25e5680808f5e58a8c3f5adb64d8d9c9d9fc90c5bc3d112e4425d775ea105ac8

Analysis

max time kernel
150s
max time network
128s
platform
windows7_x64
resource
win7-20240708-en
resource tags

arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system
submitted
01-09-2024 14:55

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

752ed4fe742463d95fc36d433929230362bed83327f2f54fd33ec3bdd7a922de.exe
Size

192KB
MD5

852124ffb333b4dddf45a682bccd9ca4
SHA1

6851bdc3ce30c6bb9486bb6f96092ebd53052dc5
SHA256

752ed4fe742463d95fc36d433929230362bed83327f2f54fd33ec3bdd7a922de
SHA512

983179e9d5e2c605c1c686b5f8f33940b966451d9d0747b022461807ee4191ee38a5fc9ff13fa2087c023a399e5ee974eeb000299e386b12da2da77ff024b458
SSDEEP

3072:qW/+o0uwxjtYcdf2Y/mCzJZwSc2MD46mgbxv78Yl9lTvpFj:qWWouJYcMYuCzJsvHT9lTvpF

Score

7^/10

discovery

Malware Config

Signatures

Executes dropped EXE 64 IoCs

pid	Process
2760	Unicorn-22034.exe
2548	Unicorn-61779.exe
828	Unicorn-45998.exe
2592	Unicorn-456.exe
2160	Unicorn-40974.exe
2136	Unicorn-57825.exe
2896	Unicorn-40970.exe
544	Unicorn-24442.exe
1396	Unicorn-53777.exe
2956	Unicorn-34316.exe
2424	Unicorn-11997.exe
2240	Unicorn-31863.exe
2076	Unicorn-41737.exe
704	Unicorn-24655.exe
1780	Unicorn-36907.exe
2432	Unicorn-12402.exe
928	Unicorn-41929.exe
1504	Unicorn-56725.exe
2984	Unicorn-25013.exe
1688	Unicorn-36750.exe
980	Unicorn-28028.exe
1876	Unicorn-3715.exe
892	Unicorn-56808.exe
1772	Unicorn-42095.exe
1600	Unicorn-29843.exe
2092	Unicorn-57877.exe
2772	Unicorn-28713.exe
2676	Unicorn-21099.exe
2616	Unicorn-36554.exe
2372	Unicorn-45277.exe
1440	Unicorn-3689.exe
2908	Unicorn-41384.exe
2884	Unicorn-44914.exe
1616	Unicorn-53637.exe
2332	Unicorn-60674.exe
2172	Unicorn-11473.exe
2192	Unicorn-8136.exe
1172	Unicorn-11665.exe
1784	Unicorn-20950.exe
1532	Unicorn-17612.exe
2912	Unicorn-37478.exe
880	Unicorn-33394.exe
2496	Unicorn-46201.exe
2624	Unicorn-23363.exe
1524	Unicorn-28385.exe
2916	Unicorn-10726.exe
2272	Unicorn-48422.exe
2964	Unicorn-20793.exe
2436	Unicorn-32299.exe
1188	Unicorn-38390.exe
1304	Unicorn-20239.exe
2344	Unicorn-45236.exe
1840	Unicorn-45236.exe
2516	Unicorn-53788.exe
1308	Unicorn-33922.exe
672	Unicorn-33922.exe
1884	Unicorn-9631.exe
1260	Unicorn-42304.exe
1680	Unicorn-42304.exe
1344	Unicorn-43242.exe
2120	Unicorn-5163.exe
2848	Unicorn-38582.exe
2528	Unicorn-21500.exe
2348	Unicorn-58640.exe

Loads dropped DLL 64 IoCs

pid	Process
2688	752ed4fe742463d95fc36d433929230362bed83327f2f54fd33ec3bdd7a922de.exe
2688	752ed4fe742463d95fc36d433929230362bed83327f2f54fd33ec3bdd7a922de.exe
2760	Unicorn-22034.exe
2688	752ed4fe742463d95fc36d433929230362bed83327f2f54fd33ec3bdd7a922de.exe
2760	Unicorn-22034.exe
2688	752ed4fe742463d95fc36d433929230362bed83327f2f54fd33ec3bdd7a922de.exe
2548	Unicorn-61779.exe
2548	Unicorn-61779.exe
2760	Unicorn-22034.exe
2760	Unicorn-22034.exe
828	Unicorn-45998.exe
828	Unicorn-45998.exe
2924	WerFault.exe
2924	WerFault.exe
2924	WerFault.exe
2924	WerFault.exe
2924	WerFault.exe
2924	WerFault.exe
2924	WerFault.exe
2160	Unicorn-40974.exe
2160	Unicorn-40974.exe
2592	Unicorn-456.exe
2592	Unicorn-456.exe
828	Unicorn-45998.exe
828	Unicorn-45998.exe
2548	Unicorn-61779.exe
2548	Unicorn-61779.exe
496	WerFault.exe
496	WerFault.exe
496	WerFault.exe
496	WerFault.exe
496	WerFault.exe
496	WerFault.exe
496	WerFault.exe
1560	WerFault.exe
1560	WerFault.exe
1560	WerFault.exe
1560	WerFault.exe
1560	WerFault.exe
1560	WerFault.exe
1560	WerFault.exe
2896	Unicorn-40970.exe
2136	Unicorn-57825.exe
2896	Unicorn-40970.exe
2136	Unicorn-57825.exe
2160	Unicorn-40974.exe
2160	Unicorn-40974.exe
1396	Unicorn-53777.exe
1396	Unicorn-53777.exe
2956	Unicorn-34316.exe
2956	Unicorn-34316.exe
544	Unicorn-24442.exe
544	Unicorn-24442.exe
2592	Unicorn-456.exe
2592	Unicorn-456.exe
1452	WerFault.exe
1452	WerFault.exe
1452	WerFault.exe
1452	WerFault.exe
1452	WerFault.exe
1452	WerFault.exe
1452	WerFault.exe
1648	WerFault.exe
1648	WerFault.exe

