418de2f427ca7bfcac69c9efd65d976ca0256aa56e501b1d77aac135d9dfb282

Analysis

max time kernel
150s
max time network
122s
platform
windows7_x64
resource
win7-20240705-en
resource tags

arch:x64arch:x86image:win7-20240705-enlocale:en-usos:windows7-x64system
submitted
07/08/2024, 21:06

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

418de2f427ca7bfcac69c9efd65d976ca0256aa56e501b1d77aac135d9dfb282.exe
Size

184KB
MD5

a7dc014e8c0270211a3815ed1bd794b9
SHA1

791e06a09f855927ca2e1f1e6ced7f522a766454
SHA256

418de2f427ca7bfcac69c9efd65d976ca0256aa56e501b1d77aac135d9dfb282
SHA512

dcf087955e1622638148ba7fc89e1cfca595cd01fcede9c0a1fc9e209600dad74e2f4fd988574384c6ac6e31ce6667c8c9338b64103fe3b067fa69878f0de8cf
SSDEEP

3072:eWH/U7ogV39ZwrTmeqMGrMivIpIpwW0gfU3J45EUSDpQlnVOF8:eW0oC6rTVG4ivISsJpQlnVOF

Score

7^/10

discovery

Malware Config

Signatures

Executes dropped EXE 64 IoCs

pid	Process
2780	Unicorn-17652.exe
2696	Unicorn-29110.exe
2600	Unicorn-34817.exe
2612	Unicorn-21025.exe
1812	Unicorn-46084.exe
1224	Unicorn-27055.exe
2660	Unicorn-14885.exe
1044	Unicorn-33360.exe
348	Unicorn-3188.exe
2308	Unicorn-29276.exe
2932	Unicorn-21662.exe
3036	Unicorn-24206.exe
2064	Unicorn-49457.exe
1328	Unicorn-48710.exe
1076	Unicorn-2202.exe
2016	Unicorn-56878.exe
608	Unicorn-36458.exe
1872	Unicorn-55487.exe
1540	Unicorn-9815.exe
1500	Unicorn-36697.exe
1492	Unicorn-50895.exe
1228	Unicorn-24999.exe
2336	Unicorn-59063.exe
2468	Unicorn-49504.exe
2040	Unicorn-12000.exe
2864	Unicorn-26967.exe
2028	Unicorn-45996.exe
2328	Unicorn-21491.exe
1704	Unicorn-2462.exe
1720	Unicorn-56302.exe
2720	Unicorn-45441.exe
2816	Unicorn-10630.exe
2636	Unicorn-28612.exe
288	Unicorn-49587.exe
2884	Unicorn-57200.exe
2380	Unicorn-2524.exe
296	Unicorn-65368.exe
2908	Unicorn-6629.exe
2788	Unicorn-5238.exe
2924	Unicorn-59914.exe
332	Unicorn-50163.exe
1768	Unicorn-16744.exe
2128	Unicorn-53692.exe
2136	Unicorn-29550.exe
2420	Unicorn-49416.exe
2020	Unicorn-14605.exe
2264	Unicorn-28996.exe
956	Unicorn-63806.exe
860	Unicorn-35026.exe
1760	Unicorn-15160.exe
2104	Unicorn-17874.exe
236	Unicorn-37740.exe
3048	Unicorn-5067.exe
2024	Unicorn-7760.exe
2080	Unicorn-23542.exe
2180	Unicorn-38316.exe
2852	Unicorn-26618.exe
2940	Unicorn-4574.exe
2184	Unicorn-55207.exe
2632	Unicorn-58736.exe
2904	Unicorn-45415.exe
536	Unicorn-56297.exe
2544	Unicorn-48684.exe
2292	Unicorn-22041.exe

Loads dropped DLL 64 IoCs

pid	Process
2304	418de2f427ca7bfcac69c9efd65d976ca0256aa56e501b1d77aac135d9dfb282.exe
2304	418de2f427ca7bfcac69c9efd65d976ca0256aa56e501b1d77aac135d9dfb282.exe
2780	Unicorn-17652.exe
2780	Unicorn-17652.exe
2304	418de2f427ca7bfcac69c9efd65d976ca0256aa56e501b1d77aac135d9dfb282.exe
2304	418de2f427ca7bfcac69c9efd65d976ca0256aa56e501b1d77aac135d9dfb282.exe
2696	Unicorn-29110.exe
2696	Unicorn-29110.exe
2780	Unicorn-17652.exe
2780	Unicorn-17652.exe
2600	Unicorn-34817.exe
2600	Unicorn-34817.exe
2928	WerFault.exe
2928	WerFault.exe
2928	WerFault.exe
2928	WerFault.exe
2928	WerFault.exe
2612	Unicorn-21025.exe
2612	Unicorn-21025.exe
1812	Unicorn-46084.exe
2696	Unicorn-29110.exe
2696	Unicorn-29110.exe
1812	Unicorn-46084.exe
1224	Unicorn-27055.exe
1224	Unicorn-27055.exe
2600	Unicorn-34817.exe
2600	Unicorn-34817.exe
1664	WerFault.exe
1664	WerFault.exe
1664	WerFault.exe
1664	WerFault.exe
1664	WerFault.exe
1836	WerFault.exe
1836	WerFault.exe
1836	WerFault.exe
1836	WerFault.exe
1836	WerFault.exe
2660	Unicorn-14885.exe
2660	Unicorn-14885.exe
2612	Unicorn-21025.exe
2612	Unicorn-21025.exe
1044	Unicorn-33360.exe
1044	Unicorn-33360.exe
1812	Unicorn-46084.exe
1812	Unicorn-46084.exe
348	Unicorn-3188.exe
348	Unicorn-3188.exe
2308	Unicorn-29276.exe
2308	Unicorn-29276.exe
1224	Unicorn-27055.exe
2932	Unicorn-21662.exe
1224	Unicorn-27055.exe
2932	Unicorn-21662.exe
2440	WerFault.exe
2440	WerFault.exe
2440	WerFault.exe
2440	WerFault.exe
2440	WerFault.exe
2448	WerFault.exe
2448	WerFault.exe
2448	WerFault.exe
2448	WerFault.exe
2448	WerFault.exe
1660	WerFault.exe

