dc4c4a64c4fad1bdce60302e19b29acd8a16d7270afe7349b1c1c23be229e31b

Analysis

max time kernel
148s
max time network
122s
platform
windows7_x64
resource
win7-20240708-en
resource tags

arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system
submitted
01/09/2024, 18:42

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

5ba95885b6d7b128865b0882ac157d8831189255b07e06e85d5bcd394b6f540b.exe
Size

192KB
MD5

23c9873652071303328e0dfffa7f348b
SHA1

b1a32c54adbe337af36c8caf61b1728d7ae04783
SHA256

5ba95885b6d7b128865b0882ac157d8831189255b07e06e85d5bcd394b6f540b
SHA512

591b6ba69805ffbac787a92dbaf6c0a0f2be742a15ccfef6a6b34ed8dee3b431b0e3f814d891c4f0f4dbf9f945e33694adfe2d0de45093a8d988ecfda9eb0f0c
SSDEEP

3072:b/QYoGSZmwOXm3f/djjWsJZwa51M0X6HuLxsLTAH9lTvpFK:b/ToqfXm3d/WsJVKvi9lTvpF

Score

7^/10

discovery

Malware Config

Signatures

Executes dropped EXE 64 IoCs

pid	Process
2872	Unicorn-64131.exe
2760	Unicorn-50893.exe
2396	Unicorn-35111.exe
2644	Unicorn-50976.exe
1976	Unicorn-4468.exe
1580	Unicorn-55060.exe
948	Unicorn-20333.exe
2976	Unicorn-1858.exe
2804	Unicorn-44837.exe
2832	Unicorn-24971.exe
2496	Unicorn-33907.exe
1096	Unicorn-21449.exe
3036	Unicorn-5667.exe
1696	Unicorn-24163.exe
496	Unicorn-24163.exe
676	Unicorn-40499.exe
924	Unicorn-55444.exe
1112	Unicorn-48667.exe
2452	Unicorn-28801.exe
2500	Unicorn-22300.exe
1244	Unicorn-10602.exe
608	Unicorn-3825.exe
1576	Unicorn-61749.exe
1700	Unicorn-54972.exe
872	Unicorn-12548.exe
1596	Unicorn-52834.exe
2868	Unicorn-2242.exe
2696	Unicorn-61002.exe
2992	Unicorn-7717.exe
2740	Unicorn-104.exe
2640	Unicorn-50696.exe
2092	Unicorn-18299.exe
2536	Unicorn-57748.exe
2820	Unicorn-20245.exe
1216	Unicorn-30359.exe
1420	Unicorn-43165.exe
484	Unicorn-63031.exe
1176	Unicorn-18683.exe
2420	Unicorn-18683.exe
3048	Unicorn-57577.exe
1920	Unicorn-31489.exe
1164	Unicorn-51355.exe
1540	Unicorn-43741.exe
708	Unicorn-61469.exe
1896	Unicorn-26659.exe
1468	Unicorn-19045.exe
1988	Unicorn-4655.exe
560	Unicorn-36773.exe
1776	Unicorn-19067.exe
2984	Unicorn-38095.exe
2728	Unicorn-6321.exe
2376	Unicorn-51993.exe
2940	Unicorn-6321.exe
2852	Unicorn-6321.exe
2700	Unicorn-51993.exe
2788	Unicorn-51993.exe
1876	Unicorn-6321.exe
2888	Unicorn-6321.exe
2596	Unicorn-191.exe
1408	Unicorn-4183.exe
1144	Unicorn-4183.exe
2140	Unicorn-56653.exe
2192	Unicorn-64821.exe
2408	Unicorn-35486.exe

Loads dropped DLL 64 IoCs

pid	Process
2716	5ba95885b6d7b128865b0882ac157d8831189255b07e06e85d5bcd394b6f540b.exe
2716	5ba95885b6d7b128865b0882ac157d8831189255b07e06e85d5bcd394b6f540b.exe
2872	Unicorn-64131.exe
2872	Unicorn-64131.exe
2716	5ba95885b6d7b128865b0882ac157d8831189255b07e06e85d5bcd394b6f540b.exe
2716	5ba95885b6d7b128865b0882ac157d8831189255b07e06e85d5bcd394b6f540b.exe
2760	Unicorn-50893.exe
2760	Unicorn-50893.exe
2872	Unicorn-64131.exe
2872	Unicorn-64131.exe
2396	Unicorn-35111.exe
2396	Unicorn-35111.exe
2368	WerFault.exe
2368	WerFault.exe
2368	WerFault.exe
2368	WerFault.exe
2368	WerFault.exe
2368	WerFault.exe
2368	WerFault.exe
1976	Unicorn-4468.exe
1976	Unicorn-4468.exe
1580	Unicorn-55060.exe
1580	Unicorn-55060.exe
2396	Unicorn-35111.exe
2644	Unicorn-50976.exe
2644	Unicorn-50976.exe
2396	Unicorn-35111.exe
2760	Unicorn-50893.exe
2760	Unicorn-50893.exe
332	WerFault.exe
332	WerFault.exe
332	WerFault.exe
332	WerFault.exe
332	WerFault.exe
332	WerFault.exe
332	WerFault.exe
2388	WerFault.exe
2388	WerFault.exe
2388	WerFault.exe
2388	WerFault.exe
2388	WerFault.exe
2388	WerFault.exe
2388	WerFault.exe
948	Unicorn-20333.exe
948	Unicorn-20333.exe
1976	Unicorn-4468.exe
1976	Unicorn-4468.exe
2832	Unicorn-24971.exe
2976	Unicorn-1858.exe
2832	Unicorn-24971.exe
2804	Unicorn-44837.exe
1580	Unicorn-55060.exe
2804	Unicorn-44837.exe
1580	Unicorn-55060.exe
2496	Unicorn-33907.exe
2496	Unicorn-33907.exe
2644	Unicorn-50976.exe
2644	Unicorn-50976.exe
1952	WerFault.exe
1952	WerFault.exe
1952	WerFault.exe
1952	WerFault.exe
1952	WerFault.exe
1952	WerFault.exe

