62834214d7284ddb935afd40b7b6ec0d2b9a138333bb33a0e386c6793afbf077

Analysis

max time kernel
31s
max time network
18s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
18/01/2024, 00:32

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

64028b0dc46078f1e2e49f41372d3273.exe
Size

196KB
MD5

64028b0dc46078f1e2e49f41372d3273
SHA1

bdb89a3aaabbc31167c8e5ccd4b23dfd178255d1
SHA256

62834214d7284ddb935afd40b7b6ec0d2b9a138333bb33a0e386c6793afbf077
SHA512

18790a92ac918af35df3c36d8b20e5beacd075a25309b1e50acf13c5e06e6550618c51f702877b8e051c4be227ef446ce74fc0d5a46b704850edbcd4f3a427fd
SSDEEP

6144:0xg+KSsJsbCvxRmv8SGKBtw30F5Tvv6x1V:29KfJ+A8B/Ftvv6x1

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 64 IoCs

pid	Process
2296	wmi.exe
2728	wmi.exe
3036	wmi.exe
2712	wmi.exe
2608	wmi.exe
2868	wmi.exe
660	wmi.exe
272	wmi.exe
2972	wmi.exe
2808	wmi.exe
2564	wmi.exe
560	wmi.exe
2888	wmi.exe
1904	wmi.exe
2936	wmi.exe
1796	wmi.exe
1640	wmi.exe
616	wmi.exe
1992	wmi.exe
3048	wmi.exe
2424	wmi.exe
2752	wmi.exe
1544	wmi.exe
2056	wmi.exe
412	wmi.exe
2024	wmi.exe
484	wmi.exe
1392	wmi.exe
2440	wmi.exe
1348	wmi.exe
912	wmi.exe
1676	wmi.exe
1664	wmi.exe
1280	wmi.exe
1100	wmi.exe
2244	wmi.exe
1456	wmi.exe
2252	wmi.exe
2124	wmi.exe
2112	wmi.exe
2452	wmi.exe
1708	wmi.exe
872	wmi.exe
2096	wmi.exe
2496	wmi.exe
2448	wmi.exe
1584	wmi.exe
1612	wmi.exe
2432	wmi.exe
2680	wmi.exe
2840	wmi.exe
1980	wmi.exe
2708	wmi.exe
2604	wmi.exe
2324	wmi.exe
2612	wmi.exe
2588	wmi.exe
2740	wmi.exe
2688	wmi.exe
2696	wmi.exe
1272	wmi.exe
2172	wmi.exe
576	wmi.exe
1088	wmi.exe