Program crash 64 IoCs

pid	pid_target	Process	procid_target
2828	2688	WerFault.exe	29
2924	2760	WerFault.exe	30
496	2548	WerFault.exe	31
1560	828	WerFault.exe	32
1452	2160	WerFault.exe	35
1648	2592	WerFault.exe	34
632	2136	WerFault.exe	36
2540	2896	WerFault.exe	38
2116	1396	WerFault.exe	40
2104	544	WerFault.exe	39
2960	2956	WerFault.exe	41
2476	2424	WerFault.exe	44
2252	2240	WerFault.exe	45
380	2076	WerFault.exe	46
2748	704	WerFault.exe	47
2744	1780	WerFault.exe	48
2856	2432	WerFault.exe	49
1824	928	WerFault.exe	50
944	1504	WerFault.exe	54
3052	980	WerFault.exe	57
2184	1688	WerFault.exe	56
2276	892	WerFault.exe	59
1420	2676	WerFault.exe	64
2140	1600	WerFault.exe	61
3368	880	WerFault.exe	83
3376	1784	WerFault.exe	80
3432	2496	WerFault.exe	84
3648	2912	WerFault.exe	82
3672	2372	WerFault.exe	68
3768	1876	WerFault.exe	58
3812	2192	WerFault.exe	78
3836	1772	WerFault.exe	60
3880	2260	WerFault.exe	77
3936	1440	WerFault.exe	71
3968	2984	WerFault.exe	55
3100	1532	WerFault.exe	81
3268	2772	WerFault.exe	63
3480	2092	WerFault.exe	62
3576	1840	WerFault.exe	101
3700	2884	WerFault.exe	73
3080	1524	WerFault.exe	89
3616	2916	WerFault.exe	94
3112	1188	WerFault.exe	98
3460	2616	WerFault.exe	66
3680	2332	WerFault.exe	75
3976	2436	WerFault.exe	97
4164	2272	WerFault.exe	95
4216	2964	WerFault.exe	96
4308	2348	WerFault.exe	113
4368	2848	WerFault.exe	110
4376	984	WerFault.exe	116
4424	1616	WerFault.exe	74
4528	2172	WerFault.exe	76
4732	2528	WerFault.exe	111
4836	1912	WerFault.exe	112
4848	1172	WerFault.exe	79
4876	1884	WerFault.exe	105
4908	1304	WerFault.exe	99
4584	2624	WerFault.exe	87
4792	672	WerFault.exe	103
4984	1260	WerFault.exe	107
5072	1512	WerFault.exe	128
3584	3040	WerFault.exe	123
4188	832	WerFault.exe	125

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Unicorn-23724.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Unicorn-49012.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Unicorn-29831.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Unicorn-5094.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Unicorn-55197.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Unicorn-13303.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Unicorn-40003.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Unicorn-3689.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Unicorn-51240.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Unicorn-8814.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Unicorn-14787.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Unicorn-22152.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Unicorn-5274.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Unicorn-24442.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Unicorn-25374.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Unicorn-42304.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Unicorn-32477.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Unicorn-52587.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Unicorn-55016.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Unicorn-25449.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Unicorn-55348.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Unicorn-53672.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Unicorn-54580.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Unicorn-40377.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Unicorn-53788.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Unicorn-27377.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Unicorn-5583.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Unicorn-16340.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Unicorn-21342.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Unicorn-61897.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Unicorn-33394.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Unicorn-32059.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Unicorn-7885.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Unicorn-28743.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Unicorn-45998.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Unicorn-17014.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Unicorn-7631.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Unicorn-32299.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Unicorn-23398.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Unicorn-48559.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Unicorn-36907.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Unicorn-55201.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Unicorn-31674.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Unicorn-16791.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Unicorn-56782.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Unicorn-7885.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Unicorn-15114.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Unicorn-26459.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Unicorn-42304.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Unicorn-25449.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Unicorn-1113.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Unicorn-41571.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Unicorn-28028.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Unicorn-61606.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Unicorn-64014.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Unicorn-21949.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Unicorn-21057.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Unicorn-42411.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Unicorn-26843.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Unicorn-53777.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Unicorn-17612.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Unicorn-33922.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Unicorn-45236.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Unicorn-35011.exe