Program crash 64 IoCs

pid	pid_target	Process	procid_target
2572	2716	WerFault.exe	29
2368	2872	WerFault.exe	30
332	2760	WerFault.exe	31
2388	2396	WerFault.exe	32
1952	1976	WerFault.exe	35
1940	1580	WerFault.exe	36
2256	2644	WerFault.exe	34
1632	948	WerFault.exe	38
2712	2832	WerFault.exe	40
2912	2976	WerFault.exe	39
2824	2804	WerFault.exe	41
1100	2496	WerFault.exe	42
600	676	WerFault.exe	49
2948	1596	WerFault.exe	62
288	2696	WerFault.exe	64
880	1576	WerFault.exe	59
2476	1700	WerFault.exe	60
1704	3036	WerFault.exe	46
2836	608	WerFault.exe	58
2084	1112	WerFault.exe	51
3000	2500	WerFault.exe	56
1824	2092	WerFault.exe	69
1916	2452	WerFault.exe	52
2464	1696	WerFault.exe	47
3152	2740	WerFault.exe	66
3176	2992	WerFault.exe	65
3240	484	WerFault.exe	78
3296	924	WerFault.exe	50
3304	2820	WerFault.exe	73
3428	1896	WerFault.exe	86
3500	3048	WerFault.exe	81
3572	2640	WerFault.exe	67
3708	1244	WerFault.exe	57
3788	1164	WerFault.exe	83
3904	1096	WerFault.exe	45
3984	1420	WerFault.exe	77
4004	2868	WerFault.exe	63
3076	2536	WerFault.exe	72
3508	872	WerFault.exe	61
3864	2420	WerFault.exe	80
3876	1176	WerFault.exe	79
4040	2408	WerFault.exe	106
3612	1216	WerFault.exe	76
3636	1988	WerFault.exe	88
3912	2192	WerFault.exe	105
3728	1468	WerFault.exe	87
3940	1876	WerFault.exe	97
3476	2940	WerFault.exe	98
4120	988	WerFault.exe	108
4252	2888	WerFault.exe	99
4312	1540	WerFault.exe	84
4304	1776	WerFault.exe	90
4296	1900	WerFault.exe	107
4336	2984	WerFault.exe	91
4352	1920	WerFault.exe	82
4344	2700	WerFault.exe	93
4384	1408	WerFault.exe	103
4392	496	WerFault.exe	109
4488	560	WerFault.exe	89
4816	2728	WerFault.exe	95
4832	2788	WerFault.exe	92
4824	1144	WerFault.exe	102
4856	2852	WerFault.exe	94
4904	2140	WerFault.exe	104

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Unicorn-50976.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Unicorn-38095.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Unicorn-6321.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Unicorn-9398.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Unicorn-55287.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Unicorn-41153.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Unicorn-587.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Unicorn-1858.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Unicorn-61749.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Unicorn-61002.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Unicorn-6705.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Unicorn-9995.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Unicorn-29887.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Unicorn-18349.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Unicorn-12837.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Unicorn-50893.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Unicorn-24971.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Unicorn-3825.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Unicorn-15603.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Unicorn-51993.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Unicorn-64821.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Unicorn-63465.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Unicorn-21449.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Unicorn-51993.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Unicorn-58771.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Unicorn-48937.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Unicorn-59051.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Unicorn-504.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Unicorn-35398.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Unicorn-18299.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Unicorn-56653.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Unicorn-52640.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Unicorn-57577.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Unicorn-50499.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Unicorn-62149.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Unicorn-42526.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Unicorn-64612.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Unicorn-6321.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Unicorn-28801.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Unicorn-4655.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Unicorn-36773.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Unicorn-49361.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Unicorn-43888.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Unicorn-29868.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Unicorn-35111.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Unicorn-51355.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Unicorn-6321.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Unicorn-19688.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Unicorn-13787.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Unicorn-55444.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Unicorn-50696.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Unicorn-65273.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Unicorn-2967.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Unicorn-10507.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Unicorn-10507.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Unicorn-4468.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Unicorn-31489.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Unicorn-43741.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Unicorn-587.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Unicorn-1301.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Unicorn-27472.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Unicorn-54972.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Unicorn-57748.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Unicorn-12834.exe

