3d1b9a6b6e3a6d1f8610fda8ddedaec36fd48a71db46fbc951cb139865b12777

Analysis

max time kernel
120s
max time network
16s
platform
windows7_x64
resource
win7-20240729-en
resource tags

arch:x64arch:x86image:win7-20240729-enlocale:en-usos:windows7-x64system
submitted
19/09/2024, 00:21

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

3d1b9a6b6e3a6d1f8610fda8ddedaec36fd48a71db46fbc951cb139865b12777N.exe
Size

468KB
MD5

ef83f023d4091e00cd6a63f031666850
SHA1

b66f9b5781ac99a3f7941bb22fd871f01d8c8a36
SHA256

3d1b9a6b6e3a6d1f8610fda8ddedaec36fd48a71db46fbc951cb139865b12777
SHA512

b0b2b07e99bd5a956b38f7f982b549b7829dc039f45527c3f24b2c3f95c8900697a7affa6a19f3db6437c3a1f4b911000caf469a9d1b22359d66e0f1e389b6c6
SSDEEP

3072:VPqjovOWI35vtbYZJe+5OfDtrrCdkiIpXlmHeASwe3lmv56U9SDKx:VPCoIJvtmJh5Of20X/3ls8U9S

Score

7^/10

discovery

Malware Config

Signatures

Executes dropped EXE 64 IoCs

pid	Process
2272	Unicorn-16481.exe
2208	Unicorn-18425.exe
2260	Unicorn-42868.exe
3036	Unicorn-6824.exe
2708	Unicorn-38022.exe
2652	Unicorn-52268.exe
2552	Unicorn-17883.exe
2536	Unicorn-12262.exe
2568	Unicorn-57934.exe
1644	Unicorn-30335.exe
1632	Unicorn-10469.exe
2776	Unicorn-39836.exe
1784	Unicorn-8538.exe
1500	Unicorn-60910.exe
2224	Unicorn-27273.exe
2064	Unicorn-21736.exe
2680	Unicorn-21736.exe
2128	Unicorn-40520.exe
2276	Unicorn-57843.exe
768	Unicorn-57736.exe
2196	Unicorn-24689.exe
2188	Unicorn-43948.exe
1664	Unicorn-4773.exe
1760	Unicorn-22951.exe
1648	Unicorn-59677.exe
1652	Unicorn-26023.exe
1388	Unicorn-14882.exe
1888	Unicorn-42904.exe
1712	Unicorn-62770.exe
2380	Unicorn-59070.exe
2468	Unicorn-19879.exe
2248	Unicorn-9402.exe
788	Unicorn-45888.exe
2992	Unicorn-53693.exe
1136	Unicorn-33827.exe
2760	Unicorn-5338.exe
2664	Unicorn-33761.exe
2856	Unicorn-13895.exe
2560	Unicorn-16967.exe
2184	Unicorn-33237.exe
1460	Unicorn-16443.exe
1324	Unicorn-36309.exe
2016	Unicorn-17651.exe
1728	Unicorn-60022.exe
2800	Unicorn-64827.exe
2792	Unicorn-19156.exe
1108	Unicorn-62539.exe
916	Unicorn-42673.exe
1032	Unicorn-62539.exe
648	Unicorn-62539.exe
2956	Unicorn-13011.exe
2164	Unicorn-40125.exe
2316	Unicorn-26664.exe
1704	Unicorn-31391.exe
1672	Unicorn-6232.exe
1804	Unicorn-7540.exe
1864	Unicorn-33279.exe
2112	Unicorn-34588.exe
668	Unicorn-28901.exe
2220	Unicorn-28901.exe
2692	Unicorn-2891.exe
3052	Unicorn-12668.exe
2620	Unicorn-2567.exe
2532	Unicorn-22433.exe

Loads dropped DLL 64 IoCs

pid	Process
1820	3d1b9a6b6e3a6d1f8610fda8ddedaec36fd48a71db46fbc951cb139865b12777N.exe
1820	3d1b9a6b6e3a6d1f8610fda8ddedaec36fd48a71db46fbc951cb139865b12777N.exe
2272	Unicorn-16481.exe
1820	3d1b9a6b6e3a6d1f8610fda8ddedaec36fd48a71db46fbc951cb139865b12777N.exe
1820	3d1b9a6b6e3a6d1f8610fda8ddedaec36fd48a71db46fbc951cb139865b12777N.exe
2272	Unicorn-16481.exe
2260	Unicorn-42868.exe
2260	Unicorn-42868.exe
2208	Unicorn-18425.exe
2272	Unicorn-16481.exe
2272	Unicorn-16481.exe
2208	Unicorn-18425.exe
2780	WerFault.exe
2780	WerFault.exe
2780	WerFault.exe
2780	WerFault.exe
2780	WerFault.exe
2780	WerFault.exe
2780	WerFault.exe
2652	Unicorn-52268.exe
2652	Unicorn-52268.exe
3036	Unicorn-6824.exe
3036	Unicorn-6824.exe
2208	Unicorn-18425.exe
2208	Unicorn-18425.exe
2260	Unicorn-42868.exe
2708	Unicorn-38022.exe
2708	Unicorn-38022.exe
2260	Unicorn-42868.exe
396	WerFault.exe
396	WerFault.exe
396	WerFault.exe
396	WerFault.exe
396	WerFault.exe
396	WerFault.exe
1372	WerFault.exe
1372	WerFault.exe
1372	WerFault.exe
1372	WerFault.exe
1372	WerFault.exe
1372	WerFault.exe
1372	WerFault.exe
396	WerFault.exe
2552	Unicorn-17883.exe
2552	Unicorn-17883.exe
2652	Unicorn-52268.exe
2652	Unicorn-52268.exe
1632	Unicorn-10469.exe
1632	Unicorn-10469.exe
2568	Unicorn-57934.exe
2568	Unicorn-57934.exe
1644	Unicorn-30335.exe
2536	Unicorn-12262.exe
1644	Unicorn-30335.exe
2536	Unicorn-12262.exe
3036	Unicorn-6824.exe
2708	Unicorn-38022.exe
3036	Unicorn-6824.exe
2708	Unicorn-38022.exe
2484	WerFault.exe
2484	WerFault.exe
2484	WerFault.exe
2484	WerFault.exe
2484	WerFault.exe