Suspicious use of SetWindowsHookEx 64 IoCs

pid	Process
2688	752ed4fe742463d95fc36d433929230362bed83327f2f54fd33ec3bdd7a922de.exe
2760	Unicorn-22034.exe
2548	Unicorn-61779.exe
828	Unicorn-45998.exe
2160	Unicorn-40974.exe
2592	Unicorn-456.exe
2136	Unicorn-57825.exe
2896	Unicorn-40970.exe
544	Unicorn-24442.exe
1396	Unicorn-53777.exe
2956	Unicorn-34316.exe
2424	Unicorn-11997.exe
2240	Unicorn-31863.exe
2076	Unicorn-41737.exe
704	Unicorn-24655.exe
1780	Unicorn-36907.exe
2432	Unicorn-12402.exe
928	Unicorn-41929.exe
1504	Unicorn-56725.exe
2984	Unicorn-25013.exe
980	Unicorn-28028.exe
1688	Unicorn-36750.exe
1876	Unicorn-3715.exe
1772	Unicorn-42095.exe
892	Unicorn-56808.exe
2092	Unicorn-57877.exe
2772	Unicorn-28713.exe
2676	Unicorn-21099.exe
2616	Unicorn-36554.exe
1440	Unicorn-3689.exe
2372	Unicorn-45277.exe
2908	Unicorn-41384.exe
2884	Unicorn-44914.exe
1616	Unicorn-53637.exe
2332	Unicorn-60674.exe
2172	Unicorn-11473.exe
2260	Unicorn-56782.exe
1172	Unicorn-11665.exe
2192	Unicorn-8136.exe
1784	Unicorn-20950.exe
1532	Unicorn-17612.exe
2912	Unicorn-37478.exe
880	Unicorn-33394.exe
2496	Unicorn-46201.exe
2624	Unicorn-23363.exe
1524	Unicorn-28385.exe
2916	Unicorn-10726.exe
2272	Unicorn-48422.exe
2964	Unicorn-20793.exe
2436	Unicorn-32299.exe
1188	Unicorn-38390.exe
1304	Unicorn-20239.exe
2344	Unicorn-45236.exe
1840	Unicorn-45236.exe
2516	Unicorn-53788.exe
1308	Unicorn-33922.exe
672	Unicorn-33922.exe
1884	Unicorn-9631.exe
1260	Unicorn-42304.exe
1680	Unicorn-42304.exe
1344	Unicorn-43242.exe
2528	Unicorn-21500.exe
2120	Unicorn-5163.exe
2848	Unicorn-38582.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2688 wrote to memory of 2760	2688	752ed4fe742463d95fc36d433929230362bed83327f2f54fd33ec3bdd7a922de.exe	30
PID 2688 wrote to memory of 2760	2688	752ed4fe742463d95fc36d433929230362bed83327f2f54fd33ec3bdd7a922de.exe	30
PID 2688 wrote to memory of 2760	2688	752ed4fe742463d95fc36d433929230362bed83327f2f54fd33ec3bdd7a922de.exe	30
PID 2688 wrote to memory of 2760	2688	752ed4fe742463d95fc36d433929230362bed83327f2f54fd33ec3bdd7a922de.exe	30
PID 2760 wrote to memory of 2548	2760	Unicorn-22034.exe	31
PID 2760 wrote to memory of 2548	2760	Unicorn-22034.exe	31
PID 2760 wrote to memory of 2548	2760	Unicorn-22034.exe	31
PID 2760 wrote to memory of 2548	2760	Unicorn-22034.exe	31
PID 2688 wrote to memory of 828	2688	752ed4fe742463d95fc36d433929230362bed83327f2f54fd33ec3bdd7a922de.exe	32
PID 2688 wrote to memory of 828	2688	752ed4fe742463d95fc36d433929230362bed83327f2f54fd33ec3bdd7a922de.exe	32
PID 2688 wrote to memory of 828	2688	752ed4fe742463d95fc36d433929230362bed83327f2f54fd33ec3bdd7a922de.exe	32
PID 2688 wrote to memory of 828	2688	752ed4fe742463d95fc36d433929230362bed83327f2f54fd33ec3bdd7a922de.exe	32
PID 2688 wrote to memory of 2828	2688	752ed4fe742463d95fc36d433929230362bed83327f2f54fd33ec3bdd7a922de.exe	33
PID 2688 wrote to memory of 2828	2688	752ed4fe742463d95fc36d433929230362bed83327f2f54fd33ec3bdd7a922de.exe	33
PID 2688 wrote to memory of 2828	2688	752ed4fe742463d95fc36d433929230362bed83327f2f54fd33ec3bdd7a922de.exe	33
PID 2688 wrote to memory of 2828	2688	752ed4fe742463d95fc36d433929230362bed83327f2f54fd33ec3bdd7a922de.exe	33
PID 2548 wrote to memory of 2592	2548	Unicorn-61779.exe	34
PID 2548 wrote to memory of 2592	2548	Unicorn-61779.exe	34
PID 2548 wrote to memory of 2592	2548	Unicorn-61779.exe	34
PID 2548 wrote to memory of 2592	2548	Unicorn-61779.exe	34
PID 2760 wrote to memory of 2160	2760	Unicorn-22034.exe	35
PID 2760 wrote to memory of 2160	2760	Unicorn-22034.exe	35
PID 2760 wrote to memory of 2160	2760	Unicorn-22034.exe	35
PID 2760 wrote to memory of 2160	2760	Unicorn-22034.exe	35
PID 828 wrote to memory of 2136	828	Unicorn-45998.exe	36
PID 828 wrote to memory of 2136	828	Unicorn-45998.exe	36
PID 828 wrote to memory of 2136	828	Unicorn-45998.exe	36
PID 828 wrote to memory of 2136	828	Unicorn-45998.exe	36
PID 2760 wrote to memory of 2924	2760	Unicorn-22034.exe	37
PID 2760 wrote to memory of 2924	2760	Unicorn-22034.exe	37
PID 2760 wrote to memory of 2924	2760	Unicorn-22034.exe	37
PID 2760 wrote to memory of 2924	2760	Unicorn-22034.exe	37
PID 2160 wrote to memory of 2896	2160	Unicorn-40974.exe	38
PID 2160 wrote to memory of 2896	2160	Unicorn-40974.exe	38
PID 2160 wrote to memory of 2896	2160	Unicorn-40974.exe	38
PID 2160 wrote to memory of 2896	2160	Unicorn-40974.exe	38
PID 2592 wrote to memory of 544	2592	Unicorn-456.exe	39
PID 2592 wrote to memory of 544	2592	Unicorn-456.exe	39
PID 2592 wrote to memory of 544	2592	Unicorn-456.exe	39
PID 2592 wrote to memory of 544	2592	Unicorn-456.exe	39
PID 828 wrote to memory of 1396	828	Unicorn-45998.exe	40
PID 828 wrote to memory of 1396	828	Unicorn-45998.exe	40
PID 828 wrote to memory of 1396	828	Unicorn-45998.exe	40
PID 828 wrote to memory of 1396	828	Unicorn-45998.exe	40
PID 2548 wrote to memory of 2956	2548	Unicorn-61779.exe	41
PID 2548 wrote to memory of 2956	2548	Unicorn-61779.exe	41
PID 2548 wrote to memory of 2956	2548	Unicorn-61779.exe	41
PID 2548 wrote to memory of 2956	2548	Unicorn-61779.exe	41
PID 2548 wrote to memory of 496	2548	Unicorn-61779.exe	42
PID 2548 wrote to memory of 496	2548	Unicorn-61779.exe	42
PID 2548 wrote to memory of 496	2548	Unicorn-61779.exe	42
PID 2548 wrote to memory of 496	2548	Unicorn-61779.exe	42
PID 828 wrote to memory of 1560	828	Unicorn-45998.exe	43
PID 828 wrote to memory of 1560	828	Unicorn-45998.exe	43
PID 828 wrote to memory of 1560	828	Unicorn-45998.exe	43
PID 828 wrote to memory of 1560	828	Unicorn-45998.exe	43
PID 2136 wrote to memory of 2424	2136	Unicorn-57825.exe	44
PID 2136 wrote to memory of 2424	2136	Unicorn-57825.exe	44
PID 2136 wrote to memory of 2424	2136	Unicorn-57825.exe	44
PID 2136 wrote to memory of 2424	2136	Unicorn-57825.exe	44
PID 2896 wrote to memory of 2240	2896	Unicorn-40970.exe	45
PID 2896 wrote to memory of 2240	2896	Unicorn-40970.exe	45
PID 2896 wrote to memory of 2240	2896	Unicorn-40970.exe	45
PID 2896 wrote to memory of 2240	2896	Unicorn-40970.exe	45

C:\Users\Admin\AppData\Local\Temp\752ed4fe742463d95fc36d433929230362bed83327f2f54fd33ec3bdd7a922de.exe
"C:\Users\Admin\AppData\Local\Temp\752ed4fe742463d95fc36d433929230362bed83327f2f54fd33ec3bdd7a922de.exe"
1⤵
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2688
- C:\Users\Admin\AppData\Local\Temp\Unicorn-22034.exe
  C:\Users\Admin\AppData\Local\Temp\Unicorn-22034.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2760
- - C:\Users\Admin\AppData\Local\Temp\Unicorn-61779.exe
    C:\Users\Admin\AppData\Local\Temp\Unicorn-61779.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:2548
  - - C:\Users\Admin\AppData\Local\Temp\Unicorn-456.exe
      C:\Users\Admin\AppData\Local\Temp\Unicorn-456.exe
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:2592
    - - C:\Users\Admin\AppData\Local\Temp\Unicorn-24442.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-24442.exe
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:544
      - C:\Users\Admin\AppData\Local\Temp\Unicorn-12402.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-12402.exe
        6⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2432
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-57877.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-57877.exe
        7⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2092
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-11473.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-11473.exe
        8⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2172
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-51240.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-51240.exe
        9⤵
        System Location Discovery: System Language Discovery
        
        PID:984
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-40475.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-40475.exe
        10⤵
        
        PID:3088
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-32634.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-32634.exe
        11⤵
        
        PID:5112
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-46879.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-46879.exe
        12⤵
        
        PID:7060
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-5274.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-5274.exe
        13⤵
        System Location Discovery: System Language Discovery
        
        PID:9944
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 7060 -s 384
        13⤵
        
        PID:4708
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 5112 -s 376
        12⤵
        
        PID:8176
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3088 -s 376
        11⤵
        
        PID:5880
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 984 -s 376
        10⤵
        Program crash
        
        PID:4376
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-58134.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-58134.exe
        9⤵
        
        PID:3180
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-37678.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-37678.exe
        10⤵
        
        PID:4288
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-7631.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-7631.exe
        11⤵
        System Location Discovery: System Language Discovery
        
