62834214d7284ddb935afd40b7b6ec0d2b9a138333bb33a0e386c6793afbf077

Analysis

max time kernel
4s
max time network
37s
platform
windows10-2004_x64
resource
win10v2004-20231222-en
resource tags

arch:x64arch:x86image:win10v2004-20231222-enlocale:en-usos:windows10-2004-x64system
submitted
18-01-2024 00:32

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

64028b0dc46078f1e2e49f41372d3273.exe
Size

196KB
MD5

64028b0dc46078f1e2e49f41372d3273
SHA1

bdb89a3aaabbc31167c8e5ccd4b23dfd178255d1
SHA256

62834214d7284ddb935afd40b7b6ec0d2b9a138333bb33a0e386c6793afbf077
SHA512

18790a92ac918af35df3c36d8b20e5beacd075a25309b1e50acf13c5e06e6550618c51f702877b8e051c4be227ef446ce74fc0d5a46b704850edbcd4f3a427fd
SSDEEP

6144:0xg+KSsJsbCvxRmv8SGKBtw30F5Tvv6x1V:29KfJ+A8B/Ftvv6x1

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 25 IoCs

pid	Process
1704	wmi.exe
4604	wmi.exe
2876	wmi.exe
4556	wmi.exe
2672	wmi.exe
1436	wmi.exe
2692	wmi.exe
4104	wmi.exe
5028	wmi.exe
2412	wmi.exe
2488	wmi.exe
3664	wmi.exe
912	wmi.exe
4372	wmi.exe
4896	wmi.exe
5080	wmi.exe
4544	wmi.exe
2120	wmi.exe
1624	wmi.exe
4580	wmi.exe
4340	wmi.exe
2592	wmi.exe
5040	wmi.exe
536	wmi.exe
2276	wmi.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\GroupPolicy\gpt.ini	wmi.exe
File opened for modification	C:\Windows\SysWOW64\GroupPolicy\gpt.ini	wmi.exe
File opened for modification	C:\Windows\SysWOW64\GroupPolicy\User\Scripts\scripts.ini	wmi.exe
File opened for modification	C:\Windows\SysWOW64\GroupPolicy\User\Scripts\scripts.ini	wmi.exe
File created	C:\Windows\SysWOW64\GroupPolicy\User\Scripts\Logon\wmi.exe	wmi.exe
File opened for modification	C:\Windows\SysWOW64\GroupPolicy\User\Scripts\Logon\autorun.bat	wmi.exe
File created	C:\Windows\SysWOW64\GroupPolicy\User\Scripts\Logon\wmi.exe	wmi.exe
File created	C:\Windows\SysWOW64\GroupPolicy\User\Scripts\Logon\wmi.exe	wmi.exe
File opened for modification	C:\Windows\SysWOW64\GroupPolicy\gpt.ini	wmi.exe
File opened for modification	C:\Windows\SysWOW64\GroupPolicy\User\Scripts\scripts.ini	wmi.exe
File opened for modification	C:\Windows\SysWOW64\GroupPolicy\User\Scripts\scripts.ini	wmi.exe
File opened for modification	C:\Windows\SysWOW64\GroupPolicy\gpt.ini	wmi.exe
File opened for modification	C:\Windows\SysWOW64\GroupPolicy\User\Scripts\Logon\autorun.bat	wmi.exe
File opened for modification	C:\Windows\SysWOW64\GroupPolicy\gpt.ini	wmi.exe
File created	C:\Windows\SysWOW64\GroupPolicy\User\Scripts\Logon\autorun.bat	64028b0dc46078f1e2e49f41372d3273.exe
File created	C:\Windows\SysWOW64\GroupPolicy\User\Scripts\Logon\wmi.exe	wmi.exe
File created	C:\Windows\SysWOW64\GroupPolicy\User\Scripts\Logon\wmi.exe	wmi.exe
File opened for modification	C:\Windows\SysWOW64\GroupPolicy\gpt.ini	wmi.exe
File opened for modification	C:\Windows\SysWOW64\GroupPolicy\User\Scripts\Logon\autorun.bat	wmi.exe
File created	C:\Windows\SysWOW64\GroupPolicy\User\Scripts\Logon\wmi.exe	wmi.exe
File opened for modification	C:\Windows\SysWOW64\GroupPolicy\User\Scripts\scripts.ini	wmi.exe
File created	C:\Windows\SysWOW64\GroupPolicy\User\Scripts\Logon\wmi.exe	wmi.exe
File opened for modification	C:\Windows\SysWOW64\GroupPolicy\gpt.ini	wmi.exe
File created	C:\Windows\SysWOW64\GroupPolicy\User\Scripts\Logon\wmi.exe	wmi.exe
File opened for modification	C:\Windows\SysWOW64\GroupPolicy\gpt.ini	wmi.exe
File opened for modification	C:\Windows\SysWOW64\GroupPolicy\User\Scripts\Logon\autorun.bat	wmi.exe
File opened for modification	C:\Windows\SysWOW64\GroupPolicy\gpt.ini	wmi.exe
File opened for modification	C:\Windows\SysWOW64\GroupPolicy\User\Scripts\Logon\wmi.exe	64028b0dc46078f1e2e49f41372d3273.exe
File opened for modification	C:\Windows\SysWOW64\GroupPolicy\User\Scripts\scripts.ini	wmi.exe
File created	C:\Windows\SysWOW64\GroupPolicy\User\Scripts\Logon\wmi.exe	wmi.exe
File opened for modification	C:\Windows\SysWOW64\GroupPolicy\gpt.ini	wmi.exe
File created	C:\Windows\SysWOW64\GroupPolicy\User\Scripts\scripts.ini	64028b0dc46078f1e2e49f41372d3273.exe
File opened for modification	C:\Windows\SysWOW64\GroupPolicy\User\Scripts\Logon\autorun.bat	wmi.exe
File created	C:\Windows\SysWOW64\GroupPolicy\User\Scripts\Logon\wmi.exe	wmi.exe
File opened for modification	C:\Windows\SysWOW64\GroupPolicy\User\Scripts\Logon\autorun.bat	wmi.exe
File opened for modification	C:\Windows\SysWOW64\GroupPolicy\User\Scripts\Logon\autorun.bat	wmi.exe
File opened for modification	C:\Windows\SysWOW64\GroupPolicy\User\Scripts\Logon\autorun.bat	wmi.exe
File created	C:\Windows\SysWOW64\GroupPolicy\User\Scripts\Logon\wmi.exe	64028b0dc46078f1e2e49f41372d3273.exe
File opened for modification	C:\Windows\SysWOW64\GroupPolicy\User\Scripts\Logon\autorun.bat	wmi.exe
File opened for modification	C:\Windows\SysWOW64\GroupPolicy\User\Scripts\Logon\autorun.bat	wmi.exe
File opened for modification	C:\Windows\SysWOW64\GroupPolicy\User\Scripts\Logon\autorun.bat	wmi.exe
File opened for modification	C:\Windows\SysWOW64\GroupPolicy\User\Scripts\Logon\autorun.bat	wmi.exe
File opened for modification	C:\Windows\SysWOW64\GroupPolicy\gpt.ini	wmi.exe
File opened for modification	C:\Windows\SysWOW64\GroupPolicy\gpt.ini	wmi.exe
File opened for modification	C:\Windows\SysWOW64\GroupPolicy\User\Scripts\Logon\autorun.bat	wmi.exe
File opened for modification	C:\Windows\SysWOW64\GroupPolicy\User\Scripts\scripts.ini	wmi.exe
File created	C:\Windows\SysWOW64\GroupPolicy\User\Scripts\Logon\wmi.exe	wmi.exe
File opened for modification	C:\Windows\SysWOW64\GroupPolicy\User\Scripts\scripts.ini	wmi.exe
File created	C:\Windows\SysWOW64\GroupPolicy\gpt.ini	64028b0dc46078f1e2e49f41372d3273.exe
File opened for modification	C:\Windows\SysWOW64\GroupPolicy\User\Scripts\scripts.ini	wmi.exe
File opened for modification	C:\Windows\SysWOW64\GroupPolicy\User\Scripts\scripts.ini	wmi.exe
File opened for modification	C:\Windows\SysWOW64\GroupPolicy\gpt.ini	wmi.exe
File opened for modification	C:\Windows\SysWOW64\GroupPolicy\User\Scripts\scripts.ini	wmi.exe
File created	C:\Windows\SysWOW64\GroupPolicy\User\Scripts\Logon\wmi.exe	wmi.exe
File opened for modification	C:\Windows\SysWOW64\GroupPolicy\User\Scripts\scripts.ini	wmi.exe
File opened for modification	C:\Windows\SysWOW64\GroupPolicy\gpt.ini	wmi.exe
File opened for modification	C:\Windows\SysWOW64\GroupPolicy\User\Scripts\scripts.ini	wmi.exe
File opened for modification	C:\Windows\SysWOW64\GroupPolicy\User\Scripts\scripts.ini	wmi.exe
File created	C:\Windows\SysWOW64\GroupPolicy\User\Scripts\Logon\wmi.exe	wmi.exe
File created	C:\Windows\SysWOW64\GroupPolicy\User\Scripts\Logon\wmi.exe	wmi.exe
File created	C:\Windows\SysWOW64\GroupPolicy\User\Scripts\Logon\wmi.exe	wmi.exe
File opened for modification	C:\Windows\SysWOW64\GroupPolicy\gpt.ini	wmi.exe
File created	C:\Windows\SysWOW64\GroupPolicy\User\Scripts\Logon\wmi.exe	wmi.exe
File opened for modification	C:\Windows\SysWOW64\GroupPolicy\User\Scripts\Logon\autorun.bat	wmi.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
3316	64028b0dc46078f1e2e49f41372d3273.exe
3316	64028b0dc46078f1e2e49f41372d3273.exe
3316	64028b0dc46078f1e2e49f41372d3273.exe
3316	64028b0dc46078f1e2e49f41372d3273.exe
3316	64028b0dc46078f1e2e49f41372d3273.exe
3316	64028b0dc46078f1e2e49f41372d3273.exe
1704	wmi.exe
1704	wmi.exe
1704	wmi.exe
1704	wmi.exe
1704	wmi.exe
1704	wmi.exe
4604	wmi.exe
4604	wmi.exe
4604	wmi.exe
4604	wmi.exe
4604	wmi.exe
4604	wmi.exe
2876	wmi.exe
2876	wmi.exe
2876	wmi.exe
2876	wmi.exe
2876	wmi.exe
2876	wmi.exe
4556	wmi.exe
4556	wmi.exe
4556	wmi.exe
4556	wmi.exe
4556	wmi.exe
4556	wmi.exe
2672	wmi.exe
2672	wmi.exe
2672	wmi.exe
2672	wmi.exe
2672	wmi.exe
2672	wmi.exe
1436	wmi.exe
1436	wmi.exe
1436	wmi.exe
1436	wmi.exe
1436	wmi.exe
1436	wmi.exe
2692	wmi.exe
2692	wmi.exe
2692	wmi.exe
2692	wmi.exe
2692	wmi.exe
2692	wmi.exe
4104	wmi.exe
4104	wmi.exe
4104	wmi.exe
4104	wmi.exe
4104	wmi.exe
4104	wmi.exe
5028	wmi.exe
5028	wmi.exe
5028	wmi.exe
5028	wmi.exe
5028	wmi.exe
5028	wmi.exe
2412	wmi.exe
2412	wmi.exe
2412	wmi.exe
2412	wmi.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3316 wrote to memory of 1704	3316	64028b0dc46078f1e2e49f41372d3273.exe	32
PID 3316 wrote to memory of 1704	3316	64028b0dc46078f1e2e49f41372d3273.exe	32
PID 3316 wrote to memory of 1704	3316	64028b0dc46078f1e2e49f41372d3273.exe	32
PID 1704 wrote to memory of 4604	1704	wmi.exe	34
PID 1704 wrote to memory of 4604	1704	wmi.exe	34
PID 1704 wrote to memory of 4604	1704	wmi.exe	34
PID 4604 wrote to memory of 2876	4604	wmi.exe	38
PID 4604 wrote to memory of 2876	4604	wmi.exe	38
PID 4604 wrote to memory of 2876	4604	wmi.exe	38
PID 2876 wrote to memory of 4556	2876	wmi.exe	82
PID 2876 wrote to memory of 4556	2876	wmi.exe	82
PID 2876 wrote to memory of 4556	2876	wmi.exe	82
PID 4556 wrote to memory of 2672	4556	wmi.exe	39
PID 4556 wrote to memory of 2672	4556	wmi.exe	39
PID 4556 wrote to memory of 2672	4556	wmi.exe	39
PID 2672 wrote to memory of 1436	2672	wmi.exe	40
PID 2672 wrote to memory of 1436	2672	wmi.exe	40
PID 2672 wrote to memory of 1436	2672	wmi.exe	40
PID 1436 wrote to memory of 2692	1436	wmi.exe	41
PID 1436 wrote to memory of 2692	1436	wmi.exe	41
PID 1436 wrote to memory of 2692	1436	wmi.exe	41
PID 2692 wrote to memory of 4104	2692	wmi.exe	73
PID 2692 wrote to memory of 4104	2692	wmi.exe	73
PID 2692 wrote to memory of 4104	2692	wmi.exe	73
PID 4104 wrote to memory of 5028	4104	wmi.exe	69
PID 4104 wrote to memory of 5028	4104	wmi.exe	69
PID 4104 wrote to memory of 5028	4104	wmi.exe	69
PID 5028 wrote to memory of 2412	5028	wmi.exe	67
PID 5028 wrote to memory of 2412	5028	wmi.exe	67
PID 5028 wrote to memory of 2412	5028	wmi.exe	67
PID 2412 wrote to memory of 2488	2412	wmi.exe	66
PID 2412 wrote to memory of 2488	2412	wmi.exe	66
PID 2412 wrote to memory of 2488	2412	wmi.exe	66
PID 2488 wrote to memory of 3664	2488	wmi.exe	65
PID 2488 wrote to memory of 3664	2488	wmi.exe	65
PID 2488 wrote to memory of 3664	2488	wmi.exe	65
PID 3664 wrote to memory of 912	3664	wmi.exe	62
PID 3664 wrote to memory of 912	3664	wmi.exe	62
PID 3664 wrote to memory of 912	3664	wmi.exe	62
PID 912 wrote to memory of 4372	912	wmi.exe	58
PID 912 wrote to memory of 4372	912	wmi.exe	58
PID 912 wrote to memory of 4372	912	wmi.exe	58
PID 4372 wrote to memory of 4896	4372	wmi.exe	56
PID 4372 wrote to memory of 4896	4372	wmi.exe	56
PID 4372 wrote to memory of 4896	4372	wmi.exe	56
PID 4896 wrote to memory of 5080	4896	wmi.exe	53
PID 4896 wrote to memory of 5080	4896	wmi.exe	53
PID 4896 wrote to memory of 5080	4896	wmi.exe	53
PID 5080 wrote to memory of 4544	5080	wmi.exe	46
PID 5080 wrote to memory of 4544	5080	wmi.exe	46
PID 5080 wrote to memory of 4544	5080	wmi.exe	46
PID 4544 wrote to memory of 2120	4544	wmi.exe	48
PID 4544 wrote to memory of 2120	4544	wmi.exe	48
PID 4544 wrote to memory of 2120	4544	wmi.exe	48
PID 2120 wrote to memory of 1624	2120	wmi.exe	49
PID 2120 wrote to memory of 1624	2120	wmi.exe	49
PID 2120 wrote to memory of 1624	2120	wmi.exe	49
PID 1624 wrote to memory of 4580	1624	wmi.exe	50
PID 1624 wrote to memory of 4580	1624	wmi.exe	50
PID 1624 wrote to memory of 4580	1624	wmi.exe	50
PID 4580 wrote to memory of 4340	4580	wmi.exe	51
PID 4580 wrote to memory of 4340	4580	wmi.exe	51
PID 4580 wrote to memory of 4340	4580	wmi.exe	51
PID 4340 wrote to memory of 2592	4340	wmi.exe	52