Suspicious use of SetWindowsHookEx 64 IoCs

pid	Process
2716	5ba95885b6d7b128865b0882ac157d8831189255b07e06e85d5bcd394b6f540b.exe
2872	Unicorn-64131.exe
2760	Unicorn-50893.exe
2396	Unicorn-35111.exe
1976	Unicorn-4468.exe
2644	Unicorn-50976.exe
1580	Unicorn-55060.exe
948	Unicorn-20333.exe
2976	Unicorn-1858.exe
2832	Unicorn-24971.exe
2804	Unicorn-44837.exe
2496	Unicorn-33907.exe
1096	Unicorn-21449.exe
3036	Unicorn-5667.exe
1696	Unicorn-24163.exe
676	Unicorn-40499.exe
924	Unicorn-55444.exe
1112	Unicorn-48667.exe
2452	Unicorn-28801.exe
2500	Unicorn-22300.exe
608	Unicorn-3825.exe
1244	Unicorn-10602.exe
1576	Unicorn-61749.exe
1700	Unicorn-54972.exe
872	Unicorn-12548.exe
1596	Unicorn-52834.exe
2868	Unicorn-2242.exe
2696	Unicorn-61002.exe
2992	Unicorn-7717.exe
2640	Unicorn-50696.exe
2740	Unicorn-104.exe
2092	Unicorn-18299.exe
2820	Unicorn-20245.exe
2536	Unicorn-57748.exe
1216	Unicorn-30359.exe
1420	Unicorn-43165.exe
484	Unicorn-63031.exe
2420	Unicorn-18683.exe
1176	Unicorn-18683.exe
3048	Unicorn-57577.exe
1920	Unicorn-31489.exe
1164	Unicorn-51355.exe
1540	Unicorn-43741.exe
1896	Unicorn-26659.exe
708	Unicorn-61469.exe
1468	Unicorn-19045.exe
1988	Unicorn-4655.exe
560	Unicorn-36773.exe
1776	Unicorn-19067.exe
2984	Unicorn-38095.exe
2788	Unicorn-51993.exe
2376	Unicorn-51993.exe
2852	Unicorn-6321.exe
2596	Unicorn-191.exe
2700	Unicorn-51993.exe
2940	Unicorn-6321.exe
2888	Unicorn-6321.exe
2728	Unicorn-6321.exe
1876	Unicorn-6321.exe
1408	Unicorn-4183.exe
1144	Unicorn-4183.exe
2192	Unicorn-64821.exe
2408	Unicorn-35486.exe
2140	Unicorn-56653.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2716 wrote to memory of 2872	2716	5ba95885b6d7b128865b0882ac157d8831189255b07e06e85d5bcd394b6f540b.exe	30
PID 2716 wrote to memory of 2872	2716	5ba95885b6d7b128865b0882ac157d8831189255b07e06e85d5bcd394b6f540b.exe	30
PID 2716 wrote to memory of 2872	2716	5ba95885b6d7b128865b0882ac157d8831189255b07e06e85d5bcd394b6f540b.exe	30
PID 2716 wrote to memory of 2872	2716	5ba95885b6d7b128865b0882ac157d8831189255b07e06e85d5bcd394b6f540b.exe	30
PID 2872 wrote to memory of 2760	2872	Unicorn-64131.exe	31
PID 2872 wrote to memory of 2760	2872	Unicorn-64131.exe	31
PID 2872 wrote to memory of 2760	2872	Unicorn-64131.exe	31
PID 2872 wrote to memory of 2760	2872	Unicorn-64131.exe	31
PID 2716 wrote to memory of 2396	2716	5ba95885b6d7b128865b0882ac157d8831189255b07e06e85d5bcd394b6f540b.exe	32
PID 2716 wrote to memory of 2396	2716	5ba95885b6d7b128865b0882ac157d8831189255b07e06e85d5bcd394b6f540b.exe	32
PID 2716 wrote to memory of 2396	2716	5ba95885b6d7b128865b0882ac157d8831189255b07e06e85d5bcd394b6f540b.exe	32
PID 2716 wrote to memory of 2396	2716	5ba95885b6d7b128865b0882ac157d8831189255b07e06e85d5bcd394b6f540b.exe	32
PID 2716 wrote to memory of 2572	2716	5ba95885b6d7b128865b0882ac157d8831189255b07e06e85d5bcd394b6f540b.exe	33
PID 2716 wrote to memory of 2572	2716	5ba95885b6d7b128865b0882ac157d8831189255b07e06e85d5bcd394b6f540b.exe	33
PID 2716 wrote to memory of 2572	2716	5ba95885b6d7b128865b0882ac157d8831189255b07e06e85d5bcd394b6f540b.exe	33
PID 2716 wrote to memory of 2572	2716	5ba95885b6d7b128865b0882ac157d8831189255b07e06e85d5bcd394b6f540b.exe	33
PID 2760 wrote to memory of 2644	2760	Unicorn-50893.exe	34
PID 2760 wrote to memory of 2644	2760	Unicorn-50893.exe	34
PID 2760 wrote to memory of 2644	2760	Unicorn-50893.exe	34
PID 2760 wrote to memory of 2644	2760	Unicorn-50893.exe	34
PID 2872 wrote to memory of 1976	2872	Unicorn-64131.exe	35
PID 2872 wrote to memory of 1976	2872	Unicorn-64131.exe	35
PID 2872 wrote to memory of 1976	2872	Unicorn-64131.exe	35
PID 2872 wrote to memory of 1976	2872	Unicorn-64131.exe	35
PID 2396 wrote to memory of 1580	2396	Unicorn-35111.exe	36
PID 2396 wrote to memory of 1580	2396	Unicorn-35111.exe	36
PID 2396 wrote to memory of 1580	2396	Unicorn-35111.exe	36
PID 2396 wrote to memory of 1580	2396	Unicorn-35111.exe	36
PID 2872 wrote to memory of 2368	2872	Unicorn-64131.exe	37
PID 2872 wrote to memory of 2368	2872	Unicorn-64131.exe	37
PID 2872 wrote to memory of 2368	2872	Unicorn-64131.exe	37
PID 2872 wrote to memory of 2368	2872	Unicorn-64131.exe	37
PID 1976 wrote to memory of 948	1976	Unicorn-4468.exe	38
PID 1976 wrote to memory of 948	1976	Unicorn-4468.exe	38
PID 1976 wrote to memory of 948	1976	Unicorn-4468.exe	38
PID 1976 wrote to memory of 948	1976	Unicorn-4468.exe	38
PID 1580 wrote to memory of 2976	1580	Unicorn-55060.exe	39
PID 1580 wrote to memory of 2976	1580	Unicorn-55060.exe	39
PID 1580 wrote to memory of 2976	1580	Unicorn-55060.exe	39
PID 1580 wrote to memory of 2976	1580	Unicorn-55060.exe	39
PID 2644 wrote to memory of 2804	2644	Unicorn-50976.exe	41
PID 2644 wrote to memory of 2804	2644	Unicorn-50976.exe	41
PID 2644 wrote to memory of 2804	2644	Unicorn-50976.exe	41
PID 2644 wrote to memory of 2804	2644	Unicorn-50976.exe	41
PID 2396 wrote to memory of 2832	2396	Unicorn-35111.exe	40
PID 2396 wrote to memory of 2832	2396	Unicorn-35111.exe	40
PID 2396 wrote to memory of 2832	2396	Unicorn-35111.exe	40
PID 2396 wrote to memory of 2832	2396	Unicorn-35111.exe	40
PID 2760 wrote to memory of 2496	2760	Unicorn-50893.exe	42
PID 2760 wrote to memory of 2496	2760	Unicorn-50893.exe	42
PID 2760 wrote to memory of 2496	2760	Unicorn-50893.exe	42
PID 2760 wrote to memory of 2496	2760	Unicorn-50893.exe	42
PID 2760 wrote to memory of 332	2760	Unicorn-50893.exe	43
PID 2760 wrote to memory of 332	2760	Unicorn-50893.exe	43
PID 2760 wrote to memory of 332	2760	Unicorn-50893.exe	43
PID 2760 wrote to memory of 332	2760	Unicorn-50893.exe	43
PID 2396 wrote to memory of 2388	2396	Unicorn-35111.exe	44
PID 2396 wrote to memory of 2388	2396	Unicorn-35111.exe	44
PID 2396 wrote to memory of 2388	2396	Unicorn-35111.exe	44
PID 2396 wrote to memory of 2388	2396	Unicorn-35111.exe	44
PID 948 wrote to memory of 1096	948	Unicorn-20333.exe	45
PID 948 wrote to memory of 1096	948	Unicorn-20333.exe	45
PID 948 wrote to memory of 1096	948	Unicorn-20333.exe	45
PID 948 wrote to memory of 1096	948	Unicorn-20333.exe	45