        PID:5500
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-50164.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-50164.exe
        12⤵
        
        PID:7256
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 5500 -s 384
        12⤵
        
        PID:8916
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4288 -s 376
        11⤵
        
        PID:7112
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3180 -s 376
        10⤵
        
        PID:5484
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2172 -s 376
        9⤵
        Program crash
        
        PID:4528
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-23398.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-23398.exe
        8⤵
        System Location Discovery: System Language Discovery
        
        PID:684
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-24492.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-24492.exe
        9⤵
        
        PID:4104
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-21057.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-21057.exe
        10⤵
        System Location Discovery: System Language Discovery
        
        PID:6304
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-59230.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-59230.exe
        11⤵
        
        PID:8108
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 6304 -s 380
        11⤵
        
        PID:8876
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4104 -s 372
        10⤵
        
        PID:6828
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 684 -s 376
        9⤵
        
        PID:5648
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2092 -s 376
        8⤵
        Program crash
        
        PID:3480
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-8136.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-8136.exe
        7⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2192
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-53788.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-53788.exe
        8⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2516
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-52073.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-52073.exe
        9⤵
        
        PID:3428
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-15114.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-15114.exe
        10⤵
        System Location Discovery: System Language Discovery
        
        PID:5780
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-55016.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-55016.exe
        11⤵
        System Location Discovery: System Language Discovery
        
        PID:7592
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 5780 -s 380
        11⤵
        
        PID:8768
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3428 -s 372
        10⤵
        
        PID:6612
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2516 -s 376
        9⤵
        
        PID:4700
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2192 -s 376
        8⤵
        Program crash
        
        PID:3812
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2432 -s 376
        7⤵
        Program crash
        
        PID:2856
      - C:\Users\Admin\AppData\Local\Temp\Unicorn-21099.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-21099.exe
        6⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2676
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-37478.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-37478.exe
        7⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2912
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-42304.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-42304.exe
        8⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:1260
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-55197.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-55197.exe
        9⤵
        System Location Discovery: System Language Discovery
        
        PID:4004
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-19116.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-19116.exe
        10⤵
        
        PID:5236
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-49012.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-49012.exe
        11⤵
        System Location Discovery: System Language Discovery
        
        PID:2360
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 5236 -s 380
        11⤵
        
        PID:8776
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4004 -s 376
        10⤵
        
        PID:6856
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1260 -s 376
        9⤵
        Program crash
        
        PID:4984
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2912 -s 376
        8⤵
        Program crash
        
        PID:3648
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-38582.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-38582.exe
        7⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2848
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-7885.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-7885.exe
        8⤵
        System Location Discovery: System Language Discovery
        
        PID:3352
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-57714.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-57714.exe
        9⤵
        
        PID:5008
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-26952.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-26952.exe
        10⤵
        
        PID:6768
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-52518.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-52518.exe
        11⤵
        
        PID:8256
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 6768 -s 364
        11⤵
        
        PID:9808
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 5008 -s 376
        10⤵
        
        PID:7832
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3352 -s 376
        9⤵
        
        PID:5356
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2848 -s 376
        8⤵
        Program crash
        
        PID:4368
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2676 -s 376
        7⤵
        Program crash
        
        PID:1420
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 544 -s 376
        6⤵
        Program crash
        
        PID:2104
    - - C:\Users\Admin\AppData\Local\Temp\Unicorn-41929.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-41929.exe
        5⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:928
      - C:\Users\Admin\AppData\Local\Temp\Unicorn-28713.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-28713.exe
        6⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2772
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-33394.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-33394.exe
        7⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:880
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-21500.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-21500.exe
        8⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2528
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-17014.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-17014.exe
        9⤵
        System Location Discovery: System Language Discovery
        
        PID:3508
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-50122.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-50122.exe
        10⤵
        
        PID:4232
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-55623.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-55623.exe
        11⤵
        
        PID:6324
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-48559.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-48559.exe
        12⤵
        System Location Discovery: System Language Discovery
        
        PID:9620
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 6324 -s 384
        12⤵
        
        PID:10088
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4232 -s 380
        11⤵
        
        PID:8360
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3508 -s 376
        10⤵
        
        PID:4448
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2528 -s 376
        9⤵
        Program crash
        
        PID:4732
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 880 -s 376
        8⤵
        Program crash
        
        PID:3368
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-9994.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-9994.exe
        7⤵
        
        PID:1868
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-44336.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-44336.exe
        8⤵
        
        PID:4028
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-36817.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-36817.exe
        9⤵
        
        PID:6240
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-59230.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-59230.exe
        10⤵
        
        PID:8100
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 6240 -s 380
        10⤵
        
        PID:8924
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4028 -s 376
        9⤵
        
        PID:6408
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1868 -s 376
        8⤵
        
        PID:5552
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2772 -s 376
        7⤵
        Program crash
        
        PID:3268
      - C:\Users\Admin\AppData\Local\Temp\Unicorn-46201.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-46201.exe
        6⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2496
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-58640.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-58640.exe
        7⤵
        Executes dropped EXE
        
        PID:2348
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-25374.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-25374.exe
        8⤵
        System Location Discovery: System Language Discovery
        
        PID:3600
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-61606.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-61606.exe
        9⤵
        System Location Discovery: System Language Discovery
        
        PID:4944
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-58280.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-58280.exe
        10⤵
        
        PID:6600
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-6384.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-6384.exe
        11⤵
        
        PID:9012
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 6600 -s 372
        11⤵
        
        PID:9708
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4944 -s 376
        10⤵
        
        PID:7548
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3600 -s 376
        9⤵
        
        PID:5268
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2348 -s 376
        8⤵
        Program crash
        
        PID:4308
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2496 -s 376
        7⤵
        Program crash
        
        PID:3432
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 928 -s 376
        6⤵
        Program crash
        
        PID:1824
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2592 -s 376
        5⤵
        Loads dropped DLL
        Program crash
        
        PID:1648
  - - C:\Users\Admin\AppData\Local\Temp\Unicorn-34316.exe
      C:\Users\Admin\AppData\Local\Temp\Unicorn-34316.exe
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Suspicious use of SetWindowsHookEx
      PID:2956
    - - C:\Users\Admin\AppData\Local\Temp\Unicorn-36907.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-36907.exe
        5⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:1780
      - C:\Users\Admin\AppData\Local\Temp\Unicorn-56808.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-56808.exe
        6⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:892
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-20793.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-20793.exe
        7⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2964
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-41051.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-41051.exe
        8⤵
        
        PID:3248
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-31674.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-31674.exe
        9⤵
        System Location Discovery: System Language Discovery
        
        PID:4752
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-40003.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-40003.exe
        10⤵
        System Location Discovery: System Language Discovery
        
        PID:5720
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-22152.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-22152.exe
        11⤵
        System Location Discovery: System Language Discovery
        
        PID:7424
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 5720 -s 380
        11⤵
        
        PID:8932
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4752 -s 376
        10⤵
        
        PID:6520
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3248 -s 376
        9⤵
        