Loads dropped DLL 64 IoCs

pid	Process
2100	64028b0dc46078f1e2e49f41372d3273.exe
2100	64028b0dc46078f1e2e49f41372d3273.exe
2296	wmi.exe
2296	wmi.exe
2728	wmi.exe
2728	wmi.exe
3036	wmi.exe
3036	wmi.exe
2712	wmi.exe
2712	wmi.exe
2608	wmi.exe
2608	wmi.exe
2868	wmi.exe
2868	wmi.exe
660	wmi.exe
660	wmi.exe
272	wmi.exe
272	wmi.exe
2972	wmi.exe
2972	wmi.exe
2808	wmi.exe
2808	wmi.exe
2564	wmi.exe
2564	wmi.exe
560	wmi.exe
560	wmi.exe
2888	wmi.exe
2888	wmi.exe
1904	wmi.exe
1904	wmi.exe
2936	wmi.exe
2936	wmi.exe
1796	wmi.exe
1796	wmi.exe
1640	wmi.exe
1640	wmi.exe
616	wmi.exe
616	wmi.exe
1992	wmi.exe
1992	wmi.exe
3048	wmi.exe
3048	wmi.exe
2424	wmi.exe
2424	wmi.exe
2752	wmi.exe
2752	wmi.exe
1544	wmi.exe
1544	wmi.exe
2056	wmi.exe
2056	wmi.exe
412	wmi.exe
412	wmi.exe
2024	wmi.exe
2024	wmi.exe
484	wmi.exe
484	wmi.exe
1392	wmi.exe
1392	wmi.exe
2440	wmi.exe
2440	wmi.exe
1348	wmi.exe
1348	wmi.exe
912	wmi.exe
912	wmi.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\GroupPolicy\User\Scripts\scripts.ini	wmi.exe
File opened for modification	C:\Windows\SysWOW64\GroupPolicy\User\Scripts\Logon\autorun.bat	wmi.exe
File opened for modification	C:\Windows\SysWOW64\GroupPolicy\User\Scripts\scripts.ini	wmi.exe
File opened for modification	C:\Windows\SysWOW64\GroupPolicy\User\Scripts\scripts.ini	wmi.exe
File opened for modification	C:\Windows\SysWOW64\GroupPolicy\gpt.ini	wmi.exe
File created	C:\Windows\SysWOW64\GroupPolicy\User\Scripts\Logon\wmi.exe	wmi.exe
File created	C:\Windows\SysWOW64\GroupPolicy\User\Scripts\Logon\wmi.exe	wmi.exe
File opened for modification	C:\Windows\SysWOW64\GroupPolicy\User\Scripts\scripts.ini	wmi.exe
File opened for modification	C:\Windows\SysWOW64\GroupPolicy\gpt.ini	wmi.exe
File opened for modification	C:\Windows\SysWOW64\GroupPolicy\gpt.ini	wmi.exe
File opened for modification	C:\Windows\SysWOW64\GroupPolicy\User\Scripts\Logon\autorun.bat	wmi.exe
File opened for modification	C:\Windows\SysWOW64\GroupPolicy\gpt.ini	wmi.exe
File opened for modification	C:\Windows\SysWOW64\GroupPolicy\User\Scripts\scripts.ini	wmi.exe
File opened for modification	C:\Windows\SysWOW64\GroupPolicy\User\Scripts\scripts.ini	wmi.exe
File opened for modification	C:\Windows\SysWOW64\GroupPolicy\User\Scripts\Logon\autorun.bat	wmi.exe
File opened for modification	C:\Windows\SysWOW64\GroupPolicy\gpt.ini	wmi.exe
File opened for modification	C:\Windows\SysWOW64\GroupPolicy\gpt.ini	wmi.exe
File opened for modification	C:\Windows\SysWOW64\GroupPolicy\gpt.ini	wmi.exe
File opened for modification	C:\Windows\SysWOW64\GroupPolicy\gpt.ini	wmi.exe
File opened for modification	C:\Windows\SysWOW64\GroupPolicy\gpt.ini	wmi.exe
File opened for modification	C:\Windows\SysWOW64\GroupPolicy\gpt.ini	wmi.exe
File opened for modification	C:\Windows\SysWOW64\GroupPolicy\gpt.ini	wmi.exe
File created	C:\Windows\SysWOW64\GroupPolicy\User\Scripts\Logon\wmi.exe	wmi.exe
File created	C:\Windows\SysWOW64\GroupPolicy\User\Scripts\Logon\wmi.exe	wmi.exe
File opened for modification	C:\Windows\SysWOW64\GroupPolicy\gpt.ini	wmi.exe
File opened for modification	C:\Windows\SysWOW64\GroupPolicy\User\Scripts\Logon\autorun.bat	wmi.exe
File opened for modification	C:\Windows\SysWOW64\GroupPolicy\User\Scripts\Logon\autorun.bat	wmi.exe
File opened for modification	C:\Windows\SysWOW64\GroupPolicy\User\Scripts\Logon\autorun.bat	wmi.exe
File opened for modification	C:\Windows\SysWOW64\GroupPolicy\gpt.ini	wmi.exe
File opened for modification	C:\Windows\SysWOW64\GroupPolicy\gpt.ini	wmi.exe
File opened for modification	C:\Windows\SysWOW64\GroupPolicy\User\Scripts\scripts.ini	wmi.exe
File opened for modification	C:\Windows\SysWOW64\GroupPolicy\User\Scripts\scripts.ini	wmi.exe
File opened for modification	C:\Windows\SysWOW64\GroupPolicy\User\Scripts\scripts.ini	wmi.exe
File opened for modification	C:\Windows\SysWOW64\GroupPolicy\User\Scripts\Logon\autorun.bat	wmi.exe
File opened for modification	C:\Windows\SysWOW64\GroupPolicy\gpt.ini	wmi.exe
File opened for modification	C:\Windows\SysWOW64\GroupPolicy\User\Scripts\scripts.ini	wmi.exe
File opened for modification	C:\Windows\SysWOW64\GroupPolicy\gpt.ini	wmi.exe
File opened for modification	C:\Windows\SysWOW64\GroupPolicy\User\Scripts\scripts.ini	wmi.exe
File opened for modification	C:\Windows\SysWOW64\GroupPolicy\User\Scripts\Logon\autorun.bat	wmi.exe
File created	C:\Windows\SysWOW64\GroupPolicy\User\Scripts\Logon\wmi.exe	wmi.exe
File opened for modification	C:\Windows\SysWOW64\GroupPolicy\gpt.ini	wmi.exe
File opened for modification	C:\Windows\SysWOW64\GroupPolicy\gpt.ini	wmi.exe
File opened for modification	C:\Windows\SysWOW64\GroupPolicy\User\Scripts\Logon\autorun.bat	wmi.exe
File created	C:\Windows\SysWOW64\GroupPolicy\User\Scripts\Logon\wmi.exe	wmi.exe
File opened for modification	C:\Windows\SysWOW64\GroupPolicy\User\Scripts\scripts.ini	wmi.exe
File opened for modification	C:\Windows\SysWOW64\GroupPolicy\User\Scripts\Logon\autorun.bat	wmi.exe
File opened for modification	C:\Windows\SysWOW64\GroupPolicy\User\Scripts\scripts.ini	wmi.exe
File created	C:\Windows\SysWOW64\GroupPolicy\User\Scripts\Logon\wmi.exe	wmi.exe
File opened for modification	C:\Windows\SysWOW64\GroupPolicy\User\Scripts\Logon\autorun.bat	wmi.exe
File opened for modification	C:\Windows\SysWOW64\GroupPolicy\gpt.ini	wmi.exe
File opened for modification	C:\Windows\SysWOW64\GroupPolicy\gpt.ini	wmi.exe
File created	C:\Windows\SysWOW64\GroupPolicy\User\Scripts\Logon\wmi.exe	wmi.exe
File opened for modification	C:\Windows\SysWOW64\GroupPolicy\User\Scripts\scripts.ini	wmi.exe
File created	C:\Windows\SysWOW64\GroupPolicy\User\Scripts\Logon\wmi.exe	wmi.exe
File opened for modification	C:\Windows\SysWOW64\GroupPolicy\User\Scripts\Logon\autorun.bat	wmi.exe
File created	C:\Windows\SysWOW64\GroupPolicy\User\Scripts\Logon\wmi.exe	wmi.exe
File opened for modification	C:\Windows\SysWOW64\GroupPolicy\User\Scripts\scripts.ini	wmi.exe
File opened for modification	C:\Windows\SysWOW64\GroupPolicy\User\Scripts\Logon\autorun.bat	wmi.exe
File opened for modification	C:\Windows\SysWOW64\GroupPolicy\User\Scripts\Logon\autorun.bat	wmi.exe
File opened for modification	C:\Windows\SysWOW64\GroupPolicy\User\Scripts\Logon\autorun.bat	wmi.exe
File created	C:\Windows\SysWOW64\GroupPolicy\User\Scripts\Logon\wmi.exe	wmi.exe
File created	C:\Windows\SysWOW64\GroupPolicy\User\Scripts\Logon\wmi.exe	wmi.exe
File created	C:\Windows\SysWOW64\GroupPolicy\User\Scripts\Logon\wmi.exe	wmi.exe
File created	C:\Windows\SysWOW64\GroupPolicy\User\Scripts\Logon\wmi.exe	wmi.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2100	64028b0dc46078f1e2e49f41372d3273.exe
2100	64028b0dc46078f1e2e49f41372d3273.exe
2100	64028b0dc46078f1e2e49f41372d3273.exe
2296	wmi.exe
2296	wmi.exe
2296	wmi.exe
2728	wmi.exe
2728	wmi.exe
2728	wmi.exe
3036	wmi.exe
3036	wmi.exe
3036	wmi.exe
2712	wmi.exe
2712	wmi.exe
2712	wmi.exe
2608	wmi.exe
2608	wmi.exe
2608	wmi.exe
2868	wmi.exe
2868	wmi.exe
2868	wmi.exe
660	wmi.exe
660	wmi.exe
660	wmi.exe
272	wmi.exe
272	wmi.exe
272	wmi.exe
2972	wmi.exe
2972	wmi.exe
2972	wmi.exe
2808	wmi.exe
2808	wmi.exe
2808	wmi.exe
2564	wmi.exe
2564	wmi.exe
2564	wmi.exe
560	wmi.exe
560	wmi.exe
560	wmi.exe
2888	wmi.exe
2888	wmi.exe
2888	wmi.exe
1904	wmi.exe
1904	wmi.exe
1904	wmi.exe
2936	wmi.exe
2936	wmi.exe
2936	wmi.exe
1796	wmi.exe
1796	wmi.exe
1796	wmi.exe
1640	wmi.exe
1640	wmi.exe
1640	wmi.exe
616	wmi.exe
616	wmi.exe
616	wmi.exe
1992	wmi.exe
1992	wmi.exe
1992	wmi.exe
3048	wmi.exe
3048	wmi.exe
3048	wmi.exe
2424	wmi.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	2100	64028b0dc46078f1e2e49f41372d3273.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2100 wrote to memory of 2296	2100	64028b0dc46078f1e2e49f41372d3273.exe	28
PID 2100 wrote to memory of 2296	2100	64028b0dc46078f1e2e49f41372d3273.exe	28
PID 2100 wrote to memory of 2296	2100	64028b0dc46078f1e2e49f41372d3273.exe	28
PID 2100 wrote to memory of 2296	2100	64028b0dc46078f1e2e49f41372d3273.exe	28
PID 2296 wrote to memory of 2728	2296	wmi.exe	29
PID 2296 wrote to memory of 2728	2296	wmi.exe	29
PID 2296 wrote to memory of 2728	2296	wmi.exe	29
PID 2296 wrote to memory of 2728	2296	wmi.exe	29
PID 2728 wrote to memory of 3036	2728	wmi.exe	30
PID 2728 wrote to memory of 3036	2728	wmi.exe	30
PID 2728 wrote to memory of 3036	2728	wmi.exe	30
PID 2728 wrote to memory of 3036	2728	wmi.exe	30
PID 3036 wrote to memory of 2712	3036	wmi.exe	31
PID 3036 wrote to memory of 2712	3036	wmi.exe	31
PID 3036 wrote to memory of 2712	3036	wmi.exe	31
PID 3036 wrote to memory of 2712	3036	wmi.exe	31
PID 2712 wrote to memory of 2608	2712	wmi.exe	45
PID 2712 wrote to memory of 2608	2712	wmi.exe	45
PID 2712 wrote to memory of 2608	2712	wmi.exe	45
PID 2712 wrote to memory of 2608	2712	wmi.exe	45
PID 2608 wrote to memory of 2868	2608	wmi.exe	44
PID 2608 wrote to memory of 2868	2608	wmi.exe	44
PID 2608 wrote to memory of 2868	2608	wmi.exe	44
PID 2608 wrote to memory of 2868	2608	wmi.exe	44
PID 2868 wrote to memory of 660	2868	wmi.exe	32
PID 2868 wrote to memory of 660	2868	wmi.exe	32
PID 2868 wrote to memory of 660	2868	wmi.exe	32
PID 2868 wrote to memory of 660	2868	wmi.exe	32
PID 660 wrote to memory of 272	660	wmi.exe	41
PID 660 wrote to memory of 272	660	wmi.exe	41
PID 660 wrote to memory of 272	660	wmi.exe	41
PID 660 wrote to memory of 272	660	wmi.exe	41
PID 272 wrote to memory of 2972	272	wmi.exe	38
PID 272 wrote to memory of 2972	272	wmi.exe	38
PID 272 wrote to memory of 2972	272	wmi.exe	38
PID 272 wrote to memory of 2972	272	wmi.exe	38
PID 2972 wrote to memory of 2808	2972	wmi.exe	36
PID 2972 wrote to memory of 2808	2972	wmi.exe	36
PID 2972 wrote to memory of 2808	2972	wmi.exe	36
PID 2972 wrote to memory of 2808	2972	wmi.exe	36
PID 2808 wrote to memory of 2564	2808	wmi.exe	33
PID 2808 wrote to memory of 2564	2808	wmi.exe	33
PID 2808 wrote to memory of 2564	2808	wmi.exe	33
PID 2808 wrote to memory of 2564	2808	wmi.exe	33
PID 2564 wrote to memory of 560	2564	wmi.exe	34
PID 2564 wrote to memory of 560	2564	wmi.exe	34
PID 2564 wrote to memory of 560	2564	wmi.exe	34
PID 2564 wrote to memory of 560	2564	wmi.exe	34
PID 560 wrote to memory of 2888	560	wmi.exe	35
PID 560 wrote to memory of 2888	560	wmi.exe	35
PID 560 wrote to memory of 2888	560	wmi.exe	35
PID 560 wrote to memory of 2888	560	wmi.exe	35
PID 2888 wrote to memory of 1904	2888	wmi.exe	37
PID 2888 wrote to memory of 1904	2888	wmi.exe	37
PID 2888 wrote to memory of 1904	2888	wmi.exe	37
PID 2888 wrote to memory of 1904	2888	wmi.exe	37
PID 1904 wrote to memory of 2936	1904	wmi.exe	39
PID 1904 wrote to memory of 2936	1904	wmi.exe	39
PID 1904 wrote to memory of 2936	1904	wmi.exe	39
PID 1904 wrote to memory of 2936	1904	wmi.exe	39
PID 2936 wrote to memory of 1796	2936	wmi.exe	40
PID 2936 wrote to memory of 1796	2936	wmi.exe	40
PID 2936 wrote to memory of 1796	2936	wmi.exe	40
PID 2936 wrote to memory of 1796	2936	wmi.exe	40

C:\Users\Admin\AppData\Local\Temp\64028b0dc46078f1e2e49f41372d3273.exe
"C:\Users\Admin\AppData\Local\Temp\64028b0dc46078f1e2e49f41372d3273.exe"
1⤵
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2100
- C:\Windows\SysWOW64\GroupPolicy\User\Scripts\Logon\wmi.exe
  C:\Windows\system32\GroupPolicy\User\Scripts\Logon\wmi.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:2296
- - C:\Windows\SysWOW64\GroupPolicy\User\Scripts\Logon\wmi.exe
    C:\Windows\system32\GroupPolicy\User\Scripts\Logon\wmi.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in System32 directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:2728
  - - C:\Windows\SysWOW64\GroupPolicy\User\Scripts\Logon\wmi.exe
      C:\Windows\system32\GroupPolicy\User\Scripts\Logon\wmi.exe
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of WriteProcessMemory
      PID:3036
    - - C:\Windows\SysWOW64\GroupPolicy\User\Scripts\Logon\wmi.exe
        