C:\Users\Admin\AppData\Local\Temp\5ba95885b6d7b128865b0882ac157d8831189255b07e06e85d5bcd394b6f540b.exe
"C:\Users\Admin\AppData\Local\Temp\5ba95885b6d7b128865b0882ac157d8831189255b07e06e85d5bcd394b6f540b.exe"
1⤵
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2716
- C:\Users\Admin\AppData\Local\Temp\Unicorn-64131.exe
  C:\Users\Admin\AppData\Local\Temp\Unicorn-64131.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2872
- - C:\Users\Admin\AppData\Local\Temp\Unicorn-50893.exe
    C:\Users\Admin\AppData\Local\Temp\Unicorn-50893.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:2760
  - - C:\Users\Admin\AppData\Local\Temp\Unicorn-50976.exe
      C:\Users\Admin\AppData\Local\Temp\Unicorn-50976.exe
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      System Location Discovery: System Language Discovery
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:2644
    - - C:\Users\Admin\AppData\Local\Temp\Unicorn-44837.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-44837.exe
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetWindowsHookEx
        
        PID:2804
      - C:\Users\Admin\AppData\Local\Temp\Unicorn-40499.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-40499.exe
        6⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:676
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-52834.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-52834.exe
        7⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1596
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-30359.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-30359.exe
        8⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1216
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-35486.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-35486.exe
        9⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2408
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-33971.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-33971.exe
        10⤵
        
        PID:876
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-55491.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-55491.exe
        11⤵
        
        PID:3388
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-27664.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-27664.exe
        12⤵
        
        PID:5728
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3388 -s 376
        12⤵
        
        PID:6888
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 876 -s 376
        11⤵
        
        PID:4104
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2408 -s 376
        10⤵
        Program crash
        
        PID:4040
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-48724.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-48724.exe
        9⤵
        
        PID:3096
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-172.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-172.exe
        10⤵
        
        PID:4112
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-19688.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-19688.exe
        11⤵
        System Location Discovery: System Language Discovery
        
        PID:6504
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4112 -s 372
        11⤵
        
        PID:6636
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3096 -s 376
        10⤵
        
        PID:5300
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1216 -s 376
        9⤵
        Program crash
        
        PID:3612
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-9398.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-9398.exe
        8⤵
        
        PID:988
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-14619.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-14619.exe
        9⤵
        
        PID:2428
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-13026.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-13026.exe
        10⤵
        
        PID:4968
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-6859.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-6859.exe
        11⤵
        
        PID:6360
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4968 -s 376
        11⤵
        
        PID:6992
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2428 -s 376
        10⤵
        
        PID:5220
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 988 -s 376
        9⤵
        Program crash
        
        PID:4120
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1596 -s 376
        8⤵
        Program crash
        
        PID:2948
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-43165.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-43165.exe
        7⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1420
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-6321.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-6321.exe
        8⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2852
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-35398.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-35398.exe
        9⤵
        System Location Discovery: System Language Discovery
        
        PID:3128
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-18349.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-18349.exe
        10⤵
        System Location Discovery: System Language Discovery
        
        PID:5952
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-13787.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-13787.exe
        11⤵
        System Location Discovery: System Language Discovery
        
        PID:7412
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 5952 -s 376
        11⤵
        
        PID:7720
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3128 -s 376
        10⤵
        
        PID:6096
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2852 -s 376
        9⤵
        Program crash
        
        PID:4856
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1420 -s 376
        8⤵
        Program crash
        
        PID:3984
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 676 -s 376
        7⤵
        Program crash
        
        PID:600
      - C:\Users\Admin\AppData\Local\Temp\Unicorn-2242.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-2242.exe
        6⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2868
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-63031.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-63031.exe
        7⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:484
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-6321.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-6321.exe
        8⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2888
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-48937.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-48937.exe
        9⤵
        
        PID:3480
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-39145.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-39145.exe
        10⤵
        
        PID:5460
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 5460 -s 376
        11⤵
        
        PID:6720
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3480 -s 376
        10⤵
        
        PID:4988
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2888 -s 376
        9⤵
        Program crash
        
        PID:4252
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 484 -s 368
        8⤵
        Program crash
        
        PID:3240
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-51993.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-51993.exe
        7⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2376
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-40695.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-40695.exe
        8⤵
        
        PID:3748
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-2391.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-2391.exe
        9⤵
        
        PID:5976
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3748 -s 380
        9⤵
        
        PID:6864
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2376 -s 376
        8⤵
        
        PID:2088
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2868 -s 376
        7⤵
        Program crash
        
        PID:4004
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2804 -s 376
        6⤵
        Program crash
        
        PID:2824
    - - C:\Users\Admin\AppData\Local\Temp\Unicorn-28801.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-28801.exe
        5⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2452
      - C:\Users\Admin\AppData\Local\Temp\Unicorn-50696.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-50696.exe
        6⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2640
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-36773.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-36773.exe
        7⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:560
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-10317.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-10317.exe
        8⤵
        
        PID:4016
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-34685.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-34685.exe
        9⤵
        
        PID:5988
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-10507.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-10507.exe
        10⤵
        
        PID:6640
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 5988 -s 380
        10⤵
        
        PID:7084
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4016 -s 380
        9⤵
        
        PID:6088
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 560 -s 376
        8⤵
        Program crash
        
        PID:4488
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2640 -s 376
        7⤵
        Program crash
        
        PID:3572
      - C:\Users\Admin\AppData\Local\Temp\Unicorn-38095.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-38095.exe
        6⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2984
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-65273.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-65273.exe
        7⤵
        System Location Discovery: System Language Discovery
        
        PID:3520
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-58771.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-58771.exe
        8⤵
        System Location Discovery: System Language Discovery
        
        PID:5604
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-10507.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-10507.exe
        9⤵
        
        PID:6652
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 5604 -s 376
        9⤵
        
        PID:4744
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3520 -s 380
        8⤵
        
        PID:5508
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2984 -s 376
        7⤵
        Program crash
        
        PID:4336
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2452 -s 376
        6⤵
        Program crash
        
        PID:1916
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2644 -s 368
        5⤵
        Program crash
        
        PID:2256
  - - C:\Users\Admin\AppData\Local\Temp\Unicorn-33907.exe
      C:\Users\Admin\AppData\Local\Temp\Unicorn-33907.exe
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Suspicious use of SetWindowsHookEx
      PID:2496
    - - C:\Users\Admin\AppData\Local\Temp\Unicorn-48667.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-48667.exe
        5⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1112
      - C:\Users\Admin\AppData\Local\Temp\Unicorn-7717.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-7717.exe
        6⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2992
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-61469.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-61469.exe
        7⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:708
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-9398.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-9398.exe
        7⤵
        System Location Discovery: System Language Discovery
        