        PID:5172
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2964 -s 376
        8⤵
        Program crash
        
        PID:4216
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 892 -s 376
        7⤵
        Program crash
        
        PID:2276
      - C:\Users\Admin\AppData\Local\Temp\Unicorn-17612.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-17612.exe
        6⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:1532
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-42304.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-42304.exe
        7⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:1680
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-23724.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-23724.exe
        8⤵
        System Location Discovery: System Language Discovery
        
        PID:3500
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-45177.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-45177.exe
        9⤵
        
        PID:5656
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-39303.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-39303.exe
        10⤵
        
        PID:8004
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 5656 -s 380
        10⤵
        
        PID:8784
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3500 -s 376
        9⤵
        
        PID:7080
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1680 -s 376
        8⤵
        
        PID:5404
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1532 -s 376
        7⤵
        Program crash
        
        PID:3100
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1780 -s 372
        6⤵
        Program crash
        
        PID:2744
    - - C:\Users\Admin\AppData\Local\Temp\Unicorn-29843.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-29843.exe
        5⤵
        Executes dropped EXE
        
        PID:1600
      - C:\Users\Admin\AppData\Local\Temp\Unicorn-56782.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-56782.exe
        6⤵
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2260
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-5163.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-5163.exe
        7⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2120
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-27377.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-27377.exe
        8⤵
        System Location Discovery: System Language Discovery
        
        PID:3528
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-64014.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-64014.exe
        9⤵
        System Location Discovery: System Language Discovery
        
        PID:5860
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-37227.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-37227.exe
        10⤵
        
        PID:7720
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 5860 -s 372
        10⤵
        
        PID:8828
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3528 -s 376
        9⤵
        
        PID:6712
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2120 -s 376
        8⤵
        
        PID:4112
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2260 -s 368
        7⤵
        Program crash
        
        PID:3880
      - C:\Users\Admin\AppData\Local\Temp\Unicorn-63279.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-63279.exe
        6⤵
        
        PID:1912
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-48918.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-48918.exe
        7⤵
        
        PID:3384
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-21342.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-21342.exe
        8⤵
        System Location Discovery: System Language Discovery
        
        PID:4444
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-35011.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-35011.exe
        9⤵
        System Location Discovery: System Language Discovery
        
        PID:6348
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-17470.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-17470.exe
        10⤵
        
        PID:9604
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 6348 -s 380
        10⤵
        
        PID:5812
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4444 -s 380
        9⤵
        
        PID:8712
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3384 -s 376
        8⤵
        
        PID:5520
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1912 -s 376
        7⤵
        Program crash
        
        PID:4836
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1600 -s 376
        6⤵
        Program crash
        
        PID:2140
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2956 -s 376
        5⤵
        Program crash
        
        PID:2960
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 2548 -s 376
      4⤵
      Loads dropped DLL
      Program crash
      PID:496
- - C:\Users\Admin\AppData\Local\Temp\Unicorn-40974.exe
    C:\Users\Admin\AppData\Local\Temp\Unicorn-40974.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:2160
  - - C:\Users\Admin\AppData\Local\Temp\Unicorn-40970.exe
      C:\Users\Admin\AppData\Local\Temp\Unicorn-40970.exe
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:2896
    - - C:\Users\Admin\AppData\Local\Temp\Unicorn-31863.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-31863.exe
        5⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2240
      - C:\Users\Admin\AppData\Local\Temp\Unicorn-25013.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-25013.exe
        6⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2984
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-3689.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-3689.exe
        7⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:1440
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-45236.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-45236.exe
        8⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2344
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-14787.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-14787.exe
        9⤵
        System Location Discovery: System Language Discovery
        
        PID:3844
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-6178.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-6178.exe
        10⤵
        
        PID:5596
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-53672.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-53672.exe
        11⤵
        System Location Discovery: System Language Discovery
        
        PID:7300
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 5596 -s 380
        11⤵
        
        PID:8868
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3844 -s 376
        10⤵
        
        PID:6164
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2344 -s 376
        9⤵
        
        PID:5016
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1440 -s 376
        8⤵
        Program crash
        
        PID:3936
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-33922.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-33922.exe
        7⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1308
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-35400.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-35400.exe
        8⤵
        
        PID:4012
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-8529.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-8529.exe
        9⤵
        
        PID:5444
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-1586.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-1586.exe
        10⤵
        
        PID:7880
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 5444 -s 384
        10⤵
        
        PID:8796
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4012 -s 376
        9⤵
        
        PID:6796
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1308 -s 376
        8⤵
        
        PID:5224
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2984 -s 380
        7⤵
        Program crash
        
        PID:3968
      - C:\Users\Admin\AppData\Local\Temp\Unicorn-41384.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-41384.exe
        6⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2908
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2240 -s 376
        6⤵
        Program crash
        
        PID:2252
    - - C:\Users\Admin\AppData\Local\Temp\Unicorn-36750.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-36750.exe
        5⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1688
      - C:\Users\Admin\AppData\Local\Temp\Unicorn-60674.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-60674.exe
        6⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2332
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-32299.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-32299.exe
        7⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2436
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-52727.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-52727.exe
        8⤵
        
        PID:2480
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-8814.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-8814.exe
        9⤵
        
        PID:4628
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-9463.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-9463.exe
        10⤵
        
        PID:6668
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-55201.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-55201.exe
        11⤵
        System Location Discovery: System Language Discovery
        
        PID:9028
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 6668 -s 380
        11⤵
        
        PID:9724
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4628 -s 376
        10⤵
        
        PID:7660
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2480 -s 376
        9⤵
        
        PID:6048
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2436 -s 376
        8⤵
        Program crash
        
        PID:3976
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-32477.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-32477.exe
        7⤵
        System Location Discovery: System Language Discovery
        
        PID:3148
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-8814.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-8814.exe
        8⤵
        System Location Discovery: System Language Discovery
        
        PID:4636
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-58856.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-58856.exe
        9⤵
        
        PID:6504
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-41571.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-41571.exe
        10⤵
        
        PID:8208
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 6504 -s 384
        10⤵
        
        PID:9452
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4636 -s 376
        9⤵
        
        PID:7452
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3148 -s 376
        8⤵
        
        PID:6040
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2332 -s 376
        7⤵
        Program crash
        
        PID:3680
      - C:\Users\Admin\AppData\Local\Temp\Unicorn-38390.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-38390.exe
        6⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1188
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-25449.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-25449.exe
        7⤵
        System Location Discovery: System Language Discovery
        
        PID:1500
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-16791.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-16791.exe
        8⤵
        System Location Discovery: System Language Discovery
        
        PID:4604
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-11544.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-11544.exe
        9⤵
        
        PID:2524
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-26859.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-26859.exe
        10⤵
        
        PID:8040
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2524 -s 380
        10⤵
        
        PID:8844
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4604 -s 376
        9⤵
        
        PID:6976
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1500 -s 376
        8⤵
        
        PID:5908
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1188 -s 376
        7⤵
        Program crash
        
        PID:3112
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1688 -s 376
        6⤵
        Program crash
        
