900f3f4b15b4cb3fb03055063fb82ed779279a211226cc06bc80b2fc64582c03

Analysis

max time kernel
147s
max time network
119s
platform
windows7_x64
resource
win7-20240704-en
resource tags

arch:x64arch:x86image:win7-20240704-enlocale:en-usos:windows7-x64system
submitted
01-09-2024 11:18

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

d0d1de1b099ed27ffac9b672f9542e95da526ef38796220a5278fdc0291c8805.exe
Size

192KB
MD5

61e29b6815f07164b0b9edf3949fa7df
SHA1

ee3bcd6b4f96a2f7bb8c278f979e3083499a3abe
SHA256

d0d1de1b099ed27ffac9b672f9542e95da526ef38796220a5278fdc0291c8805
SHA512

6d29a0a7fe1ee366d3c92c7588c20accd8e856cc459de0009b7a5ddc6c6f9beb00484d6f770caac2bee3d4847c07a62580e3c6c2a0f8a8120c854ad9bd5d63e1
SSDEEP

3072:upPEoUPykIwQMOj88iIJbJOIiKZqMkylfjgxJ5EdRNQHtpFO:up8oQ9QMP8LJbJhYKuqNQHtpF

Score

7^/10

discovery

Malware Config

Signatures

Executes dropped EXE 64 IoCs

pid	Process
2096	Unicorn-41695.exe
2392	Unicorn-28504.exe
2692	Unicorn-470.exe
2956	Unicorn-45006.exe
2944	Unicorn-12888.exe
2852	Unicorn-28670.exe
2732	Unicorn-36091.exe
3032	Unicorn-57066.exe
1644	Unicorn-64679.exe
1504	Unicorn-28285.exe
1028	Unicorn-35188.exe
1356	Unicorn-3070.exe
2232	Unicorn-56355.exe
1116	Unicorn-6407.exe
2376	Unicorn-34996.exe
496	Unicorn-2878.exe
108	Unicorn-22744.exe
1292	Unicorn-63065.exe
2432	Unicorn-35908.exe
916	Unicorn-15208.exe
2272	Unicorn-16278.exe
2992	Unicorn-3833.exe
3004	Unicorn-29084.exe
2460	Unicorn-48950.exe
2084	Unicorn-12556.exe
1036	Unicorn-32422.exe
2932	Unicorn-53397.exe
2520	Unicorn-63942.exe
2328	Unicorn-16085.exe
2492	Unicorn-35951.exe
2632	Unicorn-11254.exe
2864	Unicorn-60455.exe
2860	Unicorn-28145.exe
3068	Unicorn-44482.exe
1960	Unicorn-31483.exe
804	Unicorn-7533.exe
592	Unicorn-14954.exe
484	Unicorn-14954.exe
864	Unicorn-27761.exe
560	Unicorn-43543.exe
1276	Unicorn-59879.exe
1416	Unicorn-20937.exe
2264	Unicorn-13283.exe
1748	Unicorn-43216.exe
1656	Unicorn-6267.exe
2988	Unicorn-27242.exe
2976	Unicorn-30580.exe
2236	Unicorn-31134.exe
1060	Unicorn-38748.exe
2172	Unicorn-51555.exe
1584	Unicorn-64596.exe
2876	Unicorn-15395.exe
2076	Unicorn-15395.exe
2736	Unicorn-15758.exe
2840	Unicorn-2759.exe
2040	Unicorn-49500.exe
2792	Unicorn-3828.exe
2676	Unicorn-47876.exe
3028	Unicorn-57113.exe
2680	Unicorn-41139.exe
1084	Unicorn-36309.exe
1692	Unicorn-4980.exe
2884	Unicorn-49905.exe
3024	Unicorn-33547.exe

Loads dropped DLL 64 IoCs

pid	Process
2572	d0d1de1b099ed27ffac9b672f9542e95da526ef38796220a5278fdc0291c8805.exe
2572	d0d1de1b099ed27ffac9b672f9542e95da526ef38796220a5278fdc0291c8805.exe
2096	Unicorn-41695.exe
2096	Unicorn-41695.exe
2572	d0d1de1b099ed27ffac9b672f9542e95da526ef38796220a5278fdc0291c8805.exe
2572	d0d1de1b099ed27ffac9b672f9542e95da526ef38796220a5278fdc0291c8805.exe
2392	Unicorn-28504.exe
2392	Unicorn-28504.exe
2096	Unicorn-41695.exe
2096	Unicorn-41695.exe
2692	Unicorn-470.exe
2692	Unicorn-470.exe
2652	WerFault.exe
2652	WerFault.exe
2652	WerFault.exe
2652	WerFault.exe
2652	WerFault.exe
2652	WerFault.exe
2652	WerFault.exe
2956	Unicorn-45006.exe
2956	Unicorn-45006.exe
2392	Unicorn-28504.exe
2392	Unicorn-28504.exe
2944	Unicorn-12888.exe
2944	Unicorn-12888.exe
2692	Unicorn-470.exe
2692	Unicorn-470.exe
1660	WerFault.exe
1660	WerFault.exe
1660	WerFault.exe
1660	WerFault.exe
1660	WerFault.exe
1660	WerFault.exe
1660	WerFault.exe
1996	WerFault.exe
1996	WerFault.exe
1996	WerFault.exe
1996	WerFault.exe
1996	WerFault.exe
1996	WerFault.exe
1996	WerFault.exe
2732	Unicorn-36091.exe
2732	Unicorn-36091.exe
2956	Unicorn-45006.exe
2956	Unicorn-45006.exe
2852	Unicorn-28670.exe
2852	Unicorn-28670.exe
3032	Unicorn-57066.exe
3032	Unicorn-57066.exe
1644	Unicorn-64679.exe
1644	Unicorn-64679.exe
2944	Unicorn-12888.exe
1504	Unicorn-28285.exe
2944	Unicorn-12888.exe
1504	Unicorn-28285.exe
2900	WerFault.exe
2900	WerFault.exe
2900	WerFault.exe
2900	WerFault.exe
2900	WerFault.exe
2900	WerFault.exe
2900	WerFault.exe
768	WerFault.exe
1340	WerFault.exe