Program crash 64 IoCs

pid	pid_target	Process	procid_target
3004	1820	WerFault.exe	27
2780	2272	WerFault.exe	28
396	2260	WerFault.exe	29
1372	2208	WerFault.exe	30
2484	2652	WerFault.exe	33
760	3036	WerFault.exe	32
1092	2708	WerFault.exe	34
2236	2552	WerFault.exe	36
2720	1632	WerFault.exe	39
2752	2568	WerFault.exe	38
2628	1644	WerFault.exe	40
2728	2536	WerFault.exe	37
1584	2776	WerFault.exe	43
1956	1784	WerFault.exe	44
2140	1500	WerFault.exe	45
3044	2224	WerFault.exe	46
2920	2064	WerFault.exe	48
2924	2680	WerFault.exe	47
2968	2276	WerFault.exe	50
1884	768	WerFault.exe	54
2936	2188	WerFault.exe	56
2632	2468	WerFault.exe	65
3032	1388	WerFault.exe	61
2124	2128	WerFault.exe	49
2488	2992	WerFault.exe	69
1096	2220	WerFault.exe	104
1688	2196	WerFault.exe	55
2868	2016	WerFault.exe	82
2748	1136	WerFault.exe	70
2556	788	WerFault.exe	68
2528	668	WerFault.exe	105
2640	1664	WerFault.exe	57
2200	2760	WerFault.exe	73
2268	1460	WerFault.exe	80
924	1760	WerFault.exe	58
3060	2664	WerFault.exe	76
2860	1728	WerFault.exe	83
2952	1324	WerFault.exe	81
840	2164	WerFault.exe	91
3104	1648	WerFault.exe	59
3144	2560	WerFault.exe	78
3152	2184	WerFault.exe	79
3272	2856	WerFault.exe	77
3392	2792	WerFault.exe	85
3444	1652	WerFault.exe	60
3556	1712	WerFault.exe	63
3580	1032	WerFault.exe	88
3668	2248	WerFault.exe	66
3724	648	WerFault.exe	87
3776	2800	WerFault.exe	84
3896	2380	WerFault.exe	64
3904	2956	WerFault.exe	90
3912	1888	WerFault.exe	62
3920	916	WerFault.exe	89
4084	1108	WerFault.exe	86
4092	1672	WerFault.exe	95
3268	1968	WerFault.exe	115
3528	2316	WerFault.exe	92
3664	1804	WerFault.exe	97
3748	1864	WerFault.exe	99
3928	1496	WerFault.exe	116
3752	2112	WerFault.exe	100
3996	1704	WerFault.exe	94
4068	2132	WerFault.exe	117

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Unicorn-797.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Unicorn-3151.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Unicorn-41228.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Unicorn-17518.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Unicorn-29044.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Unicorn-62539.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Unicorn-62539.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Unicorn-42546.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Unicorn-8849.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Unicorn-1472.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Unicorn-8767.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Unicorn-17518.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Unicorn-43168.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Unicorn-57736.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Unicorn-33237.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Unicorn-64827.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Unicorn-57614.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Unicorn-46363.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Unicorn-27273.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Unicorn-5338.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Unicorn-62025.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Unicorn-46672.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Unicorn-60671.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	3d1b9a6b6e3a6d1f8610fda8ddedaec36fd48a71db46fbc951cb139865b12777N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Unicorn-28901.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Unicorn-46363.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Unicorn-18425.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Unicorn-17651.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Unicorn-46363.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Unicorn-62025.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Unicorn-8538.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Unicorn-1686.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Unicorn-22680.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Unicorn-8767.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Unicorn-46363.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Unicorn-42904.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Unicorn-58529.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Unicorn-52385.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Unicorn-33761.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Unicorn-13011.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Unicorn-64833.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Unicorn-52268.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Unicorn-22951.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Unicorn-53693.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Unicorn-46363.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Unicorn-12262.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Unicorn-6232.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Unicorn-22433.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Unicorn-34062.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Unicorn-4544.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Unicorn-14882.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Unicorn-33827.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Unicorn-60022.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Unicorn-37375.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Unicorn-41228.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Unicorn-46363.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Unicorn-34588.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Unicorn-28901.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Unicorn-40564.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Unicorn-50364.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Unicorn-43948.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Unicorn-42526.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Unicorn-46363.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Unicorn-24438.exe

