2c6dc0d8fe164a6e8a2f66407218d87ff4170b983beabb66573d96b58556081a

Analysis

max time kernel
120s
max time network
17s
platform
windows7_x64
resource
win7-20240704-en
resource tags

arch:x64arch:x86image:win7-20240704-enlocale:en-usos:windows7-x64system
submitted
20/08/2024, 04:27

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

cffe808d5b2d64637fc2a6aaba6f5780N.exe
Size

468KB
MD5

cffe808d5b2d64637fc2a6aaba6f5780
SHA1

97a418ad1945b4a8a55a69ba8fda245df12c7c33
SHA256

2c6dc0d8fe164a6e8a2f66407218d87ff4170b983beabb66573d96b58556081a
SHA512

1d7c31b461397a2630c048a42f934ed145de7126178957e7344143f07bc5ac2037de61f7b6db8540ec965a1a4fa469519754f72c31d5a723e785bfbcb2e78473
SSDEEP

3072:W1NhoggAay8UWb/sPz5FDf1cfhjWY8JnmHevVpPY2nv9VNNCMli:W1foXLUWYP1FDf/hPnY2vjNNC

Score

7^/10

discovery

Malware Config

Signatures

Executes dropped EXE 64 IoCs

pid	Process
2704	Unicorn-5064.exe
2880	Unicorn-25812.exe
2320	Unicorn-55147.exe
2632	Unicorn-56995.exe
544	Unicorn-36745.exe
2680	Unicorn-26954.exe
2976	Unicorn-2296.exe
2800	Unicorn-48160.exe
2992	Unicorn-34969.exe
2060	Unicorn-51798.exe
2044	Unicorn-63728.exe
2772	Unicorn-49650.exe
2476	Unicorn-29400.exe
2104	Unicorn-41399.exe
2012	Unicorn-60231.exe
664	Unicorn-23453.exe
1348	Unicorn-24522.exe
1336	Unicorn-10646.exe
852	Unicorn-43319.exe
3056	Unicorn-51648.exe
2344	Unicorn-5462.exe
2432	Unicorn-41856.exe
1900	Unicorn-54279.exe
2868	Unicorn-58000.exe
2120	Unicorn-7382.exe
1968	Unicorn-43776.exe
2752	Unicorn-11596.exe
2324	Unicorn-24019.exe
532	Unicorn-43885.exe
868	Unicorn-57076.exe
2988	Unicorn-17129.exe
2944	Unicorn-48960.exe
1280	Unicorn-19433.exe
1292	Unicorn-34809.exe
2240	Unicorn-55094.exe
1620	Unicorn-18508.exe
844	Unicorn-17932.exe
2000	Unicorn-21270.exe
1284	Unicorn-20139.exe
1852	Unicorn-273.exe
1672	Unicorn-19755.exe
2404	Unicorn-19755.exe
2392	Unicorn-16609.exe
2360	Unicorn-19371.exe
288	Unicorn-2193.exe
2728	Unicorn-5722.exe
2408	Unicorn-5722.exe
2876	Unicorn-2001.exe
2584	Unicorn-50450.exe
708	Unicorn-29131.exe
1796	Unicorn-49490.exe
2168	Unicorn-51986.exe
2272	Unicorn-64601.exe
1600	Unicorn-60263.exe
1504	Unicorn-23869.exe
892	Unicorn-13558.exe
1492	Unicorn-63060.exe
1960	Unicorn-61643.exe
2864	Unicorn-31924.exe
2784	Unicorn-11674.exe
2884	Unicorn-65473.exe
1948	Unicorn-31348.exe
2972	Unicorn-39249.exe
1736	Unicorn-2663.exe

Loads dropped DLL 64 IoCs

pid	Process
2840	cffe808d5b2d64637fc2a6aaba6f5780N.exe
2840	cffe808d5b2d64637fc2a6aaba6f5780N.exe
2704	Unicorn-5064.exe
2704	Unicorn-5064.exe
2840	cffe808d5b2d64637fc2a6aaba6f5780N.exe
2840	cffe808d5b2d64637fc2a6aaba6f5780N.exe
2880	Unicorn-25812.exe
2880	Unicorn-25812.exe
2704	Unicorn-5064.exe
2704	Unicorn-5064.exe
2320	Unicorn-55147.exe
2320	Unicorn-55147.exe
1788	WerFault.exe
1788	WerFault.exe
1788	WerFault.exe
1788	WerFault.exe
1788	WerFault.exe
2632	Unicorn-56995.exe
2632	Unicorn-56995.exe
2880	Unicorn-25812.exe
2880	Unicorn-25812.exe
544	Unicorn-36745.exe
544	Unicorn-36745.exe
2320	Unicorn-55147.exe
2680	Unicorn-26954.exe
2320	Unicorn-55147.exe
2680	Unicorn-26954.exe
1432	WerFault.exe
1432	WerFault.exe
1432	WerFault.exe
1432	WerFault.exe
1432	WerFault.exe
1752	WerFault.exe
1752	WerFault.exe
1752	WerFault.exe
1752	WerFault.exe
2976	Unicorn-2296.exe
2976	Unicorn-2296.exe
1752	WerFault.exe
2632	Unicorn-56995.exe
2632	Unicorn-56995.exe
2800	Unicorn-48160.exe
2800	Unicorn-48160.exe
2992	Unicorn-34969.exe
2992	Unicorn-34969.exe
544	Unicorn-36745.exe
2680	Unicorn-26954.exe
2060	Unicorn-51798.exe
2680	Unicorn-26954.exe
544	Unicorn-36745.exe
2060	Unicorn-51798.exe
2044	Unicorn-63728.exe
2044	Unicorn-63728.exe
1776	WerFault.exe
1776	WerFault.exe
1776	WerFault.exe
1776	WerFault.exe
1776	WerFault.exe
2212	WerFault.exe
2212	WerFault.exe
2212	WerFault.exe
2212	WerFault.exe
2212	WerFault.exe
2772	Unicorn-49650.exe

Program crash 64 IoCs

pid	pid_target	Process	procid_target
2612	2840	WerFault.exe	29
1788	2704	WerFault.exe	30
1432	2880	WerFault.exe	31
1752	2320	WerFault.exe	32
1776	2632	WerFault.exe	34
2212	544	WerFault.exe	35
1800	2680	WerFault.exe	36
1120	2976	WerFault.exe	38
2916	2800	WerFault.exe	39
2792	2992	WerFault.exe	40
2984	2060	WerFault.exe	42
2116	2044	WerFault.exe	41
2760	2772	WerFault.exe	45
1244	2104	WerFault.exe	47
2964	2012	WerFault.exe	48
2776	2476	WerFault.exe	46
1780	1348	WerFault.exe	50
2460	852	WerFault.exe	51
756	1336	WerFault.exe	52
2248	664	WerFault.exe	49
2788	3056	WerFault.exe	55
2196	1900	WerFault.exe	59
2300	2432	WerFault.exe	58
3016	2868	WerFault.exe	60
1992	2324	WerFault.exe	64
872	532	WerFault.exe	65
2596	2240	WerFault.exe	76
1080	1280	WerFault.exe	73
2160	1620	WerFault.exe	77
1668	2392	WerFault.exe	84
1548	1968	WerFault.exe	62
820	1852	WerFault.exe	81
3352	2404	WerFault.exe	82
3404	2344	WerFault.exe	57
3440	2876	WerFault.exe	89
3456	1284	WerFault.exe	80
3488	2784	WerFault.exe	110
3504	2120	WerFault.exe	61
3572	2944	WerFault.exe	70
3580	868	WerFault.exe	66
3624	2728	WerFault.exe	87
3652	288	WerFault.exe	86
3688	2752	WerFault.exe	63
3704	2584	WerFault.exe	91
3736	2988	WerFault.exe	69
3808	1796	WerFault.exe	95
3904	2168	WerFault.exe	98
3964	1292	WerFault.exe	75
3996	1672	WerFault.exe	83
3084	708	WerFault.exe	94
3252	2020	WerFault.exe	117
3368	2972	WerFault.exe	113
3540	1948	WerFault.exe	112
3556	2360	WerFault.exe	85
880	844	WerFault.exe	78
3780	2884	WerFault.exe	111
3816	1600	WerFault.exe	104
3940	628	WerFault.exe	137
3948	892	WerFault.exe	106
3976	1804	WerFault.exe	115
4028	2000	WerFault.exe	79
4068	2408	WerFault.exe	88
3076	2140	WerFault.exe	124
3144	2268	WerFault.exe	142

