5fbffc16e111acbf18613409bd4d51feaf7d08fe0b0a4730b9e3974df837e969

Analysis

max time kernel
150s
max time network
124s
platform
windows7_x64
resource
win7-20240708-en
resource tags

arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system
submitted
02-09-2024 22:25

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

5fbffc16e111acbf18613409bd4d51feaf7d08fe0b0a4730b9e3974df837e969.exe
Size

468KB
MD5

c8f16fe7f4aefe1ae7ac918e037733a0
SHA1

745bcc45ae18d52dfb8efbbe736ac247a13409ba
SHA256

5fbffc16e111acbf18613409bd4d51feaf7d08fe0b0a4730b9e3974df837e969
SHA512

46c192dbddfff8ed68f3e6a3e3d2fb1fb2839e643e9f87dfd7cc3fbf7f474e6ab701294dc76962dbd735ef3258926a6e3c9a093c88d8739dbde03de6759487cc
SSDEEP

3072:MTANoSKVI95UtbY2PzPjcf8/PrMDRgpwVmHeefsampN8XrU8kHlf:MTqow7UtlP7jcfRcQwmpi7U8k

Score

7^/10

discovery

Malware Config

Signatures

Executes dropped EXE 49 IoCs

pid	Process
2644	Unicorn-27401.exe
1072	Unicorn-21418.exe
2892	Unicorn-10125.exe
2516	Unicorn-12346.exe
2196	Unicorn-36057.exe
864	Unicorn-42170.exe
2124	Unicorn-28019.exe
2876	Unicorn-17495.exe
108	Unicorn-23800.exe
1344	Unicorn-64915.exe
1292	Unicorn-53623.exe
2036	Unicorn-16914.exe
2364	Unicorn-53945.exe
2380	Unicorn-42653.exe
2044	Unicorn-10063.exe
2180	Unicorn-64308.exe
984	Unicorn-29641.exe
1760	Unicorn-40030.exe
1608	Unicorn-63740.exe
2384	Unicorn-16761.exe
1396	Unicorn-58452.exe
2988	Unicorn-43232.exe
2444	Unicorn-22895.exe
2588	Unicorn-19963.exe
1680	Unicorn-3709.exe
1796	Unicorn-48909.exe
2812	Unicorn-6890.exe
2648	Unicorn-9075.exe
2096	Unicorn-54275.exe
2568	Unicorn-20617.exe
1052	Unicorn-61732.exe
1936	Unicorn-54716.exe
2192	Unicorn-21899.exe
864	Unicorn-32288.exe
1528	Unicorn-64166.exe
2820	Unicorn-43829.exe
544	Unicorn-19408.exe
2604	Unicorn-38998.exe
2832	Unicorn-45111.exe
2732	Unicorn-34011.exe
2952	Unicorn-44400.exe
2168	Unicorn-24063.exe
2148	Unicorn-44229.exe
656	Unicorn-19808.exe
1744	Unicorn-16876.exe
1588	Unicorn-31349.exe
1508	Unicorn-45822.exe
1876	Unicorn-3995.exe
888	Unicorn-36715.exe

