44caliber | 0737631afc73cb9df2de10bd081240bdb79efa2281725ba86d6bc96a79329377

Analysis

max time kernel
5s
max time network
40s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
04-06-2024 18:03

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

incognito.exe
Size

19.1MB
MD5

eb4fb2a7c7b9baecd24417a1de212cb7
SHA1

996a303e8b7d8b772aa691102085d0381a5f8e5e
SHA256

ddce0c6cf20c0367d751d6219cb0a26f2e57f2015c950ed77c12581eb990a2ca
SHA512

6a41b16297289e125758f6d070c924bdcca700bc705775191a282de2169b4e6a1ab40c4f95645aa79015d6e621d61c91b781f08a6de6f9521deccdd69d6e3b0e
SSDEEP

393216:ypIkEfmNmTiBzRc+Ca/fJ+YZcgYTCwyDfBiHmIKOy8kCPI:JkMmai4aXJ+utYTny71Vr8kCPI

Score

10^/10

44caliber spyware stealer

Malware Config

Extracted

Family

44caliber

https://discord.com/api/webhooks/1247477719873359936/wrB74XRj4TlNQ2nBZ-UiFAKT5xaUPOYEcQERM4xeBMpOTpKIiACoITNRdXsYoHlUqHc-

Signatures

44Caliber
An open source infostealer written in C#.
stealer 44caliber

Checks computer location settings 2 TTPs 9 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

incognito.exeincognito.exeincognito.exeincognito.exeincognito.exeincognito.exeincognito.exeincognito.exeincognito.exe

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\Control Panel\International\Geo\Nation	incognito.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\Control Panel\International\Geo\Nation	incognito.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\Control Panel\International\Geo\Nation	incognito.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\Control Panel\International\Geo\Nation	incognito.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\Control Panel\International\Geo\Nation	incognito.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\Control Panel\International\Geo\Nation	incognito.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\Control Panel\International\Geo\Nation	incognito.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\Control Panel\International\Geo\Nation	incognito.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\Control Panel\International\Geo\Nation	incognito.exe

Executes dropped EXE 9 IoCs

Processes:

Insidious.exeInsidious.exeInsidious.exeInsidious.exeInsidious.exeInsidious.exeInsidious.exeInsidious.exeInsidious.exe

pid	Process
1368	Insidious.exe
3408	Insidious.exe
4948	Insidious.exe
1716	Insidious.exe
5080	Insidious.exe
808	Insidious.exe
2784	Insidious.exe
3016	Insidious.exe
1112	Insidious.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials In Files
T1552.001

Looks up external IP address via web service 21 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow	ioc
26	freegeoip.app
48	freegeoip.app
50	freegeoip.app
51	freegeoip.app
54	freegeoip.app
64	freegeoip.app
18	freegeoip.app
55	freegeoip.app
62	freegeoip.app
76	freegeoip.app
77	freegeoip.app
21	freegeoip.app
23	freegeoip.app
32	freegeoip.app
33	freegeoip.app
5	freegeoip.app
6	freegeoip.app
37	freegeoip.app
53	freegeoip.app
61	freegeoip.app
71	freegeoip.app

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 21 IoCs

Processes:

Insidious.exeInsidious.exeInsidious.exeInsidious.exeInsidious.exeInsidious.exeInsidious.exeInsidious.exeInsidious.exe

pid	Process
1368	Insidious.exe
1368	Insidious.exe
1368	Insidious.exe
3408	Insidious.exe
3408	Insidious.exe
4948	Insidious.exe
4948	Insidious.exe
1716	Insidious.exe
1716	Insidious.exe
5080	Insidious.exe
5080	Insidious.exe
5080	Insidious.exe
808	Insidious.exe
808	Insidious.exe
2784	Insidious.exe
2784	Insidious.exe
3016	Insidious.exe
3016	Insidious.exe
3016	Insidious.exe
1112	Insidious.exe
1112	Insidious.exe

Suspicious use of AdjustPrivilegeToken 9 IoCs

Processes:

Insidious.exeInsidious.exeInsidious.exeInsidious.exeInsidious.exeInsidious.exeInsidious.exeInsidious.exeInsidious.exe

description	pid	Process
Token: SeDebugPrivilege	1368	Insidious.exe
Token: SeDebugPrivilege	3408	Insidious.exe
Token: SeDebugPrivilege	4948	Insidious.exe
Token: SeDebugPrivilege	1716	Insidious.exe
Token: SeDebugPrivilege	5080	Insidious.exe
Token: SeDebugPrivilege	808	Insidious.exe
Token: SeDebugPrivilege	2784	Insidious.exe
Token: SeDebugPrivilege	3016	Insidious.exe
Token: SeDebugPrivilege	1112	Insidious.exe

Suspicious use of WriteProcessMemory 45 IoCs

Processes:

incognito.exeincognito.exeincognito.exeincognito.exeincognito.exeincognito.exeincognito.exeincognito.exeincognito.exe

description	pid	Process	procid_target
PID 3984 wrote to memory of 1368	3984	incognito.exe	120
PID 3984 wrote to memory of 1368	3984	incognito.exe	120
PID 3984 wrote to memory of 4940	3984	incognito.exe	87
PID 3984 wrote to memory of 4940	3984	incognito.exe	87
PID 3984 wrote to memory of 4940	3984	incognito.exe	87
PID 4940 wrote to memory of 3408	4940	incognito.exe	88
PID 4940 wrote to memory of 3408	4940	incognito.exe	88
PID 4940 wrote to memory of 1588	4940	incognito.exe	89
PID 4940 wrote to memory of 1588	4940	incognito.exe	89
PID 4940 wrote to memory of 1588	4940	incognito.exe	89
PID 1588 wrote to memory of 4948	1588	incognito.exe	94
PID 1588 wrote to memory of 4948	1588	incognito.exe	94
PID 1588 wrote to memory of 4792	1588	incognito.exe	95
PID 1588 wrote to memory of 4792	1588	incognito.exe	95
PID 1588 wrote to memory of 4792	1588	incognito.exe	95
PID 4792 wrote to memory of 1716	4792	incognito.exe	96
PID 4792 wrote to memory of 1716	4792	incognito.exe	96
PID 4792 wrote to memory of 1856	4792	incognito.exe	97
PID 4792 wrote to memory of 1856	4792	incognito.exe	97
PID 4792 wrote to memory of 1856	4792	incognito.exe	97
PID 1856 wrote to memory of 5080	1856	incognito.exe	98
PID 1856 wrote to memory of 5080	1856	incognito.exe	98
PID 1856 wrote to memory of 1060	1856	incognito.exe	99
PID 1856 wrote to memory of 1060	1856	incognito.exe	99
PID 1856 wrote to memory of 1060	1856	incognito.exe	99
PID 1060 wrote to memory of 808	1060	incognito.exe	102
PID 1060 wrote to memory of 808	1060	incognito.exe	102
PID 1060 wrote to memory of 2836	1060	incognito.exe	103
PID 1060 wrote to memory of 2836	1060	incognito.exe	103
PID 1060 wrote to memory of 2836	1060	incognito.exe	103
PID 2836 wrote to memory of 2784	2836	incognito.exe	309
PID 2836 wrote to memory of 2784	2836	incognito.exe	309
PID 2836 wrote to memory of 3456	2836	incognito.exe	105
PID 2836 wrote to memory of 3456	2836	incognito.exe	105
PID 2836 wrote to memory of 3456	2836	incognito.exe	105
PID 3456 wrote to memory of 3016	3456	incognito.exe	108
PID 3456 wrote to memory of 3016	3456	incognito.exe	108
PID 3456 wrote to memory of 1708	3456	incognito.exe	202
PID 3456 wrote to memory of 1708	3456	incognito.exe	202
PID 3456 wrote to memory of 1708	3456	incognito.exe	202
PID 1708 wrote to memory of 1112	1708	incognito.exe	111
PID 1708 wrote to memory of 1112	1708	incognito.exe	111
PID 1708 wrote to memory of 2328	1708	incognito.exe	375
PID 1708 wrote to memory of 2328	1708	incognito.exe	375
PID 1708 wrote to memory of 2328	1708	incognito.exe	375