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Unicorn-5064.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Unicorn-7382.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Unicorn-48922.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Unicorn-44625.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Unicorn-19260.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Unicorn-21843.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Unicorn-21843.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Unicorn-21843.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Unicorn-55147.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Unicorn-61643.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Unicorn-27103.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Unicorn-45667.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Unicorn-33535.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Unicorn-40626.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Unicorn-9915.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Unicorn-49650.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Unicorn-6493.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Unicorn-63530.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Unicorn-21843.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Unicorn-21843.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Unicorn-2296.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Unicorn-48160.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Unicorn-57230.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Unicorn-29618.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Unicorn-23360.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Unicorn-21843.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Unicorn-29400.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Unicorn-20139.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Unicorn-16609.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Unicorn-52051.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Unicorn-37283.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Unicorn-21843.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Unicorn-43319.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Unicorn-19433.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Unicorn-21843.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Unicorn-12238.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Unicorn-4500.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Unicorn-59996.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Unicorn-26332.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Unicorn-51798.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Unicorn-41856.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Unicorn-2001.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Unicorn-27238.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Unicorn-48906.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Unicorn-46198.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Unicorn-5176.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Unicorn-11004.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Unicorn-15195.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Unicorn-49490.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Unicorn-60263.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Unicorn-43048.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Unicorn-57116.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Unicorn-521.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Unicorn-21843.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Unicorn-56995.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Unicorn-56742.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Unicorn-31348.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Unicorn-26328.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Unicorn-10365.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Unicorn-51450.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cffe808d5b2d64637fc2a6aaba6f5780N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Unicorn-19755.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Unicorn-39249.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Unicorn-56962.exe

Suspicious use of SetWindowsHookEx 64 IoCs

pid	Process
2840	cffe808d5b2d64637fc2a6aaba6f5780N.exe
2704	Unicorn-5064.exe
2880	Unicorn-25812.exe
2320	Unicorn-55147.exe
2632	Unicorn-56995.exe
544	Unicorn-36745.exe
2680	Unicorn-26954.exe
2976	Unicorn-2296.exe
2800	Unicorn-48160.exe
2992	Unicorn-34969.exe
2060	Unicorn-51798.exe
2044	Unicorn-63728.exe
2772	Unicorn-49650.exe
2104	Unicorn-41399.exe
2476	Unicorn-29400.exe
2012	Unicorn-60231.exe
1348	Unicorn-24522.exe
852	Unicorn-43319.exe
664	Unicorn-23453.exe
1336	Unicorn-10646.exe
3056	Unicorn-51648.exe
2344	Unicorn-5462.exe
2432	Unicorn-41856.exe
1900	Unicorn-54279.exe
2868	Unicorn-58000.exe
2120	Unicorn-7382.exe
2752	Unicorn-11596.exe
1968	Unicorn-43776.exe
532	Unicorn-43885.exe
2324	Unicorn-24019.exe
868	Unicorn-57076.exe
2988	Unicorn-17129.exe
2944	Unicorn-48960.exe
1280	Unicorn-19433.exe
1292	Unicorn-34809.exe
2240	Unicorn-55094.exe
1620	Unicorn-18508.exe
844	Unicorn-17932.exe
2000	Unicorn-21270.exe
1284	Unicorn-20139.exe
1852	Unicorn-273.exe
1672	Unicorn-19755.exe
2404	Unicorn-19755.exe
2392	Unicorn-16609.exe
2360	Unicorn-19371.exe
2728	Unicorn-5722.exe
288	Unicorn-2193.exe
2408	Unicorn-5722.exe
2876	Unicorn-2001.exe
2584	Unicorn-50450.exe
708	Unicorn-29131.exe
1796	Unicorn-49490.exe
2168	Unicorn-51986.exe
2272	Unicorn-64601.exe
1600	Unicorn-60263.exe
1504	Unicorn-23869.exe
892	Unicorn-13558.exe
1492	Unicorn-63060.exe
1960	Unicorn-61643.exe
2864	Unicorn-31924.exe
2784	Unicorn-11674.exe
2884	Unicorn-65473.exe
1948	Unicorn-31348.exe
1804	Unicorn-6493.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2840 wrote to memory of 2704	2840	cffe808d5b2d64637fc2a6aaba6f5780N.exe	30
PID 2840 wrote to memory of 2704	2840	cffe808d5b2d64637fc2a6aaba6f5780N.exe	30
PID 2840 wrote to memory of 2704	2840	cffe808d5b2d64637fc2a6aaba6f5780N.exe	30
PID 2840 wrote to memory of 2704	2840	cffe808d5b2d64637fc2a6aaba6f5780N.exe	30
PID 2704 wrote to memory of 2880	2704	Unicorn-5064.exe	31
PID 2704 wrote to memory of 2880	2704	Unicorn-5064.exe	31
PID 2704 wrote to memory of 2880	2704	Unicorn-5064.exe	31
PID 2704 wrote to memory of 2880	2704	Unicorn-5064.exe	31
PID 2840 wrote to memory of 2320	2840	cffe808d5b2d64637fc2a6aaba6f5780N.exe	32
PID 2840 wrote to memory of 2320	2840	cffe808d5b2d64637fc2a6aaba6f5780N.exe	32
PID 2840 wrote to memory of 2320	2840	cffe808d5b2d64637fc2a6aaba6f5780N.exe	32
PID 2840 wrote to memory of 2320	2840	cffe808d5b2d64637fc2a6aaba6f5780N.exe	32
PID 2840 wrote to memory of 2612	2840	cffe808d5b2d64637fc2a6aaba6f5780N.exe	33
PID 2840 wrote to memory of 2612	2840	cffe808d5b2d64637fc2a6aaba6f5780N.exe	33
PID 2840 wrote to memory of 2612	2840	cffe808d5b2d64637fc2a6aaba6f5780N.exe	33
PID 2840 wrote to memory of 2612	2840	cffe808d5b2d64637fc2a6aaba6f5780N.exe	33
PID 2880 wrote to memory of 2632	2880	Unicorn-25812.exe	34
PID 2880 wrote to memory of 2632	2880	Unicorn-25812.exe	34
PID 2880 wrote to memory of 2632	2880	Unicorn-25812.exe	34
PID 2880 wrote to memory of 2632	2880	Unicorn-25812.exe	34
PID 2704 wrote to memory of 544	2704	Unicorn-5064.exe	35
PID 2704 wrote to memory of 544	2704	Unicorn-5064.exe	35
PID 2704 wrote to memory of 544	2704	Unicorn-5064.exe	35
PID 2704 wrote to memory of 544	2704	Unicorn-5064.exe	35
PID 2320 wrote to memory of 2680	2320	Unicorn-55147.exe	36
PID 2320 wrote to memory of 2680	2320	Unicorn-55147.exe	36
PID 2320 wrote to memory of 2680	2320	Unicorn-55147.exe	36
PID 2320 wrote to memory of 2680	2320	Unicorn-55147.exe	36
PID 2704 wrote to memory of 1788	2704	Unicorn-5064.exe	37
PID 2704 wrote to memory of 1788	2704	Unicorn-5064.exe	37
PID 2704 wrote to memory of 1788	2704	Unicorn-5064.exe	37
PID 2704 wrote to memory of 1788	2704	Unicorn-5064.exe	37
PID 2632 wrote to memory of 2976	2632	Unicorn-56995.exe	38
PID 2632 wrote to memory of 2976	2632	Unicorn-56995.exe	38
PID 2632 wrote to memory of 2976	2632	Unicorn-56995.exe	38
PID 2632 wrote to memory of 2976	2632	Unicorn-56995.exe	38
PID 2880 wrote to memory of 2800	2880	Unicorn-25812.exe	39
PID 2880 wrote to memory of 2800	2880	Unicorn-25812.exe	39
PID 2880 wrote to memory of 2800	2880	Unicorn-25812.exe	39
PID 2880 wrote to memory of 2800	2880	Unicorn-25812.exe	39
PID 544 wrote to memory of 2992	544	Unicorn-36745.exe	40
PID 544 wrote to memory of 2992	544	Unicorn-36745.exe	40
PID 544 wrote to memory of 2992	544	Unicorn-36745.exe	40
PID 544 wrote to memory of 2992	544	Unicorn-36745.exe	40
PID 2320 wrote to memory of 2044	2320	Unicorn-55147.exe	41
PID 2320 wrote to memory of 2044	2320	Unicorn-55147.exe	41
PID 2320 wrote to memory of 2044	2320	Unicorn-55147.exe	41
PID 2320 wrote to memory of 2044	2320	Unicorn-55147.exe	41
PID 2680 wrote to memory of 2060	2680	Unicorn-26954.exe	42
PID 2680 wrote to memory of 2060	2680	Unicorn-26954.exe	42
PID 2680 wrote to memory of 2060	2680	Unicorn-26954.exe	42
PID 2680 wrote to memory of 2060	2680	Unicorn-26954.exe	42
PID 2880 wrote to memory of 1432	2880	Unicorn-25812.exe	43
PID 2880 wrote to memory of 1432	2880	Unicorn-25812.exe	43
PID 2880 wrote to memory of 1432	2880	Unicorn-25812.exe	43
PID 2880 wrote to memory of 1432	2880	Unicorn-25812.exe	43
PID 2320 wrote to memory of 1752	2320	Unicorn-55147.exe	44
PID 2320 wrote to memory of 1752	2320	Unicorn-55147.exe	44
PID 2320 wrote to memory of 1752	2320	Unicorn-55147.exe	44
PID 2320 wrote to memory of 1752	2320	Unicorn-55147.exe	44
PID 2976 wrote to memory of 2772	2976	Unicorn-2296.exe	45
PID 2976 wrote to memory of 2772	2976	Unicorn-2296.exe	45
PID 2976 wrote to memory of 2772	2976	Unicorn-2296.exe	45
PID 2976 wrote to memory of 2772	2976	Unicorn-2296.exe	45

