44caliber | 0737631afc73cb9df2de10bd081240bdb79efa2281725ba86d6bc96a79329377

Analysis

max time kernel
18s
max time network
17s
platform
windows10-1703_x64
resource
win10-20240404-en
resource tags

arch:x64arch:x86image:win10-20240404-enlocale:en-usos:windows10-1703-x64system
submitted
04-06-2024 18:03

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

incognito.exe
Size

19.1MB
MD5

eb4fb2a7c7b9baecd24417a1de212cb7
SHA1

996a303e8b7d8b772aa691102085d0381a5f8e5e
SHA256

ddce0c6cf20c0367d751d6219cb0a26f2e57f2015c950ed77c12581eb990a2ca
SHA512

6a41b16297289e125758f6d070c924bdcca700bc705775191a282de2169b4e6a1ab40c4f95645aa79015d6e621d61c91b781f08a6de6f9521deccdd69d6e3b0e
SSDEEP

393216:ypIkEfmNmTiBzRc+Ca/fJ+YZcgYTCwyDfBiHmIKOy8kCPI:JkMmai4aXJ+utYTny71Vr8kCPI

Score

10^/10

44caliber spyware stealer

Malware Config

Extracted

Family

44caliber

https://discord.com/api/webhooks/1247477719873359936/wrB74XRj4TlNQ2nBZ-UiFAKT5xaUPOYEcQERM4xeBMpOTpKIiACoITNRdXsYoHlUqHc-

Signatures

44Caliber
An open source infostealer written in C#.
stealer 44caliber

Executes dropped EXE 46 IoCs

pid	Process
3648	Insidious.exe
1804	Insidious.exe
2644	Insidious.exe
4992	Insidious.exe
5000	Insidious.exe
2560	Insidious.exe
708	Insidious.exe
4692	Insidious.exe
224	Insidious.exe
1508	Insidious.exe
4824	Insidious.exe
4084	Insidious.exe
1296	Insidious.exe
196	Insidious.exe
1936	Insidious.exe
2956	Insidious.exe
840	Insidious.exe
1148	Insidious.exe
2632	Insidious.exe
5096	Insidious.exe
2540	Insidious.exe
3756	Insidious.exe
1464	Insidious.exe
4312	Insidious.exe
1172	Insidious.exe
224	Insidious.exe
1740	Insidious.exe
364	Insidious.exe
2640	Insidious.exe
3704	Insidious.exe
3584	Insidious.exe
4768	Insidious.exe
4412	Insidious.exe
1860	Insidious.exe
3028	Insidious.exe
1772	Insidious.exe
836	Insidious.exe
1488	Insidious.exe
4800	Insidious.exe
3108	Insidious.exe
164	Insidious.exe
1352	Insidious.exe
2160	Insidious.exe
2904	Insidious.exe
2404	Insidious.exe
720	Insidious.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials In Files
T1552.001

Looks up external IP address via web service 2 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
1	freegeoip.app
2	freegeoip.app

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
3648	Insidious.exe
3648	Insidious.exe
3648	Insidious.exe
1804	Insidious.exe
1804	Insidious.exe
2644	Insidious.exe
2644	Insidious.exe
4992	Insidious.exe
4992	Insidious.exe
5000	Insidious.exe
5000	Insidious.exe
2560	Insidious.exe
2560	Insidious.exe
708	Insidious.exe
708	Insidious.exe
4692	Insidious.exe
4692	Insidious.exe
224	Insidious.exe
224	Insidious.exe
1508	Insidious.exe
1508	Insidious.exe
4824	Insidious.exe
4824	Insidious.exe
4084	Insidious.exe
4084	Insidious.exe
1296	Insidious.exe
1296	Insidious.exe
196	Insidious.exe
196	Insidious.exe
1936	Insidious.exe
1936	Insidious.exe
2956	Insidious.exe
2956	Insidious.exe
840	Insidious.exe
840	Insidious.exe
1148	Insidious.exe
1148	Insidious.exe
2632	Insidious.exe
2632	Insidious.exe
5096	Insidious.exe
5096	Insidious.exe
2540	Insidious.exe
2540	Insidious.exe
3756	Insidious.exe
3756	Insidious.exe
1464	Insidious.exe
1464	Insidious.exe
4312	Insidious.exe
4312	Insidious.exe
1172	Insidious.exe
1172	Insidious.exe
224	Insidious.exe
224	Insidious.exe
1740	Insidious.exe
1740	Insidious.exe
364	Insidious.exe
364	Insidious.exe
2640	Insidious.exe
2640	Insidious.exe
3704	Insidious.exe
3704	Insidious.exe
3584	Insidious.exe
3584	Insidious.exe
4768	Insidious.exe