Program crash 64 IoCs

pid	pid_target	Process	procid_target
2736	2304	WerFault.exe	30
2928	2780	WerFault.exe	31
1664	2696	WerFault.exe	32
1836	2600	WerFault.exe	33
2440	2612	WerFault.exe	35
2448	1812	WerFault.exe	36
1660	1224	WerFault.exe	37
2700	2660	WerFault.exe	39
1980	1044	WerFault.exe	40
1828	348	WerFault.exe	41
2936	2308	WerFault.exe	42
2992	2932	WerFault.exe	43
1992	3036	WerFault.exe	46
2036	2064	WerFault.exe	47
2748	1328	WerFault.exe	48
2764	2016	WerFault.exe	50
2708	608	WerFault.exe	51
2572	1076	WerFault.exe	49
2964	1872	WerFault.exe	52
2624	1540	WerFault.exe	53
2084	1500	WerFault.exe	57
1824	1720	WerFault.exe	67
2272	2864	WerFault.exe	64
1276	1492	WerFault.exe	58
1544	2028	WerFault.exe	63
1508	2816	WerFault.exe	69
2812	1704	WerFault.exe	66
2528	332	WerFault.exe	83
2480	2884	WerFault.exe	76
1964	2020	WerFault.exe	88
1564	1228	WerFault.exe	59
3136	2468	WerFault.exe	61
3316	1768	WerFault.exe	84
3396	956	WerFault.exe	90
3460	2720	WerFault.exe	68
3524	2040	WerFault.exe	62
3532	2136	WerFault.exe	86
3540	2328	WerFault.exe	65
3548	1760	WerFault.exe	91
3556	236	WerFault.exe	94
3564	2336	WerFault.exe	60
3572	2128	WerFault.exe	85
3588	2024	WerFault.exe	99
3620	2924	WerFault.exe	82
3612	2420	WerFault.exe	87
3628	2080	WerFault.exe	100
3636	904	WerFault.exe	116
3648	2632	WerFault.exe	110
3664	3048	WerFault.exe	97
3656	296	WerFault.exe	79
3680	536	WerFault.exe	112
3672	288	WerFault.exe	73
3724	2904	WerFault.exe	111
3716	860	WerFault.exe	92
3700	2636	WerFault.exe	71
3740	1608	WerFault.exe	118
3748	2788	WerFault.exe	81
3692	2380	WerFault.exe	78
3100	2852	WerFault.exe	106
3084	2908	WerFault.exe	80
3160	2264	WerFault.exe	89
3132	1636	WerFault.exe	130
3164	2544	WerFault.exe	113
3172	2104	WerFault.exe	93

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Unicorn-37256.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Unicorn-42658.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Unicorn-21025.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Unicorn-45996.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Unicorn-29550.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Unicorn-49416.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Unicorn-47146.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Unicorn-53695.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Unicorn-49587.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Unicorn-50843.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Unicorn-18641.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Unicorn-44427.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Unicorn-53877.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Unicorn-29036.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Unicorn-21662.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Unicorn-4143.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Unicorn-57955.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Unicorn-2859.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Unicorn-1619.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Unicorn-10192.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Unicorn-56302.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Unicorn-45441.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Unicorn-15160.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Unicorn-48684.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Unicorn-15539.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Unicorn-29110.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Unicorn-10770.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Unicorn-47094.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Unicorn-4499.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Unicorn-11754.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Unicorn-45470.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Unicorn-27055.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Unicorn-29276.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Unicorn-6629.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Unicorn-55866.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Unicorn-19882.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Unicorn-46183.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Unicorn-43094.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Unicorn-56217.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Unicorn-40566.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Unicorn-63806.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Unicorn-37740.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Unicorn-52021.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Unicorn-28455.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Unicorn-12283.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Unicorn-607.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Unicorn-51983.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Unicorn-57925.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Unicorn-17936.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Unicorn-26967.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Unicorn-62289.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Unicorn-34324.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Unicorn-60665.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Unicorn-28996.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Unicorn-24583.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Unicorn-39928.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Unicorn-52414.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Unicorn-46140.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Unicorn-52597.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Unicorn-39420.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Unicorn-30047.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Unicorn-39305.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Unicorn-21641.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Unicorn-62346.exe

