fa40242036b89972e435879eaa983b8a28c2d4142f11928d95deed89227404f3

Analysis

max time kernel
120s
max time network
17s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
19/09/2024, 15:15

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

fa40242036b89972e435879eaa983b8a28c2d4142f11928d95deed89227404f3N.exe
Size

184KB
MD5

091916fac61f59e6ca6caabae91dbc20
SHA1

afaf1e9a08bc2e1c9b8194e856d29e119e00a054
SHA256

fa40242036b89972e435879eaa983b8a28c2d4142f11928d95deed89227404f3
SHA512

90c725a5a62647326ef41317293550facb6b803beff29e55fc961ee0fee24a3e8c3b9982cf83e8f618416be7a10acf66b32706080eed9ea54ddb57eee142e5b7
SSDEEP

3072:SVa/kvoEei8/wrYmep1Gr6PLIdlR6uTfJGEkx59tUKBblnkOFfnv:SVto94rYhGuPLI1cZHblnkOFf

Score

7^/10

discovery

Malware Config

Signatures

Executes dropped EXE 64 IoCs

pid	Process
1372	Unicorn-43420.exe
2924	Unicorn-11754.exe
2204	Unicorn-57426.exe
2820	Unicorn-3368.exe
2680	Unicorn-3368.exe
2848	Unicorn-36787.exe
2676	Unicorn-37468.exe
2068	Unicorn-13326.exe
1212	Unicorn-29108.exe
1792	Unicorn-54359.exe
1628	Unicorn-8687.exe
2280	Unicorn-59087.exe
2876	Unicorn-47390.exe
1892	Unicorn-10270.exe
1996	Unicorn-43497.exe
668	Unicorn-59279.exe
2956	Unicorn-1910.exe
1156	Unicorn-35329.exe
380	Unicorn-39902.exe
1248	Unicorn-7976.exe
1724	Unicorn-27842.exe
772	Unicorn-53093.exe
1744	Unicorn-36010.exe
1420	Unicorn-62221.exe
304	Unicorn-11396.exe
572	Unicorn-12465.exe
752	Unicorn-24203.exe
896	Unicorn-44069.exe
2976	Unicorn-19565.exe
1520	Unicorn-960.exe
2244	Unicorn-60872.exe
2684	Unicorn-65511.exe
3048	Unicorn-23924.exe
2832	Unicorn-37292.exe
2632	Unicorn-37846.exe
2208	Unicorn-8703.exe
2764	Unicorn-57904.exe
2376	Unicorn-49160.exe
1676	Unicorn-37462.exe
1832	Unicorn-65496.exe
1736	Unicorn-898.exe
1256	Unicorn-20764.exe
2904	Unicorn-57520.exe
2360	Unicorn-53436.exe
2080	Unicorn-37654.exe
1268	Unicorn-1858.exe
2020	Unicorn-50867.exe
908	Unicorn-17147.exe
1708	Unicorn-21785.exe
1448	Unicorn-14577.exe
1956	Unicorn-42611.exe
2300	Unicorn-59139.exe
2324	Unicorn-31105.exe
2252	Unicorn-38697.exe
2712	Unicorn-46311.exe
2368	Unicorn-64546.exe
2572	Unicorn-27235.exe
3012	Unicorn-6814.exe
2444	Unicorn-19067.exe
2372	Unicorn-30250.exe
2544	Unicorn-54925.exe
2860	Unicorn-26144.exe
2732	Unicorn-59201.exe
2916	Unicorn-58646.exe

Loads dropped DLL 64 IoCs

pid	Process
2380	fa40242036b89972e435879eaa983b8a28c2d4142f11928d95deed89227404f3N.exe
2380	fa40242036b89972e435879eaa983b8a28c2d4142f11928d95deed89227404f3N.exe
1372	Unicorn-43420.exe
1372	Unicorn-43420.exe
2380	fa40242036b89972e435879eaa983b8a28c2d4142f11928d95deed89227404f3N.exe
2380	fa40242036b89972e435879eaa983b8a28c2d4142f11928d95deed89227404f3N.exe
2204	Unicorn-57426.exe
2924	Unicorn-11754.exe
2924	Unicorn-11754.exe
2204	Unicorn-57426.exe
1372	Unicorn-43420.exe
1372	Unicorn-43420.exe
1912	WerFault.exe
1912	WerFault.exe
1912	WerFault.exe
1912	WerFault.exe
1912	WerFault.exe
2820	Unicorn-3368.exe
2820	Unicorn-3368.exe
2924	Unicorn-11754.exe
2680	Unicorn-3368.exe
2924	Unicorn-11754.exe
2680	Unicorn-3368.exe
2848	Unicorn-36787.exe
2204	Unicorn-57426.exe
2848	Unicorn-36787.exe
2204	Unicorn-57426.exe
1916	WerFault.exe
1964	WerFault.exe
1916	WerFault.exe
1964	WerFault.exe
1916	WerFault.exe
1916	WerFault.exe
1964	WerFault.exe
1964	WerFault.exe
1916	WerFault.exe
1964	WerFault.exe
2676	Unicorn-37468.exe
2676	Unicorn-37468.exe
2820	Unicorn-3368.exe
2820	Unicorn-3368.exe
2068	Unicorn-13326.exe
2068	Unicorn-13326.exe
2680	Unicorn-3368.exe
2680	Unicorn-3368.exe
1792	Unicorn-54359.exe
1792	Unicorn-54359.exe
1628	Unicorn-8687.exe
1628	Unicorn-8687.exe
2848	Unicorn-36787.exe
2848	Unicorn-36787.exe
1796	WerFault.exe
1796	WerFault.exe
1796	WerFault.exe
1796	WerFault.exe
1796	WerFault.exe
2532	WerFault.exe
2532	WerFault.exe
2532	WerFault.exe
2532	WerFault.exe
2532	WerFault.exe
1840	WerFault.exe
1840	WerFault.exe
1840	WerFault.exe

Program crash 64 IoCs

pid	pid_target	Process	procid_target
2808	2380	WerFault.exe	30
1912	1372	WerFault.exe	31
1964	2924	WerFault.exe	32
1916	2204	WerFault.exe	33
1796	2820	WerFault.exe	36
2532	2680	WerFault.exe	35
1840	2848	WerFault.exe	37
2516	2676	WerFault.exe	39
1572	1212	WerFault.exe	41
2172	2068	WerFault.exe	40
2436	1792	WerFault.exe	43
2564	1628	WerFault.exe	42
1944	2280	WerFault.exe	46
1296	2876	WerFault.exe	47
108	1892	WerFault.exe	48
1680	1996	WerFault.exe	49
2256	668	WerFault.exe	50
644	2956	WerFault.exe	51
2420	1156	WerFault.exe	52
1052	1832	WerFault.exe	82
2092	772	WerFault.exe	59
1436	1248	WerFault.exe	57
1988	1724	WerFault.exe	58
2032	380	WerFault.exe	56
1472	752	WerFault.exe	64
2752	2976	WerFault.exe	66
1844	1420	WerFault.exe	61
1780	1520	WerFault.exe	67
1244	304	WerFault.exe	62
584	896	WerFault.exe	65
448	572	WerFault.exe	63
1016	1448	WerFault.exe	96
2660	2080	WerFault.exe	87
3080	1268	WerFault.exe	88
3116	2324	WerFault.exe	102
3168	1744	WerFault.exe	60
3176	2376	WerFault.exe	80
3236	2244	WerFault.exe	69
3244	908	WerFault.exe	92
3252	2632	WerFault.exe	77
3308	3048	WerFault.exe	75
3320	912	WerFault.exe	117
3344	2020	WerFault.exe	89
3480	2300	WerFault.exe	101
3548	2252	WerFault.exe	103
3612	2124	WerFault.exe	116
3632	2832	WerFault.exe	76
3648	1256	WerFault.exe	84
3664	2684	WerFault.exe	73
3860	2372	WerFault.exe	109
3976	1708	WerFault.exe	94
4044	1676	WerFault.exe	81
4064	2712	WerFault.exe	104
4072	2444	WerFault.exe	108
3132	2208	WerFault.exe	78
3492	2572	WerFault.exe	106
3592	2904	WerFault.exe	85
3640	2368	WerFault.exe	105
3984	2552	WerFault.exe	128
4000	2860	WerFault.exe	111
3144	2544	WerFault.exe	110
3184	3016	WerFault.exe	118
3192	1736	WerFault.exe	83
340	2764	WerFault.exe	79