Suspicious use of AdjustPrivilegeToken 46 IoCs

description	pid	Process
Token: SeDebugPrivilege	3648	Insidious.exe
Token: SeDebugPrivilege	1804	Insidious.exe
Token: SeDebugPrivilege	2644	Insidious.exe
Token: SeDebugPrivilege	4992	Insidious.exe
Token: SeDebugPrivilege	5000	Insidious.exe
Token: SeDebugPrivilege	2560	Insidious.exe
Token: SeDebugPrivilege	708	Insidious.exe
Token: SeDebugPrivilege	4692	Insidious.exe
Token: SeDebugPrivilege	224	Insidious.exe
Token: SeDebugPrivilege	1508	Insidious.exe
Token: SeDebugPrivilege	4824	Insidious.exe
Token: SeDebugPrivilege	4084	Insidious.exe
Token: SeDebugPrivilege	1296	Insidious.exe
Token: SeDebugPrivilege	196	Insidious.exe
Token: SeDebugPrivilege	1936	Insidious.exe
Token: SeDebugPrivilege	2956	Insidious.exe
Token: SeDebugPrivilege	840	Insidious.exe
Token: SeDebugPrivilege	1148	Insidious.exe
Token: SeDebugPrivilege	2632	Insidious.exe
Token: SeDebugPrivilege	5096	Insidious.exe
Token: SeDebugPrivilege	2540	Insidious.exe
Token: SeDebugPrivilege	3756	Insidious.exe
Token: SeDebugPrivilege	1464	Insidious.exe
Token: SeDebugPrivilege	4312	Insidious.exe
Token: SeDebugPrivilege	1172	Insidious.exe
Token: SeDebugPrivilege	224	Insidious.exe
Token: SeDebugPrivilege	1740	Insidious.exe
Token: SeDebugPrivilege	364	Insidious.exe
Token: SeDebugPrivilege	2640	Insidious.exe
Token: SeDebugPrivilege	3704	Insidious.exe
Token: SeDebugPrivilege	3584	Insidious.exe
Token: SeDebugPrivilege	4768	Insidious.exe
Token: SeDebugPrivilege	4412	Insidious.exe
Token: SeDebugPrivilege	1860	Insidious.exe
Token: SeDebugPrivilege	3028	Insidious.exe
Token: SeDebugPrivilege	1772	Insidious.exe
Token: SeDebugPrivilege	836	Insidious.exe
Token: SeDebugPrivilege	1488	Insidious.exe
Token: SeDebugPrivilege	4800	Insidious.exe
Token: SeDebugPrivilege	3108	Insidious.exe
Token: SeDebugPrivilege	164	Insidious.exe
Token: SeDebugPrivilege	1352	Insidious.exe
Token: SeDebugPrivilege	2160	Insidious.exe
Token: SeDebugPrivilege	2904	Insidious.exe
Token: SeDebugPrivilege	2404	Insidious.exe
Token: SeDebugPrivilege	720	Insidious.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4700 wrote to memory of 3648	4700	incognito.exe	74
PID 4700 wrote to memory of 3648	4700	incognito.exe	74
PID 4700 wrote to memory of 1496	4700	incognito.exe	76
PID 4700 wrote to memory of 1496	4700	incognito.exe	76
PID 4700 wrote to memory of 1496	4700	incognito.exe	76
PID 1496 wrote to memory of 1804	1496	incognito.exe	78
PID 1496 wrote to memory of 1804	1496	incognito.exe	78
PID 1496 wrote to memory of 5092	1496	incognito.exe	79
PID 1496 wrote to memory of 5092	1496	incognito.exe	79
PID 1496 wrote to memory of 5092	1496	incognito.exe	79
PID 5092 wrote to memory of 2644	5092	incognito.exe	81
PID 5092 wrote to memory of 2644	5092	incognito.exe	81
PID 5092 wrote to memory of 2540	5092	incognito.exe	82
PID 5092 wrote to memory of 2540	5092	incognito.exe	82
PID 5092 wrote to memory of 2540	5092	incognito.exe	82
PID 2540 wrote to memory of 4992	2540	incognito.exe	83
PID 2540 wrote to memory of 4992	2540	incognito.exe	83
PID 2540 wrote to memory of 2612	2540	incognito.exe	84
PID 2540 wrote to memory of 2612	2540	incognito.exe	84
PID 2540 wrote to memory of 2612	2540	incognito.exe	84
PID 2612 wrote to memory of 5000	2612	incognito.exe	85
PID 2612 wrote to memory of 5000	2612	incognito.exe	85
PID 2612 wrote to memory of 1464	2612	incognito.exe	86
PID 2612 wrote to memory of 1464	2612	incognito.exe	86
PID 2612 wrote to memory of 1464	2612	incognito.exe	86
PID 1464 wrote to memory of 2560	1464	incognito.exe	87
PID 1464 wrote to memory of 2560	1464	incognito.exe	87
PID 1464 wrote to memory of 2240	1464	incognito.exe	88
PID 1464 wrote to memory of 2240	1464	incognito.exe	88
PID 1464 wrote to memory of 2240	1464	incognito.exe	88
PID 2240 wrote to memory of 708	2240	incognito.exe	89
PID 2240 wrote to memory of 708	2240	incognito.exe	89
PID 2240 wrote to memory of 1820	2240	incognito.exe	90
PID 2240 wrote to memory of 1820	2240	incognito.exe	90
PID 2240 wrote to memory of 1820	2240	incognito.exe	90
PID 1820 wrote to memory of 4692	1820	incognito.exe	91
PID 1820 wrote to memory of 4692	1820	incognito.exe	91
PID 1820 wrote to memory of 3324	1820	incognito.exe	92
PID 1820 wrote to memory of 3324	1820	incognito.exe	92
PID 1820 wrote to memory of 3324	1820	incognito.exe	92
PID 3324 wrote to memory of 224	3324	incognito.exe	127
PID 3324 wrote to memory of 224	3324	incognito.exe	127
PID 3324 wrote to memory of 972	3324	incognito.exe	94
PID 3324 wrote to memory of 972	3324	incognito.exe	94
PID 3324 wrote to memory of 972	3324	incognito.exe	94
PID 972 wrote to memory of 1508	972	incognito.exe	95
PID 972 wrote to memory of 1508	972	incognito.exe	95
PID 972 wrote to memory of 4948	972	incognito.exe	96
PID 972 wrote to memory of 4948	972	incognito.exe	96
PID 972 wrote to memory of 4948	972	incognito.exe	96
PID 4948 wrote to memory of 4824	4948	incognito.exe	97
PID 4948 wrote to memory of 4824	4948	incognito.exe	97
PID 4948 wrote to memory of 4256	4948	incognito.exe	98
PID 4948 wrote to memory of 4256	4948	incognito.exe	98
PID 4948 wrote to memory of 4256	4948	incognito.exe	98
PID 4256 wrote to memory of 4084	4256	incognito.exe	99
PID 4256 wrote to memory of 4084	4256	incognito.exe	99
PID 4256 wrote to memory of 2404	4256	incognito.exe	100
PID 4256 wrote to memory of 2404	4256	incognito.exe	100
PID 4256 wrote to memory of 2404	4256	incognito.exe	100
PID 2404 wrote to memory of 1296	2404	incognito.exe	101
PID 2404 wrote to memory of 1296	2404	incognito.exe	101
PID 2404 wrote to memory of 3716	2404	incognito.exe	102
PID 2404 wrote to memory of 3716	2404	incognito.exe	102

C:\Users\Admin\AppData\Local\Temp\incognito.exe
"C:\Users\Admin\AppData\Local\Temp\incognito.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:4700
- C:\Users\Admin\AppData\Local\Temp\Insidious.exe
  "C:\Users\Admin\AppData\Local\Temp\Insidious.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3648
- C:\Users\Admin\AppData\Local\Temp\incognito.exe
  "C:\Users\Admin\AppData\Local\Temp\incognito.exe"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1496
- - C:\Users\Admin\AppData\Local\Temp\Insidious.exe
    "C:\Users\Admin\AppData\Local\Temp\Insidious.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:1804
- - C:\Users\Admin\AppData\Local\Temp\incognito.exe
    "C:\Users\Admin\AppData\Local\Temp\incognito.exe"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:5092
  - - C:\Users\Admin\AppData\Local\Temp\Insidious.exe
      "C:\Users\Admin\AppData\Local\Temp\Insidious.exe"
      4⤵
      Executes dropped EXE
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:2644
  - - C:\Users\Admin\AppData\Local\Temp\incognito.exe
      "C:\Users\Admin\AppData\Local\Temp\incognito.exe"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:2540
    - - C:\Users\Admin\AppData\Local\Temp\Insidious.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Insidious.exe"
        5⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4992
    - - C:\Users\Admin\AppData\Local\Temp\incognito.exe
        
        "C:\Users\Admin\AppData\Local\Temp\incognito.exe"
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:2612
      - C:\Users\Admin\AppData\Local\Temp\Insidious.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Insidious.exe"
        6⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:5000
      - C:\Users\Admin\AppData\Local\Temp\incognito.exe
        
        "C:\Users\Admin\AppData\Local\Temp\incognito.exe"
        6⤵
        Suspicious use of WriteProcessMemory
        
        PID:1464
        
        C:\Users\Admin\AppData\Local\Temp\Insidious.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Insidious.exe"
        7⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2560
        
        C:\Users\Admin\AppData\Local\Temp\incognito.exe
        
        "C:\Users\Admin\AppData\Local\Temp\incognito.exe"
        7⤵
        Suspicious use of WriteProcessMemory
        
        PID:2240
        
        C:\Users\Admin\AppData\Local\Temp\Insidious.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Insidious.exe"
        8⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:708
        
        C:\Users\Admin\AppData\Local\Temp\incognito.exe
        
        "C:\Users\Admin\AppData\Local\Temp\incognito.exe"
        8⤵
        Suspicious use of WriteProcessMemory
        
        PID:1820
        
        C:\Users\Admin\AppData\Local\Temp\Insidious.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Insidious.exe"
        9⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4692
        