C:\Users\Admin\AppData\Local\Temp\64028b0dc46078f1e2e49f41372d3273.exe
"C:\Users\Admin\AppData\Local\Temp\64028b0dc46078f1e2e49f41372d3273.exe"
1⤵
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:3316
- C:\Windows\SysWOW64\GroupPolicy\User\Scripts\Logon\wmi.exe
  C:\Windows\system32\GroupPolicy\User\Scripts\Logon\wmi.exe
  2⤵
  - Executes dropped EXE
  - Drops file in System32 directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:1704
- - C:\Windows\SysWOW64\GroupPolicy\User\Scripts\Logon\wmi.exe
    C:\Windows\system32\GroupPolicy\User\Scripts\Logon\wmi.exe
    3⤵
    - Executes dropped EXE
    - Drops file in System32 directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:4604
  - - C:\Windows\SysWOW64\GroupPolicy\User\Scripts\Logon\wmi.exe
      C:\Windows\system32\GroupPolicy\User\Scripts\Logon\wmi.exe
      4⤵
      Executes dropped EXE
      Drops file in System32 directory
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of WriteProcessMemory
      PID:2876
    - - C:\Windows\SysWOW64\GroupPolicy\User\Scripts\Logon\wmi.exe
        
        C:\Windows\system32\GroupPolicy\User\Scripts\Logon\wmi.exe
        5⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of WriteProcessMemory
        
        PID:4556
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /c del /f /q "C:\Windows\SysWOW64\GroupPolicy\User\Scripts\Logon\wmi.exe" > nul
    3⤵
    PID:7868
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\system32\cmd.exe" /c del /f /q "C:\Users\Admin\AppData\Local\Temp\64028B~1.EXE" > nul
  2⤵
  PID:7836

C:\Windows\SysWOW64\GroupPolicy\User\Scripts\Logon\wmi.exe
C:\Windows\system32\GroupPolicy\User\Scripts\Logon\wmi.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2672
- C:\Windows\SysWOW64\GroupPolicy\User\Scripts\Logon\wmi.exe
  C:\Windows\system32\GroupPolicy\User\Scripts\Logon\wmi.exe
  2⤵
  - Executes dropped EXE
  - Drops file in System32 directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:1436
- - C:\Windows\SysWOW64\GroupPolicy\User\Scripts\Logon\wmi.exe
    C:\Windows\system32\GroupPolicy\User\Scripts\Logon\wmi.exe
    3⤵
    - Executes dropped EXE
    - Drops file in System32 directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:2692
  - - C:\Windows\SysWOW64\GroupPolicy\User\Scripts\Logon\wmi.exe
      C:\Windows\system32\GroupPolicy\User\Scripts\Logon\wmi.exe
      4⤵
      Executes dropped EXE
      Drops file in System32 directory
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of WriteProcessMemory
      PID:4104