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Unicorn-7712.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Unicorn-53436.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Unicorn-41226.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Unicorn-20711.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Unicorn-37073.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Unicorn-57904.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Unicorn-59139.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Unicorn-31105.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Unicorn-13636.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Unicorn-53093.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Unicorn-14863.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Unicorn-7124.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Unicorn-23129.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Unicorn-19067.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Unicorn-44640.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Unicorn-29342.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Unicorn-23416.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Unicorn-44607.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Unicorn-13636.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Unicorn-54338.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Unicorn-11754.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Unicorn-14970.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Unicorn-26144.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Unicorn-55190.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Unicorn-7686.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Unicorn-10270.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Unicorn-46311.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Unicorn-6835.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Unicorn-34172.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Unicorn-13636.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Unicorn-29108.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Unicorn-11427.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Unicorn-42993.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Unicorn-65511.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Unicorn-898.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Unicorn-38759.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Unicorn-37468.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Unicorn-9383.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Unicorn-19041.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Unicorn-28810.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Unicorn-3741.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Unicorn-23980.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Unicorn-63872.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Unicorn-39145.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Unicorn-60362.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Unicorn-24172.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Unicorn-8570.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Unicorn-7022.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Unicorn-47536.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Unicorn-20764.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Unicorn-30017.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Unicorn-1910.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Unicorn-11043.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Unicorn-1384.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Unicorn-56077.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Unicorn-47390.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Unicorn-59279.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Unicorn-64308.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Unicorn-3368.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Unicorn-9552.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Unicorn-3549.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Unicorn-14915.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Unicorn-16483.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Unicorn-59087.exe

Suspicious use of SetWindowsHookEx 64 IoCs

pid	Process
2380	fa40242036b89972e435879eaa983b8a28c2d4142f11928d95deed89227404f3N.exe
1372	Unicorn-43420.exe
2924	Unicorn-11754.exe
2204	Unicorn-57426.exe
2820	Unicorn-3368.exe
2680	Unicorn-3368.exe
2848	Unicorn-36787.exe
2676	Unicorn-37468.exe
2068	Unicorn-13326.exe
1212	Unicorn-29108.exe
1792	Unicorn-54359.exe
1628	Unicorn-8687.exe
2280	Unicorn-59087.exe
2876	Unicorn-47390.exe
1892	Unicorn-10270.exe
1996	Unicorn-43497.exe
668	Unicorn-59279.exe
2956	Unicorn-1910.exe
1156	Unicorn-35329.exe
380	Unicorn-39902.exe
1724	Unicorn-27842.exe
1248	Unicorn-7976.exe
772	Unicorn-53093.exe
1744	Unicorn-36010.exe
1420	Unicorn-62221.exe
304	Unicorn-11396.exe
752	Unicorn-24203.exe
2976	Unicorn-19565.exe
572	Unicorn-12465.exe
896	Unicorn-44069.exe
1520	Unicorn-960.exe
2244	Unicorn-60872.exe
2684	Unicorn-65511.exe
3048	Unicorn-23924.exe
2832	Unicorn-37292.exe
2632	Unicorn-37846.exe
2208	Unicorn-8703.exe
2764	Unicorn-57904.exe
2376	Unicorn-49160.exe
1676	Unicorn-37462.exe
1832	Unicorn-65496.exe
2360	Unicorn-53436.exe
1256	Unicorn-20764.exe
1736	Unicorn-898.exe
2904	Unicorn-57520.exe
2080	Unicorn-37654.exe
1268	Unicorn-1858.exe
2020	Unicorn-50867.exe
908	Unicorn-17147.exe
1708	Unicorn-21785.exe
1448	Unicorn-14577.exe
1956	Unicorn-42611.exe
2300	Unicorn-59139.exe
2324	Unicorn-31105.exe
2252	Unicorn-38697.exe
2712	Unicorn-46311.exe
2368	Unicorn-64546.exe
2572	Unicorn-27235.exe
3012	Unicorn-6814.exe
2444	Unicorn-19067.exe
2372	Unicorn-30250.exe
2544	Unicorn-54925.exe
2860	Unicorn-26144.exe
2732	Unicorn-59201.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2380 wrote to memory of 1372	2380	fa40242036b89972e435879eaa983b8a28c2d4142f11928d95deed89227404f3N.exe	31
PID 2380 wrote to memory of 1372	2380	fa40242036b89972e435879eaa983b8a28c2d4142f11928d95deed89227404f3N.exe	31
PID 2380 wrote to memory of 1372	2380	fa40242036b89972e435879eaa983b8a28c2d4142f11928d95deed89227404f3N.exe	31
PID 2380 wrote to memory of 1372	2380	fa40242036b89972e435879eaa983b8a28c2d4142f11928d95deed89227404f3N.exe	31
PID 1372 wrote to memory of 2924	1372	Unicorn-43420.exe	32
PID 1372 wrote to memory of 2924	1372	Unicorn-43420.exe	32
PID 1372 wrote to memory of 2924	1372	Unicorn-43420.exe	32
PID 1372 wrote to memory of 2924	1372	Unicorn-43420.exe	32
PID 2380 wrote to memory of 2204	2380	fa40242036b89972e435879eaa983b8a28c2d4142f11928d95deed89227404f3N.exe	33
PID 2380 wrote to memory of 2204	2380	fa40242036b89972e435879eaa983b8a28c2d4142f11928d95deed89227404f3N.exe	33
PID 2380 wrote to memory of 2204	2380	fa40242036b89972e435879eaa983b8a28c2d4142f11928d95deed89227404f3N.exe	33
PID 2380 wrote to memory of 2204	2380	fa40242036b89972e435879eaa983b8a28c2d4142f11928d95deed89227404f3N.exe	33
PID 2380 wrote to memory of 2808	2380	fa40242036b89972e435879eaa983b8a28c2d4142f11928d95deed89227404f3N.exe	34
PID 2380 wrote to memory of 2808	2380	fa40242036b89972e435879eaa983b8a28c2d4142f11928d95deed89227404f3N.exe	34
PID 2380 wrote to memory of 2808	2380	fa40242036b89972e435879eaa983b8a28c2d4142f11928d95deed89227404f3N.exe	34
PID 2380 wrote to memory of 2808	2380	fa40242036b89972e435879eaa983b8a28c2d4142f11928d95deed89227404f3N.exe	34
PID 2924 wrote to memory of 2820	2924	Unicorn-11754.exe	36
PID 2924 wrote to memory of 2820	2924	Unicorn-11754.exe	36
PID 2924 wrote to memory of 2820	2924	Unicorn-11754.exe	36
PID 2924 wrote to memory of 2820	2924	Unicorn-11754.exe	36
PID 2204 wrote to memory of 2680	2204	Unicorn-57426.exe	35
PID 2204 wrote to memory of 2680	2204	Unicorn-57426.exe	35
PID 2204 wrote to memory of 2680	2204	Unicorn-57426.exe	35
PID 2204 wrote to memory of 2680	2204	Unicorn-57426.exe	35
PID 1372 wrote to memory of 2848	1372	Unicorn-43420.exe	37
PID 1372 wrote to memory of 2848	1372	Unicorn-43420.exe	37
PID 1372 wrote to memory of 2848	1372	Unicorn-43420.exe	37
PID 1372 wrote to memory of 2848	1372	Unicorn-43420.exe	37
PID 1372 wrote to memory of 1912	1372	Unicorn-43420.exe	38
PID 1372 wrote to memory of 1912	1372	Unicorn-43420.exe	38
PID 1372 wrote to memory of 1912	1372	Unicorn-43420.exe	38
PID 1372 wrote to memory of 1912	1372	Unicorn-43420.exe	38
PID 2820 wrote to memory of 2676	2820	Unicorn-3368.exe	39
PID 2820 wrote to memory of 2676	2820	Unicorn-3368.exe	39
PID 2820 wrote to memory of 2676	2820	Unicorn-3368.exe	39
PID 2820 wrote to memory of 2676	2820	Unicorn-3368.exe	39
PID 2924 wrote to memory of 2068	2924	Unicorn-11754.exe	40
PID 2924 wrote to memory of 2068	2924	Unicorn-11754.exe	40
PID 2924 wrote to memory of 2068	2924	Unicorn-11754.exe	40
PID 2924 wrote to memory of 2068	2924	Unicorn-11754.exe	40
PID 2680 wrote to memory of 1212	2680	Unicorn-3368.exe	41
PID 2680 wrote to memory of 1212	2680	Unicorn-3368.exe	41
PID 2680 wrote to memory of 1212	2680	Unicorn-3368.exe	41
PID 2680 wrote to memory of 1212	2680	Unicorn-3368.exe	41
PID 2848 wrote to memory of 1628	2848	Unicorn-36787.exe	42
PID 2848 wrote to memory of 1628	2848	Unicorn-36787.exe	42
PID 2848 wrote to memory of 1628	2848	Unicorn-36787.exe	42
PID 2848 wrote to memory of 1628	2848	Unicorn-36787.exe	42
PID 2204 wrote to memory of 1792	2204	Unicorn-57426.exe	43
PID 2204 wrote to memory of 1792	2204	Unicorn-57426.exe	43
PID 2204 wrote to memory of 1792	2204	Unicorn-57426.exe	43
PID 2204 wrote to memory of 1792	2204	Unicorn-57426.exe	43
PID 2924 wrote to memory of 1964	2924	Unicorn-11754.exe	45
PID 2924 wrote to memory of 1964	2924	Unicorn-11754.exe	45
PID 2924 wrote to memory of 1964	2924	Unicorn-11754.exe	45
PID 2924 wrote to memory of 1964	2924	Unicorn-11754.exe	45
PID 2204 wrote to memory of 1916	2204	Unicorn-57426.exe	44
PID 2204 wrote to memory of 1916	2204	Unicorn-57426.exe	44
PID 2204 wrote to memory of 1916	2204	Unicorn-57426.exe	44
PID 2204 wrote to memory of 1916	2204	Unicorn-57426.exe	44
PID 2676 wrote to memory of 2280	2676	Unicorn-37468.exe	46
PID 2676 wrote to memory of 2280	2676	Unicorn-37468.exe	46
PID 2676 wrote to memory of 2280	2676	Unicorn-37468.exe	46
PID 2676 wrote to memory of 2280	2676	Unicorn-37468.exe	46