        PID:2184
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2896 -s 380
        5⤵
        Program crash
        
        PID:2540
  - - C:\Users\Admin\AppData\Local\Temp\Unicorn-41737.exe
      C:\Users\Admin\AppData\Local\Temp\Unicorn-41737.exe
      4⤵
      Executes dropped EXE
      Suspicious use of SetWindowsHookEx
      PID:2076
    - - C:\Users\Admin\AppData\Local\Temp\Unicorn-28028.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-28028.exe
        5⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:980
      - C:\Users\Admin\AppData\Local\Temp\Unicorn-44914.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-44914.exe
        6⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2884
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-32059.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-32059.exe
        7⤵
        System Location Discovery: System Language Discovery
        
        PID:1048
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-10786.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-10786.exe
        8⤵
        
        PID:4256
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-61897.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-61897.exe
        9⤵
        System Location Discovery: System Language Discovery
        
        PID:6332
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-59230.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-59230.exe
        10⤵
        
        PID:8092
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 6332 -s 380
        10⤵
        
        PID:8752
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4256 -s 376
        9⤵
        
        PID:6320
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1048 -s 376
        8⤵
        
        PID:5708
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2884 -s 376
        7⤵
        Program crash
        
        PID:3700
      - C:\Users\Admin\AppData\Local\Temp\Unicorn-48422.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-48422.exe
        6⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2272
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-12763.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-12763.exe
        7⤵
        
        PID:1588
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-8238.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-8238.exe
        8⤵
        
        PID:4688
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-62556.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-62556.exe
        9⤵
        
        PID:6564
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-34288.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-34288.exe
        10⤵
        
        PID:9132
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 6564 -s 376
        10⤵
        
        PID:9716
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4688 -s 376
        9⤵
        
        PID:7516
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1588 -s 376
        8⤵
        
        PID:4400
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2272 -s 376
        7⤵
        Program crash
        
        PID:4164
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 980 -s 376
        6⤵
        Program crash
        
        PID:3052
    - - C:\Users\Admin\AppData\Local\Temp\Unicorn-53637.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-53637.exe
        5⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1616
      - C:\Users\Admin\AppData\Local\Temp\Unicorn-20239.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-20239.exe
        6⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1304
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-7885.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-7885.exe
        7⤵
        
        PID:3344
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-1113.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-1113.exe
        8⤵
        
        PID:4496
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-43563.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-43563.exe
        9⤵
        
        PID:7164
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-11070.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-11070.exe
        10⤵
        
        PID:9556
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 7164 -s 376
        10⤵
        
        PID:10048
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4496 -s 380
        9⤵
        
        PID:8956
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3344 -s 376
        8⤵
        
        PID:6172
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1304 -s 376
        7⤵
        Program crash
        
        PID:4908
      - C:\Users\Admin\AppData\Local\Temp\Unicorn-53557.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-53557.exe
        6⤵
        
        PID:3288
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-65306.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-65306.exe
        7⤵
        
        PID:5056
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-42411.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-42411.exe
        8⤵
        System Location Discovery: System Language Discovery
        
        PID:7016
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-2918.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-2918.exe
        9⤵
        
        PID:9976
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 7016 -s 384
        9⤵
        
        PID:9760
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 5056 -s 376
        8⤵
        
        PID:8144
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3288 -s 376
        7⤵
        
        PID:5568
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1616 -s 368
        6⤵
        Program crash
        
        PID:4424
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2076 -s 376
        5⤵
        Program crash
        
        PID:380
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 2160 -s 376
      4⤵
      Loads dropped DLL
      Program crash
      PID:1452
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2760 -s 384
    3⤵
    - Loads dropped DLL
    - Program crash
    PID:2924
- C:\Users\Admin\AppData\Local\Temp\Unicorn-45998.exe
  C:\Users\Admin\AppData\Local\Temp\Unicorn-45998.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:828
- - C:\Users\Admin\AppData\Local\Temp\Unicorn-57825.exe
    C:\Users\Admin\AppData\Local\Temp\Unicorn-57825.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:2136
  - - C:\Users\Admin\AppData\Local\Temp\Unicorn-11997.exe
      C:\Users\Admin\AppData\Local\Temp\Unicorn-11997.exe
      4⤵
      Executes dropped EXE
      Suspicious use of SetWindowsHookEx
      PID:2424
    - - C:\Users\Admin\AppData\Local\Temp\Unicorn-56725.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-56725.exe
        5⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1504
      - C:\Users\Admin\AppData\Local\Temp\Unicorn-36554.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-36554.exe
        6⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2616
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-23363.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-23363.exe
        7⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2624
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-16129.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-16129.exe
        8⤵
        
        PID:3040
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-35523.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-35523.exe
        9⤵
        
        PID:4072
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-64232.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-64232.exe
        10⤵
        
        PID:5340
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-54056.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-54056.exe
        11⤵
        
        PID:7192
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 5340 -s 372
        11⤵
        
        PID:8856
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4072 -s 376
        10⤵
        
        PID:6960
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3040 -s 376
        9⤵
        Program crash
        
        PID:3584
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-25544.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-25544.exe
        8⤵
        
        PID:3708
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-13796.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-13796.exe
        9⤵
        
        PID:4940
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-40377.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-40377.exe
        10⤵
        System Location Discovery: System Language Discovery
        
        PID:6212
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4940 -s 384
        10⤵
        
        PID:8820
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3708 -s 376
        9⤵
        
        PID:6392
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2624 -s 376
        8⤵
        Program crash
        
        PID:4584
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-5583.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-5583.exe
        7⤵
        System Location Discovery: System Language Discovery
        
        PID:2900
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-16791.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-16791.exe
        8⤵
        
        PID:4592
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-37860.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-37860.exe
        9⤵
        
        PID:6632
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-8706.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-8706.exe
        10⤵
        
        PID:8220
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 6632 -s 376
        10⤵
        
        PID:9468
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4592 -s 376
        9⤵
        
        PID:7572
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2900 -s 376
        8⤵
        
        PID:5972
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2616 -s 376
        7⤵
        Program crash
        
        PID:3460
      - C:\Users\Admin\AppData\Local\Temp\Unicorn-28385.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-28385.exe
        6⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1524
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-32273.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-32273.exe
        7⤵
        
        PID:1652
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-48887.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-48887.exe
        8⤵
        
        PID:4436
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-34160.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-34160.exe
        9⤵
        
        PID:6476
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-28743.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-28743.exe
        10⤵
        System Location Discovery: System Language Discovery
        
        PID:8232
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 6476 -s 376
        10⤵
        
        PID:9460
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4436 -s 376
        9⤵
        
        PID:7380
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1652 -s 376
        8⤵
        
        PID:5840
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1524 -s 376
        7⤵
        Program crash
        
        PID:3080
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1504 -s 376
        6⤵
        Program crash
        
        PID:944
    - - C:\Users\Admin\AppData\Local\Temp\Unicorn-45277.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-45277.exe
        5⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2372
      - C:\Users\Admin\AppData\Local\Temp\Unicorn-10726.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-10726.exe
        6⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2916
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-25449.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-25449.exe
        7⤵
        System Location Discovery: System Language Discovery
        
