ecdfdad59aa787f644f81909bde4c83ae02ae538ef09483827657304eb76cd79

Analysis

max time kernel
150s
max time network
16s
platform
windows7_x64
resource
win7-20240729-en
resource tags

arch:x64arch:x86image:win7-20240729-enlocale:en-usos:windows7-x64system
submitted
17/08/2024, 10:45

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

a23a6c3786f2d025cc83767a4ce64c63_JaffaCakes118.exe
Size

192KB
MD5

a23a6c3786f2d025cc83767a4ce64c63
SHA1

7ec03881bbb8066936c4006cfe71aaa14596d72a
SHA256

ecdfdad59aa787f644f81909bde4c83ae02ae538ef09483827657304eb76cd79
SHA512

fa216b3c43cb69fe2f62194a23cc57ac96bfb154cc5234ca94058a290b5e54dc7fc907c42fc7f6af6a2e5ca0b1631e865ca11a6a448bce8c5927c946d3721322
SSDEEP

3072:p0tJoC6SpBAQr9b8dTy5X8WhNKl6xZ6V6/qxLeqxh6lPvpFl:p0jo+uQr2dW5X8QG7F6lPvpF

Score

7^/10

discovery

Malware Config

Signatures

Executes dropped EXE 64 IoCs

pid	Process
2616	Unicorn-9941.exe
2808	Unicorn-9653.exe
2984	Unicorn-29519.exe
2444	Unicorn-45144.exe
2660	Unicorn-20448.exe
2680	Unicorn-62035.exe
2080	Unicorn-12409.exe
2024	Unicorn-20578.exe
1376	Unicorn-712.exe
1656	Unicorn-53997.exe
2564	Unicorn-61610.exe
2088	Unicorn-64791.exe
1092	Unicorn-7422.exe
2252	Unicorn-7422.exe
1424	Unicorn-15590.exe
1604	Unicorn-61262.exe
2076	Unicorn-42185.exe
1808	Unicorn-27686.exe
2084	Unicorn-47552.exe
2132	Unicorn-57811.exe
1088	Unicorn-8932.exe
1636	Unicorn-12694.exe
976	Unicorn-54049.exe
888	Unicorn-16032.exe
876	Unicorn-57619.exe
2740	Unicorn-41605.exe
2500	Unicorn-62772.exe
304	Unicorn-64210.exe
2328	Unicorn-3779.exe
2520	Unicorn-20630.exe
372	Unicorn-17.exe
1112	Unicorn-41604.exe
980	Unicorn-25076.exe
1500	Unicorn-7993.exe
1260	Unicorn-61278.exe
1296	Unicorn-40666.exe
584	Unicorn-28968.exe
2184	Unicorn-28968.exe
2620	Unicorn-44750.exe
2208	Unicorn-24884.exe
2548	Unicorn-59970.exe
1744	Unicorn-57038.exe
1588	Unicorn-60375.exe
2288	Unicorn-48123.exe
2776	Unicorn-19343.exe
2736	Unicorn-31595.exe
1908	Unicorn-36233.exe
608	Unicorn-32149.exe
300	Unicorn-35679.exe
764	Unicorn-35679.exe
2000	Unicorn-3369.exe
1600	Unicorn-27319.exe
1256	Unicorn-48486.exe
2640	Unicorn-57443.exe
2244	Unicorn-41661.exe
2240	Unicorn-21241.exe
1896	Unicorn-37023.exe
1980	Unicorn-45191.exe
1580	Unicorn-20495.exe
2224	Unicorn-12881.exe
1148	Unicorn-2643.exe
3060	Unicorn-40914.exe
3076	Unicorn-40914.exe
3104	Unicorn-61465.exe

Loads dropped DLL 64 IoCs

pid	Process
2140	a23a6c3786f2d025cc83767a4ce64c63_JaffaCakes118.exe
2140	a23a6c3786f2d025cc83767a4ce64c63_JaffaCakes118.exe
2140	a23a6c3786f2d025cc83767a4ce64c63_JaffaCakes118.exe
2140	a23a6c3786f2d025cc83767a4ce64c63_JaffaCakes118.exe
2616	Unicorn-9941.exe
2616	Unicorn-9941.exe
2808	Unicorn-9653.exe
2808	Unicorn-9653.exe
2984	Unicorn-29519.exe
2616	Unicorn-9941.exe
2984	Unicorn-29519.exe
2616	Unicorn-9941.exe
2900	WerFault.exe
2900	WerFault.exe
2900	WerFault.exe
2900	WerFault.exe
2900	WerFault.exe
2660	Unicorn-20448.exe
2660	Unicorn-20448.exe
2984	Unicorn-29519.exe
2984	Unicorn-29519.exe
2444	Unicorn-45144.exe
2444	Unicorn-45144.exe
2808	Unicorn-9653.exe
2808	Unicorn-9653.exe
2680	Unicorn-62035.exe
2680	Unicorn-62035.exe
1476	WerFault.exe
1476	WerFault.exe
1476	WerFault.exe
1476	WerFault.exe
1476	WerFault.exe
1748	WerFault.exe
1748	WerFault.exe
1748	WerFault.exe
1748	WerFault.exe
1748	WerFault.exe
1376	Unicorn-712.exe
1376	Unicorn-712.exe
2024	Unicorn-20578.exe
1656	Unicorn-53997.exe
1656	Unicorn-53997.exe
2024	Unicorn-20578.exe
2444	Unicorn-45144.exe
2564	Unicorn-61610.exe
2680	Unicorn-62035.exe
2564	Unicorn-61610.exe
2680	Unicorn-62035.exe
2444	Unicorn-45144.exe
2180	WerFault.exe
2180	WerFault.exe
2180	WerFault.exe
2180	WerFault.exe
2180	WerFault.exe
956	WerFault.exe
956	WerFault.exe
956	WerFault.exe
956	WerFault.exe
956	WerFault.exe
1452	WerFault.exe
1452	WerFault.exe
1452	WerFault.exe
1452	WerFault.exe
1452	WerFault.exe

Program crash 64 IoCs

pid	pid_target	Process	procid_target
2920	2140	WerFault.exe	28
2900	2616	WerFault.exe	29
1476	2808	WerFault.exe	30
1748	2984	WerFault.exe	31
2180	2660	WerFault.exe	34
956	2444	WerFault.exe	33
1452	2680	WerFault.exe	35
2892	1376	WerFault.exe	40
2876	1656	WerFault.exe	38
2896	2024	WerFault.exe	39
3044	2080	WerFault.exe	37
2928	2564	WerFault.exe	41
664	2088	WerFault.exe	44
2332	1092	WerFault.exe	46
936	1424	WerFault.exe	47
920	1604	WerFault.exe	48
264	2076	WerFault.exe	49
2524	2252	WerFault.exe	45
2056	2084	WerFault.exe	54
1692	1808	WerFault.exe	53
2460	2132	WerFault.exe	55
1940	1088	WerFault.exe	56
2052	1636	WerFault.exe	57
1512	976	WerFault.exe	58
1704	2740	WerFault.exe	61
1548	876	WerFault.exe	60
2748	888	WerFault.exe	59
2452	2500	WerFault.exe	62
4080	1112	WerFault.exe	72
3100	2184	WerFault.exe	77
2792	2620	WerFault.exe	79
3216	2328	WerFault.exe	69
3292	1296	WerFault.exe	76
3356	608	WerFault.exe	94
3396	372	WerFault.exe	71
3524	2548	WerFault.exe	82
3620	584	WerFault.exe	78
3792	1260	WerFault.exe	75
3916	2208	WerFault.exe	80
3980	1908	WerFault.exe	93
4036	2288	WerFault.exe	90
3336	300	WerFault.exe	96
3756	2000	WerFault.exe	97
3940	304	WerFault.exe	66
3156	2776	WerFault.exe	91
4112	1600	WerFault.exe	98
4120	1588	WerFault.exe	89
4172	1500	WerFault.exe	74
4220	1896	WerFault.exe	103
4228	2244	WerFault.exe	101
4284	2520	WerFault.exe	70
4336	1256	WerFault.exe	99
4496	1744	WerFault.exe	88
4520	980	WerFault.exe	73
4764	2240	WerFault.exe	102
5048	2736	WerFault.exe	92
4128	1148	WerFault.exe	109
4452	764	WerFault.exe	95
4568	3904	WerFault.exe	146
4696	2224	WerFault.exe	106
4692	3888	WerFault.exe	145
4728	3872	WerFault.exe	144
4880	3864	WerFault.exe	143
4904	3572	WerFault.exe	134

