3086f46b16b82fc9aaea1605aa5a0ac4ad74074e8aaaeb928cc6cab2ca24926f

Analysis

max time kernel
149s
max time network
122s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
03/09/2024, 11:04

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

f28bf7bf1dba6f9bb6250aad5aedb215e85310c85f20295be617b66d27dfddca.exe
Size

188KB
MD5

cff870e3aad408d686b4de88a11367e9
SHA1

b106ed7f74f94434e7338adef651c9656c9b742c
SHA256

f28bf7bf1dba6f9bb6250aad5aedb215e85310c85f20295be617b66d27dfddca
SHA512

ba84c708b3437dffddbdc4978349ba8a5e6edbe9b22c871cd7c9168aee0d80835659016eb7bc8bdc7566312b7855f647264d53c7c81a29bcb48c5d7c1fb2b38a
SSDEEP

3072:FSJ0odemfJdacyaAdHiQ188l5DurBhkAIKtxuUzKTNlxvwFB:FSeopx0cCdCQ18phwJNlxvwF

Score

7^/10

discovery

Malware Config

Signatures

Executes dropped EXE 64 IoCs

pid	Process
2788	Unicorn-58667.exe
2576	Unicorn-53872.exe
2808	Unicorn-21562.exe
2620	Unicorn-62206.exe
2188	Unicorn-34172.exe
444	Unicorn-45678.exe
2388	Unicorn-61459.exe
1052	Unicorn-44931.exe
1744	Unicorn-25065.exe
1972	Unicorn-28595.exe
1304	Unicorn-369.exe
2296	Unicorn-56472.exe
376	Unicorn-7826.exe
476	Unicorn-15439.exe
2460	Unicorn-40498.exe
944	Unicorn-52196.exe
892	Unicorn-21422.exe
1556	Unicorn-41288.exe
1788	Unicorn-33120.exe
1548	Unicorn-59653.exe
1496	Unicorn-31619.exe
1920	Unicorn-18621.exe
900	Unicorn-48709.exe
3048	Unicorn-29912.exe
1608	Unicorn-20998.exe
2952	Unicorn-44433.exe
2360	Unicorn-24567.exe
2116	Unicorn-53670.exe
2592	Unicorn-49586.exe
3016	Unicorn-5024.exe
2032	Unicorn-16722.exe
2016	Unicorn-62393.exe
2012	Unicorn-51807.exe
1704	Unicorn-19497.exe
2332	Unicorn-27111.exe
1752	Unicorn-8034.exe
2112	Unicorn-29009.exe
2352	Unicorn-48875.exe
1520	Unicorn-57598.exe
1908	Unicorn-52959.exe
1236	Unicorn-56851.exe
1564	Unicorn-37.exe
856	Unicorn-32155.exe
2300	Unicorn-23987.exe
1940	Unicorn-44215.exe
3000	Unicorn-24349.exe
2932	Unicorn-50390.exe
1612	Unicorn-53919.exe
1720	Unicorn-53919.exe
2720	Unicorn-62450.exe
2804	Unicorn-4526.exe
2824	Unicorn-29031.exe
2616	Unicorn-62258.exe
2664	Unicorn-3047.exe
1320	Unicorn-44443.exe
1812	Unicorn-2663.exe
1888	Unicorn-52419.exe
2272	Unicorn-59840.exe
2976	Unicorn-45403.exe
2792	Unicorn-3815.exe
2604	Unicorn-48932.exe
2768	Unicorn-8776.exe
328	Unicorn-9331.exe
1880	Unicorn-8584.exe

Loads dropped DLL 64 IoCs

pid	Process
2076	f28bf7bf1dba6f9bb6250aad5aedb215e85310c85f20295be617b66d27dfddca.exe
2076	f28bf7bf1dba6f9bb6250aad5aedb215e85310c85f20295be617b66d27dfddca.exe
2788	Unicorn-58667.exe
2788	Unicorn-58667.exe
2076	f28bf7bf1dba6f9bb6250aad5aedb215e85310c85f20295be617b66d27dfddca.exe
2076	f28bf7bf1dba6f9bb6250aad5aedb215e85310c85f20295be617b66d27dfddca.exe
2576	Unicorn-53872.exe
2576	Unicorn-53872.exe
2788	Unicorn-58667.exe
2788	Unicorn-58667.exe
2808	Unicorn-21562.exe
2808	Unicorn-21562.exe
2228	WerFault.exe
2228	WerFault.exe
2228	WerFault.exe
2228	WerFault.exe
2228	WerFault.exe
2228	WerFault.exe
2228	WerFault.exe
2228	WerFault.exe
2228	WerFault.exe
2620	Unicorn-62206.exe
2620	Unicorn-62206.exe
2188	Unicorn-34172.exe
2576	Unicorn-53872.exe
2188	Unicorn-34172.exe
2576	Unicorn-53872.exe
444	Unicorn-45678.exe
444	Unicorn-45678.exe
2808	Unicorn-21562.exe
2808	Unicorn-21562.exe
1036	WerFault.exe
1036	WerFault.exe
1036	WerFault.exe
1036	WerFault.exe
1036	WerFault.exe
1036	WerFault.exe
1036	WerFault.exe
1036	WerFault.exe
1036	WerFault.exe
2312	WerFault.exe
2312	WerFault.exe
2312	WerFault.exe
2312	WerFault.exe
2312	WerFault.exe
2312	WerFault.exe
2312	WerFault.exe
2312	WerFault.exe
2312	WerFault.exe
2388	Unicorn-61459.exe
2388	Unicorn-61459.exe
2620	Unicorn-62206.exe
2620	Unicorn-62206.exe
1052	Unicorn-44931.exe
1052	Unicorn-44931.exe
2188	Unicorn-34172.exe
2188	Unicorn-34172.exe
1972	Unicorn-28595.exe
1972	Unicorn-28595.exe
444	Unicorn-45678.exe
444	Unicorn-45678.exe
1304	Unicorn-369.exe
1304	Unicorn-369.exe
1744	Unicorn-25065.exe

