943d591a256cb522424de662ae87d61cb6bd13045af4b1231b74bbd199b948ca

Analysis

max time kernel
120s
max time network
118s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
11/09/2024, 04:58

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

5b4620cc255d277045c85c675c49bd40N.exe
Size

468KB
MD5

5b4620cc255d277045c85c675c49bd40
SHA1

4e50ffa2e22909f63f8a05f42b525aa298c06876
SHA256

943d591a256cb522424de662ae87d61cb6bd13045af4b1231b74bbd199b948ca
SHA512

2f8785c3127d7a0fc282ac3f975b2b72487e0093a3586365a01084b1ec3562dcb6b05f7c39cdd6f25a3dd12d560c866c5df4b2ac870eb5e612a1883983993307
SSDEEP

3072:PbACogId605UtbYSPMam2f8ggpb0PIp2nmHexVbd4J0LyYCW93lq:Pb1oi8UtVPjm2f50UF4JOHCW9

Score

7^/10

discovery

Malware Config

Signatures

Executes dropped EXE 64 IoCs

pid	Process
2276	Unicorn-2219.exe
1712	Unicorn-32474.exe
108	Unicorn-11539.exe
2416	Unicorn-54259.exe
2576	Unicorn-2297.exe
2636	Unicorn-22163.exe
2660	Unicorn-3506.exe
2772	Unicorn-7035.exe
2496	Unicorn-23372.exe
2976	Unicorn-58771.exe
2980	Unicorn-13099.exe
1736	Unicorn-47941.exe
2780	Unicorn-14884.exe
2776	Unicorn-2419.exe
2784	Unicorn-38621.exe
2952	Unicorn-63125.exe
2116	Unicorn-10395.exe
2204	Unicorn-30261.exe
1764	Unicorn-18563.exe
1288	Unicorn-46291.exe
1440	Unicorn-18065.exe
2376	Unicorn-45331.exe
2668	Unicorn-33441.exe
1928	Unicorn-12274.exe
2176	Unicorn-62051.exe
960	Unicorn-57453.exe
2312	Unicorn-11781.exe
2004	Unicorn-3421.exe
1612	Unicorn-30230.exe
2020	Unicorn-30230.exe
2228	Unicorn-10364.exe
2404	Unicorn-10172.exe
2900	Unicorn-20137.exe
2728	Unicorn-56680.exe
2716	Unicorn-26276.exe
2676	Unicorn-50780.exe
2680	Unicorn-39658.exe
2608	Unicorn-18492.exe
1752	Unicorn-59332.exe
1720	Unicorn-22938.exe
1692	Unicorn-53084.exe
1656	Unicorn-45300.exe
1808	Unicorn-19535.exe
2788	Unicorn-19535.exe
1280	Unicorn-19452.exe
1824	Unicorn-19452.exe
352	Unicorn-65123.exe
1252	Unicorn-65123.exe
2588	Unicorn-64630.exe
2988	Unicorn-18959.exe
2944	Unicorn-31765.exe
904	Unicorn-18767.exe
1260	Unicorn-41853.exe
2160	Unicorn-24818.exe
2220	Unicorn-12928.exe
1436	Unicorn-25010.exe
1704	Unicorn-56265.exe
1912	Unicorn-42581.exe
2148	Unicorn-49789.exe
2724	Unicorn-29923.exe
2168	Unicorn-22139.exe
2556	Unicorn-43925.exe
2388	Unicorn-57308.exe
1012	Unicorn-3468.exe

Loads dropped DLL 64 IoCs

pid	Process
1744	5b4620cc255d277045c85c675c49bd40N.exe
1744	5b4620cc255d277045c85c675c49bd40N.exe
2276	Unicorn-2219.exe
2276	Unicorn-2219.exe
1744	5b4620cc255d277045c85c675c49bd40N.exe
1744	5b4620cc255d277045c85c675c49bd40N.exe
1712	Unicorn-32474.exe
1712	Unicorn-32474.exe
2276	Unicorn-2219.exe
2276	Unicorn-2219.exe
108	Unicorn-11539.exe
108	Unicorn-11539.exe
2688	WerFault.exe
2688	WerFault.exe
2688	WerFault.exe
2688	WerFault.exe
2688	WerFault.exe
2688	WerFault.exe
2688	WerFault.exe
2416	Unicorn-54259.exe
1712	Unicorn-32474.exe
1712	Unicorn-32474.exe
2416	Unicorn-54259.exe
2576	Unicorn-2297.exe
2576	Unicorn-2297.exe
108	Unicorn-11539.exe
2636	Unicorn-22163.exe
2636	Unicorn-22163.exe
108	Unicorn-11539.exe
2024	WerFault.exe
2024	WerFault.exe
2024	WerFault.exe
2024	WerFault.exe
2024	WerFault.exe
2024	WerFault.exe
1984	WerFault.exe
1984	WerFault.exe
1984	WerFault.exe
1984	WerFault.exe
1984	WerFault.exe
1984	WerFault.exe
2024	WerFault.exe
1984	WerFault.exe
2660	Unicorn-3506.exe
2660	Unicorn-3506.exe
2772	Unicorn-7035.exe
2772	Unicorn-7035.exe
2416	Unicorn-54259.exe
2416	Unicorn-54259.exe
2976	Unicorn-58771.exe
2976	Unicorn-58771.exe
2496	Unicorn-23372.exe
2496	Unicorn-23372.exe
2576	Unicorn-2297.exe
2980	Unicorn-13099.exe
2576	Unicorn-2297.exe
2980	Unicorn-13099.exe
2636	Unicorn-22163.exe
2636	Unicorn-22163.exe
2468	WerFault.exe
2468	WerFault.exe
2468	WerFault.exe
2468	WerFault.exe
2468	WerFault.exe

