Hi I have singed up on this site to share my experience with this same exact problem in the last 48 hours. I have the same exact symptoms. Winlogon.exe is reaching out to the same IP and more malware are eventually loaded. The original offender is currently undetectable. I managed to find out how I was getting infected. It turns out an exe file is being loaded automatically via a script that I have. The original exe, which is present in a network share, was modified “somehow” in the last few days. Once this exe runs, Winlongon.exe starts to connect to the IP automatically and the rest of the malware follows. The file has been submitted to the AV company but after 2 days they haven't been successful in deconstructing the virus. Once I know more about the behavior I will try to post here. Good luck