C:\Users\Admin\AppData\Local\Temp\incognito.exe
"C:\Users\Admin\AppData\Local\Temp\incognito.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:3984
- C:\Users\Admin\AppData\Local\Temp\Insidious.exe
  "C:\Users\Admin\AppData\Local\Temp\Insidious.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1368
- C:\Users\Admin\AppData\Local\Temp\incognito.exe
  "C:\Users\Admin\AppData\Local\Temp\incognito.exe"
  2⤵
  - Checks computer location settings
  - Suspicious use of WriteProcessMemory
  PID:4940
- - C:\Users\Admin\AppData\Local\Temp\Insidious.exe
    "C:\Users\Admin\AppData\Local\Temp\Insidious.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:3408
- - C:\Users\Admin\AppData\Local\Temp\incognito.exe
    "C:\Users\Admin\AppData\Local\Temp\incognito.exe"
    3⤵
    - Checks computer location settings
    - Suspicious use of WriteProcessMemory
    PID:1588
  - - C:\Users\Admin\AppData\Local\Temp\Insidious.exe
      "C:\Users\Admin\AppData\Local\Temp\Insidious.exe"
      4⤵
      Executes dropped EXE
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:4948
  - - C:\Users\Admin\AppData\Local\Temp\incognito.exe
      "C:\Users\Admin\AppData\Local\Temp\incognito.exe"
      4⤵
      Checks computer location settings
      Suspicious use of WriteProcessMemory
      PID:4792
    - - C:\Users\Admin\AppData\Local\Temp\Insidious.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Insidious.exe"
        5⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1716
    - - C:\Users\Admin\AppData\Local\Temp\incognito.exe
        
        "C:\Users\Admin\AppData\Local\Temp\incognito.exe"
        5⤵
        Checks computer location settings
        Suspicious use of WriteProcessMemory
        
        PID:1856
      - C:\Users\Admin\AppData\Local\Temp\Insidious.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Insidious.exe"
        6⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:5080
      - C:\Users\Admin\AppData\Local\Temp\incognito.exe
        
        "C:\Users\Admin\AppData\Local\Temp\incognito.exe"
        6⤵
        Checks computer location settings
        Suspicious use of WriteProcessMemory
        
        PID:1060
        
        C:\Users\Admin\AppData\Local\Temp\Insidious.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Insidious.exe"
        7⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:808
        
        C:\Users\Admin\AppData\Local\Temp\incognito.exe
        
        "C:\Users\Admin\AppData\Local\Temp\incognito.exe"
        7⤵
        Checks computer location settings
        Suspicious use of WriteProcessMemory
        
        PID:2836
        
        C:\Users\Admin\AppData\Local\Temp\Insidious.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Insidious.exe"
        8⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2784
        
        C:\Users\Admin\AppData\Local\Temp\incognito.exe
        
        "C:\Users\Admin\AppData\Local\Temp\incognito.exe"
        8⤵
        Checks computer location settings
        Suspicious use of WriteProcessMemory
        
        PID:3456
        
        C:\Users\Admin\AppData\Local\Temp\Insidious.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Insidious.exe"
        9⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3016
        
        C:\Users\Admin\AppData\Local\Temp\incognito.exe
        
        "C:\Users\Admin\AppData\Local\Temp\incognito.exe"
        9⤵
        Checks computer location settings
        Suspicious use of WriteProcessMemory
        
        PID:1708
        
        C:\Users\Admin\AppData\Local\Temp\Insidious.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Insidious.exe"
        10⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1112
        
        C:\Users\Admin\AppData\Local\Temp\incognito.exe
        
        "C:\Users\Admin\AppData\Local\Temp\incognito.exe"
        10⤵
        
        PID:2328
        
        C:\Users\Admin\AppData\Local\Temp\Insidious.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Insidious.exe"
        11⤵
        
        PID:3960
        
        C:\Users\Admin\AppData\Local\Temp\incognito.exe
        
        "C:\Users\Admin\AppData\Local\Temp\incognito.exe"
        11⤵
        
        PID:2660
        
        C:\Users\Admin\AppData\Local\Temp\Insidious.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Insidious.exe"
        12⤵
        
        PID:3280
        
        C:\Users\Admin\AppData\Local\Temp\incognito.exe
        
        "C:\Users\Admin\AppData\Local\Temp\incognito.exe"
        12⤵
        
        PID:3288
        
        C:\Users\Admin\AppData\Local\Temp\Insidious.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Insidious.exe"
        13⤵
        
        PID:1368
        
        C:\Users\Admin\AppData\Local\Temp\incognito.exe
        
        "C:\Users\Admin\AppData\Local\Temp\incognito.exe"
        13⤵
        
        PID:2204
        
        C:\Users\Admin\AppData\Local\Temp\Insidious.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Insidious.exe"
        14⤵
        
        PID:3192
        
        C:\Users\Admin\AppData\Local\Temp\incognito.exe
        
        "C:\Users\Admin\AppData\Local\Temp\incognito.exe"
        14⤵
        
        PID:1008
        
        C:\Users\Admin\AppData\Local\Temp\Insidious.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Insidious.exe"
        15⤵
        
        PID:2632
        
        C:\Users\Admin\AppData\Local\Temp\incognito.exe
        
        "C:\Users\Admin\AppData\Local\Temp\incognito.exe"
        15⤵
        
        PID:2832
        
        C:\Users\Admin\AppData\Local\Temp\Insidious.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Insidious.exe"
        16⤵
        
        PID:4324
        
        C:\Users\Admin\AppData\Local\Temp\incognito.exe
        
        "C:\Users\Admin\AppData\Local\Temp\incognito.exe"
        16⤵
        
        PID:3836
        
        C:\Users\Admin\AppData\Local\Temp\Insidious.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Insidious.exe"
        17⤵
        
        PID:904
        
        C:\Users\Admin\AppData\Local\Temp\incognito.exe
        
        "C:\Users\Admin\AppData\Local\Temp\incognito.exe"
        17⤵
        
        PID:3976
        
        C:\Users\Admin\AppData\Local\Temp\Insidious.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Insidious.exe"
        18⤵
        
        PID:1904
        
        C:\Users\Admin\AppData\Local\Temp\incognito.exe
        
        "C:\Users\Admin\AppData\Local\Temp\incognito.exe"
        18⤵
        
        PID:4416
        
        C:\Users\Admin\AppData\Local\Temp\Insidious.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Insidious.exe"
        19⤵
        
        PID:3208
        
        C:\Users\Admin\AppData\Local\Temp\incognito.exe
        
        "C:\Users\Admin\AppData\Local\Temp\incognito.exe"
        19⤵
        
        PID:3832
        
        C:\Users\Admin\AppData\Local\Temp\Insidious.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Insidious.exe"
        20⤵
        
        PID:1232
        
        C:\Users\Admin\AppData\Local\Temp\incognito.exe
        
        "C:\Users\Admin\AppData\Local\Temp\incognito.exe"
        20⤵
        
        PID:2148
        
        C:\Users\Admin\AppData\Local\Temp\Insidious.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Insidious.exe"
        21⤵
        
        PID:2768
        
        C:\Users\Admin\AppData\Local\Temp\incognito.exe
        
        "C:\Users\Admin\AppData\Local\Temp\incognito.exe"
        21⤵
        
        PID:4608
        
        C:\Users\Admin\AppData\Local\Temp\Insidious.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Insidious.exe"
        22⤵
        
        PID:60
        
        C:\Users\Admin\AppData\Local\Temp\incognito.exe
        
        "C:\Users\Admin\AppData\Local\Temp\incognito.exe"
        22⤵
        
        PID:3088
        
        C:\Users\Admin\AppData\Local\Temp\Insidious.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Insidious.exe"
        23⤵
        