C:\Users\Admin\AppData\Local\Temp\fa40242036b89972e435879eaa983b8a28c2d4142f11928d95deed89227404f3N.exe
"C:\Users\Admin\AppData\Local\Temp\fa40242036b89972e435879eaa983b8a28c2d4142f11928d95deed89227404f3N.exe"
1⤵
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2380
- C:\Users\Admin\AppData\Local\Temp\Unicorn-43420.exe
  C:\Users\Admin\AppData\Local\Temp\Unicorn-43420.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:1372
- - C:\Users\Admin\AppData\Local\Temp\Unicorn-11754.exe
    C:\Users\Admin\AppData\Local\Temp\Unicorn-11754.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:2924
  - - C:\Users\Admin\AppData\Local\Temp\Unicorn-3368.exe
      C:\Users\Admin\AppData\Local\Temp\Unicorn-3368.exe
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      System Location Discovery: System Language Discovery
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:2820
    - - C:\Users\Admin\AppData\Local\Temp\Unicorn-37468.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-37468.exe
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:2676
      - C:\Users\Admin\AppData\Local\Temp\Unicorn-59087.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-59087.exe
        6⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2280
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-39902.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-39902.exe
        7⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:380
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-60872.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-60872.exe
        8⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2244
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-17147.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-17147.exe
        9⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:908
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-26550.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-26550.exe
        10⤵
        
        PID:1540
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-26265.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-26265.exe
        11⤵
        
        PID:3772
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-6171.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-6171.exe
        12⤵
        
        PID:4900
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-59693.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-59693.exe
        13⤵
        
        PID:6820
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4900 -s 216
        13⤵
        
        PID:6980
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3772 -s 216
        12⤵
        
        PID:5668
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1540 -s 216
        11⤵
        
        PID:4468
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 908 -s 236
        10⤵
        Program crash
        
        PID:3244
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-23980.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-23980.exe
        9⤵
        System Location Discovery: System Language Discovery
        
        PID:2716
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-2637.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-2637.exe
        10⤵
        
        PID:3736
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-63540.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-63540.exe
        11⤵
        
        PID:4836
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-42542.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-42542.exe
        12⤵
        
        PID:6708
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4836 -s 236
        12⤵
        
        PID:6924
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3736 -s 236
        11⤵
        
        PID:5600
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2716 -s 216
        10⤵
        
        PID:4448
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2244 -s 240
        9⤵
        Program crash
        
        PID:3236
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-21785.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-21785.exe
        8⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1708
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-40001.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-40001.exe
        9⤵
        
        PID:3060
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-14863.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-14863.exe
        10⤵
        System Location Discovery: System Language Discovery
        
        PID:3680
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-40166.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-40166.exe
        11⤵
        
        PID:4220
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-59693.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-59693.exe
        12⤵
        
        PID:6804
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4220 -s 236
        12⤵
        
        PID:6976
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3680 -s 216
        11⤵
        
        PID:5752
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3060 -s 216
        10⤵
        
        PID:4280
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1708 -s 236
        9⤵
        Program crash
        
        PID:3976
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 380 -s 240
        8⤵
        Program crash
        
        PID:2032
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-65511.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-65511.exe
        7⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2684
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-42611.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-42611.exe
        8⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1956
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-50945.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-50945.exe
        9⤵
        
        PID:2424
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-2912.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-2912.exe
        10⤵
        
        PID:3164
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-18725.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-18725.exe
        11⤵
        
        PID:4676
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-44540.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-44540.exe
        12⤵
        
        PID:6480
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4676 -s 236
        12⤵
        
        PID:6624
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3164 -s 236
        11⤵
        
        PID:5464
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2424 -s 216
        10⤵
        