        PID:832
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-19723.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-19723.exe
        8⤵
        
        PID:4476
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-23392.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-23392.exe
        9⤵
        
        PID:5276
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-16340.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-16340.exe
        10⤵
        System Location Discovery: System Language Discovery
        
        PID:6292
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 5276 -s 372
        10⤵
        
        PID:8904
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4476 -s 376
        9⤵
        
        PID:6892
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 832 -s 376
        8⤵
        Program crash
        
        PID:4188
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2916 -s 376
        7⤵
        Program crash
        
        PID:3616
      - C:\Users\Admin\AppData\Local\Temp\Unicorn-58292.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-58292.exe
        6⤵
        
        PID:1512
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-22333.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-22333.exe
        7⤵
        
        PID:4036
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-18924.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-18924.exe
        8⤵
        
        PID:5428
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-58524.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-58524.exe
        9⤵
        
        PID:7228
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 5428 -s 380
        9⤵
        
        PID:8808
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4036 -s 372
        8⤵
        
        PID:7004
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1512 -s 376
        7⤵
        Program crash
        
        PID:5072
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2372 -s 376
        6⤵
        Program crash
        
        PID:3672
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2424 -s 360
        5⤵
        Program crash
        
        PID:2476
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 2136 -s 380
      4⤵
      Program crash
      PID:632
- - C:\Users\Admin\AppData\Local\Temp\Unicorn-53777.exe
    C:\Users\Admin\AppData\Local\Temp\Unicorn-53777.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    PID:1396
  - - C:\Users\Admin\AppData\Local\Temp\Unicorn-24655.exe
      C:\Users\Admin\AppData\Local\Temp\Unicorn-24655.exe
      4⤵
      Executes dropped EXE
      Suspicious use of SetWindowsHookEx
      PID:704
    - - C:\Users\Admin\AppData\Local\Temp\Unicorn-3715.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-3715.exe
        5⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1876
      - C:\Users\Admin\AppData\Local\Temp\Unicorn-20950.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-20950.exe
        6⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1784
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-9631.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-9631.exe
        7⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1884
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-7885.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-7885.exe
        8⤵
        
        PID:3328
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-1113.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-1113.exe
        9⤵
        System Location Discovery: System Language Discovery
        
        PID:4484
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-26843.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-26843.exe
        10⤵
        System Location Discovery: System Language Discovery
        
        PID:6432
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-29831.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-29831.exe
        11⤵
        System Location Discovery: System Language Discovery
        
        PID:9520
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 6432 -s 376
        11⤵
        
        PID:9996
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4484 -s 384
        10⤵
        
        PID:8964
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3328 -s 376
        9⤵
        
        PID:932
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1884 -s 376
        8⤵
        Program crash
        
        PID:4876
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1784 -s 376
        7⤵
        Program crash
        
        PID:3376
      - C:\Users\Admin\AppData\Local\Temp\Unicorn-43242.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-43242.exe
        6⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1344
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-21949.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-21949.exe
        7⤵
        System Location Discovery: System Language Discovery
        
        PID:3160
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-52587.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-52587.exe
        8⤵
        System Location Discovery: System Language Discovery
        
        PID:4560
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-54580.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-54580.exe
        9⤵
        System Location Discovery: System Language Discovery
        
        PID:6448
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-41571.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-41571.exe
        10⤵
        System Location Discovery: System Language Discovery
        
        PID:8200
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 6448 -s 380
        10⤵
        
        PID:9480
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4560 -s 376
        9⤵
        
        PID:7348
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3160 -s 376
        8⤵
        
        PID:5940
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-5285.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-5285.exe
        7⤵
        
        PID:4660
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-55348.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-55348.exe
        8⤵
        System Location Discovery: System Language Discovery
        
        PID:6724
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-16299.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-16299.exe
        9⤵
        
        PID:8284
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 6724 -s 380
        9⤵
        
        PID:9508
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4660 -s 372
        8⤵
        
        PID:7764
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1344 -s 376
        7⤵
        
        PID:6088
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1876 -s 380
        6⤵
        Program crash
        
        PID:3768
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 704 -s 376
        5⤵
        Program crash
        
        PID:2748
  - - C:\Users\Admin\AppData\Local\Temp\Unicorn-42095.exe
      C:\Users\Admin\AppData\Local\Temp\Unicorn-42095.exe
      4⤵
      Executes dropped EXE
      Suspicious use of SetWindowsHookEx
      PID:1772
    - - C:\Users\Admin\AppData\Local\Temp\Unicorn-11665.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-11665.exe
        5⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1172
      - C:\Users\Admin\AppData\Local\Temp\Unicorn-45236.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-45236.exe
        6⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:1840
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-7885.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-7885.exe
        7⤵
        System Location Discovery: System Language Discovery
        
        PID:3336
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-47076.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-47076.exe
        8⤵
        
        PID:4068
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-41586.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-41586.exe
        9⤵
        
        PID:5604
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-5094.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-5094.exe
        10⤵
        System Location Discovery: System Language Discovery
        
        PID:7908
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 5604 -s 380
        10⤵
        
        PID:8892
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4068 -s 376
        9⤵
        
        PID:6764
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3336 -s 376
        8⤵
        
        PID:5324
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1840 -s 376
        7⤵
        Program crash
        
        PID:3576
      - C:\Users\Admin\AppData\Local\Temp\Unicorn-53557.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-53557.exe
        6⤵
        
        PID:3280
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-21342.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-21342.exe
        7⤵
        
        PID:4452
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-26459.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-26459.exe
        8⤵
        System Location Discovery: System Language Discovery
        
        PID:6912
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-29130.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-29130.exe
        9⤵
        
        PID:9256
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 6912 -s 384
        9⤵
        
        PID:9856
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4452 -s 380
        8⤵
        
        PID:8028
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3280 -s 376
        7⤵
        
        PID:5716
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1172 -s 376
        6⤵
        Program crash
        
        PID:4848
    - - C:\Users\Admin\AppData\Local\Temp\Unicorn-33922.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-33922.exe
        5⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:672
      - C:\Users\Admin\AppData\Local\Temp\Unicorn-52073.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-52073.exe
        6⤵
        
        PID:3416
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-13303.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-13303.exe
        7⤵
        System Location Discovery: System Language Discovery
        
        PID:4644
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-45120.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-45120.exe
        8⤵
        
        PID:6572
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4644 -s 384
        8⤵
        
        PID:8760
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3416 -s 376
        7⤵
        
        PID:6588
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 672 -s 380
        6⤵
        Program crash
        
        PID:4792
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1772 -s 376
        5⤵
        Program crash
        
        PID:3836
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 1396 -s 376
      4⤵
      Program crash
      PID:2116
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 828 -s 368
    3⤵
    - Loads dropped DLL
    - Program crash
    PID:1560
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 2688 -s 368
  2⤵
  - Program crash
  PID:2828