        PID:3820
        
        C:\Users\Admin\AppData\Local\Temp\incognito.exe
        
        "C:\Users\Admin\AppData\Local\Temp\incognito.exe"
        23⤵
        
        PID:2136
        
        C:\Users\Admin\AppData\Local\Temp\Insidious.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Insidious.exe"
        24⤵
        
        PID:2036
        
        C:\Users\Admin\AppData\Local\Temp\incognito.exe
        
        "C:\Users\Admin\AppData\Local\Temp\incognito.exe"
        24⤵
        
        PID:964
        
        C:\Users\Admin\AppData\Local\Temp\Insidious.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Insidious.exe"
        25⤵
        
        PID:1932
        
        C:\Users\Admin\AppData\Local\Temp\incognito.exe
        
        "C:\Users\Admin\AppData\Local\Temp\incognito.exe"
        25⤵
        
        PID:596
        
        C:\Users\Admin\AppData\Local\Temp\Insidious.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Insidious.exe"
        26⤵
        
        PID:2328
        
        C:\Users\Admin\AppData\Local\Temp\incognito.exe
        
        "C:\Users\Admin\AppData\Local\Temp\incognito.exe"
        26⤵
        
        PID:4616
        
        C:\Users\Admin\AppData\Local\Temp\Insidious.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Insidious.exe"
        27⤵
        
        PID:380
        
        C:\Users\Admin\AppData\Local\Temp\incognito.exe
        
        "C:\Users\Admin\AppData\Local\Temp\incognito.exe"
        27⤵
        
        PID:2660
        
        C:\Users\Admin\AppData\Local\Temp\Insidious.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Insidious.exe"
        28⤵
        
        PID:3392
        
        C:\Users\Admin\AppData\Local\Temp\incognito.exe
        
        "C:\Users\Admin\AppData\Local\Temp\incognito.exe"
        28⤵
        
        PID:2760
        
        C:\Users\Admin\AppData\Local\Temp\Insidious.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Insidious.exe"
        29⤵
        
        PID:880
        
        C:\Users\Admin\AppData\Local\Temp\incognito.exe
        
        "C:\Users\Admin\AppData\Local\Temp\incognito.exe"
        29⤵
        
        PID:3400
        
        C:\Users\Admin\AppData\Local\Temp\Insidious.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Insidious.exe"
        30⤵
        
        PID:3968
        
        C:\Users\Admin\AppData\Local\Temp\incognito.exe
        
        "C:\Users\Admin\AppData\Local\Temp\incognito.exe"
        30⤵
        
        PID:1764
        
        C:\Users\Admin\AppData\Local\Temp\Insidious.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Insidious.exe"
        31⤵
        
        PID:2924
        
        C:\Users\Admin\AppData\Local\Temp\incognito.exe
        
        "C:\Users\Admin\AppData\Local\Temp\incognito.exe"
        31⤵
        
        PID:4404
        
        C:\Users\Admin\AppData\Local\Temp\Insidious.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Insidious.exe"
        32⤵
        
        PID:2260
        
        C:\Users\Admin\AppData\Local\Temp\incognito.exe
        
        "C:\Users\Admin\AppData\Local\Temp\incognito.exe"
        32⤵
        
        PID:3208
        
        C:\Users\Admin\AppData\Local\Temp\Insidious.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Insidious.exe"
        33⤵
        
        PID:432
        
        C:\Users\Admin\AppData\Local\Temp\incognito.exe
        
        "C:\Users\Admin\AppData\Local\Temp\incognito.exe"
        33⤵
        
        PID:1908
        
        C:\Users\Admin\AppData\Local\Temp\Insidious.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Insidious.exe"
        34⤵
        
        PID:4712
        
        C:\Users\Admin\AppData\Local\Temp\incognito.exe
        
        "C:\Users\Admin\AppData\Local\Temp\incognito.exe"
        34⤵
        
        PID:4884
        
        C:\Users\Admin\AppData\Local\Temp\Insidious.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Insidious.exe"
        35⤵
        
        PID:1812
        
        C:\Users\Admin\AppData\Local\Temp\incognito.exe
        
        "C:\Users\Admin\AppData\Local\Temp\incognito.exe"
        35⤵
        
        PID:4708
        
        C:\Users\Admin\AppData\Local\Temp\Insidious.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Insidious.exe"
        36⤵
        
        PID:4828
        
        C:\Users\Admin\AppData\Local\Temp\incognito.exe
        
        "C:\Users\Admin\AppData\Local\Temp\incognito.exe"
        36⤵
        
        PID:1236
        
        C:\Users\Admin\AppData\Local\Temp\Insidious.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Insidious.exe"
        37⤵
        
        PID:964
        
        C:\Users\Admin\AppData\Local\Temp\incognito.exe
        
        "C:\Users\Admin\AppData\Local\Temp\incognito.exe"
        37⤵
        
        PID:4404
        
        C:\Users\Admin\AppData\Local\Temp\Insidious.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Insidious.exe"
        38⤵
        
        PID:4348
        
        C:\Users\Admin\AppData\Local\Temp\incognito.exe
        
        "C:\Users\Admin\AppData\Local\Temp\incognito.exe"
        38⤵
        
        PID:428
        
        C:\Users\Admin\AppData\Local\Temp\Insidious.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Insidious.exe"
        39⤵
        
        PID:2036
        
        C:\Users\Admin\AppData\Local\Temp\incognito.exe
        
        "C:\Users\Admin\AppData\Local\Temp\incognito.exe"
        39⤵
        
        PID:3988
        
        C:\Users\Admin\AppData\Local\Temp\Insidious.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Insidious.exe"
        40⤵
        
        PID:4616
        
        C:\Users\Admin\AppData\Local\Temp\incognito.exe
        
        "C:\Users\Admin\AppData\Local\Temp\incognito.exe"
        40⤵
        
        PID:644
        
        C:\Users\Admin\AppData\Local\Temp\Insidious.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Insidious.exe"
        41⤵
        
        PID:1812
        
        C:\Users\Admin\AppData\Local\Temp\incognito.exe
        
        "C:\Users\Admin\AppData\Local\Temp\incognito.exe"
        41⤵
        
        PID:684
        
        C:\Users\Admin\AppData\Local\Temp\Insidious.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Insidious.exe"
        42⤵
        
        PID:840
        
        C:\Users\Admin\AppData\Local\Temp\incognito.exe
        
        "C:\Users\Admin\AppData\Local\Temp\incognito.exe"
        42⤵
        
        PID:1708
        
        C:\Users\Admin\AppData\Local\Temp\Insidious.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Insidious.exe"
        43⤵
        
        PID:4460
        
        C:\Users\Admin\AppData\Local\Temp\incognito.exe
        
        "C:\Users\Admin\AppData\Local\Temp\incognito.exe"
        43⤵
        
        PID:2768
        
        C:\Users\Admin\AppData\Local\Temp\Insidious.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Insidious.exe"
        44⤵
        
        PID:1764
        
        C:\Users\Admin\AppData\Local\Temp\incognito.exe
        
        "C:\Users\Admin\AppData\Local\Temp\incognito.exe"
        44⤵
        
        PID:3872
        
        C:\Users\Admin\AppData\Local\Temp\Insidious.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Insidious.exe"
        45⤵
        
        PID:3356
        
        C:\Users\Admin\AppData\Local\Temp\incognito.exe
        
        "C:\Users\Admin\AppData\Local\Temp\incognito.exe"
        45⤵
        
        PID:2312
        
        C:\Users\Admin\AppData\Local\Temp\Insidious.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Insidious.exe"
        46⤵
        
        PID:1368
        
        C:\Users\Admin\AppData\Local\Temp\incognito.exe
        
        "C:\Users\Admin\AppData\Local\Temp\incognito.exe"
        46⤵
        
        PID:2784
        
        C:\Users\Admin\AppData\Local\Temp\Insidious.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Insidious.exe"
        47⤵
        
        PID:1740
        
        C:\Users\Admin\AppData\Local\Temp\incognito.exe
        
        "C:\Users\Admin\AppData\Local\Temp\incognito.exe"
        47⤵
        
        PID:2036
        
        C:\Users\Admin\AppData\Local\Temp\Insidious.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Insidious.exe"
        48⤵
        