C:\Users\Admin\AppData\Local\Temp\cffe808d5b2d64637fc2a6aaba6f5780N.exe
"C:\Users\Admin\AppData\Local\Temp\cffe808d5b2d64637fc2a6aaba6f5780N.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2840
- C:\Users\Admin\AppData\Local\Temp\Unicorn-5064.exe
  C:\Users\Admin\AppData\Local\Temp\Unicorn-5064.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2704
- - C:\Users\Admin\AppData\Local\Temp\Unicorn-25812.exe
    C:\Users\Admin\AppData\Local\Temp\Unicorn-25812.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:2880
  - - C:\Users\Admin\AppData\Local\Temp\Unicorn-56995.exe
      C:\Users\Admin\AppData\Local\Temp\Unicorn-56995.exe
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      System Location Discovery: System Language Discovery
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:2632
    - - C:\Users\Admin\AppData\Local\Temp\Unicorn-2296.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-2296.exe
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:2976
      - C:\Users\Admin\AppData\Local\Temp\Unicorn-49650.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-49650.exe
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2772
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-51648.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-51648.exe
        7⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:3056
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-17129.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-17129.exe
        8⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2988
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-50450.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-50450.exe
        9⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2584
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-21024.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-21024.exe
        10⤵
        
        PID:2552
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-10718.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-10718.exe
        11⤵
        
        PID:3288
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-60652.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-60652.exe
        12⤵
        
        PID:5848
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3288 -s 236
        12⤵
        
        PID:6220
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2552 -s 236
        11⤵
        
        PID:4816
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2584 -s 236
        10⤵
        Program crash
        
        PID:3704
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-7510.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-7510.exe
        9⤵
        
        PID:1240
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-13022.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-13022.exe
        10⤵
        
        PID:3388
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-9500.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-9500.exe
        11⤵
        
        PID:6064
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3388 -s 216
        11⤵
        
        PID:6284
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1240 -s 236
        10⤵
        
        PID:4832
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2988 -s 240
        9⤵
        Program crash
        
        PID:3736
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-29131.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-29131.exe
        8⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:708
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-18170.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-18170.exe
        9⤵
        
        PID:1256
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-2218.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-2218.exe
        10⤵
        
        PID:3720
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-12548.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-12548.exe
        11⤵
        
        PID:6784
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1256 -s 236
        10⤵
        
        PID:4336
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 708 -s 236
        9⤵
        Program crash
        
        PID:3084
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3056 -s 240
        8⤵
        Program crash
        
        PID:2788
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-48960.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-48960.exe
        7⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2944
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-49490.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-49490.exe
        8⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:1796
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-63037.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-63037.exe
        9⤵
        
        PID:1576
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-61455.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-61455.exe
        10⤵
        
        PID:3568
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-14459.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-14459.exe
        11⤵
        
        PID:1720
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3568 -s 216
        11⤵
        
        PID:6292
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1576 -s 216
        10⤵
        
        PID:4872
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1796 -s 236
        9⤵
        Program crash
        
        PID:3808
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-10800.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-10800.exe
        8⤵
        
        PID:3008
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-63261.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-63261.exe
        9⤵
        
        PID:4044
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-62276.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-62276.exe
        10⤵
        
        PID:2356
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4044 -s 236
        10⤵
        
        PID:2452
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3008 -s 236
        9⤵
        
        PID:4680
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2944 -s 240
        8⤵
        Program crash
        
        PID:3572
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2772 -s 220
        7⤵
        Program crash
        
        PID:2760
      - C:\Users\Admin\AppData\Local\Temp\Unicorn-5462.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-5462.exe
        6⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2344
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-19433.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-19433.exe
        7⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:1280
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-63060.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-63060.exe
        8⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1492
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-43048.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-43048.exe
        9⤵
        System Location Discovery: System Language Discovery
        
        PID:1324
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-21843.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-21843.exe
        10⤵
        System Location Discovery: System Language Discovery
        
        PID:3560
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-56962.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-56962.exe
        11⤵
        System Location Discovery: System Language Discovery
        
        PID:5788
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3560 -s 236
        11⤵
        
        PID:6188
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1324 -s 216
        10⤵
        
        PID:5156
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1492 -s 216
        9⤵
        
        PID:4084
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1280 -s 236
        8⤵
        Program crash
        
        PID:1080
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-61643.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-61643.exe
        7⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:1960
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-10365.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-10365.exe
        8⤵
        System Location Discovery: System Language Discovery
        
        PID:3748
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-11004.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-11004.exe
        9⤵
        System Location Discovery: System Language Discovery
        
        PID:5980
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3748 -s 236
        9⤵
        
        PID:912
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1960 -s 236
        8⤵
        
        PID:4440
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2344 -s 240
        7⤵
        Program crash
        
        PID:3404
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2976 -s 240
        6⤵
        Program crash
        
        PID:1120
    - - C:\Users\Admin\AppData\Local\Temp\Unicorn-29400.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-29400.exe
        5⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2476
      - C:\Users\Admin\AppData\Local\Temp\Unicorn-43776.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-43776.exe
        6⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1968
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-19371.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-19371.exe
        7⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2360
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-39249.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-39249.exe
        8⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2972
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-19260.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-19260.exe
        9⤵
        System Location Discovery: System Language Discovery
        
        PID:2576
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-21843.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-21843.exe
        10⤵
        
        PID:4232
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-45667.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-45667.exe
        11⤵
        System Location Discovery: System Language Discovery
        
        PID:6248
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2576 -s 236
        10⤵
        
        PID:4388
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2972 -s 236
        9⤵
        Program crash
        
        PID:3368
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-26332.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-26332.exe
        8⤵
        System Location Discovery: System Language Discovery
        
        PID:2188
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-21843.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-21843.exe
        9⤵
        
        PID:4224
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-15195.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-15195.exe
        10⤵
        System Location Discovery: System Language Discovery
        
        PID:6892
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2188 -s 216
        9⤵
        
        PID:1680
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2360 -s 240
        8⤵
        Program crash
        
        PID:3556
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-2663.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-2663.exe
        7⤵
        Executes dropped EXE
        