C:\Windows\SysWOW64\GroupPolicy\User\Scripts\Logon\wmi.exe
C:\Windows\system32\GroupPolicy\User\Scripts\Logon\wmi.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:4544
- C:\Windows\SysWOW64\GroupPolicy\User\Scripts\Logon\wmi.exe
  C:\Windows\system32\GroupPolicy\User\Scripts\Logon\wmi.exe
  2⤵
  - Executes dropped EXE
  - Drops file in System32 directory
  - Suspicious use of WriteProcessMemory
  PID:2120
- - C:\Windows\SysWOW64\GroupPolicy\User\Scripts\Logon\wmi.exe
    C:\Windows\system32\GroupPolicy\User\Scripts\Logon\wmi.exe
    3⤵
    - Executes dropped EXE
    - Drops file in System32 directory
    - Suspicious use of WriteProcessMemory
    PID:1624
  - - C:\Windows\SysWOW64\GroupPolicy\User\Scripts\Logon\wmi.exe
      C:\Windows\system32\GroupPolicy\User\Scripts\Logon\wmi.exe
      4⤵
      Executes dropped EXE
      Drops file in System32 directory
      Suspicious use of WriteProcessMemory
      PID:4580
    - - C:\Windows\SysWOW64\GroupPolicy\User\Scripts\Logon\wmi.exe
        
        C:\Windows\system32\GroupPolicy\User\Scripts\Logon\wmi.exe
        5⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:4340
      - C:\Windows\SysWOW64\GroupPolicy\User\Scripts\Logon\wmi.exe
        
        C:\Windows\system32\GroupPolicy\User\Scripts\Logon\wmi.exe
        6⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2592
        
        C:\Windows\SysWOW64\GroupPolicy\User\Scripts\Logon\wmi.exe
        
        C:\Windows\system32\GroupPolicy\User\Scripts\Logon\wmi.exe
        7⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:5040
        
        C:\Windows\SysWOW64\GroupPolicy\User\Scripts\Logon\wmi.exe
        
        C:\Windows\system32\GroupPolicy\User\Scripts\Logon\wmi.exe
        8⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:536
        
        C:\Windows\SysWOW64\GroupPolicy\User\Scripts\Logon\wmi.exe
        
        C:\Windows\system32\GroupPolicy\User\Scripts\Logon\wmi.exe
        9⤵
        Executes dropped EXE
        
