7f8c32c7d6e2e9ca90d3b3b89dd956011a0c6bf4d26e5b91c2bfe3f15c772283

Analysis

max time kernel
120s
max time network
119s
platform
windows7_x64
resource
win7-20240729-en
resource tags

arch:x64arch:x86image:win7-20240729-enlocale:en-usos:windows7-x64system
submitted
14/09/2024, 10:34

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

d0615af34108fbd9fe82a3a382497680N.exe
Size

468KB
MD5

d0615af34108fbd9fe82a3a382497680
SHA1

b470478ce3505a53a09e02790183db96c23acec6
SHA256

7f8c32c7d6e2e9ca90d3b3b89dd956011a0c6bf4d26e5b91c2bfe3f15c772283
SHA512

3fb6d282ec499f152ee0446c0f72d4aee40bbabc058a8b57ca32ad91581e265f2152986ae6ff2a0b16463b1bad216db2b2b059ae1dba1991d69905fcda29b4d3
SSDEEP

3072:sbuDorldI03YtbY2PzcTffP/ECXZ4umpnsHCOVhAkaoaNS/7tRlE:sbyoQOYtBP4Tff8hV/kajo/7t

Score

7^/10

discovery

Malware Config

Signatures

Executes dropped EXE 64 IoCs

pid	Process
2756	Unicorn-50613.exe
2684	Unicorn-48319.exe
2792	Unicorn-38527.exe
2548	Unicorn-19150.exe
844	Unicorn-47738.exe
1408	Unicorn-27872.exe
1692	Unicorn-57105.exe
676	Unicorn-20157.exe
1152	Unicorn-20903.exe
2328	Unicorn-34499.exe
2840	Unicorn-54365.exe
2112	Unicorn-47432.exe
2200	Unicorn-15122.exe
1208	Unicorn-29835.exe
2968	Unicorn-46918.exe
1328	Unicorn-9414.exe
1828	Unicorn-62507.exe
1656	Unicorn-14053.exe
876	Unicorn-46171.exe
1972	Unicorn-51838.exe
2892	Unicorn-19528.exe
3024	Unicorn-2445.exe
3052	Unicorn-39202.exe
2492	Unicorn-43841.exe
2400	Unicorn-30842.exe
1676	Unicorn-26758.exe
1076	Unicorn-14505.exe
2320	Unicorn-2808.exe
2408	Unicorn-22674.exe
2788	Unicorn-31396.exe
2784	Unicorn-51262.exe
2580	Unicorn-55901.exe
2552	Unicorn-24293.exe
1508	Unicorn-49544.exe
2672	Unicorn-32461.exe
1756	Unicorn-15933.exe
1752	Unicorn-41183.exe
2252	Unicorn-48605.exe
1172	Unicorn-20571.exe
1952	Unicorn-15741.exe
1484	Unicorn-48413.exe
2024	Unicorn-16295.exe
2248	Unicorn-45673.exe
2196	Unicorn-12808.exe
2276	Unicorn-49565.exe
2104	Unicorn-49565.exe
1628	Unicorn-53135.exe
2348	Unicorn-53135.exe
692	Unicorn-20785.exe
1372	Unicorn-15632.exe
900	Unicorn-15632.exe
960	Unicorn-61303.exe
1608	Unicorn-32522.exe
292	Unicorn-54308.exe
2512	Unicorn-831.exe
1760	Unicorn-5662.exe
2712	Unicorn-49648.exe
2972	Unicorn-58646.exe
2616	Unicorn-12974.exe
3068	Unicorn-12974.exe
2568	Unicorn-38033.exe
1892	Unicorn-58454.exe
1492	Unicorn-4422.exe
2396	Unicorn-41179.exe

Loads dropped DLL 64 IoCs

pid	Process
2660	d0615af34108fbd9fe82a3a382497680N.exe
2660	d0615af34108fbd9fe82a3a382497680N.exe
2756	Unicorn-50613.exe
2660	d0615af34108fbd9fe82a3a382497680N.exe
2660	d0615af34108fbd9fe82a3a382497680N.exe
2756	Unicorn-50613.exe
2792	Unicorn-38527.exe
2792	Unicorn-38527.exe
2684	Unicorn-48319.exe
2684	Unicorn-48319.exe
2756	Unicorn-50613.exe
2756	Unicorn-50613.exe
2992	WerFault.exe
2992	WerFault.exe
2992	WerFault.exe
2992	WerFault.exe
2992	WerFault.exe
2992	WerFault.exe
2992	WerFault.exe
844	Unicorn-47738.exe
844	Unicorn-47738.exe
2548	Unicorn-19150.exe
2548	Unicorn-19150.exe
2684	Unicorn-48319.exe
2684	Unicorn-48319.exe
2792	Unicorn-38527.exe
1408	Unicorn-27872.exe
1408	Unicorn-27872.exe
2792	Unicorn-38527.exe
1680	WerFault.exe
1680	WerFault.exe
1680	WerFault.exe
1680	WerFault.exe
1680	WerFault.exe
1680	WerFault.exe
480	WerFault.exe
480	WerFault.exe
480	WerFault.exe
480	WerFault.exe
480	WerFault.exe
480	WerFault.exe
1680	WerFault.exe
480	WerFault.exe
676	Unicorn-20157.exe
676	Unicorn-20157.exe
2548	Unicorn-19150.exe
2548	Unicorn-19150.exe
1692	Unicorn-57105.exe
1692	Unicorn-57105.exe
844	Unicorn-47738.exe
844	Unicorn-47738.exe
2328	Unicorn-34499.exe
2328	Unicorn-34499.exe
2840	Unicorn-54365.exe
2840	Unicorn-54365.exe
1408	Unicorn-27872.exe
1408	Unicorn-27872.exe
1152	Unicorn-20903.exe
1152	Unicorn-20903.exe
2432	WerFault.exe
2432	WerFault.exe
2432	WerFault.exe
2432	WerFault.exe
2432	WerFault.exe