        PID:1900
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-41153.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-41153.exe
        8⤵
        System Location Discovery: System Language Discovery
        
        PID:3732
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-29868.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-29868.exe
        9⤵
        System Location Discovery: System Language Discovery
        
        PID:6044
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-12837.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-12837.exe
        10⤵
        System Location Discovery: System Language Discovery
        
        PID:6756
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 6044 -s 376
        10⤵
        
        PID:4736
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3732 -s 372
        9⤵
        
        PID:6280
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1900 -s 376
        8⤵
        Program crash
        
        PID:4296
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2992 -s 376
        7⤵
        Program crash
        
        PID:3176
      - C:\Users\Admin\AppData\Local\Temp\Unicorn-19045.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-19045.exe
        6⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1468
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-50499.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-50499.exe
        7⤵
        System Location Discovery: System Language Discovery
        
        PID:3376
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-28263.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-28263.exe
        8⤵
        
        PID:5428
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-15603.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-15603.exe
        9⤵
        System Location Discovery: System Language Discovery
        
        PID:6492
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 5428 -s 380
        9⤵
        
        PID:6452
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3376 -s 376
        8⤵
        
        PID:6120
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1468 -s 376
        7⤵
        Program crash
        
        PID:3728
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1112 -s 376
        6⤵
        Program crash
        
        PID:2084
    - - C:\Users\Admin\AppData\Local\Temp\Unicorn-104.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-104.exe
        5⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2740
      - C:\Users\Admin\AppData\Local\Temp\Unicorn-19067.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-19067.exe
        6⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1776
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-39207.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-39207.exe
        7⤵
        
        PID:3660
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-43888.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-43888.exe
        8⤵
        System Location Discovery: System Language Discovery
        
        PID:5712
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-10507.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-10507.exe
        9⤵
        System Location Discovery: System Language Discovery
        
        PID:6660
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 5712 -s 376
        9⤵
        
        PID:4752
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3660 -s 376
        8⤵
        
        PID:5516
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1776 -s 376
        7⤵
        Program crash
        
        PID:4304
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2740 -s 376
        6⤵
        Program crash
        
        PID:3152
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2496 -s 376
        5⤵
        Program crash
        
        PID:1100
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 2760 -s 376
      4⤵
      Loads dropped DLL
      Program crash
      PID:332
- - C:\Users\Admin\AppData\Local\Temp\Unicorn-4468.exe
    C:\Users\Admin\AppData\Local\Temp\Unicorn-4468.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:1976
  - - C:\Users\Admin\AppData\Local\Temp\Unicorn-20333.exe
      C:\Users\Admin\AppData\Local\Temp\Unicorn-20333.exe
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:948
    - - C:\Users\Admin\AppData\Local\Temp\Unicorn-21449.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-21449.exe
        5⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:1096
      - C:\Users\Admin\AppData\Local\Temp\Unicorn-22300.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-22300.exe
        6⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2500
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-18299.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-18299.exe
        7⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2092
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-6321.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-6321.exe
        8⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1876
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-29887.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-29887.exe
        9⤵
        System Location Discovery: System Language Discovery
        
        PID:2136
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-12834.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-12834.exe
        10⤵
        System Location Discovery: System Language Discovery
        
        PID:5004
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-15603.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-15603.exe
        11⤵
        
        PID:6484
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 5004 -s 376
        11⤵
        
        PID:6480
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2136 -s 376
        10⤵
        
        PID:5244
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1876 -s 376
        9⤵
        Program crash
        
        PID:3940
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2092 -s 380
        8⤵
        Program crash
        
        PID:1824
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-51993.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-51993.exe
        7⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2700
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-48937.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-48937.exe
        8⤵
        System Location Discovery: System Language Discovery
        
        PID:3492
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-4910.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-4910.exe
        9⤵
        
        PID:5572
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-10507.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-10507.exe
        10⤵
        System Location Discovery: System Language Discovery
        
        PID:6668
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 5572 -s 368
        10⤵
        
        PID:7092
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3492 -s 376
        9⤵
        
        PID:5492
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2700 -s 376
        8⤵
        Program crash
        
        PID:4344
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2500 -s 376
        7⤵
        Program crash
        
        PID:3000
      - C:\Users\Admin\AppData\Local\Temp\Unicorn-57748.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-57748.exe
        6⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2536
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-6321.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-6321.exe
        7⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2940
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2940 -s 376
        8⤵
        Program crash
        
        PID:3476
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2536 -s 376
        7⤵
        Program crash
        
        PID:3076
      - C:\Users\Admin\AppData\Local\Temp\Unicorn-191.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-191.exe
        6⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2596
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-49361.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-49361.exe
        7⤵
        System Location Discovery: System Language Discovery
        
        PID:3196
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-2967.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-2967.exe
        8⤵
        System Location Discovery: System Language Discovery
        
        PID:2240
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3196 -s 376
        8⤵
        
        PID:6964
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2596 -s 380
        7⤵
        
        PID:5040
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1096 -s 380
        6⤵
        Program crash
        
        PID:3904
    - - C:\Users\Admin\AppData\Local\Temp\Unicorn-10602.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-10602.exe
        5⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1244
      - C:\Users\Admin\AppData\Local\Temp\Unicorn-20245.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-20245.exe
        6⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2820
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-6321.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-6321.exe
        7⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2728
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-15532.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-15532.exe
        8⤵
        
        PID:3104
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-16403.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-16403.exe
        9⤵
        
        PID:5880
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-64612.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-64612.exe
        10⤵
        
        PID:6556
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 5880 -s 380
        10⤵
        
        PID:6524
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3104 -s 368
        9⤵
        
        PID:5252
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2728 -s 380
        8⤵
        Program crash
        
        PID:4816
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2820 -s 376
        7⤵
        Program crash
        
        PID:3304
      - C:\Users\Admin\AppData\Local\Temp\Unicorn-51993.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-51993.exe
        6⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2788
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-587.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-587.exe
        7⤵
        System Location Discovery: System Language Discovery
        
        PID:3352
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-42526.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-42526.exe
        8⤵
        System Location Discovery: System Language Discovery
        
        PID:5616
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-46180.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-46180.exe
        9⤵
        
        PID:7672
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3352 -s 376
        8⤵
        