        PID:2276
        
        C:\Windows\SysWOW64\GroupPolicy\User\Scripts\Logon\wmi.exe
        
        C:\Windows\system32\GroupPolicy\User\Scripts\Logon\wmi.exe
        10⤵
        
        PID:664
        
        C:\Windows\SysWOW64\GroupPolicy\User\Scripts\Logon\wmi.exe
        
        C:\Windows\system32\GroupPolicy\User\Scripts\Logon\wmi.exe
        11⤵
        
        PID:3392
        
        C:\Windows\SysWOW64\GroupPolicy\User\Scripts\Logon\wmi.exe
        
        C:\Windows\system32\GroupPolicy\User\Scripts\Logon\wmi.exe
        12⤵
        
        PID:3804
        
        C:\Windows\SysWOW64\GroupPolicy\User\Scripts\Logon\wmi.exe
        
        C:\Windows\system32\GroupPolicy\User\Scripts\Logon\wmi.exe
        13⤵
        
        PID:2136
        
        C:\Windows\SysWOW64\GroupPolicy\User\Scripts\Logon\wmi.exe
        
        C:\Windows\system32\GroupPolicy\User\Scripts\Logon\wmi.exe
        14⤵
        
        PID:1572
        
        C:\Windows\SysWOW64\GroupPolicy\User\Scripts\Logon\wmi.exe
        
        C:\Windows\system32\GroupPolicy\User\Scripts\Logon\wmi.exe
        15⤵
        
        PID:2132
        
        C:\Windows\SysWOW64\GroupPolicy\User\Scripts\Logon\wmi.exe
        
        C:\Windows\system32\GroupPolicy\User\Scripts\Logon\wmi.exe
        16⤵
        
        PID:2744
        
        C:\Windows\SysWOW64\GroupPolicy\User\Scripts\Logon\wmi.exe
        
        C:\Windows\system32\GroupPolicy\User\Scripts\Logon\wmi.exe
        17⤵
        
        PID:4148
        
        C:\Windows\SysWOW64\GroupPolicy\User\Scripts\Logon\wmi.exe
        
        C:\Windows\system32\GroupPolicy\User\Scripts\Logon\wmi.exe
        18⤵
        
        PID:1204
        
        C:\Windows\SysWOW64\GroupPolicy\User\Scripts\Logon\wmi.exe
        
        C:\Windows\system32\GroupPolicy\User\Scripts\Logon\wmi.exe
        19⤵
        
        PID:3556
        
        C:\Windows\SysWOW64\GroupPolicy\User\Scripts\Logon\wmi.exe
        
        C:\Windows\system32\GroupPolicy\User\Scripts\Logon\wmi.exe
        20⤵
        
        PID:4432
        
        C:\Windows\SysWOW64\GroupPolicy\User\Scripts\Logon\wmi.exe
        
        C:\Windows\system32\GroupPolicy\User\Scripts\Logon\wmi.exe
        21⤵
        
        PID:4820
        
        C:\Windows\SysWOW64\GroupPolicy\User\Scripts\Logon\wmi.exe
        
        C:\Windows\system32\GroupPolicy\User\Scripts\Logon\wmi.exe
        22⤵
        
        PID:4880
        
        C:\Windows\SysWOW64\GroupPolicy\User\Scripts\Logon\wmi.exe
        
        C:\Windows\system32\GroupPolicy\User\Scripts\Logon\wmi.exe
        23⤵
        
        PID:2176
        
        C:\Windows\SysWOW64\GroupPolicy\User\Scripts\Logon\wmi.exe
        
        C:\Windows\system32\GroupPolicy\User\Scripts\Logon\wmi.exe
        24⤵
        
        PID:4592
        
        C:\Windows\SysWOW64\GroupPolicy\User\Scripts\Logon\wmi.exe
        
        C:\Windows\system32\GroupPolicy\User\Scripts\Logon\wmi.exe
        25⤵
        
        PID:4824
        
        C:\Windows\SysWOW64\GroupPolicy\User\Scripts\Logon\wmi.exe
        
        C:\Windows\system32\GroupPolicy\User\Scripts\Logon\wmi.exe
        26⤵
        
        PID:4112
        
        C:\Windows\SysWOW64\GroupPolicy\User\Scripts\Logon\wmi.exe
        
        C:\Windows\system32\GroupPolicy\User\Scripts\Logon\wmi.exe
        27⤵
        
        PID:2664
        
        C:\Windows\SysWOW64\GroupPolicy\User\Scripts\Logon\wmi.exe
        
        C:\Windows\system32\GroupPolicy\User\Scripts\Logon\wmi.exe
        28⤵
        
        PID:2444
        
        C:\Windows\SysWOW64\GroupPolicy\User\Scripts\Logon\wmi.exe
        
        C:\Windows\system32\GroupPolicy\User\Scripts\Logon\wmi.exe
        29⤵
        
        PID:2860
        
        C:\Windows\SysWOW64\GroupPolicy\User\Scripts\Logon\wmi.exe
        
        C:\Windows\system32\GroupPolicy\User\Scripts\Logon\wmi.exe
        30⤵
        
        PID:3896
        
        C:\Windows\SysWOW64\GroupPolicy\User\Scripts\Logon\wmi.exe
        
        C:\Windows\system32\GroupPolicy\User\Scripts\Logon\wmi.exe
        31⤵
        
        PID:3080
        
        C:\Windows\SysWOW64\GroupPolicy\User\Scripts\Logon\wmi.exe
        
        C:\Windows\system32\GroupPolicy\User\Scripts\Logon\wmi.exe
        32⤵
        
        PID:3532
        
        C:\Windows\SysWOW64\GroupPolicy\User\Scripts\Logon\wmi.exe
        
        C:\Windows\system32\GroupPolicy\User\Scripts\Logon\wmi.exe
        33⤵
        
        PID:2508
        
        C:\Windows\SysWOW64\GroupPolicy\User\Scripts\Logon\wmi.exe
        
        C:\Windows\system32\GroupPolicy\User\Scripts\Logon\wmi.exe
        34⤵
        
        PID:2228
        
        C:\Windows\SysWOW64\GroupPolicy\User\Scripts\Logon\wmi.exe
        
        C:\Windows\system32\GroupPolicy\User\Scripts\Logon\wmi.exe
        35⤵
        
        PID:4856
        
        C:\Windows\SysWOW64\GroupPolicy\User\Scripts\Logon\wmi.exe
        
        C:\Windows\system32\GroupPolicy\User\Scripts\Logon\wmi.exe
        36⤵
        
        PID:3700
        
        C:\Windows\SysWOW64\GroupPolicy\User\Scripts\Logon\wmi.exe
        
        C:\Windows\system32\GroupPolicy\User\Scripts\Logon\wmi.exe
        37⤵
        
        PID:2512
        
        C:\Windows\SysWOW64\GroupPolicy\User\Scripts\Logon\wmi.exe
        
        C:\Windows\system32\GroupPolicy\User\Scripts\Logon\wmi.exe
        38⤵
        
        PID:1772
        
        C:\Windows\SysWOW64\GroupPolicy\User\Scripts\Logon\wmi.exe
        
        C:\Windows\system32\GroupPolicy\User\Scripts\Logon\wmi.exe
        39⤵
        
        PID:4348
        
        C:\Windows\SysWOW64\GroupPolicy\User\Scripts\Logon\wmi.exe
        
        C:\Windows\system32\GroupPolicy\User\Scripts\Logon\wmi.exe
        40⤵
        
        PID:5136
        
        C:\Windows\SysWOW64\GroupPolicy\User\Scripts\Logon\wmi.exe
        
        C:\Windows\system32\GroupPolicy\User\Scripts\Logon\wmi.exe
        41⤵
        
        PID:5172
        
        C:\Windows\SysWOW64\GroupPolicy\User\Scripts\Logon\wmi.exe
        
        C:\Windows\system32\GroupPolicy\User\Scripts\Logon\wmi.exe
        42⤵
        
        PID:5284
        
        C:\Windows\SysWOW64\GroupPolicy\User\Scripts\Logon\wmi.exe
        
        C:\Windows\system32\GroupPolicy\User\Scripts\Logon\wmi.exe
        43⤵
        
        PID:5368
        
        C:\Windows\SysWOW64\GroupPolicy\User\Scripts\Logon\wmi.exe
        
        C:\Windows\system32\GroupPolicy\User\Scripts\Logon\wmi.exe
        44⤵
        
        PID:5412
        
        C:\Windows\SysWOW64\GroupPolicy\User\Scripts\Logon\wmi.exe
        
        C:\Windows\system32\GroupPolicy\User\Scripts\Logon\wmi.exe
        45⤵
        
        PID:5448
        
        C:\Windows\SysWOW64\GroupPolicy\User\Scripts\Logon\wmi.exe
        
        C:\Windows\system32\GroupPolicy\User\Scripts\Logon\wmi.exe
        46⤵
        
        PID:5492
        
        C:\Windows\SysWOW64\GroupPolicy\User\Scripts\Logon\wmi.exe
        
        C:\Windows\system32\GroupPolicy\User\Scripts\Logon\wmi.exe
        47⤵
        
        PID:5536
        
        C:\Windows\SysWOW64\GroupPolicy\User\Scripts\Logon\wmi.exe
        
        C:\Windows\system32\GroupPolicy\User\Scripts\Logon\wmi.exe
        48⤵
        
        PID:5580
        
        C:\Windows\SysWOW64\GroupPolicy\User\Scripts\Logon\wmi.exe
        
        C:\Windows\system32\GroupPolicy\User\Scripts\Logon\wmi.exe
        49⤵
        
        PID:5644
        
        C:\Windows\SysWOW64\GroupPolicy\User\Scripts\Logon\wmi.exe
        
        C:\Windows\system32\GroupPolicy\User\Scripts\Logon\wmi.exe
        50⤵
        
        PID:5684
        
        C:\Windows\SysWOW64\GroupPolicy\User\Scripts\Logon\wmi.exe
        
        C:\Windows\system32\GroupPolicy\User\Scripts\Logon\wmi.exe
        51⤵
        
        PID:5736
        
        C:\Windows\SysWOW64\GroupPolicy\User\Scripts\Logon\wmi.exe
        
        C:\Windows\system32\GroupPolicy\User\Scripts\Logon\wmi.exe
        52⤵
        
        PID:5780
        
        C:\Windows\SysWOW64\GroupPolicy\User\Scripts\Logon\wmi.exe
        
        C:\Windows\system32\GroupPolicy\User\Scripts\Logon\wmi.exe
        53⤵
        
        PID:5816
        
        C:\Windows\SysWOW64\GroupPolicy\User\Scripts\Logon\wmi.exe
        
        C:\Windows\system32\GroupPolicy\User\Scripts\Logon\wmi.exe
        54⤵
        
        PID:5860
        
        C:\Windows\SysWOW64\GroupPolicy\User\Scripts\Logon\wmi.exe
        
        C:\Windows\system32\GroupPolicy\User\Scripts\Logon\wmi.exe
        55⤵
        
        PID:5908
        
        C:\Windows\SysWOW64\GroupPolicy\User\Scripts\Logon\wmi.exe
        
        C:\Windows\system32\GroupPolicy\User\Scripts\Logon\wmi.exe
        56⤵
        
        PID:5940
        
        C:\Windows\SysWOW64\GroupPolicy\User\Scripts\Logon\wmi.exe
        
        C:\Windows\system32\GroupPolicy\User\Scripts\Logon\wmi.exe
        57⤵
        