        PID:4256
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-11427.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-11427.exe
        8⤵
        System Location Discovery: System Language Discovery
        
        PID:2952
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2952 -s 240
        9⤵
        
        PID:3884
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2684 -s 240
        8⤵
        Program crash
        
        PID:3664
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2280 -s 240
        7⤵
        Program crash
        
        PID:1944
      - C:\Users\Admin\AppData\Local\Temp\Unicorn-7976.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-7976.exe
        6⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1248
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-14577.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-14577.exe
        7⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1448
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-15449.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-15449.exe
        8⤵
        
        PID:2552
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-28107.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-28107.exe
        9⤵
        
        PID:892
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-41755.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-41755.exe
        10⤵
        
        PID:3840
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-13636.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-13636.exe
        11⤵
        System Location Discovery: System Language Discovery
        
        PID:4856
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-28106.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-28106.exe
        12⤵
        
        PID:7460
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3840 -s 236
        11⤵
        
        PID:5232
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 892 -s 216
        10⤵
        
        PID:4916
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2552 -s 216
        9⤵
        Program crash
        
        PID:3984
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1448 -s 236
        8⤵
        Program crash
        
        PID:1016
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1248 -s 216
        7⤵
        Program crash
        
        PID:1436
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2676 -s 240
        6⤵
        Program crash
        
        PID:2516
    - - C:\Users\Admin\AppData\Local\Temp\Unicorn-47390.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-47390.exe
        5⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2876
      - C:\Users\Admin\AppData\Local\Temp\Unicorn-27842.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-27842.exe
        6⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1724
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-37292.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-37292.exe
        7⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2832
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-59139.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-59139.exe
        8⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2300
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-19041.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-19041.exe
        9⤵
        
        PID:956
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-30733.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-30733.exe
        10⤵
        
        PID:3988
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-7022.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-7022.exe
        11⤵
        System Location Discovery: System Language Discovery
        
        PID:4352
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-40508.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-40508.exe
        12⤵
        
        PID:7108
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4352 -s 216
        12⤵
        
        PID:6652
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3988 -s 236
        11⤵
        
        PID:5792
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 956 -s 216
        10⤵
        
        PID:4740
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2300 -s 216
        9⤵
        Program crash
        
        PID:3480
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-11043.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-11043.exe
        8⤵
        System Location Discovery: System Language Discovery
        
        PID:2448
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-18180.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-18180.exe
        9⤵
        
        PID:3408
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-31636.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-31636.exe
        10⤵
        
        PID:4952
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-28810.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-28810.exe
        11⤵
        System Location Discovery: System Language Discovery
        
        PID:7136
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4952 -s 216
        11⤵
        
        PID:6952
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3408 -s 216
        10⤵
        
        PID:5696
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2448 -s 236
        9⤵
        
        PID:4652
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2832 -s 240
        8⤵
        Program crash
        
        PID:3632
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-31105.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-31105.exe
        7⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2324
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-47738.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-47738.exe
        8⤵
        
        PID:1512
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-13005.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-13005.exe
        9⤵
        
        PID:3388
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-30017.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-30017.exe
        10⤵
        System Location Discovery: System Language Discovery
        
        PID:4544
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-45993.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-45993.exe
        11⤵
        
        PID:6400
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4544 -s 216
        11⤵
        
        PID:6516
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3388 -s 216
        10⤵
        
        PID:5348
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1512 -s 216
        9⤵
        
        PID:4208
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2324 -s 236
        8⤵
        Program crash
        
        PID:3116
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1724 -s 240
        7⤵
        Program crash
        
        PID:1988
      - C:\Users\Admin\AppData\Local\Temp\Unicorn-37846.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-37846.exe
        6⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2632
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-26995.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-26995.exe
        7⤵
        
        PID:2164
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-55922.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-55922.exe
        8⤵
        
        PID:3800
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-38076.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-38076.exe
        9⤵
        
        PID:4804
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-26123.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-26123.exe
        10⤵
        
        PID:6632
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4804 -s 236
        10⤵
        
        PID:6908
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3800 -s 236
        9⤵
        
        PID:5568
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2164 -s 236
        8⤵
        
        PID:4424
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2632 -s 216
        7⤵
        Program crash
        
        PID:3252
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2876 -s 240
        6⤵
        Program crash
        
        PID:1296
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2820 -s 240
        5⤵
        Loads dropped DLL
        Program crash
        
        PID:1796
  - - C:\Users\Admin\AppData\Local\Temp\Unicorn-13326.exe
      C:\Users\Admin\AppData\Local\Temp\Unicorn-13326.exe
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Suspicious use of SetWindowsHookEx
      PID:2068
    - - C:\Users\Admin\AppData\Local\Temp\Unicorn-10270.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-10270.exe
        5⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:1892
      - C:\Users\Admin\AppData\Local\Temp\Unicorn-36010.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-36010.exe
        6⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1744
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-65496.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-65496.exe
        7⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1832
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1832 -s 240
        8⤵
        Program crash
        
        PID:1052
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-64053.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-64053.exe
        7⤵
        
        PID:2168
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-25834.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-25834.exe
        8⤵
        
        PID:3584
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-39145.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-39145.exe
        9⤵
        System Location Discovery: System Language Discovery
        
        PID:4760
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-38759.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-38759.exe
        10⤵
        System Location Discovery: System Language Discovery
        
        PID:6600
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4760 -s 236
        10⤵
        
        PID:7156
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3584 -s 236
        9⤵
        
        PID:5536
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2168 -s 236
        8⤵
        
        PID:4340
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1744 -s 240
        7⤵
        Program crash
        
        PID:3168
      - C:\Users\Admin\AppData\Local\Temp\Unicorn-898.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-898.exe
        6⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:1736
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-51246.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-51246.exe
        7⤵
        
        PID:3016
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-15855.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-15855.exe
        8⤵
        
        PID:1616
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-61791.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-61791.exe
        9⤵
        
        PID:2136
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-1384.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-1384.exe
        10⤵
        System Location Discovery: System Language Discovery
        
        PID:4716
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-54338.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-54338.exe
        11⤵
        
        PID:7660
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2136 -s 216
        10⤵
        
        PID:5292
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1616 -s 216
        9⤵
        
        PID:4860
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3016 -s 216
        8⤵
        Program crash
        
        PID:3184
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-61526.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-61526.exe
        7⤵
        
        PID:3044
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-8506.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-8506.exe
        8⤵
        
        PID:3524
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-13636.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-13636.exe
        9⤵
        
        PID:4644
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-52527.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-52527.exe
        10⤵
        
        PID:7420
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3524 -s 236
        9⤵
        
        PID:5192
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3044 -s 216
        8⤵
        
        PID:4964
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1736 -s 240
        7⤵
        Program crash
        
        PID:3192
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1892 -s 240
        6⤵
        Program crash
        
        PID:108
    - - C:\Users\Admin\AppData\Local\Temp\Unicorn-62221.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-62221.exe
        5⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1420
      - C:\Users\Admin\AppData\Local\Temp\Unicorn-49160.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-49160.exe
        6⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2376
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-58646.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-58646.exe
        7⤵
        
        PID:1300
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-55190.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-55190.exe
        8⤵
        System Location Discovery: System Language Discovery
        
        PID:3512
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-14064.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-14064.exe
        9⤵
        
        PID:4508
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-7124.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-7124.exe
        10⤵
        System Location Discovery: System Language Discovery
        
        PID:6284
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4508 -s 216
        10⤵
        
        PID:7024
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3512 -s 236
        9⤵
        