        PID:1736
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-61605.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-61605.exe
        8⤵
        
        PID:3200
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-21843.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-21843.exe
        9⤵
        System Location Discovery: System Language Discovery
        
        PID:4124
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-9915.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-9915.exe
        10⤵
        System Location Discovery: System Language Discovery
        
        PID:5636
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4124 -s 216
        10⤵
        
        PID:6196
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3200 -s 216
        9⤵
        
        PID:4864
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1736 -s 236
        8⤵
        
        PID:3328
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1968 -s 240
        7⤵
        Program crash
        
        PID:1548
      - C:\Users\Admin\AppData\Local\Temp\Unicorn-2193.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-2193.exe
        6⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:288
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-41662.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-41662.exe
        7⤵
        
        PID:1848
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-521.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-521.exe
        8⤵
        System Location Discovery: System Language Discovery
        
        PID:3188
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-37798.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-37798.exe
        9⤵
        
        PID:6132
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3188 -s 236
        9⤵
        
        PID:3596
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1848 -s 236
        8⤵
        
        PID:4740
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 288 -s 216
        7⤵
        Program crash
        
        PID:3652
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2476 -s 240
        6⤵
        Program crash
        
        PID:2776
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2632 -s 240
        5⤵
        Loads dropped DLL
        Program crash
        
        PID:1776
  - - C:\Users\Admin\AppData\Local\Temp\Unicorn-48160.exe
      C:\Users\Admin\AppData\Local\Temp\Unicorn-48160.exe
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      System Location Discovery: System Language Discovery
      Suspicious use of SetWindowsHookEx
      PID:2800
    - - C:\Users\Admin\AppData\Local\Temp\Unicorn-41399.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-41399.exe
        5⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2104
      - C:\Users\Admin\AppData\Local\Temp\Unicorn-41856.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-41856.exe
        6⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2432
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-55094.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-55094.exe
        7⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2240
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-60263.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-60263.exe
        8⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:1600
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-46198.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-46198.exe
        9⤵
        System Location Discovery: System Language Discovery
        
        PID:1524
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-21843.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-21843.exe
        10⤵
        
        PID:4160
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-8625.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-8625.exe
        11⤵
        
        PID:6668
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1524 -s 216
        10⤵
        
        PID:4416
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1600 -s 216
        9⤵
        Program crash
        
        PID:3816
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2240 -s 236
        8⤵
        Program crash
        
        PID:2596
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-23869.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-23869.exe
        7⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1504
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-63530.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-63530.exe
        8⤵
        System Location Discovery: System Language Discovery
        
        PID:628
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-26328.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-26328.exe
        9⤵
        System Location Discovery: System Language Discovery
        
        PID:1840
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-21843.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-21843.exe
        10⤵
        System Location Discovery: System Language Discovery
        
        PID:4180
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-23138.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-23138.exe
        11⤵
        
        PID:5976
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4180 -s 236
        11⤵
        
        PID:6240
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1840 -s 216
        10⤵
        
        PID:5044
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 628 -s 236
        9⤵
        Program crash
        
        PID:3940
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-56540.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-56540.exe
        8⤵
        
        PID:3172
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-21843.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-21843.exe
        9⤵
        System Location Discovery: System Language Discovery
        
        PID:3888
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-12238.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-12238.exe
        10⤵
        
        PID:2516
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3172 -s 216
        9⤵
        
        PID:5164
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1504 -s 240
        8⤵
        
        PID:3636
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2432 -s 240
        7⤵
        Program crash
        
        PID:2300
      - C:\Users\Admin\AppData\Local\Temp\Unicorn-17932.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-17932.exe
        6⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:844
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-13558.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-13558.exe
        7⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:892
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-46198.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-46198.exe
        8⤵
        
        PID:2420
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-21843.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-21843.exe
        9⤵
        System Location Discovery: System Language Discovery
        
        PID:4148
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-40626.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-40626.exe
        10⤵
        System Location Discovery: System Language Discovery
        
        PID:5820
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4148 -s 236
        10⤵
        
        PID:6228
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2420 -s 216
        9⤵
        
        PID:4584
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 892 -s 236
        8⤵
        Program crash
        
        PID:3948
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-26332.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-26332.exe
        7⤵
        
        PID:1972
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-21843.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-21843.exe
        8⤵
        
        PID:4216
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4216 -s 208
        9⤵
        
        PID:6948
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1972 -s 216
        8⤵
        
        PID:2328
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 844 -s 240
        7⤵
        Program crash
        
        PID:880
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2104 -s 240
        6⤵
        Program crash
        
        PID:1244
    - - C:\Users\Admin\AppData\Local\Temp\Unicorn-54279.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-54279.exe
        5⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1900
      - C:\Users\Admin\AppData\Local\Temp\Unicorn-34809.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-34809.exe
        6⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1292
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-51986.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-51986.exe
        7⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2168
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-30666.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-30666.exe
        8⤵
        
        PID:2860
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-3339.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-3339.exe
        9⤵
        
        PID:3744
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-12238.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-12238.exe
        10⤵
        System Location Discovery: System Language Discovery
        
        PID:2660
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2860 -s 216
        9⤵
        
        PID:4896
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2168 -s 216
        8⤵
        Program crash
        
        PID:3904
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-44625.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-44625.exe
        7⤵
        System Location Discovery: System Language Discovery
        
        PID:3028
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-53225.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-53225.exe
        8⤵
        
        PID:3880
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-28006.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-28006.exe
        9⤵
        
        PID:5248
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3880 -s 236
        9⤵
        
        PID:6164
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3028 -s 236
        8⤵
        
        PID:4920
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1292 -s 240
        7⤵
        Program crash
        
        PID:3964
      - C:\Users\Admin\AppData\Local\Temp\Unicorn-64601.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-64601.exe
        6⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2272
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-59996.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-59996.exe
        7⤵
        System Location Discovery: System Language Discovery
        
        PID:2268
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-25944.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-25944.exe
        8⤵
        
        PID:3112
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-21843.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-21843.exe
        9⤵
        
        PID:4172
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-15579.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-15579.exe
        10⤵
        
        PID:6860
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3112 -s 216
        9⤵
        
        PID:4700
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2268 -s 236
        8⤵
        Program crash
        
        PID:3144
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-58460.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-58460.exe
        7⤵
        
        PID:3240
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-21843.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-21843.exe
        8⤵
        System Location Discovery: System Language Discovery
        
        PID:3760
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-42362.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-42362.exe
        9⤵
        
        PID:6960
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3240 -s 216
        8⤵
        
        PID:5148
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2272 -s 240
        7⤵
        
        PID:4288
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1900 -s 240
        6⤵
        Program crash
        
        PID:2196
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2800 -s 240
        5⤵
        Program crash
        
        PID:2916
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 2880 -s 240
      4⤵
      Loads dropped DLL
      Program crash
      PID:1432
- - C:\Users\Admin\AppData\Local\Temp\Unicorn-36745.exe
    C:\Users\Admin\AppData\Local\Temp\Unicorn-36745.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:544
  - - C:\Users\Admin\AppData\Local\Temp\Unicorn-34969.exe
      C:\Users\Admin\AppData\Local\Temp\Unicorn-34969.exe
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Suspicious use of SetWindowsHookEx
      PID:2992
    - - C:\Users\Admin\AppData\Local\Temp\Unicorn-60231.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-60231.exe
        5⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2012
      - C:\Users\Admin\AppData\Local\Temp\Unicorn-58000.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-58000.exe
        6⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2868
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-21270.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-21270.exe
        7⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2000
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-6493.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-6493.exe
        8⤵
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:1804
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-46198.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-46198.exe
        9⤵
        
        PID:684
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-21843.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-21843.exe
        10⤵
        
        PID:3248
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-33535.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-33535.exe
        11⤵
        System Location Discovery: System Language Discovery
        
        PID:6920
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 684 -s 216
        10⤵
        
        PID:4564
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1804 -s 236
        9⤵
        Program crash
        
        PID:3976
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-26332.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-26332.exe
        8⤵
        
        PID:344
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-21843.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-21843.exe
        9⤵
        
        PID:4104
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-27103.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-27103.exe
        10⤵
        System Location Discovery: System Language Discovery
        