Program crash 64 IoCs

pid	pid_target	Process	procid_target
2624	2076	WerFault.exe	29
2228	2788	WerFault.exe	30
1036	2576	WerFault.exe	31
2312	2808	WerFault.exe	32
1660	2620	WerFault.exe	34
2328	2188	WerFault.exe	35
2120	444	WerFault.exe	36
3060	2388	WerFault.exe	38
1584	1052	WerFault.exe	39
1884	1972	WerFault.exe	41
2280	1304	WerFault.exe	42
2276	1744	WerFault.exe	40
3052	2296	WerFault.exe	45
3024	376	WerFault.exe	46
1732	476	WerFault.exe	47
2520	1556	WerFault.exe	51
2396	944	WerFault.exe	49
1484	892	WerFault.exe	50
1176	1788	WerFault.exe	52
2712	2460	WerFault.exe	48
1060	2032	WerFault.exe	67
320	2592	WerFault.exe	65
2936	3016	WerFault.exe	66
2356	2360	WerFault.exe	63
3076	2952	WerFault.exe	62
3188	1548	WerFault.exe	56
3504	2332	WerFault.exe	74
3556	2012	WerFault.exe	70
3608	1940	WerFault.exe	87
3804	1908	WerFault.exe	81
3908	2720	WerFault.exe	91
3924	3048	WerFault.exe	60
3964	1496	WerFault.exe	57
4020	1704	WerFault.exe	73
4080	1752	WerFault.exe	77
3160	1608	WerFault.exe	61
3212	1920	WerFault.exe	58
3228	1520	WerFault.exe	80
3300	1564	WerFault.exe	83
3588	1720	WerFault.exe	90
3656	2116	WerFault.exe	64
3856	2352	WerFault.exe	79
3752	1236	WerFault.exe	82
4088	2112	WerFault.exe	78
3744	900	WerFault.exe	59
3824	2016	WerFault.exe	68
4092	2300	WerFault.exe	85
4200	2616	WerFault.exe	94
4208	1612	WerFault.exe	89
4216	2804	WerFault.exe	92
4292	2824	WerFault.exe	93
4336	856	WerFault.exe	84
4548	1580	WerFault.exe	125
4556	2664	WerFault.exe	98
4564	2932	WerFault.exe	88
4572	1320	WerFault.exe	101
4804	2272	WerFault.exe	106
4812	3000	WerFault.exe	86
4820	1872	WerFault.exe	124
4828	2604	WerFault.exe	109
4852	1812	WerFault.exe	103
5116	2876	WerFault.exe	126
4900	1888	WerFault.exe	104
4896	2976	WerFault.exe	107

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Unicorn-9604.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Unicorn-12453.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Unicorn-16476.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Unicorn-61986.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Unicorn-61459.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Unicorn-5024.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Unicorn-57598.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Unicorn-30119.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Unicorn-18608.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Unicorn-51807.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Unicorn-38385.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Unicorn-59552.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	f28bf7bf1dba6f9bb6250aad5aedb215e85310c85f20295be617b66d27dfddca.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Unicorn-53872.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Unicorn-8584.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Unicorn-44931.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Unicorn-29912.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Unicorn-8384.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Unicorn-22143.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Unicorn-10575.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Unicorn-24567.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Unicorn-59840.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Unicorn-53855.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Unicorn-62920.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Unicorn-62023.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Unicorn-29559.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Unicorn-9033.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Unicorn-15439.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Unicorn-48709.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Unicorn-44433.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Unicorn-52419.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Unicorn-30877.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Unicorn-31619.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Unicorn-32155.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Unicorn-62450.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Unicorn-13398.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Unicorn-13590.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Unicorn-22828.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Unicorn-64815.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Unicorn-60247.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Unicorn-48875.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Unicorn-34524.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Unicorn-58463.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Unicorn-33398.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Unicorn-13159.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Unicorn-954.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Unicorn-38474.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Unicorn-28006.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Unicorn-49586.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Unicorn-29009.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Unicorn-17389.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Unicorn-673.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Unicorn-8776.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Unicorn-34524.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Unicorn-16331.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Unicorn-762.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Unicorn-58131.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Unicorn-59653.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Unicorn-19497.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Unicorn-56851.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Unicorn-7643.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Unicorn-30025.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Unicorn-14658.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Unicorn-42266.exe