Loads dropped DLL 64 IoCs

pid	Process
2428	5fbffc16e111acbf18613409bd4d51feaf7d08fe0b0a4730b9e3974df837e969.exe
2428	5fbffc16e111acbf18613409bd4d51feaf7d08fe0b0a4730b9e3974df837e969.exe
2644	Unicorn-27401.exe
2644	Unicorn-27401.exe
1072	Unicorn-21418.exe
1072	Unicorn-21418.exe
2892	Unicorn-10125.exe
2892	Unicorn-10125.exe
2516	Unicorn-12346.exe
2516	Unicorn-12346.exe
2196	Unicorn-36057.exe
2196	Unicorn-36057.exe
864	Unicorn-42170.exe
864	Unicorn-42170.exe
2124	Unicorn-28019.exe
2124	Unicorn-28019.exe
2876	Unicorn-17495.exe
2876	Unicorn-17495.exe
108	Unicorn-23800.exe
108	Unicorn-23800.exe
1344	Unicorn-64915.exe
1344	Unicorn-64915.exe
1292	Unicorn-53623.exe
1292	Unicorn-53623.exe
2036	Unicorn-16914.exe
2036	Unicorn-16914.exe
2364	Unicorn-53945.exe
2364	Unicorn-53945.exe
2380	Unicorn-42653.exe
2380	Unicorn-42653.exe
2044	Unicorn-10063.exe
2044	Unicorn-10063.exe
2180	Unicorn-64308.exe
2180	Unicorn-64308.exe
984	Unicorn-29641.exe
984	Unicorn-29641.exe
1760	Unicorn-40030.exe
1760	Unicorn-40030.exe
1608	Unicorn-63740.exe
1608	Unicorn-63740.exe
2384	Unicorn-16761.exe
2384	Unicorn-16761.exe
1396	Unicorn-58452.exe
1396	Unicorn-58452.exe
2988	Unicorn-43232.exe
2988	Unicorn-43232.exe
2444	Unicorn-22895.exe
2444	Unicorn-22895.exe
2588	Unicorn-19963.exe
2588	Unicorn-19963.exe
1680	Unicorn-3709.exe
1680	Unicorn-3709.exe
1796	Unicorn-48909.exe
1796	Unicorn-48909.exe
2812	Unicorn-6890.exe
2812	Unicorn-6890.exe
2648	Unicorn-9075.exe
2648	Unicorn-9075.exe
2096	Unicorn-54275.exe
2096	Unicorn-54275.exe
3000	WerFault.exe
3000	WerFault.exe
3000	WerFault.exe
3000	WerFault.exe

Program crash 2 IoCs

pid	pid_target	Process	procid_target
2776	2428	WerFault.exe	29
3000	2096	WerFault.exe	60

System Location Discovery: System Language Discovery 1 TTPs 50 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Unicorn-53623.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Unicorn-43232.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Unicorn-16876.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	5fbffc16e111acbf18613409bd4d51feaf7d08fe0b0a4730b9e3974df837e969.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Unicorn-16914.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Unicorn-63740.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Unicorn-54275.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Unicorn-19408.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Unicorn-24063.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Unicorn-19963.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Unicorn-3709.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Unicorn-32288.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Unicorn-44229.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Unicorn-53945.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Unicorn-44400.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Unicorn-36715.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Unicorn-16761.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Unicorn-31349.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Unicorn-45822.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Unicorn-43829.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Unicorn-21899.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Unicorn-3995.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Unicorn-64915.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Unicorn-17495.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Unicorn-23800.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Unicorn-64166.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Unicorn-10125.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Unicorn-58452.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Unicorn-40030.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Unicorn-48909.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Unicorn-54716.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Unicorn-28019.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Unicorn-21418.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Unicorn-36057.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Unicorn-29641.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Unicorn-45111.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Unicorn-27401.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Unicorn-42653.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Unicorn-6890.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Unicorn-19808.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Unicorn-12346.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Unicorn-9075.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Unicorn-20617.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Unicorn-61732.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Unicorn-22895.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Unicorn-10063.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Unicorn-64308.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Unicorn-38998.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Unicorn-34011.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Unicorn-42170.exe