        PID:684
        
        C:\Users\Admin\AppData\Local\Temp\incognito.exe
        
        "C:\Users\Admin\AppData\Local\Temp\incognito.exe"
        48⤵
        
        PID:3236
        
        C:\Users\Admin\AppData\Local\Temp\Insidious.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Insidious.exe"
        49⤵
        
        PID:4828
        
        C:\Users\Admin\AppData\Local\Temp\incognito.exe
        
        "C:\Users\Admin\AppData\Local\Temp\incognito.exe"
        49⤵
        
        PID:4388
        
        C:\Users\Admin\AppData\Local\Temp\Insidious.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Insidious.exe"
        50⤵
        
        PID:3396
        
        C:\Users\Admin\AppData\Local\Temp\incognito.exe
        
        "C:\Users\Admin\AppData\Local\Temp\incognito.exe"
        50⤵
        
        PID:1216
        
        C:\Users\Admin\AppData\Local\Temp\Insidious.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Insidious.exe"
        51⤵
        
        PID:4888
        
        C:\Users\Admin\AppData\Local\Temp\incognito.exe
        
        "C:\Users\Admin\AppData\Local\Temp\incognito.exe"
        51⤵
        
        PID:4700
        
        C:\Users\Admin\AppData\Local\Temp\Insidious.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Insidious.exe"
        52⤵
        
        PID:1792
        
        C:\Users\Admin\AppData\Local\Temp\incognito.exe
        
        "C:\Users\Admin\AppData\Local\Temp\incognito.exe"
        52⤵
        
        PID:228
        
        C:\Users\Admin\AppData\Local\Temp\Insidious.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Insidious.exe"
        53⤵
        
        PID:908
        
        C:\Users\Admin\AppData\Local\Temp\incognito.exe
        
        "C:\Users\Admin\AppData\Local\Temp\incognito.exe"
        53⤵
        
        PID:760
        
        C:\Users\Admin\AppData\Local\Temp\Insidious.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Insidious.exe"
        54⤵
        
        PID:3356
        
        C:\Users\Admin\AppData\Local\Temp\incognito.exe
        
        "C:\Users\Admin\AppData\Local\Temp\incognito.exe"
        54⤵
        
        PID:3192
        
        C:\Users\Admin\AppData\Local\Temp\Insidious.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Insidious.exe"
        55⤵
        
        PID:2768
        
        C:\Users\Admin\AppData\Local\Temp\incognito.exe
        
        "C:\Users\Admin\AppData\Local\Temp\incognito.exe"
        55⤵
        
        PID:4444
        
        C:\Users\Admin\AppData\Local\Temp\Insidious.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Insidious.exe"
        56⤵
        
        PID:976
        
        C:\Users\Admin\AppData\Local\Temp\incognito.exe
        
        "C:\Users\Admin\AppData\Local\Temp\incognito.exe"
        56⤵
        
        PID:5000
        
        C:\Users\Admin\AppData\Local\Temp\Insidious.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Insidious.exe"
        57⤵
        
        PID:4580
        
        C:\Users\Admin\AppData\Local\Temp\incognito.exe
        
        "C:\Users\Admin\AppData\Local\Temp\incognito.exe"
        57⤵
        
        PID:3408
        
        C:\Users\Admin\AppData\Local\Temp\Insidious.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Insidious.exe"
        58⤵
        
        PID:2760
        
        C:\Users\Admin\AppData\Local\Temp\incognito.exe
        
        "C:\Users\Admin\AppData\Local\Temp\incognito.exe"
        58⤵
        
        PID:4440
        
        C:\Users\Admin\AppData\Local\Temp\Insidious.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Insidious.exe"
        59⤵
        
        PID:1148
        
        C:\Users\Admin\AppData\Local\Temp\incognito.exe
        
        "C:\Users\Admin\AppData\Local\Temp\incognito.exe"
        59⤵
        
        PID:2236
        
        C:\Users\Admin\AppData\Local\Temp\Insidious.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Insidious.exe"
        60⤵
        
        PID:1908
        
        C:\Users\Admin\AppData\Local\Temp\incognito.exe
        
        "C:\Users\Admin\AppData\Local\Temp\incognito.exe"
        60⤵
        
        PID:1816
        
        C:\Users\Admin\AppData\Local\Temp\Insidious.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Insidious.exe"
        61⤵
        
        PID:4232
        
        C:\Users\Admin\AppData\Local\Temp\incognito.exe
        
        "C:\Users\Admin\AppData\Local\Temp\incognito.exe"
        61⤵
        
        PID:1492
        
        C:\Users\Admin\AppData\Local\Temp\Insidious.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Insidious.exe"
        62⤵
        
        PID:4932
        
        C:\Users\Admin\AppData\Local\Temp\incognito.exe
        
        "C:\Users\Admin\AppData\Local\Temp\incognito.exe"
        62⤵
        
        PID:748
        
        C:\Users\Admin\AppData\Local\Temp\Insidious.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Insidious.exe"
        63⤵
        
        PID:4108
        
        C:\Users\Admin\AppData\Local\Temp\incognito.exe
        
        "C:\Users\Admin\AppData\Local\Temp\incognito.exe"
        63⤵
        
        PID:4348
        
        C:\Users\Admin\AppData\Local\Temp\Insidious.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Insidious.exe"
        64⤵
        
        PID:468
        
        C:\Users\Admin\AppData\Local\Temp\incognito.exe
        
        "C:\Users\Admin\AppData\Local\Temp\incognito.exe"
        64⤵
        
        PID:4316
        
        C:\Users\Admin\AppData\Local\Temp\Insidious.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Insidious.exe"
        65⤵
        
        PID:4440
        
        C:\Users\Admin\AppData\Local\Temp\incognito.exe
        
        "C:\Users\Admin\AppData\Local\Temp\incognito.exe"
        65⤵
        
        PID:2632
        
        C:\Users\Admin\AppData\Local\Temp\Insidious.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Insidious.exe"
        66⤵
        
        PID:2136
        
        C:\Users\Admin\AppData\Local\Temp\incognito.exe
        
        "C:\Users\Admin\AppData\Local\Temp\incognito.exe"
        66⤵
        
        PID:4732
        
        C:\Users\Admin\AppData\Local\Temp\Insidious.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Insidious.exe"
        67⤵
        
        PID:5028
        
        C:\Users\Admin\AppData\Local\Temp\incognito.exe
        
        "C:\Users\Admin\AppData\Local\Temp\incognito.exe"
        67⤵
        
        PID:2076
        
        C:\Users\Admin\AppData\Local\Temp\Insidious.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Insidious.exe"
        68⤵
        
        PID:1932
        
        C:\Users\Admin\AppData\Local\Temp\incognito.exe
        
        "C:\Users\Admin\AppData\Local\Temp\incognito.exe"
        68⤵
        
        PID:748
        
        C:\Users\Admin\AppData\Local\Temp\Insidious.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Insidious.exe"
        69⤵
        
        PID:4444
        
        C:\Users\Admin\AppData\Local\Temp\incognito.exe
        
        "C:\Users\Admin\AppData\Local\Temp\incognito.exe"
        69⤵
        
        PID:4180
        
        C:\Users\Admin\AppData\Local\Temp\Insidious.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Insidious.exe"
        70⤵
        
        PID:2760
        
        C:\Users\Admin\AppData\Local\Temp\incognito.exe
        
        "C:\Users\Admin\AppData\Local\Temp\incognito.exe"
        70⤵
        
        PID:2260
        
        C:\Users\Admin\AppData\Local\Temp\Insidious.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Insidious.exe"
        71⤵
        
        PID:2976
        
        C:\Users\Admin\AppData\Local\Temp\incognito.exe
        
        "C:\Users\Admin\AppData\Local\Temp\incognito.exe"
        71⤵
        
        PID:3348
        
        C:\Users\Admin\AppData\Local\Temp\Insidious.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Insidious.exe"
        72⤵
        