Suspicious use of SetWindowsHookEx 64 IoCs

pid	Process
2076	f28bf7bf1dba6f9bb6250aad5aedb215e85310c85f20295be617b66d27dfddca.exe
2788	Unicorn-58667.exe
2576	Unicorn-53872.exe
2808	Unicorn-21562.exe
2620	Unicorn-62206.exe
2188	Unicorn-34172.exe
444	Unicorn-45678.exe
2388	Unicorn-61459.exe
1052	Unicorn-44931.exe
1744	Unicorn-25065.exe
1304	Unicorn-369.exe
1972	Unicorn-28595.exe
2296	Unicorn-56472.exe
376	Unicorn-7826.exe
476	Unicorn-15439.exe
2460	Unicorn-40498.exe
944	Unicorn-52196.exe
1556	Unicorn-41288.exe
1788	Unicorn-33120.exe
892	Unicorn-21422.exe
1548	Unicorn-59653.exe
1496	Unicorn-31619.exe
1920	Unicorn-18621.exe
900	Unicorn-48709.exe
3048	Unicorn-29912.exe
1608	Unicorn-20998.exe
2360	Unicorn-24567.exe
2952	Unicorn-44433.exe
2116	Unicorn-53670.exe
2592	Unicorn-49586.exe
2032	Unicorn-16722.exe
3016	Unicorn-5024.exe
2016	Unicorn-62393.exe
2012	Unicorn-51807.exe
1704	Unicorn-19497.exe
2332	Unicorn-27111.exe
1752	Unicorn-8034.exe
2112	Unicorn-29009.exe
2352	Unicorn-48875.exe
1520	Unicorn-57598.exe
1908	Unicorn-52959.exe
1236	Unicorn-56851.exe
1564	Unicorn-37.exe
856	Unicorn-32155.exe
2300	Unicorn-23987.exe
1940	Unicorn-44215.exe
3000	Unicorn-24349.exe
1612	Unicorn-53919.exe
2932	Unicorn-50390.exe
1720	Unicorn-53919.exe
2720	Unicorn-62450.exe
2804	Unicorn-4526.exe
2824	Unicorn-29031.exe
2616	Unicorn-62258.exe
2664	Unicorn-3047.exe
1320	Unicorn-44443.exe
1812	Unicorn-2663.exe
1888	Unicorn-52419.exe
2272	Unicorn-59840.exe
2976	Unicorn-45403.exe
2792	Unicorn-3815.exe
2604	Unicorn-48932.exe
2768	Unicorn-8776.exe
328	Unicorn-9331.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2076 wrote to memory of 2788	2076	f28bf7bf1dba6f9bb6250aad5aedb215e85310c85f20295be617b66d27dfddca.exe	30
PID 2076 wrote to memory of 2788	2076	f28bf7bf1dba6f9bb6250aad5aedb215e85310c85f20295be617b66d27dfddca.exe	30
PID 2076 wrote to memory of 2788	2076	f28bf7bf1dba6f9bb6250aad5aedb215e85310c85f20295be617b66d27dfddca.exe	30
PID 2076 wrote to memory of 2788	2076	f28bf7bf1dba6f9bb6250aad5aedb215e85310c85f20295be617b66d27dfddca.exe	30
PID 2788 wrote to memory of 2576	2788	Unicorn-58667.exe	31
PID 2788 wrote to memory of 2576	2788	Unicorn-58667.exe	31
PID 2788 wrote to memory of 2576	2788	Unicorn-58667.exe	31
PID 2788 wrote to memory of 2576	2788	Unicorn-58667.exe	31
PID 2076 wrote to memory of 2808	2076	f28bf7bf1dba6f9bb6250aad5aedb215e85310c85f20295be617b66d27dfddca.exe	32
PID 2076 wrote to memory of 2808	2076	f28bf7bf1dba6f9bb6250aad5aedb215e85310c85f20295be617b66d27dfddca.exe	32
PID 2076 wrote to memory of 2808	2076	f28bf7bf1dba6f9bb6250aad5aedb215e85310c85f20295be617b66d27dfddca.exe	32
PID 2076 wrote to memory of 2808	2076	f28bf7bf1dba6f9bb6250aad5aedb215e85310c85f20295be617b66d27dfddca.exe	32
PID 2076 wrote to memory of 2624	2076	f28bf7bf1dba6f9bb6250aad5aedb215e85310c85f20295be617b66d27dfddca.exe	33
PID 2076 wrote to memory of 2624	2076	f28bf7bf1dba6f9bb6250aad5aedb215e85310c85f20295be617b66d27dfddca.exe	33
PID 2076 wrote to memory of 2624	2076	f28bf7bf1dba6f9bb6250aad5aedb215e85310c85f20295be617b66d27dfddca.exe	33
PID 2076 wrote to memory of 2624	2076	f28bf7bf1dba6f9bb6250aad5aedb215e85310c85f20295be617b66d27dfddca.exe	33
PID 2576 wrote to memory of 2620	2576	Unicorn-53872.exe	34
PID 2576 wrote to memory of 2620	2576	Unicorn-53872.exe	34
PID 2576 wrote to memory of 2620	2576	Unicorn-53872.exe	34
PID 2576 wrote to memory of 2620	2576	Unicorn-53872.exe	34
PID 2788 wrote to memory of 2188	2788	Unicorn-58667.exe	35
PID 2788 wrote to memory of 2188	2788	Unicorn-58667.exe	35
PID 2788 wrote to memory of 2188	2788	Unicorn-58667.exe	35
PID 2788 wrote to memory of 2188	2788	Unicorn-58667.exe	35
PID 2808 wrote to memory of 444	2808	Unicorn-21562.exe	36
PID 2808 wrote to memory of 444	2808	Unicorn-21562.exe	36
PID 2808 wrote to memory of 444	2808	Unicorn-21562.exe	36
PID 2808 wrote to memory of 444	2808	Unicorn-21562.exe	36
PID 2788 wrote to memory of 2228	2788	Unicorn-58667.exe	37
PID 2788 wrote to memory of 2228	2788	Unicorn-58667.exe	37
PID 2788 wrote to memory of 2228	2788	Unicorn-58667.exe	37
PID 2788 wrote to memory of 2228	2788	Unicorn-58667.exe	37
PID 2620 wrote to memory of 2388	2620	Unicorn-62206.exe	38
PID 2620 wrote to memory of 2388	2620	Unicorn-62206.exe	38
PID 2620 wrote to memory of 2388	2620	Unicorn-62206.exe	38
PID 2620 wrote to memory of 2388	2620	Unicorn-62206.exe	38
PID 2188 wrote to memory of 1052	2188	Unicorn-34172.exe	39
PID 2188 wrote to memory of 1052	2188	Unicorn-34172.exe	39
PID 2188 wrote to memory of 1052	2188	Unicorn-34172.exe	39
PID 2188 wrote to memory of 1052	2188	Unicorn-34172.exe	39
PID 2576 wrote to memory of 1744	2576	Unicorn-53872.exe	40
PID 2576 wrote to memory of 1744	2576	Unicorn-53872.exe	40
PID 2576 wrote to memory of 1744	2576	Unicorn-53872.exe	40
PID 2576 wrote to memory of 1744	2576	Unicorn-53872.exe	40
PID 444 wrote to memory of 1972	444	Unicorn-45678.exe	41
PID 444 wrote to memory of 1972	444	Unicorn-45678.exe	41
PID 444 wrote to memory of 1972	444	Unicorn-45678.exe	41
PID 444 wrote to memory of 1972	444	Unicorn-45678.exe	41
PID 2808 wrote to memory of 1304	2808	Unicorn-21562.exe	42
PID 2808 wrote to memory of 1304	2808	Unicorn-21562.exe	42
PID 2808 wrote to memory of 1304	2808	Unicorn-21562.exe	42
PID 2808 wrote to memory of 1304	2808	Unicorn-21562.exe	42
PID 2576 wrote to memory of 1036	2576	Unicorn-53872.exe	43
PID 2576 wrote to memory of 1036	2576	Unicorn-53872.exe	43
PID 2576 wrote to memory of 1036	2576	Unicorn-53872.exe	43
PID 2576 wrote to memory of 1036	2576	Unicorn-53872.exe	43
PID 2808 wrote to memory of 2312	2808	Unicorn-21562.exe	44
PID 2808 wrote to memory of 2312	2808	Unicorn-21562.exe	44
PID 2808 wrote to memory of 2312	2808	Unicorn-21562.exe	44
PID 2808 wrote to memory of 2312	2808	Unicorn-21562.exe	44
PID 2388 wrote to memory of 2296	2388	Unicorn-61459.exe	45
PID 2388 wrote to memory of 2296	2388	Unicorn-61459.exe	45
PID 2388 wrote to memory of 2296	2388	Unicorn-61459.exe	45
PID 2388 wrote to memory of 2296	2388	Unicorn-61459.exe	45