        PID:6792
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2788 -s 368
        7⤵
        Program crash
        
        PID:4832
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1244 -s 376
        6⤵
        Program crash
        
        PID:3708
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 948 -s 380
        5⤵
        Program crash
        
        PID:1632
  - - C:\Users\Admin\AppData\Local\Temp\Unicorn-5667.exe
      C:\Users\Admin\AppData\Local\Temp\Unicorn-5667.exe
      4⤵
      Executes dropped EXE
      Suspicious use of SetWindowsHookEx
      PID:3036
    - - C:\Users\Admin\AppData\Local\Temp\Unicorn-3825.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-3825.exe
        5⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:608
      - C:\Users\Admin\AppData\Local\Temp\Unicorn-26659.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-26659.exe
        6⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1896
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-4183.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-4183.exe
        7⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1408
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-504.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-504.exe
        8⤵
        System Location Discovery: System Language Discovery
        
        PID:3928
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-49734.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-49734.exe
        9⤵
        
        PID:6068
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-53777.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-53777.exe
        10⤵
        
        PID:7336
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 6068 -s 376
        10⤵
        
        PID:7552
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3928 -s 380
        9⤵
        
        PID:6252
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1408 -s 376
        8⤵
        Program crash
        
        PID:4384
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1896 -s 368
        7⤵
        Program crash
        
        PID:3428
      - C:\Users\Admin\AppData\Local\Temp\Unicorn-64821.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-64821.exe
        6⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2192
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-15689.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-15689.exe
        7⤵
        
        PID:3332
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-63950.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-63950.exe
        8⤵
        
        PID:5356
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-64612.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-64612.exe
        9⤵
        
        PID:6548
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 5356 -s 376
        9⤵
        
        PID:6516
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3332 -s 376
        8⤵
        
        PID:5352
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2192 -s 376
        7⤵
        Program crash
        
        PID:3912
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 608 -s 376
        6⤵
        Program crash
        
        PID:2836
    - - C:\Users\Admin\AppData\Local\Temp\Unicorn-4655.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-4655.exe
        5⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:1988
      - C:\Users\Admin\AppData\Local\Temp\Unicorn-48169.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-48169.exe
        6⤵
        
        PID:2336
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-41205.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-41205.exe
        7⤵
        
        PID:5092
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-1405.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-1405.exe
        8⤵
        
        PID:6420
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 5092 -s 376
        8⤵
        
        PID:7044
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2336 -s 376
        7⤵
        
        PID:5292
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1988 -s 376
        6⤵
        Program crash
        
        PID:3636
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3036 -s 368
        5⤵
        Program crash
        
        PID:1704
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 1976 -s 380
      4⤵
      Loads dropped DLL
      Program crash
      PID:1952
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2872 -s 380
    3⤵
    - Loads dropped DLL
    - Program crash
    PID:2368
- C:\Users\Admin\AppData\Local\Temp\Unicorn-35111.exe
  C:\Users\Admin\AppData\Local\Temp\Unicorn-35111.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2396
- - C:\Users\Admin\AppData\Local\Temp\Unicorn-55060.exe
    C:\Users\Admin\AppData\Local\Temp\Unicorn-55060.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:1580
  - - C:\Users\Admin\AppData\Local\Temp\Unicorn-1858.exe
      C:\Users\Admin\AppData\Local\Temp\Unicorn-1858.exe
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      System Location Discovery: System Language Discovery
      Suspicious use of SetWindowsHookEx
      PID:2976
    - - C:\Users\Admin\AppData\Local\Temp\Unicorn-24163.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-24163.exe
        5⤵
        Executes dropped EXE
        
        PID:496
    - - C:\Users\Admin\AppData\Local\Temp\Unicorn-61749.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-61749.exe
        5⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:1576
      - C:\Users\Admin\AppData\Local\Temp\Unicorn-18683.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-18683.exe
        6⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2420
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-9995.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-9995.exe
        7⤵
        System Location Discovery: System Language Discovery
        
        PID:3012
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-43094.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-43094.exe
        8⤵
        
        PID:4616
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-20866.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-20866.exe
        9⤵
        
        PID:3024
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4616 -s 380
        9⤵
        
        PID:6836
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3012 -s 376
        8⤵
        
        PID:5080
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2420 -s 376
        7⤵
        Program crash
        
        PID:3864
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1576 -s 380
        6⤵
        Program crash
        
        PID:880
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2976 -s 372
        5⤵
        Program crash
        
        PID:2912
  - - C:\Users\Admin\AppData\Local\Temp\Unicorn-55444.exe
      C:\Users\Admin\AppData\Local\Temp\Unicorn-55444.exe
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious use of SetWindowsHookEx
      PID:924
    - - C:\Users\Admin\AppData\Local\Temp\Unicorn-61002.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-61002.exe
        5⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2696
      - C:\Users\Admin\AppData\Local\Temp\Unicorn-57577.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-57577.exe
        6⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:3048
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-6705.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-6705.exe
        7⤵
        System Location Discovery: System Language Discovery
        
        PID:496
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-62149.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-62149.exe
        8⤵
        System Location Discovery: System Language Discovery
        
        PID:3852
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-63465.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-63465.exe
        9⤵
        System Location Discovery: System Language Discovery
        
        PID:5912
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 5912 -s 220
        10⤵
        
        PID:7384
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3852 -s 376
        9⤵
        
        PID:6076
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 496 -s 380
        8⤵
        Program crash
        
        PID:4392
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3048 -s 376
        7⤵
        Program crash
        
        PID:3500
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2696 -s 376
        6⤵
        Program crash
        
        PID:288
    - - C:\Users\Admin\AppData\Local\Temp\Unicorn-43741.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-43741.exe
        5⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:1540
      - C:\Users\Admin\AppData\Local\Temp\Unicorn-19171.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-19171.exe
        6⤵
        
        PID:3816
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-29868.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-29868.exe
        7⤵
        
        PID:6052
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-55287.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-55287.exe
        8⤵
        System Location Discovery: System Language Discovery
        
        PID:7468
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3816 -s 380
        7⤵
        
        PID:6268
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1540 -s 376
        6⤵
        Program crash
        
        PID:4312
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 924 -s 380
        5⤵
        Program crash
        