        C:\Users\Admin\AppData\Local\Temp\incognito.exe
        
        "C:\Users\Admin\AppData\Local\Temp\incognito.exe"
        9⤵
        Suspicious use of WriteProcessMemory
        
        PID:3324
        
        C:\Users\Admin\AppData\Local\Temp\Insidious.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Insidious.exe"
        10⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:224
        
        C:\Users\Admin\AppData\Local\Temp\incognito.exe
        
        "C:\Users\Admin\AppData\Local\Temp\incognito.exe"
        10⤵
        Suspicious use of WriteProcessMemory
        
        PID:972
        
        C:\Users\Admin\AppData\Local\Temp\Insidious.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Insidious.exe"
        11⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1508
        
        C:\Users\Admin\AppData\Local\Temp\incognito.exe
        
        "C:\Users\Admin\AppData\Local\Temp\incognito.exe"
        11⤵
        Suspicious use of WriteProcessMemory
        
        PID:4948
        
        C:\Users\Admin\AppData\Local\Temp\Insidious.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Insidious.exe"
        12⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4824
        
        C:\Users\Admin\AppData\Local\Temp\incognito.exe
        
        "C:\Users\Admin\AppData\Local\Temp\incognito.exe"
        12⤵
        Suspicious use of WriteProcessMemory
        
        PID:4256
        
        C:\Users\Admin\AppData\Local\Temp\Insidious.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Insidious.exe"
        13⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4084
        
        C:\Users\Admin\AppData\Local\Temp\incognito.exe
        
        "C:\Users\Admin\AppData\Local\Temp\incognito.exe"
        13⤵
        Suspicious use of WriteProcessMemory
        
        PID:2404
        
        C:\Users\Admin\AppData\Local\Temp\Insidious.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Insidious.exe"
        14⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1296
        
        C:\Users\Admin\AppData\Local\Temp\incognito.exe
        
        "C:\Users\Admin\AppData\Local\Temp\incognito.exe"
        14⤵
        
        PID:3716
        
        C:\Users\Admin\AppData\Local\Temp\Insidious.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Insidious.exe"
        15⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:196
        
        C:\Users\Admin\AppData\Local\Temp\incognito.exe
        
        "C:\Users\Admin\AppData\Local\Temp\incognito.exe"
        15⤵
        
        PID:3724
        
        C:\Users\Admin\AppData\Local\Temp\Insidious.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Insidious.exe"
        16⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1936
        
        C:\Users\Admin\AppData\Local\Temp\incognito.exe
        
        "C:\Users\Admin\AppData\Local\Temp\incognito.exe"
        16⤵
        
        PID:4448
        
        C:\Users\Admin\AppData\Local\Temp\Insidious.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Insidious.exe"
        17⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2956
        
        C:\Users\Admin\AppData\Local\Temp\incognito.exe
        
        "C:\Users\Admin\AppData\Local\Temp\incognito.exe"
        17⤵
        
        PID:2748
        
        C:\Users\Admin\AppData\Local\Temp\Insidious.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Insidious.exe"
        18⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:840
        
        C:\Users\Admin\AppData\Local\Temp\incognito.exe
        
        "C:\Users\Admin\AppData\Local\Temp\incognito.exe"
        18⤵
        
        PID:3456
        
        C:\Users\Admin\AppData\Local\Temp\Insidious.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Insidious.exe"
        19⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1148
        
        C:\Users\Admin\AppData\Local\Temp\incognito.exe
        
        "C:\Users\Admin\AppData\Local\Temp\incognito.exe"
        19⤵
        
        PID:1372
        
        C:\Users\Admin\AppData\Local\Temp\Insidious.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Insidious.exe"
        20⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2632
        
        C:\Users\Admin\AppData\Local\Temp\incognito.exe
        
        "C:\Users\Admin\AppData\Local\Temp\incognito.exe"
        20⤵
        
        PID:2272
        
        C:\Users\Admin\AppData\Local\Temp\Insidious.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Insidious.exe"
        21⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:5096
        
        C:\Users\Admin\AppData\Local\Temp\incognito.exe
        
        "C:\Users\Admin\AppData\Local\Temp\incognito.exe"
        21⤵
        
        PID:3132
        
        C:\Users\Admin\AppData\Local\Temp\Insidious.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Insidious.exe"
        22⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2540
        
        C:\Users\Admin\AppData\Local\Temp\incognito.exe
        
        "C:\Users\Admin\AppData\Local\Temp\incognito.exe"
        22⤵
        
        PID:3828
        
        C:\Users\Admin\AppData\Local\Temp\Insidious.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Insidious.exe"
        23⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3756
        
        C:\Users\Admin\AppData\Local\Temp\incognito.exe
        
        "C:\Users\Admin\AppData\Local\Temp\incognito.exe"
        23⤵
        
        PID:4608
        
        C:\Users\Admin\AppData\Local\Temp\Insidious.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Insidious.exe"
        24⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1464
        
        C:\Users\Admin\AppData\Local\Temp\incognito.exe
        
        "C:\Users\Admin\AppData\Local\Temp\incognito.exe"
        24⤵
        
        PID:4968
        
        C:\Users\Admin\AppData\Local\Temp\Insidious.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Insidious.exe"
        25⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4312
        
        C:\Users\Admin\AppData\Local\Temp\incognito.exe
        
        "C:\Users\Admin\AppData\Local\Temp\incognito.exe"
        25⤵
        
        PID:4324
        
        C:\Users\Admin\AppData\Local\Temp\Insidious.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Insidious.exe"
        26⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1172
        
        C:\Users\Admin\AppData\Local\Temp\incognito.exe
        
        "C:\Users\Admin\AppData\Local\Temp\incognito.exe"
        26⤵
        
        PID:2012
        
        C:\Users\Admin\AppData\Local\Temp\Insidious.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Insidious.exe"
        27⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:224
        
        C:\Users\Admin\AppData\Local\Temp\incognito.exe
        
        "C:\Users\Admin\AppData\Local\Temp\incognito.exe"
        27⤵
        
        PID:2744
        
        C:\Users\Admin\AppData\Local\Temp\Insidious.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Insidious.exe"
        28⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1740
        
        C:\Users\Admin\AppData\Local\Temp\incognito.exe
        
        "C:\Users\Admin\AppData\Local\Temp\incognito.exe"
        28⤵
        
        PID:2600
        
        C:\Users\Admin\AppData\Local\Temp\Insidious.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Insidious.exe"
        29⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:364
        
        C:\Users\Admin\AppData\Local\Temp\incognito.exe
        
        "C:\Users\Admin\AppData\Local\Temp\incognito.exe"
        29⤵
        
        PID:4184
        
        C:\Users\Admin\AppData\Local\Temp\Insidious.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Insidious.exe"
        30⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2640
        
        C:\Users\Admin\AppData\Local\Temp\incognito.exe
        
        "C:\Users\Admin\AppData\Local\Temp\incognito.exe"
        30⤵
        
        PID:5040
        
        C:\Users\Admin\AppData\Local\Temp\Insidious.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Insidious.exe"
        31⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3704
        
        C:\Users\Admin\AppData\Local\Temp\incognito.exe
        
        "C:\Users\Admin\AppData\Local\Temp\incognito.exe"
        31⤵
        
        PID:3568
        
        C:\Users\Admin\AppData\Local\Temp\Insidious.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Insidious.exe"
        32⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3584
        