Program crash 64 IoCs

pid	pid_target	Process	procid_target
2760	2572	WerFault.exe	29
2652	2096	WerFault.exe	30
1660	2392	WerFault.exe	31
1996	2692	WerFault.exe	32
2900	2956	WerFault.exe	34
1340	2944	WerFault.exe	35
768	2852	WerFault.exe	36
2540	2732	WerFault.exe	38
2080	3032	WerFault.exe	39
2924	1644	WerFault.exe	40
2312	1292	WerFault.exe	55
2880	1504	WerFault.exe	41
2316	1356	WerFault.exe	46
2252	1028	WerFault.exe	45
2228	2232	WerFault.exe	47
408	496	WerFault.exe	50
444	1116	WerFault.exe	48
2972	2376	WerFault.exe	49
1856	108	WerFault.exe	51
2584	2432	WerFault.exe	56
3008	2272	WerFault.exe	58
1032	3004	WerFault.exe	60
2412	2932	WerFault.exe	64
1776	2992	WerFault.exe	59
784	2864	WerFault.exe	74
1280	864	WerFault.exe	81
2708	1036	WerFault.exe	63
2164	484	WerFault.exe	80
2532	2860	WerFault.exe	75
2616	1276	WerFault.exe	83
2608	804	WerFault.exe	78
2620	916	WerFault.exe	57
2888	1416	WerFault.exe	84
1708	2084	WerFault.exe	62
892	592	WerFault.exe	79
3044	1960	WerFault.exe	77
1012	2460	WerFault.exe	61
2424	560	WerFault.exe	82
3244	1060	WerFault.exe	98
3280	2520	WerFault.exe	67
3332	1656	WerFault.exe	94
3356	2236	WerFault.exe	97
3372	2976	WerFault.exe	96
3388	1748	WerFault.exe	93
3432	2988	WerFault.exe	95
3448	2492	WerFault.exe	71
3524	2328	WerFault.exe	72
3648	2040	WerFault.exe	105
3656	3028	WerFault.exe	108
3748	2172	WerFault.exe	99
3856	3068	WerFault.exe	76
3876	2884	WerFault.exe	112
3956	2876	WerFault.exe	101
4008	2264	WerFault.exe	87
4032	2632	WerFault.exe	73
4060	2676	WerFault.exe	107
4084	3024	WerFault.exe	113
3188	1584	WerFault.exe	100
3296	1084	WerFault.exe	110
3500	2680	WerFault.exe	109
3532	1692	WerFault.exe	111
3600	1196	WerFault.exe	135
3712	2336	WerFault.exe	116
3936	1096	WerFault.exe	134

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Unicorn-49500.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Unicorn-52933.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Unicorn-8640.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Unicorn-11245.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Unicorn-56355.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Unicorn-14718.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Unicorn-3421.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Unicorn-57113.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Unicorn-53520.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Unicorn-1356.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Unicorn-40582.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Unicorn-20937.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Unicorn-15395.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Unicorn-23847.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Unicorn-42020.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Unicorn-54080.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Unicorn-29772.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Unicorn-27328.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Unicorn-34996.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Unicorn-64596.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Unicorn-2759.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Unicorn-5066.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Unicorn-28684.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Unicorn-57841.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Unicorn-28145.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Unicorn-61932.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Unicorn-40592.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Unicorn-23448.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Unicorn-19940.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Unicorn-27060.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Unicorn-30732.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Unicorn-59879.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Unicorn-63065.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Unicorn-63942.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Unicorn-11254.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Unicorn-27761.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Unicorn-28632.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Unicorn-5087.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Unicorn-58751.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	d0d1de1b099ed27ffac9b672f9542e95da526ef38796220a5278fdc0291c8805.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Unicorn-57644.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Unicorn-15395.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Unicorn-55367.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Unicorn-24963.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Unicorn-29767.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Unicorn-30580.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Unicorn-24266.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Unicorn-55584.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Unicorn-60820.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Unicorn-7163.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Unicorn-38748.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Unicorn-47876.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Unicorn-6405.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Unicorn-20879.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Unicorn-10271.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Unicorn-53567.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Unicorn-49291.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Unicorn-16278.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Unicorn-26430.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Unicorn-16085.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Unicorn-6267.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Unicorn-15758.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Unicorn-9674.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Unicorn-55751.exe