        PID:5304
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1300 -s 236
        8⤵
        
        PID:4004
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2376 -s 216
        7⤵
        Program crash
        
        PID:3176
      - C:\Users\Admin\AppData\Local\Temp\Unicorn-2792.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-2792.exe
        6⤵
        
        PID:912
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-7520.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-7520.exe
        7⤵
        
        PID:2916
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-6721.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-6721.exe
        8⤵
        
        PID:3708
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-21465.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-21465.exe
        9⤵
        
        PID:4316
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-14970.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-14970.exe
        10⤵
        System Location Discovery: System Language Discovery
        
        PID:5356
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4316 -s 216
        10⤵
        
        PID:6688
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3708 -s 216
        9⤵
        
        PID:5248
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2916 -s 216
        8⤵
        
        PID:3944
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 912 -s 236
        7⤵
        Program crash
        
        PID:3320
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1420 -s 240
        6⤵
        Program crash
        
        PID:1844
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2068 -s 220
        5⤵
        Program crash
        
        PID:2172
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 2924 -s 240
      4⤵
      Loads dropped DLL
      Program crash
      PID:1964
- - C:\Users\Admin\AppData\Local\Temp\Unicorn-36787.exe
    C:\Users\Admin\AppData\Local\Temp\Unicorn-36787.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:2848
  - - C:\Users\Admin\AppData\Local\Temp\Unicorn-8687.exe
      C:\Users\Admin\AppData\Local\Temp\Unicorn-8687.exe
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Suspicious use of SetWindowsHookEx
      PID:1628
    - - C:\Users\Admin\AppData\Local\Temp\Unicorn-1910.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-1910.exe
        5⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2956
      - C:\Users\Admin\AppData\Local\Temp\Unicorn-44069.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-44069.exe
        6⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:896
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-20764.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-20764.exe
        7⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:1256
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-30250.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-30250.exe
        8⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2372
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-39077.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-39077.exe
        9⤵
        
        PID:1648
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-23416.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-23416.exe
        10⤵
        System Location Discovery: System Language Discovery
        
        PID:3528
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-35227.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-35227.exe
        11⤵
        
        PID:4568
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-59693.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-59693.exe
        12⤵
        
        PID:6812
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4568 -s 216
        12⤵
        
        PID:7036
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3528 -s 216
        11⤵
        
        PID:5852
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2372 -s 236
        9⤵
        Program crash
        
        PID:3860
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-31847.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-31847.exe
        8⤵
        
        PID:2440
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-24053.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-24053.exe
        9⤵
        
        PID:3428
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-13636.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-13636.exe
        10⤵
        
        PID:4824
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-24598.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-24598.exe
        11⤵
        
        PID:7600
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3428 -s 216
        10⤵
        
        PID:5280
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2440 -s 216
        9⤵
        
        PID:4440
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1256 -s 240
        8⤵
        Program crash
        
        PID:3648
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-59201.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-59201.exe
        7⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2732
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-34172.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-34172.exe
        8⤵
        System Location Discovery: System Language Discovery
        
        PID:3416
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3416 -s 220
        9⤵
        
        PID:5008
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2732 -s 236
        8⤵
        
        PID:3384
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 896 -s 240
        7⤵
        Program crash
        
        PID:584
      - C:\Users\Admin\AppData\Local\Temp\Unicorn-37654.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-37654.exe
        6⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2080
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-19067.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-19067.exe
        7⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2444
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-27017.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-27017.exe
        8⤵
        
        PID:2560
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-63872.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-63872.exe
        9⤵
        System Location Discovery: System Language Discovery
        
        PID:3748
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-59308.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-59308.exe
        10⤵
        
        PID:4704
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-64862.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-64862.exe
        11⤵
        
        PID:7512
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3748 -s 236
        10⤵
        
        PID:5184
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2560 -s 216
        9⤵
        
        PID:5056
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2444 -s 236
        8⤵
        Program crash
        
        PID:4072
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-3991.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-3991.exe
        7⤵
        
        PID:280
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-61547.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-61547.exe
        8⤵
        
        PID:3136
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-41226.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-41226.exe
        9⤵
        System Location Discovery: System Language Discovery
        
        PID:4148
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-12453.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-12453.exe
        10⤵
        
        PID:6048
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4148 -s 216
        10⤵
        
        PID:6252
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3136 -s 216
        9⤵
        
        PID:5240
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 280 -s 236
        8⤵
        
        PID:3832
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2080 -s 240
        7⤵
        Program crash
        
        PID:2660
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2956 -s 240
        6⤵
        Program crash
        
        PID:644
    - - C:\Users\Admin\AppData\Local\Temp\Unicorn-960.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-960.exe
        5⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1520
      - C:\Users\Admin\AppData\Local\Temp\Unicorn-8703.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-8703.exe
        6⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2208
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-46311.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-46311.exe
        7⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2712
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-11796.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-11796.exe
        8⤵
        
        PID:616
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-37073.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-37073.exe
        9⤵
        System Location Discovery: System Language Discovery
        
        PID:3208
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-13636.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-13636.exe
        10⤵
        System Location Discovery: System Language Discovery
        
        PID:4844
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-39616.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-39616.exe
        11⤵
        
        PID:7388
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3208 -s 236
        10⤵
        
        PID:2456
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 616 -s 216
        9⤵
        
        PID:4648
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2712 -s 236
        8⤵
        Program crash
        
        PID:4064
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-44640.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-44640.exe
        7⤵
        System Location Discovery: System Language Discovery
        
        PID:2812
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-47536.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-47536.exe
        8⤵
        System Location Discovery: System Language Discovery
        
        PID:3564
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-64451.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-64451.exe
        9⤵
        
        PID:4796
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4796 -s 240
        10⤵
        
        PID:7340
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3564 -s 216
        9⤵
        
        PID:5924
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2812 -s 216
        8⤵
        
        PID:5048
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2208 -s 240
        7⤵
        Program crash
        
        PID:3132
      - C:\Users\Admin\AppData\Local\Temp\Unicorn-64546.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-64546.exe
        6⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2368
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-49513.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-49513.exe
        7⤵
        
        PID:2432
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-3654.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-3654.exe
        8⤵
        
        PID:3948
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-13636.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-13636.exe
        9⤵
        
        PID:4780
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-54338.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-54338.exe
        10⤵
        System Location Discovery: System Language Discovery
        
        PID:7648
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3948 -s 236
        9⤵
        
        PID:1536
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2368 -s 236
        7⤵
        Program crash
        
        PID:3640
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1520 -s 240
        6⤵
        Program crash
        
        PID:1780
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1628 -s 240
        5⤵
        Program crash
        
        PID:2564
  - - C:\Users\Admin\AppData\Local\Temp\Unicorn-35329.exe
      C:\Users\Admin\AppData\Local\Temp\Unicorn-35329.exe
      4⤵
      Executes dropped EXE
      Suspicious use of SetWindowsHookEx
      PID:1156
    - - C:\Users\Admin\AppData\Local\Temp\Unicorn-19565.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-19565.exe
        5⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2976
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2976 -s 240
        6⤵
        Program crash
        
        PID:2752
    - - C:\Users\Admin\AppData\Local\Temp\Unicorn-37462.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-37462.exe
        5⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1676
      - C:\Users\Admin\AppData\Local\Temp\Unicorn-20711.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-20711.exe
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:1412
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-59788.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-59788.exe
        7⤵
        
        PID:3780
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-44607.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-44607.exe
        8⤵
        System Location Discovery: System Language Discovery
        
