpt.ini

Filesize
263B

MD5
aa213b03fdf5a0d6d97bac1b4c8f20e4

SHA1
f5e1e150c2691d339a339a88f222df9c13a2dc8b

SHA256
cb4da959a75b71fcf859cbf2a4a16892e7bd84537cfdcdd208a544cf8e994fa4

SHA512
cfb69d5086aa7846edacb1fc12fa8ff3e562c131682bf12bd48af98eba8d09c69a93a4f1590e1e08724213b3f3862894838002757fa5a6536462149f9a831b22

Download Submit
C:\Windows\SysWOW64\GroupPolicy\gpt.ini

Filesize
263B

MD5
aa213b03fdf5a0d6d97bac1b4c8f20e4

SHA1
f5e1e150c2691d339a339a88f222df9c13a2dc8b

SHA256
cb4da959a75b71fcf859cbf2a4a16892e7bd84537cfdcdd208a544cf8e994fa4

SHA512
cfb69d5086aa7846edacb1fc12fa8ff3e562c131682bf12bd48af98eba8d09c69a93a4f1590e1e08724213b3f3862894838002757fa5a6536462149f9a831b22

Download Submit
C:\Windows\SysWOW64\GroupPolicy\gpt.ini

Filesize
256B

MD5
d45f84baceadc572fb6d8562576d0d3b

SHA1
412dead1c983e04a15639d7dee5a39b53f4bb4a2

SHA256
6d26d215dc24020542e6efed99870da2b403b98684a349761a370c191f8008df

SHA512
3ee25864a4bc53504618de074879581c8eec226e3f2a15c7e3abf0fc98157ecf9be1e2ef5d12b70cb7279dd4c19041b46fb44c7046a08529d063a7588187884b

Download Submit
C:\Windows\SysWOW64\GroupPolicy\gpt.ini

Filesize
263B

MD5
aa213b03fdf5a0d6d97bac1b4c8f20e4

SHA1
f5e1e150c2691d339a339a88f222df9c13a2dc8b

SHA256
cb4da959a75b71fcf859cbf2a4a16892e7bd84537cfdcdd208a544cf8e994fa4

SHA512
cfb69d5086aa7846edacb1fc12fa8ff3e562c131682bf12bd48af98eba8d09c69a93a4f1590e1e08724213b3f3862894838002757fa5a6536462149f9a831b22

Download Submit
C:\Windows\SysWOW64\GroupPolicy\gpt.ini

Filesize
263B

MD5
aa213b03fdf5a0d6d97bac1b4c8f20e4

SHA1
f5e1e150c2691d339a339a88f222df9c13a2dc8b

SHA256
cb4da959a75b71fcf859cbf2a4a16892e7bd84537cfdcdd208a544cf8e994fa4

SHA512
cfb69d5086aa7846edacb1fc12fa8ff3e562c131682bf12bd48af98eba8d09c69a93a4f1590e1e08724213b3f3862894838002757fa5a6536462149f9a831b22

Download Submit
C:\Windows\SysWOW64\GroupPolicy\gpt.ini

Filesize
263B

MD5
aa213b03fdf5a0d6d97bac1b4c8f20e4

SHA1
f5e1e150c2691d339a339a88f222df9c13a2dc8b

SHA256
cb4da959a75b71fcf859cbf2a4a16892e7bd84537cfdcdd208a544cf8e994fa4

SHA512
cfb69d5086aa7846edacb1fc12fa8ff3e562c131682bf12bd48af98eba8d09c69a93a4f1590e1e08724213b3f3862894838002757fa5a6536462149f9a831b22

Download Submit
C:\Windows\SysWOW64\GroupPolicy\gpt.ini

Filesize
263B

MD5
aa213b03fdf5a0d6d97bac1b4c8f20e4

SHA1
f5e1e150c2691d339a339a88f222df9c13a2dc8b

SHA256
cb4da959a75b71fcf859cbf2a4a16892e7bd84537cfdcdd208a544cf8e994fa4

SHA512
cfb69d5086aa7846edacb1fc12fa8ff3e562c131682bf12bd48af98eba8d09c69a93a4f1590e1e08724213b3f3862894838002757fa5a6536462149f9a831b22

Download Submit
C:\Windows\SysWOW64\GroupPolicy\gpt.ini

Filesize
263B

MD5
aa213b03fdf5a0d6d97bac1b4c8f20e4

SHA1
f5e1e150c2691d339a339a88f222df9c13a2dc8b

SHA256
cb4da959a75b71fcf859cbf2a4a16892e7bd84537cfdcdd208a544cf8e994fa4

SHA512
cfb69d5086aa7846edacb1fc12fa8ff3e562c131682bf12bd48af98eba8d09c69a93a4f1590e1e08724213b3f3862894838002757fa5a6536462149f9a831b22

Download Submit
C:\Windows\SysWOW64\GroupPolicy\gpt.ini

Filesize
263B

MD5
aa213b03fdf5a0d6d97bac1b4c8f20e4

SHA1
f5e1e150c2691d339a339a88f222df9c13a2dc8b

SHA256
cb4da959a75b71fcf859cbf2a4a16892e7bd84537cfdcdd208a544cf8e994fa4

SHA512
cfb69d5086aa7846edacb1fc12fa8ff3e562c131682bf12bd48af98eba8d09c69a93a4f1590e1e08724213b3f3862894838002757fa5a6536462149f9a831b22

Download Submit
memory/176-169-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/344-315-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/508-229-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/792-245-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/868-292-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/992-316-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/1088-256-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/1184-230-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/1216-202-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/1520-285-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/1560-275-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/1576-246-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/1684-274-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/1712-271-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/1724-260-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/1812-234-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/1872-205-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/1892-171-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/1976-259-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/2124-248-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/2152-303-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/2208-235-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/2208-320-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/2216-276-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/2228-305-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/2236-243-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/2296-286-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/2420-247-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/2472-204-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/2508-304-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/2732-291-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/2868-288-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/3176-263-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/3368-201-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/3404-133-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/3480-278-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/3496-233-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/3636-172-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/3696-277-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/3772-232-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/3792-258-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/3796-167-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/3916-314-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/4044-319-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/4056-257-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/4124-272-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/4200-262-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/4224-231-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/4232-165-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/4240-313-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/4284-290-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/4336-207-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/4400-242-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/4456-324-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/4524-289-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/4568-318-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/4584-299-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/4588-317-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/4684-166-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/4692-300-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/4720-306-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/4748-264-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/4860-301-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/5064-203-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download