        C:\Windows\system32\GroupPolicy\User\Scripts\Logon\wmi.exe
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of WriteProcessMemory
        
        PID:2712
      - C:\Windows\SysWOW64\GroupPolicy\User\Scripts\Logon\wmi.exe
        
        C:\Windows\system32\GroupPolicy\User\Scripts\Logon\wmi.exe
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of WriteProcessMemory
        
        PID:2608
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /c del /f /q "C:\Windows\SysWOW64\GROUPP~1\User\Scripts\Logon\wmi.exe" > nul
    3⤵
    PID:3148
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\system32\cmd.exe" /c del /f /q "C:\Users\Admin\AppData\Local\Temp\64028B~1.EXE" > nul
  2⤵
  PID:3092

C:\Windows\SysWOW64\GroupPolicy\User\Scripts\Logon\wmi.exe
C:\Windows\system32\GroupPolicy\User\Scripts\Logon\wmi.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:660
- C:\Windows\SysWOW64\GroupPolicy\User\Scripts\Logon\wmi.exe
  C:\Windows\system32\GroupPolicy\User\Scripts\Logon\wmi.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:272

C:\Windows\SysWOW64\GroupPolicy\User\Scripts\Logon\wmi.exe
C:\Windows\system32\GroupPolicy\User\Scripts\Logon\wmi.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2564
- C:\Windows\SysWOW64\GroupPolicy\User\Scripts\Logon\wmi.exe
  C:\Windows\system32\GroupPolicy\User\Scripts\Logon\wmi.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:560
- - C:\Windows\SysWOW64\GroupPolicy\User\Scripts\Logon\wmi.exe
    C:\Windows\system32\GroupPolicy\User\Scripts\Logon\wmi.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:2888
  - - C:\Windows\SysWOW64\GroupPolicy\User\Scripts\Logon\wmi.exe
      C:\Windows\system32\GroupPolicy\User\Scripts\Logon\wmi.exe
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of WriteProcessMemory
      PID:1904
    - - C:\Windows\SysWOW64\GroupPolicy\User\Scripts\Logon\wmi.exe
        
        C:\Windows\system32\GroupPolicy\User\Scripts\Logon\wmi.exe
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of WriteProcessMemory
        
        PID:2936
      - C:\Windows\SysWOW64\GroupPolicy\User\Scripts\Logon\wmi.exe
        
        C:\Windows\system32\GroupPolicy\User\Scripts\Logon\wmi.exe
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Suspicious behavior: EnumeratesProcesses
        
        PID:1796
        
        C:\Windows\SysWOW64\GroupPolicy\User\Scripts\Logon\wmi.exe
        
        C:\Windows\system32\GroupPolicy\User\Scripts\Logon\wmi.exe
        7⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious behavior: EnumeratesProcesses
        
        PID:1640

C:\Windows\SysWOW64\GroupPolicy\User\Scripts\Logon\wmi.exe
C:\Windows\system32\GroupPolicy\User\Scripts\Logon\wmi.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2808

C:\Windows\SysWOW64\GroupPolicy\User\Scripts\Logon\wmi.exe
C:\Windows\system32\GroupPolicy\User\Scripts\Logon\wmi.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2972

C:\Windows\SysWOW64\GroupPolicy\User\Scripts\Logon\wmi.exe
C:\Windows\system32\GroupPolicy\User\Scripts\Logon\wmi.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
PID:616
- C:\Windows\SysWOW64\GroupPolicy\User\Scripts\Logon\wmi.exe
  C:\Windows\system32\GroupPolicy\User\Scripts\Logon\wmi.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious behavior: EnumeratesProcesses
  PID:1992
- - C:\Windows\SysWOW64\GroupPolicy\User\Scripts\Logon\wmi.exe
    C:\Windows\system32\GroupPolicy\User\Scripts\Logon\wmi.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious behavior: EnumeratesProcesses
    PID:3048
  - - C:\Windows\SysWOW64\GroupPolicy\User\Scripts\Logon\wmi.exe
      C:\Windows\system32\GroupPolicy\User\Scripts\Logon\wmi.exe
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Suspicious behavior: EnumeratesProcesses
      PID:2424
    - - C:\Windows\SysWOW64\GroupPolicy\User\Scripts\Logon\wmi.exe
        
        C:\Windows\system32\GroupPolicy\User\Scripts\Logon\wmi.exe
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:2752
      - C:\Windows\SysWOW64\GroupPolicy\User\Scripts\Logon\wmi.exe
        
        C:\Windows\system32\GroupPolicy\User\Scripts\Logon\wmi.exe
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:1544
        
        C:\Windows\SysWOW64\GroupPolicy\User\Scripts\Logon\wmi.exe
        
        C:\Windows\system32\GroupPolicy\User\Scripts\Logon\wmi.exe
        7⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        
        PID:2056
        
        C:\Windows\SysWOW64\GroupPolicy\User\Scripts\Logon\wmi.exe
        
        C:\Windows\system32\GroupPolicy\User\Scripts\Logon\wmi.exe
        8⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:412
        
        C:\Windows\SysWOW64\GroupPolicy\User\Scripts\Logon\wmi.exe
        
        C:\Windows\system32\GroupPolicy\User\Scripts\Logon\wmi.exe
        9⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:2024
        
        C:\Windows\SysWOW64\GroupPolicy\User\Scripts\Logon\wmi.exe
        
        C:\Windows\system32\GroupPolicy\User\Scripts\Logon\wmi.exe
        10⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:484
        
        C:\Windows\SysWOW64\GroupPolicy\User\Scripts\Logon\wmi.exe
        
        C:\Windows\system32\GroupPolicy\User\Scripts\Logon\wmi.exe
        11⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        
        PID:1392
        
        C:\Windows\SysWOW64\GroupPolicy\User\Scripts\Logon\wmi.exe
        
        C:\Windows\system32\GroupPolicy\User\Scripts\Logon\wmi.exe
        12⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:2440
        
        C:\Windows\SysWOW64\GroupPolicy\User\Scripts\Logon\wmi.exe
        
        C:\Windows\system32\GroupPolicy\User\Scripts\Logon\wmi.exe
        13⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:1348
        
        C:\Windows\SysWOW64\GroupPolicy\User\Scripts\Logon\wmi.exe
        
        C:\Windows\system32\GroupPolicy\User\Scripts\Logon\wmi.exe
        14⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:912
        
        C:\Windows\SysWOW64\GroupPolicy\User\Scripts\Logon\wmi.exe
        
        C:\Windows\system32\GroupPolicy\User\Scripts\Logon\wmi.exe
        15⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1676
        
        C:\Windows\SysWOW64\GroupPolicy\User\Scripts\Logon\wmi.exe
        
        C:\Windows\system32\GroupPolicy\User\Scripts\Logon\wmi.exe
        16⤵
        Executes dropped EXE
        
        PID:1664
        
        C:\Windows\SysWOW64\GroupPolicy\User\Scripts\Logon\wmi.exe
        
        C:\Windows\system32\GroupPolicy\User\Scripts\Logon\wmi.exe
        17⤵
        Executes dropped EXE
        
        PID:1280
        
        C:\Windows\SysWOW64\GroupPolicy\User\Scripts\Logon\wmi.exe
        
        C:\Windows\system32\GroupPolicy\User\Scripts\Logon\wmi.exe
        18⤵
        Executes dropped EXE
        
        PID:1100
        
        C:\Windows\SysWOW64\GroupPolicy\User\Scripts\Logon\wmi.exe
        
        C:\Windows\system32\GroupPolicy\User\Scripts\Logon\wmi.exe
        19⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2244
        
        C:\Windows\SysWOW64\GroupPolicy\User\Scripts\Logon\wmi.exe
        
        C:\Windows\system32\GroupPolicy\User\Scripts\Logon\wmi.exe
        20⤵
        Executes dropped EXE
        
        PID:1456
        
        C:\Windows\SysWOW64\GroupPolicy\User\Scripts\Logon\wmi.exe
        
        C:\Windows\system32\GroupPolicy\User\Scripts\Logon\wmi.exe
        21⤵
        Executes dropped EXE
        
        PID:2252
        
        C:\Windows\SysWOW64\GroupPolicy\User\Scripts\Logon\wmi.exe
        
        C:\Windows\system32\GroupPolicy\User\Scripts\Logon\wmi.exe
        22⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2124
        
        C:\Windows\SysWOW64\GroupPolicy\User\Scripts\Logon\wmi.exe
        
        C:\Windows\system32\GroupPolicy\User\Scripts\Logon\wmi.exe
        23⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2112
        
        C:\Windows\SysWOW64\GroupPolicy\User\Scripts\Logon\wmi.exe
        
        C:\Windows\system32\GroupPolicy\User\Scripts\Logon\wmi.exe
        24⤵
        Executes dropped EXE
        
        PID:2452
        
        C:\Windows\SysWOW64\GroupPolicy\User\Scripts\Logon\wmi.exe
        
        C:\Windows\system32\GroupPolicy\User\Scripts\Logon\wmi.exe
        25⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1708
        