        PID:4720
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-3549.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-3549.exe
        9⤵
        System Location Discovery: System Language Discovery
        
        PID:6936
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4720 -s 216
        9⤵
        
        PID:7624
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3780 -s 216
        8⤵
        
        PID:5916
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1412 -s 216
        7⤵
        
        PID:5024
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1676 -s 236
        6⤵
        Program crash
        
        PID:4044
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1156 -s 240
        5⤵
        Program crash
        
        PID:2420
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 2848 -s 240
      4⤵
      Loads dropped DLL
      Program crash
      PID:1840
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 1372 -s 240
    3⤵
    - Loads dropped DLL
    - Program crash
    PID:1912
- C:\Users\Admin\AppData\Local\Temp\Unicorn-57426.exe
  C:\Users\Admin\AppData\Local\Temp\Unicorn-57426.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2204
- - C:\Users\Admin\AppData\Local\Temp\Unicorn-3368.exe
    C:\Users\Admin\AppData\Local\Temp\Unicorn-3368.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:2680
  - - C:\Users\Admin\AppData\Local\Temp\Unicorn-29108.exe
      C:\Users\Admin\AppData\Local\Temp\Unicorn-29108.exe
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious use of SetWindowsHookEx
      PID:1212
    - - C:\Users\Admin\AppData\Local\Temp\Unicorn-53093.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-53093.exe
        5⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:772
      - C:\Users\Admin\AppData\Local\Temp\Unicorn-23924.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-23924.exe
        6⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:3048
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-24172.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-24172.exe
        7⤵
        System Location Discovery: System Language Discovery
        
        PID:2036
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-29965.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-29965.exe
        8⤵
        
        PID:3888
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-64308.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-64308.exe
        9⤵
        System Location Discovery: System Language Discovery
        
        PID:4980
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-31982.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-31982.exe
        10⤵
        
        PID:6788
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4980 -s 216
        10⤵
        
        PID:7000
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3888 -s 236
        9⤵
        
        PID:5704
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2036 -s 236
        8⤵
        
        PID:4556
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3048 -s 236
        7⤵
        Program crash
        
        PID:3308
      - C:\Users\Admin\AppData\Local\Temp\Unicorn-38697.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-38697.exe
        6⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2252
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-19041.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-19041.exe
        7⤵
        System Location Discovery: System Language Discovery
        
        PID:788
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-10120.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-10120.exe
        8⤵
        
        PID:4020
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-34293.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-34293.exe
        9⤵
        
        PID:4604
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-65344.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-65344.exe
        10⤵
        
        PID:6436
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4604 -s 216
        10⤵
        
        PID:6524
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4020 -s 216
        9⤵
        
        PID:5368
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 788 -s 236
        8⤵
        
        PID:4228
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2252 -s 236
        7⤵
        Program crash
        
        PID:3548
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 772 -s 240
        6⤵
        Program crash
        
        PID:2092
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1212 -s 236
        5⤵
        Program crash
        
        PID:1572
  - - C:\Users\Admin\AppData\Local\Temp\Unicorn-43497.exe
      C:\Users\Admin\AppData\Local\Temp\Unicorn-43497.exe
      4⤵
      Executes dropped EXE
      Suspicious use of SetWindowsHookEx
      PID:1996
    - - C:\Users\Admin\AppData\Local\Temp\Unicorn-11396.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-11396.exe
        5⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:304
      - C:\Users\Admin\AppData\Local\Temp\Unicorn-57520.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-57520.exe
        6⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2904
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-27235.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-27235.exe
        7⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2572
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-6835.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-6835.exe
        8⤵
        System Location Discovery: System Language Discovery
        
        PID:924
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-35943.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-35943.exe
        9⤵
        
        PID:4012
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-16019.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-16019.exe
        10⤵
        
        PID:4660
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-3741.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-3741.exe
        11⤵
        System Location Discovery: System Language Discovery
        
        PID:7064
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4660 -s 236
        11⤵
        
        PID:7632
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4012 -s 216
        10⤵
        
        PID:5900
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 924 -s 216
        9⤵
        
        PID:5012
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2572 -s 216
        8⤵
        Program crash
        
        PID:3492
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-61526.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-61526.exe
        7⤵
        
        PID:1220
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-16483.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-16483.exe
        8⤵
        System Location Discovery: System Language Discovery
        
        PID:3808
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-13636.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-13636.exe
        9⤵
        System Location Discovery: System Language Discovery
        
        PID:4812
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-10575.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-10575.exe
        10⤵
        
        PID:6964
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4812 -s 216
        10⤵
        
        PID:7152
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3808 -s 236
        9⤵
        
        PID:5204
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1220 -s 216
        8⤵
        
        PID:4596
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2904 -s 240
        7⤵
        Program crash
        
        PID:3592
      - C:\Users\Admin\AppData\Local\Temp\Unicorn-54925.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-54925.exe
        6⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2544
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-15855.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-15855.exe
        7⤵
        
        PID:1524
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-9383.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-9383.exe
        8⤵
        System Location Discovery: System Language Discovery
        
        PID:4384
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-60362.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-60362.exe
        9⤵
        System Location Discovery: System Language Discovery
        
        PID:6148
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4384 -s 216
        9⤵
        
        PID:6892
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1524 -s 216
        8⤵
        
        PID:5212
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2544 -s 236
        7⤵
        Program crash
        
        PID:3144
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 304 -s 240
        6⤵
        Program crash
        
        PID:1244
    - - C:\Users\Admin\AppData\Local\Temp\Unicorn-1858.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-1858.exe
        5⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1268
      - C:\Users\Admin\AppData\Local\Temp\Unicorn-58646.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-58646.exe
        6⤵
        
        PID:2408
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-29342.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-29342.exe
        7⤵
        System Location Discovery: System Language Discovery
        
        PID:3448
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-14064.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-14064.exe
        8⤵
        
        PID:4496
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-24613.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-24613.exe
        9⤵
        
        PID:6336
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4496 -s 236
        9⤵
        
        PID:7056
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3448 -s 216
        8⤵
        
        PID:5312
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2408 -s 236
        7⤵
        
        PID:4120
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1268 -s 236
        6⤵
        Program crash
        
        PID:3080
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1996 -s 240
        5⤵
        Program crash
        
        PID:1680
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 2680 -s 240
      4⤵
      Loads dropped DLL
      Program crash
      PID:2532
- - C:\Users\Admin\AppData\Local\Temp\Unicorn-54359.exe
    C:\Users\Admin\AppData\Local\Temp\Unicorn-54359.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of SetWindowsHookEx
    PID:1792
  - - C:\Users\Admin\AppData\Local\Temp\Unicorn-59279.exe
      C:\Users\Admin\AppData\Local\Temp\Unicorn-59279.exe
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious use of SetWindowsHookEx
      PID:668
    - - C:\Users\Admin\AppData\Local\Temp\Unicorn-12465.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-12465.exe
        5⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:572
      - C:\Users\Admin\AppData\Local\Temp\Unicorn-53436.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-53436.exe
        6⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2360
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-6814.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-6814.exe
        7⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:3012
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-15855.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-15855.exe
        8⤵
        
        PID:2596
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-385.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-385.exe
        9⤵
        
        PID:2148
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-9552.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-9552.exe
        10⤵
        System Location Discovery: System Language Discovery
        
        PID:4688
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-23129.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-23129.exe
        11⤵
        System Location Discovery: System Language Discovery
        
        PID:6912
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4688 -s 216
        11⤵
        