Suspicious use of SetWindowsHookEx 64 IoCs

pid	Process
2304	418de2f427ca7bfcac69c9efd65d976ca0256aa56e501b1d77aac135d9dfb282.exe
2780	Unicorn-17652.exe
2696	Unicorn-29110.exe
2600	Unicorn-34817.exe
2612	Unicorn-21025.exe
1812	Unicorn-46084.exe
1224	Unicorn-27055.exe
2660	Unicorn-14885.exe
1044	Unicorn-33360.exe
348	Unicorn-3188.exe
2308	Unicorn-29276.exe
2932	Unicorn-21662.exe
3036	Unicorn-24206.exe
2064	Unicorn-49457.exe
1328	Unicorn-48710.exe
1076	Unicorn-2202.exe
2016	Unicorn-56878.exe
608	Unicorn-36458.exe
1872	Unicorn-55487.exe
1540	Unicorn-9815.exe
1500	Unicorn-36697.exe
1492	Unicorn-50895.exe
1228	Unicorn-24999.exe
2336	Unicorn-59063.exe
2468	Unicorn-49504.exe
2040	Unicorn-12000.exe
2864	Unicorn-26967.exe
2028	Unicorn-45996.exe
2328	Unicorn-21491.exe
1704	Unicorn-2462.exe
1720	Unicorn-56302.exe
2816	Unicorn-10630.exe
2720	Unicorn-45441.exe
2636	Unicorn-28612.exe
288	Unicorn-49587.exe
2884	Unicorn-57200.exe
2380	Unicorn-2524.exe
296	Unicorn-65368.exe
2908	Unicorn-6629.exe
2788	Unicorn-5238.exe
2924	Unicorn-59914.exe
332	Unicorn-50163.exe
1768	Unicorn-16744.exe
2128	Unicorn-53692.exe
2136	Unicorn-29550.exe
2020	Unicorn-14605.exe
2264	Unicorn-28996.exe
2420	Unicorn-49416.exe
956	Unicorn-63806.exe
860	Unicorn-35026.exe
236	Unicorn-37740.exe
1760	Unicorn-15160.exe
2104	Unicorn-17874.exe
3048	Unicorn-5067.exe
2024	Unicorn-7760.exe
2080	Unicorn-23542.exe
2180	Unicorn-38316.exe
2852	Unicorn-26618.exe
2940	Unicorn-4574.exe
2184	Unicorn-55207.exe
2632	Unicorn-58736.exe
2904	Unicorn-45415.exe
536	Unicorn-56297.exe
2544	Unicorn-48684.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2304 wrote to memory of 2780	2304	418de2f427ca7bfcac69c9efd65d976ca0256aa56e501b1d77aac135d9dfb282.exe	31
PID 2304 wrote to memory of 2780	2304	418de2f427ca7bfcac69c9efd65d976ca0256aa56e501b1d77aac135d9dfb282.exe	31
PID 2304 wrote to memory of 2780	2304	418de2f427ca7bfcac69c9efd65d976ca0256aa56e501b1d77aac135d9dfb282.exe	31
PID 2304 wrote to memory of 2780	2304	418de2f427ca7bfcac69c9efd65d976ca0256aa56e501b1d77aac135d9dfb282.exe	31
PID 2780 wrote to memory of 2696	2780	Unicorn-17652.exe	32
PID 2780 wrote to memory of 2696	2780	Unicorn-17652.exe	32
PID 2780 wrote to memory of 2696	2780	Unicorn-17652.exe	32
PID 2780 wrote to memory of 2696	2780	Unicorn-17652.exe	32
PID 2304 wrote to memory of 2600	2304	418de2f427ca7bfcac69c9efd65d976ca0256aa56e501b1d77aac135d9dfb282.exe	33
PID 2304 wrote to memory of 2600	2304	418de2f427ca7bfcac69c9efd65d976ca0256aa56e501b1d77aac135d9dfb282.exe	33
PID 2304 wrote to memory of 2600	2304	418de2f427ca7bfcac69c9efd65d976ca0256aa56e501b1d77aac135d9dfb282.exe	33
PID 2304 wrote to memory of 2600	2304	418de2f427ca7bfcac69c9efd65d976ca0256aa56e501b1d77aac135d9dfb282.exe	33
PID 2304 wrote to memory of 2736	2304	418de2f427ca7bfcac69c9efd65d976ca0256aa56e501b1d77aac135d9dfb282.exe	34
PID 2304 wrote to memory of 2736	2304	418de2f427ca7bfcac69c9efd65d976ca0256aa56e501b1d77aac135d9dfb282.exe	34
PID 2304 wrote to memory of 2736	2304	418de2f427ca7bfcac69c9efd65d976ca0256aa56e501b1d77aac135d9dfb282.exe	34
PID 2304 wrote to memory of 2736	2304	418de2f427ca7bfcac69c9efd65d976ca0256aa56e501b1d77aac135d9dfb282.exe	34
PID 2696 wrote to memory of 2612	2696	Unicorn-29110.exe	35
PID 2696 wrote to memory of 2612	2696	Unicorn-29110.exe	35
PID 2696 wrote to memory of 2612	2696	Unicorn-29110.exe	35
PID 2696 wrote to memory of 2612	2696	Unicorn-29110.exe	35
PID 2780 wrote to memory of 1812	2780	Unicorn-17652.exe	36
PID 2780 wrote to memory of 1812	2780	Unicorn-17652.exe	36
PID 2780 wrote to memory of 1812	2780	Unicorn-17652.exe	36
PID 2780 wrote to memory of 1812	2780	Unicorn-17652.exe	36
PID 2600 wrote to memory of 1224	2600	Unicorn-34817.exe	37
PID 2600 wrote to memory of 1224	2600	Unicorn-34817.exe	37
PID 2600 wrote to memory of 1224	2600	Unicorn-34817.exe	37
PID 2600 wrote to memory of 1224	2600	Unicorn-34817.exe	37
PID 2780 wrote to memory of 2928	2780	Unicorn-17652.exe	38
PID 2780 wrote to memory of 2928	2780	Unicorn-17652.exe	38
PID 2780 wrote to memory of 2928	2780	Unicorn-17652.exe	38
PID 2780 wrote to memory of 2928	2780	Unicorn-17652.exe	38
PID 2612 wrote to memory of 2660	2612	Unicorn-21025.exe	39
PID 2612 wrote to memory of 2660	2612	Unicorn-21025.exe	39
PID 2612 wrote to memory of 2660	2612	Unicorn-21025.exe	39
PID 2612 wrote to memory of 2660	2612	Unicorn-21025.exe	39
PID 2696 wrote to memory of 348	2696	Unicorn-29110.exe	41
PID 2696 wrote to memory of 348	2696	Unicorn-29110.exe	41
PID 2696 wrote to memory of 348	2696	Unicorn-29110.exe	41
PID 2696 wrote to memory of 348	2696	Unicorn-29110.exe	41
PID 1812 wrote to memory of 1044	1812	Unicorn-46084.exe	40
PID 1812 wrote to memory of 1044	1812	Unicorn-46084.exe	40
PID 1812 wrote to memory of 1044	1812	Unicorn-46084.exe	40
PID 1812 wrote to memory of 1044	1812	Unicorn-46084.exe	40
PID 1224 wrote to memory of 2308	1224	Unicorn-27055.exe	42
PID 1224 wrote to memory of 2308	1224	Unicorn-27055.exe	42
PID 1224 wrote to memory of 2308	1224	Unicorn-27055.exe	42
PID 1224 wrote to memory of 2308	1224	Unicorn-27055.exe	42
PID 2600 wrote to memory of 2932	2600	Unicorn-34817.exe	43
PID 2600 wrote to memory of 2932	2600	Unicorn-34817.exe	43
PID 2600 wrote to memory of 2932	2600	Unicorn-34817.exe	43
PID 2600 wrote to memory of 2932	2600	Unicorn-34817.exe	43
PID 2696 wrote to memory of 1664	2696	Unicorn-29110.exe	44
PID 2696 wrote to memory of 1664	2696	Unicorn-29110.exe	44
PID 2696 wrote to memory of 1664	2696	Unicorn-29110.exe	44
PID 2696 wrote to memory of 1664	2696	Unicorn-29110.exe	44
PID 2600 wrote to memory of 1836	2600	Unicorn-34817.exe	45
PID 2600 wrote to memory of 1836	2600	Unicorn-34817.exe	45
PID 2600 wrote to memory of 1836	2600	Unicorn-34817.exe	45
PID 2600 wrote to memory of 1836	2600	Unicorn-34817.exe	45
PID 2660 wrote to memory of 3036	2660	Unicorn-14885.exe	46
PID 2660 wrote to memory of 3036	2660	Unicorn-14885.exe	46
PID 2660 wrote to memory of 3036	2660	Unicorn-14885.exe	46
PID 2660 wrote to memory of 3036	2660	Unicorn-14885.exe	46

C:\Users\Admin\AppData\Local\Temp\418de2f427ca7bfcac69c9efd65d976ca0256aa56e501b1d77aac135d9dfb282.exe
"C:\Users\Admin\AppData\Local\Temp\418de2f427ca7bfcac69c9efd65d976ca0256aa56e501b1d77aac135d9dfb282.exe"
1⤵
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2304
- C:\Users\Admin\AppData\Local\Temp\Unicorn-17652.exe
  C:\Users\Admin\AppData\Local\Temp\Unicorn-17652.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2780
- - C:\Users\Admin\AppData\Local\Temp\Unicorn-29110.exe
    C:\Users\Admin\AppData\Local\Temp\Unicorn-29110.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:2696
  - - C:\Users\Admin\AppData\Local\Temp\Unicorn-21025.exe
      C:\Users\Admin\AppData\Local\Temp\Unicorn-21025.exe
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      System Location Discovery: System Language Discovery
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:2612
    - - C:\Users\Admin\AppData\Local\Temp\Unicorn-14885.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-14885.exe
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:2660
      - C:\Users\Admin\AppData\Local\Temp\Unicorn-24206.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-24206.exe
        6⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:3036
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-36697.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-36697.exe
        7⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1500
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-28612.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-28612.exe
        8⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2636
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-5067.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-5067.exe
        9⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:3048
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-10770.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-10770.exe
        10⤵
        System Location Discovery: System Language Discovery
        
        PID:2432
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-44427.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-44427.exe
        11⤵
        System Location Discovery: System Language Discovery
        
        PID:4872
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-37256.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-37256.exe
        12⤵
        System Location Discovery: System Language Discovery
        
        PID:4524
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4872 -s 212
        12⤵
        
        PID:4556
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2432 -s 212
        11⤵
        
        PID:1924
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3048 -s 232
        10⤵
        Program crash
        
        PID:3664
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-22316.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-22316.exe
        9⤵
        
        PID:1192
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-24583.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-24583.exe
        10⤵
        System Location Discovery: System Language Discovery
        
        PID:5044
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-51983.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-51983.exe
        11⤵
        System Location Discovery: System Language Discovery
        
        PID:4352
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 5044 -s 232
        11⤵
        
        PID:4792
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1192 -s 232
        10⤵
        
        PID:5316
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2636 -s 236
        9⤵
        Program crash
        
        PID:3700
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-7760.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-7760.exe
        8⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2024
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-6302.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-6302.exe
        9⤵
        
        PID:836
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-1619.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-1619.exe
        10⤵
        System Location Discovery: System Language Discovery
        
        PID:4804
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4804 -s 216
        11⤵
        
        PID:3512
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 836 -s 232
        10⤵
        
        PID:1804
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2024 -s 232
        9⤵
        Program crash
        
        PID:3588
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1500 -s 236
        8⤵
        Program crash
        