Program crash 64 IoCs

pid	pid_target	Process	procid_target
2916	1744	WerFault.exe	27
2688	2276	WerFault.exe	28
2024	1712	WerFault.exe	29
1984	108	WerFault.exe	30
2468	2416	WerFault.exe	32
612	2576	WerFault.exe	33
308	2636	WerFault.exe	34
2860	2660	WerFault.exe	37
2336	2772	WerFault.exe	36
2708	2496	WerFault.exe	38
2872	2976	WerFault.exe	39
2876	2980	WerFault.exe	40
1784	1736	WerFault.exe	43
1996	2780	WerFault.exe	44
2344	2776	WerFault.exe	45
2172	2952	WerFault.exe	47
2036	2116	WerFault.exe	49
2408	2204	WerFault.exe	48
628	1764	WerFault.exe	50
1960	2020	WerFault.exe	65
572	1612	WerFault.exe	67
980	2176	WerFault.exe	61
844	2716	WerFault.exe	75
2612	2784	WerFault.exe	46
2508	960	WerFault.exe	62
2992	2900	WerFault.exe	70
2084	1440	WerFault.exe	57
2384	1280	WerFault.exe	87
1504	1288	WerFault.exe	56
2132	1656	WerFault.exe	83
1588	1692	WerFault.exe	82
2592	2676	WerFault.exe	77
1780	2404	WerFault.exe	68
2768	1252	WerFault.exe	89
3004	2004	WerFault.exe	64
2868	1928	WerFault.exe	60
1528	1752	WerFault.exe	80
3084	2228	WerFault.exe	66
3144	2608	WerFault.exe	79
3172	2988	WerFault.exe	91
3180	2680	WerFault.exe	78
3208	2376	WerFault.exe	58
3252	904	WerFault.exe	93
3304	2312	WerFault.exe	63
3528	2724	WerFault.exe	107
3536	1720	WerFault.exe	81
3544	2588	WerFault.exe	90
3564	2944	WerFault.exe	92
3576	352	WerFault.exe	88
3612	2668	WerFault.exe	59
3620	2788	WerFault.exe	85
3628	1824	WerFault.exe	86
3636	1808	WerFault.exe	84
3780	2808	WerFault.exe	118
3772	2728	WerFault.exe	72
3860	1436	WerFault.exe	99
3928	1260	WerFault.exe	94
3452	2160	WerFault.exe	97
3676	2148	WerFault.exe	106
3688	2220	WerFault.exe	98
3796	2760	WerFault.exe	115
3808	1704	WerFault.exe	102
3728	1604	WerFault.exe	131
3848	1476	WerFault.exe	120

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Unicorn-3448.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Unicorn-10547.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Unicorn-42102.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Unicorn-16218.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Unicorn-65079.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Unicorn-11781.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Unicorn-16235.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Unicorn-63567.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Unicorn-65123.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Unicorn-65079.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Unicorn-54259.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Unicorn-22163.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Unicorn-26276.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Unicorn-40357.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Unicorn-41344.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Unicorn-30261.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Unicorn-51984.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Unicorn-15378.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Unicorn-56966.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Unicorn-10547.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Unicorn-65079.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Unicorn-65123.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Unicorn-9607.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Unicorn-65435.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Unicorn-58771.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Unicorn-29923.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Unicorn-13099.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Unicorn-30230.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Unicorn-55279.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Unicorn-65079.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Unicorn-18051.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Unicorn-15378.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Unicorn-65079.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Unicorn-2219.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Unicorn-33920.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Unicorn-65079.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Unicorn-19535.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Unicorn-65521.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Unicorn-19452.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Unicorn-64215.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Unicorn-3448.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Unicorn-32474.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Unicorn-47941.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Unicorn-14884.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Unicorn-12928.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Unicorn-65079.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	5b4620cc255d277045c85c675c49bd40N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Unicorn-20137.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Unicorn-18767.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Unicorn-25721.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Unicorn-3448.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Unicorn-48890.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Unicorn-65079.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Unicorn-19535.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Unicorn-11527.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Unicorn-49415.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Unicorn-39959.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Unicorn-65079.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Unicorn-65079.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Unicorn-18959.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Unicorn-29328.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Unicorn-10547.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Unicorn-19452.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Unicorn-65079.exe