C:\Users\Admin\AppData\Local\Temp\f28bf7bf1dba6f9bb6250aad5aedb215e85310c85f20295be617b66d27dfddca.exe
"C:\Users\Admin\AppData\Local\Temp\f28bf7bf1dba6f9bb6250aad5aedb215e85310c85f20295be617b66d27dfddca.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2076
- C:\Users\Admin\AppData\Local\Temp\Unicorn-58667.exe
  C:\Users\Admin\AppData\Local\Temp\Unicorn-58667.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2788
- - C:\Users\Admin\AppData\Local\Temp\Unicorn-53872.exe
    C:\Users\Admin\AppData\Local\Temp\Unicorn-53872.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:2576
  - - C:\Users\Admin\AppData\Local\Temp\Unicorn-62206.exe
      C:\Users\Admin\AppData\Local\Temp\Unicorn-62206.exe
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:2620
    - - C:\Users\Admin\AppData\Local\Temp\Unicorn-61459.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-61459.exe
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:2388
      - C:\Users\Admin\AppData\Local\Temp\Unicorn-56472.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-56472.exe
        6⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2296
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-59653.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-59653.exe
        7⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:1548
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-51807.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-51807.exe
        8⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2012
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-3047.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-3047.exe
        9⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2664
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-27835.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-27835.exe
        10⤵
        
        PID:3468
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-54047.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-54047.exe
        11⤵
        
        PID:5884
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-673.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-673.exe
        12⤵
        System Location Discovery: System Language Discovery
        
        PID:7940
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3468 -s 380
        11⤵
        
        PID:6428
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2664 -s 376
        10⤵
        Program crash
        
        PID:4556
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2012 -s 376
        9⤵
        Program crash
        
        PID:3556
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-44443.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-44443.exe
        8⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1320
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-15582.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-15582.exe
        9⤵
        
        PID:3512
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-58323.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-58323.exe
        10⤵
        
        PID:5776
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-27238.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-27238.exe
        11⤵
        
        PID:7436
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3512 -s 380
        10⤵
        
        PID:6332
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1320 -s 376
        9⤵
        Program crash
        
        PID:4572
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1548 -s 376
        8⤵
        Program crash
        
        PID:3188
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-19497.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-19497.exe
        7⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:1704
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-3815.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-3815.exe
        8⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2792
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-12453.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-12453.exe
        9⤵
        
        PID:3792
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-13590.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-13590.exe
        10⤵
        System Location Discovery: System Language Discovery
        
        PID:5556
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3792 -s 376
        10⤵
        
        PID:6812
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2792 -s 376
        9⤵
        
        PID:4940
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1704 -s 376
        8⤵
        Program crash
        
        PID:4020
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2296 -s 368
        7⤵
        Program crash
        
        PID:3052
      - C:\Users\Admin\AppData\Local\Temp\Unicorn-31619.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-31619.exe
        6⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:1496
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-27111.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-27111.exe
        7⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2332
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-59840.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-59840.exe
        8⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2272
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-34524.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-34524.exe
        9⤵
        System Location Discovery: System Language Discovery
        
        PID:3672
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-62023.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-62023.exe
        10⤵
        System Location Discovery: System Language Discovery
        
        PID:6020
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3672 -s 376
        10⤵
        
        PID:6512
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2272 -s 376
        9⤵
        Program crash
        
        PID:4804
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2332 -s 376
        8⤵
        Program crash
        
        PID:3504
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-45403.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-45403.exe
        7⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2976
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-16538.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-16538.exe
        8⤵
        
        PID:3836
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-42179.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-42179.exe
        9⤵
        
        PID:5664
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-49033.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-49033.exe
        10⤵
        
        PID:7988
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3836 -s 380
        9⤵
        
        PID:6888
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2976 -s 380
        8⤵
        Program crash
        
        PID:4896
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1496 -s 376
        7⤵
        Program crash
        
        PID:3964
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2388 -s 380
        6⤵
        Program crash
        
        PID:3060
    - - C:\Users\Admin\AppData\Local\Temp\Unicorn-7826.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-7826.exe
        5⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:376
      - C:\Users\Admin\AppData\Local\Temp\Unicorn-18621.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-18621.exe
        6⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1920
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-8034.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-8034.exe
        7⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1752
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-8776.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-8776.exe
        8⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2768
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-12453.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-12453.exe
        9⤵
        
        PID:3756
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-10575.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-10575.exe
        10⤵
        System Location Discovery: System Language Discovery
        
        PID:5640
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3756 -s 376
        10⤵
        
        PID:6904
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2768 -s 376
        9⤵
        
        PID:4948
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1752 -s 380
        8⤵
        Program crash
        
        PID:4080
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-29559.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-29559.exe
        7⤵
        System Location Discovery: System Language Discovery
        
        PID:2044
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-53294.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-53294.exe
        8⤵
        
        PID:3980
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-22143.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-22143.exe
        9⤵
        System Location Discovery: System Language Discovery
        
        PID:5480
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3980 -s 376
        9⤵
        
        PID:6664
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2044 -s 376
        8⤵
        
        PID:5012
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1920 -s 368
        7⤵
        Program crash
        
        PID:3212
      - C:\Users\Admin\AppData\Local\Temp\Unicorn-29009.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-29009.exe
        6⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2112
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-30025.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-30025.exe
        7⤵
        System Location Discovery: System Language Discovery
        
        PID:3008
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-22262.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-22262.exe
        8⤵
        
        PID:3712
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-15812.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-15812.exe
        9⤵
        
        PID:5764
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3712 -s 376
        9⤵
        
        PID:7000
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3008 -s 376
        8⤵
        
        PID:5472
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2112 -s 376
        7⤵
        Program crash
        
        PID:4088
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 376 -s 376
        6⤵
        Program crash
        
        PID:3024
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2620 -s 376
        5⤵
        Program crash
        
        PID:1660
  - - C:\Users\Admin\AppData\Local\Temp\Unicorn-25065.exe
      C:\Users\Admin\AppData\Local\Temp\Unicorn-25065.exe
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Suspicious use of SetWindowsHookEx
      PID:1744
    - - C:\Users\Admin\AppData\Local\Temp\Unicorn-33120.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-33120.exe
        5⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1788
      - C:\Users\Admin\AppData\Local\Temp\Unicorn-53670.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-53670.exe
        6⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2116
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-53919.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-53919.exe
        7⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1720
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-38385.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-38385.exe
        8⤵
        System Location Discovery: System Language Discovery
        