        C:\Users\Admin\AppData\Local\Temp\incognito.exe
        
        "C:\Users\Admin\AppData\Local\Temp\incognito.exe"
        32⤵
        
        PID:3600
        
        C:\Users\Admin\AppData\Local\Temp\Insidious.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Insidious.exe"
        33⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4768
        
        C:\Users\Admin\AppData\Local\Temp\incognito.exe
        
        "C:\Users\Admin\AppData\Local\Temp\incognito.exe"
        33⤵
        
        PID:2868
        
        C:\Users\Admin\AppData\Local\Temp\Insidious.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Insidious.exe"
        34⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:4412
        
        C:\Users\Admin\AppData\Local\Temp\incognito.exe
        
        "C:\Users\Admin\AppData\Local\Temp\incognito.exe"
        34⤵
        
        PID:2728
        
        C:\Users\Admin\AppData\Local\Temp\Insidious.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Insidious.exe"
        35⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:1860
        
        C:\Users\Admin\AppData\Local\Temp\incognito.exe
        
        "C:\Users\Admin\AppData\Local\Temp\incognito.exe"
        35⤵
        
        PID:1336
        
        C:\Users\Admin\AppData\Local\Temp\Insidious.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Insidious.exe"
        36⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:3028
        
        C:\Users\Admin\AppData\Local\Temp\incognito.exe
        
        "C:\Users\Admin\AppData\Local\Temp\incognito.exe"
        36⤵
        
        PID:4152
        
        C:\Users\Admin\AppData\Local\Temp\Insidious.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Insidious.exe"
        37⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:1772
        
        C:\Users\Admin\AppData\Local\Temp\incognito.exe
        
        "C:\Users\Admin\AppData\Local\Temp\incognito.exe"
        37⤵
        
        PID:4188
        
        C:\Users\Admin\AppData\Local\Temp\Insidious.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Insidious.exe"
        38⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:836
        
        C:\Users\Admin\AppData\Local\Temp\incognito.exe
        
        "C:\Users\Admin\AppData\Local\Temp\incognito.exe"
        38⤵
        
        PID:2368
        
        C:\Users\Admin\AppData\Local\Temp\Insidious.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Insidious.exe"
        39⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:1488
        
        C:\Users\Admin\AppData\Local\Temp\incognito.exe
        
        "C:\Users\Admin\AppData\Local\Temp\incognito.exe"
        39⤵
        
        PID:4780
        
        C:\Users\Admin\AppData\Local\Temp\Insidious.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Insidious.exe"
        40⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:4800
        
        C:\Users\Admin\AppData\Local\Temp\incognito.exe
        
        "C:\Users\Admin\AppData\Local\Temp\incognito.exe"
        40⤵
        
        PID:2560
        
        C:\Users\Admin\AppData\Local\Temp\Insidious.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Insidious.exe"
        41⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:3108
        
        C:\Users\Admin\AppData\Local\Temp\incognito.exe
        
        "C:\Users\Admin\AppData\Local\Temp\incognito.exe"
        41⤵
        
        PID:4340
        
        C:\Users\Admin\AppData\Local\Temp\Insidious.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Insidious.exe"
        42⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:164
        
        C:\Users\Admin\AppData\Local\Temp\incognito.exe
        
        "C:\Users\Admin\AppData\Local\Temp\incognito.exe"
        42⤵
        
        PID:4240
        
        C:\Users\Admin\AppData\Local\Temp\Insidious.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Insidious.exe"
        43⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:1352
        
        C:\Users\Admin\AppData\Local\Temp\incognito.exe
        
        "C:\Users\Admin\AppData\Local\Temp\incognito.exe"
        43⤵
        
        PID:2888
        
        C:\Users\Admin\AppData\Local\Temp\Insidious.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Insidious.exe"
        44⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2160
        
        C:\Users\Admin\AppData\Local\Temp\incognito.exe
        
        "C:\Users\Admin\AppData\Local\Temp\incognito.exe"
        44⤵
        
        PID:2636
        
        C:\Users\Admin\AppData\Local\Temp\Insidious.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Insidious.exe"
        45⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2904
        
        C:\Users\Admin\AppData\Local\Temp\incognito.exe
        
        "C:\Users\Admin\AppData\Local\Temp\incognito.exe"
        45⤵
        
        PID:2688
        
        C:\Users\Admin\AppData\Local\Temp\Insidious.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Insidious.exe"
        46⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2404
        
        C:\Users\Admin\AppData\Local\Temp\incognito.exe
        
        "C:\Users\Admin\AppData\Local\Temp\incognito.exe"
        46⤵
        
        PID:4332
        
        C:\Users\Admin\AppData\Local\Temp\Insidious.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Insidious.exe"
        47⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:720
        
        C:\Users\Admin\AppData\Local\Temp\incognito.exe
        
        "C:\Users\Admin\AppData\Local\Temp\incognito.exe"
        47⤵
        
        PID:4216
        
        C:\Users\Admin\AppData\Local\Temp\Insidious.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Insidious.exe"
        48⤵
        
        PID:5028
        
        C:\Users\Admin\AppData\Local\Temp\incognito.exe
        
        "C:\Users\Admin\AppData\Local\Temp\incognito.exe"
        48⤵
        
        PID:4208
        
        C:\Users\Admin\AppData\Local\Temp\Insidious.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Insidious.exe"
        49⤵
        
        PID:4556
        
        C:\Users\Admin\AppData\Local\Temp\incognito.exe
        
        "C:\Users\Admin\AppData\Local\Temp\incognito.exe"
        49⤵
        
        PID:4468
        
        C:\Users\Admin\AppData\Local\Temp\Insidious.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Insidious.exe"
        50⤵
        
        PID:1264
        
        C:\Users\Admin\AppData\Local\Temp\incognito.exe
        
        "C:\Users\Admin\AppData\Local\Temp\incognito.exe"
        50⤵
        
        PID:4516
        
        C:\Users\Admin\AppData\Local\Temp\Insidious.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Insidious.exe"
        51⤵
        
        PID:2524
        
        C:\Users\Admin\AppData\Local\Temp\incognito.exe
        
        "C:\Users\Admin\AppData\Local\Temp\incognito.exe"
        51⤵
        
        PID:1796
        
        C:\Users\Admin\AppData\Local\Temp\Insidious.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Insidious.exe"
        52⤵
        
        PID:1148
        
        C:\Users\Admin\AppData\Local\Temp\incognito.exe
        
        "C:\Users\Admin\AppData\Local\Temp\incognito.exe"
        52⤵
        
        PID:1428
        
        C:\Users\Admin\AppData\Local\Temp\Insidious.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Insidious.exe"
        53⤵
        
        PID:2272
        
        C:\Users\Admin\AppData\Local\Temp\incognito.exe
        
        "C:\Users\Admin\AppData\Local\Temp\incognito.exe"
        53⤵
        
        PID:5100
        
        C:\Users\Admin\AppData\Local\Temp\Insidious.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Insidious.exe"
        54⤵
        
        PID:4540
        
        C:\Users\Admin\AppData\Local\Temp\incognito.exe
        
        "C:\Users\Admin\AppData\Local\Temp\incognito.exe"
        54⤵
        
        PID:4272
        
        C:\Users\Admin\AppData\Local\Temp\Insidious.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Insidious.exe"
        55⤵
        