Program crash 64 IoCs

pid	pid_target	Process	procid_target
2116	2660	WerFault.exe	29
2992	2756	WerFault.exe	30
1680	2792	WerFault.exe	31
480	2684	WerFault.exe	32
2432	844	WerFault.exe	35
1556	2548	WerFault.exe	34
1996	1408	WerFault.exe	36
2064	676	WerFault.exe	39
2924	1692	WerFault.exe	38
1100	2328	WerFault.exe	41
3004	2840	WerFault.exe	42
1212	1152	WerFault.exe	40
2316	2112	WerFault.exe	45
2464	2200	WerFault.exe	46
1080	2968	WerFault.exe	48
1512	1328	WerFault.exe	49
880	1656	WerFault.exe	51
1516	1208	WerFault.exe	47
2692	1828	WerFault.exe	50
840	876	WerFault.exe	52
988	2892	WerFault.exe	57
2668	3052	WerFault.exe	59
1748	2788	WerFault.exe	66
2652	1076	WerFault.exe	62
1500	2408	WerFault.exe	64
2648	1972	WerFault.exe	56
596	2580	WerFault.exe	68
556	2400	WerFault.exe	61
2780	1756	WerFault.exe	75
588	1372	WerFault.exe	91
2140	2552	WerFault.exe	70
1256	960	WerFault.exe	93
2216	2320	WerFault.exe	65
2680	2248	WerFault.exe	84
2372	1484	WerFault.exe	82
2144	1508	WerFault.exe	71
1872	2252	WerFault.exe	79
1436	1676	WerFault.exe	63
3180	2232	WerFault.exe	117
3308	3024	WerFault.exe	58
3444	2104	WerFault.exe	86
3460	1172	WerFault.exe	80
3452	1952	WerFault.exe	81
3468	2196	WerFault.exe	85
3484	2672	WerFault.exe	73
3476	2492	WerFault.exe	60
3492	1752	WerFault.exe	78
3512	2348	WerFault.exe	88
3520	2784	WerFault.exe	67
3552	1628	WerFault.exe	89
3592	2276	WerFault.exe	87
3728	1608	WerFault.exe	94
3736	900	WerFault.exe	92
3744	692	WerFault.exe	90
3752	2568	WerFault.exe	109
3760	2024	WerFault.exe	83
3768	1492	WerFault.exe	111
3824	1892	WerFault.exe	110
3832	492	WerFault.exe	113
3840	2712	WerFault.exe	105
3964	1760	WerFault.exe	99
4000	292	WerFault.exe	96
4008	2072	WerFault.exe	115
4016	2512	WerFault.exe	98

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Unicorn-50613.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Unicorn-34499.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Unicorn-49648.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Unicorn-57105.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Unicorn-43591.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Unicorn-3958.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Unicorn-3958.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Unicorn-12808.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Unicorn-13213.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Unicorn-64294.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Unicorn-34803.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Unicorn-34601.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Unicorn-20785.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Unicorn-63457.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Unicorn-24379.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Unicorn-50793.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Unicorn-38685.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	d0615af34108fbd9fe82a3a382497680N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Unicorn-58454.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Unicorn-30842.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Unicorn-22674.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Unicorn-33978.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Unicorn-48319.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Unicorn-19150.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Unicorn-48413.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Unicorn-50793.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Unicorn-19528.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Unicorn-55415.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Unicorn-53135.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Unicorn-38033.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Unicorn-9238.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Unicorn-2222.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Unicorn-61135.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Unicorn-54365.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Unicorn-49565.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Unicorn-22067.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Unicorn-3958.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Unicorn-5100.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Unicorn-39859.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Unicorn-62329.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Unicorn-32461.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Unicorn-41183.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Unicorn-5662.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Unicorn-47318.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Unicorn-42059.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Unicorn-26523.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Unicorn-30415.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Unicorn-35251.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Unicorn-43591.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Unicorn-43888.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Unicorn-21946.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Unicorn-26758.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Unicorn-51262.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Unicorn-49544.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Unicorn-53135.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Unicorn-21683.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Unicorn-64062.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Unicorn-876.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Unicorn-36149.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Unicorn-25324.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Unicorn-41179.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Unicorn-50793.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Unicorn-876.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Unicorn-64322.exe