        PID:1260
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-16476.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-16476.exe
        9⤵
        System Location Discovery: System Language Discovery
        
        PID:4640
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-7643.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-7643.exe
        10⤵
        System Location Discovery: System Language Discovery
        
        PID:5800
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-60247.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-60247.exe
        11⤵
        System Location Discovery: System Language Discovery
        
        PID:7196
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4640 -s 376
        10⤵
        
        PID:7012
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1260 -s 376
        9⤵
        
        PID:5180
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1720 -s 380
        8⤵
        Program crash
        
        PID:3588
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-59552.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-59552.exe
        7⤵
        System Location Discovery: System Language Discovery
        
        PID:1068
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-4280.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-4280.exe
        8⤵
        
        PID:5060
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-38474.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-38474.exe
        9⤵
        
        PID:5536
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 5536 -s 240
        10⤵
        
        PID:5408
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 5060 -s 376
        9⤵
        
        PID:6216
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1068 -s 376
        8⤵
        
        PID:5360
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2116 -s 376
        7⤵
        Program crash
        
        PID:3656
      - C:\Users\Admin\AppData\Local\Temp\Unicorn-62450.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-62450.exe
        6⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2720
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-38769.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-38769.exe
        7⤵
        
        PID:2876
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-528.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-528.exe
        8⤵
        
        PID:3500
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-22828.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-22828.exe
        9⤵
        System Location Discovery: System Language Discovery
        
        PID:5592
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3500 -s 376
        9⤵
        
        PID:6840
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2876 -s 376
        8⤵
        Program crash
        
        PID:5116
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2720 -s 376
        7⤵
        Program crash
        
        PID:3908
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1788 -s 376
        6⤵
        Program crash
        
        PID:1176
    - - C:\Users\Admin\AppData\Local\Temp\Unicorn-5024.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-5024.exe
        5⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:3016
      - C:\Users\Admin\AppData\Local\Temp\Unicorn-53919.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-53919.exe
        6⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1612
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-28354.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-28354.exe
        7⤵
        
        PID:3108
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-39958.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-39958.exe
        8⤵
        
        PID:5568
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-19770.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-19770.exe
        9⤵
        
        PID:7916
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 5568 -s 376
        9⤵
        
        PID:8072
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3108 -s 376
        8⤵
        
        PID:6164
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1612 -s 376
        7⤵
        Program crash
        
        PID:4208
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3016 -s 376
        6⤵
        Program crash
        
        PID:2936
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1744 -s 376
        5⤵
        Program crash
        
        PID:2276
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 2576 -s 376
      4⤵
      Loads dropped DLL
      Program crash
      PID:1036
- - C:\Users\Admin\AppData\Local\Temp\Unicorn-34172.exe
    C:\Users\Admin\AppData\Local\Temp\Unicorn-34172.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:2188
  - - C:\Users\Admin\AppData\Local\Temp\Unicorn-44931.exe
      C:\Users\Admin\AppData\Local\Temp\Unicorn-44931.exe
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      System Location Discovery: System Language Discovery
      Suspicious use of SetWindowsHookEx
      PID:1052
    - - C:\Users\Admin\AppData\Local\Temp\Unicorn-15439.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-15439.exe
        5⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:476
      - C:\Users\Admin\AppData\Local\Temp\Unicorn-48709.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-48709.exe
        6⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:900
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-48875.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-48875.exe
        7⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2352
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-9604.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-9604.exe
        8⤵
        System Location Discovery: System Language Discovery
        
        PID:2696
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-58463.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-58463.exe
        9⤵
        System Location Discovery: System Language Discovery
        
        PID:4300
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4300 -s 380
        10⤵
        
        PID:5704
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2696 -s 376
        9⤵
        
        PID:5696
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2352 -s 376
        8⤵
        Program crash
        
        PID:3856
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-22219.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-22219.exe
        7⤵
        
        PID:692
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-28780.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-28780.exe
        8⤵
        
        PID:5076
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-30877.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-30877.exe
        9⤵
        System Location Discovery: System Language Discovery
        
        PID:6196
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 5076 -s 376
        9⤵
        
        PID:7544
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 692 -s 376
        8⤵
        
        PID:1924
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 900 -s 376
        7⤵
        Program crash
        
        PID:3744
      - C:\Users\Admin\AppData\Local\Temp\Unicorn-57598.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-57598.exe
        6⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:1520
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-8584.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-8584.exe
        7⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1880
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-38624.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-38624.exe
        8⤵
        
        PID:4868
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-38474.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-38474.exe
        9⤵
        
        PID:5564
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 5564 -s 220
        10⤵
        
        PID:3040
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4868 -s 368
        9⤵
        
        PID:6200
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1880 -s 376
        8⤵
        
        PID:5264
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1520 -s 368
        7⤵
        Program crash
        
        PID:3228
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 476 -s 380
        6⤵
        Program crash
        
        PID:1732
    - - C:\Users\Admin\AppData\Local\Temp\Unicorn-29912.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-29912.exe
        5⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:3048
      - C:\Users\Admin\AppData\Local\Temp\Unicorn-52959.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-52959.exe
        6⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1908
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-2663.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-2663.exe
        7⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1812
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-62920.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-62920.exe
        8⤵
        System Location Discovery: System Language Discovery
        
        PID:3728
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-21183.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-21183.exe
        9⤵
        
        PID:5960
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3728 -s 376
        9⤵
        
        PID:6464
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1812 -s 376
        8⤵
        Program crash
        
        PID:4852
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1908 -s 376
        7⤵
        Program crash
        
        PID:3804
      - C:\Users\Admin\AppData\Local\Temp\Unicorn-52419.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-52419.exe
        6⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:1888
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-12453.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-12453.exe
        7⤵
        System Location Discovery: System Language Discovery
        
        PID:3800
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-10575.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-10575.exe
        8⤵
        
        PID:5528
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3800 -s 376
        8⤵
        
        PID:6896
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1888 -s 376
        7⤵
        Program crash
        
        PID:4900
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3048 -s 368
        6⤵
        Program crash
        
        PID:3924
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1052 -s 368
        5⤵
        Program crash
        