        C:\Windows\SysWOW64\GroupPolicy\User\Scripts\Logon\wmi.exe
        
        C:\Windows\system32\GroupPolicy\User\Scripts\Logon\wmi.exe
        26⤵
        Executes dropped EXE
        
        PID:872
        
        C:\Windows\SysWOW64\GroupPolicy\User\Scripts\Logon\wmi.exe
        
        C:\Windows\system32\GroupPolicy\User\Scripts\Logon\wmi.exe
        27⤵
        Executes dropped EXE
        
        PID:2096
        
        C:\Windows\SysWOW64\GroupPolicy\User\Scripts\Logon\wmi.exe
        
        C:\Windows\system32\GroupPolicy\User\Scripts\Logon\wmi.exe
        28⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2496
        
        C:\Windows\SysWOW64\GroupPolicy\User\Scripts\Logon\wmi.exe
        
        C:\Windows\system32\GroupPolicy\User\Scripts\Logon\wmi.exe
        29⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2448
        
        C:\Windows\SysWOW64\GroupPolicy\User\Scripts\Logon\wmi.exe
        
        C:\Windows\system32\GroupPolicy\User\Scripts\Logon\wmi.exe
        30⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1584
        
        C:\Windows\SysWOW64\GroupPolicy\User\Scripts\Logon\wmi.exe
        
        C:\Windows\system32\GroupPolicy\User\Scripts\Logon\wmi.exe
        31⤵
        Executes dropped EXE
        
        PID:1612
        
        C:\Windows\SysWOW64\GroupPolicy\User\Scripts\Logon\wmi.exe
        
        C:\Windows\system32\GroupPolicy\User\Scripts\Logon\wmi.exe
        32⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2432
        
        C:\Windows\SysWOW64\GroupPolicy\User\Scripts\Logon\wmi.exe
        
        C:\Windows\system32\GroupPolicy\User\Scripts\Logon\wmi.exe
        33⤵
        Executes dropped EXE
        
        PID:2680
        
        C:\Windows\SysWOW64\GroupPolicy\User\Scripts\Logon\wmi.exe
        
        C:\Windows\system32\GroupPolicy\User\Scripts\Logon\wmi.exe
        34⤵
        Executes dropped EXE
        
        PID:2840
        
        C:\Windows\SysWOW64\GroupPolicy\User\Scripts\Logon\wmi.exe
        
        C:\Windows\system32\GroupPolicy\User\Scripts\Logon\wmi.exe
        35⤵
        Executes dropped EXE
        
        PID:1980
        
        C:\Windows\SysWOW64\GroupPolicy\User\Scripts\Logon\wmi.exe
        
        C:\Windows\system32\GroupPolicy\User\Scripts\Logon\wmi.exe
        36⤵
        Executes dropped EXE
        
        PID:2708
        
        C:\Windows\SysWOW64\GroupPolicy\User\Scripts\Logon\wmi.exe
        
        C:\Windows\system32\GroupPolicy\User\Scripts\Logon\wmi.exe
        37⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2604
        
        C:\Windows\SysWOW64\GroupPolicy\User\Scripts\Logon\wmi.exe
        
        C:\Windows\system32\GroupPolicy\User\Scripts\Logon\wmi.exe
        38⤵
        Executes dropped EXE
        
        PID:2324
        
        C:\Windows\SysWOW64\GroupPolicy\User\Scripts\Logon\wmi.exe
        
        C:\Windows\system32\GroupPolicy\User\Scripts\Logon\wmi.exe
        39⤵
        Executes dropped EXE
        
        PID:2612
        
        C:\Windows\SysWOW64\GroupPolicy\User\Scripts\Logon\wmi.exe
        
        C:\Windows\system32\GroupPolicy\User\Scripts\Logon\wmi.exe
        40⤵
        Executes dropped EXE
        
        PID:2588
        
        C:\Windows\SysWOW64\GroupPolicy\User\Scripts\Logon\wmi.exe
        
        C:\Windows\system32\GroupPolicy\User\Scripts\Logon\wmi.exe
        41⤵
        Executes dropped EXE
        
        PID:2740
        
        C:\Windows\SysWOW64\GroupPolicy\User\Scripts\Logon\wmi.exe
        
        C:\Windows\system32\GroupPolicy\User\Scripts\Logon\wmi.exe
        42⤵
        Executes dropped EXE
        
        PID:2688
        
        C:\Windows\SysWOW64\GroupPolicy\User\Scripts\Logon\wmi.exe
        
        C:\Windows\system32\GroupPolicy\User\Scripts\Logon\wmi.exe
        43⤵
        Executes dropped EXE
        
        PID:2696
        
        C:\Windows\SysWOW64\GroupPolicy\User\Scripts\Logon\wmi.exe
        
        C:\Windows\system32\GroupPolicy\User\Scripts\Logon\wmi.exe
        44⤵
        Executes dropped EXE
        
        PID:1272
        
        C:\Windows\SysWOW64\GroupPolicy\User\Scripts\Logon\wmi.exe
        
        C:\Windows\system32\GroupPolicy\User\Scripts\Logon\wmi.exe
        45⤵
        Executes dropped EXE
        
        PID:2172
        
        C:\Windows\SysWOW64\GroupPolicy\User\Scripts\Logon\wmi.exe
        
        C:\Windows\system32\GroupPolicy\User\Scripts\Logon\wmi.exe
        46⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:576
        
        C:\Windows\SysWOW64\GroupPolicy\User\Scripts\Logon\wmi.exe
        
        C:\Windows\system32\GroupPolicy\User\Scripts\Logon\wmi.exe
        47⤵
        Executes dropped EXE
        
        PID:1088
        
        C:\Windows\SysWOW64\GroupPolicy\User\Scripts\Logon\wmi.exe
        
        C:\Windows\system32\GroupPolicy\User\Scripts\Logon\wmi.exe
        48⤵
        
        PID:936
        
        C:\Windows\SysWOW64\GroupPolicy\User\Scripts\Logon\wmi.exe
        
        C:\Windows\system32\GroupPolicy\User\Scripts\Logon\wmi.exe
        49⤵
        
        PID:2984
        
        C:\Windows\SysWOW64\GroupPolicy\User\Scripts\Logon\wmi.exe
        
        C:\Windows\system32\GroupPolicy\User\Scripts\Logon\wmi.exe
        50⤵
        
        PID:2812
        
        C:\Windows\SysWOW64\GroupPolicy\User\Scripts\Logon\wmi.exe
        
        C:\Windows\system32\GroupPolicy\User\Scripts\Logon\wmi.exe
        51⤵
        Drops file in System32 directory
        
        PID:2956
        
        C:\Windows\SysWOW64\GroupPolicy\User\Scripts\Logon\wmi.exe
        
        C:\Windows\system32\GroupPolicy\User\Scripts\Logon\wmi.exe
        52⤵
        
        PID:2988
        
        C:\Windows\SysWOW64\GroupPolicy\User\Scripts\Logon\wmi.exe
        
        C:\Windows\system32\GroupPolicy\User\Scripts\Logon\wmi.exe
        53⤵
        Drops file in System32 directory
        
        PID:3016
        
        C:\Windows\SysWOW64\GroupPolicy\User\Scripts\Logon\wmi.exe
        
        C:\Windows\system32\GroupPolicy\User\Scripts\Logon\wmi.exe
        54⤵
        
        PID:2996
        
        C:\Windows\SysWOW64\GroupPolicy\User\Scripts\Logon\wmi.exe
        
        C:\Windows\system32\GroupPolicy\User\Scripts\Logon\wmi.exe
        55⤵
        Drops file in System32 directory
        
        PID:1984
        
        C:\Windows\SysWOW64\GroupPolicy\User\Scripts\Logon\wmi.exe
        
        C:\Windows\system32\GroupPolicy\User\Scripts\Logon\wmi.exe
        56⤵
        
        PID:296
        
        C:\Windows\SysWOW64\GroupPolicy\User\Scripts\Logon\wmi.exe
        
        C:\Windows\system32\GroupPolicy\User\Scripts\Logon\wmi.exe
        57⤵
        
        PID:1940
        
        C:\Windows\SysWOW64\GroupPolicy\User\Scripts\Logon\wmi.exe
        
        C:\Windows\system32\GroupPolicy\User\Scripts\Logon\wmi.exe
        58⤵
        
        PID:2644
        
        C:\Windows\SysWOW64\GroupPolicy\User\Scripts\Logon\wmi.exe
        
        C:\Windows\system32\GroupPolicy\User\Scripts\Logon\wmi.exe
        59⤵
        Drops file in System32 directory
        
        PID:1060
        
        C:\Windows\SysWOW64\GroupPolicy\User\Scripts\Logon\wmi.exe
        
        C:\Windows\system32\GroupPolicy\User\Scripts\Logon\wmi.exe
        60⤵
        
        PID:1236
        
        C:\Windows\SysWOW64\GroupPolicy\User\Scripts\Logon\wmi.exe
        
        C:\Windows\system32\GroupPolicy\User\Scripts\Logon\wmi.exe
        61⤵
        Drops file in System32 directory
        
        PID:580
        
        C:\Windows\SysWOW64\GroupPolicy\User\Scripts\Logon\wmi.exe
        
        C:\Windows\system32\GroupPolicy\User\Scripts\Logon\wmi.exe
        62⤵
        
        PID:1692
        
        C:\Windows\SysWOW64\GroupPolicy\User\Scripts\Logon\wmi.exe
        
        C:\Windows\system32\GroupPolicy\User\Scripts\Logon\wmi.exe
        63⤵
        
        PID:2916
        
        C:\Windows\SysWOW64\GroupPolicy\User\Scripts\Logon\wmi.exe
        
        C:\Windows\system32\GroupPolicy\User\Scripts\Logon\wmi.exe
        64⤵
        Drops file in System32 directory
        