Suspicious use of SetWindowsHookEx 64 IoCs

pid	Process
1820	3d1b9a6b6e3a6d1f8610fda8ddedaec36fd48a71db46fbc951cb139865b12777N.exe
2272	Unicorn-16481.exe
2260	Unicorn-42868.exe
2208	Unicorn-18425.exe
3036	Unicorn-6824.exe
2652	Unicorn-52268.exe
2708	Unicorn-38022.exe
2552	Unicorn-17883.exe
1632	Unicorn-10469.exe
2536	Unicorn-12262.exe
1644	Unicorn-30335.exe
2568	Unicorn-57934.exe
2776	Unicorn-39836.exe
1784	Unicorn-8538.exe
1500	Unicorn-60910.exe
2224	Unicorn-27273.exe
2064	Unicorn-21736.exe
2680	Unicorn-21736.exe
2128	Unicorn-40520.exe
2276	Unicorn-57843.exe
768	Unicorn-57736.exe
2196	Unicorn-24689.exe
2188	Unicorn-43948.exe
1664	Unicorn-4773.exe
1760	Unicorn-22951.exe
1648	Unicorn-59677.exe
1652	Unicorn-26023.exe
1888	Unicorn-42904.exe
1712	Unicorn-62770.exe
1388	Unicorn-14882.exe
2380	Unicorn-59070.exe
2468	Unicorn-19879.exe
2248	Unicorn-9402.exe
788	Unicorn-45888.exe
2992	Unicorn-53693.exe
1136	Unicorn-33827.exe
2760	Unicorn-5338.exe
2664	Unicorn-33761.exe
2856	Unicorn-13895.exe
2560	Unicorn-16967.exe
2184	Unicorn-33237.exe
1460	Unicorn-16443.exe
1324	Unicorn-36309.exe
2016	Unicorn-17651.exe
1728	Unicorn-60022.exe
2792	Unicorn-19156.exe
648	Unicorn-62539.exe
2800	Unicorn-64827.exe
1032	Unicorn-62539.exe
916	Unicorn-42673.exe
1108	Unicorn-62539.exe
2956	Unicorn-13011.exe
2164	Unicorn-40125.exe
2316	Unicorn-26664.exe
1704	Unicorn-31391.exe
1672	Unicorn-6232.exe
1804	Unicorn-7540.exe
1864	Unicorn-33279.exe
2112	Unicorn-34588.exe
668	Unicorn-28901.exe
2220	Unicorn-28901.exe
2692	Unicorn-2891.exe
3052	Unicorn-12668.exe
2620	Unicorn-2567.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1820 wrote to memory of 2272	1820	3d1b9a6b6e3a6d1f8610fda8ddedaec36fd48a71db46fbc951cb139865b12777N.exe	28
PID 1820 wrote to memory of 2272	1820	3d1b9a6b6e3a6d1f8610fda8ddedaec36fd48a71db46fbc951cb139865b12777N.exe	28
PID 1820 wrote to memory of 2272	1820	3d1b9a6b6e3a6d1f8610fda8ddedaec36fd48a71db46fbc951cb139865b12777N.exe	28
PID 1820 wrote to memory of 2272	1820	3d1b9a6b6e3a6d1f8610fda8ddedaec36fd48a71db46fbc951cb139865b12777N.exe	28
PID 1820 wrote to memory of 2208	1820	3d1b9a6b6e3a6d1f8610fda8ddedaec36fd48a71db46fbc951cb139865b12777N.exe	30
PID 1820 wrote to memory of 2208	1820	3d1b9a6b6e3a6d1f8610fda8ddedaec36fd48a71db46fbc951cb139865b12777N.exe	30
PID 1820 wrote to memory of 2208	1820	3d1b9a6b6e3a6d1f8610fda8ddedaec36fd48a71db46fbc951cb139865b12777N.exe	30
PID 1820 wrote to memory of 2208	1820	3d1b9a6b6e3a6d1f8610fda8ddedaec36fd48a71db46fbc951cb139865b12777N.exe	30
PID 2272 wrote to memory of 2260	2272	Unicorn-16481.exe	29
PID 2272 wrote to memory of 2260	2272	Unicorn-16481.exe	29
PID 2272 wrote to memory of 2260	2272	Unicorn-16481.exe	29
PID 2272 wrote to memory of 2260	2272	Unicorn-16481.exe	29
PID 1820 wrote to memory of 3004	1820	3d1b9a6b6e3a6d1f8610fda8ddedaec36fd48a71db46fbc951cb139865b12777N.exe	31
PID 1820 wrote to memory of 3004	1820	3d1b9a6b6e3a6d1f8610fda8ddedaec36fd48a71db46fbc951cb139865b12777N.exe	31
PID 1820 wrote to memory of 3004	1820	3d1b9a6b6e3a6d1f8610fda8ddedaec36fd48a71db46fbc951cb139865b12777N.exe	31
PID 1820 wrote to memory of 3004	1820	3d1b9a6b6e3a6d1f8610fda8ddedaec36fd48a71db46fbc951cb139865b12777N.exe	31
PID 2260 wrote to memory of 3036	2260	Unicorn-42868.exe	32
PID 2260 wrote to memory of 3036	2260	Unicorn-42868.exe	32
PID 2260 wrote to memory of 3036	2260	Unicorn-42868.exe	32
PID 2260 wrote to memory of 3036	2260	Unicorn-42868.exe	32
PID 2272 wrote to memory of 2708	2272	Unicorn-16481.exe	34
PID 2272 wrote to memory of 2708	2272	Unicorn-16481.exe	34
PID 2272 wrote to memory of 2708	2272	Unicorn-16481.exe	34
PID 2272 wrote to memory of 2708	2272	Unicorn-16481.exe	34
PID 2208 wrote to memory of 2652	2208	Unicorn-18425.exe	33
PID 2208 wrote to memory of 2652	2208	Unicorn-18425.exe	33
PID 2208 wrote to memory of 2652	2208	Unicorn-18425.exe	33
PID 2208 wrote to memory of 2652	2208	Unicorn-18425.exe	33
PID 2272 wrote to memory of 2780	2272	Unicorn-16481.exe	35
PID 2272 wrote to memory of 2780	2272	Unicorn-16481.exe	35
PID 2272 wrote to memory of 2780	2272	Unicorn-16481.exe	35
PID 2272 wrote to memory of 2780	2272	Unicorn-16481.exe	35
PID 2652 wrote to memory of 2552	2652	Unicorn-52268.exe	36
PID 2652 wrote to memory of 2552	2652	Unicorn-52268.exe	36
PID 2652 wrote to memory of 2552	2652	Unicorn-52268.exe	36
PID 2652 wrote to memory of 2552	2652	Unicorn-52268.exe	36
PID 3036 wrote to memory of 2536	3036	Unicorn-6824.exe	37
PID 3036 wrote to memory of 2536	3036	Unicorn-6824.exe	37
PID 3036 wrote to memory of 2536	3036	Unicorn-6824.exe	37
PID 3036 wrote to memory of 2536	3036	Unicorn-6824.exe	37
PID 2208 wrote to memory of 2568	2208	Unicorn-18425.exe	38
PID 2208 wrote to memory of 2568	2208	Unicorn-18425.exe	38
PID 2208 wrote to memory of 2568	2208	Unicorn-18425.exe	38
PID 2208 wrote to memory of 2568	2208	Unicorn-18425.exe	38
PID 2708 wrote to memory of 1644	2708	Unicorn-38022.exe	40
PID 2708 wrote to memory of 1644	2708	Unicorn-38022.exe	40
PID 2708 wrote to memory of 1644	2708	Unicorn-38022.exe	40
PID 2708 wrote to memory of 1644	2708	Unicorn-38022.exe	40
PID 2260 wrote to memory of 1632	2260	Unicorn-42868.exe	39
PID 2260 wrote to memory of 1632	2260	Unicorn-42868.exe	39
PID 2260 wrote to memory of 1632	2260	Unicorn-42868.exe	39
PID 2260 wrote to memory of 1632	2260	Unicorn-42868.exe	39
PID 2260 wrote to memory of 396	2260	Unicorn-42868.exe	41
PID 2260 wrote to memory of 396	2260	Unicorn-42868.exe	41
PID 2260 wrote to memory of 396	2260	Unicorn-42868.exe	41
PID 2260 wrote to memory of 396	2260	Unicorn-42868.exe	41
PID 2208 wrote to memory of 1372	2208	Unicorn-18425.exe	42
PID 2208 wrote to memory of 1372	2208	Unicorn-18425.exe	42
PID 2208 wrote to memory of 1372	2208	Unicorn-18425.exe	42
PID 2208 wrote to memory of 1372	2208	Unicorn-18425.exe	42
PID 2552 wrote to memory of 2776	2552	Unicorn-17883.exe	43
PID 2552 wrote to memory of 2776	2552	Unicorn-17883.exe	43
PID 2552 wrote to memory of 2776	2552	Unicorn-17883.exe	43
PID 2552 wrote to memory of 2776	2552	Unicorn-17883.exe	43