        PID:2084
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-49587.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-49587.exe
        7⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:288
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-23542.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-23542.exe
        8⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2080
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-12332.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-12332.exe
        9⤵
        
        PID:1648
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-64717.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-64717.exe
        10⤵
        
        PID:4580
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-62346.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-62346.exe
        11⤵
        System Location Discovery: System Language Discovery
        
        PID:5416
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4580 -s 212
        11⤵
        
        PID:5504
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1648 -s 232
        10⤵
        
        PID:4828
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2080 -s 232
        9⤵
        Program crash
        
        PID:3628
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-55866.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-55866.exe
        8⤵
        System Location Discovery: System Language Discovery
        
        PID:2496
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-33991.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-33991.exe
        9⤵
        
        PID:4608
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-8153.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-8153.exe
        10⤵
        
        PID:5412
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4608 -s 212
        10⤵
        
        PID:4768
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2496 -s 212
        9⤵
        
        PID:4812
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 288 -s 236
        8⤵
        Program crash
        
        PID:3672
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3036 -s 236
        7⤵
        Program crash
        
        PID:1992
      - C:\Users\Admin\AppData\Local\Temp\Unicorn-24999.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-24999.exe
        6⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1228
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-65368.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-65368.exe
        7⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:296
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-56297.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-56297.exe
        8⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:536
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-15539.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-15539.exe
        9⤵
        System Location Discovery: System Language Discovery
        
        PID:3024
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-10908.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-10908.exe
        10⤵
        
        PID:4280
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-59632.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-59632.exe
        11⤵
        
        PID:5328
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4280 -s 232
        11⤵
        
        PID:5576
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3024 -s 212
        10⤵
        
        PID:5716
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 536 -s 232
        9⤵
        Program crash
        
        PID:3680
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-39420.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-39420.exe
        8⤵
        System Location Discovery: System Language Discovery
        
        PID:2972
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-10187.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-10187.exe
        9⤵
        
        PID:5228
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-19882.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-19882.exe
        10⤵
        System Location Discovery: System Language Discovery
        
        PID:4536
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2972 -s 212
        9⤵
        
        PID:5856
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 296 -s 236
        8⤵
        Program crash
        
        PID:3656
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-22041.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-22041.exe
        7⤵
        Executes dropped EXE
        
        PID:2292
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-45724.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-45724.exe
        8⤵
        
        PID:2508
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-16410.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-16410.exe
        9⤵
        
        PID:5192
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-34023.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-34023.exe
        10⤵
        
        PID:4756
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 5192 -s 212
        10⤵
        
        PID:936
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2508 -s 212
        9⤵
        
        PID:5824
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2292 -s 212
        8⤵
        
        PID:3328
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1228 -s 236
        7⤵
        Program crash
        
        PID:1564
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2660 -s 236
        6⤵
        Program crash
        
        PID:2700
    - - C:\Users\Admin\AppData\Local\Temp\Unicorn-49457.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-49457.exe
        5⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2064
      - C:\Users\Admin\AppData\Local\Temp\Unicorn-50895.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-50895.exe
        6⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1492
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-57200.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-57200.exe
        7⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2884
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-38316.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-38316.exe
        8⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2180
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-47094.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-47094.exe
        9⤵
        System Location Discovery: System Language Discovery
        
        PID:2384
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-40566.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-40566.exe
        10⤵
        System Location Discovery: System Language Discovery
        
        PID:4852
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-60665.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-60665.exe
        11⤵
        System Location Discovery: System Language Discovery
        
        PID:788
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4852 -s 212
        11⤵
        
        PID:4452
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2384 -s 212
        10⤵
        
        PID:5800
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2180 -s 232
        9⤵
        
        PID:3180
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2884 -s 232
        8⤵
        Program crash
        
        PID:2480
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-26618.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-26618.exe
        7⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2852
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-12283.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-12283.exe
        8⤵
        System Location Discovery: System Language Discovery
        
        PID:840
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-4494.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-4494.exe
        9⤵
        
        PID:5076
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-42658.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-42658.exe
        10⤵
        System Location Discovery: System Language Discovery
        
        PID:4140
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 5076 -s 212
        10⤵
        
        PID:4744
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 840 -s 212
        9⤵
        
        PID:5624
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2852 -s 232
        8⤵
        Program crash
        
        PID:3100
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1492 -s 236
        7⤵
        Program crash
        
        PID:1276
      - C:\Users\Admin\AppData\Local\Temp\Unicorn-2524.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-2524.exe
        6⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2380
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-59950.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-59950.exe
        7⤵
        
        PID:2828
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-11754.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-11754.exe
        8⤵
        System Location Discovery: System Language Discovery
        
        PID:4832
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-53877.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-53877.exe
        9⤵
        System Location Discovery: System Language Discovery
        
        PID:5640
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4832 -s 212
        9⤵
        
        PID:5508
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2380 -s 232
        7⤵
        Program crash
        
        PID:3692
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2064 -s 236
        6⤵
        Program crash
        
        PID:2036
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2612 -s 236
        5⤵
        Loads dropped DLL
        Program crash
        
        PID:2440
  - - C:\Users\Admin\AppData\Local\Temp\Unicorn-3188.exe
      C:\Users\Admin\AppData\Local\Temp\Unicorn-3188.exe
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Suspicious use of SetWindowsHookEx
      PID:348
    - - C:\Users\Admin\AppData\Local\Temp\Unicorn-56878.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-56878.exe
        5⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2016
      - C:\Users\Admin\AppData\Local\Temp\Unicorn-12000.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-12000.exe
        6⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2040
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-59914.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-59914.exe
        7⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2924
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-31985.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-31985.exe
        8⤵
        
        PID:2312
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-47146.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-47146.exe
        9⤵
        System Location Discovery: System Language Discovery
        
        PID:4256
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-13555.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-13555.exe
        10⤵
        
        PID:5168
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4256 -s 212
        10⤵
        
        PID:5340
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2312 -s 232
        9⤵
        
        PID:4912
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2924 -s 232
        8⤵
        Program crash
        
        PID:3620
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-28455.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-28455.exe
        7⤵
        System Location Discovery: System Language Discovery
        
        PID:2452
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-36648.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-36648.exe
        8⤵
        
        PID:4296
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-21641.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-21641.exe
        9⤵
        System Location Discovery: System Language Discovery
        
        PID:6064
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4296 -s 212
        9⤵
        
        PID:548
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2452 -s 232
        8⤵
        
        PID:4920
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2040 -s 236
        7⤵
        Program crash
        
        PID:3524
      - C:\Users\Admin\AppData\Local\Temp\Unicorn-50163.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-50163.exe
        6⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:332
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-52021.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-52021.exe
        7⤵
        System Location Discovery: System Language Discovery
        
        PID:1624
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-47094.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-47094.exe
        8⤵
        
        PID:2784
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-45470.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-45470.exe
        9⤵
        System Location Discovery: System Language Discovery
        
        PID:4104
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-43094.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-43094.exe
        10⤵
        System Location Discovery: System Language Discovery
        
        PID:4516
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4104 -s 232
        10⤵
        
        PID:4472
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2784 -s 212
        9⤵
        
        PID:5344
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1624 -s 212
        8⤵
        
        PID:3196
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 332 -s 212
        7⤵
        Program crash
        
        PID:2528
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2016 -s 236
        6⤵
        Program crash
        