        PID:2924
        
        C:\Users\Admin\AppData\Local\Temp\incognito.exe
        
        "C:\Users\Admin\AppData\Local\Temp\incognito.exe"
        72⤵
        
        PID:1228
        
        C:\Users\Admin\AppData\Local\Temp\Insidious.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Insidious.exe"
        73⤵
        
        PID:4732
        
        C:\Users\Admin\AppData\Local\Temp\incognito.exe
        
        "C:\Users\Admin\AppData\Local\Temp\incognito.exe"
        73⤵
        
        PID:3452
        
        C:\Users\Admin\AppData\Local\Temp\Insidious.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Insidious.exe"
        74⤵
        
        PID:1160
        
        C:\Users\Admin\AppData\Local\Temp\incognito.exe
        
        "C:\Users\Admin\AppData\Local\Temp\incognito.exe"
        74⤵
        
        PID:4144
        
        C:\Users\Admin\AppData\Local\Temp\Insidious.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Insidious.exe"
        75⤵
        
        PID:4608
        
        C:\Users\Admin\AppData\Local\Temp\incognito.exe
        
        "C:\Users\Admin\AppData\Local\Temp\incognito.exe"
        75⤵
        
        PID:4056
        
        C:\Users\Admin\AppData\Local\Temp\Insidious.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Insidious.exe"
        76⤵
        
        PID:4460
        
        C:\Users\Admin\AppData\Local\Temp\incognito.exe
        
        "C:\Users\Admin\AppData\Local\Temp\incognito.exe"
        76⤵
        
        PID:1416
        
        C:\Users\Admin\AppData\Local\Temp\Insidious.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Insidious.exe"
        77⤵
        
        PID:2760
        
        C:\Users\Admin\AppData\Local\Temp\incognito.exe
        
        "C:\Users\Admin\AppData\Local\Temp\incognito.exe"
        77⤵
        
        PID:1856
        
        C:\Users\Admin\AppData\Local\Temp\Insidious.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Insidious.exe"
        78⤵
        
        PID:1220
        
        C:\Users\Admin\AppData\Local\Temp\incognito.exe
        
        "C:\Users\Admin\AppData\Local\Temp\incognito.exe"
        78⤵
        
        PID:1508
        
        C:\Users\Admin\AppData\Local\Temp\Insidious.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Insidious.exe"
        79⤵
        
        PID:1816
        
        C:\Users\Admin\AppData\Local\Temp\incognito.exe
        
        "C:\Users\Admin\AppData\Local\Temp\incognito.exe"
        79⤵
        
        PID:4316
        
        C:\Users\Admin\AppData\Local\Temp\Insidious.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Insidious.exe"
        80⤵
        
        PID:704
        
        C:\Users\Admin\AppData\Local\Temp\incognito.exe
        
        "C:\Users\Admin\AppData\Local\Temp\incognito.exe"
        80⤵
        
        PID:224
        
        C:\Users\Admin\AppData\Local\Temp\Insidious.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Insidious.exe"
        81⤵
        
        PID:3960
        
        C:\Users\Admin\AppData\Local\Temp\incognito.exe
        
        "C:\Users\Admin\AppData\Local\Temp\incognito.exe"
        81⤵
        
        PID:2784
        
        C:\Users\Admin\AppData\Local\Temp\Insidious.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Insidious.exe"
        82⤵
        
        PID:4856
        
        C:\Users\Admin\AppData\Local\Temp\incognito.exe
        
        "C:\Users\Admin\AppData\Local\Temp\incognito.exe"
        82⤵
        
        PID:3288
        
        C:\Users\Admin\AppData\Local\Temp\Insidious.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Insidious.exe"
        83⤵
        
        PID:748
        
        C:\Users\Admin\AppData\Local\Temp\incognito.exe
        
        "C:\Users\Admin\AppData\Local\Temp\incognito.exe"
        83⤵
        
        PID:1160
        
        C:\Users\Admin\AppData\Local\Temp\Insidious.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Insidious.exe"
        84⤵
        
        PID:1080
        
        C:\Users\Admin\AppData\Local\Temp\incognito.exe
        
        "C:\Users\Admin\AppData\Local\Temp\incognito.exe"
        84⤵
        
        PID:3996
        
        C:\Users\Admin\AppData\Local\Temp\Insidious.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Insidious.exe"
        85⤵
        
        PID:2136
        
        C:\Users\Admin\AppData\Local\Temp\incognito.exe
        
        "C:\Users\Admin\AppData\Local\Temp\incognito.exe"
        85⤵
        
        PID:1304
        
        C:\Users\Admin\AppData\Local\Temp\Insidious.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Insidious.exe"
        86⤵
        
        PID:3624
        
        C:\Users\Admin\AppData\Local\Temp\incognito.exe
        
        "C:\Users\Admin\AppData\Local\Temp\incognito.exe"
        86⤵
        
        PID:4316
        
        C:\Users\Admin\AppData\Local\Temp\Insidious.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Insidious.exe"
        87⤵
        
        PID:3512
        
        C:\Users\Admin\AppData\Local\Temp\incognito.exe
        
        "C:\Users\Admin\AppData\Local\Temp\incognito.exe"
        87⤵
        
        PID:1368
        
        C:\Users\Admin\AppData\Local\Temp\Insidious.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Insidious.exe"
        88⤵
        
        PID:4444
        
        C:\Users\Admin\AppData\Local\Temp\incognito.exe
        
        "C:\Users\Admin\AppData\Local\Temp\incognito.exe"
        88⤵
        
        PID:2580
        
        C:\Users\Admin\AppData\Local\Temp\Insidious.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Insidious.exe"
        89⤵
        
        PID:3692
        
        C:\Users\Admin\AppData\Local\Temp\incognito.exe
        
        "C:\Users\Admin\AppData\Local\Temp\incognito.exe"
        89⤵
        
        PID:1556
        
        C:\Users\Admin\AppData\Local\Temp\Insidious.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Insidious.exe"
        90⤵
        
        PID:2120
        
        C:\Users\Admin\AppData\Local\Temp\incognito.exe
        
        "C:\Users\Admin\AppData\Local\Temp\incognito.exe"
        90⤵
        
        PID:2932
        
        C:\Users\Admin\AppData\Local\Temp\Insidious.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Insidious.exe"
        91⤵
        
        PID:1072
        
        C:\Users\Admin\AppData\Local\Temp\incognito.exe
        
        "C:\Users\Admin\AppData\Local\Temp\incognito.exe"
        91⤵
        
        PID:1796
        
        C:\Users\Admin\AppData\Local\Temp\Insidious.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Insidious.exe"
        92⤵
        
        PID:2760
        
        C:\Users\Admin\AppData\Local\Temp\incognito.exe
        
        "C:\Users\Admin\AppData\Local\Temp\incognito.exe"
        92⤵
        
        PID:3968
        
        C:\Users\Admin\AppData\Local\Temp\Insidious.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Insidious.exe"
        93⤵
        
        PID:2624
        
        C:\Users\Admin\AppData\Local\Temp\incognito.exe
        
        "C:\Users\Admin\AppData\Local\Temp\incognito.exe"
        93⤵
        
        PID:4592
        
        C:\Users\Admin\AppData\Local\Temp\Insidious.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Insidious.exe"
        94⤵
        
        PID:5052
        
        C:\Users\Admin\AppData\Local\Temp\incognito.exe
        
        "C:\Users\Admin\AppData\Local\Temp\incognito.exe"
        94⤵
        
        PID:744
        
        C:\Users\Admin\AppData\Local\Temp\Insidious.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Insidious.exe"
        95⤵
        
        PID:4780
        
        C:\Users\Admin\AppData\Local\Temp\incognito.exe
        
        "C:\Users\Admin\AppData\Local\Temp\incognito.exe"
        95⤵
        
        PID:4848
        
        C:\Users\Admin\AppData\Local\Temp\Insidious.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Insidious.exe"
        96⤵
        