C:\Users\Admin\AppData\Local\Temp\3d1b9a6b6e3a6d1f8610fda8ddedaec36fd48a71db46fbc951cb139865b12777N.exe
"C:\Users\Admin\AppData\Local\Temp\3d1b9a6b6e3a6d1f8610fda8ddedaec36fd48a71db46fbc951cb139865b12777N.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1820
- C:\Users\Admin\AppData\Local\Temp\Unicorn-16481.exe
  C:\Users\Admin\AppData\Local\Temp\Unicorn-16481.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2272
- - C:\Users\Admin\AppData\Local\Temp\Unicorn-42868.exe
    C:\Users\Admin\AppData\Local\Temp\Unicorn-42868.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:2260
  - - C:\Users\Admin\AppData\Local\Temp\Unicorn-6824.exe
      C:\Users\Admin\AppData\Local\Temp\Unicorn-6824.exe
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:3036
    - - C:\Users\Admin\AppData\Local\Temp\Unicorn-12262.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-12262.exe
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2536
      - C:\Users\Admin\AppData\Local\Temp\Unicorn-21736.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-21736.exe
        6⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2064
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-14882.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-14882.exe
        7⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:1388
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-62539.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-62539.exe
        8⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1108
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-62025.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-62025.exe
        9⤵
        System Location Discovery: System Language Discovery
        
        PID:948
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-17518.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-17518.exe
        10⤵
        System Location Discovery: System Language Discovery
        
        PID:3496
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-46672.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-46672.exe
        11⤵
        System Location Discovery: System Language Discovery
        
        PID:5012
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3496 -s 212
        11⤵
        
        PID:5780
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 948 -s 212
        10⤵
        
        PID:4364
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1108 -s 232
        9⤵
        Program crash
        
        PID:4084
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1388 -s 232
        8⤵
        Program crash
        
        PID:3032
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-40125.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-40125.exe
        7⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2164
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-42526.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-42526.exe
        8⤵
        System Location Discovery: System Language Discovery
        
        PID:1772
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-39057.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-39057.exe
        9⤵
        
        PID:3680
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-46363.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-46363.exe
        10⤵
        
        PID:4816
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3680 -s 232
        10⤵
        
        PID:5432
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1772 -s 232
        9⤵
        
        PID:3948
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2164 -s 232
        8⤵
        Program crash
        
        PID:840
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2064 -s 236
        7⤵
        Program crash
        
        PID:2920
      - C:\Users\Admin\AppData\Local\Temp\Unicorn-42904.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-42904.exe
        6⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:1888
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-62539.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-62539.exe
        7⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:648
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-1686.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-1686.exe
        8⤵
        System Location Discovery: System Language Discovery
        
        PID:2476
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-37375.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-37375.exe
        9⤵
        System Location Discovery: System Language Discovery
        
        PID:3084
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3084 -s 208
        10⤵
        
        PID:5028
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2476 -s 212
        9⤵
        
        PID:4280
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 648 -s 232
        8⤵
        Program crash
        
        PID:3724
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-22680.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-22680.exe
        7⤵
        System Location Discovery: System Language Discovery
        
        PID:2712
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-41228.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-41228.exe
        8⤵
        System Location Discovery: System Language Discovery
        
        PID:3408
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-29909.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-29909.exe
        9⤵
        
        PID:4528
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3408 -s 212
        9⤵
        
        PID:5720
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2712 -s 212
        8⤵
        
        PID:4356
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1888 -s 236
        7⤵
        Program crash
        
        PID:3912
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2536 -s 216
        6⤵
        Program crash
        
        PID:2728
    - - C:\Users\Admin\AppData\Local\Temp\Unicorn-40520.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-40520.exe
        5⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2128
      - C:\Users\Admin\AppData\Local\Temp\Unicorn-59070.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-59070.exe
        6⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2380
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-13011.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-13011.exe
        7⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2956
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-42546.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-42546.exe
        8⤵
        System Location Discovery: System Language Discovery
        
        PID:3048
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-56253.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-56253.exe
        9⤵
        
        PID:3572
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-60520.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-60520.exe
        10⤵
        
        PID:5984
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-60671.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-60671.exe
        11⤵
        System Location Discovery: System Language Discovery
        
        PID:5652
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3572 -s 212
        10⤵
        
        PID:5292
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3048 -s 212
        9⤵
        
        PID:4968
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2956 -s 232
        8⤵
        Program crash
        
        PID:3904
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-22680.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-22680.exe
        7⤵
        
        PID:2648
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-41228.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-41228.exe
        8⤵
        System Location Discovery: System Language Discovery
        
        PID:3432
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-46317.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-46317.exe
        9⤵
        
        PID:2284
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3432 -s 212
        9⤵
        
        PID:5508
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2648 -s 212
        8⤵
        
        PID:4348
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2380 -s 236
        7⤵
        Program crash
        
        PID:3896
      - C:\Users\Admin\AppData\Local\Temp\Unicorn-26664.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-26664.exe
        6⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2316
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-882.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-882.exe
        7⤵
        
        PID:2288
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-17518.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-17518.exe
        8⤵
        System Location Discovery: System Language Discovery
        
        PID:3508
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3508 -s 236
        9⤵
        
        PID:2460
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2288 -s 212
        8⤵
        
        PID:4428
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2316 -s 232
        7⤵
        Program crash
        
        PID:3528
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2128 -s 236
        6⤵
        Program crash
        
        PID:2124
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3036 -s 236
        5⤵
        Program crash
        
        PID:760
  - - C:\Users\Admin\AppData\Local\Temp\Unicorn-10469.exe
      C:\Users\Admin\AppData\Local\Temp\Unicorn-10469.exe
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Suspicious use of SetWindowsHookEx
      PID:1632
    - - C:\Users\Admin\AppData\Local\Temp\Unicorn-60910.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-60910.exe
        5⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1500
      - C:\Users\Admin\AppData\Local\Temp\Unicorn-4773.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-4773.exe
        6⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1664
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-33761.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-33761.exe
        7⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2664
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-18998.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-18998.exe
        8⤵
        