Suspicious use of SetWindowsHookEx 50 IoCs

pid	Process
2428	5fbffc16e111acbf18613409bd4d51feaf7d08fe0b0a4730b9e3974df837e969.exe
2644	Unicorn-27401.exe
1072	Unicorn-21418.exe
2892	Unicorn-10125.exe
2516	Unicorn-12346.exe
2196	Unicorn-36057.exe
864	Unicorn-42170.exe
2124	Unicorn-28019.exe
2876	Unicorn-17495.exe
108	Unicorn-23800.exe
1344	Unicorn-64915.exe
1292	Unicorn-53623.exe
2036	Unicorn-16914.exe
2364	Unicorn-53945.exe
2380	Unicorn-42653.exe
2044	Unicorn-10063.exe
2180	Unicorn-64308.exe
984	Unicorn-29641.exe
1760	Unicorn-40030.exe
1608	Unicorn-63740.exe
2384	Unicorn-16761.exe
1396	Unicorn-58452.exe
2988	Unicorn-43232.exe
2444	Unicorn-22895.exe
2588	Unicorn-19963.exe
1680	Unicorn-3709.exe
1796	Unicorn-48909.exe
2812	Unicorn-6890.exe
2648	Unicorn-9075.exe
2096	Unicorn-54275.exe
2568	Unicorn-20617.exe
1052	Unicorn-61732.exe
1936	Unicorn-54716.exe
2192	Unicorn-21899.exe
864	Unicorn-32288.exe
1528	Unicorn-64166.exe
2820	Unicorn-43829.exe
544	Unicorn-19408.exe
2604	Unicorn-38998.exe
2832	Unicorn-45111.exe
2732	Unicorn-34011.exe
2952	Unicorn-44400.exe
2168	Unicorn-24063.exe
2148	Unicorn-44229.exe
656	Unicorn-19808.exe
1744	Unicorn-16876.exe
1588	Unicorn-31349.exe
1508	Unicorn-45822.exe
1876	Unicorn-3995.exe
888	Unicorn-36715.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2428 wrote to memory of 2644	2428	5fbffc16e111acbf18613409bd4d51feaf7d08fe0b0a4730b9e3974df837e969.exe	30
PID 2428 wrote to memory of 2644	2428	5fbffc16e111acbf18613409bd4d51feaf7d08fe0b0a4730b9e3974df837e969.exe	30
PID 2428 wrote to memory of 2644	2428	5fbffc16e111acbf18613409bd4d51feaf7d08fe0b0a4730b9e3974df837e969.exe	30
PID 2428 wrote to memory of 2644	2428	5fbffc16e111acbf18613409bd4d51feaf7d08fe0b0a4730b9e3974df837e969.exe	30
PID 2428 wrote to memory of 2776	2428	5fbffc16e111acbf18613409bd4d51feaf7d08fe0b0a4730b9e3974df837e969.exe	31
PID 2428 wrote to memory of 2776	2428	5fbffc16e111acbf18613409bd4d51feaf7d08fe0b0a4730b9e3974df837e969.exe	31
PID 2428 wrote to memory of 2776	2428	5fbffc16e111acbf18613409bd4d51feaf7d08fe0b0a4730b9e3974df837e969.exe	31
PID 2428 wrote to memory of 2776	2428	5fbffc16e111acbf18613409bd4d51feaf7d08fe0b0a4730b9e3974df837e969.exe	31
PID 2644 wrote to memory of 1072	2644	Unicorn-27401.exe	32
PID 2644 wrote to memory of 1072	2644	Unicorn-27401.exe	32
PID 2644 wrote to memory of 1072	2644	Unicorn-27401.exe	32
PID 2644 wrote to memory of 1072	2644	Unicorn-27401.exe	32
PID 1072 wrote to memory of 2892	1072	Unicorn-21418.exe	33
PID 1072 wrote to memory of 2892	1072	Unicorn-21418.exe	33
PID 1072 wrote to memory of 2892	1072	Unicorn-21418.exe	33
PID 1072 wrote to memory of 2892	1072	Unicorn-21418.exe	33
PID 2892 wrote to memory of 2516	2892	Unicorn-10125.exe	34
PID 2892 wrote to memory of 2516	2892	Unicorn-10125.exe	34
PID 2892 wrote to memory of 2516	2892	Unicorn-10125.exe	34
PID 2892 wrote to memory of 2516	2892	Unicorn-10125.exe	34
PID 2516 wrote to memory of 2196	2516	Unicorn-12346.exe	35
PID 2516 wrote to memory of 2196	2516	Unicorn-12346.exe	35
PID 2516 wrote to memory of 2196	2516	Unicorn-12346.exe	35
PID 2516 wrote to memory of 2196	2516	Unicorn-12346.exe	35
PID 2196 wrote to memory of 864	2196	Unicorn-36057.exe	36
PID 2196 wrote to memory of 864	2196	Unicorn-36057.exe	36
PID 2196 wrote to memory of 864	2196	Unicorn-36057.exe	36
PID 2196 wrote to memory of 864	2196	Unicorn-36057.exe	36
PID 864 wrote to memory of 2124	864	Unicorn-42170.exe	37
PID 864 wrote to memory of 2124	864	Unicorn-42170.exe	37
PID 864 wrote to memory of 2124	864	Unicorn-42170.exe	37
PID 864 wrote to memory of 2124	864	Unicorn-42170.exe	37
PID 2124 wrote to memory of 2876	2124	Unicorn-28019.exe	39
PID 2124 wrote to memory of 2876	2124	Unicorn-28019.exe	39
PID 2124 wrote to memory of 2876	2124	Unicorn-28019.exe	39
PID 2124 wrote to memory of 2876	2124	Unicorn-28019.exe	39
PID 2876 wrote to memory of 108	2876	Unicorn-17495.exe	40
PID 2876 wrote to memory of 108	2876	Unicorn-17495.exe	40
PID 2876 wrote to memory of 108	2876	Unicorn-17495.exe	40
PID 2876 wrote to memory of 108	2876	Unicorn-17495.exe	40
PID 108 wrote to memory of 1344	108	Unicorn-23800.exe	41
PID 108 wrote to memory of 1344	108	Unicorn-23800.exe	41
PID 108 wrote to memory of 1344	108	Unicorn-23800.exe	41
PID 108 wrote to memory of 1344	108	Unicorn-23800.exe	41
PID 1344 wrote to memory of 1292	1344	Unicorn-64915.exe	42
PID 1344 wrote to memory of 1292	1344	Unicorn-64915.exe	42
PID 1344 wrote to memory of 1292	1344	Unicorn-64915.exe	42
PID 1344 wrote to memory of 1292	1344	Unicorn-64915.exe	42
PID 1292 wrote to memory of 2036	1292	Unicorn-53623.exe	43
PID 1292 wrote to memory of 2036	1292	Unicorn-53623.exe	43
PID 1292 wrote to memory of 2036	1292	Unicorn-53623.exe	43
PID 1292 wrote to memory of 2036	1292	Unicorn-53623.exe	43
PID 2036 wrote to memory of 2364	2036	Unicorn-16914.exe	44
PID 2036 wrote to memory of 2364	2036	Unicorn-16914.exe	44
PID 2036 wrote to memory of 2364	2036	Unicorn-16914.exe	44
PID 2036 wrote to memory of 2364	2036	Unicorn-16914.exe	44
PID 2364 wrote to memory of 2380	2364	Unicorn-53945.exe	45
PID 2364 wrote to memory of 2380	2364	Unicorn-53945.exe	45
PID 2364 wrote to memory of 2380	2364	Unicorn-53945.exe	45
PID 2364 wrote to memory of 2380	2364	Unicorn-53945.exe	45
PID 2380 wrote to memory of 2044	2380	Unicorn-42653.exe	46
PID 2380 wrote to memory of 2044	2380	Unicorn-42653.exe	46
PID 2380 wrote to memory of 2044	2380	Unicorn-42653.exe	46
PID 2380 wrote to memory of 2044	2380	Unicorn-42653.exe	46