Suspicious use of SetWindowsHookEx 64 IoCs

pid	Process
1744	5b4620cc255d277045c85c675c49bd40N.exe
2276	Unicorn-2219.exe
1712	Unicorn-32474.exe
108	Unicorn-11539.exe
2416	Unicorn-54259.exe
2576	Unicorn-2297.exe
2636	Unicorn-22163.exe
2772	Unicorn-7035.exe
2660	Unicorn-3506.exe
2496	Unicorn-23372.exe
2980	Unicorn-13099.exe
2976	Unicorn-58771.exe
1736	Unicorn-47941.exe
2780	Unicorn-14884.exe
2776	Unicorn-2419.exe
2784	Unicorn-38621.exe
2952	Unicorn-63125.exe
2204	Unicorn-30261.exe
2116	Unicorn-10395.exe
1764	Unicorn-18563.exe
1288	Unicorn-46291.exe
1440	Unicorn-18065.exe
2376	Unicorn-45331.exe
2668	Unicorn-33441.exe
1928	Unicorn-12274.exe
2176	Unicorn-62051.exe
2312	Unicorn-11781.exe
960	Unicorn-57453.exe
2004	Unicorn-3421.exe
2020	Unicorn-30230.exe
1612	Unicorn-30230.exe
2228	Unicorn-10364.exe
2404	Unicorn-10172.exe
2900	Unicorn-20137.exe
2716	Unicorn-26276.exe
2676	Unicorn-50780.exe
2728	Unicorn-56680.exe
2680	Unicorn-39658.exe
2608	Unicorn-18492.exe
1752	Unicorn-59332.exe
1720	Unicorn-22938.exe
1692	Unicorn-53084.exe
1656	Unicorn-45300.exe
2788	Unicorn-19535.exe
1808	Unicorn-19535.exe
352	Unicorn-65123.exe
1280	Unicorn-19452.exe
1252	Unicorn-65123.exe
1824	Unicorn-19452.exe
2988	Unicorn-18959.exe
2588	Unicorn-64630.exe
2944	Unicorn-31765.exe
904	Unicorn-18767.exe
1260	Unicorn-41853.exe
2160	Unicorn-24818.exe
2220	Unicorn-12928.exe
1436	Unicorn-25010.exe
1704	Unicorn-56265.exe
1912	Unicorn-42581.exe
2148	Unicorn-49789.exe
2724	Unicorn-29923.exe
2168	Unicorn-22139.exe
2556	Unicorn-43925.exe
2388	Unicorn-57308.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1744 wrote to memory of 2276	1744	5b4620cc255d277045c85c675c49bd40N.exe	28
PID 1744 wrote to memory of 2276	1744	5b4620cc255d277045c85c675c49bd40N.exe	28
PID 1744 wrote to memory of 2276	1744	5b4620cc255d277045c85c675c49bd40N.exe	28
PID 1744 wrote to memory of 2276	1744	5b4620cc255d277045c85c675c49bd40N.exe	28
PID 2276 wrote to memory of 1712	2276	Unicorn-2219.exe	29
PID 2276 wrote to memory of 1712	2276	Unicorn-2219.exe	29
PID 2276 wrote to memory of 1712	2276	Unicorn-2219.exe	29
PID 2276 wrote to memory of 1712	2276	Unicorn-2219.exe	29
PID 1744 wrote to memory of 108	1744	5b4620cc255d277045c85c675c49bd40N.exe	30
PID 1744 wrote to memory of 108	1744	5b4620cc255d277045c85c675c49bd40N.exe	30
PID 1744 wrote to memory of 108	1744	5b4620cc255d277045c85c675c49bd40N.exe	30
PID 1744 wrote to memory of 108	1744	5b4620cc255d277045c85c675c49bd40N.exe	30
PID 1744 wrote to memory of 2916	1744	5b4620cc255d277045c85c675c49bd40N.exe	31
PID 1744 wrote to memory of 2916	1744	5b4620cc255d277045c85c675c49bd40N.exe	31
PID 1744 wrote to memory of 2916	1744	5b4620cc255d277045c85c675c49bd40N.exe	31
PID 1744 wrote to memory of 2916	1744	5b4620cc255d277045c85c675c49bd40N.exe	31
PID 1712 wrote to memory of 2416	1712	Unicorn-32474.exe	32
PID 1712 wrote to memory of 2416	1712	Unicorn-32474.exe	32
PID 1712 wrote to memory of 2416	1712	Unicorn-32474.exe	32
PID 1712 wrote to memory of 2416	1712	Unicorn-32474.exe	32
PID 2276 wrote to memory of 2576	2276	Unicorn-2219.exe	33
PID 2276 wrote to memory of 2576	2276	Unicorn-2219.exe	33
PID 2276 wrote to memory of 2576	2276	Unicorn-2219.exe	33
PID 2276 wrote to memory of 2576	2276	Unicorn-2219.exe	33
PID 108 wrote to memory of 2636	108	Unicorn-11539.exe	34
PID 108 wrote to memory of 2636	108	Unicorn-11539.exe	34
PID 108 wrote to memory of 2636	108	Unicorn-11539.exe	34
PID 108 wrote to memory of 2636	108	Unicorn-11539.exe	34
PID 2276 wrote to memory of 2688	2276	Unicorn-2219.exe	35
PID 2276 wrote to memory of 2688	2276	Unicorn-2219.exe	35
PID 2276 wrote to memory of 2688	2276	Unicorn-2219.exe	35
PID 2276 wrote to memory of 2688	2276	Unicorn-2219.exe	35
PID 1712 wrote to memory of 2660	1712	Unicorn-32474.exe	37
PID 1712 wrote to memory of 2660	1712	Unicorn-32474.exe	37
PID 1712 wrote to memory of 2660	1712	Unicorn-32474.exe	37
PID 1712 wrote to memory of 2660	1712	Unicorn-32474.exe	37
PID 2416 wrote to memory of 2772	2416	Unicorn-54259.exe	36
PID 2416 wrote to memory of 2772	2416	Unicorn-54259.exe	36
PID 2416 wrote to memory of 2772	2416	Unicorn-54259.exe	36
PID 2416 wrote to memory of 2772	2416	Unicorn-54259.exe	36
PID 2576 wrote to memory of 2496	2576	Unicorn-2297.exe	38
PID 2576 wrote to memory of 2496	2576	Unicorn-2297.exe	38
PID 2576 wrote to memory of 2496	2576	Unicorn-2297.exe	38
PID 2576 wrote to memory of 2496	2576	Unicorn-2297.exe	38
PID 2636 wrote to memory of 2980	2636	Unicorn-22163.exe	40
PID 2636 wrote to memory of 2980	2636	Unicorn-22163.exe	40
PID 2636 wrote to memory of 2980	2636	Unicorn-22163.exe	40
PID 2636 wrote to memory of 2980	2636	Unicorn-22163.exe	40
PID 108 wrote to memory of 2976	108	Unicorn-11539.exe	39
PID 108 wrote to memory of 2976	108	Unicorn-11539.exe	39
PID 108 wrote to memory of 2976	108	Unicorn-11539.exe	39
PID 108 wrote to memory of 2976	108	Unicorn-11539.exe	39
PID 1712 wrote to memory of 2024	1712	Unicorn-32474.exe	41
PID 1712 wrote to memory of 2024	1712	Unicorn-32474.exe	41
PID 1712 wrote to memory of 2024	1712	Unicorn-32474.exe	41
PID 1712 wrote to memory of 2024	1712	Unicorn-32474.exe	41
PID 108 wrote to memory of 1984	108	Unicorn-11539.exe	42
PID 108 wrote to memory of 1984	108	Unicorn-11539.exe	42
PID 108 wrote to memory of 1984	108	Unicorn-11539.exe	42
PID 108 wrote to memory of 1984	108	Unicorn-11539.exe	42
PID 2660 wrote to memory of 1736	2660	Unicorn-3506.exe	43
PID 2660 wrote to memory of 1736	2660	Unicorn-3506.exe	43
PID 2660 wrote to memory of 1736	2660	Unicorn-3506.exe	43
PID 2660 wrote to memory of 1736	2660	Unicorn-3506.exe	43

C:\Users\Admin\AppData\Local\Temp\5b4620cc255d277045c85c675c49bd40N.exe
"C:\Users\Admin\AppData\Local\Temp\5b4620cc255d277045c85c675c49bd40N.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1744
- C:\Users\Admin\AppData\Local\Temp\Unicorn-2219.exe
  C:\Users\Admin\AppData\Local\Temp\Unicorn-2219.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2276
- - C:\Users\Admin\AppData\Local\Temp\Unicorn-32474.exe
    C:\Users\Admin\AppData\Local\Temp\Unicorn-32474.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:1712
  - - C:\Users\Admin\AppData\Local\Temp\Unicorn-54259.exe
      C:\Users\Admin\AppData\Local\Temp\Unicorn-54259.exe
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      System Location Discovery: System Language Discovery
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:2416
    - - C:\Users\Admin\AppData\Local\Temp\Unicorn-7035.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-7035.exe
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetWindowsHookEx
        