        PID:2320
        
        C:\Users\Admin\AppData\Local\Temp\incognito.exe
        
        "C:\Users\Admin\AppData\Local\Temp\incognito.exe"
        96⤵
        
        PID:4356
        
        C:\Users\Admin\AppData\Local\Temp\Insidious.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Insidious.exe"
        97⤵
        
        PID:1724
        
        C:\Users\Admin\AppData\Local\Temp\incognito.exe
        
        "C:\Users\Admin\AppData\Local\Temp\incognito.exe"
        97⤵
        
        PID:1976
        
        C:\Users\Admin\AppData\Local\Temp\Insidious.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Insidious.exe"
        98⤵
        
        PID:748
        
        C:\Users\Admin\AppData\Local\Temp\incognito.exe
        
        "C:\Users\Admin\AppData\Local\Temp\incognito.exe"
        98⤵
        
        PID:4144
        
        C:\Users\Admin\AppData\Local\Temp\Insidious.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Insidious.exe"
        99⤵
        
        PID:1076
        
        C:\Users\Admin\AppData\Local\Temp\incognito.exe
        
        "C:\Users\Admin\AppData\Local\Temp\incognito.exe"
        99⤵
        
        PID:4784
        
        C:\Users\Admin\AppData\Local\Temp\Insidious.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Insidious.exe"
        100⤵
        
        PID:728
        
        C:\Users\Admin\AppData\Local\Temp\incognito.exe
        
        "C:\Users\Admin\AppData\Local\Temp\incognito.exe"
        100⤵
        
        PID:808
        
        C:\Users\Admin\AppData\Local\Temp\Insidious.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Insidious.exe"
        101⤵
        
        PID:4348
        
        C:\Users\Admin\AppData\Local\Temp\incognito.exe
        
        "C:\Users\Admin\AppData\Local\Temp\incognito.exe"
        101⤵
        
        PID:5048
        
        C:\Users\Admin\AppData\Local\Temp\Insidious.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Insidious.exe"
        102⤵
        
        PID:4152
        
        C:\Users\Admin\AppData\Local\Temp\incognito.exe
        
        "C:\Users\Admin\AppData\Local\Temp\incognito.exe"
        102⤵
        
        PID:4468
        
        C:\Users\Admin\AppData\Local\Temp\Insidious.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Insidious.exe"
        103⤵
        
        PID:4828
        
        C:\Users\Admin\AppData\Local\Temp\incognito.exe
        
        "C:\Users\Admin\AppData\Local\Temp\incognito.exe"
        103⤵
        
        PID:1664
        
        C:\Users\Admin\AppData\Local\Temp\Insidious.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Insidious.exe"
        104⤵
        
        PID:376
        
        C:\Users\Admin\AppData\Local\Temp\incognito.exe
        
        "C:\Users\Admin\AppData\Local\Temp\incognito.exe"
        104⤵
        
        PID:4560
        
        C:\Users\Admin\AppData\Local\Temp\Insidious.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Insidious.exe"
        105⤵
        
        PID:1376
        
        C:\Users\Admin\AppData\Local\Temp\incognito.exe
        
        "C:\Users\Admin\AppData\Local\Temp\incognito.exe"
        105⤵
        
        PID:2328
        
        C:\Users\Admin\AppData\Local\Temp\Insidious.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Insidious.exe"
        106⤵
        
        PID:1796
        
        C:\Users\Admin\AppData\Local\Temp\incognito.exe
        
        "C:\Users\Admin\AppData\Local\Temp\incognito.exe"
        106⤵
        
        PID:3596
        
        C:\Users\Admin\AppData\Local\Temp\Insidious.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Insidious.exe"
        107⤵
        
        PID:4600
        
        C:\Users\Admin\AppData\Local\Temp\incognito.exe
        
        "C:\Users\Admin\AppData\Local\Temp\incognito.exe"
        107⤵
        
        PID:4060
        
        C:\Users\Admin\AppData\Local\Temp\Insidious.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Insidious.exe"
        108⤵
        
        PID:4800
        
        C:\Users\Admin\AppData\Local\Temp\incognito.exe
        
        "C:\Users\Admin\AppData\Local\Temp\incognito.exe"
        108⤵
        
        PID:2320
        
        C:\Users\Admin\AppData\Local\Temp\Insidious.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Insidious.exe"
        109⤵
        
        PID:3192
        
        C:\Users\Admin\AppData\Local\Temp\incognito.exe
        
        "C:\Users\Admin\AppData\Local\Temp\incognito.exe"
        109⤵
        
        PID:2148
        
        C:\Users\Admin\AppData\Local\Temp\Insidious.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Insidious.exe"
        110⤵
        
        PID:2316
        
        C:\Users\Admin\AppData\Local\Temp\incognito.exe
        
        "C:\Users\Admin\AppData\Local\Temp\incognito.exe"
        110⤵
        
        PID:2692
        
        C:\Users\Admin\AppData\Local\Temp\Insidious.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Insidious.exe"
        111⤵
        
        PID:3948
        
        C:\Users\Admin\AppData\Local\Temp\incognito.exe
        
        "C:\Users\Admin\AppData\Local\Temp\incognito.exe"
        111⤵
        
        PID:3452
        
        C:\Users\Admin\AppData\Local\Temp\Insidious.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Insidious.exe"
        112⤵
        
        PID:1368
        
        C:\Users\Admin\AppData\Local\Temp\incognito.exe
        
        "C:\Users\Admin\AppData\Local\Temp\incognito.exe"
        112⤵
        
        PID:4388
        
        C:\Users\Admin\AppData\Local\Temp\Insidious.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Insidious.exe"
        113⤵
        
        PID:4708
        
        C:\Users\Admin\AppData\Local\Temp\incognito.exe
        
        "C:\Users\Admin\AppData\Local\Temp\incognito.exe"
        113⤵
        
        PID:1628
        
        C:\Users\Admin\AppData\Local\Temp\Insidious.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Insidious.exe"
        114⤵
        
        PID:4424
        
        C:\Users\Admin\AppData\Local\Temp\incognito.exe
        
        "C:\Users\Admin\AppData\Local\Temp\incognito.exe"
        114⤵
        
        PID:1716
        
        C:\Users\Admin\AppData\Local\Temp\Insidious.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Insidious.exe"
        115⤵
        
        PID:908
        
        C:\Users\Admin\AppData\Local\Temp\incognito.exe
        
        "C:\Users\Admin\AppData\Local\Temp\incognito.exe"
        115⤵
        
        PID:3464

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\44\Browsers\Firefox\Bookmarks.txt

Filesize
1KB

MD5
d106852e53b47ea4d196b2b039cab220

SHA1
6f823c8fb0726f5fb8de8a09ce6d3d83cf4344dd

SHA256
92194170b194459d26e0681643a35889498325d729ac45f270b06cd293f226b0

SHA512
5782ebf2badd9c7d2ff5e1b709347eabd501ca208a2df9b96f8b4db0fac153b773936b6a969be850d5f1e1d24d67b8b9b51e10634b1c6311df088c94a1c9deba

Download Submit
C:\Users\Admin\AppData\Local\44\Browsers\Firefox\Bookmarks.txt

Filesize
1KB

MD5
4107ffaf4b709be5cf8a11450c81592d

SHA1
de486ec6c1ffe190f64a70ae1529386a8f3d9330

SHA256
c2cc39aa9cc8ce25901e7b53d60a07be8d56da437b1f0979ccd9401e7d864d0e

SHA512
1b9c733c3fe82c72365fa2f766f4377519b84d39c6e0755469a455c89283eb055fb28b258e7a7aa505c99907741ebcae07f41ea21ec137cdf21c5202709e6afe

Download Submit
C:\Users\Admin\AppData\Local\44\Browsers\Firefox\Bookmarks.txt

Filesize
1KB

MD5
5e17952c7bd468d18166766627280f58

SHA1
085c6dc19b55b8ae74296254edb02db8a9cc4eda

SHA256
a0d6780baba4f269bb0df730b28680914e80f700ca540afbf0a9854e530d7b32

SHA512
52da0d3b495c8b519f50e38a9e6cdfbab2d8a5c77a6e27c546187760eefc82f6c5543e224fd9334f607233745de615d4fcc1dd16b0a9ed95b40ee3301bda4c04