        PID:2764
    - - C:\Users\Admin\AppData\Local\Temp\Unicorn-45996.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-45996.exe
        5⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2028
      - C:\Users\Admin\AppData\Local\Temp\Unicorn-49416.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-49416.exe
        6⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2420
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-33931.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-33931.exe
        7⤵
        
        PID:2776
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-58587.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-58587.exe
        8⤵
        
        PID:4564
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-32990.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-32990.exe
        9⤵
        
        PID:2792
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4564 -s 212
        9⤵
        
        PID:5524
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2776 -s 212
        8⤵
        
        PID:4820
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2420 -s 232
        7⤵
        Program crash
        
        PID:3612
      - C:\Users\Admin\AppData\Local\Temp\Unicorn-46738.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-46738.exe
        6⤵
        
        PID:1636
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-12283.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-12283.exe
        7⤵
        
        PID:1144
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-27769.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-27769.exe
        8⤵
        
        PID:4708
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-30219.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-30219.exe
        9⤵
        
        PID:5480
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4708 -s 232
        9⤵
        
        PID:4504
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1144 -s 232
        8⤵
        
        PID:4928
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1636 -s 232
        7⤵
        Program crash
        
        PID:3132
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2028 -s 236
        6⤵
        Program crash
        
        PID:1544
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 348 -s 236
        5⤵
        Program crash
        
        PID:1828
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 2696 -s 236
      4⤵
      Loads dropped DLL
      Program crash
      PID:1664
- - C:\Users\Admin\AppData\Local\Temp\Unicorn-46084.exe
    C:\Users\Admin\AppData\Local\Temp\Unicorn-46084.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:1812
  - - C:\Users\Admin\AppData\Local\Temp\Unicorn-33360.exe
      C:\Users\Admin\AppData\Local\Temp\Unicorn-33360.exe
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Suspicious use of SetWindowsHookEx
      PID:1044
    - - C:\Users\Admin\AppData\Local\Temp\Unicorn-48710.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-48710.exe
        5⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1328
      - C:\Users\Admin\AppData\Local\Temp\Unicorn-59063.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-59063.exe
        6⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2336
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-6629.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-6629.exe
        7⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2908
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-21871.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-21871.exe
        8⤵
        
        PID:2212
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-19143.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-19143.exe
        9⤵
        
        PID:3288
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-39928.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-39928.exe
        10⤵
        System Location Discovery: System Language Discovery
        
        PID:5388
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-17936.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-17936.exe
        11⤵
        System Location Discovery: System Language Discovery
        
        PID:4652
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3288 -s 212
        10⤵
        
        PID:5980
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2212 -s 232
        9⤵
        
        PID:3256
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-57955.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-57955.exe
        8⤵
        System Location Discovery: System Language Discovery
        
        PID:1416
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-53695.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-53695.exe
        9⤵
        System Location Discovery: System Language Discovery
        
        PID:584
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-29036.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-29036.exe
        10⤵
        System Location Discovery: System Language Discovery
        
        PID:5020
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 584 -s 232
        10⤵
        
        PID:4688
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1416 -s 212
        9⤵
        
        PID:5656
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2908 -s 236
        8⤵
        Program crash
        
        PID:3084
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-32731.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-32731.exe
        7⤵
        
        PID:3052
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-15844.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-15844.exe
        8⤵
        
        PID:4184
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-27515.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-27515.exe
        9⤵
        
        PID:6020
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4184 -s 212
        9⤵
        
        PID:5464
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3052 -s 212
        8⤵
        
        PID:4904
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2336 -s 236
        7⤵
        Program crash
        
        PID:3564
      - C:\Users\Admin\AppData\Local\Temp\Unicorn-5238.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-5238.exe
        6⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2788
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-45415.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-45415.exe
        7⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2904
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-31191.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-31191.exe
        8⤵
        
        PID:2364
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-12605.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-12605.exe
        9⤵
        
        PID:4308
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-44417.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-44417.exe
        10⤵
        
        PID:4112
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4308 -s 232
        10⤵
        
        PID:3876
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2904 -s 212
        8⤵
        Program crash
        
        PID:3724
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-16286.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-16286.exe
        7⤵
        
        PID:828
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-56217.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-56217.exe
        8⤵
        System Location Discovery: System Language Discovery
        
        PID:5072
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-31693.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-31693.exe
        9⤵
        
        PID:4780
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 5072 -s 212
        9⤵
        
        PID:4672
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 828 -s 212
        8⤵
        
        PID:5700
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2788 -s 236
        7⤵
        Program crash
        
        PID:3748
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1328 -s 236
        6⤵
        Program crash
        
        PID:2748
    - - C:\Users\Admin\AppData\Local\Temp\Unicorn-49504.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-49504.exe
        5⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2468
      - C:\Users\Admin\AppData\Local\Temp\Unicorn-16744.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-16744.exe
        6⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1768
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-4574.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-4574.exe
        7⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2940
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-19741.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-19741.exe
        8⤵
        
        PID:3332
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-63254.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-63254.exe
        9⤵
        
        PID:5512
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-7484.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-7484.exe
        10⤵
        
        PID:4548
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2940 -s 212
        8⤵
        
        PID:3296
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1768 -s 232
        7⤵
        Program crash
        
        PID:3316
      - C:\Users\Admin\AppData\Local\Temp\Unicorn-55207.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-55207.exe
        6⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2184
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-4499.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-4499.exe
        7⤵
        System Location Discovery: System Language Discovery
        
        PID:3220
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-48189.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-48189.exe
        8⤵
        
        PID:4636
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-53877.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-53877.exe
        9⤵
        
        PID:5612
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4636 -s 212
        9⤵
        
        PID:5472
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3220 -s 232
        8⤵
        
        PID:4868
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2184 -s 212
        7⤵
        
        PID:3772
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2468 -s 236
        6⤵
        Program crash
        
        PID:3136
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1044 -s 236
        5⤵
        Program crash
        
        PID:1980
  - - C:\Users\Admin\AppData\Local\Temp\Unicorn-2202.exe
      C:\Users\Admin\AppData\Local\Temp\Unicorn-2202.exe
      4⤵
      Executes dropped EXE
      Suspicious use of SetWindowsHookEx
      PID:1076
    - - C:\Users\Admin\AppData\Local\Temp\Unicorn-10630.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-10630.exe
        5⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2816
      - C:\Users\Admin\AppData\Local\Temp\Unicorn-28996.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-28996.exe
        6⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2264
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-58736.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-58736.exe
        7⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2632
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-59286.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-59286.exe
        8⤵
        
        PID:800
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-39305.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-39305.exe
        9⤵
        System Location Discovery: System Language Discovery
        
        PID:5100
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-34324.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-34324.exe
        10⤵
        System Location Discovery: System Language Discovery
        
        PID:3000
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 5100 -s 212
        10⤵
        
        PID:4496
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 800 -s 212
        9⤵
        
        PID:5632
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2632 -s 232
        8⤵
        Program crash
        
        PID:3648
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-27228.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-27228.exe
        7⤵
        
        PID:2052
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-55880.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-55880.exe
        8⤵
        
        PID:5260
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-57925.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-57925.exe
        9⤵
        System Location Discovery: System Language Discovery
        
        PID:4764
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 5260 -s 212
        9⤵
        
        PID:1616
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2052 -s 212
        8⤵
        