        PID:2772
      - C:\Users\Admin\AppData\Local\Temp\Unicorn-14884.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-14884.exe
        6⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2780
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-45331.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-45331.exe
        7⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2376
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-50780.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-50780.exe
        8⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2676
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-3468.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-3468.exe
        9⤵
        Executes dropped EXE
        
        PID:1012
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-3448.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-3448.exe
        10⤵
        System Location Discovery: System Language Discovery
        
        PID:3392
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-65079.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-65079.exe
        11⤵
        System Location Discovery: System Language Discovery
        
        PID:4568
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3392 -s 236
        11⤵
        
        PID:5568
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1012 -s 236
        10⤵
        
        PID:3892
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2676 -s 236
        9⤵
        Program crash
        
        PID:2592
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-64215.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-64215.exe
        8⤵
        System Location Discovery: System Language Discovery
        
        PID:908
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-10547.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-10547.exe
        9⤵
        
        PID:3504
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-65079.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-65079.exe
        10⤵
        System Location Discovery: System Language Discovery
        
        PID:4452
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3504 -s 216
        10⤵
        
        PID:5664
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 908 -s 216
        9⤵
        
        PID:4028
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2376 -s 240
        8⤵
        Program crash
        
        PID:3208
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-39658.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-39658.exe
        7⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2680
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-10567.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-10567.exe
        8⤵
        
        PID:2240
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-10547.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-10547.exe
        9⤵
        
        PID:3472
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-65079.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-65079.exe
        10⤵
        
        PID:4396
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3472 -s 216
        10⤵
        
        PID:5712
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2240 -s 216
        9⤵
        
        PID:4012
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2680 -s 236
        8⤵
        Program crash
        
        PID:3180
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2780 -s 240
        7⤵
        Program crash
        
        PID:1996
      - C:\Users\Admin\AppData\Local\Temp\Unicorn-33441.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-33441.exe
        6⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2668
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-59332.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-59332.exe
        7⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1752
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-11527.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-11527.exe
        8⤵
        
        PID:564
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-65521.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-65521.exe
        9⤵
        System Location Discovery: System Language Discovery
        
        PID:4032
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-42303.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-42303.exe
        10⤵
        
        PID:2320
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4032 -s 216
        10⤵
        
        PID:5704
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 564 -s 236
        9⤵
        
        PID:4296
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1752 -s 236
        8⤵
        Program crash
        
        PID:1528
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-40286.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-40286.exe
        7⤵
        
        PID:872
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-30532.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-30532.exe
        8⤵
        
        PID:3704
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-65079.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-65079.exe
        9⤵
        System Location Discovery: System Language Discovery
        
        PID:4776
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3704 -s 236
        9⤵
        
        PID:5608
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 872 -s 216
        8⤵
        
        PID:4072
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2668 -s 240
        7⤵
        Program crash
        
        PID:3612
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2772 -s 240
        6⤵
        Program crash
        
        PID:2336
    - - C:\Users\Admin\AppData\Local\Temp\Unicorn-2419.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-2419.exe
        5⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2776
      - C:\Users\Admin\AppData\Local\Temp\Unicorn-12274.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-12274.exe
        6⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1928
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-18492.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-18492.exe
        7⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2608
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-43925.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-43925.exe
        8⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2556
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-10547.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-10547.exe
        9⤵
        System Location Discovery: System Language Discovery
        
        PID:3464
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-65079.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-65079.exe
        10⤵
        
        PID:4516
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3464 -s 216
        10⤵
        
        PID:5640
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2556 -s 216
        9⤵
        
        PID:3956
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2608 -s 236
        8⤵
        Program crash
        
        PID:3144
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-57308.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-57308.exe
        7⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2388
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-3448.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-3448.exe
        8⤵
        
        PID:3400
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-65079.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-65079.exe
        9⤵
        System Location Discovery: System Language Discovery
        
        PID:4604
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3400 -s 236
        9⤵
        
        PID:5616
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2388 -s 216
        8⤵
        
        PID:3868
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1928 -s 240
        7⤵
        Program crash
        
        PID:2868
      - C:\Users\Admin\AppData\Local\Temp\Unicorn-22938.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-22938.exe
        6⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1720
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-18051.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-18051.exe
        7⤵
        System Location Discovery: System Language Discovery
        
        PID:2448
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-42102.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-42102.exe
        8⤵
        System Location Discovery: System Language Discovery
        
        PID:3376
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-23907.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-23907.exe
        9⤵
        
        PID:5316
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3376 -s 236
        9⤵
        
        PID:5892
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2448 -s 216
        8⤵
        
        PID:4444
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1720 -s 236
        7⤵
        Program crash
        
        PID:3536
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2776 -s 240
        6⤵
        Program crash
        
        PID:2344
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2416 -s 240
        5⤵
        Loads dropped DLL
        Program crash
        
        PID:2468
  - - C:\Users\Admin\AppData\Local\Temp\Unicorn-3506.exe
      C:\Users\Admin\AppData\Local\Temp\Unicorn-3506.exe
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:2660
    - - C:\Users\Admin\AppData\Local\Temp\Unicorn-47941.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-47941.exe
        5⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:1736
      - C:\Users\Admin\AppData\Local\Temp\Unicorn-46291.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-46291.exe
        6⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1288
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-20137.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-20137.exe
        7⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2900
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-24818.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-24818.exe
        8⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2160
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-57101.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-57101.exe
        9⤵
        
        PID:2424
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-65079.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-65079.exe
        10⤵
        System Location Discovery: System Language Discovery
        
        PID:4768
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2424 -s 236
        10⤵
        
        PID:5656
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2160 -s 236
        9⤵
        Program crash
        
        PID:3452
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2900 -s 236
        8⤵
        Program crash
        
        PID:2992
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-12928.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-12928.exe
        7⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2220
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-15378.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-15378.exe
        8⤵
        System Location Discovery: System Language Discovery
        
        PID:3360
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-65079.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-65079.exe
        9⤵
        
        PID:4588
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3360 -s 216
        9⤵
        
        PID:5632
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2220 -s 216
        8⤵
        Program crash
        
        PID:3688
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1288 -s 240
        7⤵
        Program crash
        
        PID:1504
      - C:\Users\Admin\AppData\Local\Temp\Unicorn-56680.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-56680.exe
        6⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2728
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-9607.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-9607.exe
        7⤵
        System Location Discovery: System Language Discovery
        