        PID:6620
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2148 -s 216
        10⤵
        
        PID:1496
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2596 -s 236
        9⤵
        
        PID:5136
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3012 -s 216
        8⤵
        
        PID:3716
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-61526.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-61526.exe
        7⤵
        
        PID:1596
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-33011.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-33011.exe
        8⤵
        
        PID:4084
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-42993.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-42993.exe
        9⤵
        System Location Discovery: System Language Discovery
        
        PID:5324
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-8570.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-8570.exe
        10⤵
        System Location Discovery: System Language Discovery
        
        PID:7740
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4084 -s 236
        9⤵
        
        PID:1624
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1596 -s 216
        8⤵
        
        PID:5224
      - C:\Users\Admin\AppData\Local\Temp\Unicorn-26144.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-26144.exe
        6⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2860
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-7686.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-7686.exe
        7⤵
        System Location Discovery: System Language Discovery
        
        PID:2004
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-16675.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-16675.exe
        8⤵
        
        PID:3792
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-11498.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-11498.exe
        9⤵
        
        PID:5636
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3792 -s 216
        9⤵
        
        PID:1748
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2004 -s 216
        8⤵
        
        PID:5064
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2860 -s 236
        7⤵
        Program crash
        
        PID:4000
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 572 -s 240
        6⤵
        Program crash
        
        PID:448
    - - C:\Users\Admin\AppData\Local\Temp\Unicorn-50867.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-50867.exe
        5⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2020
      - C:\Users\Admin\AppData\Local\Temp\Unicorn-6513.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-6513.exe
        6⤵
        
        PID:1252
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-43177.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-43177.exe
        7⤵
        
        PID:3928
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-14915.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-14915.exe
        8⤵
        System Location Discovery: System Language Discovery
        
        PID:5104
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-50949.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-50949.exe
        9⤵
        
        PID:6848
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 5104 -s 236
        9⤵
        
        PID:6940
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3928 -s 216
        8⤵
        
        PID:5732
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1252 -s 216
        7⤵
        
        PID:4588
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2020 -s 216
        6⤵
        Program crash
        
        PID:3344
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 668 -s 240
        5⤵
        Program crash
        
        PID:2256
  - - C:\Users\Admin\AppData\Local\Temp\Unicorn-24203.exe
      C:\Users\Admin\AppData\Local\Temp\Unicorn-24203.exe
      4⤵
      Executes dropped EXE
      Suspicious use of SetWindowsHookEx
      PID:752
    - - C:\Users\Admin\AppData\Local\Temp\Unicorn-57904.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-57904.exe
        5⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2764
      - C:\Users\Admin\AppData\Local\Temp\Unicorn-58646.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-58646.exe
        6⤵
        Executes dropped EXE
        
        PID:2916
      - C:\Users\Admin\AppData\Local\Temp\Unicorn-9724.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-9724.exe
        6⤵
        
        PID:2044
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-19882.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-19882.exe
        7⤵
        
        PID:3352
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-1384.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-1384.exe
        8⤵
        
        PID:4768
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-37343.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-37343.exe
        9⤵
        
        PID:7468
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3352 -s 216
        8⤵
        
        PID:4684
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2044 -s 216
        7⤵
        
        PID:5032
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2764 -s 240
        6⤵
        Program crash
        
        PID:340
    - - C:\Users\Admin\AppData\Local\Temp\Unicorn-56077.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-56077.exe
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:2124
      - C:\Users\Admin\AppData\Local\Temp\Unicorn-7712.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-7712.exe
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:2452
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-24053.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-24053.exe
        7⤵
        
        PID:3460
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-13636.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-13636.exe
        8⤵
        
        PID:5072
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-48718.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-48718.exe
        9⤵
        
        PID:7540
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3460 -s 236
        8⤵
        
        PID:5296
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2452 -s 216
        7⤵
        
        PID:4336
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2124 -s 236
        6⤵
        Program crash
        
        PID:3612
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 752 -s 220
        5⤵
        Program crash
        
        PID:1472
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 1792 -s 240
      4⤵
      Program crash
      PID:2436
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2204 -s 240
    3⤵
    - Loads dropped DLL
    - Program crash
    PID:1916
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 2380 -s 240
  2⤵
  - Program crash
  PID:2808

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\Unicorn-10270.exe

Filesize
184KB

MD5
9d36e03cbf89cc23620021a73669b4c9

SHA1
7abbf1a16515f00ab5b98a0626a1719da89a4680

SHA256
1caf72aca45b09f30074933e63e6f55474dbcbbdac6f1da4b174e1f2cd2c5c94

SHA512
8d8639a84bf5c53aef41655ac3d343cc9d8344e80c2e7e4fe061c6cf89c19927a5873555032a406203ffc0d91fbcf8a9349160b91c83c1d5569e267446ea1b4e

Download Submit
C:\Users\Admin\AppData\Local\Temp\Unicorn-3368.exe

Filesize
184KB

MD5
381d3d29949450f828ad6c94972adc86

SHA1
b12852240847d83599f8e860bdbab0dae4c7f5b4

SHA256
5cbe061f0fc2496dc25a0718afc374b5f49eaddc5bb3d58de9f66af79097436c

SHA512
aee5af383386fdee4020a58678d3a31dc595739b3fa9bdad2ac63a5fa61670dbc85f66f49474d5b3d2510ed069e7cf13bef048d1d42a157b4d440faa2821b6c2

Download Submit
C:\Users\Admin\AppData\Local\Temp\Unicorn-40166.exe

Filesize
184KB

MD5
3aae6ef8ac4c2a95b0f56a9603815040

SHA1
6a3422690f1e659edff5148bdec4074dbfeff8f4

SHA256
b3b0bce39d01bb9a9132eb1f99fe8e950d626a6886029ed8f14570fe4557c51d

SHA512
cd293d7c85da62d5f3f2838f61a3e9187eef53ee461807d9e33cc960cd41a7a98ef03bab8cc46b6c70fda05730f2c1118948775cdb7aaef56e6ccfa96f348894

Download Submit
C:\Users\Admin\AppData\Local\Temp\Unicorn-54359.exe

Filesize
184KB

MD5
ab0a94b73bdb7e3955c21b73632fcadb

SHA1
4ece372bfef4acba97815dfeb60c13a003c19a8e

SHA256
190a5b9aea5fee4bea92d998be2a4075889481d06b1509330c75dd3e414d144b

SHA512
c524c620f044c3971166ff361d00ae9ac6ab773f525633aa3e2f8430690281ca1f0aadfa03b9f2ecb4dc357edb367e035672d83ba2af4d64ec3c189abff7a46b

Download Submit
C:\Users\Admin\AppData\Local\Temp\Unicorn-6513.exe

Filesize
184KB

MD5
ad97179fab286557563a1f37363b1ca0

SHA1
23d49196d20448ad68580eaf2f83f87b612c4e7f

SHA256
bd51317c866437eb39d1f41300e0a6e32fde0511d7d99a739c665a7e6bf61ecd

SHA512
6d170d7f48a599bae3c3fb8ed404d360d59b62ffde81edfb7d2a5722497528e6f29d33ad3806dfa794f083365fd80531153ab32c3f266a434b073d5a85282d54

Download Submit
C:\Users\Admin\AppData\Local\Temp\Unicorn-6721.exe

Filesize
184KB

MD5
e09300fa0f9287f8125187833412596d

SHA1
1a0472513bb773bd06078c148cf9cc0f172e7328

SHA256
da3cac775928c357fbdd72ebd79dda40a3f0b4d3a8befe2e47995c31909aaedd

SHA512
55681734cf5622ac9f9a471f4ca64107e6419c325dfac87c3674779e0eff638eb4e8278ece466dd94bef5812edbe251b53eb433c2d077d34711e4372ef7cb340