        PID:5992
        
        C:\Windows\SysWOW64\GroupPolicy\User\Scripts\Logon\wmi.exe
        
        C:\Windows\system32\GroupPolicy\User\Scripts\Logon\wmi.exe
        58⤵
        
        PID:6028
        
        C:\Windows\SysWOW64\GroupPolicy\User\Scripts\Logon\wmi.exe
        
        C:\Windows\system32\GroupPolicy\User\Scripts\Logon\wmi.exe
        59⤵
        
        PID:6072
        
        C:\Windows\SysWOW64\GroupPolicy\User\Scripts\Logon\wmi.exe
        
        C:\Windows\system32\GroupPolicy\User\Scripts\Logon\wmi.exe
        60⤵
        
        PID:6112
        
        C:\Windows\SysWOW64\GroupPolicy\User\Scripts\Logon\wmi.exe
        
        C:\Windows\system32\GroupPolicy\User\Scripts\Logon\wmi.exe
        61⤵
        
        PID:5124
        
        C:\Windows\SysWOW64\GroupPolicy\User\Scripts\Logon\wmi.exe
        
        C:\Windows\system32\GroupPolicy\User\Scripts\Logon\wmi.exe
        62⤵
        
        PID:5200
        
        C:\Windows\SysWOW64\GroupPolicy\User\Scripts\Logon\wmi.exe
        
        C:\Windows\system32\GroupPolicy\User\Scripts\Logon\wmi.exe
        63⤵
        
        PID:5352
        
        C:\Windows\SysWOW64\GroupPolicy\User\Scripts\Logon\wmi.exe
        
        C:\Windows\system32\GroupPolicy\User\Scripts\Logon\wmi.exe
        64⤵
        
        PID:5468
        
        C:\Windows\SysWOW64\GroupPolicy\User\Scripts\Logon\wmi.exe
        
        C:\Windows\system32\GroupPolicy\User\Scripts\Logon\wmi.exe
        65⤵
        
        PID:5520
        
        C:\Windows\SysWOW64\GroupPolicy\User\Scripts\Logon\wmi.exe
        
        C:\Windows\system32\GroupPolicy\User\Scripts\Logon\wmi.exe
        66⤵
        
        PID:5604
        
        C:\Windows\SysWOW64\GroupPolicy\User\Scripts\Logon\wmi.exe
        
        C:\Windows\system32\GroupPolicy\User\Scripts\Logon\wmi.exe
        67⤵
        
        PID:5664
        
        C:\Windows\SysWOW64\GroupPolicy\User\Scripts\Logon\wmi.exe
        
        C:\Windows\system32\GroupPolicy\User\Scripts\Logon\wmi.exe
        68⤵
        
        PID:5720
        
        C:\Windows\SysWOW64\GroupPolicy\User\Scripts\Logon\wmi.exe
        
        C:\Windows\system32\GroupPolicy\User\Scripts\Logon\wmi.exe
        69⤵
        
        PID:5848
        
        C:\Windows\SysWOW64\GroupPolicy\User\Scripts\Logon\wmi.exe
        
        C:\Windows\system32\GroupPolicy\User\Scripts\Logon\wmi.exe
        70⤵
        
        PID:6016
        
        C:\Windows\SysWOW64\GroupPolicy\User\Scripts\Logon\wmi.exe
        
        C:\Windows\system32\GroupPolicy\User\Scripts\Logon\wmi.exe
        71⤵
        
        PID:6104
        
        C:\Windows\SysWOW64\GroupPolicy\User\Scripts\Logon\wmi.exe
        
        C:\Windows\system32\GroupPolicy\User\Scripts\Logon\wmi.exe
        72⤵
        
        PID:5188
        
        C:\Windows\SysWOW64\GroupPolicy\User\Scripts\Logon\wmi.exe
        
        C:\Windows\system32\GroupPolicy\User\Scripts\Logon\wmi.exe
        73⤵
        
        PID:2832
        
        C:\Windows\SysWOW64\GroupPolicy\User\Scripts\Logon\wmi.exe
        
        C:\Windows\system32\GroupPolicy\User\Scripts\Logon\wmi.exe
        74⤵
        
        PID:3880
        
        C:\Windows\SysWOW64\GroupPolicy\User\Scripts\Logon\wmi.exe
        
        C:\Windows\system32\GroupPolicy\User\Scripts\Logon\wmi.exe
        75⤵
        
        PID:5444
        
        C:\Windows\SysWOW64\GroupPolicy\User\Scripts\Logon\wmi.exe
        
        C:\Windows\system32\GroupPolicy\User\Scripts\Logon\wmi.exe
        76⤵
        
        PID:5524
        
        C:\Windows\SysWOW64\GroupPolicy\User\Scripts\Logon\wmi.exe
        
        C:\Windows\system32\GroupPolicy\User\Scripts\Logon\wmi.exe
        77⤵
        
        PID:5628
        
        C:\Windows\SysWOW64\GroupPolicy\User\Scripts\Logon\wmi.exe
        
        C:\Windows\system32\GroupPolicy\User\Scripts\Logon\wmi.exe
        78⤵
        
        PID:5764
        
        C:\Windows\SysWOW64\GroupPolicy\User\Scripts\Logon\wmi.exe
        
        C:\Windows\system32\GroupPolicy\User\Scripts\Logon\wmi.exe
        79⤵
        
        PID:5924
        
        C:\Windows\SysWOW64\GroupPolicy\User\Scripts\Logon\wmi.exe
        
        C:\Windows\system32\GroupPolicy\User\Scripts\Logon\wmi.exe
        80⤵
        
        PID:6088
        
        C:\Windows\SysWOW64\GroupPolicy\User\Scripts\Logon\wmi.exe
        
        C:\Windows\system32\GroupPolicy\User\Scripts\Logon\wmi.exe
        81⤵
        
        PID:5156
        
        C:\Windows\SysWOW64\GroupPolicy\User\Scripts\Logon\wmi.exe
        
        C:\Windows\system32\GroupPolicy\User\Scripts\Logon\wmi.exe
        82⤵
        
        PID:8
        
        C:\Windows\SysWOW64\GroupPolicy\User\Scripts\Logon\wmi.exe
        
        C:\Windows\system32\GroupPolicy\User\Scripts\Logon\wmi.exe
        83⤵
        
        PID:552
        
        C:\Windows\SysWOW64\GroupPolicy\User\Scripts\Logon\wmi.exe
        
        C:\Windows\system32\GroupPolicy\User\Scripts\Logon\wmi.exe
        84⤵
        
        PID:5560
        
        C:\Windows\SysWOW64\GroupPolicy\User\Scripts\Logon\wmi.exe
        
        C:\Windows\system32\GroupPolicy\User\Scripts\Logon\wmi.exe
        85⤵
        
        PID:5164
        
        C:\Windows\SysWOW64\GroupPolicy\User\Scripts\Logon\wmi.exe
        
        C:\Windows\system32\GroupPolicy\User\Scripts\Logon\wmi.exe
        86⤵
        
        PID:6064
        
        C:\Windows\SysWOW64\GroupPolicy\User\Scripts\Logon\wmi.exe
        
        C:\Windows\system32\GroupPolicy\User\Scripts\Logon\wmi.exe
        87⤵
        
        PID:5344
        
        C:\Windows\SysWOW64\GroupPolicy\User\Scripts\Logon\wmi.exe
        
        C:\Windows\system32\GroupPolicy\User\Scripts\Logon\wmi.exe
        88⤵
        
        PID:5512
        
        C:\Windows\SysWOW64\GroupPolicy\User\Scripts\Logon\wmi.exe
        
        C:\Windows\system32\GroupPolicy\User\Scripts\Logon\wmi.exe
        89⤵
        
        PID:5928
        
        C:\Windows\SysWOW64\GroupPolicy\User\Scripts\Logon\wmi.exe
        
        C:\Windows\system32\GroupPolicy\User\Scripts\Logon\wmi.exe
        90⤵
        
        PID:5348
        
        C:\Windows\SysWOW64\GroupPolicy\User\Scripts\Logon\wmi.exe
        
        C:\Windows\system32\GroupPolicy\User\Scripts\Logon\wmi.exe
        91⤵
        
        PID:5632
        
        C:\Windows\SysWOW64\GroupPolicy\User\Scripts\Logon\wmi.exe
        
        C:\Windows\system32\GroupPolicy\User\Scripts\Logon\wmi.exe
        92⤵
        
        PID:3616
        
        C:\Windows\SysWOW64\GroupPolicy\User\Scripts\Logon\wmi.exe
        
        C:\Windows\system32\GroupPolicy\User\Scripts\Logon\wmi.exe
        93⤵
        
        PID:5332
        
        C:\Windows\SysWOW64\GroupPolicy\User\Scripts\Logon\wmi.exe
        
        C:\Windows\system32\GroupPolicy\User\Scripts\Logon\wmi.exe
        94⤵
        
        PID:5160
        
        C:\Windows\SysWOW64\GroupPolicy\User\Scripts\Logon\wmi.exe
        
        C:\Windows\system32\GroupPolicy\User\Scripts\Logon\wmi.exe
        95⤵
        
        PID:6180
        
        C:\Windows\SysWOW64\GroupPolicy\User\Scripts\Logon\wmi.exe
        
        C:\Windows\system32\GroupPolicy\User\Scripts\Logon\wmi.exe
        96⤵
        
        PID:6212
        
        C:\Windows\SysWOW64\GroupPolicy\User\Scripts\Logon\wmi.exe
        
        C:\Windows\system32\GroupPolicy\User\Scripts\Logon\wmi.exe
        97⤵
        
        PID:6260
        
        C:\Windows\SysWOW64\GroupPolicy\User\Scripts\Logon\wmi.exe
        
        C:\Windows\system32\GroupPolicy\User\Scripts\Logon\wmi.exe
        98⤵
        
        PID:6332
        
        C:\Windows\SysWOW64\GroupPolicy\User\Scripts\Logon\wmi.exe
        
        C:\Windows\system32\GroupPolicy\User\Scripts\Logon\wmi.exe
        99⤵
        
        PID:6376
        
        C:\Windows\SysWOW64\GroupPolicy\User\Scripts\Logon\wmi.exe
        
        C:\Windows\system32\GroupPolicy\User\Scripts\Logon\wmi.exe
        100⤵
        
        PID:6428
        
        C:\Windows\SysWOW64\GroupPolicy\User\Scripts\Logon\wmi.exe
        
        C:\Windows\system32\GroupPolicy\User\Scripts\Logon\wmi.exe
        101⤵
        
        PID:6512
        
        C:\Windows\SysWOW64\GroupPolicy\User\Scripts\Logon\wmi.exe
        
        C:\Windows\system32\GroupPolicy\User\Scripts\Logon\wmi.exe
        102⤵
        
        PID:6588
        
        C:\Windows\SysWOW64\GroupPolicy\User\Scripts\Logon\wmi.exe
        
        C:\Windows\system32\GroupPolicy\User\Scripts\Logon\wmi.exe
        103⤵
        
        PID:6668
        
        C:\Windows\SysWOW64\GroupPolicy\User\Scripts\Logon\wmi.exe
        
        C:\Windows\system32\GroupPolicy\User\Scripts\Logon\wmi.exe
        104⤵
        
        PID:6704
        
        C:\Windows\SysWOW64\GroupPolicy\User\Scripts\Logon\wmi.exe
        
        C:\Windows\system32\GroupPolicy\User\Scripts\Logon\wmi.exe
        105⤵
        