        PID:2808
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-18020.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-18020.exe
        8⤵
        
        PID:1816
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-39570.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-39570.exe
        9⤵
        
        PID:4608
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-53791.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-53791.exe
        10⤵
        
        PID:5820
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1816 -s 216
        9⤵
        
        PID:4792
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2808 -s 236
        8⤵
        Program crash
        
        PID:3780
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-63691.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-63691.exe
        7⤵
        
        PID:1144
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-16218.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-16218.exe
        8⤵
        System Location Discovery: System Language Discovery
        
        PID:4552
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-12125.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-12125.exe
        9⤵
        
        PID:5780
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1144 -s 216
        8⤵
        
        PID:5116
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2728 -s 240
        7⤵
        Program crash
        
        PID:3772
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1736 -s 240
        6⤵
        Program crash
        
        PID:1784
    - - C:\Users\Admin\AppData\Local\Temp\Unicorn-18065.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-18065.exe
        5⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1440
      - C:\Users\Admin\AppData\Local\Temp\Unicorn-26276.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-26276.exe
        6⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2716
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-25010.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-25010.exe
        7⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1436
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-55591.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-55591.exe
        8⤵
        
        PID:2308
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-54557.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-54557.exe
        9⤵
        
        PID:4696
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-40357.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-40357.exe
        10⤵
        System Location Discovery: System Language Discovery
        
        PID:2100
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4696 -s 236
        10⤵
        
        PID:5728
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2308 -s 236
        9⤵
        
        PID:4388
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1436 -s 236
        8⤵
        Program crash
        
        PID:3860
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2716 -s 236
        7⤵
        Program crash
        
        PID:844
      - C:\Users\Admin\AppData\Local\Temp\Unicorn-56265.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-56265.exe
        6⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1704
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-29328.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-29328.exe
        7⤵
        System Location Discovery: System Language Discovery
        
        PID:3120
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-65079.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-65079.exe
        8⤵
        
        PID:4408
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3120 -s 236
        8⤵
        
        PID:5584
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1704 -s 236
        7⤵
        Program crash
        
        PID:3808
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1440 -s 240
        6⤵
        Program crash
        
        PID:2084
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2660 -s 240
        5⤵
        Program crash
        
        PID:2860
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 1712 -s 240
      4⤵
      Loads dropped DLL
      Program crash
      PID:2024
- - C:\Users\Admin\AppData\Local\Temp\Unicorn-2297.exe
    C:\Users\Admin\AppData\Local\Temp\Unicorn-2297.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:2576
  - - C:\Users\Admin\AppData\Local\Temp\Unicorn-23372.exe
      C:\Users\Admin\AppData\Local\Temp\Unicorn-23372.exe
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Suspicious use of SetWindowsHookEx
      PID:2496
    - - C:\Users\Admin\AppData\Local\Temp\Unicorn-63125.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-63125.exe
        5⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2952
      - C:\Users\Admin\AppData\Local\Temp\Unicorn-30230.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-30230.exe
        6⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2020
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-19535.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-19535.exe
        7⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2788
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-25721.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-25721.exe
        8⤵
        System Location Discovery: System Language Discovery
        
        PID:1392
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-48890.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-48890.exe
        9⤵
        System Location Discovery: System Language Discovery
        
        PID:4580
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4580 -s 240
        10⤵
        
        PID:5412
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1392 -s 216
        9⤵
        
        PID:5108
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2788 -s 236
        8⤵
        Program crash
        
        PID:3620
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2020 -s 236
        7⤵
        Program crash
        
        PID:1960
      - C:\Users\Admin\AppData\Local\Temp\Unicorn-65123.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-65123.exe
        6⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:352
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-51984.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-51984.exe
        7⤵
        System Location Discovery: System Language Discovery
        
        PID:1592
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-39959.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-39959.exe
        8⤵
        System Location Discovery: System Language Discovery
        
        PID:3700
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-63979.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-63979.exe
        9⤵
        
        PID:5420
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3700 -s 236
        9⤵
        
        PID:5936
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1592 -s 236
        8⤵
        
        PID:4648
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 352 -s 236
        7⤵
        Program crash
        
        PID:3576
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2952 -s 240
        6⤵
        Program crash
        
        PID:2172
    - - C:\Users\Admin\AppData\Local\Temp\Unicorn-10172.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-10172.exe
        5⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2404
      - C:\Users\Admin\AppData\Local\Temp\Unicorn-18959.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-18959.exe
        6⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2988
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-25560.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-25560.exe
        7⤵
        
        PID:2984
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-10547.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-10547.exe
        8⤵
        System Location Discovery: System Language Discovery
        
        PID:3496
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-65079.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-65079.exe
        9⤵
        
        PID:4704
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3496 -s 216
        9⤵
        
        PID:5688
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2984 -s 216
        8⤵
        
        PID:3992
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2988 -s 236
        7⤵
        Program crash
        
        PID:3172
      - C:\Users\Admin\AppData\Local\Temp\Unicorn-63447.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-63447.exe
        6⤵
        
        PID:1560
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-3448.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-3448.exe
        7⤵
        System Location Discovery: System Language Discovery
        
        PID:3408
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-65079.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-65079.exe
        8⤵
        
        PID:4560
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3408 -s 216
        8⤵
        
        PID:5696
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1560 -s 236
        7⤵
        
        PID:3876
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2404 -s 240
        6⤵
        Program crash
        
        PID:1780
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2496 -s 240
        5⤵
        Program crash
        
        PID:2708
  - - C:\Users\Admin\AppData\Local\Temp\Unicorn-10395.exe
      C:\Users\Admin\AppData\Local\Temp\Unicorn-10395.exe
      4⤵
      Executes dropped EXE
      Suspicious use of SetWindowsHookEx
      PID:2116
    - - C:\Users\Admin\AppData\Local\Temp\Unicorn-11781.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-11781.exe
        5⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2312
      - C:\Users\Admin\AppData\Local\Temp\Unicorn-19452.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-19452.exe
        6⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:1280
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-33920.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-33920.exe
        7⤵
        System Location Discovery: System Language Discovery
        
        PID:2760
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-13074.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-13074.exe
        8⤵
        
        PID:3264
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-65079.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-65079.exe
        9⤵
        
        PID:4496
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3264 -s 236
        9⤵
        
        PID:5576
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2760 -s 236
        8⤵
        Program crash
        