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Unicorn-62975.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Unicorn-64319.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Unicorn-3235.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Unicorn-17302.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Unicorn-40661.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Unicorn-48486.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Unicorn-17.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Unicorn-21241.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Unicorn-9751.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Unicorn-58891.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Unicorn-52270.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Unicorn-45144.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Unicorn-57619.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Unicorn-20987.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Unicorn-49981.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Unicorn-13779.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Unicorn-20578.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Unicorn-38871.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Unicorn-17479.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Unicorn-8651.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Unicorn-15527.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Unicorn-53997.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Unicorn-55207.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Unicorn-41912.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Unicorn-15454.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Unicorn-3904.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Unicorn-37717.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Unicorn-20495.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Unicorn-22016.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Unicorn-60742.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Unicorn-11780.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Unicorn-12881.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Unicorn-5611.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Unicorn-25081.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Unicorn-57038.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Unicorn-55004.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Unicorn-31630.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Unicorn-23270.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Unicorn-12694.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Unicorn-13544.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Unicorn-26425.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Unicorn-17681.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Unicorn-61610.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Unicorn-27319.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Unicorn-44781.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Unicorn-7125.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Unicorn-59846.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Unicorn-42040.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Unicorn-55444.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	a23a6c3786f2d025cc83767a4ce64c63_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Unicorn-61262.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Unicorn-7993.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Unicorn-14926.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Unicorn-25076.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Unicorn-44750.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Unicorn-64110.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Unicorn-62035.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Unicorn-50915.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Unicorn-10090.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Unicorn-29224.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Unicorn-41843.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Unicorn-31305.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Unicorn-17733.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Unicorn-44745.exe

Suspicious use of SetWindowsHookEx 64 IoCs

pid	Process
2140	a23a6c3786f2d025cc83767a4ce64c63_JaffaCakes118.exe
2616	Unicorn-9941.exe
2808	Unicorn-9653.exe
2984	Unicorn-29519.exe
2444	Unicorn-45144.exe
2660	Unicorn-20448.exe
2680	Unicorn-62035.exe
1376	Unicorn-712.exe
2024	Unicorn-20578.exe
2080	Unicorn-12409.exe
2564	Unicorn-61610.exe
1656	Unicorn-53997.exe
2088	Unicorn-64791.exe
1092	Unicorn-7422.exe
2252	Unicorn-7422.exe
1604	Unicorn-61262.exe
1424	Unicorn-15590.exe
2076	Unicorn-42185.exe
1808	Unicorn-27686.exe
2084	Unicorn-47552.exe
2132	Unicorn-57811.exe
1088	Unicorn-8932.exe
1636	Unicorn-12694.exe
976	Unicorn-54049.exe
888	Unicorn-16032.exe
876	Unicorn-57619.exe
2500	Unicorn-62772.exe
304	Unicorn-64210.exe
2328	Unicorn-3779.exe
2520	Unicorn-20630.exe
372	Unicorn-17.exe
1112	Unicorn-41604.exe
980	Unicorn-25076.exe
1500	Unicorn-7993.exe
1260	Unicorn-61278.exe
1296	Unicorn-40666.exe
584	Unicorn-28968.exe
2184	Unicorn-28968.exe
2208	Unicorn-24884.exe
2620	Unicorn-44750.exe
2548	Unicorn-59970.exe
1744	Unicorn-57038.exe
1588	Unicorn-60375.exe
2288	Unicorn-48123.exe
2776	Unicorn-19343.exe
2736	Unicorn-31595.exe
1908	Unicorn-36233.exe
608	Unicorn-32149.exe
300	Unicorn-35679.exe
764	Unicorn-35679.exe
2000	Unicorn-3369.exe
1600	Unicorn-27319.exe
1256	Unicorn-48486.exe
2640	Unicorn-57443.exe
2244	Unicorn-41661.exe
2240	Unicorn-21241.exe
1896	Unicorn-37023.exe
1980	Unicorn-45191.exe
1580	Unicorn-20495.exe
2224	Unicorn-12881.exe
1148	Unicorn-2643.exe
3060	Unicorn-40914.exe
3076	Unicorn-40914.exe
3104	Unicorn-61465.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2140 wrote to memory of 2616	2140	a23a6c3786f2d025cc83767a4ce64c63_JaffaCakes118.exe	29
PID 2140 wrote to memory of 2616	2140	a23a6c3786f2d025cc83767a4ce64c63_JaffaCakes118.exe	29
PID 2140 wrote to memory of 2616	2140	a23a6c3786f2d025cc83767a4ce64c63_JaffaCakes118.exe	29
PID 2140 wrote to memory of 2616	2140	a23a6c3786f2d025cc83767a4ce64c63_JaffaCakes118.exe	29
PID 2140 wrote to memory of 2808	2140	a23a6c3786f2d025cc83767a4ce64c63_JaffaCakes118.exe	30
PID 2140 wrote to memory of 2808	2140	a23a6c3786f2d025cc83767a4ce64c63_JaffaCakes118.exe	30
PID 2140 wrote to memory of 2808	2140	a23a6c3786f2d025cc83767a4ce64c63_JaffaCakes118.exe	30
PID 2140 wrote to memory of 2808	2140	a23a6c3786f2d025cc83767a4ce64c63_JaffaCakes118.exe	30
PID 2616 wrote to memory of 2984	2616	Unicorn-9941.exe	31
PID 2616 wrote to memory of 2984	2616	Unicorn-9941.exe	31
PID 2616 wrote to memory of 2984	2616	Unicorn-9941.exe	31
PID 2616 wrote to memory of 2984	2616	Unicorn-9941.exe	31
PID 2140 wrote to memory of 2920	2140	a23a6c3786f2d025cc83767a4ce64c63_JaffaCakes118.exe	32
PID 2140 wrote to memory of 2920	2140	a23a6c3786f2d025cc83767a4ce64c63_JaffaCakes118.exe	32
PID 2140 wrote to memory of 2920	2140	a23a6c3786f2d025cc83767a4ce64c63_JaffaCakes118.exe	32
PID 2140 wrote to memory of 2920	2140	a23a6c3786f2d025cc83767a4ce64c63_JaffaCakes118.exe	32
PID 2808 wrote to memory of 2444	2808	Unicorn-9653.exe	33
PID 2808 wrote to memory of 2444	2808	Unicorn-9653.exe	33
PID 2808 wrote to memory of 2444	2808	Unicorn-9653.exe	33
PID 2808 wrote to memory of 2444	2808	Unicorn-9653.exe	33
PID 2984 wrote to memory of 2660	2984	Unicorn-29519.exe	34
PID 2984 wrote to memory of 2660	2984	Unicorn-29519.exe	34
PID 2984 wrote to memory of 2660	2984	Unicorn-29519.exe	34
PID 2984 wrote to memory of 2660	2984	Unicorn-29519.exe	34
PID 2616 wrote to memory of 2680	2616	Unicorn-9941.exe	35
PID 2616 wrote to memory of 2680	2616	Unicorn-9941.exe	35
PID 2616 wrote to memory of 2680	2616	Unicorn-9941.exe	35
PID 2616 wrote to memory of 2680	2616	Unicorn-9941.exe	35
PID 2616 wrote to memory of 2900	2616	Unicorn-9941.exe	36
PID 2616 wrote to memory of 2900	2616	Unicorn-9941.exe	36
PID 2616 wrote to memory of 2900	2616	Unicorn-9941.exe	36
PID 2616 wrote to memory of 2900	2616	Unicorn-9941.exe	36
PID 2660 wrote to memory of 2080	2660	Unicorn-20448.exe	37
PID 2660 wrote to memory of 2080	2660	Unicorn-20448.exe	37
PID 2660 wrote to memory of 2080	2660	Unicorn-20448.exe	37
PID 2660 wrote to memory of 2080	2660	Unicorn-20448.exe	37
PID 2444 wrote to memory of 2024	2444	Unicorn-45144.exe	39
PID 2444 wrote to memory of 2024	2444	Unicorn-45144.exe	39
PID 2444 wrote to memory of 2024	2444	Unicorn-45144.exe	39
PID 2444 wrote to memory of 2024	2444	Unicorn-45144.exe	39
PID 2808 wrote to memory of 1376	2808	Unicorn-9653.exe	40
PID 2808 wrote to memory of 1376	2808	Unicorn-9653.exe	40
PID 2808 wrote to memory of 1376	2808	Unicorn-9653.exe	40
PID 2808 wrote to memory of 1376	2808	Unicorn-9653.exe	40
PID 2984 wrote to memory of 1656	2984	Unicorn-29519.exe	38
PID 2984 wrote to memory of 1656	2984	Unicorn-29519.exe	38
PID 2984 wrote to memory of 1656	2984	Unicorn-29519.exe	38
PID 2984 wrote to memory of 1656	2984	Unicorn-29519.exe	38
PID 2680 wrote to memory of 2564	2680	Unicorn-62035.exe	41
PID 2680 wrote to memory of 2564	2680	Unicorn-62035.exe	41
PID 2680 wrote to memory of 2564	2680	Unicorn-62035.exe	41
PID 2680 wrote to memory of 2564	2680	Unicorn-62035.exe	41
PID 2808 wrote to memory of 1476	2808	Unicorn-9653.exe	42
PID 2808 wrote to memory of 1476	2808	Unicorn-9653.exe	42
PID 2808 wrote to memory of 1476	2808	Unicorn-9653.exe	42
PID 2808 wrote to memory of 1476	2808	Unicorn-9653.exe	42
PID 2984 wrote to memory of 1748	2984	Unicorn-29519.exe	43
PID 2984 wrote to memory of 1748	2984	Unicorn-29519.exe	43
PID 2984 wrote to memory of 1748	2984	Unicorn-29519.exe	43
PID 2984 wrote to memory of 1748	2984	Unicorn-29519.exe	43
PID 1376 wrote to memory of 2088	1376	Unicorn-712.exe	44
PID 1376 wrote to memory of 2088	1376	Unicorn-712.exe	44
PID 1376 wrote to memory of 2088	1376	Unicorn-712.exe	44
PID 1376 wrote to memory of 2088	1376	Unicorn-712.exe	44