Suspicious use of SetWindowsHookEx 64 IoCs

pid	Process
2660	d0615af34108fbd9fe82a3a382497680N.exe
2756	Unicorn-50613.exe
2792	Unicorn-38527.exe
2684	Unicorn-48319.exe
2548	Unicorn-19150.exe
844	Unicorn-47738.exe
1408	Unicorn-27872.exe
1692	Unicorn-57105.exe
676	Unicorn-20157.exe
1152	Unicorn-20903.exe
2328	Unicorn-34499.exe
2840	Unicorn-54365.exe
2112	Unicorn-47432.exe
2200	Unicorn-15122.exe
1208	Unicorn-29835.exe
2968	Unicorn-46918.exe
1328	Unicorn-9414.exe
1828	Unicorn-62507.exe
1656	Unicorn-14053.exe
876	Unicorn-46171.exe
1972	Unicorn-51838.exe
2892	Unicorn-19528.exe
3024	Unicorn-2445.exe
3052	Unicorn-39202.exe
2492	Unicorn-43841.exe
2400	Unicorn-30842.exe
1676	Unicorn-26758.exe
2320	Unicorn-2808.exe
1076	Unicorn-14505.exe
2408	Unicorn-22674.exe
2788	Unicorn-31396.exe
2784	Unicorn-51262.exe
2580	Unicorn-55901.exe
2552	Unicorn-24293.exe
1508	Unicorn-49544.exe
1756	Unicorn-15933.exe
1752	Unicorn-41183.exe
2672	Unicorn-32461.exe
2252	Unicorn-48605.exe
1172	Unicorn-20571.exe
1952	Unicorn-15741.exe
1484	Unicorn-48413.exe
2024	Unicorn-16295.exe
2248	Unicorn-45673.exe
2196	Unicorn-12808.exe
2276	Unicorn-49565.exe
2104	Unicorn-49565.exe
2348	Unicorn-53135.exe
1628	Unicorn-53135.exe
692	Unicorn-20785.exe
900	Unicorn-15632.exe
1372	Unicorn-15632.exe
960	Unicorn-61303.exe
1608	Unicorn-32522.exe
292	Unicorn-54308.exe
1760	Unicorn-5662.exe
2512	Unicorn-831.exe
2712	Unicorn-49648.exe
2616	Unicorn-12974.exe
2972	Unicorn-58646.exe
3068	Unicorn-12974.exe
2568	Unicorn-38033.exe
1892	Unicorn-58454.exe
1492	Unicorn-4422.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2660 wrote to memory of 2756	2660	d0615af34108fbd9fe82a3a382497680N.exe	30
PID 2660 wrote to memory of 2756	2660	d0615af34108fbd9fe82a3a382497680N.exe	30
PID 2660 wrote to memory of 2756	2660	d0615af34108fbd9fe82a3a382497680N.exe	30
PID 2660 wrote to memory of 2756	2660	d0615af34108fbd9fe82a3a382497680N.exe	30
PID 2660 wrote to memory of 2684	2660	d0615af34108fbd9fe82a3a382497680N.exe	32
PID 2660 wrote to memory of 2684	2660	d0615af34108fbd9fe82a3a382497680N.exe	32
PID 2660 wrote to memory of 2684	2660	d0615af34108fbd9fe82a3a382497680N.exe	32
PID 2660 wrote to memory of 2684	2660	d0615af34108fbd9fe82a3a382497680N.exe	32
PID 2756 wrote to memory of 2792	2756	Unicorn-50613.exe	31
PID 2756 wrote to memory of 2792	2756	Unicorn-50613.exe	31
PID 2756 wrote to memory of 2792	2756	Unicorn-50613.exe	31
PID 2756 wrote to memory of 2792	2756	Unicorn-50613.exe	31
PID 2660 wrote to memory of 2116	2660	d0615af34108fbd9fe82a3a382497680N.exe	33
PID 2660 wrote to memory of 2116	2660	d0615af34108fbd9fe82a3a382497680N.exe	33
PID 2660 wrote to memory of 2116	2660	d0615af34108fbd9fe82a3a382497680N.exe	33
PID 2660 wrote to memory of 2116	2660	d0615af34108fbd9fe82a3a382497680N.exe	33
PID 2792 wrote to memory of 2548	2792	Unicorn-38527.exe	34
PID 2792 wrote to memory of 2548	2792	Unicorn-38527.exe	34
PID 2792 wrote to memory of 2548	2792	Unicorn-38527.exe	34
PID 2792 wrote to memory of 2548	2792	Unicorn-38527.exe	34
PID 2684 wrote to memory of 844	2684	Unicorn-48319.exe	35
PID 2684 wrote to memory of 844	2684	Unicorn-48319.exe	35
PID 2684 wrote to memory of 844	2684	Unicorn-48319.exe	35
PID 2684 wrote to memory of 844	2684	Unicorn-48319.exe	35
PID 2756 wrote to memory of 1408	2756	Unicorn-50613.exe	36
PID 2756 wrote to memory of 1408	2756	Unicorn-50613.exe	36
PID 2756 wrote to memory of 1408	2756	Unicorn-50613.exe	36
PID 2756 wrote to memory of 1408	2756	Unicorn-50613.exe	36
PID 2756 wrote to memory of 2992	2756	Unicorn-50613.exe	37
PID 2756 wrote to memory of 2992	2756	Unicorn-50613.exe	37
PID 2756 wrote to memory of 2992	2756	Unicorn-50613.exe	37
PID 2756 wrote to memory of 2992	2756	Unicorn-50613.exe	37
PID 844 wrote to memory of 1692	844	Unicorn-47738.exe	38
PID 844 wrote to memory of 1692	844	Unicorn-47738.exe	38
PID 844 wrote to memory of 1692	844	Unicorn-47738.exe	38
PID 844 wrote to memory of 1692	844	Unicorn-47738.exe	38
PID 2548 wrote to memory of 676	2548	Unicorn-19150.exe	39
PID 2548 wrote to memory of 676	2548	Unicorn-19150.exe	39
PID 2548 wrote to memory of 676	2548	Unicorn-19150.exe	39
PID 2548 wrote to memory of 676	2548	Unicorn-19150.exe	39
PID 2684 wrote to memory of 1152	2684	Unicorn-48319.exe	40
PID 2684 wrote to memory of 1152	2684	Unicorn-48319.exe	40
PID 2684 wrote to memory of 1152	2684	Unicorn-48319.exe	40
PID 2684 wrote to memory of 1152	2684	Unicorn-48319.exe	40
PID 1408 wrote to memory of 2840	1408	Unicorn-27872.exe	42
PID 1408 wrote to memory of 2840	1408	Unicorn-27872.exe	42
PID 1408 wrote to memory of 2840	1408	Unicorn-27872.exe	42
PID 1408 wrote to memory of 2840	1408	Unicorn-27872.exe	42
PID 2792 wrote to memory of 2328	2792	Unicorn-38527.exe	41
PID 2792 wrote to memory of 2328	2792	Unicorn-38527.exe	41
PID 2792 wrote to memory of 2328	2792	Unicorn-38527.exe	41
PID 2792 wrote to memory of 2328	2792	Unicorn-38527.exe	41
PID 2792 wrote to memory of 1680	2792	Unicorn-38527.exe	43
PID 2792 wrote to memory of 1680	2792	Unicorn-38527.exe	43
PID 2792 wrote to memory of 1680	2792	Unicorn-38527.exe	43
PID 2792 wrote to memory of 1680	2792	Unicorn-38527.exe	43
PID 2684 wrote to memory of 480	2684	Unicorn-48319.exe	44
PID 2684 wrote to memory of 480	2684	Unicorn-48319.exe	44
PID 2684 wrote to memory of 480	2684	Unicorn-48319.exe	44
PID 2684 wrote to memory of 480	2684	Unicorn-48319.exe	44
PID 676 wrote to memory of 2112	676	Unicorn-20157.exe	45
PID 676 wrote to memory of 2112	676	Unicorn-20157.exe	45
PID 676 wrote to memory of 2112	676	Unicorn-20157.exe	45
PID 676 wrote to memory of 2112	676	Unicorn-20157.exe	45