        PID:5680
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4104 -s 216
        10⤵
        
        PID:6204
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 344 -s 216
        9⤵
        
        PID:4260
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2000 -s 240
        8⤵
        Program crash
        
        PID:4028
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2868 -s 236
        7⤵
        Program crash
        
        PID:3016
      - C:\Users\Admin\AppData\Local\Temp\Unicorn-273.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-273.exe
        6⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1852
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-52051.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-52051.exe
        7⤵
        System Location Discovery: System Language Discovery
        
        PID:2952
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-12788.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-12788.exe
        8⤵
        
        PID:3264
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-21843.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-21843.exe
        9⤵
        System Location Discovery: System Language Discovery
        
        PID:4112
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-58784.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-58784.exe
        10⤵
        
        PID:5188
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4112 -s 236
        10⤵
        
        PID:6384
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3264 -s 216
        9⤵
        
        PID:5060
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2952 -s 236
        8⤵
        
        PID:4240
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1852 -s 236
        7⤵
        Program crash
        
        PID:820
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2012 -s 240
        6⤵
        Program crash
        
        PID:2964
    - - C:\Users\Admin\AppData\Local\Temp\Unicorn-7382.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-7382.exe
        5⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2120
      - C:\Users\Admin\AppData\Local\Temp\Unicorn-5722.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-5722.exe
        6⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2728
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-57230.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-57230.exe
        7⤵
        
        PID:1572
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-65181.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-65181.exe
        8⤵
        
        PID:3120
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-13651.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-13651.exe
        9⤵
        
        PID:5368
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3120 -s 236
        9⤵
        
        PID:6156
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1572 -s 236
        8⤵
        
        PID:4712
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2728 -s 236
        7⤵
        Program crash
        
        PID:3624
      - C:\Users\Admin\AppData\Local\Temp\Unicorn-48906.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-48906.exe
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:1624
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-23360.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-23360.exe
        7⤵
        System Location Discovery: System Language Discovery
        
        PID:3932
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-24814.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-24814.exe
        8⤵
        
        PID:6124
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3932 -s 236
        8⤵
        
        PID:2684
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1624 -s 216
        7⤵
        
        PID:4548
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2120 -s 240
        6⤵
        Program crash
        
        PID:3504
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2992 -s 240
        5⤵
        Program crash
        
        PID:2792
  - - C:\Users\Admin\AppData\Local\Temp\Unicorn-23453.exe
      C:\Users\Admin\AppData\Local\Temp\Unicorn-23453.exe
      4⤵
      Executes dropped EXE
      Suspicious use of SetWindowsHookEx
      PID:664
    - - C:\Users\Admin\AppData\Local\Temp\Unicorn-43885.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-43885.exe
        5⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:532
      - C:\Users\Admin\AppData\Local\Temp\Unicorn-19755.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-19755.exe
        6⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2404
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-31924.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-31924.exe
        7⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2864
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-31668.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-31668.exe
        8⤵
        
        PID:3544
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-31183.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-31183.exe
        9⤵
        
        PID:5644
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3544 -s 216
        9⤵
        
        PID:6004
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2864 -s 236
        8⤵
        
        PID:4308
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2404 -s 236
        7⤵
        Program crash
        
        PID:3352
      - C:\Users\Admin\AppData\Local\Temp\Unicorn-11674.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-11674.exe
        6⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2784
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-48922.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-48922.exe
        7⤵
        System Location Discovery: System Language Discovery
        
        PID:2920
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-29618.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-29618.exe
        8⤵
        System Location Discovery: System Language Discovery
        
        PID:3312
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-40784.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-40784.exe
        9⤵
        
        PID:4264
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3312 -s 236
        9⤵
        
        PID:5140
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2920 -s 236
        8⤵
        
        PID:4320
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2784 -s 236
        7⤵
        Program crash
        
        PID:3488
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 532 -s 240
        6⤵
        Program crash
        
        PID:872
    - - C:\Users\Admin\AppData\Local\Temp\Unicorn-16609.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-16609.exe
        5⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2392
      - C:\Users\Admin\AppData\Local\Temp\Unicorn-31348.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-31348.exe
        6⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:1948
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-19260.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-19260.exe
        7⤵
        
        PID:2592
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-21843.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-21843.exe
        8⤵
        
        PID:4136
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-10104.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-10104.exe
        9⤵
        
        PID:6824
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2592 -s 216
        8⤵
        
        PID:4456
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1948 -s 216
        7⤵
        Program crash
        
        PID:3540
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2392 -s 236
        6⤵
        Program crash
        
        PID:1668
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 664 -s 240
        5⤵
        Program crash
        
        PID:2248
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 544 -s 240
      4⤵
      Loads dropped DLL
      Program crash
      PID:2212
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2704 -s 240
    3⤵
    - Loads dropped DLL
    - Program crash
    PID:1788
- C:\Users\Admin\AppData\Local\Temp\Unicorn-55147.exe
  C:\Users\Admin\AppData\Local\Temp\Unicorn-55147.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2320
- - C:\Users\Admin\AppData\Local\Temp\Unicorn-26954.exe
    C:\Users\Admin\AppData\Local\Temp\Unicorn-26954.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:2680
  - - C:\Users\Admin\AppData\Local\Temp\Unicorn-51798.exe
      C:\Users\Admin\AppData\Local\Temp\Unicorn-51798.exe
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      System Location Discovery: System Language Discovery
      Suspicious use of SetWindowsHookEx
      PID:2060
    - - C:\Users\Admin\AppData\Local\Temp\Unicorn-43319.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-43319.exe
        5⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:852
      - C:\Users\Admin\AppData\Local\Temp\Unicorn-11596.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-11596.exe
        6⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2752
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-5722.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-5722.exe
        7⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2408
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-10525.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-10525.exe
        8⤵
        
        PID:2140
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-11444.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-11444.exe
        9⤵
        
        PID:440
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-21843.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-21843.exe
        10⤵
        System Location Discovery: System Language Discovery
        
        PID:3764
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-29727.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-29727.exe
        11⤵
        
        PID:1640
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3764 -s 216
        11⤵
        
        PID:6276
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 440 -s 216
        10⤵
        
        PID:3044
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2140 -s 236
        9⤵
        Program crash
        
        PID:3076
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-57116.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-57116.exe
        8⤵
        System Location Discovery: System Language Discovery
        
        PID:2608
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-21843.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-21843.exe
        9⤵
        System Location Discovery: System Language Discovery
        
        PID:4196
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2608 -s 216
        9⤵
        
        PID:4960
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2408 -s 240
        8⤵
        Program crash
        
        PID:4068
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-31801.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-31801.exe
        7⤵
        
        PID:1144
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-51450.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-51450.exe
        8⤵
        System Location Discovery: System Language Discovery
        
        PID:3232
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-27238.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-27238.exe
        9⤵
        System Location Discovery: System Language Discovery
        
        PID:1028
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3232 -s 236
        9⤵
        
        PID:6172
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1144 -s 216
        8⤵
        
        PID:4784
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2752 -s 220
        7⤵
        Program crash
        
        PID:3688
      - C:\Users\Admin\AppData\Local\Temp\Unicorn-2001.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-2001.exe
        6⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2876
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-57230.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-57230.exe
        7⤵
        System Location Discovery: System Language Discovery
        
        PID:1544
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-37859.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-37859.exe
        8⤵
        
        PID:3828
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-37096.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-37096.exe
        9⤵
        
        PID:5764
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3828 -s 216
        9⤵
        
        PID:916
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1544 -s 236
        8⤵
        
        PID:4512
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2876 -s 216
        7⤵
        Program crash
        
        PID:3440
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 852 -s 240
        6⤵
        Program crash
        
        PID:2460
    - - C:\Users\Admin\AppData\Local\Temp\Unicorn-24019.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-24019.exe
        5⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2324
      - C:\Users\Admin\AppData\Local\Temp\Unicorn-20139.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-20139.exe
        6⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:1284
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-5424.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-5424.exe
        7⤵
        
        PID:2304
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-37283.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-37283.exe
        8⤵
        System Location Discovery: System Language Discovery
        
        PID:3856
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-31088.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-31088.exe
        9⤵
        