        PID:1584
  - - C:\Users\Admin\AppData\Local\Temp\Unicorn-40498.exe
      C:\Users\Admin\AppData\Local\Temp\Unicorn-40498.exe
      4⤵
      Executes dropped EXE
      Suspicious use of SetWindowsHookEx
      PID:2460
    - - C:\Users\Admin\AppData\Local\Temp\Unicorn-44433.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-44433.exe
        5⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2952
      - C:\Users\Admin\AppData\Local\Temp\Unicorn-29031.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-29031.exe
        6⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2824
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-61986.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-61986.exe
        7⤵
        System Location Discovery: System Language Discovery
        
        PID:3272
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-17291.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-17291.exe
        8⤵
        
        PID:5708
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-32697.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-32697.exe
        9⤵
        
        PID:8020
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3272 -s 376
        8⤵
        
        PID:6308
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2824 -s 376
        7⤵
        Program crash
        
        PID:4292
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2952 -s 376
        6⤵
        Program crash
        
        PID:3076
    - - C:\Users\Admin\AppData\Local\Temp\Unicorn-62258.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-62258.exe
        5⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2616
      - C:\Users\Admin\AppData\Local\Temp\Unicorn-15910.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-15910.exe
        6⤵
        
        PID:3216
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-44919.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-44919.exe
        7⤵
        
        PID:5600
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-25271.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-25271.exe
        8⤵
        
        PID:8132
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3216 -s 380
        7⤵
        
        PID:6180
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2616 -s 376
        6⤵
        Program crash
        
        PID:4200
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2460 -s 368
        5⤵
        Program crash
        
        PID:2712
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 2188 -s 376
      4⤵
      Program crash
      PID:2328
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2788 -s 376
    3⤵
    - Loads dropped DLL
    - Program crash
    PID:2228
- C:\Users\Admin\AppData\Local\Temp\Unicorn-21562.exe
  C:\Users\Admin\AppData\Local\Temp\Unicorn-21562.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2808
- - C:\Users\Admin\AppData\Local\Temp\Unicorn-45678.exe
    C:\Users\Admin\AppData\Local\Temp\Unicorn-45678.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:444
  - - C:\Users\Admin\AppData\Local\Temp\Unicorn-28595.exe
      C:\Users\Admin\AppData\Local\Temp\Unicorn-28595.exe
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Suspicious use of SetWindowsHookEx
      PID:1972
    - - C:\Users\Admin\AppData\Local\Temp\Unicorn-52196.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-52196.exe
        5⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:944
      - C:\Users\Admin\AppData\Local\Temp\Unicorn-20998.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-20998.exe
        6⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1608
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-44215.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-44215.exe
        7⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1940
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-48932.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-48932.exe
        8⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2604
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-22080.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-22080.exe
        9⤵
        
        PID:3692
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-53855.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-53855.exe
        10⤵
        System Location Discovery: System Language Discovery
        
        PID:6052
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-42266.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-42266.exe
        11⤵
        System Location Discovery: System Language Discovery
        
        PID:7280
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3692 -s 372
        10⤵
        
        PID:6520
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2604 -s 376
        9⤵
        Program crash
        
        PID:4828
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1940 -s 376
        8⤵
        Program crash
        
        PID:3608
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-9331.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-9331.exe
        7⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:328
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-13159.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-13159.exe
        8⤵
        System Location Discovery: System Language Discovery
        
        PID:4704
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-38474.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-38474.exe
        9⤵
        System Location Discovery: System Language Discovery
        
        PID:5580
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4704 -s 376
        9⤵
        
        PID:2956
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 328 -s 376
        8⤵
        
        PID:5228
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1608 -s 376
        7⤵
        Program crash
        
        PID:3160
      - C:\Users\Admin\AppData\Local\Temp\Unicorn-50390.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-50390.exe
        6⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2932
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-17389.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-17389.exe
        7⤵
        System Location Discovery: System Language Discovery
        
        PID:1580
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-27835.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-27835.exe
        8⤵
        
        PID:3460
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-24369.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-24369.exe
        9⤵
        
        PID:5136
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-30119.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-30119.exe
        10⤵
        System Location Discovery: System Language Discovery
        
        PID:2244
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-8384.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-8384.exe
        11⤵
        System Location Discovery: System Language Discovery
        
        PID:7960
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 5136 -s 376
        10⤵
        
        PID:6768
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3460 -s 376
        9⤵
        
        PID:5188
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1580 -s 376
        8⤵
        Program crash
        
        PID:4548
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-7969.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-7969.exe
        7⤵
        
        PID:3448
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-13398.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-13398.exe
        8⤵
        System Location Discovery: System Language Discovery
        
        PID:5648
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 5648 -s 188
        9⤵
        
        PID:5808
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-18608.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-18608.exe
        8⤵
        System Location Discovery: System Language Discovery
        
        PID:5244
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3448 -s 376
        8⤵
        
        PID:7032
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2932 -s 380
        7⤵
        Program crash
        
        PID:4564
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 944 -s 376
        6⤵
        Program crash
        
        PID:2396
    - - C:\Users\Admin\AppData\Local\Temp\Unicorn-24567.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-24567.exe
        5⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2360
      - C:\Users\Admin\AppData\Local\Temp\Unicorn-4526.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-4526.exe
        6⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2804
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-48774.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-48774.exe
        7⤵
        
        PID:3140
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-16331.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-16331.exe
        8⤵
        System Location Discovery: System Language Discovery
        
        PID:5540
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-39059.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-39059.exe
        9⤵
        
        PID:8160
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3140 -s 376
        8⤵
        
        PID:6172
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2804 -s 368
        7⤵
        Program crash
        
        PID:4216
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2360 -s 376
        6⤵
        Program crash
        
        PID:2356
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1972 -s 376
        5⤵
        Program crash
        
        PID:1884
  - - C:\Users\Admin\AppData\Local\Temp\Unicorn-21422.exe
      C:\Users\Admin\AppData\Local\Temp\Unicorn-21422.exe
      4⤵
      Executes dropped EXE
      Suspicious use of SetWindowsHookEx
      PID:892
    - - C:\Users\Admin\AppData\Local\Temp\Unicorn-16722.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-16722.exe
        5⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2032
      - C:\Users\Admin\AppData\Local\Temp\Unicorn-56851.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-56851.exe
        6⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:1236
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-9604.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-9604.exe
        7⤵
        
        PID:2828
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-11872.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-11872.exe
        8⤵
        
        PID:5016
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-38474.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-38474.exe
        9⤵
        
        PID:1616
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 5016 -s 376
        9⤵
        
        PID:7068
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2828 -s 376
        8⤵
        