        PID:3296
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 1580 -s 376
      4⤵
      Program crash
      PID:1940
- - C:\Users\Admin\AppData\Local\Temp\Unicorn-24971.exe
    C:\Users\Admin\AppData\Local\Temp\Unicorn-24971.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    PID:2832
  - - C:\Users\Admin\AppData\Local\Temp\Unicorn-24163.exe
      C:\Users\Admin\AppData\Local\Temp\Unicorn-24163.exe
      4⤵
      Executes dropped EXE
      Suspicious use of SetWindowsHookEx
      PID:1696
    - - C:\Users\Admin\AppData\Local\Temp\Unicorn-54972.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-54972.exe
        5⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:1700
      - C:\Users\Admin\AppData\Local\Temp\Unicorn-18683.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-18683.exe
        6⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1176
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-9995.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-9995.exe
        7⤵
        
        PID:2508
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-28896.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-28896.exe
        8⤵
        
        PID:4520
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-27472.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-27472.exe
        9⤵
        System Location Discovery: System Language Discovery
        
        PID:6164
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4520 -s 376
        9⤵
        
        PID:6984
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2508 -s 376
        8⤵
        
        PID:932
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1176 -s 376
        7⤵
        Program crash
        
        PID:3876
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1700 -s 376
        6⤵
        Program crash
        
        PID:2476
    - - C:\Users\Admin\AppData\Local\Temp\Unicorn-31489.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-31489.exe
        5⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:1920
      - C:\Users\Admin\AppData\Local\Temp\Unicorn-59051.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-59051.exe
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:3616
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-47697.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-47697.exe
        7⤵
        
        PID:5500
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-64612.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-64612.exe
        8⤵
        System Location Discovery: System Language Discovery
        
        PID:6540
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 5500 -s 376
        8⤵
        
        PID:6772
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3616 -s 376
        7⤵
        
        PID:5488
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1920 -s 368
        6⤵
        Program crash
        
        PID:4352
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1696 -s 376
        5⤵
        Program crash
        
        PID:2464
  - - C:\Users\Admin\AppData\Local\Temp\Unicorn-12548.exe
      C:\Users\Admin\AppData\Local\Temp\Unicorn-12548.exe
      4⤵
      Executes dropped EXE
      Suspicious use of SetWindowsHookEx
      PID:872
    - - C:\Users\Admin\AppData\Local\Temp\Unicorn-51355.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-51355.exe
        5⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:1164
      - C:\Users\Admin\AppData\Local\Temp\Unicorn-4183.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-4183.exe
        6⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1144
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-587.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-587.exe
        7⤵
        System Location Discovery: System Language Discovery
        
        PID:3344
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-1301.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-1301.exe
        8⤵
        System Location Discovery: System Language Discovery
        
        PID:6060
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-11976.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-11976.exe
        9⤵
        
        PID:7300
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 6060 -s 376
        9⤵
        
        PID:7512
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3344 -s 376
        8⤵
        
        PID:6260
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1144 -s 376
        7⤵
        Program crash
        
        PID:4824
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1164 -s 376
        6⤵
        Program crash
        
        PID:3788
    - - C:\Users\Admin\AppData\Local\Temp\Unicorn-56653.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-56653.exe
        5⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2140
      - C:\Users\Admin\AppData\Local\Temp\Unicorn-42196.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-42196.exe
        6⤵
        
        PID:3540
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-52640.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-52640.exe
        7⤵
        System Location Discovery: System Language Discovery
        
        PID:2460
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-10507.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-10507.exe
        8⤵
        
        PID:6680
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2460 -s 376
        8⤵
        
        PID:5032
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3540 -s 376
        7⤵
        
        PID:5800
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2140 -s 376
        6⤵
        Program crash
        
        PID:4904
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 872 -s 380
        5⤵
        Program crash
        
        PID:3508
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 2832 -s 368
      4⤵
      Program crash
      PID:2712
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2396 -s 368
    3⤵
    - Loads dropped DLL
    - Program crash
    PID:2388
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 2716 -s 376
  2⤵
  - Program crash
  PID:2572

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\Unicorn-28263.exe

Filesize
192KB

MD5
91d5e2db48aeee7ecf8764521d91274f

SHA1
3afa233c99fc251583ce040225d753225b7c57f3

SHA256
cda8aab789a115fd2f8d0438353200ac5c18a0896e851eba2f4d5c315c746881

SHA512
f4b1fb1dac442a1233e973999e8375c50165fdd584ed9807e7d903004c9721b8dc41c47290a06b88d5bb8cfbd49aa5e0def2422d540f1793e73546e3869f869e

Download Submit
C:\Users\Admin\AppData\Local\Temp\Unicorn-41205.exe

Filesize
192KB

MD5
206f5625df61639c0825cc89f4001d59

SHA1
5431aa26062dcca7269e4e5a107f94cfbd4ed395

SHA256
20cdf8317190f25eaf52186defc2482d2b805c9a9a637e5832271c097627b997

SHA512
f8cc418176f9c6dd4c6229186a628fcc92c640a077c0083aefa55ea5bb7f57f8c635efe02b7a8e80eecaf4f93ac8f6dc8f880007a01aa0d9bdb16e1377107d35

Download Submit
C:\Users\Admin\AppData\Local\Temp\Unicorn-4468.exe

Filesize
192KB

MD5
1935f58e16ed11b1dae073f4735f25a3

SHA1
944e9a5ae77985c40b8018dca981f1523bcfcd35

SHA256
f9314c0471562f1dfd37c915f0b13aad97d23ad4bcee42f1005cd3d3ce0a6e5e

SHA512
4eb12bda9dc77b397a52ddcaa34dba6e948389308ab9d6c1f53b93789f4d32773ee3ebfbbc24e270108f856c9e0cce1e83219c611a80c058a4a98fe4423a1f38

Download Submit
C:\Users\Admin\AppData\Local\Temp\Unicorn-6705.exe

Filesize
192KB

MD5
90ddf699a811ae8a572604f89667988d

SHA1
6008cb096a3f4f9bc67766871eda05d2aac747d4

SHA256
df4eb085d3af40452a365864b1cc2d4a6dabd58b8133ef8d9afac79261f8433b

SHA512
91404e9a0dfdb312f7b528cbfe78a777290e29d7246899df62cf1773bf9b440bd7767fac4a1584c87670cf07a1b89ab33d50303216ef8bfc4596493d678c14af