        PID:2912
        
        C:\Windows\SysWOW64\GroupPolicy\User\Scripts\Logon\wmi.exe
        
        C:\Windows\system32\GroupPolicy\User\Scripts\Logon\wmi.exe
        65⤵
        
        PID:1468
        
        C:\Windows\SysWOW64\GroupPolicy\User\Scripts\Logon\wmi.exe
        
        C:\Windows\system32\GroupPolicy\User\Scripts\Logon\wmi.exe
        66⤵
        
        PID:1528
        
        C:\Windows\SysWOW64\GroupPolicy\User\Scripts\Logon\wmi.exe
        
        C:\Windows\system32\GroupPolicy\User\Scripts\Logon\wmi.exe
        67⤵
        
        PID:2472
        
        C:\Windows\SysWOW64\GroupPolicy\User\Scripts\Logon\wmi.exe
        
        C:\Windows\system32\GroupPolicy\User\Scripts\Logon\wmi.exe
        68⤵
        Drops file in System32 directory
        
        PID:756
        
        C:\Windows\SysWOW64\GroupPolicy\User\Scripts\Logon\wmi.exe
        
        C:\Windows\system32\GroupPolicy\User\Scripts\Logon\wmi.exe
        69⤵
        
        PID:3060
        
        C:\Windows\SysWOW64\GroupPolicy\User\Scripts\Logon\wmi.exe
        
        C:\Windows\system32\GroupPolicy\User\Scripts\Logon\wmi.exe
        70⤵
        
        PID:2532
        
        C:\Windows\SysWOW64\GroupPolicy\User\Scripts\Logon\wmi.exe
        
        C:\Windows\system32\GroupPolicy\User\Scripts\Logon\wmi.exe
        71⤵
        
        PID:1144
        
        C:\Windows\SysWOW64\GroupPolicy\User\Scripts\Logon\wmi.exe
        
        C:\Windows\system32\GroupPolicy\User\Scripts\Logon\wmi.exe
        72⤵
        Drops file in System32 directory
        
        PID:2400
        
        C:\Windows\SysWOW64\GroupPolicy\User\Scripts\Logon\wmi.exe
        
        C:\Windows\system32\GroupPolicy\User\Scripts\Logon\wmi.exe
        73⤵
        
        PID:2520
        
        C:\Windows\SysWOW64\GroupPolicy\User\Scripts\Logon\wmi.exe
        
        C:\Windows\system32\GroupPolicy\User\Scripts\Logon\wmi.exe
        74⤵
        
        PID:2540
        
        C:\Windows\SysWOW64\GroupPolicy\User\Scripts\Logon\wmi.exe
        
        C:\Windows\system32\GroupPolicy\User\Scripts\Logon\wmi.exe
        75⤵
        
        PID:1480
        
        C:\Windows\SysWOW64\GroupPolicy\User\Scripts\Logon\wmi.exe
        
        C:\Windows\system32\GroupPolicy\User\Scripts\Logon\wmi.exe
        76⤵
        Drops file in System32 directory
        
        PID:672
        
        C:\Windows\SysWOW64\GroupPolicy\User\Scripts\Logon\wmi.exe
        
        C:\Windows\system32\GroupPolicy\User\Scripts\Logon\wmi.exe
        77⤵
        
        PID:1856
        
        C:\Windows\SysWOW64\GroupPolicy\User\Scripts\Logon\wmi.exe
        
        C:\Windows\system32\GroupPolicy\User\Scripts\Logon\wmi.exe
        78⤵
        
        PID:932
        
        C:\Windows\SysWOW64\GroupPolicy\User\Scripts\Logon\wmi.exe
        
        C:\Windows\system32\GroupPolicy\User\Scripts\Logon\wmi.exe
        79⤵
        
        PID:2136
        
        C:\Windows\SysWOW64\GroupPolicy\User\Scripts\Logon\wmi.exe
        
        C:\Windows\system32\GroupPolicy\User\Scripts\Logon\wmi.exe
        80⤵
        
        PID:760
        
        C:\Windows\SysWOW64\GroupPolicy\User\Scripts\Logon\wmi.exe
        
        C:\Windows\system32\GroupPolicy\User\Scripts\Logon\wmi.exe
        81⤵
        
        PID:1672
        
        C:\Windows\SysWOW64\GroupPolicy\User\Scripts\Logon\wmi.exe
        
        C:\Windows\system32\GroupPolicy\User\Scripts\Logon\wmi.exe
        82⤵
        Drops file in System32 directory
        
        PID:852
        
        C:\Windows\SysWOW64\GroupPolicy\User\Scripts\Logon\wmi.exe
        
        C:\Windows\system32\GroupPolicy\User\Scripts\Logon\wmi.exe
        83⤵
        Drops file in System32 directory
        
        PID:536
        
        C:\Windows\SysWOW64\GroupPolicy\User\Scripts\Logon\wmi.exe
        
        C:\Windows\system32\GroupPolicy\User\Scripts\Logon\wmi.exe
        84⤵
        Drops file in System32 directory
        
        PID:2060
        
        C:\Windows\SysWOW64\GroupPolicy\User\Scripts\Logon\wmi.exe
        
        C:\Windows\system32\GroupPolicy\User\Scripts\Logon\wmi.exe
        85⤵
        
        PID:2304
        
        C:\Windows\SysWOW64\GroupPolicy\User\Scripts\Logon\wmi.exe
        
        C:\Windows\system32\GroupPolicy\User\Scripts\Logon\wmi.exe
        86⤵
        
        PID:516
        
        C:\Windows\SysWOW64\GroupPolicy\User\Scripts\Logon\wmi.exe
        
        C:\Windows\system32\GroupPolicy\User\Scripts\Logon\wmi.exe
        87⤵
        
        PID:2280
        
        C:\Windows\SysWOW64\GroupPolicy\User\Scripts\Logon\wmi.exe
        
        C:\Windows\system32\GroupPolicy\User\Scripts\Logon\wmi.exe
        88⤵
        
        PID:2508
        
        C:\Windows\SysWOW64\GroupPolicy\User\Scripts\Logon\wmi.exe
        
        C:\Windows\system32\GroupPolicy\User\Scripts\Logon\wmi.exe
        89⤵
        
        PID:2156
        
        C:\Windows\SysWOW64\GroupPolicy\User\Scripts\Logon\wmi.exe
        
        C:\Windows\system32\GroupPolicy\User\Scripts\Logon\wmi.exe
        90⤵
        
        PID:1720
        
        C:\Windows\SysWOW64\GroupPolicy\User\Scripts\Logon\wmi.exe
        
        C:\Windows\system32\GroupPolicy\User\Scripts\Logon\wmi.exe
        91⤵
        
        PID:2780
        
        C:\Windows\SysWOW64\GroupPolicy\User\Scripts\Logon\wmi.exe
        
        C:\Windows\system32\GroupPolicy\User\Scripts\Logon\wmi.exe
        92⤵
        
        PID:2828
        
        C:\Windows\SysWOW64\GroupPolicy\User\Scripts\Logon\wmi.exe
        
        C:\Windows\system32\GroupPolicy\User\Scripts\Logon\wmi.exe
        93⤵
        Drops file in System32 directory
        
        PID:2684
        
        C:\Windows\SysWOW64\GroupPolicy\User\Scripts\Logon\wmi.exe
        
        C:\Windows\system32\GroupPolicy\User\Scripts\Logon\wmi.exe
        94⤵
        
        PID:2872
        
        C:\Windows\SysWOW64\GroupPolicy\User\Scripts\Logon\wmi.exe
        
        C:\Windows\system32\GroupPolicy\User\Scripts\Logon\wmi.exe
        95⤵
        Drops file in System32 directory
        
        PID:2600
        
        C:\Windows\SysWOW64\GroupPolicy\User\Scripts\Logon\wmi.exe
        
        C:\Windows\system32\GroupPolicy\User\Scripts\Logon\wmi.exe
        96⤵
        Drops file in System32 directory
        
        PID:2572
        
        C:\Windows\SysWOW64\GroupPolicy\User\Scripts\Logon\wmi.exe
        
        C:\Windows\system32\GroupPolicy\User\Scripts\Logon\wmi.exe
        97⤵
        
        PID:2584
        
        C:\Windows\SysWOW64\GroupPolicy\User\Scripts\Logon\wmi.exe
        
        C:\Windows\system32\GroupPolicy\User\Scripts\Logon\wmi.exe
        98⤵
        
        PID:2628
        
        C:\Windows\SysWOW64\GroupPolicy\User\Scripts\Logon\wmi.exe
        
        C:\Windows\system32\GroupPolicy\User\Scripts\Logon\wmi.exe
        99⤵
        
        PID:2580
        
        C:\Windows\SysWOW64\GroupPolicy\User\Scripts\Logon\wmi.exe
        
        C:\Windows\system32\GroupPolicy\User\Scripts\Logon\wmi.exe
        100⤵
        
        PID:1312
        
        C:\Windows\SysWOW64\GroupPolicy\User\Scripts\Logon\wmi.exe
        
        C:\Windows\system32\GroupPolicy\User\Scripts\Logon\wmi.exe
        101⤵
        
        PID:2560
        
        C:\Windows\SysWOW64\GroupPolicy\User\Scripts\Logon\wmi.exe
        
        C:\Windows\system32\GroupPolicy\User\Scripts\Logon\wmi.exe
        102⤵
        
        PID:3012
        
        C:\Windows\SysWOW64\GroupPolicy\User\Scripts\Logon\wmi.exe
        
        C:\Windows\system32\GroupPolicy\User\Scripts\Logon\wmi.exe
        103⤵
        
        PID:2408
        
        C:\Windows\SysWOW64\GroupPolicy\User\Scripts\Logon\wmi.exe
        
        C:\Windows\system32\GroupPolicy\User\Scripts\Logon\wmi.exe
        104⤵
        
        PID:2484
        
        C:\Windows\SysWOW64\GroupPolicy\User\Scripts\Logon\wmi.exe
        
        C:\Windows\system32\GroupPolicy\User\Scripts\Logon\wmi.exe
        105⤵
        
        PID:2764
        
        C:\Windows\SysWOW64\GroupPolicy\User\Scripts\Logon\wmi.exe
        
        C:\Windows\system32\GroupPolicy\User\Scripts\Logon\wmi.exe
        106⤵
        Drops file in System32 directory
        