        PID:1468
        
        C:\Users\Admin\AppData\Local\Temp\incognito.exe
        
        "C:\Users\Admin\AppData\Local\Temp\incognito.exe"
        55⤵
        
        PID:5000
        
        C:\Users\Admin\AppData\Local\Temp\Insidious.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Insidious.exe"
        56⤵
        
        PID:3928
        
        C:\Users\Admin\AppData\Local\Temp\incognito.exe
        
        "C:\Users\Admin\AppData\Local\Temp\incognito.exe"
        56⤵
        
        PID:4756
        
        C:\Users\Admin\AppData\Local\Temp\Insidious.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Insidious.exe"
        57⤵
        
        PID:4220
        
        C:\Users\Admin\AppData\Local\Temp\incognito.exe
        
        "C:\Users\Admin\AppData\Local\Temp\incognito.exe"
        57⤵
        
        PID:1888
        
        C:\Users\Admin\AppData\Local\Temp\Insidious.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Insidious.exe"
        58⤵
        
        PID:1820
        
        C:\Users\Admin\AppData\Local\Temp\incognito.exe
        
        "C:\Users\Admin\AppData\Local\Temp\incognito.exe"
        58⤵
        
        PID:2884
        
        C:\Users\Admin\AppData\Local\Temp\Insidious.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Insidious.exe"
        59⤵
        
        PID:4748
        
        C:\Users\Admin\AppData\Local\Temp\incognito.exe
        
        "C:\Users\Admin\AppData\Local\Temp\incognito.exe"
        59⤵
        
        PID:2616
        
        C:\Users\Admin\AppData\Local\Temp\Insidious.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Insidious.exe"
        60⤵
        
        PID:4232
        
        C:\Users\Admin\AppData\Local\Temp\incognito.exe
        
        "C:\Users\Admin\AppData\Local\Temp\incognito.exe"
        60⤵
        
        PID:3112
        
        C:\Users\Admin\AppData\Local\Temp\Insidious.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Insidious.exe"
        61⤵
        
        PID:4764
        
        C:\Users\Admin\AppData\Local\Temp\incognito.exe
        
        "C:\Users\Admin\AppData\Local\Temp\incognito.exe"
        61⤵
        
        PID:2696
        
        C:\Users\Admin\AppData\Local\Temp\Insidious.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Insidious.exe"
        62⤵
        
        PID:3392
        
        C:\Users\Admin\AppData\Local\Temp\incognito.exe
        
        "C:\Users\Admin\AppData\Local\Temp\incognito.exe"
        62⤵
        
        PID:4940
        
        C:\Users\Admin\AppData\Local\Temp\Insidious.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Insidious.exe"
        63⤵
        
        PID:3704
        
        C:\Users\Admin\AppData\Local\Temp\incognito.exe
        
        "C:\Users\Admin\AppData\Local\Temp\incognito.exe"
        63⤵
        
        PID:1296
        
        C:\Users\Admin\AppData\Local\Temp\Insidious.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Insidious.exe"
        64⤵
        
        PID:2000
        
        C:\Users\Admin\AppData\Local\Temp\incognito.exe
        
        "C:\Users\Admin\AppData\Local\Temp\incognito.exe"
        64⤵
        
        PID:5028
        
        C:\Users\Admin\AppData\Local\Temp\Insidious.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Insidious.exe"
        65⤵
        
        PID:4580
        
        C:\Users\Admin\AppData\Local\Temp\incognito.exe
        
        "C:\Users\Admin\AppData\Local\Temp\incognito.exe"
        65⤵
        
        PID:4452
        
        C:\Users\Admin\AppData\Local\Temp\Insidious.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Insidious.exe"
        66⤵
        
        PID:3076
        
        C:\Users\Admin\AppData\Local\Temp\incognito.exe
        
        "C:\Users\Admin\AppData\Local\Temp\incognito.exe"
        66⤵
        
        PID:536
        
        C:\Users\Admin\AppData\Local\Temp\Insidious.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Insidious.exe"
        67⤵
        
        PID:2316
        
        C:\Users\Admin\AppData\Local\Temp\incognito.exe
        
        "C:\Users\Admin\AppData\Local\Temp\incognito.exe"
        67⤵
        
        PID:2044
        
        C:\Users\Admin\AppData\Local\Temp\Insidious.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Insidious.exe"
        68⤵
        
        PID:4792
        
        C:\Users\Admin\AppData\Local\Temp\incognito.exe
        
        "C:\Users\Admin\AppData\Local\Temp\incognito.exe"
        68⤵
        
        PID:840
        
        C:\Users\Admin\AppData\Local\Temp\Insidious.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Insidious.exe"
        69⤵
        
        PID:3456
        
        C:\Users\Admin\AppData\Local\Temp\incognito.exe
        
        "C:\Users\Admin\AppData\Local\Temp\incognito.exe"
        69⤵
        
        PID:1148
        
        C:\Users\Admin\AppData\Local\Temp\Insidious.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Insidious.exe"
        70⤵
        
        PID:380
        
        C:\Users\Admin\AppData\Local\Temp\incognito.exe
        
        "C:\Users\Admin\AppData\Local\Temp\incognito.exe"
        70⤵
        
        PID:4684
        
        C:\Users\Admin\AppData\Local\Temp\Insidious.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Insidious.exe"
        71⤵
        
        PID:1496
        
        C:\Users\Admin\AppData\Local\Temp\incognito.exe
        
        "C:\Users\Admin\AppData\Local\Temp\incognito.exe"
        71⤵
        
        PID:2748
        
        C:\Users\Admin\AppData\Local\Temp\Insidious.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Insidious.exe"
        72⤵
        
        PID:836
        
        C:\Users\Admin\AppData\Local\Temp\incognito.exe
        
        "C:\Users\Admin\AppData\Local\Temp\incognito.exe"
        72⤵
        
        PID:4992
        
        C:\Users\Admin\AppData\Local\Temp\Insidious.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Insidious.exe"
        73⤵
        
        PID:2280
        
        C:\Users\Admin\AppData\Local\Temp\incognito.exe
        
        "C:\Users\Admin\AppData\Local\Temp\incognito.exe"
        73⤵
        
        PID:4628
        
        C:\Users\Admin\AppData\Local\Temp\Insidious.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Insidious.exe"
        74⤵
        
        PID:4800
        
        C:\Users\Admin\AppData\Local\Temp\incognito.exe
        
        "C:\Users\Admin\AppData\Local\Temp\incognito.exe"
        74⤵
        
        PID:2268
        
        C:\Users\Admin\AppData\Local\Temp\Insidious.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Insidious.exe"
        75⤵
        
        PID:3144
        
        C:\Users\Admin\AppData\Local\Temp\incognito.exe
        
        "C:\Users\Admin\AppData\Local\Temp\incognito.exe"
        75⤵
        
        PID:1820
        
        C:\Users\Admin\AppData\Local\Temp\Insidious.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Insidious.exe"
        76⤵
        
        PID:1252
        
        C:\Users\Admin\AppData\Local\Temp\incognito.exe
        
        "C:\Users\Admin\AppData\Local\Temp\incognito.exe"
        76⤵
        
        PID:4312
        
        C:\Users\Admin\AppData\Local\Temp\Insidious.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Insidious.exe"
        77⤵
        