C:\Users\Admin\AppData\Local\Temp\5fbffc16e111acbf18613409bd4d51feaf7d08fe0b0a4730b9e3974df837e969.exe
"C:\Users\Admin\AppData\Local\Temp\5fbffc16e111acbf18613409bd4d51feaf7d08fe0b0a4730b9e3974df837e969.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2428
- C:\Users\Admin\AppData\Local\Temp\Unicorn-27401.exe
  C:\Users\Admin\AppData\Local\Temp\Unicorn-27401.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2644
- - C:\Users\Admin\AppData\Local\Temp\Unicorn-21418.exe
    C:\Users\Admin\AppData\Local\Temp\Unicorn-21418.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:1072
  - - C:\Users\Admin\AppData\Local\Temp\Unicorn-10125.exe
      C:\Users\Admin\AppData\Local\Temp\Unicorn-10125.exe
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      System Location Discovery: System Language Discovery
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:2892
    - - C:\Users\Admin\AppData\Local\Temp\Unicorn-12346.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-12346.exe
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:2516
      - C:\Users\Admin\AppData\Local\Temp\Unicorn-36057.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-36057.exe
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:2196
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-42170.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-42170.exe
        7⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:864
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-28019.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-28019.exe
        8⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:2124
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-17495.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-17495.exe
        9⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:2876
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-23800.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-23800.exe
        10⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:108
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-64915.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-64915.exe
        11⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:1344
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-53623.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-53623.exe
        12⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:1292
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-16914.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-16914.exe
        13⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:2036
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-53945.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-53945.exe
        14⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:2364
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-42653.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-42653.exe
        15⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:2380
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-10063.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-10063.exe
        16⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2044
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-64308.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-64308.exe
        17⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2180
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-29641.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-29641.exe
        18⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:984
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-40030.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-40030.exe
        19⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:1760
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-63740.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-63740.exe
        20⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:1608
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-16761.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-16761.exe
        21⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2384
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-58452.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-58452.exe
        22⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:1396
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-43232.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-43232.exe
        23⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2988
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-22895.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-22895.exe
        24⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2444
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-19963.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-19963.exe
        25⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2588
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-3709.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-3709.exe
        26⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:1680
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-48909.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-48909.exe
        27⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:1796
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-6890.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-6890.exe
        28⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2812
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-9075.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-9075.exe
        29⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2648
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-54275.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-54275.exe
        30⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2096
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-20617.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-20617.exe
        31⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2568
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-61732.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-61732.exe
        32⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:1052
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-54716.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-54716.exe
        33⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:1936
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-21899.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-21899.exe
        34⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2192
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-32288.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-32288.exe
        35⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:864
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-64166.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-64166.exe
        36⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:1528
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-43829.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-43829.exe
        37⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2820
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-19408.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-19408.exe
        38⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:544
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-38998.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-38998.exe
        39⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2604
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-45111.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-45111.exe
        40⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2832
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-34011.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-34011.exe
        41⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2732
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-44400.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-44400.exe
        42⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2952
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-24063.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-24063.exe
        43⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2168
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-44229.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-44229.exe
        44⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2148
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-19808.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-19808.exe
        45⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:656
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-16876.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-16876.exe
        46⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:1744
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-31349.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-31349.exe
        47⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:1588
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-45822.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-45822.exe
        48⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:1508
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-3995.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-3995.exe
        49⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:1876
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-36715.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-36715.exe
        50⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:888
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2096 -s 236
        31⤵
        Loads dropped DLL
        Program crash
        