        PID:824
        
        C:\Windows\SysWOW64\GroupPolicy\User\Scripts\Logon\wmi.exe
        
        C:\Windows\system32\GroupPolicy\User\Scripts\Logon\wmi.exe
        107⤵
        
        PID:1592
        
        C:\Windows\SysWOW64\GroupPolicy\User\Scripts\Logon\wmi.exe
        
        C:\Windows\system32\GroupPolicy\User\Scripts\Logon\wmi.exe
        108⤵
        
        PID:2824
        
        C:\Windows\SysWOW64\GroupPolicy\User\Scripts\Logon\wmi.exe
        
        C:\Windows\system32\GroupPolicy\User\Scripts\Logon\wmi.exe
        109⤵
        
        PID:2676
        
        C:\Windows\SysWOW64\GroupPolicy\User\Scripts\Logon\wmi.exe
        
        C:\Windows\system32\GroupPolicy\User\Scripts\Logon\wmi.exe
        110⤵
        
        PID:1736
        
        C:\Windows\SysWOW64\GroupPolicy\User\Scripts\Logon\wmi.exe
        
        C:\Windows\system32\GroupPolicy\User\Scripts\Logon\wmi.exe
        111⤵
        
        PID:2204
        
        C:\Windows\SysWOW64\GroupPolicy\User\Scripts\Logon\wmi.exe
        
        C:\Windows\system32\GroupPolicy\User\Scripts\Logon\wmi.exe
        112⤵
        
        PID:1788
        
        C:\Windows\SysWOW64\GroupPolicy\User\Scripts\Logon\wmi.exe
        
        C:\Windows\system32\GroupPolicy\User\Scripts\Logon\wmi.exe
        113⤵
        Drops file in System32 directory
        
        PID:2180
        
        C:\Windows\SysWOW64\GroupPolicy\User\Scripts\Logon\wmi.exe
        
        C:\Windows\system32\GroupPolicy\User\Scripts\Logon\wmi.exe
        114⤵
        
        PID:2360
        
        C:\Windows\SysWOW64\GroupPolicy\User\Scripts\Logon\wmi.exe
        
        C:\Windows\system32\GroupPolicy\User\Scripts\Logon\wmi.exe
        115⤵
        
        PID:2264
        
        C:\Windows\SysWOW64\GroupPolicy\User\Scripts\Logon\wmi.exe
        
        C:\Windows\system32\GroupPolicy\User\Scripts\Logon\wmi.exe
        116⤵
        Drops file in System32 directory
        
        PID:624
        
        C:\Windows\SysWOW64\GroupPolicy\User\Scripts\Logon\wmi.exe
        
        C:\Windows\system32\GroupPolicy\User\Scripts\Logon\wmi.exe
        117⤵
        
        PID:2544
        
        C:\Windows\SysWOW64\GroupPolicy\User\Scripts\Logon\wmi.exe
        
        C:\Windows\system32\GroupPolicy\User\Scripts\Logon\wmi.exe
        118⤵
        Drops file in System32 directory
        
        PID:1624
        
        C:\Windows\SysWOW64\GroupPolicy\User\Scripts\Logon\wmi.exe
        
        C:\Windows\system32\GroupPolicy\User\Scripts\Logon\wmi.exe
        119⤵
        
        PID:1028
        
        C:\Windows\SysWOW64\GroupPolicy\User\Scripts\Logon\wmi.exe
        
        C:\Windows\system32\GroupPolicy\User\Scripts\Logon\wmi.exe
        120⤵
        
        PID:816
        
        C:\Windows\SysWOW64\GroupPolicy\User\Scripts\Logon\wmi.exe
        
        C:\Windows\system32\GroupPolicy\User\Scripts\Logon\wmi.exe
        121⤵
        
        PID:2316
        
        C:\Windows\SysWOW64\GroupPolicy\User\Scripts\Logon\wmi.exe
        
        C:\Windows\system32\GroupPolicy\User\Scripts\Logon\wmi.exe
        122⤵
        
        PID:688
        
        C:\Windows\SysWOW64\GroupPolicy\User\Scripts\Logon\wmi.exe
        
        C:\Windows\system32\GroupPolicy\User\Scripts\Logon\wmi.exe
        123⤵
        Drops file in System32 directory
        
        PID:2084
        
        C:\Windows\SysWOW64\GroupPolicy\User\Scripts\Logon\wmi.exe
        
        C:\Windows\system32\GroupPolicy\User\Scripts\Logon\wmi.exe
        124⤵
        
        PID:2284
        
        C:\Windows\SysWOW64\GroupPolicy\User\Scripts\Logon\wmi.exe
        
        C:\Windows\system32\GroupPolicy\User\Scripts\Logon\wmi.exe
        125⤵
        
        PID:596
        
        C:\Windows\SysWOW64\GroupPolicy\User\Scripts\Logon\wmi.exe
        
        C:\Windows\system32\GroupPolicy\User\Scripts\Logon\wmi.exe
        126⤵
        
        PID:2668
        
        C:\Windows\SysWOW64\GroupPolicy\User\Scripts\Logon\wmi.exe
        
        C:\Windows\system32\GroupPolicy\User\Scripts\Logon\wmi.exe
        127⤵
        
        PID:2704
        
        C:\Windows\SysWOW64\GroupPolicy\User\Scripts\Logon\wmi.exe
        
        C:\Windows\system32\GroupPolicy\User\Scripts\Logon\wmi.exe
        128⤵
        
        PID:2776
        
        C:\Windows\SysWOW64\GroupPolicy\User\Scripts\Logon\wmi.exe
        
        C:\Windows\system32\GroupPolicy\User\Scripts\Logon\wmi.exe
        129⤵
        
        PID:2852
        
        C:\Windows\SysWOW64\GroupPolicy\User\Scripts\Logon\wmi.exe
        
        C:\Windows\system32\GroupPolicy\User\Scripts\Logon\wmi.exe
        130⤵
        
        PID:1688
        
        C:\Windows\SysWOW64\GroupPolicy\User\Scripts\Logon\wmi.exe
        
        C:\Windows\system32\GroupPolicy\User\Scripts\Logon\wmi.exe
        131⤵
        Drops file in System32 directory
        
        PID:2760
        
        C:\Windows\SysWOW64\GroupPolicy\User\Scripts\Logon\wmi.exe
        
        C:\Windows\system32\GroupPolicy\User\Scripts\Logon\wmi.exe
        132⤵
        
        PID:2652
        
        C:\Windows\SysWOW64\GroupPolicy\User\Scripts\Logon\wmi.exe
        
        C:\Windows\system32\GroupPolicy\User\Scripts\Logon\wmi.exe
        133⤵
        Drops file in System32 directory
        
        PID:948
        
        C:\Windows\SysWOW64\GroupPolicy\User\Scripts\Logon\wmi.exe
        
        C:\Windows\system32\GroupPolicy\User\Scripts\Logon\wmi.exe
        134⤵
        Drops file in System32 directory
        
        PID:3008
        
        C:\Windows\SysWOW64\GroupPolicy\User\Scripts\Logon\wmi.exe
        
        C:\Windows\system32\GroupPolicy\User\Scripts\Logon\wmi.exe
        135⤵
        
        PID:2480
        
        C:\Windows\SysWOW64\GroupPolicy\User\Scripts\Logon\wmi.exe
        
        C:\Windows\system32\GroupPolicy\User\Scripts\Logon\wmi.exe
        136⤵
        
        PID:320
        
        C:\Windows\SysWOW64\GroupPolicy\User\Scripts\Logon\wmi.exe
        
        C:\Windows\system32\GroupPolicy\User\Scripts\Logon\wmi.exe
        137⤵
        
        PID:1588
        
        C:\Windows\SysWOW64\GroupPolicy\User\Scripts\Logon\wmi.exe
        
        C:\Windows\system32\GroupPolicy\User\Scripts\Logon\wmi.exe
        138⤵
        
        PID:748
        
        C:\Windows\SysWOW64\GroupPolicy\User\Scripts\Logon\wmi.exe
        
        C:\Windows\system32\GroupPolicy\User\Scripts\Logon\wmi.exe
        139⤵
        
        PID:2896
        
        C:\Windows\SysWOW64\GroupPolicy\User\Scripts\Logon\wmi.exe
        
        C:\Windows\system32\GroupPolicy\User\Scripts\Logon\wmi.exe
        140⤵
        Drops file in System32 directory
        