C:\Users\Admin\AppData\Local\Temp\d0615af34108fbd9fe82a3a382497680N.exe
"C:\Users\Admin\AppData\Local\Temp\d0615af34108fbd9fe82a3a382497680N.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2660
- C:\Users\Admin\AppData\Local\Temp\Unicorn-50613.exe
  C:\Users\Admin\AppData\Local\Temp\Unicorn-50613.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2756
- - C:\Users\Admin\AppData\Local\Temp\Unicorn-38527.exe
    C:\Users\Admin\AppData\Local\Temp\Unicorn-38527.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:2792
  - - C:\Users\Admin\AppData\Local\Temp\Unicorn-19150.exe
      C:\Users\Admin\AppData\Local\Temp\Unicorn-19150.exe
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      System Location Discovery: System Language Discovery
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:2548
    - - C:\Users\Admin\AppData\Local\Temp\Unicorn-20157.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-20157.exe
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:676
      - C:\Users\Admin\AppData\Local\Temp\Unicorn-47432.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-47432.exe
        6⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2112
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-51838.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-51838.exe
        7⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1972
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-24293.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-24293.exe
        8⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2552
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-54308.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-54308.exe
        9⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:292
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-3958.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-3958.exe
        10⤵
        System Location Discovery: System Language Discovery
        
        PID:3160
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-30415.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-30415.exe
        11⤵
        System Location Discovery: System Language Discovery
        
        PID:2240
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3160 -s 212
        11⤵
        
        PID:5048
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 292 -s 212
        10⤵
        Program crash
        
        PID:4000
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2552 -s 232
        9⤵
        Program crash
        
        PID:2140
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-5662.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-5662.exe
        8⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:1760
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-33978.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-33978.exe
        9⤵
        System Location Discovery: System Language Discovery
        
        PID:3080
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-26523.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-26523.exe
        10⤵
        System Location Discovery: System Language Discovery
        
        PID:4596
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3080 -s 212
        10⤵
        
        PID:5080
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1760 -s 232
        9⤵
        Program crash
        
        PID:3964
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1972 -s 236
        8⤵
        Program crash
        
        PID:2648
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-49544.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-49544.exe
        7⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:1508
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-831.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-831.exe
        8⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2512
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-3958.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-3958.exe
        9⤵
        
        PID:3144
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-51110.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-51110.exe
        10⤵
        
        PID:4808
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3144 -s 212
        10⤵
        
        PID:1536
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2512 -s 232
        9⤵
        Program crash
        
        PID:4016
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1508 -s 232
        8⤵
        Program crash
        
        PID:2144
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2112 -s 236
        7⤵
        Program crash
        
        PID:2316
      - C:\Users\Admin\AppData\Local\Temp\Unicorn-19528.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-19528.exe
        6⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2892
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-32461.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-32461.exe
        7⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2672
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-17599.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-17599.exe
        8⤵
        
        PID:1668
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-36246.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-36246.exe
        9⤵
        
        PID:3376
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-18633.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-18633.exe
        10⤵
        
        PID:5652
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3376 -s 212
        10⤵
        
        PID:5440
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1668 -s 232
        9⤵
        
        PID:4688
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2672 -s 212
        8⤵
        Program crash
        
        PID:3484
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2892 -s 232
        7⤵
        Program crash
        
        PID:988
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 676 -s 236
        6⤵
        Program crash
        
        PID:2064
    - - C:\Users\Admin\AppData\Local\Temp\Unicorn-15122.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-15122.exe
        5⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2200
      - C:\Users\Admin\AppData\Local\Temp\Unicorn-2445.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-2445.exe
        6⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:3024
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-15933.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-15933.exe
        7⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1756
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-49648.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-49648.exe
        8⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2712
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-43888.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-43888.exe
        9⤵
        System Location Discovery: System Language Discovery
        
        PID:2816
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-36149.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-36149.exe
        10⤵
        System Location Discovery: System Language Discovery
        
        PID:4884
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2816 -s 212
        10⤵
        
        PID:4780
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2712 -s 212
        9⤵
        Program crash
        
        PID:3840
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1756 -s 212
        8⤵
        Program crash
        
        PID:2780
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-58646.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-58646.exe
        7⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2972
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-42059.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-42059.exe
        8⤵
        System Location Discovery: System Language Discovery
        
        PID:3248
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-64322.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-64322.exe
        9⤵
        System Location Discovery: System Language Discovery
        
        PID:5008
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-11964.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-11964.exe
        10⤵
        
        PID:5704
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 5008 -s 232
        10⤵
        
        PID:5488
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3248 -s 212
        9⤵
        
        PID:5040
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2972 -s 212
        8⤵
        
        PID:3120
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3024 -s 236
        7⤵
        Program crash
        
        PID:3308
      - C:\Users\Admin\AppData\Local\Temp\Unicorn-41183.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-41183.exe
        6⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:1752
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-21683.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-21683.exe
        7⤵
        System Location Discovery: System Language Discovery
        
        PID:2448
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-50793.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-50793.exe
        8⤵
        System Location Discovery: System Language Discovery
        
        PID:3104
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-45384.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-45384.exe
        9⤵
        
        PID:5492
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3104 -s 212
        9⤵
        
        PID:6048
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2448 -s 212
        8⤵
        
        PID:4628
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1752 -s 212
        7⤵
        Program crash
        
        PID:3492
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2200 -s 236
        6⤵
        Program crash
        
        PID:2464
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2548 -s 236
        5⤵
        Program crash
        
        PID:1556
  - - C:\Users\Admin\AppData\Local\Temp\Unicorn-34499.exe
      C:\Users\Admin\AppData\Local\Temp\Unicorn-34499.exe
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      System Location Discovery: System Language Discovery
      Suspicious use of SetWindowsHookEx
      PID:2328
    - - C:\Users\Admin\AppData\Local\Temp\Unicorn-9414.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-9414.exe
        5⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1328
      - C:\Users\Admin\AppData\Local\Temp\Unicorn-30842.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-30842.exe
        6⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2400
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-48413.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-48413.exe
        7⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:1484
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-12974.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-12974.exe
        8⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:3068
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-3958.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-3958.exe
        9⤵
        
        PID:3128
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-14270.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-14270.exe
        10⤵
        
        PID:4572
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3128 -s 212
        10⤵
        
        PID:4356
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3068 -s 232
        9⤵
        
        PID:4024
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1484 -s 232
        8⤵
        Program crash
        
        PID:2372
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-58454.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-58454.exe
        7⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:1892
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-3047.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-3047.exe
        8⤵
        
        PID:1988
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-35251.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-35251.exe
        9⤵
        System Location Discovery: System Language Discovery
        
        PID:4564
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-55654.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-55654.exe
        10⤵
        
        PID:5556
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1988 -s 212
        9⤵
        
        PID:4876
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1892 -s 212
        8⤵
        Program crash
        
        PID:3824
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2400 -s 236
        7⤵
        Program crash
        