C:\Users\Admin\AppData\Local\Temp\a23a6c3786f2d025cc83767a4ce64c63_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\a23a6c3786f2d025cc83767a4ce64c63_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2140
- C:\Users\Admin\AppData\Local\Temp\Unicorn-9941.exe
  C:\Users\Admin\AppData\Local\Temp\Unicorn-9941.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2616
- - C:\Users\Admin\AppData\Local\Temp\Unicorn-29519.exe
    C:\Users\Admin\AppData\Local\Temp\Unicorn-29519.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:2984
  - - C:\Users\Admin\AppData\Local\Temp\Unicorn-20448.exe
      C:\Users\Admin\AppData\Local\Temp\Unicorn-20448.exe
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:2660
    - - C:\Users\Admin\AppData\Local\Temp\Unicorn-12409.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-12409.exe
        5⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2080
      - C:\Users\Admin\AppData\Local\Temp\Unicorn-57811.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-57811.exe
        6⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2132
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-20630.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-20630.exe
        7⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2520
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-35679.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-35679.exe
        8⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:300
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-44745.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-44745.exe
        9⤵
        System Location Discovery: System Language Discovery
        
        PID:3380
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-47044.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-47044.exe
        10⤵
        
        PID:4436
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-13458.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-13458.exe
        11⤵
        
        PID:6296
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-27551.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-27551.exe
        12⤵
        
        PID:8772
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-11780.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-11780.exe
        13⤵
        System Location Discovery: System Language Discovery
        
        PID:9944
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 8772 -s 376
        13⤵
        
        PID:10388
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 6296 -s 372
        12⤵
        
        PID:9496
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4436 -s 372
        11⤵
        
        PID:7328
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3380 -s 372
        10⤵
        
        PID:5244
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 300 -s 376
        9⤵
        Program crash
        
        PID:3336
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-20795.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-20795.exe
        8⤵
        
        PID:3416
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-8460.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-8460.exe
        9⤵
        
        PID:4736
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-17302.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-17302.exe
        10⤵
        System Location Discovery: System Language Discovery
        
        PID:8076
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-58952.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-58952.exe
        11⤵
        
        PID:9676
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 8076 -s 372
        11⤵
        
        PID:9764
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4736 -s 372
        10⤵
        
        PID:8676
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3416 -s 372
        9⤵
        
        PID:6284
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2520 -s 372
        8⤵
        Program crash
        
        PID:4284
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-3369.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-3369.exe
        7⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2000
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-65357.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-65357.exe
        8⤵
        
        PID:3308
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-5819.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-5819.exe
        9⤵
        
        PID:4584
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-12882.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-12882.exe
        10⤵
        
        PID:6356
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-3010.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-3010.exe
        11⤵
        
        PID:8944
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 6356 -s 372
        11⤵
        
        PID:9800
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4584 -s 372
        10⤵
        
        PID:7396
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3308 -s 372
        9⤵
        
        PID:5308
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2000 -s 364
        8⤵
        Program crash
        
        PID:3756
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2132 -s 372
        7⤵
        Program crash
        
        PID:2460
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2080 -s 372
        6⤵
        Program crash
        
        PID:3044
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2660 -s 364
        5⤵
        Loads dropped DLL
        Program crash
        
        PID:2180
  - - C:\Users\Admin\AppData\Local\Temp\Unicorn-53997.exe
      C:\Users\Admin\AppData\Local\Temp\Unicorn-53997.exe
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      System Location Discovery: System Language Discovery
      Suspicious use of SetWindowsHookEx
      PID:1656
    - - C:\Users\Admin\AppData\Local\Temp\Unicorn-7422.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-7422.exe
        5⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1092
      - C:\Users\Admin\AppData\Local\Temp\Unicorn-8932.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-8932.exe
        6⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1088
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-17.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-17.exe
        7⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:372
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-19343.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-19343.exe
        8⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2776
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-28601.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-28601.exe
        9⤵
        
        PID:3204
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-28077.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-28077.exe
        10⤵
        
        PID:4704
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-3235.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-3235.exe
        11⤵
        System Location Discovery: System Language Discovery
        