        PID:1744
        
        C:\Windows\SysWOW64\GroupPolicy\User\Scripts\Logon\wmi.exe
        
        C:\Windows\system32\GroupPolicy\User\Scripts\Logon\wmi.exe
        141⤵
        
        PID:1712
        
        C:\Windows\SysWOW64\GroupPolicy\User\Scripts\Logon\wmi.exe
        
        C:\Windows\system32\GroupPolicy\User\Scripts\Logon\wmi.exe
        142⤵
        
        PID:1320
        
        C:\Windows\SysWOW64\GroupPolicy\User\Scripts\Logon\wmi.exe
        
        C:\Windows\system32\GroupPolicy\User\Scripts\Logon\wmi.exe
        143⤵
        
        PID:1740
        
        C:\Windows\SysWOW64\GroupPolicy\User\Scripts\Logon\wmi.exe
        
        C:\Windows\system32\GroupPolicy\User\Scripts\Logon\wmi.exe
        144⤵
        
        PID:1944
        
        C:\Windows\SysWOW64\GroupPolicy\User\Scripts\Logon\wmi.exe
        
        C:\Windows\system32\GroupPolicy\User\Scripts\Logon\wmi.exe
        145⤵
        
        PID:2500
        
        C:\Windows\SysWOW64\GroupPolicy\User\Scripts\Logon\wmi.exe
        
        C:\Windows\system32\GroupPolicy\User\Scripts\Logon\wmi.exe
        146⤵
        
        PID:540
        
        C:\Windows\SysWOW64\GroupPolicy\User\Scripts\Logon\wmi.exe
        
        C:\Windows\system32\GroupPolicy\User\Scripts\Logon\wmi.exe
        147⤵
        Drops file in System32 directory
        
        PID:840
        
        C:\Windows\SysWOW64\GroupPolicy\User\Scripts\Logon\wmi.exe
        
        C:\Windows\system32\GroupPolicy\User\Scripts\Logon\wmi.exe
        148⤵
        
        PID:976
        
        C:\Windows\SysWOW64\GroupPolicy\User\Scripts\Logon\wmi.exe
        
        C:\Windows\system32\GroupPolicy\User\Scripts\Logon\wmi.exe
        149⤵
        Drops file in System32 directory
        
        PID:2104
        
        C:\Windows\SysWOW64\GroupPolicy\User\Scripts\Logon\wmi.exe
        
        C:\Windows\system32\GroupPolicy\User\Scripts\Logon\wmi.exe
        150⤵
        Drops file in System32 directory
        
        PID:2784
        
        C:\Windows\SysWOW64\GroupPolicy\User\Scripts\Logon\wmi.exe
        
        C:\Windows\system32\GroupPolicy\User\Scripts\Logon\wmi.exe
        151⤵
        
        PID:2964
        
        C:\Windows\SysWOW64\GroupPolicy\User\Scripts\Logon\wmi.exe
        
        C:\Windows\system32\GroupPolicy\User\Scripts\Logon\wmi.exe
        152⤵
        
        PID:1812
        
        C:\Windows\SysWOW64\GroupPolicy\User\Scripts\Logon\wmi.exe
        
        C:\Windows\system32\GroupPolicy\User\Scripts\Logon\wmi.exe
        153⤵
        
        PID:2464
        
        C:\Windows\SysWOW64\GroupPolicy\User\Scripts\Logon\wmi.exe
        
        C:\Windows\system32\GroupPolicy\User\Scripts\Logon\wmi.exe
        154⤵
        
        PID:2428
        
        C:\Windows\SysWOW64\GroupPolicy\User\Scripts\Logon\wmi.exe
        
        C:\Windows\system32\GroupPolicy\User\Scripts\Logon\wmi.exe
        155⤵
        Drops file in System32 directory
        
        PID:1200
        
        C:\Windows\SysWOW64\GroupPolicy\User\Scripts\Logon\wmi.exe
        
        C:\Windows\system32\GroupPolicy\User\Scripts\Logon\wmi.exe
        156⤵
        
        PID:1936
        
        C:\Windows\SysWOW64\GroupPolicy\User\Scripts\Logon\wmi.exe
        
        C:\Windows\system32\GroupPolicy\User\Scripts\Logon\wmi.exe
        157⤵
        Drops file in System32 directory
        
        PID:2164
        
        C:\Windows\SysWOW64\GroupPolicy\User\Scripts\Logon\wmi.exe
        
        C:\Windows\system32\GroupPolicy\User\Scripts\Logon\wmi.exe
        158⤵
        Drops file in System32 directory
        
        PID:1732
        
        C:\Windows\SysWOW64\GroupPolicy\User\Scripts\Logon\wmi.exe
        
        C:\Windows\system32\GroupPolicy\User\Scripts\Logon\wmi.exe
        159⤵
        Drops file in System32 directory
        
        PID:1792
        
        C:\Windows\SysWOW64\GroupPolicy\User\Scripts\Logon\wmi.exe
        
        C:\Windows\system32\GroupPolicy\User\Scripts\Logon\wmi.exe
        160⤵
        
        PID:2932
        
        C:\Windows\SysWOW64\GroupPolicy\User\Scripts\Logon\wmi.exe
        
        C:\Windows\system32\GroupPolicy\User\Scripts\Logon\wmi.exe
        161⤵
        
        PID:1952
        
        C:\Windows\SysWOW64\GroupPolicy\User\Scripts\Logon\wmi.exe
        
        C:\Windows\system32\GroupPolicy\User\Scripts\Logon\wmi.exe
        162⤵
        Drops file in System32 directory
        
        PID:2196
        
        C:\Windows\SysWOW64\GroupPolicy\User\Scripts\Logon\wmi.exe
        
        C:\Windows\system32\GroupPolicy\User\Scripts\Logon\wmi.exe
        163⤵
        Drops file in System32 directory
        
        PID:1608
        
        C:\Windows\SysWOW64\GroupPolicy\User\Scripts\Logon\wmi.exe
        
        C:\Windows\system32\GroupPolicy\User\Scripts\Logon\wmi.exe
        164⤵
        
        PID:2108
        
        C:\Windows\SysWOW64\GroupPolicy\User\Scripts\Logon\wmi.exe
        
        C:\Windows\system32\GroupPolicy\User\Scripts\Logon\wmi.exe
        165⤵
        
        PID:2192
        
        C:\Windows\SysWOW64\GroupPolicy\User\Scripts\Logon\wmi.exe
        
        C:\Windows\system32\GroupPolicy\User\Scripts\Logon\wmi.exe
        166⤵
        Drops file in System32 directory
        
        PID:2976
        
        C:\Windows\SysWOW64\GroupPolicy\User\Scripts\Logon\wmi.exe
        
        C:\Windows\system32\GroupPolicy\User\Scripts\Logon\wmi.exe
        167⤵
        
        PID:2800
        
        C:\Windows\SysWOW64\GroupPolicy\User\Scripts\Logon\wmi.exe
        
        C:\Windows\system32\GroupPolicy\User\Scripts\Logon\wmi.exe
        168⤵
        Drops file in System32 directory
        
        PID:604
        
        C:\Windows\SysWOW64\GroupPolicy\User\Scripts\Logon\wmi.exe
        
        C:\Windows\system32\GroupPolicy\User\Scripts\Logon\wmi.exe
        169⤵
        
        PID:2312
        
        C:\Windows\SysWOW64\GroupPolicy\User\Scripts\Logon\wmi.exe
        
        C:\Windows\system32\GroupPolicy\User\Scripts\Logon\wmi.exe
        170⤵
        Drops file in System32 directory
        
        PID:1628
        
        C:\Windows\SysWOW64\GroupPolicy\User\Scripts\Logon\wmi.exe
        
        C:\Windows\system32\GroupPolicy\User\Scripts\Logon\wmi.exe
        171⤵
        
        PID:1072
        
        C:\Windows\SysWOW64\GroupPolicy\User\Scripts\Logon\wmi.exe
        
        C:\Windows\system32\GroupPolicy\User\Scripts\Logon\wmi.exe
        172⤵
        
        PID:2860
        
        C:\Windows\SysWOW64\GroupPolicy\User\Scripts\Logon\wmi.exe
        
        C:\Windows\system32\GroupPolicy\User\Scripts\Logon\wmi.exe
        173⤵
        Drops file in System32 directory
        