Suspicious use of SetWindowsHookEx 64 IoCs

pid	Process
2572	d0d1de1b099ed27ffac9b672f9542e95da526ef38796220a5278fdc0291c8805.exe
2096	Unicorn-41695.exe
2392	Unicorn-28504.exe
2692	Unicorn-470.exe
2956	Unicorn-45006.exe
2944	Unicorn-12888.exe
2852	Unicorn-28670.exe
2732	Unicorn-36091.exe
3032	Unicorn-57066.exe
1644	Unicorn-64679.exe
1504	Unicorn-28285.exe
1028	Unicorn-35188.exe
1356	Unicorn-3070.exe
2232	Unicorn-56355.exe
1116	Unicorn-6407.exe
2376	Unicorn-34996.exe
108	Unicorn-22744.exe
496	Unicorn-2878.exe
1292	Unicorn-63065.exe
2432	Unicorn-35908.exe
916	Unicorn-15208.exe
2272	Unicorn-16278.exe
2992	Unicorn-3833.exe
2460	Unicorn-48950.exe
3004	Unicorn-29084.exe
1036	Unicorn-32422.exe
2084	Unicorn-12556.exe
2932	Unicorn-53397.exe
2520	Unicorn-63942.exe
2328	Unicorn-16085.exe
2492	Unicorn-35951.exe
2632	Unicorn-11254.exe
2864	Unicorn-60455.exe
2860	Unicorn-28145.exe
3068	Unicorn-44482.exe
1960	Unicorn-31483.exe
804	Unicorn-7533.exe
484	Unicorn-14954.exe
592	Unicorn-14954.exe
864	Unicorn-27761.exe
560	Unicorn-43543.exe
1276	Unicorn-59879.exe
1416	Unicorn-20937.exe
2264	Unicorn-13283.exe
1748	Unicorn-43216.exe
1656	Unicorn-6267.exe
2988	Unicorn-27242.exe
2976	Unicorn-30580.exe
2236	Unicorn-31134.exe
1060	Unicorn-38748.exe
1584	Unicorn-64596.exe
2172	Unicorn-51555.exe
2076	Unicorn-15395.exe
2876	Unicorn-15395.exe
2736	Unicorn-15758.exe
2840	Unicorn-2759.exe
2040	Unicorn-49500.exe
2792	Unicorn-3828.exe
2676	Unicorn-47876.exe
3028	Unicorn-57113.exe
2680	Unicorn-41139.exe
1084	Unicorn-36309.exe
1692	Unicorn-4980.exe
1968	Unicorn-25379.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2572 wrote to memory of 2096	2572	d0d1de1b099ed27ffac9b672f9542e95da526ef38796220a5278fdc0291c8805.exe	30
PID 2572 wrote to memory of 2096	2572	d0d1de1b099ed27ffac9b672f9542e95da526ef38796220a5278fdc0291c8805.exe	30
PID 2572 wrote to memory of 2096	2572	d0d1de1b099ed27ffac9b672f9542e95da526ef38796220a5278fdc0291c8805.exe	30
PID 2572 wrote to memory of 2096	2572	d0d1de1b099ed27ffac9b672f9542e95da526ef38796220a5278fdc0291c8805.exe	30
PID 2096 wrote to memory of 2392	2096	Unicorn-41695.exe	31
PID 2096 wrote to memory of 2392	2096	Unicorn-41695.exe	31
PID 2096 wrote to memory of 2392	2096	Unicorn-41695.exe	31
PID 2096 wrote to memory of 2392	2096	Unicorn-41695.exe	31
PID 2572 wrote to memory of 2692	2572	d0d1de1b099ed27ffac9b672f9542e95da526ef38796220a5278fdc0291c8805.exe	32
PID 2572 wrote to memory of 2692	2572	d0d1de1b099ed27ffac9b672f9542e95da526ef38796220a5278fdc0291c8805.exe	32
PID 2572 wrote to memory of 2692	2572	d0d1de1b099ed27ffac9b672f9542e95da526ef38796220a5278fdc0291c8805.exe	32
PID 2572 wrote to memory of 2692	2572	d0d1de1b099ed27ffac9b672f9542e95da526ef38796220a5278fdc0291c8805.exe	32
PID 2572 wrote to memory of 2760	2572	d0d1de1b099ed27ffac9b672f9542e95da526ef38796220a5278fdc0291c8805.exe	33
PID 2572 wrote to memory of 2760	2572	d0d1de1b099ed27ffac9b672f9542e95da526ef38796220a5278fdc0291c8805.exe	33
PID 2572 wrote to memory of 2760	2572	d0d1de1b099ed27ffac9b672f9542e95da526ef38796220a5278fdc0291c8805.exe	33
PID 2572 wrote to memory of 2760	2572	d0d1de1b099ed27ffac9b672f9542e95da526ef38796220a5278fdc0291c8805.exe	33
PID 2392 wrote to memory of 2956	2392	Unicorn-28504.exe	34
PID 2392 wrote to memory of 2956	2392	Unicorn-28504.exe	34
PID 2392 wrote to memory of 2956	2392	Unicorn-28504.exe	34
PID 2392 wrote to memory of 2956	2392	Unicorn-28504.exe	34
PID 2096 wrote to memory of 2944	2096	Unicorn-41695.exe	35
PID 2096 wrote to memory of 2944	2096	Unicorn-41695.exe	35
PID 2096 wrote to memory of 2944	2096	Unicorn-41695.exe	35
PID 2096 wrote to memory of 2944	2096	Unicorn-41695.exe	35
PID 2692 wrote to memory of 2852	2692	Unicorn-470.exe	36
PID 2692 wrote to memory of 2852	2692	Unicorn-470.exe	36
PID 2692 wrote to memory of 2852	2692	Unicorn-470.exe	36
PID 2692 wrote to memory of 2852	2692	Unicorn-470.exe	36
PID 2096 wrote to memory of 2652	2096	Unicorn-41695.exe	37
PID 2096 wrote to memory of 2652	2096	Unicorn-41695.exe	37
PID 2096 wrote to memory of 2652	2096	Unicorn-41695.exe	37
PID 2096 wrote to memory of 2652	2096	Unicorn-41695.exe	37
PID 2956 wrote to memory of 2732	2956	Unicorn-45006.exe	38
PID 2956 wrote to memory of 2732	2956	Unicorn-45006.exe	38
PID 2956 wrote to memory of 2732	2956	Unicorn-45006.exe	38
PID 2956 wrote to memory of 2732	2956	Unicorn-45006.exe	38
PID 2392 wrote to memory of 3032	2392	Unicorn-28504.exe	39
PID 2392 wrote to memory of 3032	2392	Unicorn-28504.exe	39
PID 2392 wrote to memory of 3032	2392	Unicorn-28504.exe	39
PID 2392 wrote to memory of 3032	2392	Unicorn-28504.exe	39
PID 2944 wrote to memory of 1644	2944	Unicorn-12888.exe	40
PID 2944 wrote to memory of 1644	2944	Unicorn-12888.exe	40
PID 2944 wrote to memory of 1644	2944	Unicorn-12888.exe	40
PID 2944 wrote to memory of 1644	2944	Unicorn-12888.exe	40
PID 2692 wrote to memory of 1504	2692	Unicorn-470.exe	41
PID 2692 wrote to memory of 1504	2692	Unicorn-470.exe	41
PID 2692 wrote to memory of 1504	2692	Unicorn-470.exe	41
PID 2692 wrote to memory of 1504	2692	Unicorn-470.exe	41
PID 2392 wrote to memory of 1660	2392	Unicorn-28504.exe	43
PID 2392 wrote to memory of 1660	2392	Unicorn-28504.exe	43
PID 2392 wrote to memory of 1660	2392	Unicorn-28504.exe	43
PID 2392 wrote to memory of 1660	2392	Unicorn-28504.exe	43
PID 2692 wrote to memory of 1996	2692	Unicorn-470.exe	44
PID 2692 wrote to memory of 1996	2692	Unicorn-470.exe	44
PID 2692 wrote to memory of 1996	2692	Unicorn-470.exe	44
PID 2692 wrote to memory of 1996	2692	Unicorn-470.exe	44
PID 2732 wrote to memory of 1028	2732	Unicorn-36091.exe	45
PID 2732 wrote to memory of 1028	2732	Unicorn-36091.exe	45
PID 2732 wrote to memory of 1028	2732	Unicorn-36091.exe	45
PID 2732 wrote to memory of 1028	2732	Unicorn-36091.exe	45
PID 2956 wrote to memory of 1356	2956	Unicorn-45006.exe	46
PID 2956 wrote to memory of 1356	2956	Unicorn-45006.exe	46
PID 2956 wrote to memory of 1356	2956	Unicorn-45006.exe	46
PID 2956 wrote to memory of 1356	2956	Unicorn-45006.exe	46

C:\Users\Admin\AppData\Local\Temp\d0d1de1b099ed27ffac9b672f9542e95da526ef38796220a5278fdc0291c8805.exe
"C:\Users\Admin\AppData\Local\Temp\d0d1de1b099ed27ffac9b672f9542e95da526ef38796220a5278fdc0291c8805.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2572
- C:\Users\Admin\AppData\Local\Temp\Unicorn-41695.exe
  C:\Users\Admin\AppData\Local\Temp\Unicorn-41695.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2096
- - C:\Users\Admin\AppData\Local\Temp\Unicorn-28504.exe
    C:\Users\Admin\AppData\Local\Temp\Unicorn-28504.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:2392
  - - C:\Users\Admin\AppData\Local\Temp\Unicorn-45006.exe
      C:\Users\Admin\AppData\Local\Temp\Unicorn-45006.exe
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:2956
    - - C:\Users\Admin\AppData\Local\Temp\Unicorn-36091.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-36091.exe
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:2732
      - C:\Users\Admin\AppData\Local\Temp\Unicorn-35188.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-35188.exe
        6⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1028
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-63065.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-63065.exe
        7⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:1292
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1292 -s 240
        8⤵
        Program crash
        
        PID:2312
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-16085.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-16085.exe
        7⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2328
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-43216.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-43216.exe
        8⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1748
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-15237.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-15237.exe
        9⤵
        
        PID:2912
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-25871.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-25871.exe
        10⤵
        
        PID:3828
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-24963.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-24963.exe
        11⤵
        System Location Discovery: System Language Discovery
        
        PID:4280
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-31225.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-31225.exe
        12⤵
        
        PID:6164
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4280 -s 236
        12⤵
        
        PID:6412
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3828 -s 216
        11⤵
        
        PID:4312
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2912 -s 216
        10⤵
        
        PID:4016
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1748 -s 216
        9⤵
        Program crash
        
        PID:3388
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-62061.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-62061.exe
        8⤵
        