        PID:1836
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-49583.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-49583.exe
        9⤵
        
        PID:3516
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-46363.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-46363.exe
        10⤵
        
        PID:4752
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3516 -s 212
        10⤵
        
        PID:5408
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1836 -s 232
        9⤵
        
        PID:3484
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2664 -s 232
        8⤵
        Program crash
        
        PID:3060
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-33174.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-33174.exe
        7⤵
        
        PID:2132
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-52385.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-52385.exe
        8⤵
        System Location Discovery: System Language Discovery
        
        PID:3332
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-46363.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-46363.exe
        9⤵
        
        PID:4760
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3332 -s 212
        9⤵
        
        PID:5384
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2132 -s 232
        8⤵
        Program crash
        
        PID:4068
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1664 -s 236
        7⤵
        Program crash
        
        PID:2640
      - C:\Users\Admin\AppData\Local\Temp\Unicorn-16967.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-16967.exe
        6⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2560
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-28901.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-28901.exe
        7⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:668
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 668 -s 200
        8⤵
        Program crash
        
        PID:2528
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2560 -s 232
        7⤵
        Program crash
        
        PID:3144
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1500 -s 236
        6⤵
        Program crash
        
        PID:2140
    - - C:\Users\Admin\AppData\Local\Temp\Unicorn-22951.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-22951.exe
        5⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:1760
      - C:\Users\Admin\AppData\Local\Temp\Unicorn-36309.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-36309.exe
        6⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1324
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-12668.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-12668.exe
        7⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:3052
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-57614.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-57614.exe
        8⤵
        System Location Discovery: System Language Discovery
        
        PID:3640
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-46363.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-46363.exe
        9⤵
        System Location Discovery: System Language Discovery
        
        PID:4808
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-37869.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-37869.exe
        10⤵
        
        PID:3340
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3640 -s 232
        9⤵
        
        PID:5424
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3052 -s 212
        8⤵
        
        PID:3832
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1324 -s 232
        7⤵
        Program crash
        
        PID:2952
      - C:\Users\Admin\AppData\Local\Temp\Unicorn-2567.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-2567.exe
        6⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2620
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-37658.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-37658.exe
        7⤵
        
        PID:3488
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-46363.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-46363.exe
        8⤵
        
        PID:4824
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3488 -s 212
        8⤵
        
        PID:5416
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2620 -s 232
        7⤵
        
        PID:3404
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1760 -s 236
        6⤵
        Program crash
        
        PID:924
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1632 -s 236
        5⤵
        Program crash
        
        PID:2720
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 2260 -s 236
      4⤵
      Loads dropped DLL
      Program crash
      PID:396
- - C:\Users\Admin\AppData\Local\Temp\Unicorn-38022.exe
    C:\Users\Admin\AppData\Local\Temp\Unicorn-38022.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:2708
  - - C:\Users\Admin\AppData\Local\Temp\Unicorn-30335.exe
      C:\Users\Admin\AppData\Local\Temp\Unicorn-30335.exe
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Suspicious use of SetWindowsHookEx
      PID:1644
    - - C:\Users\Admin\AppData\Local\Temp\Unicorn-21736.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-21736.exe
        5⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2680
      - C:\Users\Admin\AppData\Local\Temp\Unicorn-62770.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-62770.exe
        6⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1712
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-60022.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-60022.exe
        7⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:1728
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-21546.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-21546.exe
        8⤵
        
        PID:332
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-34062.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-34062.exe
        9⤵
        System Location Discovery: System Language Discovery
        
        PID:3592
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-46363.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-46363.exe
        10⤵
        System Location Discovery: System Language Discovery
        
        PID:4860
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3592 -s 232
        10⤵
        
        PID:5368
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 332 -s 232
        9⤵
        
        PID:3820
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1728 -s 232
        8⤵
        Program crash
        
        PID:2860
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-46709.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-46709.exe
        7⤵
        
        PID:2408
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-48329.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-48329.exe
        8⤵
        
        PID:3976
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-46363.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-46363.exe
        9⤵
        System Location Discovery: System Language Discovery
        
        PID:4788
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3976 -s 212
        9⤵
        
        PID:5448
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2408 -s 232
        8⤵
        
        PID:4124
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1712 -s 236
        7⤵
        Program crash
        
        PID:3556
      - C:\Users\Admin\AppData\Local\Temp\Unicorn-64827.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-64827.exe
        6⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2800
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-38277.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-38277.exe
        7⤵
        
        PID:2312
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-41228.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-41228.exe
        8⤵
        
        PID:3424
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3424 -s 216
        9⤵
        
        PID:5016
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2312 -s 232
        8⤵
        
        PID:4380
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2800 -s 232
        7⤵
        Program crash
        
        PID:3776
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2680 -s 236
        6⤵
        Program crash
        
        PID:2924
    - - C:\Users\Admin\AppData\Local\Temp\Unicorn-19879.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-19879.exe
        5⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2468
      - C:\Users\Admin\AppData\Local\Temp\Unicorn-62539.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-62539.exe
        6⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:1032
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-42546.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-42546.exe
        7⤵
        
        PID:2252
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-31796.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-31796.exe
        8⤵
        
        PID:4048
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-43172.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-43172.exe
        9⤵
        
        PID:4928
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4048 -s 232
        9⤵
        
        PID:5484
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2252 -s 212
        8⤵
        
        PID:4208
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1032 -s 212
        7⤵
        Program crash
        
        PID:3580
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2468 -s 212
        6⤵
        Program crash
        
        PID:2632
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1644 -s 236
        5⤵
        Program crash
        
        PID:2628
  - - C:\Users\Admin\AppData\Local\Temp\Unicorn-57843.exe
      C:\Users\Admin\AppData\Local\Temp\Unicorn-57843.exe
      4⤵
      Executes dropped EXE
      Suspicious use of SetWindowsHookEx
      PID:2276
    - - C:\Users\Admin\AppData\Local\Temp\Unicorn-9402.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-9402.exe
        5⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2248
      - C:\Users\Admin\AppData\Local\Temp\Unicorn-19156.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-19156.exe
        6⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2792
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-37680.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-37680.exe
        7⤵
        
        PID:2168
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-8767.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-8767.exe
        8⤵
        System Location Discovery: System Language Discovery
        