        PID:524
        
        C:\Windows\SysWOW64\GroupPolicy\User\Scripts\Logon\wmi.exe
        
        C:\Windows\system32\GroupPolicy\User\Scripts\Logon\wmi.exe
        174⤵
        
        PID:1996
        
        C:\Windows\SysWOW64\GroupPolicy\User\Scripts\Logon\wmi.exe
        
        C:\Windows\system32\GroupPolicy\User\Scripts\Logon\wmi.exe
        175⤵
        
        PID:2176
        
        C:\Windows\SysWOW64\GroupPolicy\User\Scripts\Logon\wmi.exe
        
        C:\Windows\system32\GroupPolicy\User\Scripts\Logon\wmi.exe
        176⤵
        
        PID:2340
        
        C:\Windows\SysWOW64\GroupPolicy\User\Scripts\Logon\wmi.exe
        
        C:\Windows\system32\GroupPolicy\User\Scripts\Logon\wmi.exe
        177⤵
        
        PID:2744
        
        C:\Windows\SysWOW64\GroupPolicy\User\Scripts\Logon\wmi.exe
        
        C:\Windows\system32\GroupPolicy\User\Scripts\Logon\wmi.exe
        178⤵
        
        PID:752
        
        C:\Windows\SysWOW64\GroupPolicy\User\Scripts\Logon\wmi.exe
        
        C:\Windows\system32\GroupPolicy\User\Scripts\Logon\wmi.exe
        179⤵
        
        PID:1160
        
        C:\Windows\SysWOW64\GroupPolicy\User\Scripts\Logon\wmi.exe
        
        C:\Windows\system32\GroupPolicy\User\Scripts\Logon\wmi.exe
        180⤵
        
        PID:1604
        
        C:\Windows\SysWOW64\GroupPolicy\User\Scripts\Logon\wmi.exe
        
        C:\Windows\system32\GroupPolicy\User\Scripts\Logon\wmi.exe
        181⤵
        
        PID:1652
        
        C:\Windows\SysWOW64\GroupPolicy\User\Scripts\Logon\wmi.exe
        
        C:\Windows\system32\GroupPolicy\User\Scripts\Logon\wmi.exe
        182⤵
        Drops file in System32 directory
        
        PID:2012
        
        C:\Windows\SysWOW64\GroupPolicy\User\Scripts\Logon\wmi.exe
        
        C:\Windows\system32\GroupPolicy\User\Scripts\Logon\wmi.exe
        183⤵
        
        PID:984
        
        C:\Windows\SysWOW64\GroupPolicy\User\Scripts\Logon\wmi.exe
        
        C:\Windows\system32\GroupPolicy\User\Scripts\Logon\wmi.exe
        184⤵
        
        PID:1440
        
        C:\Windows\SysWOW64\GroupPolicy\User\Scripts\Logon\wmi.exe
        
        C:\Windows\system32\GroupPolicy\User\Scripts\Logon\wmi.exe
        185⤵
        
        PID:3104
        
        C:\Windows\SysWOW64\GroupPolicy\User\Scripts\Logon\wmi.exe
        
        C:\Windows\system32\GroupPolicy\User\Scripts\Logon\wmi.exe
        186⤵
        
        PID:3136

C:\Windows\SysWOW64\GroupPolicy\User\Scripts\Logon\wmi.exe
C:\Windows\system32\GroupPolicy\User\Scripts\Logon\wmi.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2868

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\GroupPolicy\User\Scripts\Logon\autorun.bat

Filesize
9B

MD5
225ef0f3451c1d3837c05335f0daaa46

SHA1
fae3701a79e6777d5cccd1428d94d293268fd8ce

SHA256
8114b2ecc85add5b62eea09251cbdfa19e378e47f4bbe23421765e72e0874fea

SHA512
14264a145bc482f82a5e221a89e7d9b348206ed1b644e5ea4ce4eaf696e0f040bc392c21e9cb1b3d92a5d5e64e1f66d0f69ae80b010ff6a07921558b9aa15137

Download Submit
C:\Windows\SysWOW64\GroupPolicy\User\Scripts\scripts.ini

Filesize
49B

MD5
24dadffd3eb142e1b510808fa1f41a16

SHA1
3f07d82c09b37de7c962b07abd30821674590658

SHA256
e00c8a2cbb301f52e8cff491e04657a6218bd569d2c9ff80a06b19d748e3d8dc

SHA512
de98151900c07e44e25168215f751781a2f00f6dc261e0c7774eb22418da1dd48d9cdb3c6f87657a0f8fb45350f3c23a54019fd1b1d2f0c7b3fb9a4e77bc07fe

Download Submit
C:\Windows\SysWOW64\GroupPolicy\gpt.ini

Filesize
263B

MD5
aa213b03fdf5a0d6d97bac1b4c8f20e4

SHA1
f5e1e150c2691d339a339a88f222df9c13a2dc8b

SHA256
cb4da959a75b71fcf859cbf2a4a16892e7bd84537cfdcdd208a544cf8e994fa4

SHA512
cfb69d5086aa7846edacb1fc12fa8ff3e562c131682bf12bd48af98eba8d09c69a93a4f1590e1e08724213b3f3862894838002757fa5a6536462149f9a831b22

Download Submit
\Windows\SysWOW64\GroupPolicy\User\Scripts\Logon\wmi.exe

Filesize
17KB

MD5
fb918da925d3f13fb7205e0f43592e72

SHA1
cf0882fa05e6b1b7e4e42d57fe24f86ae43114b5

SHA256
852988deff94cd229b720dc1050860db42fd06640babb7634ee25f0cbb9fc506

SHA512
c2b6f6866697c634dddb04f17a238ccbdf8b5fa3f51c4e6680ef0d8e51d182ac8c30318714fb564a79faadab03b5a0ba735c11cfb54128c2f53bb12d641a9d76

Download Submit
\Windows\SysWOW64\GroupPolicy\User\Scripts\Logon\wmi.exe

Filesize
196KB

MD5
64028b0dc46078f1e2e49f41372d3273

SHA1
bdb89a3aaabbc31167c8e5ccd4b23dfd178255d1

SHA256
62834214d7284ddb935afd40b7b6ec0d2b9a138333bb33a0e386c6793afbf077

SHA512
18790a92ac918af35df3c36d8b20e5beacd075a25309b1e50acf13c5e06e6550618c51f702877b8e051c4be227ef446ce74fc0d5a46b704850edbcd4f3a427fd

Download Submit
memory/272-107-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/272-138-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/272-119-0x0000000001E10000-0x0000000001E90000-memory.dmp

Filesize
512KB

Download
memory/272-108-0x00000000001B0000-0x00000000001B1000-memory.dmp

Filesize
4KB

Download
memory/560-152-0x0000000000220000-0x0000000000221000-memory.dmp

Filesize
4KB

Download
memory/560-164-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/560-147-0x0000000000220000-0x0000000000221000-memory.dmp

Filesize
4KB

Download
memory/616-183-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/616-187-0x0000000000220000-0x0000000000221000-memory.dmp

Filesize
4KB

Download
memory/616-188-0x0000000000320000-0x0000000000321000-memory.dmp

Filesize
4KB

Download
memory/660-89-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/660-136-0x0000000000380000-0x0000000000400000-memory.dmp

Filesize
512KB

Download
memory/660-133-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/660-100-0x0000000000380000-0x0000000000400000-memory.dmp

Filesize
512KB

Download
memory/1640-175-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/1640-180-0x0000000000320000-0x0000000000321000-memory.dmp

Filesize
4KB

Download
memory/1640-182-0x0000000001EC0000-0x0000000001F40000-memory.dmp

Filesize
512KB

Download
memory/1640-179-0x0000000000220000-0x0000000000320000-memory.dmp

Filesize
1024KB

Download
memory/1796-169-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/1796-173-0x0000000000220000-0x0000000000221000-memory.dmp

Filesize
4KB

Download
memory/1904-163-0x0000000000230000-0x0000000000231000-memory.dmp

Filesize
4KB

Download
memory/1904-181-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/1904-189-0x0000000000220000-0x0000000000221000-memory.dmp

Filesize
4KB

Download
memory/1904-158-0x0000000000220000-0x0000000000221000-memory.dmp

Filesize
4KB

Download
memory/2100-46-0x0000000000220000-0x0000000000221000-memory.dmp

Filesize
4KB

Download
memory/2100-0-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/2100-26-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/2100-1-0x0000000000220000-0x0000000000221000-memory.dmp

Filesize
4KB

Download
memory/2100-13-0x0000000000480000-0x0000000000500000-memory.dmp

Filesize
512KB

Download
memory/2296-22-0x0000000000220000-0x0000000000221000-memory.dmp

Filesize
4KB

Download
memory/2296-14-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/2296-47-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/2564-162-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/2564-145-0x0000000000270000-0x00000000002F0000-memory.dmp

Filesize
512KB

Download
memory/2564-139-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/2564-140-0x0000000000220000-0x0000000000221000-memory.dmp

Filesize
4KB

Download
memory/2564-146-0x0000000000270000-0x00000000002F0000-memory.dmp

Filesize
512KB

Download
memory/2608-120-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/2608-64-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/2608-71-0x0000000000220000-0x0000000000221000-memory.dmp

Filesize
4KB

Download
memory/2712-52-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/2712-53-0x00000000001B0000-0x00000000001B1000-memory.dmp

Filesize
4KB

Download
memory/2712-60-0x00000000001B0000-0x00000000001B1000-memory.dmp

Filesize
4KB

Download
memory/2712-99-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/2728-74-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/2728-33-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/2728-34-0x00000000002A0000-0x00000000002A1000-memory.dmp

Filesize
4KB

Download
memory/2808-125-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/2808-151-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/2808-126-0x0000000000220000-0x0000000000221000-memory.dmp

Filesize
4KB

Download
memory/2868-76-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/2868-84-0x00000000003A0000-0x00000000003A1000-memory.dmp

Filesize
4KB

Download
memory/2868-123-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/2888-153-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/2888-174-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/2888-154-0x0000000000220000-0x0000000000221000-memory.dmp

Filesize
4KB

Download
memory/2936-165-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/2972-141-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/2972-112-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/3036-39-0x00000000002A0000-0x00000000002A1000-memory.dmp

Filesize
4KB

Download
memory/3036-38-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/3036-48-0x0000000000230000-0x0000000000231000-memory.dmp

Filesize
4KB

Download
memory/3036-83-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/3036-88-0x00000000002A0000-0x00000000002A1000-memory.dmp

Filesize
4KB

Download