        PID:3000
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 2428 -s 236
  2⤵
  - Program crash
  PID:2776

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\AppData\Local\Temp\Unicorn-10063.exe

Filesize
468KB

MD5
891fd816263afddab29d35123d3c8077

SHA1
ff79846c7f2dfece6b6b0b4c6a580e0dbad03f26

SHA256
6f613095157dacf4dcfb5edb24aee8335c7f0373fbe7e7a20894d07e8d882001

SHA512
9d5aa4d4def26ac77d4c2d8c9a2b583b39a7abb69877381491ab8f9a57c8685438e830413d2e747f68ae5233d13a80443cf8ab620c0b61417cf5a71ed2cc8a04

Download Submit
\Users\Admin\AppData\Local\Temp\Unicorn-10125.exe

Filesize
468KB

MD5
fbd01be80c14d65ee59238cf18b405b9

SHA1
2b33956a34370aff43b421a008d1243b2801aceb

SHA256
0ea0461f0fd232f8aa8c2f210cd44f791f13a4a4695da19fb8b981d33f71caf5

SHA512
c924b4c84726c6d2fbe1050a4d1ee74d0877a773339c3c1f0382364f12737d4c0c126340693112debd44b5908ef6ded41ccca40088ae08b9cbceaa060b86f9cc

Download Submit
\Users\Admin\AppData\Local\Temp\Unicorn-12346.exe

Filesize
468KB

MD5
76eb763dd3169e95c2379c88a62fc7bc

SHA1
5a46d8a1835c8c9be25bad5a138d50da9ffb7d1b

SHA256
6d3d274cf5a0c3315b74d105b3d15ab7d26995ff32fb5370d26e4c9a5f1b1f55

SHA512
6f2445632978fca8a19d233364e252bcbd540fb85cd2e8f19ec1cae625691702f38f58ab07bfa2503fe6ed44cb2895730caeddcbe830729994e3b633aaeedd92