        PID:6680
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-17733.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-17733.exe
        12⤵
        System Location Discovery: System Language Discovery
        
        PID:8328
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 6680 -s 372
        12⤵
        
        PID:10104
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4704 -s 372
        11⤵
        
        PID:7528
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3204 -s 372
        10⤵
        
        PID:5528
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2776 -s 372
        9⤵
        Program crash
        
        PID:3156
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-4459.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-4459.exe
        8⤵
        
        PID:3276
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-51683.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-51683.exe
        9⤵
        
        PID:3652
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-41476.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-41476.exe
        10⤵
        
        PID:5836
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-60742.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-60742.exe
        11⤵
        System Location Discovery: System Language Discovery
        
        PID:8312
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 5836 -s 372
        11⤵
        
        PID:9064
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3652 -s 372
        10⤵
        
        PID:6412
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3276 -s 372
        9⤵
        
        PID:5188
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 372 -s 372
        8⤵
        Program crash
        
        PID:3396
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-32149.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-32149.exe
        7⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:608
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-17309.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-17309.exe
        8⤵
        
        PID:3748
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-59851.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-59851.exe
        9⤵
        
        PID:3716
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-21632.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-21632.exe
        10⤵
        
        PID:6012
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-65402.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-65402.exe
        11⤵
        
        PID:8608
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 6012 -s 232
        11⤵
        
        PID:9292
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3716 -s 212
        10⤵
        
        PID:6948
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3748 -s 232
        9⤵
        
        PID:5516
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 608 -s 232
        8⤵
        Program crash
        
        PID:3356
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1088 -s 372
        7⤵
        Program crash
        
        PID:1940
      - C:\Users\Admin\AppData\Local\Temp\Unicorn-41604.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-41604.exe
        6⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1112
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-31595.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-31595.exe
        7⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2736
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-44781.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-44781.exe
        8⤵
        System Location Discovery: System Language Discovery
        
        PID:3256
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-59846.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-59846.exe
        9⤵
        System Location Discovery: System Language Discovery
        
        PID:4392
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-19549.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-19549.exe
        10⤵
        
        PID:7952
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-42040.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-42040.exe
        11⤵
        System Location Discovery: System Language Discovery
        
        PID:9736
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 7952 -s 372
        11⤵
        
        PID:9440
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4392 -s 372
        10⤵
        
        PID:8468
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3256 -s 372
        9⤵
        
        PID:6188
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2736 -s 372
        8⤵
        Program crash
        
        PID:5048
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1112 -s 372
        7⤵
        Program crash
        
        PID:4080
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1092 -s 376
        6⤵
        Program crash
        
        PID:2332
    - - C:\Users\Admin\AppData\Local\Temp\Unicorn-12694.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-12694.exe
        5⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:1636
      - C:\Users\Admin\AppData\Local\Temp\Unicorn-7993.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-7993.exe
        6⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:1500
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-27319.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-27319.exe
        7⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:1600
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-58341.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-58341.exe
        8⤵
        
        PID:3632
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-44221.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-44221.exe
        9⤵
        
        PID:4808
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-53396.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-53396.exe
        10⤵
        
        PID:6800
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-5594.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-5594.exe
        11⤵
        
        PID:8732
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 6800 -s 372
        11⤵
        
        PID:9472
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4808 -s 372
        10⤵
        
        PID:7596
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3632 -s 372
        9⤵
        
        PID:5580
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1600 -s 372
        8⤵
        Program crash
        
        PID:4112
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-5611.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-5611.exe
        7⤵
        System Location Discovery: System Language Discovery
        
        PID:3764
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-36053.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-36053.exe
        8⤵
        
        PID:4848
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-61180.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-61180.exe
        9⤵
        
        PID:7048
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-7125.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-7125.exe
        10⤵
        System Location Discovery: System Language Discovery
        
        PID:8976
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 7048 -s 376
        10⤵
        
        PID:9332
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4848 -s 372
        9⤵
        
        PID:7760
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3764 -s 372
        8⤵
        
        PID:5612
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1500 -s 372
        7⤵
        Program crash
        
        PID:4172
      - C:\Users\Admin\AppData\Local\Temp\Unicorn-48486.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-48486.exe
        6⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:1256
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-25669.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-25669.exe
        7⤵
        
        PID:3492
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-25145.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-25145.exe
        8⤵
        
        PID:4952
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-42789.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-42789.exe
        9⤵
        
        PID:6224
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-31630.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-31630.exe
        10⤵
        System Location Discovery: System Language Discovery
        
        PID:8932
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 6224 -s 376
        10⤵
        
        PID:8304
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4952 -s 372
        9⤵
        
        PID:7880
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3492 -s 372
        8⤵
        
        PID:5780
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1256 -s 372
        7⤵
        Program crash
        
        PID:4336
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1636 -s 376
        6⤵
        Program crash
        
        PID:2052
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1656 -s 364
        5⤵
        Program crash
        
        PID:2876
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 2984 -s 364
      4⤵
      Loads dropped DLL
      Program crash
      PID:1748
- - C:\Users\Admin\AppData\Local\Temp\Unicorn-62035.exe
    C:\Users\Admin\AppData\Local\Temp\Unicorn-62035.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:2680
  - - C:\Users\Admin\AppData\Local\Temp\Unicorn-61610.exe
      C:\Users\Admin\AppData\Local\Temp\Unicorn-61610.exe
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      System Location Discovery: System Language Discovery
      Suspicious use of SetWindowsHookEx
      PID:2564
    - - C:\Users\Admin\AppData\Local\Temp\Unicorn-15590.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-15590.exe
        5⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1424
      - C:\Users\Admin\AppData\Local\Temp\Unicorn-54049.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-54049.exe
        6⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:976
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-61278.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-61278.exe
        7⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1260
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-40914.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-40914.exe
        8⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:3060
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-2119.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-2119.exe
        9⤵
        
        PID:4272
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-52270.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-52270.exe
        10⤵
        System Location Discovery: System Language Discovery
        
        PID:5388
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-26975.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-26975.exe
        11⤵
        
        PID:8856
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 5388 -s 372
        11⤵
        
        PID:9596
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4272 -s 372
        10⤵
        
        PID:7248
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3060 -s 372
        9⤵
        
        PID:6072
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1260 -s 376
        8⤵
        Program crash
        
        PID:3792
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-41661.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-41661.exe
        7⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2244
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-29753.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-29753.exe
        8⤵
        
        PID:3672
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-53733.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-53733.exe
        9⤵
        
        PID:4916
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-41912.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-41912.exe
        10⤵
        System Location Discovery: System Language Discovery
        
        PID:7160
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-64110.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-64110.exe
        11⤵
        System Location Discovery: System Language Discovery
        
        PID:8356
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 7160 -s 372
        11⤵
        
        PID:9688
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4916 -s 372
        10⤵
        
        PID:7848
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3672 -s 372
        9⤵
        
        PID:5760
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2244 -s 372
        8⤵
        Program crash
        
        PID:4228
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 976 -s 372
        7⤵
        Program crash
        
        PID:1512
      - C:\Users\Admin\AppData\Local\Temp\Unicorn-28968.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-28968.exe
        6⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2184
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-37023.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-37023.exe
        7⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1896
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-40661.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-40661.exe
        8⤵
        System Location Discovery: System Language Discovery
        
        PID:3444
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-41481.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-41481.exe
        9⤵
        
        PID:4884
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-42981.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-42981.exe
        10⤵
        
        PID:7104
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-2164.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-2164.exe
        11⤵
        
        PID:8900
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 7104 -s 380
        11⤵
        