        PID:2560
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-55227.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-55227.exe
        9⤵
        
        PID:2772
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-1356.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-1356.exe
        10⤵
        System Location Discovery: System Language Discovery
        
        PID:4264
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-61012.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-61012.exe
        11⤵
        
        PID:6156
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4264 -s 216
        11⤵
        
        PID:3516
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2772 -s 216
        10⤵
        
        PID:5552
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2560 -s 236
        9⤵
        
        PID:4588
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2328 -s 240
        8⤵
        Program crash
        
        PID:3524
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1028 -s 240
        7⤵
        Program crash
        
        PID:2252
      - C:\Users\Admin\AppData\Local\Temp\Unicorn-35908.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-35908.exe
        6⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2432
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-35951.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-35951.exe
        7⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2492
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-30580.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-30580.exe
        8⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2976
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-27874.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-27874.exe
        9⤵
        
        PID:2380
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-54651.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-54651.exe
        10⤵
        
        PID:3788
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-10271.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-10271.exe
        11⤵
        System Location Discovery: System Language Discovery
        
        PID:4184
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-19980.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-19980.exe
        12⤵
        
        PID:6292
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4184 -s 216
        12⤵
        
        PID:6888
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3788 -s 216
        11⤵
        
        PID:5540
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2380 -s 236
        10⤵
        
        PID:2136
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2976 -s 236
        9⤵
        Program crash
        
        PID:3372
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-52933.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-52933.exe
        8⤵
        System Location Discovery: System Language Discovery
        
        PID:2156
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-29571.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-29571.exe
        9⤵
        
        PID:3968
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-23448.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-23448.exe
        10⤵
        System Location Discovery: System Language Discovery
        
        PID:4664
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-62823.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-62823.exe
        11⤵
        
        PID:6656
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4664 -s 216
        11⤵
        
        PID:6544
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3968 -s 216
        10⤵
        
        PID:5308
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2156 -s 236
        9⤵
        
        PID:4196
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2492 -s 240
        8⤵
        Program crash
        
        PID:3448
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2432 -s 236
        7⤵
        Program crash
        
        PID:2584
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2732 -s 240
        6⤵
        Program crash
        
        PID:2540
    - - C:\Users\Admin\AppData\Local\Temp\Unicorn-3070.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-3070.exe
        5⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1356
      - C:\Users\Admin\AppData\Local\Temp\Unicorn-63942.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-63942.exe
        6⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2520
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-13283.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-13283.exe
        7⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2264
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-18061.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-18061.exe
        8⤵
        
        PID:2336
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-11594.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-11594.exe
        9⤵
        
        PID:2288
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-33676.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-33676.exe
        10⤵
        
        PID:3888
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-7163.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-7163.exe
        11⤵
        System Location Discovery: System Language Discovery
        
        PID:5360
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-57841.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-57841.exe
        12⤵
        System Location Discovery: System Language Discovery
        
        PID:6300
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 5360 -s 236
        12⤵
        
        PID:6552
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3888 -s 216
        11⤵
        
        PID:6068
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2288 -s 236
        10⤵
        
        PID:4860
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2336 -s 236
        9⤵
        Program crash
        
        PID:3712
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-7873.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-7873.exe
        8⤵
        
        PID:1588
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-29208.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-29208.exe
        9⤵
        
        PID:3896
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-61932.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-61932.exe
        10⤵
        System Location Discovery: System Language Discovery
        
        PID:5092
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-55584.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-55584.exe
        11⤵
        System Location Discovery: System Language Discovery
        
        PID:7104
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 5092 -s 216
        11⤵
        
        PID:6744
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3896 -s 236
        10⤵
        
        PID:5524
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1588 -s 216
        9⤵
        
        PID:4676
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2264 -s 240
        8⤵
        Program crash
        
        PID:4008
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-22507.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-22507.exe
        7⤵
        
        PID:620
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-15866.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-15866.exe
        8⤵
        
        PID:3584
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-5274.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-5274.exe
        9⤵
        
        PID:4540
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4540 -s 200
        10⤵
        
        PID:6268
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3584 -s 236
        9⤵
        
        PID:5144
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 620 -s 216
        8⤵
        
        PID:2488
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2520 -s 240
        7⤵
        Program crash
        
        PID:3280
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1356 -s 236
        6⤵
        Program crash
        
        PID:2316
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2956 -s 240
        5⤵
        Loads dropped DLL
        Program crash
        
        PID:2900
  - - C:\Users\Admin\AppData\Local\Temp\Unicorn-57066.exe
      C:\Users\Admin\AppData\Local\Temp\Unicorn-57066.exe
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Suspicious use of SetWindowsHookEx
      PID:3032
    - - C:\Users\Admin\AppData\Local\Temp\Unicorn-6407.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-6407.exe
        5⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1116
      - C:\Users\Admin\AppData\Local\Temp\Unicorn-3833.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-3833.exe
        6⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2992
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-59879.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-59879.exe
        7⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:1276
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-47876.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-47876.exe
        8⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2676
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-14718.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-14718.exe
        9⤵
        System Location Discovery: System Language Discovery
        
        PID:2552
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-61688.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-61688.exe
        10⤵
        
        PID:3984
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-53567.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-53567.exe
        11⤵
        
        PID:4716
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-60820.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-60820.exe
        12⤵
        System Location Discovery: System Language Discovery
        
        PID:6376
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4716 -s 216
        12⤵
        
        PID:6724
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3984 -s 216
        11⤵
        
        PID:5856
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2552 -s 216
        10⤵
        
        PID:5044
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2676 -s 236
        9⤵
        Program crash
        
        PID:4060
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1276 -s 216
        8⤵
        Program crash
        
        PID:2616
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-41139.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-41139.exe
        7⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2680
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-3234.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-3234.exe
        8⤵
        
        PID:1908
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-9171.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-9171.exe
        9⤵
        
        PID:3596
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-53567.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-53567.exe
        10⤵
        
        PID:4776
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-40592.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-40592.exe
        11⤵
        System Location Discovery: System Language Discovery
        
        PID:6232
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4776 -s 216
        11⤵
        
        PID:3132
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3596 -s 236
        10⤵
        
        PID:5840
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1908 -s 216
        9⤵
        
        PID:4980
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2680 -s 236
        8⤵
        Program crash
        
        PID:3500
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2992 -s 240
        7⤵
        Program crash
        
        PID:1776
      - C:\Users\Admin\AppData\Local\Temp\Unicorn-20937.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-20937.exe
        6⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:1416
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-36309.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-36309.exe
        7⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1084
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-55367.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-55367.exe
        8⤵
        System Location Discovery: System Language Discovery
        
        PID:2928
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-25892.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-25892.exe
        9⤵
        
        PID:3380
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-53567.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-53567.exe
        10⤵
        System Location Discovery: System Language Discovery
        
        PID:4740
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-35164.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-35164.exe
        11⤵
        
        PID:7132
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4740 -s 236
        11⤵
        
        PID:6784
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3380 -s 236
        10⤵
        
        PID:5832
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2928 -s 216
        9⤵
        