        PID:3796
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1280 -s 236
        7⤵
        Program crash
        
        PID:2384
      - C:\Users\Admin\AppData\Local\Temp\Unicorn-55279.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-55279.exe
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:2960
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-10547.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-10547.exe
        7⤵
        
        PID:3488
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-65079.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-65079.exe
        8⤵
        System Location Discovery: System Language Discovery
        
        PID:4564
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3488 -s 236
        8⤵
        
        PID:5592
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2960 -s 216
        7⤵
        
        PID:3900
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2312 -s 240
        6⤵
        Program crash
        
        PID:3304
    - - C:\Users\Admin\AppData\Local\Temp\Unicorn-64630.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-64630.exe
        5⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2588
      - C:\Users\Admin\AppData\Local\Temp\Unicorn-16235.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-16235.exe
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:2492
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-48947.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-48947.exe
        7⤵
        
        PID:4372
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-41344.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-41344.exe
        8⤵
        System Location Discovery: System Language Discovery
        
        PID:5212
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4372 -s 236
        8⤵
        
        PID:5736
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2492 -s 216
        7⤵
        
        PID:4948
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2588 -s 236
        6⤵
        Program crash
        
        PID:3544
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2116 -s 240
        5⤵
        Program crash
        
        PID:2036
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 2576 -s 240
      4⤵
      Program crash
      PID:612
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2276 -s 240
    3⤵
    - Loads dropped DLL
    - Program crash
    PID:2688
- C:\Users\Admin\AppData\Local\Temp\Unicorn-11539.exe
  C:\Users\Admin\AppData\Local\Temp\Unicorn-11539.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:108
- - C:\Users\Admin\AppData\Local\Temp\Unicorn-22163.exe
    C:\Users\Admin\AppData\Local\Temp\Unicorn-22163.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:2636
  - - C:\Users\Admin\AppData\Local\Temp\Unicorn-13099.exe
      C:\Users\Admin\AppData\Local\Temp\Unicorn-13099.exe
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      System Location Discovery: System Language Discovery
      Suspicious use of SetWindowsHookEx
      PID:2980
    - - C:\Users\Admin\AppData\Local\Temp\Unicorn-30261.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-30261.exe
        5⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2204
      - C:\Users\Admin\AppData\Local\Temp\Unicorn-62051.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-62051.exe
        6⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2176
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-19452.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-19452.exe
        7⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:1824
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-40438.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-40438.exe
        8⤵
        
        PID:2996
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-7473.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-7473.exe
        9⤵
        
        PID:4524
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-18853.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-18853.exe
        10⤵
        
        PID:5504
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4524 -s 236
        10⤵
        
        PID:5268
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2996 -s 216
        9⤵
        
        PID:5092
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1824 -s 216
        8⤵
        Program crash
        
        PID:3628
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2176 -s 236
        7⤵
        Program crash
        
        PID:980
      - C:\Users\Admin\AppData\Local\Temp\Unicorn-31765.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-31765.exe
        6⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2944
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-65435.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-65435.exe
        7⤵
        System Location Discovery: System Language Discovery
        
        PID:2644
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-42102.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-42102.exe
        8⤵
        
        PID:3356
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-65079.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-65079.exe
        9⤵
        
        PID:4668
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3356 -s 236
        9⤵
        
        PID:5624
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2644 -s 216
        8⤵
        
        PID:4436
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2944 -s 216
        7⤵
        Program crash
        
        PID:3564
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2204 -s 240
        6⤵
        Program crash
        
        PID:2408
    - - C:\Users\Admin\AppData\Local\Temp\Unicorn-57453.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-57453.exe
        5⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:960
      - C:\Users\Admin\AppData\Local\Temp\Unicorn-53084.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-53084.exe
        6⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1692
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-42581.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-42581.exe
        7⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1912
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-3448.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-3448.exe
        8⤵
        
        PID:3436
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-65079.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-65079.exe
        9⤵
        System Location Discovery: System Language Discovery
        
        PID:4592
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3436 -s 236
        9⤵
        
        PID:5648
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1912 -s 236
        8⤵
        
        PID:3884
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1692 -s 236
        7⤵
        Program crash
        
        PID:1588
      - C:\Users\Admin\AppData\Local\Temp\Unicorn-29923.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-29923.exe
        6⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2724
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-5046.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-5046.exe
        7⤵
        
        PID:1652
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-10547.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-10547.exe
        8⤵
        System Location Discovery: System Language Discovery
        
        PID:3480
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-65079.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-65079.exe
        9⤵
        
        PID:4708
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3480 -s 216
        9⤵
        
        PID:5560
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1652 -s 236
        8⤵
        
        PID:4048
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2724 -s 236
        7⤵
        Program crash
        
        PID:3528
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 960 -s 240
        6⤵
        Program crash
        
        PID:2508
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2980 -s 240
        5⤵
        Program crash
        
        PID:2876
  - - C:\Users\Admin\AppData\Local\Temp\Unicorn-18563.exe
      C:\Users\Admin\AppData\Local\Temp\Unicorn-18563.exe
      4⤵
      Executes dropped EXE
      Suspicious use of SetWindowsHookEx
      PID:1764
    - - C:\Users\Admin\AppData\Local\Temp\Unicorn-30230.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-30230.exe
        5⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1612
      - C:\Users\Admin\AppData\Local\Temp\Unicorn-19535.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-19535.exe
        6⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:1808
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-56966.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-56966.exe
        7⤵
        System Location Discovery: System Language Discovery
        
        PID:1864
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-16389.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-16389.exe
        8⤵
        
        PID:4132
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-65079.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-65079.exe
        9⤵
        
        PID:4684
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4132 -s 216
        9⤵
        
        PID:5600
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1864 -s 216
        8⤵
        
        PID:4752
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1808 -s 236
        7⤵
        Program crash
        
        PID:3636
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1612 -s 216
        6⤵
        Program crash
        
        PID:572
    - - C:\Users\Admin\AppData\Local\Temp\Unicorn-65123.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-65123.exe
        5⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:1252
      - C:\Users\Admin\AppData\Local\Temp\Unicorn-33230.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-33230.exe
        6⤵
        
        PID:1604
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-3448.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-3448.exe
        7⤵
        System Location Discovery: System Language Discovery
        
        PID:3416
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-65079.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-65079.exe
        8⤵
        System Location Discovery: System Language Discovery
        
        PID:4656
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3416 -s 236
        8⤵
        