        PID:10208
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4884 -s 364
        10⤵
        
        PID:7800
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3444 -s 372
        9⤵
        
        PID:5716
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1896 -s 372
        8⤵
        Program crash
        
        PID:4220
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-55004.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-55004.exe
        7⤵
        System Location Discovery: System Language Discovery
        
        PID:3572
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-46831.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-46831.exe
        8⤵
        
        PID:3696
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-18259.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-18259.exe
        9⤵
        
        PID:5400
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-25081.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-25081.exe
        10⤵
        System Location Discovery: System Language Discovery
        
        PID:8096
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-20349.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-20349.exe
        11⤵
        
        PID:10312
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 8096 -s 372
        11⤵
        
        PID:10808
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 5400 -s 376
        10⤵
        
        PID:8700
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3696 -s 372
        9⤵
        
        PID:6628
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3572 -s 376
        8⤵
        Program crash
        
        PID:4904
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2184 -s 372
        7⤵
        Program crash
        
        PID:3100
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1424 -s 372
        6⤵
        Program crash
        
        PID:936
    - - C:\Users\Admin\AppData\Local\Temp\Unicorn-57619.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-57619.exe
        5⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:876
      - C:\Users\Admin\AppData\Local\Temp\Unicorn-57038.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-57038.exe
        6⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:1744
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-17501.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-17501.exe
        7⤵
        
        PID:3480
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-24761.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-24761.exe
        8⤵
        
        PID:5024
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-31305.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-31305.exe
        9⤵
        System Location Discovery: System Language Discovery
        
        PID:7076
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-36809.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-36809.exe
        10⤵
        
        PID:2188
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 7076 -s 372
        10⤵
        
        PID:10096
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 5024 -s 372
        9⤵
        
        PID:8024
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3480 -s 364
        8⤵
        
        PID:5936
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1744 -s 372
        7⤵
        Program crash
        
        PID:4496
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 876 -s 372
        6⤵
        Program crash
        
        PID:1548
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2564 -s 372
        5⤵
        Program crash
        
        PID:2928
  - - C:\Users\Admin\AppData\Local\Temp\Unicorn-42185.exe
      C:\Users\Admin\AppData\Local\Temp\Unicorn-42185.exe
      4⤵
      Executes dropped EXE
      Suspicious use of SetWindowsHookEx
      PID:2076
    - - C:\Users\Admin\AppData\Local\Temp\Unicorn-41605.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-41605.exe
        5⤵
        Executes dropped EXE
        
        PID:2740
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2740 -s 364
        6⤵
        Program crash
        
        PID:1704
    - - C:\Users\Admin\AppData\Local\Temp\Unicorn-28968.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-28968.exe
        5⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:584
      - C:\Users\Admin\AppData\Local\Temp\Unicorn-45191.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-45191.exe
        6⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1980
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-21585.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-21585.exe
        7⤵
        
        PID:3536
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-64127.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-64127.exe
        8⤵
        
        PID:3532
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-6883.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-6883.exe
        9⤵
        
        PID:5488
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-38485.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-38485.exe
        10⤵
        
        PID:7964
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-16050.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-16050.exe
        11⤵
        
        PID:11212
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 5488 -s 372
        10⤵
        
        PID:8864
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3532 -s 372
        9⤵
        
        PID:6728
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3536 -s 372
        8⤵
        
        PID:4932
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-56322.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-56322.exe
        7⤵
        
        PID:3884
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-22016.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-22016.exe
        8⤵
        System Location Discovery: System Language Discovery
        
        PID:5916
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-8417.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-8417.exe
        9⤵
        
        PID:8484
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 5916 -s 372
        9⤵
        
        PID:9284
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3884 -s 372
        8⤵
        
        PID:6928
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1980 -s 372
        7⤵
        
        PID:5552
      - C:\Users\Admin\AppData\Local\Temp\Unicorn-26223.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-26223.exe
        6⤵
        
        PID:3604
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-17688.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-17688.exe
        7⤵
        
        PID:3180
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-47418.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-47418.exe
        8⤵
        
        PID:5368
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-47779.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-47779.exe
        9⤵
        
        PID:8800
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 5368 -s 372
        9⤵
        
        PID:9536
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3180 -s 372
        8⤵
        
        PID:7188
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3604 -s 372
        7⤵
        
        PID:5900
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 584 -s 372
        6⤵
        Program crash
        
        PID:3620
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2076 -s 372
        5⤵
        Program crash
        
        PID:264
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 2680 -s 376
      4⤵
      Loads dropped DLL
      Program crash
      PID:1452
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2616 -s 368
    3⤵
    - Loads dropped DLL
    - Program crash
    PID:2900
- C:\Users\Admin\AppData\Local\Temp\Unicorn-9653.exe
  C:\Users\Admin\AppData\Local\Temp\Unicorn-9653.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2808
- - C:\Users\Admin\AppData\Local\Temp\Unicorn-45144.exe
    C:\Users\Admin\AppData\Local\Temp\Unicorn-45144.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:2444
  - - C:\Users\Admin\AppData\Local\Temp\Unicorn-20578.exe
      C:\Users\Admin\AppData\Local\Temp\Unicorn-20578.exe
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      System Location Discovery: System Language Discovery
      Suspicious use of SetWindowsHookEx
      PID:2024
    - - C:\Users\Admin\AppData\Local\Temp\Unicorn-7422.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-7422.exe
        5⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2252
      - C:\Users\Admin\AppData\Local\Temp\Unicorn-25076.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-25076.exe
        6⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:980
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-35679.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-35679.exe
        7⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:764
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-42005.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-42005.exe
        8⤵
        
        PID:3704
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-62975.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-62975.exe
        9⤵
        System Location Discovery: System Language Discovery
        
        PID:3920
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-65212.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-65212.exe
        10⤵
        
        PID:5592
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-17681.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-17681.exe
        11⤵
        System Location Discovery: System Language Discovery
        
        PID:8196
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-41314.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-41314.exe
        12⤵
        
        PID:10668
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 8196 -s 372
        12⤵
        
        PID:11024
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 5592 -s 372
        11⤵
        
        PID:9200
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3920 -s 372
        10⤵
        
        PID:6892
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3704 -s 372
        9⤵
        
        PID:4300
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-24033.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-24033.exe
        8⤵
        
        PID:3988
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-14366.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-14366.exe
        9⤵
        
        PID:5276
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-1152.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-1152.exe
        10⤵
        
        PID:7908
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-60213.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-60213.exe
        11⤵
        
        PID:9856
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 7908 -s 368
        11⤵
        
        PID:10352
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 5276 -s 372
        10⤵
        
        PID:9160
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3988 -s 372
        9⤵
        
        PID:6652
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 764 -s 372
        8⤵
        Program crash
        
        PID:4452
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-46644.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-46644.exe
        7⤵
        
        PID:3808
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-24761.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-24761.exe
        8⤵
        
        PID:5016
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-52109.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-52109.exe
        9⤵
        
        PID:6816
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-23270.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-23270.exe
        10⤵
        System Location Discovery: System Language Discovery
        
        PID:8240
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 6816 -s 372
        10⤵
        
        PID:9684
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 5016 -s 372
        9⤵
        
        PID:7940
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3808 -s 372
        8⤵
        
        PID:5924
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 980 -s 372
        7⤵
        Program crash
        
        PID:4520
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2252 -s 372
        6⤵
        Program crash
        
        PID:2524
    - - C:\Users\Admin\AppData\Local\Temp\Unicorn-62772.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-62772.exe
        5⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2500
      - C:\Users\Admin\AppData\Local\Temp\Unicorn-44750.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-44750.exe
        6⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2620
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-57443.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-57443.exe
        7⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2640
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-49981.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-49981.exe
        8⤵
        