        PID:5880
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2264 -s 236
        7⤵
        Program crash
        
        PID:3160
      - C:\Users\Admin\AppData\Local\Temp\Unicorn-48684.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-48684.exe
        6⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2544
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-47094.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-47094.exe
        7⤵
        
        PID:2220
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-63664.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-63664.exe
        8⤵
        
        PID:5148
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-46140.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-46140.exe
        9⤵
        System Location Discovery: System Language Discovery
        
        PID:4588
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2220 -s 212
        8⤵
        
        PID:5816
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2544 -s 232
        7⤵
        Program crash
        
        PID:3164
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2816 -s 236
        6⤵
        Program crash
        
        PID:1508
    - - C:\Users\Admin\AppData\Local\Temp\Unicorn-15160.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-15160.exe
        5⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:1760
      - C:\Users\Admin\AppData\Local\Temp\Unicorn-52597.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-52597.exe
        6⤵
        
        PID:2300
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-2859.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-2859.exe
        7⤵
        System Location Discovery: System Language Discovery
        
        PID:4428
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-53877.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-53877.exe
        8⤵
        
        PID:952
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4428 -s 212
        8⤵
        
        PID:5536
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2300 -s 232
        7⤵
        
        PID:5112
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1760 -s 232
        6⤵
        Program crash
        
        PID:3548
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1076 -s 236
        5⤵
        Program crash
        
        PID:2572
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 1812 -s 236
      4⤵
      Loads dropped DLL
      Program crash
      PID:2448
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2780 -s 236
    3⤵
    - Loads dropped DLL
    - Program crash
    PID:2928
- C:\Users\Admin\AppData\Local\Temp\Unicorn-34817.exe
  C:\Users\Admin\AppData\Local\Temp\Unicorn-34817.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2600
- - C:\Users\Admin\AppData\Local\Temp\Unicorn-27055.exe
    C:\Users\Admin\AppData\Local\Temp\Unicorn-27055.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:1224
  - - C:\Users\Admin\AppData\Local\Temp\Unicorn-29276.exe
      C:\Users\Admin\AppData\Local\Temp\Unicorn-29276.exe
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      System Location Discovery: System Language Discovery
      Suspicious use of SetWindowsHookEx
      PID:2308
    - - C:\Users\Admin\AppData\Local\Temp\Unicorn-36458.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-36458.exe
        5⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:608
      - C:\Users\Admin\AppData\Local\Temp\Unicorn-26967.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-26967.exe
        6⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2864
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-63806.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-63806.exe
        7⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:956
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-52597.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-52597.exe
        8⤵
        
        PID:1496
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-46383.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-46383.exe
        9⤵
        
        PID:3364
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-6824.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-6824.exe
        10⤵
        
        PID:2828
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-19633.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-19633.exe
        11⤵
        
        PID:4400
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2828 -s 212
        11⤵
        
        PID:4692
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3364 -s 212
        10⤵
        
        PID:5732
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1496 -s 232
        9⤵
        
        PID:3308
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 956 -s 232
        8⤵
        Program crash
        
        PID:3396
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2864 -s 232
        7⤵
        Program crash
        
        PID:2272
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 608 -s 232
        6⤵
        Program crash
        
        PID:2708
    - - C:\Users\Admin\AppData\Local\Temp\Unicorn-21491.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-21491.exe
        5⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2328
      - C:\Users\Admin\AppData\Local\Temp\Unicorn-37740.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-37740.exe
        6⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:236
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-50843.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-50843.exe
        7⤵
        System Location Discovery: System Language Discovery
        
        PID:768
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-54738.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-54738.exe
        8⤵
        
        PID:4172
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-50997.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-50997.exe
        9⤵
        
        PID:6136
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4172 -s 212
        9⤵
        
        PID:5360
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 768 -s 232
        8⤵
        
        PID:4896
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 236 -s 212
        7⤵
        Program crash
        
        PID:3556
      - C:\Users\Admin\AppData\Local\Temp\Unicorn-4143.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-4143.exe
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:2484
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-64717.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-64717.exe
        7⤵
        
        PID:4572
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-3685.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-3685.exe
        8⤵
        
        PID:5164
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4572 -s 212
        8⤵
        
        PID:3268
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2484 -s 232
        7⤵
        
        PID:2240
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2328 -s 236
        6⤵
        Program crash
        
        PID:3540
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2308 -s 236
        5⤵
        Program crash
        
        PID:2936
  - - C:\Users\Admin\AppData\Local\Temp\Unicorn-55487.exe
      C:\Users\Admin\AppData\Local\Temp\Unicorn-55487.exe
      4⤵
      Executes dropped EXE
      Suspicious use of SetWindowsHookEx
      PID:1872
    - - C:\Users\Admin\AppData\Local\Temp\Unicorn-45441.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-45441.exe
        5⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2720
      - C:\Users\Admin\AppData\Local\Temp\Unicorn-53692.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-53692.exe
        6⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2128
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-52597.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-52597.exe
        7⤵
        System Location Discovery: System Language Discovery
        
        PID:1400
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-10944.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-10944.exe
        8⤵
        
        PID:3908
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-2159.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-2159.exe
        9⤵
        
        PID:5900
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3908 -s 232
        9⤵
        
        PID:5312
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1400 -s 212
        8⤵
        
        PID:4856
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2128 -s 212
        7⤵
        Program crash
        
        PID:3572
      - C:\Users\Admin\AppData\Local\Temp\Unicorn-14065.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-14065.exe
        6⤵
        
        PID:552
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-30047.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-30047.exe
        7⤵
        System Location Discovery: System Language Discovery
        
        PID:3436
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-52647.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-52647.exe
        8⤵
        
        PID:5560
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-45818.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-45818.exe
        9⤵
        
        PID:5372
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 5560 -s 212
        9⤵
        
        PID:5580
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3436 -s 232
        8⤵
        
        PID:6096
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 552 -s 232
        7⤵
        
        PID:4244
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2720 -s 236
        6⤵
        Program crash
        
        PID:3460
    - - C:\Users\Admin\AppData\Local\Temp\Unicorn-29550.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-29550.exe
        5⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2136
      - C:\Users\Admin\AppData\Local\Temp\Unicorn-46183.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-46183.exe
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:1688
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-18641.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-18641.exe
        7⤵
        System Location Discovery: System Language Discovery
        
        PID:4456
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-53493.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-53493.exe
        8⤵
        
        PID:5544
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1688 -s 232
        7⤵
        
        PID:4168
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2136 -s 232
        6⤵
        Program crash
        
        PID:3532
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1872 -s 236
        5⤵
        Program crash
        
        PID:2964
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 1224 -s 236
      4⤵
      Loads dropped DLL
      Program crash
      PID:1660
- - C:\Users\Admin\AppData\Local\Temp\Unicorn-21662.exe
    C:\Users\Admin\AppData\Local\Temp\Unicorn-21662.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    PID:2932
  - - C:\Users\Admin\AppData\Local\Temp\Unicorn-9815.exe
      C:\Users\Admin\AppData\Local\Temp\Unicorn-9815.exe
      4⤵
      Executes dropped EXE
      Suspicious use of SetWindowsHookEx
      PID:1540
    - - C:\Users\Admin\AppData\Local\Temp\Unicorn-2462.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-2462.exe
        5⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1704
      - C:\Users\Admin\AppData\Local\Temp\Unicorn-35026.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-35026.exe
        6⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:860
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-37823.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-37823.exe
        7⤵
        