        PID:5672
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1604 -s 216
        7⤵
        Program crash
        
        PID:3728
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1252 -s 236
        6⤵
        Program crash
        
        PID:2768
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1764 -s 220
        5⤵
        Program crash
        
        PID:628
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 2636 -s 240
      4⤵
      Program crash
      PID:308
- - C:\Users\Admin\AppData\Local\Temp\Unicorn-58771.exe
    C:\Users\Admin\AppData\Local\Temp\Unicorn-58771.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    PID:2976
  - - C:\Users\Admin\AppData\Local\Temp\Unicorn-38621.exe
      C:\Users\Admin\AppData\Local\Temp\Unicorn-38621.exe
      4⤵
      Executes dropped EXE
      Suspicious use of SetWindowsHookEx
      PID:2784
    - - C:\Users\Admin\AppData\Local\Temp\Unicorn-3421.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-3421.exe
        5⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2004
      - C:\Users\Admin\AppData\Local\Temp\Unicorn-18767.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-18767.exe
        6⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:904
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-11527.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-11527.exe
        7⤵
        System Location Discovery: System Language Discovery
        
        PID:1476
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-10547.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-10547.exe
        8⤵
        
        PID:3456
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-65079.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-65079.exe
        9⤵
        System Location Discovery: System Language Discovery
        
        PID:4540
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3456 -s 216
        9⤵
        
        PID:5920
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1476 -s 236
        8⤵
        Program crash
        
        PID:3848
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 904 -s 236
        7⤵
        Program crash
        
        PID:3252
      - C:\Users\Admin\AppData\Local\Temp\Unicorn-49415.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-49415.exe
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:2888
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-3448.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-3448.exe
        7⤵
        
        PID:3424
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-65079.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-65079.exe
        8⤵
        
        PID:4532
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3424 -s 216
        8⤵
        
        PID:5720
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2888 -s 216
        7⤵
        
        PID:4060
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2004 -s 240
        6⤵
        Program crash
        
        PID:3004
    - - C:\Users\Admin\AppData\Local\Temp\Unicorn-41853.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-41853.exe
        5⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1260
      - C:\Users\Admin\AppData\Local\Temp\Unicorn-63567.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-63567.exe
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:3024
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-5823.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-5823.exe
        7⤵
        
        PID:4828
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3024 -s 236
        7⤵
        
        PID:1484
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1260 -s 236
        6⤵
        Program crash
        
        PID:3928
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2784 -s 240
        5⤵
        Program crash
        
        PID:2612
  - - C:\Users\Admin\AppData\Local\Temp\Unicorn-10364.exe
      C:\Users\Admin\AppData\Local\Temp\Unicorn-10364.exe
      4⤵
      Executes dropped EXE
      Suspicious use of SetWindowsHookEx
      PID:2228
    - - C:\Users\Admin\AppData\Local\Temp\Unicorn-45300.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-45300.exe
        5⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1656
      - C:\Users\Admin\AppData\Local\Temp\Unicorn-49789.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-49789.exe
        6⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2148
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-15378.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-15378.exe
        7⤵
        System Location Discovery: System Language Discovery
        
        PID:3348
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-65079.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-65079.exe
        8⤵
        System Location Discovery: System Language Discovery
        
        PID:4392
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3348 -s 216
        8⤵
        
        PID:5908
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2148 -s 216
        7⤵
        Program crash
        
        PID:3676
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1656 -s 236
        6⤵
        Program crash
        
        PID:2132
    - - C:\Users\Admin\AppData\Local\Temp\Unicorn-22139.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-22139.exe
        5⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2168
      - C:\Users\Admin\AppData\Local\Temp\Unicorn-24488.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-24488.exe
        6⤵
        
        PID:4020
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-65079.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-65079.exe
        7⤵
        System Location Discovery: System Language Discovery
        
        PID:4632
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4020 -s 216
        7⤵
        
        PID:5680
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2168 -s 216
        6⤵
        
        PID:4288
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2228 -s 240
        5⤵
        Program crash
        
        PID:3084
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 2976 -s 240
      4⤵
      Program crash
      PID:2872
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 108 -s 240
    3⤵
    - Loads dropped DLL
    - Program crash
    PID:1984
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 1744 -s 240
  2⤵
  - Program crash
  PID:2916

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\Unicorn-11539.exe

Filesize
468KB

MD5
b6d724e1ba5ead09073d047cdef11763

SHA1
170bcc7caaf6292876510a612fd77cb854d9687c

SHA256
1dd00755c3190a7fbaa55ab65424c8c8fafc5cc31b96e9cdd038b801f9910f26

SHA512
5107e2fe4ba1530bb7b91e8a6f2d90d8b86a78c883fdd17cbff377461b57a9bfc648d8629e025f07ff495ddf848370879f9d869ff4212d6bf9f1eaa9816280c6

Download Submit
C:\Users\Admin\AppData\Local\Temp\Unicorn-3506.exe

Filesize
468KB

MD5
47fdce27f278aa36b2f35ec92bb39633

SHA1
f6858308f85b48c5ef1fafe8175ba89611758114

SHA256
6a1f0365f62cb65f9aefbe27363f7e435b4b0f92e0ca6bb503748d9e6678e14f

SHA512
4415d3af408758776c09a9591c45f9e8686c08820d85c540b799db84c59a456949d9c24e8dadbfb3174ec7ae556e6bc796e64d2041a341429e54bd4de322354f

Download Submit
C:\Users\Admin\AppData\Local\Temp\Unicorn-39658.exe

Filesize
468KB

MD5
e55daa4df48e9cb839eccb9100dd8e0c

SHA1
efa1c3d2597f3eb371ba6cbf0fc12f69169abf4a

SHA256
fe43fc7de5a7fb3eb5b09f448de1b4d88f8bc42cc3dc06f77d411e73f02b3262

SHA512
de6085f50805e33960755b3f495113635901b37969baf5bbfcb4f8d6b8d41bc06955ed14bcaac3ef31811d0fac4867144a90269f3a478b5e315f49b05ba5a014

Download Submit
C:\Users\Admin\AppData\Local\Temp\Unicorn-47941.exe

Filesize
468KB

MD5
60d71279247b6dd2bc1dc6077434f327

SHA1
668787afcbcef0c1afe83532f9f95619bb06f3b8

SHA256
9a64b5925e3a5e8231b6d955d3d3c55adfe552dfef2fee431381f1aa8f279f2f

SHA512
8588443dae3bbf73cf53f2d8a448692a8b0945124f26939391b0d1383a7aa6be6d0a6754a8037eb9c1e402d212680de0cfb2eff794f5b6f25ac0a07309802ba9