Download Submit
\Users\Admin\AppData\Local\Temp\Unicorn-16914.exe

Filesize
468KB

MD5
e8116974a2c880feac1b941688004fa2

SHA1
fc2e43e557707bd233193e2ce116378fb0803089

SHA256
2ac243a39fbce8462e8646e59b7bf1554c1ce7262caa32ebe63086808cc25d79

SHA512
192285359810f0617d09e0db0090ff56b59be692aa81c14cd2ddd897fc6f09e2043034f541f4ce8f741627a52806c44d2baa307d156f5d1ec292bb707fa7eaf6

Download Submit
\Users\Admin\AppData\Local\Temp\Unicorn-17495.exe

Filesize
468KB

MD5
181e69991468de2a8f97852e94c08cae

SHA1
f668caf0da08f92d89a6e3c60ff3ebc31a2ffeb2

SHA256
ccb94a67d026d6c182b3f575d57be0e14b899bea2b569daa4070624d04e51be5

SHA512
7a18be7dfff7923ed8356f439aea6e15a38b6f2beab8e95228c85dae5a238912f53f488abcd9726c6d33febd83faf98331b68bc1a20bef9fc55561586ada8e2b

Download Submit
\Users\Admin\AppData\Local\Temp\Unicorn-21418.exe

Filesize
468KB

MD5
d2c6780fcfe11867befa1121d8a3e07c

SHA1
2ea20761968ac8a814000f7154f22b9aa3fd5d04

SHA256
5b7882b7ab44111ec81e2a47535c32105beec85b721747aa70a2342841c3ced1

SHA512
4ccef898ef473766ce6bb7a8c2c37af3ad4f5e19a783cd6bc28f02da88fbd1a390c0acf700cafeef7dd02de634af84947de7c542a7c9146730655b5e69eca7d6

Download Submit
\Users\Admin\AppData\Local\Temp\Unicorn-23800.exe

Filesize
468KB

MD5
ef8077bd3161990d9270bac3a039145c

SHA1
2b0c0327d0bcfcddf469891b300eef2e8354d517

SHA256
32c3df1840248a6c46ebfaf885dd7de848903cc9303d280fb43696dd3bc3bc66

SHA512
abbdf00e46bd85cd682da2289bfd53e932ad9a950232120fb5ed36fe3f2583065ca23cb507a4004a04bdb21c4f53bb982842e557288a94ca19e6130318744414

Download Submit
\Users\Admin\AppData\Local\Temp\Unicorn-27401.exe

Filesize
468KB

MD5
ce6ca86c779fc8681eb8e5398282f2cf

SHA1
77631bf48e6cacd27a183fa15eddce0f70a9214b

SHA256
5edb3170556af0aa1771f0503a5a35cb5afef88d3f86f1fcbfcad94f3bb9ad57

SHA512
d8d0ecd72e7581d7d8831dd7a591b2a4f7172de15d021ca768eafbb625e194c3bf32ba2a38f8df0bfb740bb27ef7ab9b231866962cbd903b80ccfbf9b8ff1f4f

Download Submit
\Users\Admin\AppData\Local\Temp\Unicorn-28019.exe

Filesize
468KB

MD5
9df88008f9c329b3cb30af6bffccfed8

SHA1
244450aa22e77a8a0f41379ffd3b59f1ebeeda95

SHA256
fa9be56f7a634d3b34b553addbf2a1c69b34bd2f8234e6e55ea76718f8b83c39

SHA512
ac7b71e3a9b953c66331a4cd804d0c87f34f0b451989b295f9e929d06e9cb61e3291be22643c1726d613a28522dac8d15e4d98de011b74d6cdab9017239cc681