Download Submit
C:\Users\Admin\AppData\Local\44\Browsers\Firefox\Bookmarks.txt

Filesize
1KB

MD5
cd1bd3272fe66d140f94b1adbc0ea7ad

SHA1
3d5ba7c9fb1953bba5119d3d9aee927335b1b618

SHA256
cb15a951428ea890736c25f4a92d59ac94b579bc4a83e38eb9ab927ad4f28912

SHA512
b3dad29a6a3cf033e0528431bc79cd5ab58fa14a836dcb5da42d961717155c712929a6d4778834c1f85224abd93631e6692ba4b0079942100f8cd8b5b83537ec

Download Submit
C:\Users\Admin\AppData\Local\44\Browsers\Firefox\Bookmarks.txt

Filesize
1KB

MD5
9d91b6bcf99eac841fbf4642a6f373a2

SHA1
37b7241a872e1a86cd398b904ccfceb2adb5ca38

SHA256
969b6ea9d96820f9f50eb57e1cdc94f0769f114f8748488b616085b84f5ebd21

SHA512
c11c0669b7065813c8be6271f5423fa072ded05763aff32d8334291d55ef4c1434095386658b0723003cdd1fe2c703495612cc3ccab1f9eb63840060503240e6

Download Submit
C:\Users\Admin\AppData\Local\44\Browsers\Firefox\Bookmarks.txt

Filesize
210B

MD5
1267f4be35fbe5510886cf08ddee9fdd

SHA1
04e714a1c8a9d76e860c7cbbe7ebf62c71dea6b9

SHA256
ab038447adbfd1faf46f0d3bf6dc387621dc8435ab552696ec8d9bbe7a6a9ab3

SHA512
6f1bc0ad9eb850f37cddc2422e738f0cbbfe8a7a7e064c0c989cafbf0f7d5ae5bdfced4b3f93952688de3bfa338ff5a8c7258aff8397cdaccb36b23b5d16686b

Download Submit
C:\Users\Admin\AppData\Local\44\Browsers\Firefox\Bookmarks.txt

Filesize
315B

MD5
71227f862899452aa270d580a8b090c8

SHA1
13a6dc9506be2066777ec34acbe5ab62684c4929

SHA256
22e5316f3216208507c8ae67cbb2a90cfcf4389dae87f8f71c3388593eca57c1

SHA512
126c549e82d679bb9d3e229b09c3dded86b72aa5a98cb956a0d2a740ca43a4da14049134c3836c49ef50e76bb0a69fe158bb776a4c86a7e7b04893ced8ba5b5a

Download Submit
C:\Users\Admin\AppData\Local\44\Browsers\Firefox\Bookmarks.txt

Filesize
420B

MD5
01735e34db13c5f93eead0f8572adb67

SHA1
5b819f76344907d93f62ecd11e2a2cbd514bee2f

SHA256
bca74f82c72da083cf88a725f198e0730982595bfa6a137e46d0b77b81552f4d

SHA512
e833925ccd15947e9234b72cf06e2620b3d982dd4840e5c5cae31634f437702b10c29db85fbb5115490f1d72f4bb5b935815fb14f6221ace756216604101924c

Download Submit
C:\Users\Admin\AppData\Local\44\Browsers\Firefox\Bookmarks.txt

Filesize
525B

MD5
74d90dd5a73f1679bd73fdce50983c50

SHA1
6f374995ce4842a9f07fc1a935833003066820bb

SHA256
da34d9a479cfcc31980c9be0a13eb90defa37ec3438f114f03f12649a415cfb9

SHA512
ad173b782022b72727c9a1d66aa7509ac316450d18561b018ddf563fe921636ea32d9615019ee0fb3be7a8b781154c5e09f6916547bbb7ab4484d3fea509b95f

Download Submit
C:\Users\Admin\AppData\Local\44\Browsers\Firefox\Bookmarks.txt

Filesize
630B

MD5
aef24d8d3c507674cea8b016e2f4e6a3

SHA1
411eb0cddf04fa969a50736544ac4a6a9a545b80

SHA256
0fe82ba06f72db753abdf7a51b016bb6ccb880deb1850f56c921264fb2d419da

SHA512
33904ba625025eb67370ac60d07a2150cb3e4228867716f109e7fb9a470e71987178f1aa209eac6de20734e4e41fbb336c0e9671b4397dab90edc2d6c41b883f

Download Submit
C:\Users\Admin\AppData\Local\44\Browsers\Firefox\Bookmarks.txt

Filesize
735B

MD5
fc161acb0edaa484d705d83835de0e24

SHA1
00850bbea1ef2db2a16dbb4427822bffbb173d54

SHA256
6f355f6b050ea450b7f36f8c66121c77fbd5fbf62fba28a5c3305e37977342be

SHA512
fdccf446d488e5561c71096e00200d384c7870d546433b8dffea7bad1807cc14a98bc6837dd10e12e8fbf70482cce8cf15b02062bbd1bd39dfc416dc67381a0e

Download Submit
C:\Users\Admin\AppData\Local\44\Browsers\Firefox\Bookmarks.txt

Filesize
840B

MD5
971ecc731c37e087eb498ad9b32176be

SHA1
4cc4e656576649b880d8955aa10dbba5d3a22595

SHA256
8904b66dd1f6bb95359c7d548e269fc6fdfa2ed14c5290d71e116b83ca378286

SHA512
795063bb46a87bb10e4a5946c09458b9b12945c44d646cdacef484d21665ab2d09215d842be5569d5af218021537c1c7bf8c744ed52d9e171668ab84ea2e0bf9

Download Submit
C:\Users\Admin\AppData\Local\44\Browsers\Firefox\Bookmarks.txt

Filesize
945B

MD5
8dd9900279fe6486c0537d9034dd697e

SHA1
d87b27950310c9aead27186efd38f06d2969c0b9

SHA256
634774b203d06dc004ce949e1f9477d27245a8e41a394ada4658dea906161607

SHA512
3ca58bf2f1cb1577c30f62a2d9e4d393ef9f33b94c74ccd8634e39902b229067455a9b2010dfde4341a2607160bfb1733fb166bf2976606db60cc72860b89ed6

Download Submit
C:\Users\Admin\AppData\Local\44\Browsers\Firefox\Bookmarks.txt

Filesize
1KB

MD5
465293bdf31a52c688ae052238ccd304

SHA1
e444f2f05f4c2fb491b3172a079c2fcd79ce09da

SHA256
236b2f8dc79fac9226c8924a41497dbb08c07b4db6f0499073ef165253c5a1d2

SHA512
64b82fb47e8e87e8afaa06ca1c88abd38266a9fbb23fda1e104ee467762ea33ddda2ec739ed899db8e81e919698d56ce3d483d975a1318447b88c4378c271f1b

Download Submit
C:\Users\Admin\AppData\Local\44\Browsers\Firefox\Bookmarks.txt

Filesize
1KB

MD5
e942bc6e31dbc18ed9253e78ac5fb486

SHA1
0daa1675a02537b2944460a5fe5a923bb760e14d

SHA256
80895a5b17b47415fc582408d297c2b9a78d31a22642f0e4b1fd055bfabeb4b1

SHA512
711a8e757a9de1019468045cd14b55b10755853de65d936c7b402bbb76ce3d0ece184e0854a9a315476d753c95f27e5765f856d0b51ebe4523edcac8230ca7a9

Download Submit
C:\Users\Admin\AppData\Local\44\Browsers\Firefox\Bookmarks.txt

Filesize
1KB

MD5
2ea3f735a3ea89864ae78f439686a1e0

SHA1
41579eed69f5bc48e999694fedc461973be221fb

SHA256
391b224dc58b70c4be6a28c5af7779b3638026bdbf9a4713e238d5e2247d464e

SHA512
8cdd93dfc93402b068c9c40f324a0088044fea771554dccbb854ff989d3ae8a44e9dd7532e00f0580c54d48cb285a339d1b90a0d302b6cfabd47e857081a100b