        PID:3888
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-50364.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-50364.exe
        9⤵
        
        PID:4892
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3888 -s 232
        9⤵
        
        PID:5400
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2168 -s 232
        8⤵
        
        PID:4108
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2792 -s 232
        7⤵
        Program crash
        
        PID:3392
      - C:\Users\Admin\AppData\Local\Temp\Unicorn-40564.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-40564.exe
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:1628
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-24438.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-24438.exe
        7⤵
        System Location Discovery: System Language Discovery
        
        PID:3200
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-10631.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-10631.exe
        8⤵
        
        PID:2148
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3200 -s 232
        8⤵
        
        PID:5744
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1628 -s 212
        7⤵
        
        PID:4288
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2248 -s 236
        6⤵
        Program crash
        
        PID:3668
    - - C:\Users\Admin\AppData\Local\Temp\Unicorn-42673.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-42673.exe
        5⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:916
      - C:\Users\Admin\AppData\Local\Temp\Unicorn-41918.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-41918.exe
        6⤵
        
        PID:1700
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-41228.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-41228.exe
        7⤵
        
        PID:3452
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-1472.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-1472.exe
        8⤵
        System Location Discovery: System Language Discovery
        
        PID:2424
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3452 -s 212
        8⤵
        
        PID:5788
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1700 -s 212
        7⤵
        
        PID:4372
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 916 -s 212
        6⤵
        Program crash
        
        PID:3920
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2276 -s 236
        5⤵
        Program crash
        
        PID:2968
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 2708 -s 236
      4⤵
      Program crash
      PID:1092
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2272 -s 236
    3⤵
    - Loads dropped DLL
    - Program crash
    PID:2780
- C:\Users\Admin\AppData\Local\Temp\Unicorn-18425.exe
  C:\Users\Admin\AppData\Local\Temp\Unicorn-18425.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2208
- - C:\Users\Admin\AppData\Local\Temp\Unicorn-52268.exe
    C:\Users\Admin\AppData\Local\Temp\Unicorn-52268.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:2652
  - - C:\Users\Admin\AppData\Local\Temp\Unicorn-17883.exe
      C:\Users\Admin\AppData\Local\Temp\Unicorn-17883.exe
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:2552
    - - C:\Users\Admin\AppData\Local\Temp\Unicorn-39836.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-39836.exe
        5⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2776
      - C:\Users\Admin\AppData\Local\Temp\Unicorn-57736.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-57736.exe
        6⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:768
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-45888.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-45888.exe
        7⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:788
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-31391.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-31391.exe
        8⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1704
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-58529.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-58529.exe
        9⤵
        System Location Discovery: System Language Discovery
        
        PID:3292
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-46363.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-46363.exe
        10⤵
        System Location Discovery: System Language Discovery
        
        PID:4836
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3292 -s 212
        10⤵
        
        PID:5332
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1704 -s 212
        9⤵
        Program crash
        
        PID:3996
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 788 -s 232
        8⤵
        Program crash
        
        PID:2556
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-6232.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-6232.exe
        7⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:1672
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-62025.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-62025.exe
        8⤵
        System Location Discovery: System Language Discovery
        
        PID:2572
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-60721.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-60721.exe
        9⤵
        
        PID:3636
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-43168.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-43168.exe
        10⤵
        System Location Discovery: System Language Discovery
        
        PID:6024
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-63719.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-63719.exe
        11⤵
        
        PID:4512
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3636 -s 232
        10⤵
        
        PID:5348
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2572 -s 212
        9⤵
        
        PID:4988
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1672 -s 212
        8⤵
        Program crash
        
        PID:4092
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 768 -s 236
        7⤵
        Program crash
        
        PID:1884
      - C:\Users\Admin\AppData\Local\Temp\Unicorn-33827.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-33827.exe
        6⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:1136
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-34588.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-34588.exe
        7⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2112
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-33215.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-33215.exe
        8⤵
        
        PID:3216
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-46363.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-46363.exe
        9⤵
        System Location Discovery: System Language Discovery
        
        PID:4844
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-55414.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-55414.exe
        10⤵
        
        PID:3228
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3216 -s 212
        9⤵
        
        PID:5352
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2112 -s 232
        8⤵
        Program crash
        
        PID:3752
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1136 -s 232
        7⤵
        Program crash
        
        PID:2748
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2776 -s 236
        6⤵
        Program crash
        
        PID:1584
    - - C:\Users\Admin\AppData\Local\Temp\Unicorn-24689.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-24689.exe
        5⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2196
      - C:\Users\Admin\AppData\Local\Temp\Unicorn-53693.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-53693.exe
        6⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2992
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-7540.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-7540.exe
        7⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1804
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-57047.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-57047.exe
        8⤵
        
        PID:1164
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-8849.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-8849.exe
        9⤵
        System Location Discovery: System Language Discovery
        
        PID:3704
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-36753.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-36753.exe
        10⤵
        
        PID:5308
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3704 -s 232
        10⤵
        
        PID:6080
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1164 -s 212
        9⤵
        
        PID:4532
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1804 -s 232
        8⤵
        Program crash
        
        PID:3664
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2992 -s 232
        7⤵
        Program crash
        
        PID:2488
      - C:\Users\Admin\AppData\Local\Temp\Unicorn-33279.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-33279.exe
        6⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1864
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-41484.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-41484.exe
        7⤵
        
        PID:1796
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-46363.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-46363.exe
        8⤵
        
        PID:4776
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1796 -s 212
        8⤵
        
        PID:5376
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1864 -s 212
        7⤵
        Program crash
        
        PID:3748
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2196 -s 236
        6⤵
        Program crash
        
        PID:1688
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2552 -s 236
        5⤵
        Program crash
        
        PID:2236
  - - C:\Users\Admin\AppData\Local\Temp\Unicorn-8538.exe
      C:\Users\Admin\AppData\Local\Temp\Unicorn-8538.exe
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious use of SetWindowsHookEx
      PID:1784
    - - C:\Users\Admin\AppData\Local\Temp\Unicorn-43948.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-43948.exe
        5⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2188
      - C:\Users\Admin\AppData\Local\Temp\Unicorn-5338.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-5338.exe
        6⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2760
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-50331.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-50331.exe
        7⤵
        
        PID:2280
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-10013.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-10013.exe
        8⤵
        
        PID:3364
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-46363.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-46363.exe
        9⤵
        