Download Submit
\Users\Admin\AppData\Local\Temp\Unicorn-36057.exe

Filesize
468KB

MD5
5cbd5a51f12beabaf2451e4df5460863

SHA1
aa44a989f13a67507f536d137d5396258751cdfd

SHA256
6a1a5088a3b9536aa4c9be0c0a724ec9e1f906e89e6a1ff0ac07f0afcce99f70

SHA512
5b2021fa83f9338d219e2c373336e2eba74f8c7b1a346b6c1878b4dcf05200ef17eae7526c67599016eeefd481043eef6f5752481bb6fd73697cbdbeb24f870e

Download Submit
\Users\Admin\AppData\Local\Temp\Unicorn-42170.exe

Filesize
468KB

MD5
b149e237932f604e612281cde9653267

SHA1
8e9d13a03e358e552b98f12f330d9060703b5edf

SHA256
e2adac3e11b23626ccfde2774bccbd289bb0b7fbe8be13c02867ef70cd5b581b

SHA512
cb1f0e34570b4f8e35728a9106f0e51a0ef27ff1d693a4875c7d121c93ea8ff018b0d6913d3ab8f20dfc678143de830401493789d8531021ce8e230e447bd19a

Download Submit
\Users\Admin\AppData\Local\Temp\Unicorn-42653.exe

Filesize
468KB

MD5
a822a8d66c251a5ad64d1bfcd0b4fa20

SHA1
cec09953a401b864ae5c9c71863f9c84327d2b08

SHA256
222c1526ef15ff343196b5d87f70cae46037070a13801c2ec11bc513317f832c

SHA512
750466dcce06629e0dbce5c1950be58a7d4c92ad2e1507b4b030786e4913614486c9dba56a4f56cb200e71f719270843c6706a77a21087ebd5dfc817c98aaa47

Download Submit
\Users\Admin\AppData\Local\Temp\Unicorn-53623.exe

Filesize
468KB

MD5
51c0b896d77788e33bb28a72f19f1509

SHA1
17d822ac82d21100bfe6b3d478ae7aed154e30d7

SHA256
cc9e1499fe7e9d440ed1c1a2b6a49aded7f686fac1eaf012a5453ab239066c80

SHA512
6d7106bdaca2bd1e26a48f22b9999529bb094c4feb5d912beb56e67be47dc1544b2b82e5b0acd163c774d9998916c0e081f5ba2b72e2a66fa9349c4400e52193

Download Submit
\Users\Admin\AppData\Local\Temp\Unicorn-53945.exe

Filesize
468KB

MD5
4f317d10f5ed9d7dfecb02a3031f0c5e

SHA1
7219d2e84451f1f1fb3f70fe03d48e44bd0c9625

SHA256
cf83ba168629ea441074d52ec23d3d422a372a3260f4542734d83637c63e09c0

SHA512
bccd0ef726a3862f0d266e85ab5bab1862b1570163915f8b73f79bca7c84047d8bffd3c7fda741a7f54c78f838cf2cd84255ee19be91feacd845f184af209d31

Download Submit
\Users\Admin\AppData\Local\Temp\Unicorn-64308.exe

Filesize
468KB

MD5
5d26c164e774310a8a7e51878fcbb042

SHA1
dc4383a300ae3bb5c98ecd7f40f7bd2cca6981ca

SHA256
ffe52db312fbd38b11b81e02f56793910a541afbe4989654d3664f316bc0bf50

SHA512
22f48987983401a75dc7de9ebe81b07a91b18d37364578d7f867827b3929ca12323c29a14edd248c9ed9826a07b6f4a07ed83c0fd96ba8ba9489f7fe6368c39d

Download Submit
\Users\Admin\AppData\Local\Temp\Unicorn-64915.exe

Filesize
468KB

MD5
516907671d1bc295cd246110d06916f6

SHA1
60506c26c59580de9edf41b8436d52bc2001d067

SHA256
26f310c2548db49df3f2df0f8638ae3ab713ecfa7f16aa67a8a0609ba4381781

SHA512
98fef3bb97dd238bb89ddcbf122a56cc76476ae252a35fd7747f00f84029440b5422cfb0bdf7a356e5c1de684b1c97a97348ba3b1a938d40824b065ea6464415

Download Submit