        PID:3872
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-58891.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-58891.exe
        9⤵
        System Location Discovery: System Language Discovery
        
        PID:3796
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-38871.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-38871.exe
        10⤵
        System Location Discovery: System Language Discovery
        
        PID:5248
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-37909.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-37909.exe
        11⤵
        
        PID:7984
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-9751.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-9751.exe
        12⤵
        System Location Discovery: System Language Discovery
        
        PID:9704
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 7984 -s 372
        12⤵
        
        PID:884
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 5248 -s 372
        11⤵
        
        PID:8208
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3796 -s 372
        10⤵
        
        PID:6556
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3872 -s 372
        9⤵
        Program crash
        
        PID:4728
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-18605.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-18605.exe
        8⤵
        
        PID:3848
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-29224.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-29224.exe
        9⤵
        System Location Discovery: System Language Discovery
        
        PID:5784
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-44406.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-44406.exe
        10⤵
        
        PID:8340
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-35718.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-35718.exe
        11⤵
        
        PID:10508
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 5784 -s 372
        10⤵
        
        PID:8292
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3848 -s 376
        9⤵
        
        PID:6712
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2640 -s 372
        8⤵
        
        PID:5180
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-9695.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-9695.exe
        7⤵
        
        PID:3904
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-52067.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-52067.exe
        8⤵
        
        PID:3948
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-63375.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-63375.exe
        9⤵
        
        PID:5316
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-37717.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-37717.exe
        10⤵
        System Location Discovery: System Language Discovery
        
        PID:7336
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-55444.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-55444.exe
        11⤵
        System Location Discovery: System Language Discovery
        
        PID:9812
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 7336 -s 372
        11⤵
        
        PID:10248
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 5316 -s 372
        10⤵
        
        PID:8392
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3948 -s 372
        9⤵
        
        PID:6604
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3904 -s 364
        8⤵
        Program crash
        
        PID:4568
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2620 -s 376
        7⤵
        Program crash
        
        PID:2792
      - C:\Users\Admin\AppData\Local\Temp\Unicorn-21241.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-21241.exe
        6⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2240
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-36612.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-36612.exe
        7⤵
        
        PID:3328
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-27558.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-27558.exe
        8⤵
        
        PID:4180
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-13544.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-13544.exe
        9⤵
        System Location Discovery: System Language Discovery
        
        PID:7680
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-17479.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-17479.exe
        10⤵
        System Location Discovery: System Language Discovery
        
        PID:9376
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 7680 -s 376
        10⤵
        
        PID:9852
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4180 -s 372
        9⤵
        
        PID:8048
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3328 -s 372
        8⤵
        
        PID:5620
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2240 -s 372
        7⤵
        Program crash
        
        PID:4764
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2500 -s 372
        6⤵
        Program crash
        
        PID:2452
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2024 -s 364
        5⤵
        Program crash
        
        PID:2896
  - - C:\Users\Admin\AppData\Local\Temp\Unicorn-61262.exe
      C:\Users\Admin\AppData\Local\Temp\Unicorn-61262.exe
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious use of SetWindowsHookEx
      PID:1604
    - - C:\Users\Admin\AppData\Local\Temp\Unicorn-16032.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-16032.exe
        5⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:888
      - C:\Users\Admin\AppData\Local\Temp\Unicorn-40666.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-40666.exe
        6⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1296
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-20495.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-20495.exe
        7⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:1580
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-49981.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-49981.exe
        8⤵
        System Location Discovery: System Language Discovery
        
        PID:3836
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-19203.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-19203.exe
        9⤵
        
        PID:4020
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-37584.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-37584.exe
        10⤵
        
        PID:5752
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-52574.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-52574.exe
        11⤵
        
        PID:8368
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 5752 -s 372
        11⤵
        
        PID:8220
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4020 -s 376
        10⤵
        
        PID:6436
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3836 -s 372
        9⤵
        
        PID:5060
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-19757.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-19757.exe
        8⤵
        
        PID:3232
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-25332.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-25332.exe
        9⤵
        
        PID:5696
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-52766.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-52766.exe
        10⤵
        
        PID:8232
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 5696 -s 372
        10⤵
        
        PID:1456
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3232 -s 372
        9⤵
        
        PID:7080
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1580 -s 372
        8⤵
        
        PID:3896
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-13779.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-13779.exe
        7⤵
        System Location Discovery: System Language Discovery
        
        PID:3888
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-14926.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-14926.exe
        8⤵
        System Location Discovery: System Language Discovery
        
        PID:3344
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-55207.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-55207.exe
        9⤵
        System Location Discovery: System Language Discovery
        
        PID:5372
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-62029.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-62029.exe
        10⤵
        
        PID:7732
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-8651.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-8651.exe
        11⤵
        System Location Discovery: System Language Discovery
        
        PID:9256
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 7732 -s 376
        11⤵
        
        PID:10648
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 5372 -s 372
        10⤵
        
        PID:8604
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3344 -s 372
        9⤵
        
        PID:6584
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3888 -s 372
        8⤵
        Program crash
        
        PID:4692
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1296 -s 372
        7⤵
        Program crash
        
        PID:3292
      - C:\Users\Admin\AppData\Local\Temp\Unicorn-12881.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-12881.exe
        6⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2224
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-49981.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-49981.exe
        7⤵
        
        PID:3864
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-50915.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-50915.exe
        8⤵
        System Location Discovery: System Language Discovery
        
        PID:3656
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-14174.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-14174.exe
        9⤵
        
        PID:5432
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-26425.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-26425.exe
        10⤵
        System Location Discovery: System Language Discovery
        
        PID:7948
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-21940.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-21940.exe
        11⤵
        
        PID:11136
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 7948 -s 372
        11⤵
        
        PID:10428
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 5432 -s 376
        10⤵
        
        PID:8792
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3656 -s 376
        9⤵
        
        PID:6660
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3864 -s 372
        8⤵
        Program crash
        
        PID:4880
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-63722.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-63722.exe
        7⤵
        
        PID:3744
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-10090.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-10090.exe
        8⤵
        System Location Discovery: System Language Discovery
        
        PID:5344
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-41801.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-41801.exe
        9⤵
        
        PID:8092
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-15527.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-15527.exe
        10⤵
        System Location Discovery: System Language Discovery
        
        PID:10536
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 8092 -s 372
        10⤵
        
        PID:10948
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 5344 -s 372
        9⤵
        
        PID:8296
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3744 -s 376
        8⤵
        
        PID:6516
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2224 -s 376
        7⤵
        Program crash
        
        PID:4696
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 888 -s 372
        6⤵
        Program crash
        
        PID:2748
    - - C:\Users\Admin\AppData\Local\Temp\Unicorn-24884.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-24884.exe
        5⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2208
      - C:\Users\Admin\AppData\Local\Temp\Unicorn-40914.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-40914.exe
        6⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:3076
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-22540.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-22540.exe
        7⤵
        
        PID:4348
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-44787.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-44787.exe
        8⤵
        
        PID:6244
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-15454.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-15454.exe
        9⤵
        System Location Discovery: System Language Discovery
        
        PID:8916
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 6244 -s 372
        9⤵
        
        PID:9792
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4348 -s 372
        8⤵
        
        PID:7296
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3076 -s 372
        7⤵
        
        PID:6108
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2208 -s 372
        6⤵
        Program crash
        
        PID:3916
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1604 -s 372
        5⤵
        Program crash
        