        PID:1740
        
        C:\Users\Admin\AppData\Local\Temp\incognito.exe
        
        "C:\Users\Admin\AppData\Local\Temp\incognito.exe"
        77⤵
        
        PID:4960
        
        C:\Users\Admin\AppData\Local\Temp\Insidious.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Insidious.exe"
        78⤵
        
        PID:4824
        
        C:\Users\Admin\AppData\Local\Temp\incognito.exe
        
        "C:\Users\Admin\AppData\Local\Temp\incognito.exe"
        78⤵
        
        PID:1508
        
        C:\Users\Admin\AppData\Local\Temp\Insidious.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Insidious.exe"
        79⤵
        
        PID:3120
        
        C:\Users\Admin\AppData\Local\Temp\incognito.exe
        
        "C:\Users\Admin\AppData\Local\Temp\incognito.exe"
        79⤵
        
        PID:2696
        
        C:\Users\Admin\AppData\Local\Temp\Insidious.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Insidious.exe"
        80⤵
        
        PID:1244
        
        C:\Users\Admin\AppData\Local\Temp\incognito.exe
        
        "C:\Users\Admin\AppData\Local\Temp\incognito.exe"
        80⤵
        
        PID:4564
        
        C:\Users\Admin\AppData\Local\Temp\Insidious.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Insidious.exe"
        81⤵
        
        PID:4064
        
        C:\Users\Admin\AppData\Local\Temp\incognito.exe
        
        "C:\Users\Admin\AppData\Local\Temp\incognito.exe"
        81⤵
        
        PID:668
        
        C:\Users\Admin\AppData\Local\Temp\Insidious.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Insidious.exe"
        82⤵
        
        PID:3608
        
        C:\Users\Admin\AppData\Local\Temp\incognito.exe
        
        "C:\Users\Admin\AppData\Local\Temp\incognito.exe"
        82⤵
        
        PID:4556
        
        C:\Users\Admin\AppData\Local\Temp\Insidious.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Insidious.exe"
        83⤵
        
        PID:4124
        
        C:\Users\Admin\AppData\Local\Temp\incognito.exe
        
        "C:\Users\Admin\AppData\Local\Temp\incognito.exe"
        83⤵
        
        PID:2164
        
        C:\Users\Admin\AppData\Local\Temp\Insidious.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Insidious.exe"
        84⤵
        
        PID:4644
        
        C:\Users\Admin\AppData\Local\Temp\incognito.exe
        
        "C:\Users\Admin\AppData\Local\Temp\incognito.exe"
        84⤵
        
        PID:4768
        
        C:\Users\Admin\AppData\Local\Temp\Insidious.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Insidious.exe"
        85⤵
        
        PID:1108
        
        C:\Users\Admin\AppData\Local\Temp\incognito.exe
        
        "C:\Users\Admin\AppData\Local\Temp\incognito.exe"
        85⤵
        
        PID:1656
        
        C:\Users\Admin\AppData\Local\Temp\Insidious.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Insidious.exe"
        86⤵
        
        PID:1336
        
        C:\Users\Admin\AppData\Local\Temp\incognito.exe
        
        "C:\Users\Admin\AppData\Local\Temp\incognito.exe"
        86⤵
        
        PID:2708
        
        C:\Users\Admin\AppData\Local\Temp\Insidious.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Insidious.exe"
        87⤵
        
        PID:1372
        
        C:\Users\Admin\AppData\Local\Temp\incognito.exe
        
        "C:\Users\Admin\AppData\Local\Temp\incognito.exe"
        87⤵
        
        PID:3588
        
        C:\Users\Admin\AppData\Local\Temp\Insidious.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Insidious.exe"
        88⤵
        
        PID:548
        
        C:\Users\Admin\AppData\Local\Temp\incognito.exe
        
        "C:\Users\Admin\AppData\Local\Temp\incognito.exe"
        88⤵
        
        PID:4676
        
        C:\Users\Admin\AppData\Local\Temp\Insidious.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Insidious.exe"
        89⤵
        
        PID:332
        
        C:\Users\Admin\AppData\Local\Temp\incognito.exe
        
        "C:\Users\Admin\AppData\Local\Temp\incognito.exe"
        89⤵
        
        PID:4776
        
        C:\Users\Admin\AppData\Local\Temp\Insidious.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Insidious.exe"
        90⤵
        
        PID:2428
        
        C:\Users\Admin\AppData\Local\Temp\incognito.exe
        
        "C:\Users\Admin\AppData\Local\Temp\incognito.exe"
        90⤵
        
        PID:2736
        
        C:\Users\Admin\AppData\Local\Temp\Insidious.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Insidious.exe"
        91⤵
        
        PID:5000
        
        C:\Users\Admin\AppData\Local\Temp\incognito.exe
        
        "C:\Users\Admin\AppData\Local\Temp\incognito.exe"
        91⤵
        
        PID:4628
        
        C:\Users\Admin\AppData\Local\Temp\Insidious.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Insidious.exe"
        92⤵
        
        PID:2152
        
        C:\Users\Admin\AppData\Local\Temp\incognito.exe
        
        "C:\Users\Admin\AppData\Local\Temp\incognito.exe"
        92⤵
        
        PID:1204
        
        C:\Users\Admin\AppData\Local\Temp\Insidious.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Insidious.exe"
        93⤵
        
        PID:2860
        
        C:\Users\Admin\AppData\Local\Temp\incognito.exe
        
        "C:\Users\Admin\AppData\Local\Temp\incognito.exe"
        93⤵
        
        PID:1248
        
        C:\Users\Admin\AppData\Local\Temp\Insidious.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Insidious.exe"
        94⤵
        
        PID:2012
        
        C:\Users\Admin\AppData\Local\Temp\incognito.exe
        
        "C:\Users\Admin\AppData\Local\Temp\incognito.exe"
        94⤵
        
        PID:5016
        
        C:\Users\Admin\AppData\Local\Temp\Insidious.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Insidious.exe"
        95⤵
        
        PID:2400
        
        C:\Users\Admin\AppData\Local\Temp\incognito.exe
        
        "C:\Users\Admin\AppData\Local\Temp\incognito.exe"
        95⤵
        
        PID:4732
        
        C:\Users\Admin\AppData\Local\Temp\Insidious.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Insidious.exe"
        96⤵
        
        PID:2600
        
        C:\Users\Admin\AppData\Local\Temp\incognito.exe
        
        "C:\Users\Admin\AppData\Local\Temp\incognito.exe"
        96⤵
        
        PID:3120
        
        C:\Users\Admin\AppData\Local\Temp\Insidious.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Insidious.exe"
        97⤵
        
        PID:720
        
        C:\Users\Admin\AppData\Local\Temp\incognito.exe
        
        "C:\Users\Admin\AppData\Local\Temp\incognito.exe"
        97⤵
        
        PID:4356
        
        C:\Users\Admin\AppData\Local\Temp\Insidious.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Insidious.exe"
        98⤵
        
        PID:4568
        
        C:\Users\Admin\AppData\Local\Temp\incognito.exe
        
        "C:\Users\Admin\AppData\Local\Temp\incognito.exe"
        98⤵
        
        PID:3720
        
        C:\Users\Admin\AppData\Local\Temp\Insidious.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Insidious.exe"
        99⤵
        