        PID:4852
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3364 -s 212
        9⤵
        
        PID:5340
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2280 -s 232
        8⤵
        
        PID:4076
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2760 -s 212
        7⤵
        Program crash
        
        PID:2200
      - C:\Users\Admin\AppData\Local\Temp\Unicorn-27393.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-27393.exe
        6⤵
        
        PID:1968
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-55881.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-55881.exe
        7⤵
        
        PID:112
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-29044.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-29044.exe
        8⤵
        System Location Discovery: System Language Discovery
        
        PID:3552
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-4544.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-4544.exe
        9⤵
        System Location Discovery: System Language Discovery
        
        PID:5060
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-63267.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-63267.exe
        10⤵
        
        PID:5616
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3552 -s 232
        9⤵
        
        PID:5828
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 112 -s 232
        8⤵
        
        PID:4504
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1968 -s 232
        7⤵
        Program crash
        
        PID:3268
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2188 -s 236
        6⤵
        Program crash
        
        PID:2936
    - - C:\Users\Admin\AppData\Local\Temp\Unicorn-13895.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-13895.exe
        5⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2856
      - C:\Users\Admin\AppData\Local\Temp\Unicorn-7959.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-7959.exe
        6⤵
        
        PID:1188
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-64833.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-64833.exe
        7⤵
        System Location Discovery: System Language Discovery
        
        PID:3824
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-46363.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-46363.exe
        8⤵
        
        PID:4732
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3824 -s 232
        8⤵
        
        PID:5456
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1188 -s 212
        7⤵
        
        PID:3168
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2856 -s 232
        6⤵
        Program crash
        
        PID:3272
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1784 -s 236
        5⤵
        Program crash
        
        PID:1956
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 2652 -s 236
      4⤵
      Loads dropped DLL
      Program crash
      PID:2484
- - C:\Users\Admin\AppData\Local\Temp\Unicorn-57934.exe
    C:\Users\Admin\AppData\Local\Temp\Unicorn-57934.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of SetWindowsHookEx
    PID:2568
  - - C:\Users\Admin\AppData\Local\Temp\Unicorn-27273.exe
      C:\Users\Admin\AppData\Local\Temp\Unicorn-27273.exe
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious use of SetWindowsHookEx
      PID:2224
    - - C:\Users\Admin\AppData\Local\Temp\Unicorn-59677.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-59677.exe
        5⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1648
      - C:\Users\Admin\AppData\Local\Temp\Unicorn-33237.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-33237.exe
        6⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2184
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-28901.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-28901.exe
        7⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2220
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2220 -s 200
        8⤵
        Program crash
        
        PID:1096
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2184 -s 212
        7⤵
        Program crash
        
        PID:3152
      - C:\Users\Admin\AppData\Local\Temp\Unicorn-2891.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-2891.exe
        6⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2692
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-3151.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-3151.exe
        7⤵
        System Location Discovery: System Language Discovery
        
        PID:3740
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-46363.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-46363.exe
        8⤵
        System Location Discovery: System Language Discovery
        
        PID:4744
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3740 -s 232
        8⤵
        
        PID:5440
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2692 -s 232
        7⤵
        
        PID:3612
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1648 -s 236
        6⤵
        Program crash
        
        PID:3104
    - - C:\Users\Admin\AppData\Local\Temp\Unicorn-16443.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-16443.exe
        5⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1460
      - C:\Users\Admin\AppData\Local\Temp\Unicorn-22433.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-22433.exe
        6⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2532
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-797.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-797.exe
        7⤵
        System Location Discovery: System Language Discovery
        
        PID:3412
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-46363.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-46363.exe
        8⤵
        System Location Discovery: System Language Discovery
        
        PID:4800
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3412 -s 212
        8⤵
        
        PID:5360
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2532 -s 212
        7⤵
        
        PID:3076
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1460 -s 232
        6⤵
        Program crash
        
        PID:2268
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2224 -s 236
        5⤵
        Program crash
        
        PID:3044
  - - C:\Users\Admin\AppData\Local\Temp\Unicorn-26023.exe
      C:\Users\Admin\AppData\Local\Temp\Unicorn-26023.exe
      4⤵
      Executes dropped EXE
      Suspicious use of SetWindowsHookEx
      PID:1652
    - - C:\Users\Admin\AppData\Local\Temp\Unicorn-17651.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-17651.exe
        5⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2016
      - C:\Users\Admin\AppData\Local\Temp\Unicorn-61369.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-61369.exe
        6⤵
        
        PID:1496
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-62649.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-62649.exe
        7⤵
        
        PID:3188
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-46363.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-46363.exe
        8⤵
        
        PID:4768
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3188 -s 212
        8⤵
        
        PID:5392
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1496 -s 212
        7⤵
        Program crash
        
        PID:3928
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2016 -s 232
        6⤵
        Program crash
        
        PID:2868
    - - C:\Users\Admin\AppData\Local\Temp\Unicorn-62718.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-62718.exe
        5⤵
        
        PID:2100
      - C:\Users\Admin\AppData\Local\Temp\Unicorn-8767.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-8767.exe
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:3880
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-50364.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-50364.exe
        7⤵
        System Location Discovery: System Language Discovery
        
        PID:4916
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3880 -s 212
        7⤵
        
        PID:5476
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2100 -s 212
        6⤵
        
        PID:4100
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1652 -s 236
        5⤵
        Program crash
        
        PID:3444
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 2568 -s 236
      4⤵
      Program crash
      PID:2752
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2208 -s 236
    3⤵
    - Loads dropped DLL
    - Program crash
    PID:1372
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 1820 -s 236
  2⤵
  - Program crash
  PID:3004

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\Unicorn-17883.exe

Filesize
468KB

MD5
1c62c26855bf50107b4ecf47f1392f15

SHA1
cc042e73a3693f106f577081a76b134c1ea79a86

SHA256
e34a9aaf2757fb1ad19318b25bbda100d1d743cab62a775eade59ffa8268556a

SHA512
922b5735e8b50309c6ab645197046f10b5ddd8b4b5b6a8a07e5c7b23667fac1405b5ea1dbb5bfd80785cf938b6371b900ff138be5150e86156030d9349b90eef