        PID:904
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-12140.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-12140.exe
        8⤵
        
        PID:2984
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-10192.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-10192.exe
        9⤵
        System Location Discovery: System Language Discovery
        
        PID:4972
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-29472.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-29472.exe
        10⤵
        
        PID:3232
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4972 -s 232
        10⤵
        
        PID:4656
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2984 -s 212
        9⤵
        
        PID:1680
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 904 -s 232
        8⤵
        Program crash
        
        PID:3636
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-50220.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-50220.exe
        7⤵
        
        PID:2652
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-40919.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-40919.exe
        8⤵
        
        PID:4940
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-51023.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-51023.exe
        9⤵
        
        PID:3272
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4940 -s 212
        9⤵
        
        PID:5012
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2652 -s 212
        8⤵
        
        PID:2356
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 860 -s 236
        7⤵
        Program crash
        
        PID:3716
      - C:\Users\Admin\AppData\Local\Temp\Unicorn-19903.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-19903.exe
        6⤵
        
        PID:1800
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-47094.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-47094.exe
        7⤵
        
        PID:1268
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-44567.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-44567.exe
        8⤵
        
        PID:4844
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-62289.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-62289.exe
        9⤵
        System Location Discovery: System Language Discovery
        
        PID:3892
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4844 -s 212
        9⤵
        
        PID:2512
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1268 -s 232
        8⤵
        
        PID:5592
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1800 -s 212
        7⤵
        
        PID:3188
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1704 -s 236
        6⤵
        Program crash
        
        PID:2812
    - - C:\Users\Admin\AppData\Local\Temp\Unicorn-17874.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-17874.exe
        5⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2104
      - C:\Users\Admin\AppData\Local\Temp\Unicorn-27228.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-27228.exe
        6⤵
        
        PID:1976
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-16062.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-16062.exe
        7⤵
        
        PID:4336
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-2585.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-2585.exe
        8⤵
        
        PID:4448
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1976 -s 212
        7⤵
        
        PID:5740
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2104 -s 232
        6⤵
        Program crash
        
        PID:3172
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1540 -s 236
        5⤵
        Program crash
        
        PID:2624
  - - C:\Users\Admin\AppData\Local\Temp\Unicorn-56302.exe
      C:\Users\Admin\AppData\Local\Temp\Unicorn-56302.exe
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious use of SetWindowsHookEx
      PID:1720
    - - C:\Users\Admin\AppData\Local\Temp\Unicorn-14605.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-14605.exe
        5⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2020
      - C:\Users\Admin\AppData\Local\Temp\Unicorn-37823.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-37823.exe
        6⤵
        
        PID:1304
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-607.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-607.exe
        7⤵
        System Location Discovery: System Language Discovery
        
        PID:2008
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-27292.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-27292.exe
        8⤵
        
        PID:5292
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-13166.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-13166.exe
        9⤵
        
        PID:4728
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2008 -s 212
        8⤵
        
        PID:5924
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1304 -s 212
        7⤵
        
        PID:3216
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2020 -s 232
        6⤵
        Program crash
        
        PID:1964
    - - C:\Users\Admin\AppData\Local\Temp\Unicorn-62882.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-62882.exe
        5⤵
        
        PID:1608
      - C:\Users\Admin\AppData\Local\Temp\Unicorn-4548.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-4548.exe
        6⤵
        
        PID:992
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-45470.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-45470.exe
        7⤵
        
        PID:4180
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-52414.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-52414.exe
        8⤵
        System Location Discovery: System Language Discovery
        
        PID:4392
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4180 -s 212
        8⤵
        
        PID:4716
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 992 -s 232
        7⤵
        
        PID:5352
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1608 -s 212
        6⤵
        Program crash
        
        PID:3740
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1720 -s 236
        5⤵
        Program crash
        
        PID:1824
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 2932 -s 236
      4⤵
      Program crash
      PID:2992
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2600 -s 236
    3⤵
    - Loads dropped DLL
    - Program crash
    PID:1836
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 2304 -s 236
  2⤵
  - Program crash
  PID:2736

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\Unicorn-10908.exe

Filesize
184KB

MD5
2c853e271b20b88791c28384b056f411

SHA1
91a2fd5cac851f09a2ee1feb7647eac0a2896e2d

SHA256
6a90ad0f72f423ed1040bf09d453fd3ca9b8537e6f37528fb0a6c5c61ffc132b

SHA512
478bc0a2840d3cd50f060457d77a65db1b2b620335e4d78f8be55d66086a387f9a176874f277081ef6ef7fc509df63787601f56a27d91f2478dd4143139f2603

Download Submit
C:\Users\Admin\AppData\Local\Temp\Unicorn-21662.exe

Filesize
184KB

MD5
637b2ef9e42015a5904706adbe6483e1

SHA1
7ed806b0923af9768c19737552729aff3d8c74a1

SHA256
d3b2463c5c08732b7bcc2853256696b9bdbd58d6729436d97327259302da1f59

SHA512
ba44fe614f481950f0f90472219055312ccb0cee7e1f5f9f9f48d03bef7e34c9b2e55c1a0de6a08fa2828d871b37787fdca4b19158f523fee7485e4a0568f7d9

Download Submit
C:\Users\Admin\AppData\Local\Temp\Unicorn-26618.exe

Filesize
184KB

MD5
c6062ddd0fe400228d17cbe457d52c09

SHA1
c5662c2f33065ec96b91e2b2774503a4224edec9

SHA256
e9162f66a674036fd749402022c90c102da276ebe6a818f1e3346bdd05992903

SHA512
12365780ab8ad00f9ed83538df4252d087cd4f9474912389b83597a7705182e56e5002ca4a4842e2f2cbe1a10abeda49a517a8d8820811afa68a5e2893c41cbc

Download Submit
C:\Users\Admin\AppData\Local\Temp\Unicorn-34817.exe

Filesize
184KB

MD5
a7349d89078a04a788a6e902e5ea1f34

SHA1
ac349e5e97c9518f22418f5fb8f394d586b9bc25

SHA256
953c929b0e05dc128109ca3e8cd662d5f349fdbe856a3caa517ce7185712b891

SHA512
9d1bda3e88ce451ffad3f4be37febad32aa292ad92deadc94aa97dad34a2ba01cf698ca48aa278b36e14db84aa51f65e163a72ff76472d6642c15c1f1b29a687

Download Submit
C:\Users\Admin\AppData\Local\Temp\Unicorn-6302.exe

Filesize
184KB

MD5
90b7647f3560784edf70c3d00b1b219f

SHA1
48ab8774ecaef7a47547a15e732d8b15f14ef348

SHA256
d097cd7d6ea15b5f0ece729e39d862709335ebdb9e27ac0394714250e89565ed

SHA512
e0c7cc7fc70ece3aba294019b45cf8f9b929b904ca61f754732850c8566c25f3d9c3692696c6f6138d169de0c676da2dbb79cf2a165f0c688967861a48f131da

Download Submit
C:\Users\Admin\AppData\Local\Temp\Unicorn-6629.exe

Filesize
184KB

MD5
94b2edba439df517f5fda625cb37a771

SHA1
5a432b52744c246a84972dedeb1574ba45f13dd7

SHA256
efef5d60b000e5c90c5c3f610f31426b3c383596d20bb90f72d207c82080c295

SHA512
a8e50b342c871e6d22e14bcea2df96d3a687aa624b21efa5f646b19560c3f9433e92ad488cdf6aefa8776f24a68569e5fd5924b48bc417368b829f4a7c82c380