        PID:6052
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3856 -s 236
        9⤵
        
        PID:6148
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2304 -s 236
        8⤵
        
        PID:4520
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1284 -s 216
        7⤵
        Program crash
        
        PID:3456
      - C:\Users\Admin\AppData\Local\Temp\Unicorn-54469.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-54469.exe
        6⤵
        
        PID:2020
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-16956.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-16956.exe
        7⤵
        
        PID:1580
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-38563.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-38563.exe
        8⤵
        
        PID:3448
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-55978.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-55978.exe
        9⤵
        
        PID:5596
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1580 -s 216
        8⤵
        
        PID:5292
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2020 -s 236
        7⤵
        Program crash
        
        PID:3252
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2324 -s 240
        6⤵
        Program crash
        
        PID:1992
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2060 -s 240
        5⤵
        Program crash
        
        PID:2984
  - - C:\Users\Admin\AppData\Local\Temp\Unicorn-24522.exe
      C:\Users\Admin\AppData\Local\Temp\Unicorn-24522.exe
      4⤵
      Executes dropped EXE
      Suspicious use of SetWindowsHookEx
      PID:1348
    - - C:\Users\Admin\AppData\Local\Temp\Unicorn-18508.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-18508.exe
        5⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1620
      - C:\Users\Admin\AppData\Local\Temp\Unicorn-65473.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-65473.exe
        6⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2884
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-46198.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-46198.exe
        7⤵
        
        PID:1892
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-21843.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-21843.exe
        8⤵
        
        PID:4208
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-41682.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-41682.exe
        9⤵
        
        PID:6548
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1892 -s 216
        8⤵
        
        PID:4344
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2884 -s 216
        7⤵
        Program crash
        
        PID:3780
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1620 -s 236
        6⤵
        Program crash
        
        PID:2160
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1348 -s 236
        5⤵
        Program crash
        
        PID:1780
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 2680 -s 240
      4⤵
      Program crash
      PID:1800
- - C:\Users\Admin\AppData\Local\Temp\Unicorn-63728.exe
    C:\Users\Admin\AppData\Local\Temp\Unicorn-63728.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of SetWindowsHookEx
    PID:2044
  - - C:\Users\Admin\AppData\Local\Temp\Unicorn-10646.exe
      C:\Users\Admin\AppData\Local\Temp\Unicorn-10646.exe
      4⤵
      Executes dropped EXE
      Suspicious use of SetWindowsHookEx
      PID:1336
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1336 -s 220
        5⤵
        Program crash
        
        PID:756
  - - C:\Users\Admin\AppData\Local\Temp\Unicorn-57076.exe
      C:\Users\Admin\AppData\Local\Temp\Unicorn-57076.exe
      4⤵
      Executes dropped EXE
      Suspicious use of SetWindowsHookEx
      PID:868
    - - C:\Users\Admin\AppData\Local\Temp\Unicorn-19755.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-19755.exe
        5⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1672
      - C:\Users\Admin\AppData\Local\Temp\Unicorn-56742.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-56742.exe
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:3052
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-5176.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-5176.exe
        7⤵
        System Location Discovery: System Language Discovery
        
        PID:3260
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-63124.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-63124.exe
        8⤵
        
        PID:6516
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3052 -s 236
        7⤵
        
        PID:5024
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1672 -s 236
        6⤵
        Program crash
        
        PID:3996
    - - C:\Users\Admin\AppData\Local\Temp\Unicorn-4500.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-4500.exe
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:884
      - C:\Users\Admin\AppData\Local\Temp\Unicorn-62192.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-62192.exe
        6⤵
        
        PID:4016
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-24705.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-24705.exe
        7⤵
        
        PID:5236
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4016 -s 236
        7⤵
        
        PID:6180
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 884 -s 216
        6⤵
        
        PID:4672
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 868 -s 220
        5⤵
        Program crash
        
        PID:3580
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 2044 -s 240
      4⤵
      Program crash
      PID:2116
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2320 -s 240
    3⤵
    - Loads dropped DLL
    - Program crash
    PID:1752
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 2840 -s 240
  2⤵
  - Program crash
  PID:2612

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\Unicorn-2296.exe

Filesize
468KB

MD5
ac061d4fae6fa433fd3e02ac6f6070bc

SHA1
698d8c18ca14a39f11ad067af18d2aa843065469

SHA256
a3c2a190d66f4369d84ea87922de08a2d1972bf874661391eab7070757125efa

SHA512
6632287ca7e5c1789e987fc6c6281526faa215e9d6132f8c84a9c44ed59aad30e6ed82d38b15e1745a2ab368ffc8e4b2513a247d1248db5bc87121805223f94d

Download Submit
C:\Users\Admin\AppData\Local\Temp\Unicorn-51798.exe

Filesize
468KB

MD5
c6a9597c367e79550f7a6dbb55937f6c

SHA1
999e34e507b491354ae7f52fdc06c76ab1553b49

SHA256
2da3a7106f7ab571980f52f9e2ff4d5a2fd754dcde6c1368d14c993a5f8190cf

SHA512
59703b8c66f6d14c4c98eb1700359f7675d582ff609c287f1269dfaee6280dad40adff39e3bf614f2c0e54414b27b5e520a9c03edaeec4a404ec7b2ac9b0e44e

Download Submit
C:\Users\Admin\AppData\Local\Temp\Unicorn-57076.exe

Filesize
468KB

MD5
e1b740e306a9ea4001e0edf8f928f40f

SHA1
82271bec3da47e236b765657f8cdf4765fe90857

SHA256
5413d68e567a23e05d16cef9afb7866a75bd09c494308ee9d586e4587976c656

SHA512
9cfd7b822ba51c217aaca27ac10c8066d2d45d475112c7f11b3dc7e37058433f278696fa376ed61d14101dec965bde92c74079c5401517cef8e75e5377086e3f

Download Submit
C:\Users\Admin\AppData\Local\Temp\Unicorn-57230.exe

Filesize
468KB

MD5
3afa9b953abd22038a497125edf1e946

SHA1
582d80a566d44b9f1e766f5d6875fd703496f8e8

SHA256
7f1e53e16ddbb5b122e067643e1c0b0b0488dd1589d6f63aafde9eaf0d1aadf8

SHA512
dd7c9d05bad4d2661544cdebbea3df638d17c9a52f41730beec01fab0dce76f7712a12a5e2734bf15f4d6b7bb60cd74c49bcf4287df1c17238df049e55e77687

Download Submit
\Users\Admin\AppData\Local\Temp\Unicorn-25812.exe

Filesize
468KB

MD5
3602eebe2e12be6e9cef973eceda1d5f

SHA1
a0e7a002110c13c4c731602985f973c2d42ae71f

SHA256
5b230a54e53175816a4b0da28a4dd1f02907f874a72bc2ea9e1eb2c599ec14b1

SHA512
ff1bd3791c1794111608ea261d69a8e1753b2dab1f1e29202913d5426b942231f30f996a24acc25fed6e265a7fc3e9add29c609b83f3bff6d94ff27259dc6180

Download Submit
\Users\Admin\AppData\Local\Temp\Unicorn-26954.exe

Filesize
468KB

MD5
24c211f0d28580600b977ae79fe69333

SHA1
cdcea230f5efa8234874d5ea650fb2a4ae0a5142

SHA256
a8dca9372253e0dc206ed6b9603614f8d6d733ddd7481604b46f7a826b2c9c86

SHA512
b9010b3c96036a4c3aee714eeda0d5e9a49dccb8cb8046e398ca4af95cd5c1ceabe034f82e4884d5923cfae666cf4b83d2af96ff771db0ed707f9d4aa96d273a

Download Submit
\Users\Admin\AppData\Local\Temp\Unicorn-29400.exe

Filesize
468KB

MD5
44267b04aad7ddbe705d498f45e4a8a6

SHA1
6ea42412719d428ee6392d73df7e9abaad58f7f6

SHA256
cbca0b0e4329c654a7fbba6db451042dcc23ecb8d4a09275154ff4bca6c00e95

SHA512
0f5406cc189170582d5bad9c10bd0b1a80a65866847a99ba13618591f09dcf75d79b2f16e3e9ac3a1d3a011526f1e91beb686bc04eb4d07c063e783dc1e847fe