        PID:556
      - C:\Users\Admin\AppData\Local\Temp\Unicorn-16295.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-16295.exe
        6⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2024
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-43591.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-43591.exe
        7⤵
        
        PID:3008
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-64062.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-64062.exe
        8⤵
        System Location Discovery: System Language Discovery
        
        PID:4152
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-38685.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-38685.exe
        9⤵
        System Location Discovery: System Language Discovery
        
        PID:5932
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3008 -s 212
        8⤵
        
        PID:4916
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2024 -s 212
        7⤵
        Program crash
        
        PID:3760
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1328 -s 236
        6⤵
        Program crash
        
        PID:1512
    - - C:\Users\Admin\AppData\Local\Temp\Unicorn-2808.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-2808.exe
        5⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2320
      - C:\Users\Admin\AppData\Local\Temp\Unicorn-45673.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-45673.exe
        6⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2248
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-41179.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-41179.exe
        7⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2396
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-3958.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-3958.exe
        8⤵
        System Location Discovery: System Language Discovery
        
        PID:3152
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-36616.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-36616.exe
        9⤵
        
        PID:4996
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3152 -s 212
        9⤵
        
        PID:4736
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2396 -s 232
        8⤵
        
        PID:4068
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2248 -s 232
        7⤵
        Program crash
        
        PID:2680
      - C:\Users\Admin\AppData\Local\Temp\Unicorn-2201.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-2201.exe
        6⤵
        
        PID:2092
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-3958.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-3958.exe
        7⤵
        
        PID:3168
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-21946.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-21946.exe
        8⤵
        System Location Discovery: System Language Discovery
        
        PID:4972
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3168 -s 212
        8⤵
        
        PID:5028
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2092 -s 212
        7⤵
        
        PID:4076
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2320 -s 236
        6⤵
        Program crash
        
        PID:2216
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2328 -s 236
        5⤵
        Program crash
        
        PID:1100
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 2792 -s 236
      4⤵
      Loads dropped DLL
      Program crash
      PID:1680
- - C:\Users\Admin\AppData\Local\Temp\Unicorn-27872.exe
    C:\Users\Admin\AppData\Local\Temp\Unicorn-27872.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:1408
  - - C:\Users\Admin\AppData\Local\Temp\Unicorn-54365.exe
      C:\Users\Admin\AppData\Local\Temp\Unicorn-54365.exe
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      System Location Discovery: System Language Discovery
      Suspicious use of SetWindowsHookEx
      PID:2840
    - - C:\Users\Admin\AppData\Local\Temp\Unicorn-62507.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-62507.exe
        5⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1828
      - C:\Users\Admin\AppData\Local\Temp\Unicorn-22674.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-22674.exe
        6⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2408
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-49565.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-49565.exe
        7⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2276
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-62990.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-62990.exe
        8⤵
        
        PID:2132
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-63787.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-63787.exe
        9⤵
        
        PID:3808
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-11964.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-11964.exe
        10⤵
        
        PID:5716
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3808 -s 212
        10⤵
        
        PID:5424
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2132 -s 232
        9⤵
        
        PID:4704
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2276 -s 232
        8⤵
        Program crash
        
        PID:3592
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2408 -s 212
        7⤵
        Program crash
        
        PID:1500
      - C:\Users\Admin\AppData\Local\Temp\Unicorn-53135.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-53135.exe
        6⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2348
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-25959.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-25959.exe
        7⤵
        
        PID:2204
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-50793.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-50793.exe
        8⤵
        System Location Discovery: System Language Discovery
        
        PID:2056
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-55415.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-55415.exe
        9⤵
        System Location Discovery: System Language Discovery
        
        PID:5432
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2056 -s 212
        9⤵
        
        PID:6040
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2204 -s 232
        8⤵
        
        PID:4536
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2348 -s 232
        7⤵
        Program crash
        
        PID:3512
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1828 -s 236
        6⤵
        Program crash
        
        PID:2692
    - - C:\Users\Admin\AppData\Local\Temp\Unicorn-31396.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-31396.exe
        5⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2788
      - C:\Users\Admin\AppData\Local\Temp\Unicorn-12808.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-12808.exe
        6⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2196
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-13213.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-13213.exe
        7⤵
        System Location Discovery: System Language Discovery
        
        PID:1108
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-50793.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-50793.exe
        8⤵
        
        PID:3176
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-45384.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-45384.exe
        9⤵
        
        PID:5504
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3176 -s 212
        9⤵
        
        PID:6116
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1108 -s 232
        8⤵
        
        PID:4544
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2196 -s 212
        7⤵
        Program crash
        
        PID:3468
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2788 -s 232
        6⤵
        Program crash
        
        PID:1748
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2840 -s 236
        5⤵
        Program crash
        
        PID:3004
  - - C:\Users\Admin\AppData\Local\Temp\Unicorn-14053.exe
      C:\Users\Admin\AppData\Local\Temp\Unicorn-14053.exe
      4⤵
      Executes dropped EXE
      Suspicious use of SetWindowsHookEx
      PID:1656
    - - C:\Users\Admin\AppData\Local\Temp\Unicorn-14505.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-14505.exe
        5⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1076
      - C:\Users\Admin\AppData\Local\Temp\Unicorn-49565.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-49565.exe
        6⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2104
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-13213.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-13213.exe
        7⤵
        
        PID:1128
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-50793.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-50793.exe
        8⤵
        System Location Discovery: System Language Discovery
        
        PID:3200
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-64294.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-64294.exe
        9⤵
        System Location Discovery: System Language Discovery
        
        PID:5348
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3200 -s 232
        9⤵
        
        PID:6084
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1128 -s 212
        8⤵
        
        PID:4552
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2104 -s 232
        7⤵
        Program crash
        
        PID:3444
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1076 -s 232
        6⤵
        Program crash
        
        PID:2652
    - - C:\Users\Admin\AppData\Local\Temp\Unicorn-53135.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-53135.exe
        5⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:1628
      - C:\Users\Admin\AppData\Local\Temp\Unicorn-52637.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-52637.exe
        6⤵
        
        PID:1764
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-39859.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-39859.exe
        7⤵
        System Location Discovery: System Language Discovery
        
        PID:3996
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-38306.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-38306.exe
        8⤵
        
        PID:5776
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1764 -s 232
        7⤵
        
        PID:4756
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1628 -s 232
        6⤵
        Program crash
        