Download Submit
C:\Users\Admin\AppData\Local\Temp\Unicorn-18425.exe

Filesize
468KB

MD5
71de4f1258b294ee306178fa20b99b1b

SHA1
e475c66dd88256b0bbd9cdd3d5537c01855f73dc

SHA256
894f46a46881030a05850664b101fcc7357905a5ae93a94737697337490e171a

SHA512
25eebea716736ea55c2df9044e16b695a96d1e0f082b9679f54523e8cff184f9af0804175aa1b43d3332663408259d1db73d352055b0fcb69394cec91cb73ae9

Download Submit
C:\Users\Admin\AppData\Local\Temp\Unicorn-6824.exe

Filesize
468KB

MD5
58440e78df5478b6bedb5746c36dde2b

SHA1
e18a2cbe42ff16ef4d06cae5ae2734d19ef3bca7

SHA256
ab58146025d704d3a0a92bd2d9ab34fa93098e1877938fd389ec28f2d6ad38c8

SHA512
80a48a2822089645c5c7e4dcc434b330a79d360f5869f49fcf3edba03e3002df4922490265216351efe15c267cc835ea50a0a64ae96dfb54b3a93eb343b43d3f

Download Submit
\Users\Admin\AppData\Local\Temp\Unicorn-10469.exe

Filesize
468KB

MD5
a0b7b120d18acd472363ce9054fc34d1

SHA1
28d8cb4b66ce662a6ca6dceddb6fbf6b890fef0d

SHA256
b4f6dd519dcc427bc83743badd0a90ea0903e8ff3cdae20ed50fd5dd5eaf4cef

SHA512
7c85d42b916a24c1207a300aa8337c2620b6620d5eafab058fddb71ac53340945d7f3d9fb2f0b97e5a1dfe2c403034a6fe67a27d6933fdadcd5a562bdc488dae

Download Submit
\Users\Admin\AppData\Local\Temp\Unicorn-12262.exe

Filesize
468KB

MD5
fb39d5b77166742d47af6486b1980b1d

SHA1
a0eef0332fcd51635514932bbc4dea0e7c0c56c4

SHA256
fc7c94e1c667a5124fc82520e72e74caafd663390fbcf8c471b1d03fbfdfa664

SHA512
8477e2b639bcf46cd30fb1e9190eb70892ae3386afc1a190781642ba6e348764b0335bf4aa6e68c18985edd820d5d653b44f8b0763c192f6dd4511e16be1fe71

Download Submit
\Users\Admin\AppData\Local\Temp\Unicorn-16481.exe

Filesize
468KB

MD5
fa6bcd8ac9f32ace230c41f857186616

SHA1
9205df9c7fd495fbb76c7ad4509677b426941c8e

SHA256
645883089b64b0fb1b6b5b7aae4187a5bb80194dd4e33d236fe6f88c24c422af

SHA512
246f0dc1372266ceddab2b829de6c1b779470997860d1d4e2865e043ecc11f7eb2c241a9dbcbf1b00eb9aeb9d18692c770d7eedf2bdccf5b403639c293106b16

Download Submit
\Users\Admin\AppData\Local\Temp\Unicorn-30335.exe

Filesize
468KB

MD5
3c7ad057996a6677433f453f27b619f5

SHA1
8cfef997c5a61686a0606941fd755a9047d6d07e

SHA256
91481cac17b4fa732276e70e90fb7375c3ecc59d70fe090394cbf49f84b52875

SHA512
e78581cac3b58a99db9f9f9b4ed74740fd250fb6bfdb1569767b25916950697ca17e5520aa484d8c9083abde2195198b37b528f455fbe8132da36df2ac66392a

Download Submit
\Users\Admin\AppData\Local\Temp\Unicorn-38022.exe

Filesize
468KB

MD5
51f55b90e74c414efc30eb9e30ac907f

SHA1
76288663cea119dbe7b5c4e54aa5d791160bb968

SHA256
1fb15ec7e6b522c7d97737693f5da576e2a87ca12082d570c8646f0c7c585cd5

SHA512
b2aed1054f534ebbd20cae417451bb0f2323a2379eb7de1d39d722597d381133ae97d597e346dd5dfd7912f37d97c9509a71b441c51f69082582ffee598ed4a7

Download Submit
\Users\Admin\AppData\Local\Temp\Unicorn-39836.exe

Filesize
468KB

MD5
333e70cf9469fc2d27802430cf9c7ecb

SHA1
a880c3c6653fb2174c27f678534adefac0f5c25b

SHA256
bf34e923e965245140dff88a8902a00a578187d619ca8e22d49a6d42490bf004

SHA512
5df5352eec258f1bc00815b0bef891cfeafb74cd757d134f3d67149185ce274a97890514367a2cde661af4248907a3769f15f10cdf5cafd1edb314469c859686

Download Submit
\Users\Admin\AppData\Local\Temp\Unicorn-42868.exe

Filesize
468KB

MD5
277a56970b7b4480051afd3d882c6627

SHA1
e82f2f600f49ad11e97ed178d6a7f7d928c57129

SHA256
2388654134b17382e2d76921c264d7933811885454236122d364acb00e9ac578

SHA512
d444f53443885b3787ac0cd9350789e2321129e3cb2476c87d847d6a9a0311a14d90d669ab90a0cbd3f59d0bf09046c71eced363d4a0c918a6e1438ffcb4fb8a

Download Submit
\Users\Admin\AppData\Local\Temp\Unicorn-52268.exe

Filesize
468KB

MD5
6ea49e322f6456c55a1ed3a98a8422f5

SHA1
5d517876c15d1fd68087d4c276472bc4b7be1594

SHA256
02f03d4f35360937721bcc10c5f94370ed4a10deaba39b930547c4f20f5f1977

SHA512
a09892affacec2d0e69c9fc6a45d333861a6e54ba328644b9ceefccab555598f948303672ec343724b510a76d618def1a2b8a05d30159d1c2b07bb40cac0d760

Download Submit
\Users\Admin\AppData\Local\Temp\Unicorn-57934.exe

Filesize
468KB

MD5
25fefdde9c8a12d53ca86e3e28ee4f68

SHA1
dbd79646eaf6b8c4079e41c8d1edafd73f1c9011

SHA256
48d1743cf98d98ed8e104064d36c3fe4f7a1d8b23f67c6049328430e3c778ddf

SHA512
786eda15428e3f448655d97bfcd78c349aab13a9b26c186b1ddd018e758baf1b6987d7ce8c27aed27cdb902d886344c6a5e5bb9285e3701fa0f85fb345fc8207

Download Submit