Download Submit
C:\Users\Admin\AppData\Local\44\Browsers\Firefox\Bookmarks.txt

Filesize
1KB

MD5
dd4e699dd580386660a90219c0248369

SHA1
8cb8ee444c9779be940b1b4315493663dd426c26

SHA256
f623b988da163271b6443a651ecf8555819665ccebe91c68769d2e1d6c99e9b1

SHA512
b01308a04a037485afc193ac72403f4b0884cb8b8bfe0cc53f6a32d407e31305cb388e668f587b3058869ae573e5746bf3977f53383959995b7665065d98773f

Download Submit
C:\Users\Admin\AppData\Local\44\Browsers\Firefox\Bookmarks.txt

Filesize
105B

MD5
2e9d094dda5cdc3ce6519f75943a4ff4

SHA1
5d989b4ac8b699781681fe75ed9ef98191a5096c

SHA256
c84c98bbf5e0ef9c8d0708b5d60c5bb656b7d6be5135d7f7a8d25557e08cf142

SHA512
d1f7eed00959e902bdb2125b91721460d3ff99f3bdfc1f2a343d4f58e8d4e5e5a06c0c6cdc0379211c94510f7c00d7a8b34fa7d0ca0c3d54cbbe878f1e9812b7

Download Submit
C:\Users\Admin\AppData\Local\44\Browsers\Firefox\Bookmarks.txt

Filesize
1KB

MD5
2e3eb8df657f151f4320fd9c46de39a8

SHA1
a14b219af6665844e62039d9b9066b4d142e24c9

SHA256
53588399e86c6300ab4c65b0b909224b528dad507c39386b4b886525a1bf81f8

SHA512
ecc8a5d81af26f2c5f07210e06128088f8033e625695a75d1871555a3215785f168bcd9df580dea92856cbd4d3339251a7a07a3fb0ea5d028b18eab8902964ea

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\Insidious.exe.log

Filesize
422B

MD5
6b273e0cbcea417b261afe54d2c7a997

SHA1
caaae505b76884ba95b2465c95c1a47144ecaf8f

SHA256
5e96a6e6a2e5a7216941871f67b8e683b9eea2be80d66d7542b65a6491ba5480

SHA512
968d8a83c63c3029a122e9fc647663f5af261e12a7b23164ed514600174befad6ec3e3767de71607062c9dc37e2968a991b55fa76e35064c3819f960fb7ba196

Download Submit
C:\Users\Admin\AppData\Local\Temp\Insidious.exe

Filesize
303KB

MD5
322f8b7008ed4457f45940ed469d62f7

SHA1
06abe0b813b136fb2e62a660be349d206c8fbc05

SHA256
af6f00b5151639a898102be5e0f3ce8cfb9e5e54019ebe2a7c9c61f72b612139

SHA512
fc94e2fd700fbea5ffcadaf00e33f79b8ffc565b34b7b9d7494437ce7b9b06bd1b994daf6db74093a0487200e5195a5622d73e410b8dd9bac9880abfcb9a7112

Download Submit
C:\Users\Admin\AppData\Local\Temp\incognito\incognito\workspace\.tests\isfile.txt

Filesize
7B

MD5
260ca9dd8a4577fc00b7bd5810298076

SHA1
53a5687cb26dc41f2ab4033e97e13adefd3740d6

SHA256
aee408847d35e44e99430f0979c3357b85fe8dbb4535a494301198adbee85f27

SHA512
51e85deb51c2b909a21ec5b8e83b1cb28da258b1be227620105a345a2bd4c6aea549cd5429670f2df33324667b9f623a420b3a0bdbbd03ad48602211e75478a7

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp5853.tmp.dat

Filesize
100KB

MD5
78855c87b9d2682c8141f1afe227dd1d

SHA1
8b0bf8584c49cf70bebb1b289f765532eb0cb127

SHA256
c9217d14f586d9e694446bcf76f67442b2440af2a3bce5fa593194bcd314f4e0

SHA512
cb54bb1683f31ef4f5f4766745909a48dbf61cbbff409a3a596d8b71d65a9f879c47eb479c67e58dd3a05a0049d5bdbd4215242490a9f552ad131d5ef95975b4

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp5856.tmp.dat

Filesize
116KB

MD5
f70aa3fa04f0536280f872ad17973c3d

SHA1
50a7b889329a92de1b272d0ecf5fce87395d3123

SHA256
8d782aa65de6db3538a14da82216e96d5e0a3c60496726e3541a8165bccc65f8

SHA512
30675c5c610d9aa32a4c4a4d9c3af7570823cd197f8d2a709222c78e2cd15304bbed80e233e3674ec2f6e33d1961c67fd6a46dc8ba8b1a301cd0722932c03c84

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp5CF6.tmp.dat

Filesize
46KB

MD5
8f5942354d3809f865f9767eddf51314

SHA1
20be11c0d42fc0cef53931ea9152b55082d1a11e

SHA256
776ecf8411b1b0167bea724409ac9d3f8479973df223ecc6e60e3302b3b2b8ea

SHA512
fde8dfae8a862cf106b0cb55e02d73e4e4c0527c744c20886681245c8160287f722612a6de9d0046ed1156b1771229c8950b9ac036b39c988d75aa20b7bac218

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp5CF7.tmp.tmpdb

Filesize
5.0MB

MD5
8893dfa5ec4242a611d84e73ae9b1285

SHA1
db5c47e24f359fe7fbfa83cf2547ee7d4a78cb32

SHA256
631b7211917f7d40aff81bbe5cbb383c1570198fec51d29cabb827f006bd94ff

SHA512
ad1a66132aae4066649dc20e6ba046ee1dda3f2251052783ff39e0f7bee02c4c5d606a727c68a2ba58d309454e8ac91f96317d08b94fc4072891a3d979d415ef

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp5D2A.tmp.dat

Filesize
48KB

MD5
349e6eb110e34a08924d92f6b334801d

SHA1
bdfb289daff51890cc71697b6322aa4b35ec9169

SHA256
c9fd7be4579e4aa942e8c2b44ab10115fa6c2fe6afd0c584865413d9d53f3b2a

SHA512
2a635b815a5e117ea181ee79305ee1baf591459427acc5210d8c6c7e447be3513ead871c605eb3d32e4ab4111b2a335f26520d0ef8c1245a4af44e1faec44574

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp5D2B.tmp.dat

Filesize
20KB

MD5
49693267e0adbcd119f9f5e02adf3a80

SHA1
3ba3d7f89b8ad195ca82c92737e960e1f2b349df

SHA256
d76e7512e496b7c8d9fcd3010a55e2e566881dc6dacaf0343652a4915d47829f

SHA512
b4b9fcecf8d277bb0ccbb25e08f3559e3fc519d85d8761d8ad5bca983d04eb55a20d3b742b15b9b31a7c9187da40ad5c48baa7a54664cae4c40aa253165cbaa2

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp5D4B.tmp.tmpdb

Filesize
96KB

MD5
d367ddfda80fdcf578726bc3b0bc3e3c

SHA1
23fcd5e4e0e5e296bee7e5224a8404ecd92cf671

SHA256
0b8607fdf72f3e651a2a8b0ac7be171b4cb44909d76bb8d6c47393b8ea3d84a0

SHA512
40e9239e3f084b4b981431817ca282feb986cf49227911bf3d68845baf2ee626b564c8fabe6e13b97e6eb214da1c02ca09a62bcf5e837900160cf479c104bf77

Download Submit
memory/1368-83-0x00007FF917200000-0x00007FF917CC1000-memory.dmp

Filesize
10.8MB

Download
memory/1368-54-0x00007FF917200000-0x00007FF917CC1000-memory.dmp

Filesize
10.8MB

Download
memory/1368-46-0x000002EE645A0000-0x000002EE645F2000-memory.dmp

Filesize
328KB

Download
memory/1368-47-0x00007FF917203000-0x00007FF917205000-memory.dmp

Filesize
8KB

Download