        PID:920
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 2444 -s 372
      4⤵
      Loads dropped DLL
      Program crash
      PID:956
- - C:\Users\Admin\AppData\Local\Temp\Unicorn-712.exe
    C:\Users\Admin\AppData\Local\Temp\Unicorn-712.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:1376
  - - C:\Users\Admin\AppData\Local\Temp\Unicorn-64791.exe
      C:\Users\Admin\AppData\Local\Temp\Unicorn-64791.exe
      4⤵
      Executes dropped EXE
      Suspicious use of SetWindowsHookEx
      PID:2088
    - - C:\Users\Admin\AppData\Local\Temp\Unicorn-47552.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-47552.exe
        5⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2084
      - C:\Users\Admin\AppData\Local\Temp\Unicorn-59970.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-59970.exe
        6⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2548
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-2643.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-2643.exe
        7⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1148
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-2098.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-2098.exe
        8⤵
        
        PID:3556
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-43339.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-43339.exe
        9⤵
        
        PID:4984
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-39196.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-39196.exe
        10⤵
        
        PID:7688
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-41843.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-41843.exe
        11⤵
        System Location Discovery: System Language Discovery
        
        PID:9400
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 7688 -s 372
        11⤵
        
        PID:10500
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4984 -s 372
        10⤵
        
        PID:9092
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3556 -s 372
        9⤵
        
        PID:6480
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1148 -s 364
        8⤵
        Program crash
        
        PID:4128
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2548 -s 372
        7⤵
        Program crash
        
        PID:3524
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2084 -s 372
        6⤵
        Program crash
        
        PID:2056
    - - C:\Users\Admin\AppData\Local\Temp\Unicorn-3779.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-3779.exe
        5⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2328
      - C:\Users\Admin\AppData\Local\Temp\Unicorn-60375.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-60375.exe
        6⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1588
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-4096.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-4096.exe
        7⤵
        
        PID:3148
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-56665.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-56665.exe
        8⤵
        
        PID:4776
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-20340.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-20340.exe
        9⤵
        
        PID:6964
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-2164.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-2164.exe
        10⤵
        
        PID:8872
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 6964 -s 376
        10⤵
        
        PID:10200
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4776 -s 372
        9⤵
        
        PID:7668
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3148 -s 372
        8⤵
        
        PID:5456
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1588 -s 376
        7⤵
        Program crash
        
        PID:4120
      - C:\Users\Admin\AppData\Local\Temp\Unicorn-20987.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-20987.exe
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:3244
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-64319.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-64319.exe
        7⤵
        System Location Discovery: System Language Discovery
        
        PID:4052
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-8995.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-8995.exe
        8⤵
        
        PID:5724
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-19902.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-19902.exe
        9⤵
        
        PID:8276
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-21629.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-21629.exe
        10⤵
        
        PID:10436
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 5724 -s 372
        9⤵
        
        PID:8972
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4052 -s 372
        8⤵
        
        PID:7056
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3244 -s 372
        7⤵
        
        PID:4772
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2328 -s 364
        6⤵
        Program crash
        
        PID:3216
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2088 -s 372
        5⤵
        Program crash
        
        PID:664
  - - C:\Users\Admin\AppData\Local\Temp\Unicorn-27686.exe
      C:\Users\Admin\AppData\Local\Temp\Unicorn-27686.exe
      4⤵
      Executes dropped EXE
      Suspicious use of SetWindowsHookEx
      PID:1808
    - - C:\Users\Admin\AppData\Local\Temp\Unicorn-64210.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-64210.exe
        5⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:304
      - C:\Users\Admin\AppData\Local\Temp\Unicorn-48123.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-48123.exe
        6⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2288
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-61465.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-61465.exe
        7⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:3104
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-18456.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-18456.exe
        8⤵
        
        PID:4396
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-12114.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-12114.exe
        9⤵
        
        PID:6216
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-45942.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-45942.exe
        10⤵
        
        PID:8688
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 6216 -s 372
        10⤵
        
        PID:9424
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4396 -s 372
        9⤵
        
        PID:7272
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3104 -s 372
        8⤵
        
        PID:6136
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2288 -s 376
        7⤵
        Program crash
        
        PID:4036
      - C:\Users\Admin\AppData\Local\Temp\Unicorn-8735.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-8735.exe
        6⤵
        
        PID:3188
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-65025.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-65025.exe
        7⤵
        
        PID:4676
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-49120.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-49120.exe
        8⤵
        
        PID:6912
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-8220.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-8220.exe
        9⤵
        
        PID:9176
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 6912 -s 376
        9⤵
        
        PID:10084
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4676 -s 368
        8⤵
        
        PID:7640
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3188 -s 372
        7⤵
        
        PID:5424
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 304 -s 372
        6⤵
        Program crash
        
        PID:3940
    - - C:\Users\Admin\AppData\Local\Temp\Unicorn-36233.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-36233.exe
        5⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1908
      - C:\Users\Admin\AppData\Local\Temp\Unicorn-3904.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-3904.exe
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:3348
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-24211.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-24211.exe
        7⤵
        
        PID:3552
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-1403.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-1403.exe
        8⤵
        
        PID:5960
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-49258.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-49258.exe
        9⤵
        
        PID:8564
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 5960 -s 372
        9⤵
        
        PID:9324
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3552 -s 372
        8⤵
        
        PID:7064
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3348 -s 376
        7⤵
        
        PID:5640
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1908 -s 372
        6⤵
        Program crash
        
        PID:3980
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1808 -s 372
        5⤵
        Program crash
        
        PID:1692
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 1376 -s 372
      4⤵
      Program crash
      PID:2892
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2808 -s 372
    3⤵
    - Loads dropped DLL
    - Program crash
    PID:1476
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 2140 -s 372
  2⤵
  - Program crash
  PID:2920

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\Unicorn-10090.exe

Filesize
192KB

MD5
b451e414c0ff24b2013bb4566b554668

SHA1
de8260c0125f793064dfe8ca160c17e72254ed96

SHA256
7e992eecba256f24734c91e8233ea271a70da2d79bbf0afbf12adf91f5167003

SHA512
3398d53544f099e8b76ce6874129da97e125f33f103a6f551b20e83fb627d8a91003c50733b93b149afc490637bfc20cb9266d0995d6cd880a47ba29099beec4

Download Submit
C:\Users\Admin\AppData\Local\Temp\Unicorn-20578.exe

Filesize
192KB

MD5
a27322d29d9bb9604ff72985528e2528

SHA1
eed5d295801b93a61418d18c766be48e26e2e946

SHA256
75edadafdd8e58ba7577267e6dea6f7ccb216b1a1cf3f6fc1a6ed8d9694b459f

SHA512
0c2d44e21985b0f5b76ee333ad09b449ddd9af2bf0ea2ef8876bcb30ff6aaff0fdd9e05ace1ebee103da760772a862e9800d4363eea59a1f07b45b9c946bb8b3

Download Submit
C:\Users\Admin\AppData\Local\Temp\Unicorn-2119.exe

Filesize
192KB

MD5
18ba6e88dafed26a3f80cc5acc8a5f4d

SHA1
2e37f49594977a522dc0628fb4c277bff4e1a47f

SHA256
98fdc0667b27ad11527339e5fa2b691dd671d23d73addb4565575eaf633e6ffa

SHA512
b7322fe66d50504be118025fe3923ff3127351511b502b76d8a7a567c9cd10f66920720b19525a07a7d6e277820bfe094f98c2f41ee6b01ae4eb57e49f801cb4