        PID:3552
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1656 -s 236
        5⤵
        Program crash
        
        PID:880
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 1408 -s 236
      4⤵
      Program crash
      PID:1996
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2756 -s 236
    3⤵
    - Loads dropped DLL
    - Program crash
    PID:2992
- C:\Users\Admin\AppData\Local\Temp\Unicorn-48319.exe
  C:\Users\Admin\AppData\Local\Temp\Unicorn-48319.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2684
- - C:\Users\Admin\AppData\Local\Temp\Unicorn-47738.exe
    C:\Users\Admin\AppData\Local\Temp\Unicorn-47738.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:844
  - - C:\Users\Admin\AppData\Local\Temp\Unicorn-57105.exe
      C:\Users\Admin\AppData\Local\Temp\Unicorn-57105.exe
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      System Location Discovery: System Language Discovery
      Suspicious use of SetWindowsHookEx
      PID:1692
    - - C:\Users\Admin\AppData\Local\Temp\Unicorn-29835.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-29835.exe
        5⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1208
      - C:\Users\Admin\AppData\Local\Temp\Unicorn-39202.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-39202.exe
        6⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:3052
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-48605.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-48605.exe
        7⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2252
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-12974.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-12974.exe
        8⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2616
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-24379.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-24379.exe
        9⤵
        System Location Discovery: System Language Discovery
        
        PID:3192
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-3751.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-3751.exe
        10⤵
        
        PID:5032
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3192 -s 232
        10⤵
        
        PID:4892
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2616 -s 232
        9⤵
        
        PID:3316
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2252 -s 232
        8⤵
        Program crash
        
        PID:1872
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-38033.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-38033.exe
        7⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2568
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-63457.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-63457.exe
        8⤵
        System Location Discovery: System Language Discovery
        
        PID:1160
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-876.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-876.exe
        9⤵
        System Location Discovery: System Language Discovery
        
        PID:4252
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-64346.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-64346.exe
        10⤵
        
        PID:5828
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1160 -s 212
        9⤵
        
        PID:4940
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2568 -s 212
        8⤵
        Program crash
        
        PID:3752
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3052 -s 236
        7⤵
        Program crash
        
        PID:2668
      - C:\Users\Admin\AppData\Local\Temp\Unicorn-20571.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-20571.exe
        6⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1172
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-2222.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-2222.exe
        7⤵
        System Location Discovery: System Language Discovery
        
        PID:2468
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-50793.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-50793.exe
        8⤵
        
        PID:3208
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-34803.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-34803.exe
        9⤵
        System Location Discovery: System Language Discovery
        
        PID:5464
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3208 -s 212
        9⤵
        
        PID:6032
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2468 -s 232
        8⤵
        
        PID:4528
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1172 -s 232
        7⤵
        Program crash
        
        PID:3460
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1208 -s 236
        6⤵
        Program crash
        
        PID:1516
    - - C:\Users\Admin\AppData\Local\Temp\Unicorn-43841.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-43841.exe
        5⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2492
      - C:\Users\Admin\AppData\Local\Temp\Unicorn-15741.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-15741.exe
        6⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1952
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-9238.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-9238.exe
        7⤵
        System Location Discovery: System Language Discovery
        
        PID:2980
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2980 -s 236
        8⤵
        
        PID:3788
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1952 -s 232
        7⤵
        Program crash
        
        PID:3452
      - C:\Users\Admin\AppData\Local\Temp\Unicorn-43810.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-43810.exe
        6⤵
        
        PID:1496
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-36246.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-36246.exe
        7⤵
        
        PID:3348
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-59665.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-59665.exe
        8⤵
        
        PID:5624
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3348 -s 212
        8⤵
        
        PID:5364
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1496 -s 212
        7⤵
        
        PID:4696
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2492 -s 236
        6⤵
        Program crash
        
        PID:3476
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1692 -s 236
        5⤵
        Program crash
        
        PID:2924
  - - C:\Users\Admin\AppData\Local\Temp\Unicorn-46918.exe
      C:\Users\Admin\AppData\Local\Temp\Unicorn-46918.exe
      4⤵
      Executes dropped EXE
      Suspicious use of SetWindowsHookEx
      PID:2968
    - - C:\Users\Admin\AppData\Local\Temp\Unicorn-26758.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-26758.exe
        5⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:1676
      - C:\Users\Admin\AppData\Local\Temp\Unicorn-20785.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-20785.exe
        6⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:692
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-1262.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-1262.exe
        7⤵
        
        PID:2232
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2232 -s 236
        8⤵
        Program crash
        
        PID:3180
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-43591.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-43591.exe
        7⤵
        System Location Discovery: System Language Discovery
        
        PID:2120
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-62329.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-62329.exe
        8⤵
        System Location Discovery: System Language Discovery
        
        PID:4272
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-1928.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-1928.exe
        9⤵
        
        PID:5864
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2120 -s 212
        8⤵
        
        PID:4924
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 692 -s 236
        7⤵
        Program crash
        
        PID:3744
      - C:\Users\Admin\AppData\Local\Temp\Unicorn-9793.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-9793.exe
        6⤵
        
        PID:1816
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-61135.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-61135.exe
        7⤵
        System Location Discovery: System Language Discovery
        
        PID:3220
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-25324.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-25324.exe
        8⤵
        System Location Discovery: System Language Discovery
        
        PID:5072
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3220 -s 232
        8⤵
        
        PID:4968
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1816 -s 232
        7⤵
        
        PID:3264
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1676 -s 236
        6⤵
        Program crash
        
        PID:1436
    - - C:\Users\Admin\AppData\Local\Temp\Unicorn-61303.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-61303.exe
        5⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:960
      - C:\Users\Admin\AppData\Local\Temp\Unicorn-22067.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-22067.exe
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:2072
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-3958.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-3958.exe
        7⤵
        System Location Discovery: System Language Discovery
        
        PID:3136
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-21946.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-21946.exe
        8⤵
        
        PID:4912
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3136 -s 212
        8⤵
        
        PID:5004
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2072 -s 232
        7⤵
        Program crash
        
        PID:4008
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 960 -s 232
        6⤵
        Program crash
        
        PID:1256
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2968 -s 236
        5⤵
        Program crash
        