        PID:6772
        
        C:\Windows\SysWOW64\GroupPolicy\User\Scripts\Logon\wmi.exe
        
        C:\Windows\system32\GroupPolicy\User\Scripts\Logon\wmi.exe
        106⤵
        
        PID:6820
        
        C:\Windows\SysWOW64\GroupPolicy\User\Scripts\Logon\wmi.exe
        
        C:\Windows\system32\GroupPolicy\User\Scripts\Logon\wmi.exe
        107⤵
        
        PID:6880
        
        C:\Windows\SysWOW64\GroupPolicy\User\Scripts\Logon\wmi.exe
        
        C:\Windows\system32\GroupPolicy\User\Scripts\Logon\wmi.exe
        108⤵
        
        PID:6944
        
        C:\Windows\SysWOW64\GroupPolicy\User\Scripts\Logon\wmi.exe
        
        C:\Windows\system32\GroupPolicy\User\Scripts\Logon\wmi.exe
        109⤵
        
        PID:7012
        
        C:\Windows\SysWOW64\GroupPolicy\User\Scripts\Logon\wmi.exe
        
        C:\Windows\system32\GroupPolicy\User\Scripts\Logon\wmi.exe
        110⤵
        
        PID:7056
        
        C:\Windows\SysWOW64\GroupPolicy\User\Scripts\Logon\wmi.exe
        
        C:\Windows\system32\GroupPolicy\User\Scripts\Logon\wmi.exe
        111⤵
        
        PID:7104
        
        C:\Windows\SysWOW64\GroupPolicy\User\Scripts\Logon\wmi.exe
        
        C:\Windows\system32\GroupPolicy\User\Scripts\Logon\wmi.exe
        112⤵
        
        PID:7144
        
        C:\Windows\SysWOW64\GroupPolicy\User\Scripts\Logon\wmi.exe
        
        C:\Windows\system32\GroupPolicy\User\Scripts\Logon\wmi.exe
        113⤵
        
        PID:6176
        
        C:\Windows\SysWOW64\GroupPolicy\User\Scripts\Logon\wmi.exe
        
        C:\Windows\system32\GroupPolicy\User\Scripts\Logon\wmi.exe
        114⤵
        
        PID:6276
        
        C:\Windows\SysWOW64\GroupPolicy\User\Scripts\Logon\wmi.exe
        
        C:\Windows\system32\GroupPolicy\User\Scripts\Logon\wmi.exe
        115⤵
        
        PID:6328
        
        C:\Windows\SysWOW64\GroupPolicy\User\Scripts\Logon\wmi.exe
        
        C:\Windows\system32\GroupPolicy\User\Scripts\Logon\wmi.exe
        116⤵
        
        PID:6452
        
        C:\Windows\SysWOW64\GroupPolicy\User\Scripts\Logon\wmi.exe
        
        C:\Windows\system32\GroupPolicy\User\Scripts\Logon\wmi.exe
        117⤵
        
        PID:6508
        
        C:\Windows\SysWOW64\GroupPolicy\User\Scripts\Logon\wmi.exe
        
        C:\Windows\system32\GroupPolicy\User\Scripts\Logon\wmi.exe
        118⤵
        
        PID:6532
        
        C:\Windows\SysWOW64\GroupPolicy\User\Scripts\Logon\wmi.exe
        
        C:\Windows\system32\GroupPolicy\User\Scripts\Logon\wmi.exe
        119⤵
        
        PID:6564
        
        C:\Windows\SysWOW64\GroupPolicy\User\Scripts\Logon\wmi.exe
        
        C:\Windows\system32\GroupPolicy\User\Scripts\Logon\wmi.exe
        120⤵
        
        PID:6256
        
        C:\Windows\SysWOW64\GroupPolicy\User\Scripts\Logon\wmi.exe
        
        C:\Windows\system32\GroupPolicy\User\Scripts\Logon\wmi.exe
        121⤵
        
        PID:6700
        
        C:\Windows\SysWOW64\GroupPolicy\User\Scripts\Logon\wmi.exe
        
        C:\Windows\system32\GroupPolicy\User\Scripts\Logon\wmi.exe
        122⤵
        
        PID:6812
        
        C:\Windows\SysWOW64\GroupPolicy\User\Scripts\Logon\wmi.exe
        
        C:\Windows\system32\GroupPolicy\User\Scripts\Logon\wmi.exe
        123⤵
        
        PID:6908
        
        C:\Windows\SysWOW64\GroupPolicy\User\Scripts\Logon\wmi.exe
        
        C:\Windows\system32\GroupPolicy\User\Scripts\Logon\wmi.exe
        124⤵
        
        PID:6876
        
        C:\Windows\SysWOW64\GroupPolicy\User\Scripts\Logon\wmi.exe
        
        C:\Windows\system32\GroupPolicy\User\Scripts\Logon\wmi.exe
        125⤵
        
        PID:3996
        
        C:\Windows\SysWOW64\GroupPolicy\User\Scripts\Logon\wmi.exe
        
        C:\Windows\system32\GroupPolicy\User\Scripts\Logon\wmi.exe
        126⤵
        
        PID:7084
        
        C:\Windows\SysWOW64\GroupPolicy\User\Scripts\Logon\wmi.exe
        
        C:\Windows\system32\GroupPolicy\User\Scripts\Logon\wmi.exe
        127⤵
        
        PID:7164
        
        C:\Windows\SysWOW64\GroupPolicy\User\Scripts\Logon\wmi.exe
        
        C:\Windows\system32\GroupPolicy\User\Scripts\Logon\wmi.exe
        128⤵
        
        PID:6240
        
        C:\Windows\SysWOW64\GroupPolicy\User\Scripts\Logon\wmi.exe
        
        C:\Windows\system32\GroupPolicy\User\Scripts\Logon\wmi.exe
        129⤵
        
        PID:2852
        
        C:\Windows\SysWOW64\GroupPolicy\User\Scripts\Logon\wmi.exe
        
        C:\Windows\system32\GroupPolicy\User\Scripts\Logon\wmi.exe
        130⤵
        
        PID:5804
        
        C:\Windows\SysWOW64\GroupPolicy\User\Scripts\Logon\wmi.exe
        
        C:\Windows\system32\GroupPolicy\User\Scripts\Logon\wmi.exe
        131⤵
        
        PID:6556
        
        C:\Windows\SysWOW64\GroupPolicy\User\Scripts\Logon\wmi.exe
        
        C:\Windows\system32\GroupPolicy\User\Scripts\Logon\wmi.exe
        132⤵
        
        PID:6644
        
        C:\Windows\SysWOW64\GroupPolicy\User\Scripts\Logon\wmi.exe
        
        C:\Windows\system32\GroupPolicy\User\Scripts\Logon\wmi.exe
        133⤵
        
        PID:6732
        
        C:\Windows\SysWOW64\GroupPolicy\User\Scripts\Logon\wmi.exe
        
        C:\Windows\system32\GroupPolicy\User\Scripts\Logon\wmi.exe
        134⤵
        
        PID:6856
        
        C:\Windows\SysWOW64\GroupPolicy\User\Scripts\Logon\wmi.exe
        
        C:\Windows\system32\GroupPolicy\User\Scripts\Logon\wmi.exe
        135⤵
        
        PID:6972
        
        C:\Windows\SysWOW64\GroupPolicy\User\Scripts\Logon\wmi.exe
        
        C:\Windows\system32\GroupPolicy\User\Scripts\Logon\wmi.exe
        136⤵
        
        PID:7052
        
        C:\Windows\SysWOW64\GroupPolicy\User\Scripts\Logon\wmi.exe
        
        C:\Windows\system32\GroupPolicy\User\Scripts\Logon\wmi.exe
        137⤵
        
        PID:6744
        
        C:\Windows\SysWOW64\GroupPolicy\User\Scripts\Logon\wmi.exe
        
        C:\Windows\system32\GroupPolicy\User\Scripts\Logon\wmi.exe
        138⤵
        
        PID:6352
        
        C:\Windows\SysWOW64\GroupPolicy\User\Scripts\Logon\wmi.exe
        
        C:\Windows\system32\GroupPolicy\User\Scripts\Logon\wmi.exe
        139⤵
        
        PID:2340
        
        C:\Windows\SysWOW64\GroupPolicy\User\Scripts\Logon\wmi.exe
        
        C:\Windows\system32\GroupPolicy\User\Scripts\Logon\wmi.exe
        140⤵
        
        PID:6620
        
        C:\Windows\SysWOW64\GroupPolicy\User\Scripts\Logon\wmi.exe
        
        C:\Windows\system32\GroupPolicy\User\Scripts\Logon\wmi.exe
        141⤵
        
        PID:6736
        
        C:\Windows\SysWOW64\GroupPolicy\User\Scripts\Logon\wmi.exe
        
        C:\Windows\system32\GroupPolicy\User\Scripts\Logon\wmi.exe
        142⤵
        
        PID:6576
        
        C:\Windows\SysWOW64\GroupPolicy\User\Scripts\Logon\wmi.exe
        
        C:\Windows\system32\GroupPolicy\User\Scripts\Logon\wmi.exe
        143⤵
        
        PID:7048
        
        C:\Windows\SysWOW64\GroupPolicy\User\Scripts\Logon\wmi.exe
        
        C:\Windows\system32\GroupPolicy\User\Scripts\Logon\wmi.exe
        144⤵
        
        PID:6360
        
        C:\Windows\SysWOW64\GroupPolicy\User\Scripts\Logon\wmi.exe
        
        C:\Windows\system32\GroupPolicy\User\Scripts\Logon\wmi.exe
        145⤵
        
        PID:2196
        
        C:\Windows\SysWOW64\GroupPolicy\User\Scripts\Logon\wmi.exe
        
        C:\Windows\system32\GroupPolicy\User\Scripts\Logon\wmi.exe
        146⤵
        
        PID:6800
        
        C:\Windows\SysWOW64\GroupPolicy\User\Scripts\Logon\wmi.exe
        
        C:\Windows\system32\GroupPolicy\User\Scripts\Logon\wmi.exe
        147⤵
        
        PID:7124
        
        C:\Windows\SysWOW64\GroupPolicy\User\Scripts\Logon\wmi.exe
        
        C:\Windows\system32\GroupPolicy\User\Scripts\Logon\wmi.exe
        148⤵
        
        PID:1008
        
        C:\Windows\SysWOW64\GroupPolicy\User\Scripts\Logon\wmi.exe
        
        C:\Windows\system32\GroupPolicy\User\Scripts\Logon\wmi.exe
        149⤵
        
        PID:6396
        
        C:\Windows\SysWOW64\GroupPolicy\User\Scripts\Logon\wmi.exe
        
        C:\Windows\system32\GroupPolicy\User\Scripts\Logon\wmi.exe
        150⤵
        
        PID:1384
        
        C:\Windows\SysWOW64\GroupPolicy\User\Scripts\Logon\wmi.exe
        
        C:\Windows\system32\GroupPolicy\User\Scripts\Logon\wmi.exe
        151⤵
        
        PID:6720
        
        C:\Windows\SysWOW64\GroupPolicy\User\Scripts\Logon\wmi.exe
        
        C:\Windows\system32\GroupPolicy\User\Scripts\Logon\wmi.exe
        152⤵
        
        PID:6684
        
        C:\Windows\SysWOW64\GroupPolicy\User\Scripts\Logon\wmi.exe
        
        C:\Windows\system32\GroupPolicy\User\Scripts\Logon\wmi.exe