        PID:5288
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1236 -s 376
        7⤵
        Program crash
        
        PID:3752
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2032 -s 368
        6⤵
        Program crash
        
        PID:1060
    - - C:\Users\Admin\AppData\Local\Temp\Unicorn-37.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-37.exe
        5⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1564
      - C:\Users\Admin\AppData\Local\Temp\Unicorn-20645.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-20645.exe
        6⤵
        
        PID:2096
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-34343.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-34343.exe
        7⤵
        
        PID:4696
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-64815.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-64815.exe
        8⤵
        System Location Discovery: System Language Discovery
        
        PID:5796
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4696 -s 376
        8⤵
        
        PID:7288
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2096 -s 376
        7⤵
        
        PID:6096
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1564 -s 376
        6⤵
        Program crash
        
        PID:3300
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 892 -s 376
        5⤵
        Program crash
        
        PID:1484
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 444 -s 368
      4⤵
      Program crash
      PID:2120
- - C:\Users\Admin\AppData\Local\Temp\Unicorn-369.exe
    C:\Users\Admin\AppData\Local\Temp\Unicorn-369.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of SetWindowsHookEx
    PID:1304
  - - C:\Users\Admin\AppData\Local\Temp\Unicorn-41288.exe
      C:\Users\Admin\AppData\Local\Temp\Unicorn-41288.exe
      4⤵
      Executes dropped EXE
      Suspicious use of SetWindowsHookEx
      PID:1556
    - - C:\Users\Admin\AppData\Local\Temp\Unicorn-49586.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-49586.exe
        5⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2592
      - C:\Users\Admin\AppData\Local\Temp\Unicorn-32155.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-32155.exe
        6⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:856
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-33398.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-33398.exe
        7⤵
        System Location Discovery: System Language Discovery
        
        PID:3304
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-954.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-954.exe
        8⤵
        System Location Discovery: System Language Discovery
        
        PID:5748
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-28006.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-28006.exe
        9⤵
        System Location Discovery: System Language Discovery
        
        PID:4472
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3304 -s 376
        8⤵
        
        PID:6324
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 856 -s 380
        7⤵
        Program crash
        
        PID:4336
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2592 -s 368
        6⤵
        Program crash
        
        PID:320
    - - C:\Users\Admin\AppData\Local\Temp\Unicorn-24349.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-24349.exe
        5⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:3000
      - C:\Users\Admin\AppData\Local\Temp\Unicorn-33725.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-33725.exe
        6⤵
        
        PID:1872
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-34524.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-34524.exe
        7⤵
        System Location Discovery: System Language Discovery
        
        PID:3680
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-58131.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-58131.exe
        8⤵
        System Location Discovery: System Language Discovery
        
        PID:5872
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-9033.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-9033.exe
        9⤵
        System Location Discovery: System Language Discovery
        
        PID:5036
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3680 -s 376
        8⤵
        
        PID:6412
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1872 -s 376
        7⤵
        Program crash
        
        PID:4820
      - C:\Users\Admin\AppData\Local\Temp\Unicorn-14658.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-14658.exe
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:3644
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-762.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-762.exe
        7⤵
        System Location Discovery: System Language Discovery
        
        PID:5836
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3644 -s 376
        7⤵
        
        PID:6396
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3000 -s 380
        6⤵
        Program crash
        
        PID:4812
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1556 -s 376
        5⤵
        Program crash
        
        PID:2520
  - - C:\Users\Admin\AppData\Local\Temp\Unicorn-62393.exe
      C:\Users\Admin\AppData\Local\Temp\Unicorn-62393.exe
      4⤵
      Executes dropped EXE
      Suspicious use of SetWindowsHookEx
      PID:2016
    - - C:\Users\Admin\AppData\Local\Temp\Unicorn-23987.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-23987.exe
        5⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2300
      - C:\Users\Admin\AppData\Local\Temp\Unicorn-54721.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-54721.exe
        6⤵
        
        PID:2836
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-50850.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-50850.exe
        7⤵
        
        PID:4240
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-38474.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-38474.exe
        8⤵
        
        PID:5548
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4240 -s 368
        8⤵
        
        PID:7044
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2836 -s 376
        7⤵
        
        PID:5448
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2300 -s 376
        6⤵
        Program crash
        
        PID:4092
    - - C:\Users\Admin\AppData\Local\Temp\Unicorn-63252.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-63252.exe
        5⤵
        
        PID:548
      - C:\Users\Admin\AppData\Local\Temp\Unicorn-61623.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-61623.exe
        6⤵
        
        PID:4428
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-38474.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-38474.exe
        7⤵
        
        PID:5584
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4428 -s 372
        7⤵
        
        PID:6212
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 548 -s 376
        6⤵
        
        PID:5944
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2016 -s 372
        5⤵
        Program crash
        
        PID:3824
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 1304 -s 380
      4⤵
      Program crash
      PID:2280
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2808 -s 376
    3⤵
    - Loads dropped DLL
    - Program crash
    PID:2312
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 2076 -s 380
  2⤵
  - Program crash
  PID:2624

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\Unicorn-17389.exe

Filesize
188KB

MD5
7914d44701a4278b3128cad9857758cb

SHA1
ee9ea852b99e23a5c1a1ef610aa60e3e144b4998

SHA256
01caec011157b28da5bb672047b21619aaf008c4cb637ed896ffa229845c802f

SHA512
4de48f6a2a4369b1432f5a1d1c49a6ba48567324e679107500cffe43ad5ca6823b41e26ded3e78c2585a931662948bd978073ea9a8ded620377e6fb1c110ccb7

Download Submit
C:\Users\Admin\AppData\Local\Temp\Unicorn-25065.exe

Filesize
188KB

MD5
5baee9a664dfe64c76e858d04d530680

SHA1
68438c5ca9e30f748b5cc7b24ebbdbeb0b76f6fb

SHA256
f508946a21af8771f769502bd83466cb812ae0f387296109082de4104d5502e4

SHA512
38e462efea0343feda912a5d784419a4054fd95ca3951c60665a7ac9e14cab1eb5491619e4e01eea632d04ccfc6584c1b6f1bd683a8c882a4a94e407cf7b6a36