        PID:4888
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1084 -s 236
        8⤵
        Program crash
        
        PID:3296
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1416 -s 236
        7⤵
        Program crash
        
        PID:2888
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1116 -s 240
        6⤵
        Program crash
        
        PID:444
    - - C:\Users\Admin\AppData\Local\Temp\Unicorn-29084.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-29084.exe
        5⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:3004
      - C:\Users\Admin\AppData\Local\Temp\Unicorn-31134.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-31134.exe
        6⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2236
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-5590.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-5590.exe
        7⤵
        
        PID:1512
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-53582.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-53582.exe
        8⤵
        
        PID:3760
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-45212.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-45212.exe
        9⤵
        
        PID:4792
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-24266.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-24266.exe
        10⤵
        System Location Discovery: System Language Discovery
        
        PID:6572
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4792 -s 236
        10⤵
        
        PID:6772
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3760 -s 216
        9⤵
        
        PID:5400
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1512 -s 236
        8⤵
        
        PID:4288
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2236 -s 236
        7⤵
        Program crash
        
        PID:3356
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3004 -s 236
        6⤵
        Program crash
        
        PID:1032
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3032 -s 240
        5⤵
        Program crash
        
        PID:2080
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 2392 -s 240
      4⤵
      Loads dropped DLL
      Program crash
      PID:1660
- - C:\Users\Admin\AppData\Local\Temp\Unicorn-12888.exe
    C:\Users\Admin\AppData\Local\Temp\Unicorn-12888.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:2944
  - - C:\Users\Admin\AppData\Local\Temp\Unicorn-64679.exe
      C:\Users\Admin\AppData\Local\Temp\Unicorn-64679.exe
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Suspicious use of SetWindowsHookEx
      PID:1644
    - - C:\Users\Admin\AppData\Local\Temp\Unicorn-34996.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-34996.exe
        5⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2376
      - C:\Users\Admin\AppData\Local\Temp\Unicorn-48950.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-48950.exe
        6⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2460
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-31483.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-31483.exe
        7⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1960
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-49905.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-49905.exe
        8⤵
        Executes dropped EXE
        
        PID:2884
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-21216.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-21216.exe
        9⤵
        
        PID:1484
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-51719.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-51719.exe
        10⤵
        
        PID:3668
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-31424.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-31424.exe
        11⤵
        
        PID:4756
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-62823.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-62823.exe
        12⤵
        
        PID:6648
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4756 -s 216
        12⤵
        
        PID:6516
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3668 -s 236
        11⤵
        
        PID:5336
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1484 -s 216
        10⤵
        
        PID:4356
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2884 -s 236
        9⤵
        Program crash
        
        PID:3876
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1960 -s 236
        8⤵
        Program crash
        
        PID:3044
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-25379.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-25379.exe
        7⤵
        Suspicious use of SetWindowsHookEx
        
        PID:1968
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-60048.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-60048.exe
        8⤵
        
        PID:3204
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-6405.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-6405.exe
        9⤵
        System Location Discovery: System Language Discovery
        
        PID:3844
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-30732.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-30732.exe
        10⤵
        System Location Discovery: System Language Discovery
        
        PID:5996
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3844 -s 236
        10⤵
        
        PID:7092
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3204 -s 216
        9⤵
        
        PID:4952
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1968 -s 236
        8⤵
        
        PID:4024
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2460 -s 240
        7⤵
        Program crash
        
        PID:1012
      - C:\Users\Admin\AppData\Local\Temp\Unicorn-7533.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-7533.exe
        6⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:804
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-57113.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-57113.exe
        7⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:3028
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-55751.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-55751.exe
        8⤵
        System Location Discovery: System Language Discovery
        
        PID:2456
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-22171.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-22171.exe
        9⤵
        
        PID:3224
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-2835.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-2835.exe
        10⤵
        
        PID:4700
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-29767.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-29767.exe
        11⤵
        System Location Discovery: System Language Discovery
        
        PID:6676
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4700 -s 236
        11⤵
        
        PID:6568
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3224 -s 216
        10⤵
        
        PID:5324
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2456 -s 216
        9⤵
        
        PID:4244
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3028 -s 236
        8⤵
        Program crash
        
        PID:3656
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 804 -s 236
        7⤵
        Program crash
        
        PID:2608
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2376 -s 240
        6⤵
        Program crash
        
        PID:2972
    - - C:\Users\Admin\AppData\Local\Temp\Unicorn-12556.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-12556.exe
        5⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2084
      - C:\Users\Admin\AppData\Local\Temp\Unicorn-43543.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-43543.exe
        6⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:560
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-15395.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-15395.exe
        7⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2076
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-60769.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-60769.exe
        8⤵
        
        PID:3468
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-12902.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-12902.exe
        9⤵
        
        PID:4208
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-8640.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-8640.exe
        10⤵
        System Location Discovery: System Language Discovery
        
        PID:6336
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4208 -s 236
        10⤵
        
        PID:6456
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3468 -s 236
        9⤵
        
        PID:5112
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2076 -s 236
        8⤵
        
        PID:3572
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 560 -s 236
        7⤵
        Program crash
        
        PID:2424
      - C:\Users\Admin\AppData\Local\Temp\Unicorn-15758.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-15758.exe
        6⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2736
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-9923.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-9923.exe
        7⤵
        
        PID:3160
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-3421.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-3421.exe
        8⤵
        System Location Discovery: System Language Discovery
        
        PID:3620
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-42066.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-42066.exe
        9⤵
        
        PID:5104
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-57644.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-57644.exe
        10⤵
        System Location Discovery: System Language Discovery
        
        PID:6848
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 5104 -s 236
        10⤵
        
        PID:6688
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3620 -s 236
        9⤵
        
        PID:5516
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3160 -s 216
        8⤵
        
        PID:4020
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-16228.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-16228.exe
        7⤵
        
        PID:3672
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-48144.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-48144.exe
        8⤵
        
        PID:4636
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-16591.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-16591.exe
        9⤵
        
        PID:6604
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4636 -s 216
        9⤵
        
        PID:6532
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3672 -s 216
        8⤵
        
        PID:5300
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2736 -s 240
        7⤵
        
        PID:4168
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2084 -s 220
        6⤵
        Program crash
        
        PID:1708
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1644 -s 240
        5⤵
        Program crash
        
        PID:2924
  - - C:\Users\Admin\AppData\Local\Temp\Unicorn-2878.exe
      C:\Users\Admin\AppData\Local\Temp\Unicorn-2878.exe
      4⤵
      Executes dropped EXE
      Suspicious use of SetWindowsHookEx
      PID:496
    - - C:\Users\Admin\AppData\Local\Temp\Unicorn-16278.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-16278.exe
        5⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2272
      - C:\Users\Admin\AppData\Local\Temp\Unicorn-60455.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-60455.exe
        6⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2864
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-6267.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-6267.exe
        7⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:1656
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-44402.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-44402.exe
        8⤵
        
        PID:1744
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-12502.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-12502.exe
        9⤵
        
        PID:3576
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-20879.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-20879.exe
        10⤵
        System Location Discovery: System Language Discovery
        