Download Submit
C:\Users\Admin\AppData\Local\Temp\Unicorn-6814.exe

Filesize
184KB

MD5
7cb0fce35a1392d8b46eda5779f24951

SHA1
1965cc1947ea8d43f29d9aed88e1b7cb4f95dd56

SHA256
e176613dd244a4026ab400d391ffa6e71c63d48eb6792bb6425922c709b66a87

SHA512
2af8560d0a07a1be893c5e32117cfe067e0beaf3d004317a38d688e78d2b5b60ac31389a8dd1e538831d9930309b5cb20564503ed342b94e9e0031854f96ff44

Download Submit
C:\Users\Admin\AppData\Local\Temp\Unicorn-6835.exe

Filesize
184KB

MD5
5772755f8d537d778a4c787c230af004

SHA1
2fbc265c06ee1acd9e9cdd49a910cacac9d613f4

SHA256
6db3b65fedb9e808cf4c6056c7e8bc83bb994401f53b1ff8d364fa10510a2ead

SHA512
a76cd982a901ef91fd1bde8ce0de7c578902e0b93913e09f0073953110a6e5e3639f255260c8dc843d3be55c6fcb0dace15a4b3c241de82e574a3c6aa062acd0

Download Submit
C:\Users\Admin\AppData\Local\Temp\Unicorn-8687.exe

Filesize
184KB

MD5
720d568c6236f2b9bd8e8145572dd4fd

SHA1
00df6a12786c419f81f7b09f83da6391508010bc

SHA256
ad09877875695c197a779c059bae221887478a0a33f2b6f203bd16a98ff3339f

SHA512
6bd9a585bdd83ff2fb6a55a12729343749189cac260556a1e5083570dabfcc0d6aee7518e29008b0df926e8278c14b9427913a96147f7765f4e55b6cb89e0071

Download Submit
\Users\Admin\AppData\Local\Temp\Unicorn-11754.exe

Filesize
184KB

MD5
f3e4aeff76aabc2304e4d24c7a5776af

SHA1
f6a63c853f64bdd18791eba0f1a24b53e5d115ec

SHA256
bf62e255cd36b5a9db1ffeb8de47d19d92d9d3a4a99f9402315ea1066805d434

SHA512
2659d98d411e026489c1b6924d325006408c1fb7de294c36eca4f911f595093a87894b8cee69969d2cdcc29dcf272592507848d1b6b9a62226cc220141deb9bd

Download Submit
\Users\Admin\AppData\Local\Temp\Unicorn-13326.exe

Filesize
184KB

MD5
39efbd36b8a3b69b0dedbefe5d08f901

SHA1
03216b08a80b0b199a0846c01c0348164efc6b1c

SHA256
f3f226b91140d4cf8207a31a756ea943a89b0b880e2e5ae21373657707dddc85

SHA512
2ab9bb2af2f7974efc33fd94fef1c6fdf483e6ec8a9aaeaaaddcbbe9851155e690de9bf6cd08cab28d744049fa649ddf1c6d50d08cde762254311b3ae82a2e1a

Download Submit
\Users\Admin\AppData\Local\Temp\Unicorn-29108.exe

Filesize
184KB

MD5
a3c7d39f9ea698ec40bdd9e25dfe4e6f

SHA1
0f87fc54948f38a6c4921e7b57b4f1a8189ef0f4

SHA256
33690154fb80cd692f837693aef2f8ce2fd61a235dfc32bdd317bedb5ac3377d

SHA512
5d423843e464405bdfd33a69c56bff278ec90dfbaa46ac268f3b1dff400444d525e516b780efe278f0142fc7201709394d32c1bad2e4fee88a7bd6d35259c91c

Download Submit
\Users\Admin\AppData\Local\Temp\Unicorn-36787.exe

Filesize
184KB

MD5
bf6905a792b1e6a29c72f6e4f3d22167

SHA1
0290d3fc68dd71de2848508e3e89fc4dbc10d674

SHA256
61654e620f722ffcf29c210ad2eba39300183748d6a049ce9877f9489b70159d

SHA512
7c00f5aed3275dea89f33726f4cb8f5bf91c2e203c4fccec834dcdec2e29cec22eb8b3b705b1b93ffbb193611d5ea2293df84075bba33c6e907f5b295a2170ee

Download Submit
\Users\Admin\AppData\Local\Temp\Unicorn-37468.exe

Filesize
184KB

MD5
9eb5fa414b03f86bf2b4472658770343

SHA1
e1ee40c9270605d8194d35b7b35507548b61e747

SHA256
04f4914f598f12995a126375e4512c04eb80bc7298fd1a0d0e886015055d91bd

SHA512
9b9f217fe5afbc280f93125fd1fb77b4a8d5813a42911fe1b06d9583f7d465f0f4aa9b35f71f392c787875d237a710a92ef385b2976b270aa97d03fa092800e5

Download Submit
\Users\Admin\AppData\Local\Temp\Unicorn-43420.exe

Filesize
184KB

MD5
e04e665116224744a8b7323a487d0cf8

SHA1
36c4914032422b723e77b056ec4a98efe2420c4c

SHA256
957c147020f6ebe5931e98ba3c6118e5e1f8f00145dbc8c8749b40fbfd77ee26

SHA512
4d946e1d43b1a9d430a6161856a869bf915f51472b870c008973723709662a2762764a3eed97a4f80343dd5ff03e62d0e8b8a5bc4badf9c44ea19a55891036cb

Download Submit
\Users\Admin\AppData\Local\Temp\Unicorn-47390.exe

Filesize
184KB

MD5
85397249ab95e24c938be6e8f91fd00e

SHA1
2f7a5dbf7224324248b0b3eff316401071c9f8b4

SHA256
dc5e8104c9a54011f9564cedb3066fab5d7724855f552705321eeaabfe0ce593

SHA512
1a21e5d4741cc70d93953593d0eb5e551813b79f0380fa0ba6fc8e180199a5886fb24366cb767bd620cdc9e95912c8518e2c15092cf416767f6d055c9f887aaa

Download Submit
\Users\Admin\AppData\Local\Temp\Unicorn-57426.exe

Filesize
184KB

MD5
20f2baa822d1b1eb29399b833d3b2d31

SHA1
24e3f596e07c2506bd43a0d164f959d43b987ac8

SHA256
2ff6ec86b75e9763452d0e96a8510d604f71b29847f12c626780ba6999288ea1

SHA512
2f1d73479ddd3058ea70862627a6d3109647546654f5dccee0041bfdef735e8e7a547e9f74e6e99c3861ccb15d2b2db32f2dcdb17e007f5509f66ffb2c787ca7

Download Submit
\Users\Admin\AppData\Local\Temp\Unicorn-59087.exe

Filesize
184KB

MD5
eefcb0461cbe887d7dfc7a7891b461ad

SHA1
62150fb07959f550ec27f3f09697a984161618fb

SHA256
b5a04e21159e1474274dd5baa0f4dcaa1fac3096816f9d2625405bcf485ee541

SHA512
264e8ed524fb65b529c355b54b19c0720863a91459ad9fa1991003037119704c9ef6ff1db429c7e3bc7eccb7122e15365e7d9fac99cf1d5af11a0ecc4060a9e7

Download Submit