Download Submit
C:\Users\Admin\AppData\Local\Temp\Unicorn-54259.exe

Filesize
468KB

MD5
61881b2486277347e416a1a4ec8f7f67

SHA1
7d97e1236aa3e5b998058c8fdbf5bc30f595b85a

SHA256
2761074a072d7ce7f71bbedc2b17812f1f982db42c66195dae03a01bb004b3e4

SHA512
0bed098c6507f281bde69d94253a9c5cf4483ad20c382f1107db9fd3c00e81a7df680c83ad325609935e5e461c1f5a3adb72f742bcb18cd2fa2e03bf35e700df

Download Submit
C:\Users\Admin\AppData\Local\Temp\Unicorn-5823.exe

Filesize
468KB

MD5
27dc0c7b542be3b829493fb516dbe952

SHA1
ef375bd1adee5973ae74decabf83c90fe2b34b8b

SHA256
762996b383c3e27ed6e6ce60757f103a5053e09bcbd7f7fd4c6d4819a40ecf95

SHA512
ab7e9dbf885d2138e3a3baf3ff6aec4d52ae5257c56dd3b31c8dbe66de1c65ad344c9b5e060f2f17d8b5cac9a3ba5816fc2a627cd0141e2c809019d6d77e309f

Download Submit
\Users\Admin\AppData\Local\Temp\Unicorn-13099.exe

Filesize
468KB

MD5
ac31b97be40ead29a4cec81973819b1b

SHA1
50409ec91b3792ae07516770b3f771727038f1a7

SHA256
7906459eefc8834a87a089d57c1fe5ce161405ebc23d69e353fd1857a2bc2cae

SHA512
4f3703d571cf5c83ce1209718a712b83751c34b4acf71155265a5e32fc820330ca21163c55fe7d36a99f88265ae33ddac6123a38894b6ea283b8ece73f770999

Download Submit
\Users\Admin\AppData\Local\Temp\Unicorn-22163.exe

Filesize
468KB

MD5
8a7140d416c3a1f096d3168ceec481a6

SHA1
2fe263f17eedf6a37e755f0a26ddfa3a70a5553a

SHA256
e15ef56e31ec8832570767cf77b3523243229d652751d03ac8265e869955e33c

SHA512
ea1f81652a40d5435f93e3ddd4df023f7a8948e9451c5716e94763b2f4852409d8a3a8058368ab38c60c4fef58592e0a47a75b6e9bd341a518654d67c066e2b1

Download Submit
\Users\Admin\AppData\Local\Temp\Unicorn-2219.exe

Filesize
468KB

MD5
380f2997ae9ddf880e9184a218ea660d

SHA1
5a071b79adddd397238b929eefc3a9a8a3b61b55

SHA256
bc0c05786e92c1ac63488974e913e0d7fa7efc1298109a625ef87f85f12ee6cd

SHA512
832d1fea4880f7ee86978a63951124f05aefda541dfa3cfafeeee3025dccfe8f767de634ceee9f99247367b1d48470e88095bdd2d06b3566acd3671b5d2e0005

Download Submit
\Users\Admin\AppData\Local\Temp\Unicorn-2297.exe

Filesize
468KB

MD5
b6b022bbb1156a4999033e74ff886d80

SHA1
98e84558d5fa0e4e3ab9601743a969c8bacbd012

SHA256
e71e504f77f879720f50e405f82013ceee6ac7fc903ed8d4b95fd713ab202019

SHA512
bf567b893da1a8e028005aae1dfbcc7471ded54d1309da5ef34f18c8f6295230a391d68f64ff7a430282b65e35ae35fca5b4ab7eb74ca46dc592388f481ffbae

Download Submit
\Users\Admin\AppData\Local\Temp\Unicorn-23372.exe

Filesize
468KB

MD5
ac5b12ea12d55d95c55ace6a3a9751e2

SHA1
594dfce9d663fad6c5071fe679b4cb2f8ebd5eba

SHA256
1e03fa44367ce077e60478ba4daf1ad366e5f378dc84e536b7b9aa0a8548e1cd

SHA512
e7cd4b48312adc2ace702313d5d9bb716f1a8a64e2395f851c47f4da77e86967ee6e3a724098516028cc5a48059fc4187592c3e7661115546d05ec08b7216e6f

Download Submit
\Users\Admin\AppData\Local\Temp\Unicorn-32474.exe

Filesize
468KB

MD5
bab3950d2ecf0c5a8d1128eed5585e94

SHA1
d686cee8c6097cc951ff57f4ce9356a33b450e09

SHA256
9200ee65acbe2380cb0ad4cad0fb06b38548cedcc6411513b77e763b65ba3a27

SHA512
fa715d670cfdadd7ebe82db156933af225cf0d19f59404be1f941f54a805ecd6d7c2573f2d8b796a2fc9cca22285a025786407b6ae3324266a0333c929bda389

Download Submit
\Users\Admin\AppData\Local\Temp\Unicorn-58771.exe

Filesize
468KB

MD5
1ca26a27ac60bb92c4f97295f622015e

SHA1
23e3440319b4791a3dff61d03e74f40b762c8dac

SHA256
f769e1eb072df9b925b7b673631ee2ce9e8a4f90ddd86e17e80721858df64979

SHA512
8525349dd8a3fdd04c989d529b013e9c5803fbb0b536caeada150aa3f12bcd48362d3791ea432a02ebbf4126ecb8b8fffd9ebf8bf9a929eb399b0e2d3cc93565

Download Submit
\Users\Admin\AppData\Local\Temp\Unicorn-7035.exe

Filesize
468KB

MD5
cd0f16a455280d5ee5753dccc5f11102

SHA1
f9c7d310212f8b6ce9b327704a6bb6ce3c353d95

SHA256
175e398583f6f0e4108954872a9e8f076f8977418cb64f69b45ec879fff55a22

SHA512
280b8d125a1bc4c5d6f68a8fcf8863b0ba855ec92e8712d32a6c25ab7ef6ebbea6568c0b7ed026ace71eab5bc2b01f06a4c21e35ef07658cf9e32f06f4bbbee7

Download Submit