        PID:1080
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 844 -s 236
      4⤵
      Loads dropped DLL
      Program crash
      PID:2432
- - C:\Users\Admin\AppData\Local\Temp\Unicorn-20903.exe
    C:\Users\Admin\AppData\Local\Temp\Unicorn-20903.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of SetWindowsHookEx
    PID:1152
  - - C:\Users\Admin\AppData\Local\Temp\Unicorn-46171.exe
      C:\Users\Admin\AppData\Local\Temp\Unicorn-46171.exe
      4⤵
      Executes dropped EXE
      Suspicious use of SetWindowsHookEx
      PID:876
    - - C:\Users\Admin\AppData\Local\Temp\Unicorn-51262.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-51262.exe
        5⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2784
      - C:\Users\Admin\AppData\Local\Temp\Unicorn-15632.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-15632.exe
        6⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:900
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-43591.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-43591.exe
        7⤵
        System Location Discovery: System Language Discovery
        
        PID:1644
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-5100.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-5100.exe
        8⤵
        System Location Discovery: System Language Discovery
        
        PID:3532
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-21456.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-21456.exe
        9⤵
        
        PID:5572
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3532 -s 212
        9⤵
        
        PID:6056
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1644 -s 212
        8⤵
        
        PID:4620
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 900 -s 212
        7⤵
        Program crash
        
        PID:3736
      - C:\Users\Admin\AppData\Local\Temp\Unicorn-31256.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-31256.exe
        6⤵
        
        PID:1200
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-63621.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-63621.exe
        7⤵
        
        PID:928
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-28472.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-28472.exe
        8⤵
        
        PID:5536
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 928 -s 212
        8⤵
        
        PID:6024
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1200 -s 232
        7⤵
        
        PID:4656
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2784 -s 236
        6⤵
        Program crash
        
        PID:3520
    - - C:\Users\Admin\AppData\Local\Temp\Unicorn-32522.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-32522.exe
        5⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1608
      - C:\Users\Admin\AppData\Local\Temp\Unicorn-63457.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-63457.exe
        6⤵
        
        PID:2480
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-876.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-876.exe
        7⤵
        System Location Discovery: System Language Discovery
        
        PID:4260
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-14180.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-14180.exe
        8⤵
        
        PID:5896
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2480 -s 212
        7⤵
        
        PID:4948
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1608 -s 232
        6⤵
        Program crash
        
        PID:3728
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 876 -s 236
        5⤵
        Program crash
        
        PID:840
  - - C:\Users\Admin\AppData\Local\Temp\Unicorn-55901.exe
      C:\Users\Admin\AppData\Local\Temp\Unicorn-55901.exe
      4⤵
      Executes dropped EXE
      Suspicious use of SetWindowsHookEx
      PID:2580
    - - C:\Users\Admin\AppData\Local\Temp\Unicorn-15632.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-15632.exe
        5⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1372
      - C:\Users\Admin\AppData\Local\Temp\Unicorn-4422.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-4422.exe
        6⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1492
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-63457.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-63457.exe
        7⤵
        
        PID:1976
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-61047.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-61047.exe
        8⤵
        
        PID:4124
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-30138.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-30138.exe
        9⤵
        
        PID:5748
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1976 -s 212
        8⤵
        
        PID:4832
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1492 -s 232
        7⤵
        Program crash
        
        PID:3768
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1372 -s 232
        6⤵
        Program crash
        
        PID:588
    - - C:\Users\Admin\AppData\Local\Temp\Unicorn-47318.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-47318.exe
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:492
      - C:\Users\Admin\AppData\Local\Temp\Unicorn-11324.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-11324.exe
        6⤵
        
        PID:2628
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-49885.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-49885.exe
        7⤵
        
        PID:4300
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-34601.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-34601.exe
        8⤵
        System Location Discovery: System Language Discovery
        
        PID:5960
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2628 -s 212
        7⤵
        
        PID:4932
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 492 -s 232
        6⤵
        Program crash
        
        PID:3832
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2580 -s 236
        5⤵
        Program crash
        
        PID:596
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 1152 -s 236
      4⤵
      Program crash
      PID:1212
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2684 -s 236
    3⤵
    - Loads dropped DLL
    - Program crash
    PID:480
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 2660 -s 236
  2⤵
  - Program crash
  PID:2116

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\Unicorn-19150.exe

Filesize
468KB

MD5
5f50d0dd49f71bc7db58b0ef87a7a828

SHA1
5c111b563a6b389fd573ae9393d46b8664c77d65

SHA256
f91ebe8ac56e6d3b4b8a5bfd91255e89f8e2e565792ed9ed729741d8a686d351

SHA512
5e4fe6b11309fb72762e24cd96255511df22743fb5098f9afeaac3cb1d378917b86d93d55ac2dd8f099aa252edd502b1f45499b627c1f08cd01423ab778b276f

Download Submit
C:\Users\Admin\AppData\Local\Temp\Unicorn-20903.exe

Filesize
468KB

MD5
67b1a08e74c86d24d7b64c2544d23b1e

SHA1
c26e34492a6000bcc3a4c4c626d03da022278c4c

SHA256
f3a1c0ecbbc9452c461912bf33f307d2c7eb411e34228ecd7690ef383ef71788

SHA512
10023e448bf73dc445c0b559301cf9ec6bd83964aaa2a09d0c21308dda3fe8e3c6be006c79906ed0d753be05f7995755a65b79ec4da67fd5b29fbb4a9bbfa00f

Download Submit
C:\Users\Admin\AppData\Local\Temp\Unicorn-26523.exe

Filesize
468KB

MD5
15b875be815389928d21e5cac8765dee

SHA1
279fbd55c497f0fab0f324d2cbeddf98b40ea1c6

SHA256
6e2507a5ee074b18ccd3686c245f642c222fabe15670d4db9358f3af778ec639

SHA512
8b6491f0b7d8a28f8892157c75ed5828696c8e40f33b6e599de8e7f1007d7853f941774f0139c3b23f947689101ee4de99b6493b526cb3716f40732e69117fff

Download Submit
C:\Users\Admin\AppData\Local\Temp\Unicorn-43810.exe

Filesize
468KB

MD5
8da14fe9f68b7546e03b8360d8e9d0aa

SHA1
b64ee9f6c6c268b707b420f8b8db5bc2dd0fa971

SHA256
37ead5ef91444c129790782ba75e4d616e4f63ed008f7d85fb77fb3ac70013da

SHA512
9629867930cf086000012c994db6e90f58f3ff56c4b95c01a59ac63a7c805ca1fcc0345491c4d3c8b7bce70f742ac8085c94feda1091a05e58d978e82e5b4081