Download Submit
\Users\Admin\AppData\Local\Temp\Unicorn-34969.exe

Filesize
468KB

MD5
cfeeada73bd99e4fb32b15c2e9d2b546

SHA1
6499c4dac88a3fe9b202e2ae43ff90e210cc7c07

SHA256
c883d2baef4f1278540bb351355b15045e4eede792e912fce5744296a6d962f7

SHA512
ebf5b77787eed77f73d77a197c736bc278c6fb67d298c3aea7e984f75ac3e3562f1ab2c6121bc08b1ab69a61007acf0c97ca1c8f41b3cdd0071bca25ce3e6937

Download Submit
\Users\Admin\AppData\Local\Temp\Unicorn-36745.exe

Filesize
468KB

MD5
7d4bf0d6e10d5febde14696c6cc2385e

SHA1
f4a5e11e5be0ab9fbac60610eb59fcbcc961ee10

SHA256
0de237a23bf6530fd0d82d298ee6f299f18c4960d2aca00c4691f379541bca33

SHA512
7c8071d88a64c2ad5fa4fc41d798139187281904d71145b76fb4a3dd0781cf127a0d7761631f264f1767596bd57ac6dc9d527e24a0f44c295788637b968d2fb5

Download Submit
\Users\Admin\AppData\Local\Temp\Unicorn-41399.exe

Filesize
468KB

MD5
84cfda4e481b805768cc39a5e0c4318d

SHA1
e5772ec9ea7d09f278fa19aacad8b56b38508ed9

SHA256
6ad1cd6518c05e013e2d3322b694ffc4fe1bc755956bdb212d92858780906047

SHA512
9cab41c91dba7b05d4b01e1cddfa726f2e542178ecba793c72099dd47a8c738b683e39523a09832b1f9c7d690ceb2bab420e1b143bb3f45d447d04b8c634a1af

Download Submit
\Users\Admin\AppData\Local\Temp\Unicorn-48160.exe

Filesize
468KB

MD5
44f22a63324c4ea1e2641c8e53d03315

SHA1
fded889dd684b25f3c67b721d60dc728accbd81d

SHA256
6ad9fe6dafd4fc93718de1b484d68a95eede9b5d84ad9bfa36d0757f0605c974

SHA512
61587942d83ed5cbbe23a2f19f7b31b1e8eb7c27901534a5e42e7d11cb047f1f1c26007d8fe514361ef16b0d2e627d81e0e250234ac6bb5ed9819b2e0a38e89f

Download Submit
\Users\Admin\AppData\Local\Temp\Unicorn-49650.exe

Filesize
468KB

MD5
001d1b49b55dfc99016904372aa42ac8

SHA1
f30929507bef981a1354e39997a6f44720968c8b

SHA256
d74eaf8cc4c1872e07718b91694e920dceb9494094da0266e7189abd36877cd6

SHA512
2e226f3c9d6a684a0116cb22b28f2413973b97c6cde087a960a357b20fb020bee84495f5f31080a725cdd67bc93239efce31b444160abe57286ca07dc0970798

Download Submit
\Users\Admin\AppData\Local\Temp\Unicorn-5064.exe

Filesize
468KB

MD5
104c96fc97a365660bfc5a5001283b97

SHA1
240e692a5bb383fd7ba014588e5f635a4c315362

SHA256
3a3572360a39143fe264aa6d129166d05dd8206fb35a52eafd27a9f13ff6c603

SHA512
776c4c2d0490eb177c8e0a57925c57410be81b788fdcbe377c0ccde1023ded11a5c5804f95584ccebad8d14252a900ac15a1d1417fc5f86f3895a036b817ecd3

Download Submit
\Users\Admin\AppData\Local\Temp\Unicorn-55147.exe

Filesize
468KB

MD5
1d2184967a3afb80b79a0267ab1fa1ff

SHA1
f06dd6c4647fbebb348a4f75edd87df32cc226c7

SHA256
b7b4155cfefc212ecd18b209591d9e9593c3bcb8478adca87614fc6f1fd26d02

SHA512
8a428e48a74250331419eaf231c37a38c9abc965c41424ac16ae94dedb54ba76ae51904faa7ec42f96c45f2c5610cdf2a1db14700be0aa5c8400bf1187a68036

Download Submit
\Users\Admin\AppData\Local\Temp\Unicorn-56995.exe

Filesize
468KB

MD5
48b46f3e9420ccb33566f4548915d744

SHA1
df6e0cefb4d5eb04e673936622a61c4b58b6162b

SHA256
3cb6895814b5aaaf254f489ad0f2b02905354352b298b4f0474e0206cb4cb145

SHA512
8932b0d5961c28517d07b29e5ee15fdaf358d1af84f1915e924ce2894363c7e507da21fc491f3844907193e7224f8ac1f82a7c500cc3825027748036cf6753be

Download Submit
\Users\Admin\AppData\Local\Temp\Unicorn-63728.exe

Filesize
468KB

MD5
edc2adae67e15387a7ad4f3e1532694c

SHA1
656ad187fc61d133f98cb440bb0651315ff696c9

SHA256
329ab869d17c15221312dfc095095c41b9bdd24998c95486a767ae396961f618

SHA512
448e309d1c449d3821c85af2ec5409f1c7d3c8a4b9ce8b1b695b8f3c45c2d913f1e4603c9dd3bfed5329ecc83484c0cdf15406df9ac3c199ccbdbc3ac32a5999