        PID:4304
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-34790.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-34790.exe
        11⤵
        
        PID:6440
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4304 -s 236
        11⤵
        
        PID:6496
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3576 -s 236
        10⤵
        
        PID:4324
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1744 -s 216
        9⤵
        
        PID:3964
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1656 -s 216
        8⤵
        Program crash
        
        PID:3332
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-52933.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-52933.exe
        7⤵
        
        PID:2496
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2864 -s 240
        7⤵
        Program crash
        
        PID:784
      - C:\Users\Admin\AppData\Local\Temp\Unicorn-27242.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-27242.exe
        6⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2988
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-11153.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-11153.exe
        7⤵
        
        PID:2024
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-5066.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-5066.exe
        8⤵
        System Location Discovery: System Language Discovery
        
        PID:3900
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-9358.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-9358.exe
        9⤵
        
        PID:4512
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-11245.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-11245.exe
        10⤵
        System Location Discovery: System Language Discovery
        
        PID:6524
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4512 -s 236
        10⤵
        
        PID:6752
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3900 -s 216
        9⤵
        
        PID:5140
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2024 -s 216
        8⤵
        
        PID:3796
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2988 -s 236
        7⤵
        Program crash
        
        PID:3432
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2272 -s 240
        6⤵
        Program crash
        
        PID:3008
    - - C:\Users\Admin\AppData\Local\Temp\Unicorn-44482.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-44482.exe
        5⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:3068
      - C:\Users\Admin\AppData\Local\Temp\Unicorn-15395.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-15395.exe
        6⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2876
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-9674.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-9674.exe
        7⤵
        System Location Discovery: System Language Discovery
        
        PID:992
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-3395.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-3395.exe
        8⤵
        
        PID:3772
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-53567.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-53567.exe
        9⤵
        
        PID:4752
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-23156.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-23156.exe
        10⤵
        
        PID:6560
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4752 -s 216
        10⤵
        
        PID:6800
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3772 -s 216
        9⤵
        
        PID:5824
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 992 -s 236
        8⤵
        
        PID:4880
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2876 -s 216
        7⤵
        Program crash
        
        PID:3956
      - C:\Users\Admin\AppData\Local\Temp\Unicorn-40161.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-40161.exe
        6⤵
        
        PID:1196
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1196 -s 220
        7⤵
        Program crash
        
        PID:3600
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3068 -s 240
        6⤵
        Program crash
        
        PID:3856
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 496 -s 240
        5⤵
        Program crash
        
        PID:408
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 2944 -s 220
      4⤵
      Loads dropped DLL
      Program crash
      PID:1340
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2096 -s 240
    3⤵
    - Loads dropped DLL
    - Program crash
    PID:2652
- C:\Users\Admin\AppData\Local\Temp\Unicorn-470.exe
  C:\Users\Admin\AppData\Local\Temp\Unicorn-470.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2692
- - C:\Users\Admin\AppData\Local\Temp\Unicorn-28670.exe
    C:\Users\Admin\AppData\Local\Temp\Unicorn-28670.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of SetWindowsHookEx
    PID:2852
  - - C:\Users\Admin\AppData\Local\Temp\Unicorn-56355.exe
      C:\Users\Admin\AppData\Local\Temp\Unicorn-56355.exe
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious use of SetWindowsHookEx
      PID:2232
    - - C:\Users\Admin\AppData\Local\Temp\Unicorn-15208.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-15208.exe
        5⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:916
      - C:\Users\Admin\AppData\Local\Temp\Unicorn-11254.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-11254.exe
        6⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2632
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-38748.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-38748.exe
        7⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:1060
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-37578.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-37578.exe
        8⤵
        
        PID:1820
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-28310.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-28310.exe
        9⤵
        
        PID:3556
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-58751.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-58751.exe
        10⤵
        System Location Discovery: System Language Discovery
        
        PID:4480
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-26430.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-26430.exe
        11⤵
        System Location Discovery: System Language Discovery
        
        PID:6488
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4480 -s 236
        11⤵
        
        PID:6504
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3556 -s 216
        10⤵
        
        PID:5128
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1820 -s 216
        9⤵
        
        PID:3944
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1060 -s 236
        8⤵
        Program crash
        
        PID:3244
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-40161.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-40161.exe
        7⤵
        
        PID:1096
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1096 -s 240
        8⤵
        Program crash
        
        PID:3936
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2632 -s 240
        7⤵
        Program crash
        
        PID:4032
      - C:\Users\Admin\AppData\Local\Temp\Unicorn-51555.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-51555.exe
        6⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2172
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-54080.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-54080.exe
        7⤵
        
        PID:2224
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-15154.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-15154.exe
        8⤵
        
        PID:3440
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-28684.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-28684.exe
        9⤵
        System Location Discovery: System Language Discovery
        
        PID:4828
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-29772.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-29772.exe
        10⤵
        System Location Discovery: System Language Discovery
        
        PID:5584
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4828 -s 216
        10⤵
        
        PID:6880
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3440 -s 236
        9⤵
        
        PID:5392
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2224 -s 216
        8⤵
        
        PID:4428
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2172 -s 236
        7⤵
        Program crash
        
        PID:3748
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 916 -s 240
        6⤵
        Program crash
        
        PID:2620
    - - C:\Users\Admin\AppData\Local\Temp\Unicorn-28145.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-28145.exe
        5⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2860
      - C:\Users\Admin\AppData\Local\Temp\Unicorn-3828.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-3828.exe
        6⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2792
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-4879.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-4879.exe
        7⤵
        
        PID:3256
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-27786.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-27786.exe
        8⤵
        
        PID:4048
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-40737.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-40737.exe
        9⤵
        
        PID:6224
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4048 -s 236
        9⤵
        
        PID:6436
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3256 -s 236
        8⤵
        
        PID:4936
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2792 -s 236
        7⤵
        
        PID:3264
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2860 -s 236
        6⤵
        Program crash
        
        PID:2532
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2232 -s 240
        5⤵
        Program crash
        
        PID:2228
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 2852 -s 236
      4⤵
      Loads dropped DLL
      Program crash
      PID:768
- - C:\Users\Admin\AppData\Local\Temp\Unicorn-28285.exe
    C:\Users\Admin\AppData\Local\Temp\Unicorn-28285.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of SetWindowsHookEx
    PID:1504
  - - C:\Users\Admin\AppData\Local\Temp\Unicorn-22744.exe
      C:\Users\Admin\AppData\Local\Temp\Unicorn-22744.exe
      4⤵
      Executes dropped EXE
      Suspicious use of SetWindowsHookEx
      PID:108
    - - C:\Users\Admin\AppData\Local\Temp\Unicorn-32422.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-32422.exe
        5⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1036
      - C:\Users\Admin\AppData\Local\Temp\Unicorn-14954.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-14954.exe
        6⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:484
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-2759.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-2759.exe
        7⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2840
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-54080.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-54080.exe
        8⤵
        
        PID:2384
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-60017.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-60017.exe
        9⤵
        
        PID:3720
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-27060.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-27060.exe
        10⤵
        System Location Discovery: System Language Discovery
        