        153⤵
        
        PID:6724
        
        C:\Windows\SysWOW64\GroupPolicy\User\Scripts\Logon\wmi.exe
        
        C:\Windows\system32\GroupPolicy\User\Scripts\Logon\wmi.exe
        154⤵
        
        PID:7192
        
        C:\Windows\SysWOW64\GroupPolicy\User\Scripts\Logon\wmi.exe
        
        C:\Windows\system32\GroupPolicy\User\Scripts\Logon\wmi.exe
        155⤵
        
        PID:7224
        
        C:\Windows\SysWOW64\GroupPolicy\User\Scripts\Logon\wmi.exe
        
        C:\Windows\system32\GroupPolicy\User\Scripts\Logon\wmi.exe
        156⤵
        
        PID:7260
        
        C:\Windows\SysWOW64\GroupPolicy\User\Scripts\Logon\wmi.exe
        
        C:\Windows\system32\GroupPolicy\User\Scripts\Logon\wmi.exe
        157⤵
        
        PID:7288
        
        C:\Windows\SysWOW64\GroupPolicy\User\Scripts\Logon\wmi.exe
        
        C:\Windows\system32\GroupPolicy\User\Scripts\Logon\wmi.exe
        158⤵
        
        PID:7316
        
        C:\Windows\SysWOW64\GroupPolicy\User\Scripts\Logon\wmi.exe
        
        C:\Windows\system32\GroupPolicy\User\Scripts\Logon\wmi.exe
        159⤵
        
        PID:7352
        
        C:\Windows\SysWOW64\GroupPolicy\User\Scripts\Logon\wmi.exe
        
        C:\Windows\system32\GroupPolicy\User\Scripts\Logon\wmi.exe
        160⤵
        
        PID:7388
        
        C:\Windows\SysWOW64\GroupPolicy\User\Scripts\Logon\wmi.exe
        
        C:\Windows\system32\GroupPolicy\User\Scripts\Logon\wmi.exe
        161⤵
        
        PID:7420
        
        C:\Windows\SysWOW64\GroupPolicy\User\Scripts\Logon\wmi.exe
        
        C:\Windows\system32\GroupPolicy\User\Scripts\Logon\wmi.exe
        162⤵
        
        PID:7448
        
        C:\Windows\SysWOW64\GroupPolicy\User\Scripts\Logon\wmi.exe
        
        C:\Windows\system32\GroupPolicy\User\Scripts\Logon\wmi.exe
        163⤵
        
        PID:7484
        
        C:\Windows\SysWOW64\GroupPolicy\User\Scripts\Logon\wmi.exe
        
        C:\Windows\system32\GroupPolicy\User\Scripts\Logon\wmi.exe
        164⤵
        
        PID:7512
        
        C:\Windows\SysWOW64\GroupPolicy\User\Scripts\Logon\wmi.exe
        
        C:\Windows\system32\GroupPolicy\User\Scripts\Logon\wmi.exe
        165⤵
        
        PID:7548
        
        C:\Windows\SysWOW64\GroupPolicy\User\Scripts\Logon\wmi.exe
        
        C:\Windows\system32\GroupPolicy\User\Scripts\Logon\wmi.exe
        166⤵
        
        PID:7576
        
        C:\Windows\SysWOW64\GroupPolicy\User\Scripts\Logon\wmi.exe
        
        C:\Windows\system32\GroupPolicy\User\Scripts\Logon\wmi.exe
        167⤵
        
        PID:7636
        
        C:\Windows\SysWOW64\GroupPolicy\User\Scripts\Logon\wmi.exe
        
        C:\Windows\system32\GroupPolicy\User\Scripts\Logon\wmi.exe
        168⤵
        
        PID:7668
        
        C:\Windows\SysWOW64\GroupPolicy\User\Scripts\Logon\wmi.exe
        
        C:\Windows\system32\GroupPolicy\User\Scripts\Logon\wmi.exe
        169⤵
        
        PID:7696
        
        C:\Windows\SysWOW64\GroupPolicy\User\Scripts\Logon\wmi.exe
        
        C:\Windows\system32\GroupPolicy\User\Scripts\Logon\wmi.exe
        170⤵
        
        PID:7740
        
        C:\Windows\SysWOW64\GroupPolicy\User\Scripts\Logon\wmi.exe
        
        C:\Windows\system32\GroupPolicy\User\Scripts\Logon\wmi.exe
        171⤵
        
        PID:7768
        
        C:\Windows\SysWOW64\GroupPolicy\User\Scripts\Logon\wmi.exe
        
        C:\Windows\system32\GroupPolicy\User\Scripts\Logon\wmi.exe
        172⤵
        
        PID:7804
        
        C:\Windows\SysWOW64\GroupPolicy\User\Scripts\Logon\wmi.exe
        
        C:\Windows\system32\GroupPolicy\User\Scripts\Logon\wmi.exe
        173⤵
        
        PID:7840
        
        C:\Windows\SysWOW64\GroupPolicy\User\Scripts\Logon\wmi.exe
        
        C:\Windows\system32\GroupPolicy\User\Scripts\Logon\wmi.exe
        174⤵
        
        PID:7876
        
        C:\Windows\SysWOW64\GroupPolicy\User\Scripts\Logon\wmi.exe
        
        C:\Windows\system32\GroupPolicy\User\Scripts\Logon\wmi.exe
        175⤵
        
        PID:7908
        
        C:\Windows\SysWOW64\GroupPolicy\User\Scripts\Logon\wmi.exe
        
        C:\Windows\system32\GroupPolicy\User\Scripts\Logon\wmi.exe
        176⤵
        
        PID:7948
        
        C:\Windows\SysWOW64\GroupPolicy\User\Scripts\Logon\wmi.exe
        
        C:\Windows\system32\GroupPolicy\User\Scripts\Logon\wmi.exe
        177⤵
        
        PID:7976
        
        C:\Windows\SysWOW64\GroupPolicy\User\Scripts\Logon\wmi.exe
        
        C:\Windows\system32\GroupPolicy\User\Scripts\Logon\wmi.exe
        178⤵
        
        PID:8024
        
        C:\Windows\SysWOW64\GroupPolicy\User\Scripts\Logon\wmi.exe
        
        C:\Windows\system32\GroupPolicy\User\Scripts\Logon\wmi.exe
        179⤵
        
        PID:8072
        
        C:\Windows\SysWOW64\GroupPolicy\User\Scripts\Logon\wmi.exe
        
        C:\Windows\system32\GroupPolicy\User\Scripts\Logon\wmi.exe
        180⤵
        
        PID:8112
        
        C:\Windows\SysWOW64\GroupPolicy\User\Scripts\Logon\wmi.exe
        
        C:\Windows\system32\GroupPolicy\User\Scripts\Logon\wmi.exe
        181⤵
        
        PID:8140
        
        C:\Windows\SysWOW64\GroupPolicy\User\Scripts\Logon\wmi.exe
        
        C:\Windows\system32\GroupPolicy\User\Scripts\Logon\wmi.exe
        182⤵
        
        PID:6740
        
        C:\Windows\SysWOW64\GroupPolicy\User\Scripts\Logon\wmi.exe
        
        C:\Windows\system32\GroupPolicy\User\Scripts\Logon\wmi.exe
        183⤵
        
        PID:7416
        
        C:\Windows\SysWOW64\GroupPolicy\User\Scripts\Logon\wmi.exe
        
        C:\Windows\system32\GroupPolicy\User\Scripts\Logon\wmi.exe
        184⤵
        
        PID:7608
        
        C:\Windows\SysWOW64\GroupPolicy\User\Scripts\Logon\wmi.exe
        
        C:\Windows\system32\GroupPolicy\User\Scripts\Logon\wmi.exe
        185⤵
        
        PID:7900

C:\Windows\SysWOW64\GroupPolicy\User\Scripts\Logon\wmi.exe
C:\Windows\system32\GroupPolicy\User\Scripts\Logon\wmi.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:5080

C:\Windows\SysWOW64\GroupPolicy\User\Scripts\Logon\wmi.exe
C:\Windows\system32\GroupPolicy\User\Scripts\Logon\wmi.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:4896

C:\Windows\SysWOW64\GroupPolicy\User\Scripts\Logon\wmi.exe
C:\Windows\system32\GroupPolicy\User\Scripts\Logon\wmi.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:4372

C:\Windows\SysWOW64\GroupPolicy\User\Scripts\Logon\wmi.exe
C:\Windows\system32\GroupPolicy\User\Scripts\Logon\wmi.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:912

C:\Windows\SysWOW64\GroupPolicy\User\Scripts\Logon\wmi.exe
C:\Windows\system32\GroupPolicy\User\Scripts\Logon\wmi.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:3664

C:\Windows\SysWOW64\GroupPolicy\User\Scripts\Logon\wmi.exe
C:\Windows\system32\GroupPolicy\User\Scripts\Logon\wmi.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2488

C:\Windows\SysWOW64\GroupPolicy\User\Scripts\Logon\wmi.exe
C:\Windows\system32\GroupPolicy\User\Scripts\Logon\wmi.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2412

C:\Windows\SysWOW64\GroupPolicy\User\Scripts\Logon\wmi.exe
C:\Windows\system32\GroupPolicy\User\Scripts\Logon\wmi.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:5028

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\GroupPolicy\User\Scripts\Logon\autorun.bat

Filesize
9B

MD5
225ef0f3451c1d3837c05335f0daaa46

SHA1
fae3701a79e6777d5cccd1428d94d293268fd8ce

SHA256
8114b2ecc85add5b62eea09251cbdfa19e378e47f4bbe23421765e72e0874fea

SHA512
14264a145bc482f82a5e221a89e7d9b348206ed1b644e5ea4ce4eaf696e0f040bc392c21e9cb1b3d92a5d5e64e1f66d0f69ae80b010ff6a07921558b9aa15137

Download Submit
C:\Windows\SysWOW64\GroupPolicy\User\Scripts\Logon\wmi.exe

Filesize
124KB

MD5
06e76d2e0f6c548ce4db8ae64fa18b84

SHA1
c5e23f107da5104b524d9d11204e6edcb2bc202c

SHA256
9e2dfb4e9b0bcca788e7f6048d2b58a2f7cc57fed1d9007c5d6cc4127495c359

SHA512
ffd057bbc2aa896fa80af67d25432975d46fdcebc677640240650865886d571d4e1d263b5993b5085f70313f7d61490d7a63051bdf9d4c9186f23346d181206f

Download Submit
C:\Windows\SysWOW64\GroupPolicy\User\Scripts\Logon\wmi.exe

Filesize
68KB

MD5
ab043b0dd3e7656cdeb6b0b809566972

SHA1
b5908b153da063fec6ad0db3b45d66a68d5dcc5b

SHA256
fee743945259b0848fdf9067ae864638f77e366b45d49c0e1e52520e554e3436

SHA512
b07e3586fe3b3c5ba2cea8dd08d2efe5a8557b72dde3277881d6f0d5855fe760063d6cdacf6a4f040018f156424e15b4c1a7b8261e88f175b6845f2124015408

Download Submit
C:\Windows\SysWOW64\GroupPolicy\User\Scripts\Logon\wmi.exe

Filesize
45KB

MD5
2a58c486d8bc0adaa7239031cce282a9

SHA1
954e1175dd23af8ac6cb52d3b340b82702fc7883

SHA256
8188dca59c624c8bd49e483d1ab43f55d6a7ac6b6a21f9b4ee0233b10461a4e9

SHA512
336392fb76f4add9945062870f5889d55ce7cbfa9e0f42b8a4ac072bafb7b286371a814b70fce90e94a63d506639ae4b9284e87d3d868dded2e16fba5983ad9e