Download Submit
memory/532-326-0x0000000000400000-0x0000000000475000-memory.dmp

Filesize
468KB

Download
memory/544-60-0x0000000000400000-0x0000000000475000-memory.dmp

Filesize
468KB

Download
memory/544-214-0x00000000025F0000-0x0000000002665000-memory.dmp

Filesize
468KB

Download
memory/664-317-0x0000000002760000-0x00000000027D5000-memory.dmp

Filesize
468KB

Download
memory/664-325-0x0000000002760000-0x00000000027D5000-memory.dmp

Filesize
468KB

Download
memory/664-219-0x0000000000400000-0x0000000000475000-memory.dmp

Filesize
468KB

Download
memory/844-408-0x0000000000400000-0x0000000000475000-memory.dmp

Filesize
468KB

Download
memory/852-309-0x0000000002720000-0x0000000002795000-memory.dmp

Filesize
468KB

Download
memory/852-308-0x0000000002720000-0x0000000002795000-memory.dmp

Filesize
468KB

Download
memory/852-225-0x0000000000400000-0x0000000000475000-memory.dmp

Filesize
468KB

Download
memory/868-336-0x0000000000400000-0x0000000000475000-memory.dmp

Filesize
468KB

Download
memory/868-444-0x0000000002620000-0x0000000002695000-memory.dmp

Filesize
468KB

Download
memory/1280-370-0x0000000000400000-0x0000000000475000-memory.dmp

Filesize
468KB

Download
memory/1284-435-0x0000000000400000-0x0000000000475000-memory.dmp

Filesize
468KB

Download
memory/1292-379-0x0000000000400000-0x0000000000475000-memory.dmp

Filesize
468KB

Download
memory/1336-224-0x0000000000400000-0x0000000000475000-memory.dmp

Filesize
468KB

Download
memory/1348-223-0x0000000000400000-0x0000000000475000-memory.dmp

Filesize
468KB

Download
memory/1348-396-0x0000000002580000-0x00000000025F5000-memory.dmp

Filesize
468KB

Download
memory/1620-398-0x0000000000400000-0x0000000000475000-memory.dmp

Filesize
468KB

Download
memory/1852-436-0x0000000000400000-0x0000000000475000-memory.dmp

Filesize
468KB

Download
memory/1900-378-0x0000000003410000-0x0000000003485000-memory.dmp

Filesize
468KB

Download
memory/1900-270-0x0000000000400000-0x0000000000475000-memory.dmp

Filesize
468KB

Download
memory/1968-299-0x0000000000400000-0x0000000000475000-memory.dmp

Filesize
468KB

Download
memory/2000-421-0x0000000000400000-0x0000000000475000-memory.dmp

Filesize
468KB

Download
memory/2012-439-0x00000000028B0000-0x0000000002925000-memory.dmp

Filesize
468KB

Download
memory/2012-438-0x00000000028B0000-0x0000000002925000-memory.dmp

Filesize
468KB

Download
memory/2012-278-0x00000000028B0000-0x0000000002925000-memory.dmp

Filesize
468KB

Download
memory/2012-279-0x00000000028B0000-0x0000000002925000-memory.dmp

Filesize
468KB

Download
memory/2012-193-0x0000000000400000-0x0000000000475000-memory.dmp

Filesize
468KB

Download
memory/2044-129-0x0000000000400000-0x0000000000475000-memory.dmp

Filesize
468KB

Download
memory/2044-334-0x00000000006C0000-0x0000000000735000-memory.dmp

Filesize
468KB

Download
memory/2044-335-0x00000000006C0000-0x0000000000735000-memory.dmp

Filesize
468KB

Download
memory/2044-222-0x00000000006C0000-0x0000000000735000-memory.dmp

Filesize
468KB

Download
memory/2044-221-0x00000000006C0000-0x0000000000735000-memory.dmp

Filesize
468KB

Download
memory/2060-321-0x00000000025A0000-0x0000000002615000-memory.dmp

Filesize
468KB

Download
memory/2060-218-0x00000000025A0000-0x0000000002615000-memory.dmp

Filesize
468KB

Download
memory/2060-316-0x00000000025A0000-0x0000000002615000-memory.dmp

Filesize
468KB

Download
memory/2060-127-0x0000000000400000-0x0000000000475000-memory.dmp

Filesize
468KB

Download
memory/2104-260-0x0000000001F20000-0x0000000001F95000-memory.dmp

Filesize
468KB

Download
memory/2104-407-0x0000000001F20000-0x0000000001F95000-memory.dmp

Filesize
468KB

Download
memory/2104-406-0x0000000001F20000-0x0000000001F95000-memory.dmp

Filesize
468KB

Download
memory/2104-256-0x0000000001F20000-0x0000000001F95000-memory.dmp

Filesize
468KB

Download
memory/2104-181-0x0000000000400000-0x0000000000475000-memory.dmp

Filesize
468KB

Download
memory/2120-290-0x0000000000400000-0x0000000000475000-memory.dmp

Filesize
468KB

Download
memory/2240-388-0x0000000000400000-0x0000000000475000-memory.dmp

Filesize
468KB

Download
memory/2320-397-0x0000000000400000-0x0000000000475000-memory.dmp

Filesize
468KB

Download
memory/2324-437-0x0000000000480000-0x00000000004F5000-memory.dmp

Filesize
468KB

Download
memory/2324-434-0x0000000000480000-0x00000000004F5000-memory.dmp

Filesize
468KB

Download
memory/2344-251-0x0000000000400000-0x0000000000475000-memory.dmp

Filesize
468KB

Download
memory/2344-369-0x0000000001D40000-0x0000000001DB5000-memory.dmp

Filesize
468KB

Download
memory/2476-178-0x0000000000400000-0x0000000000475000-memory.dmp

Filesize
468KB

Download
memory/2476-298-0x0000000000480000-0x00000000004F5000-memory.dmp

Filesize
468KB

Download
memory/2476-297-0x0000000000480000-0x00000000004F5000-memory.dmp

Filesize
468KB

Download
memory/2632-170-0x0000000002660000-0x00000000026D5000-memory.dmp

Filesize
468KB

Download
memory/2632-429-0x0000000000400000-0x0000000000475000-memory.dmp

Filesize
468KB

Download
memory/2632-173-0x0000000002660000-0x00000000026D5000-memory.dmp

Filesize
468KB

Download
memory/2680-212-0x0000000000480000-0x00000000004F5000-memory.dmp

Filesize
468KB

Download
memory/2680-220-0x0000000000480000-0x00000000004F5000-memory.dmp

Filesize
468KB

Download
memory/2680-70-0x0000000000400000-0x0000000000475000-memory.dmp

Filesize
468KB

Download
memory/2704-17-0x00000000025C0000-0x0000000002635000-memory.dmp

Filesize
468KB

Download
memory/2704-368-0x0000000000400000-0x0000000000475000-memory.dmp

Filesize
468KB

Download
memory/2752-310-0x0000000000400000-0x0000000000475000-memory.dmp

Filesize
468KB

Download
memory/2772-157-0x0000000000400000-0x0000000000475000-memory.dmp

Filesize
468KB

Download
memory/2772-240-0x0000000000380000-0x00000000003F5000-memory.dmp

Filesize
468KB

Download
memory/2772-239-0x0000000000380000-0x00000000003F5000-memory.dmp

Filesize
468KB

Download
memory/2800-96-0x0000000000400000-0x0000000000475000-memory.dmp

Filesize
468KB

Download
memory/2800-180-0x00000000024B0000-0x0000000002525000-memory.dmp

Filesize
468KB

Download
memory/2800-268-0x00000000024B0000-0x0000000002525000-memory.dmp

Filesize
468KB

Download
memory/2800-269-0x00000000024B0000-0x0000000002525000-memory.dmp

Filesize
468KB

Download
memory/2800-179-0x00000000024B0000-0x0000000002525000-memory.dmp

Filesize
468KB

Download
memory/2840-344-0x0000000000400000-0x0000000000475000-memory.dmp

Filesize
468KB

Download
memory/2840-32-0x0000000001CB0000-0x0000000001D25000-memory.dmp

Filesize
468KB

Download
memory/2840-26-0x0000000001CB0000-0x0000000001D25000-memory.dmp

Filesize
468KB

Download
memory/2840-5-0x0000000001CB0000-0x0000000001D25000-memory.dmp

Filesize
468KB

Download
memory/2840-0-0x0000000000400000-0x0000000000475000-memory.dmp

Filesize
468KB

Download
memory/2868-420-0x0000000000480000-0x00000000004F5000-memory.dmp

Filesize
468KB

Download
memory/2868-419-0x0000000000480000-0x00000000004F5000-memory.dmp

Filesize
468KB

Download
memory/2868-280-0x0000000000400000-0x0000000000475000-memory.dmp

Filesize
468KB

Download
memory/2880-422-0x0000000000480000-0x00000000004F5000-memory.dmp

Filesize
468KB

Download
memory/2880-387-0x0000000000400000-0x0000000000475000-memory.dmp

Filesize
468KB

Download
memory/2880-42-0x0000000000480000-0x00000000004F5000-memory.dmp

Filesize
468KB

Download
memory/2944-360-0x0000000000400000-0x0000000000475000-memory.dmp

Filesize
468KB

Download
memory/2976-154-0x0000000000530000-0x00000000005A5000-memory.dmp

Filesize
468KB

Download
memory/2976-155-0x0000000000530000-0x00000000005A5000-memory.dmp

Filesize
468KB

Download
memory/2976-250-0x0000000000530000-0x00000000005A5000-memory.dmp

Filesize
468KB

Download
memory/2976-249-0x0000000000530000-0x00000000005A5000-memory.dmp

Filesize
468KB

Download
memory/2976-95-0x0000000000400000-0x0000000000475000-memory.dmp

Filesize
468KB

Download
memory/2988-352-0x0000000000400000-0x0000000000475000-memory.dmp

Filesize
468KB

Download
memory/2992-110-0x0000000000400000-0x0000000000475000-memory.dmp

Filesize
468KB

Download
memory/2992-191-0x00000000025D0000-0x0000000002645000-memory.dmp

Filesize
468KB

Download
memory/2992-192-0x00000000025D0000-0x0000000002645000-memory.dmp

Filesize
468KB

Download
memory/2992-288-0x00000000025D0000-0x0000000002645000-memory.dmp

Filesize
468KB

Download
memory/2992-289-0x00000000025D0000-0x0000000002645000-memory.dmp

Filesize
468KB

Download
memory/3056-351-0x00000000024D0000-0x0000000002545000-memory.dmp

Filesize
468KB

Download
memory/3056-350-0x00000000024D0000-0x0000000002545000-memory.dmp

Filesize
468KB

Download
memory/3056-241-0x0000000000400000-0x0000000000475000-memory.dmp

Filesize
468KB

Download