Download Submit
\Users\Admin\AppData\Local\Temp\Unicorn-14885.exe

Filesize
184KB

MD5
c52ae64334cc7585a46baa8d6e448bbf

SHA1
e267d5c53079dedf9bd209d0002730d4a19f9582

SHA256
c892a8871cf262f04f933cdc19c2d3de7fc09245abb656168b524e3e80799f23

SHA512
8b1a3e83002db9a42a6d52baab1648f1f9a2d44625e53e05b253637f3d534dad7b269f96b265485b219a93398fac1541e1d959870706cfd0eadf87d395f3338f

Download Submit
\Users\Admin\AppData\Local\Temp\Unicorn-17652.exe

Filesize
184KB

MD5
21df05c65a1939e8e3d21c7b4882562d

SHA1
21133faac8615304e5807e2d68604af262fa8e7a

SHA256
3fce4436651cd5c4563823b252a4024afac9435b6e47ecd7daf11c64c1f3c360

SHA512
f8073b87426db9d03b1ba13553ad0170726f47128ce194f29ab720e9f5ffbe94680ceb1f56b54c54e04083083c7d707c75e104e99c59f94132f6fdcac1246f16

Download Submit
\Users\Admin\AppData\Local\Temp\Unicorn-21025.exe

Filesize
184KB

MD5
3fd513f5098469741bc192d1fadbf7b8

SHA1
c45d4f96f072ce65624822e417a83a4ae74189ac

SHA256
87396cf295c385284de38636e0a86ad1151cd3b2b1c8d84e742ee6e76bd5c773

SHA512
05159b6cb59a88496b55e122997aae17478bb23c6c799fd21f3b76bba73048c7f1e8aff2969082b694b10e530e18b45d14cb7925c006206223dc0cd211a021af

Download Submit
\Users\Admin\AppData\Local\Temp\Unicorn-24206.exe

Filesize
184KB

MD5
e3208e4ceef2b9f2910bf22f162e6464

SHA1
ec902cd25017dd3941e734a2175f37ef824db083

SHA256
2e6877559c82c2d6ca341177c227887b9e28e7ecb99c8a9a0494bdf020e84bd1

SHA512
90cc07dfb364226bc73019b438067248aa815c0de928ce14f1a483dea7dbe1b7a016a10b33f6e854fa9a5e813ff87790e3a7f952c362ee62a4db90f9a4fdb9b6

Download Submit
\Users\Admin\AppData\Local\Temp\Unicorn-27055.exe

Filesize
184KB

MD5
e742c4a6c6396993df21c149220bec86

SHA1
403b6f4bf60c078731d8728c5fbff50125df40fa

SHA256
23fc30c1764fe966f53a8f2ccd77858669592ae860abe965ce1a53c6f4d71ff9

SHA512
4fd06f4e69bff9f875f827751cb11a0a786963776e364ffec1398417e215508e283307056aded290c724f5c5393fcd6c776b4a93166bc2991d97cbf06019d3fa

Download Submit
\Users\Admin\AppData\Local\Temp\Unicorn-29110.exe

Filesize
184KB

MD5
f9b82fde64cf9efdac672ae6520db643

SHA1
7ef9e57861f80d37f0815ceef654f90533e97cb8

SHA256
7c8c55247728aa92bc6f8026328f3198c989a1b3c09b2a016bacbe1156877c9b

SHA512
a0b19ea5978bc2aebd2f7b118c215951ca87fc91f54262cf8be7d5e2ece09cfdfddd181c483b864838bf1f02a46fa4395f5d15882971b76b4c2d66af466d2fb9

Download Submit
\Users\Admin\AppData\Local\Temp\Unicorn-29276.exe

Filesize
184KB

MD5
48fea5d3dc776742d8e4f22e3cd60ec9

SHA1
2ed63bfd222912b2208247501b5e533897183406

SHA256
a4438c7934eb993d7aa8f8ebd3c12a7810fda55cc1f78b8b23f83036b7822761

SHA512
fe06f4a654ebe532c3ac39fd6179ecb3df2708826d79ef59fa764cb77552d6ec418416641a6b9f38cc711fc49278b6905b6dbd8408cbf1429bbdbc548d227179

Download Submit
\Users\Admin\AppData\Local\Temp\Unicorn-3188.exe

Filesize
184KB

MD5
7d7c220cfdfb871c69b05629885d2917

SHA1
178b501fe35d974a08c29be07d2ef50ece30f093

SHA256
9b2fe4cdbf03a38b09e87d4644b597e286039dff01ff1e7cc69c771b87d1bed6

SHA512
842447052341390049494df6d471a845ad04162726c672f032388b006fa9aae855bb73f476ee7bc3f49cb6929abd0ba49009b7f782c7a3aef1bca97dbb0dfb27

Download Submit
\Users\Admin\AppData\Local\Temp\Unicorn-33360.exe

Filesize
184KB

MD5
98e94d0d5efe5bad5831d7f4395c2daa

SHA1
d486f3d9a8964a72eda1e8270cd9b2b3d37d2185

SHA256
7eda98ed84f1896a1b007513a5b3897ff574b92df397aee92c3e14fb3f1bae61

SHA512
6d8dea77da97c5be6bf6580538ea4ed127993211c48607bbeae17abc33d00d9dd6c7401c4781179bd4c1e917301da26be6285ff46beceafde66a0bae57dc076e

Download Submit
\Users\Admin\AppData\Local\Temp\Unicorn-46084.exe

Filesize
184KB

MD5
efd578605c473343c5f9500a0625e09a

SHA1
f13dc1726131e751078dc531775c0dea1d351edf

SHA256
b15ed51707c3bf614ecd63a4689e440a86d5c762281fba9678338d7a3fc6f102

SHA512
17b398b3e17bed356cbd8d9e590415d55273aa803a8a7ca27b1b5e0c8b0066005a6db72d9e1fa85fb2f8a0ffeae95a18a76d7dde528684077b660056a852e3e0

Download Submit
\Users\Admin\AppData\Local\Temp\Unicorn-48710.exe

Filesize
184KB

MD5
b57e1fa9d4cccb87a4cd0be52ab8cbb1

SHA1
e01d1432b393c8aba42ef86969de30fc11747d0d

SHA256
8be01ee898e6abb1d5fbb04661ea9f2d0fce4b08cd3431cd936c0eb7dd61e40a

SHA512
0c1eeee05e876718515829f0cf0c5b02d82f0afe463ab2c67a578e64ea91aa150f9076ed2325447fc9881236c340b1129e2ed68b42f5e6cc1f73efe8515f8cad

Download Submit
\Users\Admin\AppData\Local\Temp\Unicorn-49457.exe

Filesize
184KB

MD5
4273286bccdf443284fba643e5696a3b

SHA1
8fe0f2c022c868a9006ae579ef2734689155eda9

SHA256
29a315109023f38d9b6b6b81977fdc58a8e9e37de9d8b88c9f16f76ed1e8d765

SHA512
190aad3e5fbbb3ecdfa7fcc9af942469189a43886371928d45facb8cc49266c7fbf9b52bd600f7d50283b3f47b73cd943f01859b3dcdc115e52bcdaf1555f5cf

Download Submit