58590b28d2187be0a21deb516f802f90e1f5af5aa551e2e852416599751aa1b7

Analysis

max time kernel
120s
max time network
20s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
27/09/2024, 02:56

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

58590b28d2187be0a21deb516f802f90e1f5af5aa551e2e852416599751aa1b7N.exe
Size

468KB
MD5

99f8aefe4f1ec4febac458083cdd4120
SHA1

3ea1b7e62dd4572fcf7a9985e90677667d24e5d6
SHA256

58590b28d2187be0a21deb516f802f90e1f5af5aa551e2e852416599751aa1b7
SHA512

f0722c4e99772342046fd0bae47df548f609114c4024b3952cb00850a90ad854803d5f557da24eb364ab315df36ab22b73073656144c90b56ae233b80e82d796
SSDEEP

3072:BqobogCdj08U2bYBPz59ff8/5CK3IXpInmHewVpfck03uk6eGzlV:BqIoh5U2iP19ffP5SCck6L6eG

Score

7^/10

discovery

Malware Config

Signatures

Executes dropped EXE 64 IoCs

pid	Process
2216	Unicorn-64805.exe
2716	Unicorn-13157.exe
2632	Unicorn-49551.exe
2772	Unicorn-25421.exe
2788	Unicorn-59883.exe
2696	Unicorn-30548.exe
2488	Unicorn-5649.exe
2916	Unicorn-5265.exe
2384	Unicorn-50937.exe
520	Unicorn-53433.exe
2852	Unicorn-21602.exe
2016	Unicorn-58457.exe
2348	Unicorn-41471.exe
972	Unicorn-8223.exe
824	Unicorn-44617.exe
1712	Unicorn-47440.exe
1344	Unicorn-3065.exe
1680	Unicorn-15811.exe
2704	Unicorn-35545.exe
1608	Unicorn-48644.exe
1136	Unicorn-33197.exe
2480	Unicorn-54983.exe
1644	Unicorn-8496.exe
2116	Unicorn-41553.exe
2952	Unicorn-42382.exe
1108	Unicorn-42382.exe
2720	Unicorn-48735.exe
2552	Unicorn-3063.exe
2908	Unicorn-3063.exe
2556	Unicorn-1610.exe
2540	Unicorn-53115.exe
2868	Unicorn-41138.exe
2884	Unicorn-4744.exe
540	Unicorn-21163.exe
2856	Unicorn-41029.exe
2752	Unicorn-30853.exe
3024	Unicorn-29570.exe
2624	Unicorn-1470.exe
1428	Unicorn-32149.exe
2004	Unicorn-51631.exe
552	Unicorn-28409.exe
896	Unicorn-44745.exe
1612	Unicorn-11164.exe
3068	Unicorn-14262.exe
2080	Unicorn-13037.exe
2068	Unicorn-49239.exe
2936	Unicorn-19197.exe
3048	Unicorn-11600.exe
2820	Unicorn-43505.exe
2184	Unicorn-59841.exe
2572	Unicorn-64008.exe
1932	Unicorn-54875.exe
1772	Unicorn-57506.exe
756	Unicorn-10500.exe
3000	Unicorn-50275.exe
2440	Unicorn-50275.exe
2260	Unicorn-50275.exe
1568	Unicorn-50275.exe
2780	Unicorn-50275.exe
1220	Unicorn-30409.exe
928	Unicorn-50275.exe
2144	Unicorn-50275.exe
2692	Unicorn-2994.exe
1316	Unicorn-18423.exe