Download Submit
C:\Windows\SysWOW64\GroupPolicy\User\Scripts\Logon\wmi.exe

Filesize
40KB

MD5
766d9a91cb368b9e153c9dad4b31f48c

SHA1
997a50e4ee664732d805b42ecfdbccf2c99a575d

SHA256
2f0c1b26568b6a00e257905c9b172e531414390f30d45bbb185de46d3e4403ce

SHA512
91113ed65b0a9b92d4cd9186cd2f56531de2ded25ff9b9f7d74b6b20951e6ba71b6953d2831b734981dcf0cdcf9e7504c36865e269f1e35444b1f4a5bee7484b

Download Submit
C:\Windows\SysWOW64\GroupPolicy\User\Scripts\Logon\wmi.exe

Filesize
21KB

MD5
bd3291d752486f130e32e9edca438ee9

SHA1
d8057d12e41226028edf7a84bb6c85afe054dc99

SHA256
2cb885b8303b4261b5b55fa7cb1a69168365d203bab4a69935b15a49703fb4bb

SHA512
a97b97e4c73aee129d81a79a073596a3fade951a54c9f786d50138654718d2b1d401dd14ef0cf50b77a84bc67bb19eac274b8557efb8b04ceca282363f6eecf0

Download Submit
C:\Windows\SysWOW64\GroupPolicy\User\Scripts\Logon\wmi.exe

Filesize
147KB

MD5
e8b94aa81e7dcf838496d1e0a83ec219

SHA1
230d2058bc56c057c53cb92aa5984d7d582ecf7d

SHA256
0ee78eab5b7d3e7dc7440af97ee1236b2420e76fb7c1d399c71a70e722edc822

SHA512
eb331da22e12e04f632e1b0a259e7760d0ba33ee974ce5d06ec2bcc227120c771a635454bf3eef1051f69908ab9855b410367a195564e8136e0f848101e4de8e

Download Submit
C:\Windows\SysWOW64\GroupPolicy\User\Scripts\Logon\wmi.exe

Filesize
97KB

MD5
6ece11486dc82fd5a5d33398df938615

SHA1
c4bd99f53604a59a54152f7c85c4dc0c9ce5bfb0

SHA256
a61ff63239a7bb022eddd86afb51672b500d9f515da2e164b8a1e65b2aa2f730

SHA512
652a12825f185c6cfacb0b7efa1d99d876c9bd67b13c26c52824b7aaf4f8357214206f7041eb1b0145704c40ea6b6b37bb65d18d56f9555125f291d09ee7532f

Download Submit
C:\Windows\SysWOW64\GroupPolicy\User\Scripts\Logon\wmi.exe

Filesize
196KB

MD5
64028b0dc46078f1e2e49f41372d3273

SHA1
bdb89a3aaabbc31167c8e5ccd4b23dfd178255d1

SHA256
62834214d7284ddb935afd40b7b6ec0d2b9a138333bb33a0e386c6793afbf077

SHA512
18790a92ac918af35df3c36d8b20e5beacd075a25309b1e50acf13c5e06e6550618c51f702877b8e051c4be227ef446ce74fc0d5a46b704850edbcd4f3a427fd

Download Submit
C:\Windows\SysWOW64\GroupPolicy\User\Scripts\Logon\wmi.exe

Filesize
40KB

MD5
29daf1cf220402ed052c73f5e7ae363d

SHA1
fb248fc2758e5b2156158e7f396be7a1fbdf1442

SHA256
4ff9294c94e1543839c9614cb26dcb4a14fdc1011cb47e635f0f1cfcaa820135

SHA512
de404f85738e143a18d4a543d9594f3bf4262e8f08696c062bb7d6b2f73df717a11e1df91a5dd4b5744d39b2007d0aca4de396c84e4d90105b0610346dfcd513

Download Submit
C:\Windows\SysWOW64\GroupPolicy\User\Scripts\Logon\wmi.exe

Filesize
124KB

MD5
052db78262b5319fe255701da65ae606

SHA1
2e4ad08a7e738f126e5a691803be6540a9be9c2d

SHA256
8b4785c493d3959283d5c7d89471245815b82c4fbca9441267858c91163cfa37

SHA512
c6f23d51a09a2a02091838fd83b2beac9246928c0b1e27ffeea5b34350f48e588ab4939b7631f3676410210d91af504eb78ef1041c14ec29e9f48ae284af8603

Download Submit
C:\Windows\SysWOW64\GroupPolicy\User\Scripts\scripts.ini

Filesize
49B

MD5
24dadffd3eb142e1b510808fa1f41a16

SHA1
3f07d82c09b37de7c962b07abd30821674590658

SHA256
e00c8a2cbb301f52e8cff491e04657a6218bd569d2c9ff80a06b19d748e3d8dc

SHA512
de98151900c07e44e25168215f751781a2f00f6dc261e0c7774eb22418da1dd48d9cdb3c6f87657a0f8fb45350f3c23a54019fd1b1d2f0c7b3fb9a4e77bc07fe

Download Submit
C:\Windows\SysWOW64\GroupPolicy\gpt.ini

Filesize
263B

MD5
aa213b03fdf5a0d6d97bac1b4c8f20e4

SHA1
f5e1e150c2691d339a339a88f222df9c13a2dc8b

SHA256
cb4da959a75b71fcf859cbf2a4a16892e7bd84537cfdcdd208a544cf8e994fa4

SHA512
cfb69d5086aa7846edacb1fc12fa8ff3e562c131682bf12bd48af98eba8d09c69a93a4f1590e1e08724213b3f3862894838002757fa5a6536462149f9a831b22

Download Submit
memory/912-137-0x00000000021D0000-0x00000000021D1000-memory.dmp

Filesize
4KB

Download
memory/912-129-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/912-172-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/1436-60-0x0000000000620000-0x0000000000621000-memory.dmp

Filesize
4KB

Download
memory/1436-89-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/1624-180-0x00000000020E0000-0x00000000020E1000-memory.dmp

Filesize
4KB

Download
memory/1624-179-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/1704-10-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/1704-11-0x0000000002080000-0x0000000002081000-memory.dmp

Filesize
4KB

Download
memory/1704-50-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/1704-18-0x00000000021E0000-0x00000000021E1000-memory.dmp

Filesize
4KB

Download
memory/2120-178-0x00000000022E0000-0x00000000022E1000-memory.dmp

Filesize
4KB

Download
memory/2120-173-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/2412-100-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/2412-101-0x00000000020D0000-0x00000000020D1000-memory.dmp

Filesize
4KB

Download
memory/2412-139-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/2488-117-0x00000000020D0000-0x00000000020D1000-memory.dmp

Filesize
4KB

Download
memory/2488-156-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/2488-110-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/2672-80-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/2672-57-0x0000000000730000-0x0000000000731000-memory.dmp

Filesize
4KB

Download
memory/2692-109-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/2692-76-0x00000000021E0000-0x00000000021E1000-memory.dmp

Filesize
4KB

Download
memory/2876-68-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/2876-69-0x00000000020E0000-0x00000000020E1000-memory.dmp

Filesize
4KB

Download
memory/2876-29-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/2876-30-0x0000000000500000-0x0000000000501000-memory.dmp

Filesize
4KB

Download
memory/2876-31-0x00000000020E0000-0x00000000020E1000-memory.dmp

Filesize
4KB

Download
memory/3316-1-0x00000000021C0000-0x00000000021C1000-memory.dmp

Filesize
4KB

Download
memory/3316-41-0x00000000021C0000-0x00000000021C1000-memory.dmp

Filesize
4KB

Download
memory/3316-39-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/3316-2-0x0000000002310000-0x0000000002311000-memory.dmp

Filesize
4KB

Download
memory/3316-0-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/3664-121-0x0000000000630000-0x0000000000631000-memory.dmp

Filesize
4KB

Download
memory/3664-120-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/3664-160-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/4104-81-0x0000000002080000-0x0000000002081000-memory.dmp

Filesize
4KB

Download
memory/4104-82-0x00000000021E0000-0x00000000021E1000-memory.dmp

Filesize
4KB

Download
memory/4104-79-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/4104-119-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/4340-191-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/4340-192-0x00000000020D0000-0x00000000020D1000-memory.dmp

Filesize
4KB

Download
memory/4372-141-0x00000000005C0000-0x00000000005C1000-memory.dmp

Filesize
4KB

Download
memory/4372-177-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/4372-140-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/4544-168-0x00000000021E0000-0x00000000021E1000-memory.dmp

Filesize
4KB

Download
memory/4544-167-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/4556-48-0x0000000001FA0000-0x0000000001FA1000-memory.dmp

Filesize
4KB

Download
memory/4556-40-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/4556-77-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/4580-185-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/4580-186-0x00000000020D0000-0x00000000020D1000-memory.dmp

Filesize
4KB

Download
memory/4604-20-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/4604-59-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/4604-27-0x00000000020D0000-0x00000000020D1000-memory.dmp

Filesize
4KB

Download
memory/4896-184-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/4896-149-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/4896-157-0x0000000000640000-0x0000000000641000-memory.dmp

Filesize
4KB

Download
memory/5028-91-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/5028-98-0x0000000000560000-0x0000000000561000-memory.dmp

Filesize
4KB

Download
memory/5028-136-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/5080-190-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/5080-166-0x00000000004F0000-0x00000000004F1000-memory.dmp

Filesize
4KB

Download
memory/5080-159-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download