Download Submit
C:\Users\Admin\AppData\Local\Temp\Unicorn-47738.exe

Filesize
468KB

MD5
2e9611aa371560ff5906134b91f52add

SHA1
41ecb0fa7db3a1c279d89e43877060e204de9f26

SHA256
28903f848aec0458e9bd70016a0b2b49ab76ec44ac3a8c56ef56d51f7be3b5f5

SHA512
a148444cbafddaef254ee7dd539f3b7392241b9de346c39022232e4eb2648e44865aa64ee08b469087cdb49e905d4c53b47934ad381d074ca2a0de063d151de4

Download Submit
C:\Users\Admin\AppData\Local\Temp\Unicorn-48319.exe

Filesize
468KB

MD5
457ed464bb3b2dc0f2ab3b6f3c9a60d9

SHA1
ab93acdd4c27d584d0a8139def0dc0d48c0a2924

SHA256
7ba31b110f8151a4d761d8079f7a7df7bbcf0b94de9e614e3fb31772d4530ff2

SHA512
2b57e0e3008d1e038b7de0c03224e9a266f7f2f3fe842b0b43d81c74b2f22475ae1e6e37e214c5c20ecb0d5022d31bcd5b5b3b082b1059d08790d748e96e2b92

Download Submit
C:\Users\Admin\AppData\Local\Temp\Unicorn-54365.exe

Filesize
468KB

MD5
f6e4918a42b233e17a199be6e27e32be

SHA1
a71adb978ebc119ebbde48b3c5e8f3d231940e08

SHA256
6a2edb0078017bdb6e1d6b13aea830e7f4b8556ea6e7133db51aca3ce03c4fdd

SHA512
e323af6753d906ed1a2046b457f34792945e6b65b17487c8d4a6a57b3964958e69fd3c9490aa6e30de2b4426bb19a0ee752a626dbf58cb2b7ab3fb8de14716f7

Download Submit
\Users\Admin\AppData\Local\Temp\Unicorn-20157.exe

Filesize
468KB

MD5
85ef77313bbc22b7463497b752bf6359

SHA1
0ee8ca92c5c79f3fedf1e87cd7272dfa195f4aab

SHA256
968cb150d690a74f8a937f013e2c338f74992b903a75750d083e6efd57566eba

SHA512
f10c4d1aeee326ede3c6e6298c17a260414afad38fe500f54d5a58a4869f9dae122e486d23d5480ca85d12936e3d701f420c095678fdf0bd305f45fd0ed8bd36

Download Submit
\Users\Admin\AppData\Local\Temp\Unicorn-27872.exe

Filesize
468KB

MD5
08d2357f13bc748a6ec069cc43a26d09

SHA1
5dc35c3093e47a2d548f3db061fb4e89810fdfab

SHA256
c5ba20306b16b12e5c794b95ede8aa2f6d37a7293a5b5da2e17d025089d5e987

SHA512
f58bd06a33b970f371f03bccf3fbbbf9eb4d513e37729a1adda991b59d4408c01b995fa319e3d19564c2d83f75654a704dfccca795ce6d42dd853dc2f134d92f

Download Submit
\Users\Admin\AppData\Local\Temp\Unicorn-34499.exe

Filesize
468KB

MD5
cbdcdb65937b263d4681e22088418e79

SHA1
f9d64331f2407f1856934dea5b6361990e30a1a1

SHA256
9dbae12d3b6d5fab3cef36063b278d8c4c50169d68b192d134c51fe05a121be5

SHA512
d77c295694d5194b19ee84dbfaf488360230ddf586f764e33784570fdb52fb2020cac5dda489446f8239e02ae9f262a01fb607d68006778154a961d8b1c9fdcb

Download Submit
\Users\Admin\AppData\Local\Temp\Unicorn-38527.exe

Filesize
468KB

MD5
18008713c09b92d3a9ae8b818e1696a9

SHA1
65c31a6355c67ff693e5773cb825582d65d03348

SHA256
0c7e4894465b71e6fd890cfb59d4fe43878262280350bca6c18fd2c6235b3a51

SHA512
cebc78271a1f756afb2b711d43d70ae71a2931b64ad26195ddee75ff2c13ee315a61dd970421a49347b5a04f7b76eb814ad715f131c0a6ddc38929f55aec0ec5

Download Submit
\Users\Admin\AppData\Local\Temp\Unicorn-47432.exe

Filesize
468KB

MD5
8acad9b91baceb08d692fc336a11811d

SHA1
9e313d84e05eaf1094e660db9a9b43c53b673289

SHA256
34569f7c2f6739c0211e2d3743748fdbc3029caa117738955087b1ea04d58f06

SHA512
e23442297a00adf733b8ef040fa9e057cbd2a98c473923c7465d5d5c97bc70b77be3f835559e652b1268cfb411d5592b53422e60ad506916f39dfacd3346dab2

Download Submit
\Users\Admin\AppData\Local\Temp\Unicorn-50613.exe

Filesize
468KB

MD5
2ba3bce32f791fbab7e0e96540b1fd23

SHA1
7e13cfce210ba6cb1b9b8ae987e6f3666ff00425

SHA256
1ccbb3cf873ca0c73d4884f16d767a9e3772cc7c2b4fafbb120a7b7430ee85c2

SHA512
73f721dba0055f24eb309e11bb32c0a8dd7d5577d312fc1ca0ff0979ea2aa39793ed524c5a613d7edfdab570af9bb53130aeadda39338b582119cb4d830eb9d6

Download Submit
\Users\Admin\AppData\Local\Temp\Unicorn-57105.exe

Filesize
468KB

MD5
198f099112a72d6968894fc62de342b0

SHA1
101c1933296d66e36ef1367b2574d43b30d6e2f3

SHA256
ba363dc17c85f2a8a667600c70fa09b3159160c72c81f4bb465cb8e3c55841c5

SHA512
12639f9aced86de860cfff5fda5bb95baf6bce613f0bcd12f58523a69ffe8efe85c6b3cfd1131ff5cfaf710274fb2b36a3a63f8a708d58e386fc59d063f7fc58

Download Submit