Loads dropped DLL 64 IoCs

pid	Process
468	58590b28d2187be0a21deb516f802f90e1f5af5aa551e2e852416599751aa1b7N.exe
468	58590b28d2187be0a21deb516f802f90e1f5af5aa551e2e852416599751aa1b7N.exe
2216	Unicorn-64805.exe
2216	Unicorn-64805.exe
468	58590b28d2187be0a21deb516f802f90e1f5af5aa551e2e852416599751aa1b7N.exe
468	58590b28d2187be0a21deb516f802f90e1f5af5aa551e2e852416599751aa1b7N.exe
2716	Unicorn-13157.exe
2716	Unicorn-13157.exe
2216	Unicorn-64805.exe
2632	Unicorn-49551.exe
2632	Unicorn-49551.exe
2216	Unicorn-64805.exe
2504	WerFault.exe
2504	WerFault.exe
2504	WerFault.exe
2504	WerFault.exe
2504	WerFault.exe
2504	WerFault.exe
2504	WerFault.exe
2772	Unicorn-25421.exe
2772	Unicorn-25421.exe
2696	Unicorn-30548.exe
2716	Unicorn-13157.exe
2696	Unicorn-30548.exe
2716	Unicorn-13157.exe
2788	Unicorn-59883.exe
2788	Unicorn-59883.exe
2632	Unicorn-49551.exe
2632	Unicorn-49551.exe
2960	WerFault.exe
2960	WerFault.exe
2960	WerFault.exe
2960	WerFault.exe
2960	WerFault.exe
2960	WerFault.exe
1532	WerFault.exe
1532	WerFault.exe
1532	WerFault.exe
1532	WerFault.exe
1532	WerFault.exe
1532	WerFault.exe
1532	WerFault.exe
2960	WerFault.exe
2488	Unicorn-5649.exe
2488	Unicorn-5649.exe
2772	Unicorn-25421.exe
2772	Unicorn-25421.exe
2696	Unicorn-30548.exe
2696	Unicorn-30548.exe
520	Unicorn-53433.exe
2916	Unicorn-5265.exe
520	Unicorn-53433.exe
2916	Unicorn-5265.exe
2384	Unicorn-50937.exe
2384	Unicorn-50937.exe
2852	Unicorn-21602.exe
2852	Unicorn-21602.exe
2788	Unicorn-59883.exe
2788	Unicorn-59883.exe
1340	WerFault.exe
1340	WerFault.exe
1340	WerFault.exe
1340	WerFault.exe
1340	WerFault.exe

Program crash 64 IoCs

pid	pid_target	Process	procid_target
2776	468	WerFault.exe	29
2504	2216	WerFault.exe	30
2960	2716	WerFault.exe	32
1532	2632	WerFault.exe	31
1340	2772	WerFault.exe	34
1488	2696	WerFault.exe	36
2256	2788	WerFault.exe	35
3040	2488	WerFault.exe	38
692	2916	WerFault.exe	39
748	2384	WerFault.exe	40
2424	1712	WerFault.exe	48
1012	972	WerFault.exe	47
1592	1344	WerFault.exe	50
556	2016	WerFault.exe	45
1320	824	WerFault.exe	49
2596	2348	WerFault.exe	46
512	2116	WerFault.exe	60
3032	1136	WerFault.exe	57
1404	2952	WerFault.exe	61
2956	520	WerFault.exe	42
2316	1680	WerFault.exe	51
2372	2704	WerFault.exe	52
2064	1608	WerFault.exe	56
2156	2852	WerFault.exe	41
828	2720	WerFault.exe	63
2020	2552	WerFault.exe	64
2392	2480	WerFault.exe	58
1252	552	WerFault.exe	80
1384	1644	WerFault.exe	59
1008	2908	WerFault.exe	65
2928	540	WerFault.exe	72
2940	1428	WerFault.exe	77
2312	2004	WerFault.exe	78
2600	2068	WerFault.exe	90
3044	2624	WerFault.exe	76
2028	3024	WerFault.exe	75
2904	3048	WerFault.exe	95
2988	2856	WerFault.exe	73
560	1612	WerFault.exe	87
2560	1108	WerFault.exe	62
1312	2752	WerFault.exe	74
2056	2884	WerFault.exe	71
3256	2540	WerFault.exe	68
3268	896	WerFault.exe	81
3276	2556	WerFault.exe	66
3284	2868	WerFault.exe	70
3364	928	WerFault.exe	114
3408	1316	WerFault.exe	120
3512	2184	WerFault.exe	98
3504	3068	WerFault.exe	88
3540	2936	WerFault.exe	91
3612	3000	WerFault.exe	111
3620	2080	WerFault.exe	89
3692	2692	WerFault.exe	118
3724	2820	WerFault.exe	96
3784	2440	WerFault.exe	113
4008	2572	WerFault.exe	99
4016	1568	WerFault.exe	112
4024	1932	WerFault.exe	100
4040	2780	WerFault.exe	117
3176	1772	WerFault.exe	102
3292	756	WerFault.exe	107
3468	2260	WerFault.exe	115
3500	1220	WerFault.exe	110