        PID:5984
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-17412.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-17412.exe
        11⤵
        
        PID:4336
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3720 -s 216
        10⤵
        
        PID:5908
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2384 -s 236
        9⤵
        
        PID:4956
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2840 -s 216
        8⤵
        
        PID:3100
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 484 -s 236
        7⤵
        Program crash
        
        PID:2164
      - C:\Users\Admin\AppData\Local\Temp\Unicorn-49500.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-49500.exe
        6⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2040
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-54080.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-54080.exe
        7⤵
        System Location Discovery: System Language Discovery
        
        PID:2196
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-42783.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-42783.exe
        8⤵
        
        PID:3168
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-19940.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-19940.exe
        9⤵
        System Location Discovery: System Language Discovery
        
        PID:4944
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-27328.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-27328.exe
        10⤵
        System Location Discovery: System Language Discovery
        
        PID:6728
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4944 -s 236
        10⤵
        
        PID:6584
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3168 -s 236
        9⤵
        
        PID:5468
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2196 -s 216
        8⤵
        
        PID:4596
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2040 -s 216
        7⤵
        Program crash
        
        PID:3648
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1036 -s 220
        6⤵
        Program crash
        
        PID:2708
    - - C:\Users\Admin\AppData\Local\Temp\Unicorn-27761.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-27761.exe
        5⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:864
      - C:\Users\Admin\AppData\Local\Temp\Unicorn-64596.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-64596.exe
        6⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:1584
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-42020.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-42020.exe
        7⤵
        System Location Discovery: System Language Discovery
        
        PID:1784
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-28632.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-28632.exe
        8⤵
        System Location Discovery: System Language Discovery
        
        PID:3240
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-41875.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-41875.exe
        9⤵
        
        PID:4144
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-280.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-280.exe
        10⤵
        
        PID:6368
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4144 -s 236
        10⤵
        
        PID:6452
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3240 -s 236
        9⤵
        
        PID:4908
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1784 -s 236
        8⤵
        
        PID:4100
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1584 -s 236
        7⤵
        Program crash
        
        PID:3188
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 864 -s 236
        6⤵
        Program crash
        
        PID:1280
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 108 -s 240
        5⤵
        Program crash
        
        PID:1856
  - - C:\Users\Admin\AppData\Local\Temp\Unicorn-53397.exe
      C:\Users\Admin\AppData\Local\Temp\Unicorn-53397.exe
      4⤵
      Executes dropped EXE
      Suspicious use of SetWindowsHookEx
      PID:2932
    - - C:\Users\Admin\AppData\Local\Temp\Unicorn-14954.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-14954.exe
        5⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:592
      - C:\Users\Admin\AppData\Local\Temp\Unicorn-4980.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-4980.exe
        6⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1692
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-23847.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-23847.exe
        7⤵
        System Location Discovery: System Language Discovery
        
        PID:2176
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-5087.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-5087.exe
        8⤵
        System Location Discovery: System Language Discovery
        
        PID:3696
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-49291.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-49291.exe
        9⤵
        System Location Discovery: System Language Discovery
        
        PID:4800
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-48900.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-48900.exe
        10⤵
        
        PID:6764
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4800 -s 236
        10⤵
        
        PID:6664
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3696 -s 216
        9⤵
        
        PID:5848
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2176 -s 216
        8⤵
        
        PID:4872
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1692 -s 216
        7⤵
        Program crash
        
        PID:3532
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 592 -s 236
        6⤵
        Program crash
        
        PID:892
    - - C:\Users\Admin\AppData\Local\Temp\Unicorn-33547.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-33547.exe
        5⤵
        Executes dropped EXE
        
        PID:3024
      - C:\Users\Admin\AppData\Local\Temp\Unicorn-60027.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-60027.exe
        6⤵
        
        PID:584
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-53520.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-53520.exe
        7⤵
        System Location Discovery: System Language Discovery
        
        PID:3820
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-7739.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-7739.exe
        8⤵
        
        PID:5260
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-40582.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-40582.exe
        9⤵
        System Location Discovery: System Language Discovery
        
        PID:6352
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 5260 -s 236
        9⤵
        
        PID:7156
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3820 -s 216
        8⤵
        
        PID:6052
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 584 -s 236
        7⤵
        
        PID:5052
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3024 -s 236
        6⤵
        Program crash
        
        PID:4084
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2932 -s 240
        5⤵
        Program crash
        
        PID:2412
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 1504 -s 240
      4⤵
      Program crash
      PID:2880
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2692 -s 240
    3⤵
    - Loads dropped DLL
    - Program crash
    PID:1996
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 2572 -s 240
  2⤵
  - Program crash
  PID:2760

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\Unicorn-27060.exe

Filesize
192KB

MD5
46a33ef3e4063c15ae68c2b92197b92a

SHA1
9625becdb3e2568543d4019aa15090794fc9bbb2

SHA256
4453ac48d5d5aaa3cf56ccd52dade5d7eb5c04cb43c59d0c538affac178b912b

SHA512
ad9c3840f1b22e53e3375900e1f37f70a6ffcede0119d415e64b8547cbad0fb4a3ab2fa317d020f2e9650c7d60d3b16eb7bc7f89cf056c592d7c30012cd207de

Download Submit
C:\Users\Admin\AppData\Local\Temp\Unicorn-6267.exe

Filesize
192KB

MD5
7c2fbc811aa0688de93249f7cc2ee3b0

SHA1
91ae588984500b97b8f9f0fd170a912ec29e13e0

SHA256
8bd16604740157b325fd881d44a079e9b68669a3ea5ad47b485835c32a317e27

SHA512
9f201462651d5a77b9991a0767a0d22f67e4c24ab8338d05beaf9beff3a8e11fed2f8a1a526e242422d72aa69d05d852d7e41e6178080464dedef333cec8290d

Download Submit
C:\Users\Admin\AppData\Local\Temp\Unicorn-6407.exe

Filesize
192KB

MD5
28f5a549d320a9694a8c7fa7fb546009

SHA1
ee164cf0a346c9b5609298066fa61f9b3468d2eb

SHA256
360195389080c75a99b135d40bc910bc0aabcab91e39e7696f974555f249da75

SHA512
421bf2127c6a7915ab4a8c02cae08c29a8a85061a01126673fb63eba616e1254cac52df3de38bb4420034c562e81831adb31218e97439f6c9a1afa39a18a7908

Download Submit
C:\Users\Admin\AppData\Local\Temp\Unicorn-64679.exe

Filesize
192KB

MD5
37251b0559def1a6ddf337802c29b17d

SHA1
cf494a666d124ef48111ade3a7b40c1c5391d01d

SHA256
7ccec9afbaeb90e81514a528ff7463702b2c0c5bdf64d199542dac6cc2dc59f5

SHA512
6345ce7f0cf5bb6e69df56b2065d5bcdb00687f99c9a992c48af6061c225898f38c2d501321e0dd59e8e447f1bbc1c646ff3a9b9a310f9164869b4758a3b7d19