Download Submit
\Users\Admin\AppData\Local\Temp\Unicorn-1858.exe

Filesize
192KB

MD5
337a28004441cb2f8bb8f8b6707aac9b

SHA1
e064ec77428e7198c9711f4eb0b4d00db9e731ea

SHA256
5ecb80975559a86cb5cf1ef7c433a3480b597b4de48e4671a7646c696d426ca1

SHA512
19168489bce870aed936975a3173820269282384c0e1ec49505129f764fd8b66b74b1b3da48dd6cedd7d6e9122cc5bca32883652b6145c0e91a5b1d763419714

Download Submit
\Users\Admin\AppData\Local\Temp\Unicorn-20333.exe

Filesize
192KB

MD5
46431b335d2433e26b867eb4b052f5a1

SHA1
acd021cfe2e5cbf30ec28344f2fa8160f07baf9c

SHA256
18257a372fa3671e10bfad6db25fbc987da9c7afcc31ae729495d509b5600f81

SHA512
935d9a82c75e1a50d62b16508a28b6f089b84d8b3dfb85db88cc35cd7be5249a5b76acd0f16b45d82f98d1b128089dd85ff09962cfb7b450b5c53d5047a5acdc

Download Submit
\Users\Admin\AppData\Local\Temp\Unicorn-21449.exe

Filesize
192KB

MD5
d6a07a01480a638cad305d9ef4a3bbf5

SHA1
36d52178071d3f0526b730cc4617856bb2d4a304

SHA256
aad1f4d3895f5adb969b6c5af8fc1d6da8e1bf497c34020f3ed4911ba88e6d40

SHA512
1948117b1d0e3700de09d4785a680c563b438e42c2a98f807ec14196850beab64fa42c48923aebf5069d4d76a58d11635419f078bcf72fef1423f66a1b01c8b8

Download Submit
\Users\Admin\AppData\Local\Temp\Unicorn-24971.exe

Filesize
192KB

MD5
dbb6da00effc2255068b5f9c1bbb0ff1

SHA1
93c358c63f1029ba14ec1fb220c0ae7a0c3c2606

SHA256
91d673f4c58422fc4ce4e87122c6e9b393f05548708c52ff25a8f3c4d7bf1e77

SHA512
e5bd262ca16f6e3d1f4fed62c937d34c1c4cbab46e5b2d68e869ad51617a4764b30aadac26100db9f0c630264dbddeac5b3046177fee2b9142b0a9d9ca264bfd

Download Submit
\Users\Admin\AppData\Local\Temp\Unicorn-33907.exe

Filesize
192KB

MD5
fb09e1851385049587b2efa76b155e4f

SHA1
d487e23a59c8823c8490cbaf611244413047a6f7

SHA256
33f14a4e3935f2490ed70d1276f07189438fc0f5761a8e0ee5ce4e1d6547a8e6

SHA512
620c35a6f02d42f37467166d959444ba26cef800fe849dc693a49296addc2953cb9040af12f59c7e5d84e53dbc6ba07f99fe396eaeef3ab70d17a4e2f79d3c1d

Download Submit
\Users\Admin\AppData\Local\Temp\Unicorn-35111.exe

Filesize
192KB

MD5
351fd7fb01dddf6c8e8707241397194a

SHA1
2dcda0832758fbaacaf6d27f8712fe8835e71081

SHA256
5b156b5fe3ecec36a9be445892a90477de83da3e9edb32a998887b8a9cdcc054

SHA512
7f5f0295d880f8375fddc0ccbd9e8ba3540a786d7fd81e8bc3f75db8fb06d1ae61f2b40a74280f1fc15169505ddaee8ba41af37618747e95f15dc552b3faf20c

Download Submit
\Users\Admin\AppData\Local\Temp\Unicorn-44837.exe

Filesize
192KB

MD5
313ebbe77bde0349cc8a402f65c666ad

SHA1
358fdd3124c64f73e8ff6acaffa3e317e9b1ba6b

SHA256
70f9af3b2813caba08883e109c31b2bdc640716caad61dcbe1af33d5896c1719

SHA512
0fe5dad0495d913a001b203e8a4468fd8672f8fbfc9dd446f0afa8c2e4f28851656012ae6ba08def3237771f9385c19693ce40a7355412471b5a4bfda017ac34

Download Submit
\Users\Admin\AppData\Local\Temp\Unicorn-50893.exe

Filesize
192KB

MD5
2ce7177d91e59191e527548e6d3a30e9

SHA1
18b4beb65226ec24246b68488dfb627dad3808a5

SHA256
60ff0d181345a0093bf7a1d3dc8a9cab56b25e4c8a148c5203da60e97665fe21

SHA512
2eb94c100f09e3008edd5b87b65053cadbedaf281401bd7d993cb55145695ca5e5dc354846a9fcb60caaf0680f3eff16a5b79641dcfb2196cddd0e314fe7c381

Download Submit
\Users\Admin\AppData\Local\Temp\Unicorn-50976.exe

Filesize
192KB

MD5
1fd83c69baa0e0367e19b32aa452922c

SHA1
a8f86291370877a6d4c80d8235523e577c078b75

SHA256
81c82b32539b1e127fb6b4009dfde93ecefd9bd90590c38b569ce60377a2494d

SHA512
cd63f4710490156005936ce1dbb6a0b487ae9152cd773ae4b9fb3fa230009037759f3aaba09f712b23dbeea8cee6727ca4833e56dbf461ed8f06211b80432064

Download Submit
\Users\Admin\AppData\Local\Temp\Unicorn-55060.exe

Filesize
192KB

MD5
4bc3d180ff46ef0f6e84aebac90bc6e1

SHA1
65c1a64675d6006280975906c8cc8754b6477003

SHA256
94f99ac0bc4a11a2390c407d4c2244e16e8dcc8d2e3bbcf046d30d446128299e

SHA512
ba749ae2fc65ecd9e14de55fb439826719e5cf84615144575034ee155252b3c154dafd64770b3e041c0eef9f480de6e53813e3cbf76a917317bdd82e8e1fc0ba

Download Submit
\Users\Admin\AppData\Local\Temp\Unicorn-64131.exe

Filesize
192KB

MD5
faac49b599ade5d5721d567e95273f59

SHA1
108bf920d0463ebd7cec3dd748daa00d0e7899e5

SHA256
1a5d0f7e3522f6c6bb5bd84275ce8f1325a7f7fdcadf694f85e03a504e66ac27

SHA512
3d3cdd5d846b435437482ac85ca370bb1472b3da5600a8553b059c48722c8395a5b58fd6255ec78af6051a8b3ad4051e8182abd166951c839e9469955bae8cae

Download Submit