Download Submit
C:\Users\Admin\AppData\Local\Temp\Unicorn-29519.exe

Filesize
192KB

MD5
6384629ecc04eb0dfc5b7964dcbdcfce

SHA1
8ac2825d604e95aad3a230a3354e22f37ba11d30

SHA256
93e4ebfb8828b757a610049e61beef8cf4e367ef810a97852bad87fa1bf37f84

SHA512
3c2df323fe596ebd484b6d75df5e3e2780bfab3e0903755234f344fc889d428b65ed35bff4b1dc4e4c1a59d719143b528e2fe519935d1f8cc22bd819f923ae07

Download Submit
C:\Users\Admin\AppData\Local\Temp\Unicorn-45144.exe

Filesize
192KB

MD5
5709d72258a45ee06868a12fe20fda1f

SHA1
e68b1693f2d5270e92459b120fcf3d9d6dac7ca8

SHA256
76c3e6890602f76ce0307df35065b2a6195e313fdae0dc9eb30df66bf3b000bf

SHA512
e05b7def071d0564c712175c23988822e5e4af343983ba539b7cd1caa88fa4559a545075ca9ce15deb56997ed180acdee80915a179a3738b00d819fea3145dda

Download Submit
C:\Users\Admin\AppData\Local\Temp\Unicorn-59846.exe

Filesize
192KB

MD5
fa1507796f4a2ff1ae7b0d1295903b1d

SHA1
1d6d232683226927ae14e9b8de8200fce277b749

SHA256
bffa5d205a4a62033a7cf022cdc7e376f24a348a4fc6f681b2184962f71963f2

SHA512
a644356c5a1b02fbfdbd9a9c494f7de72cf4e8dbbdfb79dd056b185d0cf91af42890175f6560953baa14f02bfc247195b4603bfff2059a949ae43e53b53f1745

Download Submit
C:\Users\Admin\AppData\Local\Temp\Unicorn-61610.exe

Filesize
192KB

MD5
ae7e993fa9cea50619466a5033a0a43f

SHA1
525e04b964712161d41ae2eb04c10b33d12b2384

SHA256
f4c761e2157636ab6a225ba6b3ca5dc7ab131f80d6065253ba405d3c08a0ab66

SHA512
480def7e9f64e9e686084f263d60991751e0e7ddd64fd569d0018671c1cb267f9d5d57483a2df743e6072f83c17c63da340fdc677df3c436d3f29aa50b1f1066

Download Submit
C:\Users\Admin\AppData\Local\Temp\Unicorn-64791.exe

Filesize
192KB

MD5
782abfe3c3a17e942285872c296fa78c

SHA1
188cd10fa69c61407459db76f4b179bb4fe8a1f1

SHA256
f37d06a02fe67b5aa9fa8748fbb8211c27b22ac643b748efd6d72963fa87f2d0

SHA512
895b371b35caf872007e5a88d2b87251d29df966841e0ff2f809967f4293508f407d4c046d2e5dec686098333625113f8c143b075810e7db537e2e0308f7ad87

Download Submit
C:\Users\Admin\AppData\Local\Temp\Unicorn-712.exe

Filesize
192KB

MD5
bc6146fdcaf24b17934be01513ab2cf1

SHA1
f390a722c4ac83da3ed48a855ecf010376386122

SHA256
4b15ce7935d1c934ba4f289292ca34061aba448a5f2f76086a3da7663fc098fd

SHA512
e99ba5932b6df868dd3f3c8a69875a983819972798ccd7f56ecb6e1b256f3328d5c955c8d3594054a39e8f0e505f310e9b76a094dd31351abae84677e2395b38

Download Submit
C:\Users\Admin\AppData\Local\Temp\Unicorn-9653.exe

Filesize
192KB

MD5
06e038d9b0296ac687e853c886ac4a00

SHA1
792e4e0ae51142751011498c69bcada9f94256d7

SHA256
50d56af412e118048d31ed8884f80104e28ae11f83b1898a59199f5976f6cb7c

SHA512
a9d8b97d78c968027f782a4626473dd00efb873d56e43c1267cddcf251724ba6987dfa28c2313c83b67b9ab963564359b9da611c104c630e2f4555d15b02ae82

Download Submit
\Users\Admin\AppData\Local\Temp\Unicorn-12409.exe

Filesize
192KB

MD5
3178037da729dd741b21d7d65e60dda5

SHA1
c5e62d0286be5c97cee1019d7da6316ba52552b7

SHA256
8ee9f7b08c880ea8edb82f9097b5bf664e730b6d5d1e0b03e297338490d393d6

SHA512
8e154e1f06e7606358cea7b16e922e46fdc593d79f61c843739120b4d65411a6dbe93b2a1903c86524e686cb304b702cd5dd0fdd1884c458e4adfaea2859005d

Download Submit
\Users\Admin\AppData\Local\Temp\Unicorn-20448.exe

Filesize
192KB

MD5
aaa73ce3c99a255da16ca6f1d0748794

SHA1
28f845b9ea79a8bff76f4e81fe053c34d0a2f6be

SHA256
6c8d4da2c5b33bddd94448ba339959668ae7d73ab877c7f15a9169d06004ea16

SHA512
f77e6621af2b2a0463e4b3ecb4dcfb725be38d8319fa335823cba8637056fa19ecdb84a7accdc79dc6ff92955732c40320cc7848c40aec70a75b52521120a636

Download Submit
\Users\Admin\AppData\Local\Temp\Unicorn-53997.exe

Filesize
192KB

MD5
d125cfeabe912af081b125f956995172

SHA1
8aa744c1540fa159a4b33c5408dc6e2173122d3f

SHA256
977e679ec86156341e860712933aabc06e3c6f2f4fd6d6fd57dd6c9bbb6c742f

SHA512
0e750aceaa25ecbbbbc62c89bc583a6b9373b2ea112d8d4a85e2a044ae44d6d6e91bece5db19fd59fe3c2a95b5204ddbaee36c9a99e2312d7ba41e2e16ae347f

Download Submit
\Users\Admin\AppData\Local\Temp\Unicorn-62035.exe

Filesize
192KB

MD5
4b92b0c9a370aa8611c079e47967a642

SHA1
ff3ea9f8c819ed338c124e47e1ab244c8fd3ff4e

SHA256
51f8edb66d69ace742263e13e35c1245bd48724895435dece372c015c4f11528

SHA512
ac7ab4bb5471aef7b3bf59c28654bf8d3cdb1e8900a4feff803af98937d493aa77b320e9ab033fbe69e4404c65f67a46e0c743c6c104917a117d3acf69a6ac40

Download Submit
\Users\Admin\AppData\Local\Temp\Unicorn-7422.exe

Filesize
192KB

MD5
2333d81f93361cd912e48951da109cee

SHA1
7ea4492b14b077043a4469d5e07267314203f25e

SHA256
b065eada789a8508852841242d8545fb9cdb364e0eebf662c918e314555b5e32

SHA512
20386c6c35642d13bf95fcb2309dbddff326a3871860d416dc5e865050952d2597f9c23456d202a601ddfe577fcea2e910f37cc57380e0e8c1aadbb9191c4f51

Download Submit
\Users\Admin\AppData\Local\Temp\Unicorn-9941.exe

Filesize
192KB

MD5
627f5121a8cd05b1ddb6de94e9b94a68

SHA1
615396e892c7a240d8d859973e2f0d643da6bacc

SHA256
897a979ca269801a7a76c7c468ce066ccb251977d26e6926ba94c66b1a779548

SHA512
66d3474e1a8a2019db7aa3da7d7bd57e6f391b4dfb4c9b76cc2d2da4b3dd51fdaf1f6eea7cec8e9fb44ff77e13d4946436c98ee7054943075fa8290a0598b3f6

Download Submit