Download Submit
C:\Users\Admin\AppData\Local\Temp\Unicorn-9923.exe

Filesize
192KB

MD5
0ffbb61045de23efeeaff7c186726928

SHA1
7b4cb7f37a7bde3587d2f7df207f9d366668127a

SHA256
2932020f78975f74fdf0d0e953347addcf13a4d2cbe1d0fdad569502f9880f1a

SHA512
78a382cfef26e06eb4e2d89437f96f7eccca875889ddb0410e0a5d1338f04780c826fca39677dac527ecd857e9464f66161ef128a889f530a66202b18f206801

Download Submit
\Users\Admin\AppData\Local\Temp\Unicorn-12888.exe

Filesize
192KB

MD5
7628dfa55563103a9ad0422d3331fc3c

SHA1
987876bebc265313e7e712c4b7c06b29951b4c8f

SHA256
81b102f66c3f2f8a956533d7ae46b6e4b761cdcec8f52a90f5aaa74bdce5aaee

SHA512
7c003425e6deb1ba81979669646ab049c305d9977d977b6f88166194b51f2231f4b0663ca0cb427d918fd899e1b9b8122c5f410898de15370feac0ef6a28d65c

Download Submit
\Users\Admin\AppData\Local\Temp\Unicorn-28285.exe

Filesize
192KB

MD5
4178c574d2bd1bfa154a3c104b8d21b6

SHA1
026ab9b040e876e30caba3f024a8fabf117a2f93

SHA256
9e12a1fa8a56c61e30130ea0c317a36cdb62633253003576616a68027a73947b

SHA512
01b146dcf5e151174543576ece70c24282af4b7125115156dc82a287bb74be5e90ee493e8bfe747d25fd4373b0a8bbc9539ecd12860a588c5b4fc620587429dd

Download Submit
\Users\Admin\AppData\Local\Temp\Unicorn-28504.exe

Filesize
192KB

MD5
c161b02a7ac74c2c41b22ca87642c005

SHA1
ec37f89c950c30c08bce3c6da1682bd822df2516

SHA256
26234245a228ff19b62b9d526982f6cb7f3dec9d6185203a17cbfb7dbf5516c7

SHA512
5a3ec788644b28a51214d721ecaee27614c44dcb16666f4fce60b5b49cef98130ee9947db6bcb9f45675ab07cbd2c7e11344c9935e0270c2cffc4340d55173d7

Download Submit
\Users\Admin\AppData\Local\Temp\Unicorn-28670.exe

Filesize
192KB

MD5
b6e63716eb7fb80e09956597a1372c63

SHA1
4dee95eebea2d39cac0c0ee0d6cf1d17c5ffb144

SHA256
37ddd06d5929adc829284a64ca234ce8a18cdcca35b107ac0edbb5395dba98fe

SHA512
2def03d27d4816a71978480efe767c9d2c8d1cae66b88a2171a45ca3f7376a6c5dc8cb844630c77e641eb99b634898c5896d02c2a29de810da9d0fb4c1201955

Download Submit
\Users\Admin\AppData\Local\Temp\Unicorn-3070.exe

Filesize
192KB

MD5
75d7e611b9494a4229c13118479a2efc

SHA1
7529f3024a0b5bb2e150c3f24196e3d144f2b257

SHA256
fcfc4ee14fd52afa6826159af2d9d669d3edeb4cf87e57d166f926267fcb89c1

SHA512
4378817f25a42fb6cfdfd21d6994e5f0c5cad0ca630b58fefe596d7a3709b7edc8356a16c72efbfed969b348667ca408caa6a8b786e54647f7ba3ca5ea75320a

Download Submit
\Users\Admin\AppData\Local\Temp\Unicorn-35188.exe

Filesize
192KB

MD5
b7f37e856aabe3efadcda0986a9b5d06

SHA1
9577a54bd1ac6e6430c6252720772af98a73b15b

SHA256
79bf2af3ee091f80f642a2eb21ed3e3f2ebb78cb1cb066580be5471f552548fa

SHA512
c89415126380069407484808a756cd1e67c2c3efbcd90e11981902797c76bc8bf85fcf947a3b02fad2ac9c4b17101789631a06351adba7fd84583bd17c1324ab

Download Submit
\Users\Admin\AppData\Local\Temp\Unicorn-36091.exe

Filesize
192KB

MD5
31cececd14348e294b527133ee0189ee

SHA1
af23edb61c93dfbce407f19682f89f64967b8556

SHA256
9faaf9304853a4c3d51770b78d07fddb0ace59deb7ec9d316b8e9183f1dd9874

SHA512
d79d78a37e4b7d3d153dc3fa353229e1d879c3a73e174e98b3543c9ea25536d0cc21c3b0ab0311e24a514bc4beed93a68cb1aede7140615178f6b05eab26c494

Download Submit
\Users\Admin\AppData\Local\Temp\Unicorn-41695.exe

Filesize
192KB

MD5
e542f8f7bc233bed327f959406894ec9

SHA1
f6b96bf43c8ce6e50f410655f8de30f0663fb66a

SHA256
8da19448c08df20423526a18b3720c46a1d8f1752383e4fa297c1ac7b57b85c5

SHA512
7106009f38424b7537b8c9ac59816eedb5d7f3045a2cefbc888926f8192458f984ef03708ec56bb1c0430d790aa9f2b525dc86cfa3431aabe9863ad873c9a948

Download Submit
\Users\Admin\AppData\Local\Temp\Unicorn-45006.exe

Filesize
192KB

MD5
4f9cc7a3edfd29ae7da6da50f8fc27f6

SHA1
7054da27081176913fa98c25b884ba49aed59ee1

SHA256
c214f867e6cfa26d195fbe31395a352804aa861c43537d2a9ce55e7d8723711f

SHA512
cd405558802ad3447f8662f15c8641c59dd8a5ade109359b5ab64e22fc209ba677f160e46f528850a8c67eb92f003a353fb5279747649375e9ed1c4ec88b4f94

Download Submit
\Users\Admin\AppData\Local\Temp\Unicorn-470.exe

Filesize
192KB

MD5
cf096fa84e40995cf999c2285e344ef0

SHA1
0e7ac7567af36e118e7938e16e74ebabb0ba257d

SHA256
c727292f9422d7be88e455b1600905f6fe33f99301028389d29a98b5cc5a99e4

SHA512
f9780bb1f765cfb06c6193d09ff55effedbcba24665fde34972d5b58f06d35433254cb318128554718cd2dc1fdfb1d086229f9a36cc15fa33b5cf8412a50cda8

Download Submit
\Users\Admin\AppData\Local\Temp\Unicorn-57066.exe

Filesize
192KB

MD5
fc568ea227e28458dbf7ec2d843e90a5

SHA1
8ad3f96f58dad68dc1b811fa87e339365fbc96b2

SHA256
cba0d07d311020a2a2135586186044feda5d45ae86406a0c8d41dcafc323f797

SHA512
f084166acc57fb51ebc964a800f309bbb8302c67deb2631d0f56cc1029c3db475b5970c9b4643d052044444350568836c1009b29b612714d4b4f2c81249a4271

Download Submit