        PID:4536
        
        C:\Users\Admin\AppData\Local\Temp\incognito.exe
        
        "C:\Users\Admin\AppData\Local\Temp\incognito.exe"
        99⤵
        
        PID:2216
        
        C:\Users\Admin\AppData\Local\Temp\Insidious.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Insidious.exe"
        100⤵
        
        PID:5004
        
        C:\Users\Admin\AppData\Local\Temp\incognito.exe
        
        "C:\Users\Admin\AppData\Local\Temp\incognito.exe"
        100⤵
        
        PID:1020
        
        C:\Users\Admin\AppData\Local\Temp\Insidious.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Insidious.exe"
        101⤵
        
        PID:3600
        
        C:\Users\Admin\AppData\Local\Temp\incognito.exe
        
        "C:\Users\Admin\AppData\Local\Temp\incognito.exe"
        101⤵
        
        PID:2864
        
        C:\Users\Admin\AppData\Local\Temp\Insidious.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Insidious.exe"
        102⤵
        
        PID:2284
        
        C:\Users\Admin\AppData\Local\Temp\incognito.exe
        
        "C:\Users\Admin\AppData\Local\Temp\incognito.exe"
        102⤵
        
        PID:2364
        
        C:\Users\Admin\AppData\Local\Temp\Insidious.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Insidious.exe"
        103⤵
        
        PID:4792
        
        C:\Users\Admin\AppData\Local\Temp\incognito.exe
        
        "C:\Users\Admin\AppData\Local\Temp\incognito.exe"
        103⤵
        
        PID:2728
        
        C:\Users\Admin\AppData\Local\Temp\Insidious.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Insidious.exe"
        104⤵
        
        PID:3028
        
        C:\Users\Admin\AppData\Local\Temp\incognito.exe
        
        "C:\Users\Admin\AppData\Local\Temp\incognito.exe"
        104⤵
        
        PID:4552
        
        C:\Users\Admin\AppData\Local\Temp\Insidious.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Insidious.exe"
        105⤵
        
        PID:2972
        
        C:\Users\Admin\AppData\Local\Temp\incognito.exe
        
        "C:\Users\Admin\AppData\Local\Temp\incognito.exe"
        105⤵
        
        PID:1068
        
        C:\Users\Admin\AppData\Local\Temp\Insidious.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Insidious.exe"
        106⤵
        
        PID:676
        
        C:\Users\Admin\AppData\Local\Temp\incognito.exe
        
        "C:\Users\Admin\AppData\Local\Temp\incognito.exe"
        106⤵
        
        PID:3828
        
        C:\Users\Admin\AppData\Local\Temp\Insidious.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Insidious.exe"
        107⤵
        
        PID:3060
        
        C:\Users\Admin\AppData\Local\Temp\incognito.exe
        
        "C:\Users\Admin\AppData\Local\Temp\incognito.exe"
        107⤵
        
        PID:1920
        
        C:\Users\Admin\AppData\Local\Temp\Insidious.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Insidious.exe"
        108⤵
        
        PID:4756
        
        C:\Users\Admin\AppData\Local\Temp\incognito.exe
        
        "C:\Users\Admin\AppData\Local\Temp\incognito.exe"
        108⤵
        
        PID:3008
        
        C:\Users\Admin\AppData\Local\Temp\Insidious.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Insidious.exe"
        109⤵
        
        PID:660
        
        C:\Users\Admin\AppData\Local\Temp\incognito.exe
        
        "C:\Users\Admin\AppData\Local\Temp\incognito.exe"
        109⤵
        
        PID:2152
        
        C:\Users\Admin\AppData\Local\Temp\Insidious.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Insidious.exe"
        110⤵
        
        PID:4748
        
        C:\Users\Admin\AppData\Local\Temp\incognito.exe
        
        "C:\Users\Admin\AppData\Local\Temp\incognito.exe"
        110⤵
        
        PID:4340
        
        C:\Users\Admin\AppData\Local\Temp\Insidious.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Insidious.exe"
        111⤵
        
        PID:4312
        
        C:\Users\Admin\AppData\Local\Temp\incognito.exe
        
        "C:\Users\Admin\AppData\Local\Temp\incognito.exe"
        111⤵
        
        PID:2792
        
        C:\Users\Admin\AppData\Local\Temp\Insidious.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Insidious.exe"
        112⤵
        
        PID:4464
        
        C:\Users\Admin\AppData\Local\Temp\incognito.exe
        
        "C:\Users\Admin\AppData\Local\Temp\incognito.exe"
        112⤵
        
        PID:4352
        
        C:\Users\Admin\AppData\Local\Temp\Insidious.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Insidious.exe"
        113⤵
        
        PID:4688
        
        C:\Users\Admin\AppData\Local\Temp\incognito.exe
        
        "C:\Users\Admin\AppData\Local\Temp\incognito.exe"
        113⤵
        
        PID:3452
        
        C:\Users\Admin\AppData\Local\Temp\Insidious.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Insidious.exe"
        114⤵
        
        PID:4680
        
        C:\Users\Admin\AppData\Local\Temp\incognito.exe
        
        "C:\Users\Admin\AppData\Local\Temp\incognito.exe"
        114⤵
        
        PID:4256
        
        C:\Users\Admin\AppData\Local\Temp\Insidious.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Insidious.exe"
        115⤵
        
        PID:4632
        
        C:\Users\Admin\AppData\Local\Temp\incognito.exe
        
        "C:\Users\Admin\AppData\Local\Temp\incognito.exe"
        115⤵
        
        PID:4332
        
        C:\Users\Admin\AppData\Local\Temp\Insidious.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Insidious.exe"
        116⤵
        
        PID:4348
        
        C:\Users\Admin\AppData\Local\Temp\incognito.exe
        
        "C:\Users\Admin\AppData\Local\Temp\incognito.exe"
        116⤵
        
        PID:2744
        
        C:\Users\Admin\AppData\Local\Temp\Insidious.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Insidious.exe"
        117⤵
        
        PID:4208
        
        C:\Users\Admin\AppData\Local\Temp\incognito.exe
        
        "C:\Users\Admin\AppData\Local\Temp\incognito.exe"
        117⤵
        
        PID:4580
        
        C:\Users\Admin\AppData\Local\Temp\Insidious.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Insidious.exe"
        118⤵
        
        PID:4108
        
        C:\Users\Admin\AppData\Local\Temp\incognito.exe
        
        "C:\Users\Admin\AppData\Local\Temp\incognito.exe"
        118⤵
        
        PID:1612
        
        C:\Users\Admin\AppData\Local\Temp\Insidious.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Insidious.exe"
        119⤵
        
        PID:2524
        
        C:\Users\Admin\AppData\Local\Temp\incognito.exe
        
        "C:\Users\Admin\AppData\Local\Temp\incognito.exe"
        119⤵
        
        PID:696
        
        C:\Users\Admin\AppData\Local\Temp\Insidious.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Insidious.exe"
        120⤵
        
        PID:4176
        
        C:\Users\Admin\AppData\Local\Temp\incognito.exe
        
        "C:\Users\Admin\AppData\Local\Temp\incognito.exe"
        120⤵
        
        PID:1660
        
        C:\Users\Admin\AppData\Local\Temp\Insidious.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Insidious.exe"
        121⤵
        
        PID:2708
        
        C:\Users\Admin\AppData\Local\Temp\incognito.exe
        
        "C:\Users\Admin\AppData\Local\Temp\incognito.exe"
        121⤵
        
        PID:4636
        
        C:\Users\Admin\AppData\Local\Temp\Insidious.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Insidious.exe"
        122⤵
        