Download Submit
C:\Users\Admin\AppData\Local\Temp\Unicorn-28595.exe

Filesize
188KB

MD5
5a2c656692a4f9d8ba57f8d9f92cd474

SHA1
75e2a761185f57e7a7f7b4128001546ab88e22e9

SHA256
5eca40b59f964cce73f25a6c342a9d5744d07faaa6a66276f43c17868de7797d

SHA512
df90f63c4aaed4f7a0abee166471ac88331cd25101944097dab4a401bac04ff0907138e437f7a357b030de992405eeaac222b87e657766698679d3a9f4547339

Download Submit
C:\Users\Admin\AppData\Local\Temp\Unicorn-34172.exe

Filesize
188KB

MD5
35f57e7ede2dacc0aa4b66e1e3617d6f

SHA1
7c713887f0d6d6c04afa05eb72a85117ba7dca46

SHA256
e0de5e97dd0c264030014f6e84d3335c948a09459d071fedea73cadd054ec59c

SHA512
ce218812b7211e26c05ef3e2dd155d2615eca8b6ef340b556d6153673345786cb38e1f17a00f2a6762c8c31fc1c2d54dd35a62810e019190f776443f3be38e8f

Download Submit
C:\Users\Admin\AppData\Local\Temp\Unicorn-369.exe

Filesize
188KB

MD5
92310047f394ffdfae9b4b97d70b4785

SHA1
5b57c2e89fd029fdfaf3e20dbaf8f70f423f58f1

SHA256
c0f1c00ea836a2af3d06f254520ee6e8a0bb68674d2a125322fcebfd341d4cbb

SHA512
585eab191e69b352a6f29e5dd724664590b29270aa59d378db05fe54f2f3ee46b8854ad33db12e0100fa86fbcd315e017043300d84ee4faee645f5c215069e2b

Download Submit
C:\Users\Admin\AppData\Local\Temp\Unicorn-40498.exe

Filesize
188KB

MD5
9b2a933d5e41c559e782b704ce720f14

SHA1
9367a959ea8a9d5972a4a4d3265e96916b1e7087

SHA256
d74d42e9b7b4afc3a898d369222ea1a94edb04dda7d01e9dbfe9e0b92df4556d

SHA512
0de5bab65cd39c2735fb912589dda481ee9fbcb10511ef88d6fad56810190fb7078c4db62e8aace658544cd2244cb5ab53b6cbfa22c4c2a0f0e9f3118d8af2d4

Download Submit
C:\Users\Admin\AppData\Local\Temp\Unicorn-62206.exe

Filesize
188KB

MD5
d8cba819664253be47c7a6b0a6e2da4b

SHA1
804ed36567b32becbf19cda0f2bf79152deb4a16

SHA256
d231cdaae2efa3e2c45714f1e4f0a58de847b42b4487c15ff09e68473620289d

SHA512
edcb97d79c36f45d99c499db748c5c63aeb0b17d9573d6ef0ebbbbeeeaab0b0af6a74d7862cc726153f57f3f62499db405d1f81a350421050288fbde9f201a6c

Download Submit
\Users\Admin\AppData\Local\Temp\Unicorn-21562.exe

Filesize
188KB

MD5
56a557b6480410e169c6220317ff4fe2

SHA1
1d3d3fdf9752f78f5fb8fb5cb9e51256379505bc

SHA256
f9ff5959f533e31fa590c76d4cc75e94bb9069aa6b67dee6953110386c945098

SHA512
409e0bc53c64a00240be23f3cd3add36b2e08f5a56b491e4e78105acfa6706131ecd4b21fda7596ddf79482bba90a631f750d93482e2e1cbecc9b0cd24f2ae02

Download Submit
\Users\Admin\AppData\Local\Temp\Unicorn-44931.exe

Filesize
188KB

MD5
b5ca872907701142c8528eb2cb2226dc

SHA1
0b33b8f1c547ef342b348ff309da5d000447e326

SHA256
235de3d96ee51afec396fbc4be83019b59bf9bf60090939911c9eafd3a395b2f

SHA512
992410f928eba1be6db4a2ada6abfb1ef3f6f2623cb574f13f2775eebea1789b9b83029881daea826bf8e5e066f26653aa19cb2ba27f26fc708f6769b5289241

Download Submit
\Users\Admin\AppData\Local\Temp\Unicorn-45678.exe

Filesize
188KB

MD5
01f6928b21fcfdbcd12053bffce93cc8

SHA1
10208f216542c982810ce19cb6f19fe97a00a200

SHA256
ad7e977aec6476a177766fe69afad4a0e7b39e8a47d7908c98e8d442f93da306

SHA512
9394510d28521cb11b2e1f7451802088e581a6b623e8bf2a4ad4cf000140e12243e6432c1996a466da556651402d8966899ec8600be40f6dda1467c752ff22d6

Download Submit
\Users\Admin\AppData\Local\Temp\Unicorn-53872.exe

Filesize
188KB

MD5
648ed03c83290e0bfcf0cd5b2ce2f112

SHA1
2285fbbd5aadb17565e3a3b5dc9f3fa73a7a83f1

SHA256
00091a31740a0dd81c1b7b8d252b52f258747307bfd3c9f506006f98896417a0

SHA512
640563d0d122964913b42b5efd7e8e8df070495e915ece22b22ea4921a8819ae8705da8cdd7d3c72a0778d438b7e79d86f99d1d25b13dbfe283f646c7405795f

Download Submit
\Users\Admin\AppData\Local\Temp\Unicorn-58667.exe

Filesize
188KB

MD5
830b8fa0c019e096fa16de7643845cf8

SHA1
c70a8d76e081daa7bc49db9f75bc93e12d581ada

SHA256
58e4ba4082f0d55e5ed4db201b319efd4516f144b9846527452f5470f4860edd

SHA512
1e2ebb02615edf4ed3f3fbbfb2223c7ab3e08d37a27089a894a60f8b24a5612adb9b53578ea13de38e248c75aa85e01acc63227b3ec514d4617e69e6d42ea84f

Download Submit
\Users\Admin\AppData\Local\Temp\Unicorn-61459.exe

Filesize
188KB

MD5
d9c7e2b6fb75b97d7adfc2e5f6de4f9e

SHA1
c3212a6f4a6737d8d87debbbaadb95a3d6cae554

SHA256
cf034049201c14a05bfdb24a688567daeebe9f711349b69fa55f276e6f86977d

SHA512
9300641dfa15682b3a50aa365e284c65e7f8dfcc7055d326b5df90c9905ac2299f22ba90478ed83fa7514d7aede6a9d09ac8f5ba7c405e1150501b5ab7f79550

Download Submit