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\Unicorn-24442.exe

Filesize
192KB

MD5
4cc215e7cea91e60c6ddd5e6ebd07d86

SHA1
f8fbbd8f23f4f92332651edbda4166376df1dc2b

SHA256
90e19823f749c1363f6585f901bad770face9067ecf5877736dad8baf2402f95

SHA512
ad619183f6c9a8313e914d3a82ae2ad9deb1acc82156e586ef84512278aeaa3c1af3950f95e92ce5e7926da966e7701f5a0a89b039e7f55cdc80f8455ddf05db

Download Submit
\Users\Admin\AppData\Local\Temp\Unicorn-11997.exe

Filesize
192KB

MD5
ebb54045d58b29b3c734a7734e8940cf

SHA1
42c5eea2f311f4176ddfb790dd0c3561828809dc

SHA256
f349f88dc39c940455df269cfd5c893fdcdd87c101d6cc5165ca189cabe6e0cb

SHA512
9c43b167169ad36e01a1017c487463823acd05de14cd3a9bf6e5615625adcf4d3b510482a8cfbeaa310af91dae76395ecbc5db4f669201432971f2a499d5f131

Download Submit
\Users\Admin\AppData\Local\Temp\Unicorn-22034.exe

Filesize
192KB

MD5
089da63409fb5f207b4253fcaecf5865

SHA1
f7b4825523db25f83c3b16c0f813f73ae3c054ff

SHA256
74576027464591cfd680c435200810029ee68c88520660e97db067ae53190a80

SHA512
ad81282cd4788c8c3b635757607bdcd60b1e5dcb4f118f99246abcdfa993b25f18f4bc7d6e017e2443a2b6da8e65dbf0756cd98fc1b66074f25286268dba09b6

Download Submit
\Users\Admin\AppData\Local\Temp\Unicorn-31863.exe

Filesize
192KB

MD5
6dab891587cbe4790e5743081a06f16c

SHA1
8cf2e953aa6f29ea8eebaaf765db3e64fc4cad16

SHA256
43bfaff755d502a4887e69162d317329c30db50cfc311a22710c1455059dd694

SHA512
b616ef0a8ae45822767d4a9a85381fd512200caa80fc6a14520bee298f772c824013c1f7880e067298ab0c554ae8440b546303a0894070766f5d9ef2ca6bd931

Download Submit
\Users\Admin\AppData\Local\Temp\Unicorn-34316.exe

Filesize
192KB

MD5
3f16855142047a835ee89a6b2b8d83de

SHA1
dc297f90b754e36911344983efdbc515818fbe2e

SHA256
829a8f53821ab2e40210829887d0d09459a0fc7e30ecdb4f71a42a7f77077221

SHA512
8d48d35405c651a5bc48703c22eef7bfd699de1c8fb20b528b20eadedfe419221eb7d407d17ad2c8907919e44f4158d065730b155c6ecb477b359351a2792ca9

Download Submit
\Users\Admin\AppData\Local\Temp\Unicorn-40970.exe

Filesize
192KB

MD5
328add8471a1f7f56f6a7f21b35cc41a

SHA1
b22d4d40dbeffdf0fd816d7016e19a5c387968ce

SHA256
936baaae4b6af7784fb283116acd1d5572bf619171cc90b69728b6a526b3dcb2

SHA512
2e963fff5c499a695a1f4a22328a447282b3d1b8dba8f72587d95f6c79e022d1f278d09ff796adf10891994148a389a48e4e4281f9ed073bd6beb78a15976d4d

Download Submit
\Users\Admin\AppData\Local\Temp\Unicorn-40974.exe

Filesize
192KB

MD5
e8830f752ce41d2d0f271b346bea02a9

SHA1
bdc1941820b65750c7fd9ebe1a8672ecd50b3d38

SHA256
861d064fd378af8d01258db526b0ee270a72fb7255634a088b76a37da707c9cb

SHA512
1da7eaef1050cd38c79953bcaa9f86d8c3133b395dc0d2655a429cd86bc20b277c23e6202e9ccfe1a1b0d85acb1798202498af4080ea3710275c723efe0f44a4

Download Submit
\Users\Admin\AppData\Local\Temp\Unicorn-456.exe

Filesize
192KB

MD5
b3e8cc47743f4b9c81ae20c0391c9dcf

SHA1
a0a3f345372924bc6557024ed2f4c577516bc942

SHA256
f00464aca2b820d831e3cbc8fb41b03f1f596208514978140de7c88f6518c604

SHA512
cc4b1854c609245d2627dc8adb26e8039b1dec678f5679a629aa47fd394a91754fc7a82b9139d4267ae83054dd3fd3963259b1a01ba54a8aa4ab87612f279f67

Download Submit
\Users\Admin\AppData\Local\Temp\Unicorn-45998.exe

Filesize
192KB

MD5
b55238d280300f51abf1061756d98b18

SHA1
7fbfa1e3ed81c9f5dedb9408b635f01c880a8777

SHA256
b2279ceee6ff6e07304ce57197cfe9980866ff2883db5f75f50ad020c8439919

SHA512
455a21c4eb9799664466cf4a123762a1c3e42bfdbedb988cef23b36ff657381f08e4666453dbf92aec153815d3cb5d3b5dbc62d88f7c7256a6516eae06e5fe02

Download Submit
\Users\Admin\AppData\Local\Temp\Unicorn-53777.exe

Filesize
192KB

MD5
d8454b002bb3f769ec15f36d7116276d

SHA1
537e91bd4dc69c00c88d9b4273e6342a21a7cbbf

SHA256
b086c456cc4768a7146b3b11e469cbace32d53ce7cf553f33ccf387f0c1a596b

SHA512
6f6b1c19bb4c1e817c850d88636ea0049a56b889420329084bf6c74f497b9ef8b5e5a23521b2485c81c450db02c3232990aea57852554785ddfbd6479e344670

Download Submit
\Users\Admin\AppData\Local\Temp\Unicorn-57825.exe

Filesize
192KB

MD5
607d347ceb4ca7f7613e51536298571d

SHA1
b432f40bfbc619b838235ddef945556b61ee2d61

SHA256
805005029918e61628837167e42f083e236979f3f21ce88f3690872b3fd558ac

SHA512
b6305382bae9bfbbb55812eef617bc869a7dfa6088c609c55cf6577f5e161297819dccac285374bfca0c8b14bc2eb09a192c27eaa2b3f9a30fbe4fb36d433e66

Download Submit
\Users\Admin\AppData\Local\Temp\Unicorn-61779.exe

Filesize
192KB

MD5
59c05c5dc80aa2052317dcf407e8f857

SHA1
e86b7bd1f0605a258c7127e2657e39230b9f3c9d

SHA256
5121908654a9ad260d67e751028f602314806a759a06d7d61523d4cc93b8d1ca

SHA512
47043c2a3ca332224021265df84d8558dd9ddae3230156b0e44005a9f45f7c5422d1ef9e409d006c76565261e600abd622d1fd8e5936a622444791dc7a0c6347

Download Submit