        PID:3312
        
        C:\Users\Admin\AppData\Local\Temp\incognito.exe
        
        "C:\Users\Admin\AppData\Local\Temp\incognito.exe"
        122⤵
        
        PID:4684
        
        C:\Users\Admin\AppData\Local\Temp\Insidious.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Insidious.exe"
        123⤵
        
        PID:5108
        
        C:\Users\Admin\AppData\Local\Temp\incognito.exe
        
        "C:\Users\Admin\AppData\Local\Temp\incognito.exe"
        123⤵
        
        PID:1144
        
        C:\Users\Admin\AppData\Local\Temp\Insidious.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Insidious.exe"
        124⤵
        
        PID:2556
        
        C:\Users\Admin\AppData\Local\Temp\incognito.exe
        
        "C:\Users\Admin\AppData\Local\Temp\incognito.exe"
        124⤵
        
        PID:2540
        
        C:\Users\Admin\AppData\Local\Temp\Insidious.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Insidious.exe"
        125⤵
        
        PID:4220
        
        C:\Users\Admin\AppData\Local\Temp\incognito.exe
        
        "C:\Users\Admin\AppData\Local\Temp\incognito.exe"
        125⤵
        
        PID:4588
        
        C:\Users\Admin\AppData\Local\Temp\Insidious.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Insidious.exe"
        126⤵
        
        PID:4628
        
        C:\Users\Admin\AppData\Local\Temp\incognito.exe
        
        "C:\Users\Admin\AppData\Local\Temp\incognito.exe"
        126⤵
        
        PID:1888
        
        C:\Users\Admin\AppData\Local\Temp\Insidious.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Insidious.exe"
        127⤵
        
        PID:1444
        
        C:\Users\Admin\AppData\Local\Temp\incognito.exe
        
        "C:\Users\Admin\AppData\Local\Temp\incognito.exe"
        127⤵
        
        PID:2268
        
        C:\Users\Admin\AppData\Local\Temp\Insidious.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Insidious.exe"
        128⤵
        
        PID:4712
        
        C:\Users\Admin\AppData\Local\Temp\incognito.exe
        
        "C:\Users\Admin\AppData\Local\Temp\incognito.exe"
        128⤵
        
        PID:208
        
        C:\Users\Admin\AppData\Local\Temp\Insidious.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Insidious.exe"
        129⤵
        
        PID:5016
        
        C:\Users\Admin\AppData\Local\Temp\incognito.exe
        
        "C:\Users\Admin\AppData\Local\Temp\incognito.exe"
        129⤵
        
        PID:1740
        
        C:\Users\Admin\AppData\Local\Temp\Insidious.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Insidious.exe"
        130⤵
        
        PID:4960
        
        C:\Users\Admin\AppData\Local\Temp\incognito.exe
        
        "C:\Users\Admin\AppData\Local\Temp\incognito.exe"
        130⤵
        
        PID:3000
        
        C:\Users\Admin\AppData\Local\Temp\Insidious.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Insidious.exe"
        131⤵
        
        PID:3120
        
        C:\Users\Admin\AppData\Local\Temp\incognito.exe
        
        "C:\Users\Admin\AppData\Local\Temp\incognito.exe"
        131⤵
        
        PID:4704
        
        C:\Users\Admin\AppData\Local\Temp\Insidious.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Insidious.exe"
        132⤵
        
        PID:944
        
        C:\Users\Admin\AppData\Local\Temp\incognito.exe
        
        "C:\Users\Admin\AppData\Local\Temp\incognito.exe"
        132⤵
        
        PID:4632
        
        C:\Users\Admin\AppData\Local\Temp\Insidious.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Insidious.exe"
        133⤵
        
        PID:4216
        
        C:\Users\Admin\AppData\Local\Temp\incognito.exe
        
        "C:\Users\Admin\AppData\Local\Temp\incognito.exe"
        133⤵
        
        PID:2116
        
        C:\Users\Admin\AppData\Local\Temp\Insidious.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Insidious.exe"
        134⤵
        
        PID:4144
        
        C:\Users\Admin\AppData\Local\Temp\incognito.exe
        
        "C:\Users\Admin\AppData\Local\Temp\incognito.exe"
        134⤵
        
        PID:4564
        
        C:\Users\Admin\AppData\Local\Temp\Insidious.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Insidious.exe"
        135⤵
        
        PID:4648
        
        C:\Users\Admin\AppData\Local\Temp\incognito.exe
        
        "C:\Users\Admin\AppData\Local\Temp\incognito.exe"
        135⤵
        
        PID:4452
        
        C:\Users\Admin\AppData\Local\Temp\Insidious.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Insidious.exe"
        136⤵
        
        PID:2868
        
        C:\Users\Admin\AppData\Local\Temp\incognito.exe
        
        "C:\Users\Admin\AppData\Local\Temp\incognito.exe"
        136⤵
        
        PID:2100

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\Insidious.exe.log

Filesize
422B

MD5
91956ff35074949b1b46ba17a2fbfa2b

SHA1
de40118e583776ed948431fa0af9cc89d6b12c8b

SHA256
842737052b8f428220890a78b60b4df441b0fbe324b1d7e6a892c7e03f4aa9ae

SHA512
935bee27d0b1e198bbe6b2446afe0d755041dd3ac0b003736143b4df1551a39bf735827b3f352e90c67929dcef89fdbc03563fc0a9a954ef5c07e797fdc6a562

Download Submit
C:\Users\Admin\AppData\Local\Temp\Insidious.exe

Filesize
303KB

MD5
322f8b7008ed4457f45940ed469d62f7

SHA1
06abe0b813b136fb2e62a660be349d206c8fbc05

SHA256
af6f00b5151639a898102be5e0f3ce8cfb9e5e54019ebe2a7c9c61f72b612139

SHA512
fc94e2fd700fbea5ffcadaf00e33f79b8ffc565b34b7b9d7494437ce7b9b06bd1b994daf6db74093a0487200e5195a5622d73e410b8dd9bac9880abfcb9a7112

Download Submit
C:\Users\Admin\AppData\Local\Temp\incognito\incognito\workspace\.tests\isfile.txt

Filesize
7B

MD5
260ca9dd8a4577fc00b7bd5810298076

SHA1
53a5687cb26dc41f2ab4033e97e13adefd3740d6

SHA256
aee408847d35e44e99430f0979c3357b85fe8dbb4535a494301198adbee85f27

SHA512
51e85deb51c2b909a21ec5b8e83b1cb28da258b1be227620105a345a2bd4c6aea549cd5429670f2df33324667b9f623a420b3a0bdbbd03ad48602211e75478a7

Download Submit
memory/3648-43-0x00007FFA76483000-0x00007FFA76484000-memory.dmp

Filesize
4KB

Download
memory/3648-42-0x000001BD691B0000-0x000001BD69202000-memory.dmp

Filesize
328KB

Download
memory/3648-61-0x00007FFA76480000-0x00007FFA76E6C000-memory.dmp

Filesize
9.9MB

Download
memory/3648-249-0x00007FFA76483000-0x00007FFA76484000-memory.dmp

Filesize
4KB

Download
memory/3648-264-0x00007FFA76480000-0x00007FFA76E6C000-memory.dmp

Filesize
9.9MB

Download