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Unicorn-1610.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Unicorn-64008.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Unicorn-2994.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Unicorn-36143.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Unicorn-11164.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Unicorn-11600.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Unicorn-37816.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Unicorn-46197.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Unicorn-50275.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Unicorn-50275.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Unicorn-5662.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Unicorn-10280.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	58590b28d2187be0a21deb516f802f90e1f5af5aa551e2e852416599751aa1b7N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Unicorn-51631.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Unicorn-19197.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Unicorn-43784.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Unicorn-44745.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Unicorn-57162.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Unicorn-10280.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Unicorn-58457.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Unicorn-10500.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Unicorn-27017.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Unicorn-8318.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Unicorn-57506.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Unicorn-3477.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Unicorn-46197.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Unicorn-41553.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Unicorn-22127.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Unicorn-23896.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Unicorn-37536.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Unicorn-57637.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Unicorn-51739.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Unicorn-5649.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Unicorn-54983.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Unicorn-53115.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Unicorn-50275.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Unicorn-41029.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Unicorn-30853.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Unicorn-42036.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Unicorn-9694.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Unicorn-33197.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Unicorn-14262.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Unicorn-57637.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Unicorn-51142.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Unicorn-13616.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Unicorn-34846.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Unicorn-59883.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Unicorn-5265.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Unicorn-29570.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Unicorn-1106.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Unicorn-29497.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Unicorn-40552.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Unicorn-28552.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Unicorn-25421.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Unicorn-21602.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Unicorn-59414.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Unicorn-49830.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Unicorn-54875.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Unicorn-43737.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Unicorn-52486.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Unicorn-37636.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Unicorn-24256.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Unicorn-25792.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Unicorn-49551.exe

Suspicious use of SetWindowsHookEx 64 IoCs

pid	Process
468	58590b28d2187be0a21deb516f802f90e1f5af5aa551e2e852416599751aa1b7N.exe
2216	Unicorn-64805.exe
2716	Unicorn-13157.exe
2632	Unicorn-49551.exe
2772	Unicorn-25421.exe
2788	Unicorn-59883.exe
2696	Unicorn-30548.exe
2488	Unicorn-5649.exe
2916	Unicorn-5265.exe
520	Unicorn-53433.exe
2852	Unicorn-21602.exe
2384	Unicorn-50937.exe
2016	Unicorn-58457.exe
2348	Unicorn-41471.exe
972	Unicorn-8223.exe
1712	Unicorn-47440.exe
824	Unicorn-44617.exe
1344	Unicorn-3065.exe
2704	Unicorn-35545.exe
1680	Unicorn-15811.exe
1608	Unicorn-48644.exe
1136	Unicorn-33197.exe
2480	Unicorn-54983.exe
2116	Unicorn-41553.exe
1644	Unicorn-8496.exe
2952	Unicorn-42382.exe
1108	Unicorn-42382.exe
2556	Unicorn-1610.exe
2908	Unicorn-3063.exe
2540	Unicorn-53115.exe
2552	Unicorn-3063.exe
2856	Unicorn-41029.exe
2720	Unicorn-48735.exe
2868	Unicorn-41138.exe
2884	Unicorn-4744.exe
3024	Unicorn-29570.exe
2624	Unicorn-1470.exe
2752	Unicorn-30853.exe
540	Unicorn-21163.exe
1428	Unicorn-32149.exe
2004	Unicorn-51631.exe
552	Unicorn-28409.exe
896	Unicorn-44745.exe
1612	Unicorn-11164.exe
3068	Unicorn-14262.exe
2068	Unicorn-49239.exe
2080	Unicorn-13037.exe
2936	Unicorn-19197.exe
3048	Unicorn-11600.exe
2820	Unicorn-43505.exe
2184	Unicorn-59841.exe
2572	Unicorn-64008.exe
1932	Unicorn-54875.exe
1772	Unicorn-57506.exe
756	Unicorn-10500.exe
3000	Unicorn-50275.exe
2440	Unicorn-50275.exe
1220	Unicorn-30409.exe
1568	Unicorn-50275.exe
2780	Unicorn-50275.exe
928	Unicorn-50275.exe
2260	Unicorn-50275.exe
2144	Unicorn-50275.exe
2692	Unicorn-2994.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 468 wrote to memory of 2216	468	58590b28d2187be0a21deb516f802f90e1f5af5aa551e2e852416599751aa1b7N.exe	30
PID 468 wrote to memory of 2216	468	58590b28d2187be0a21deb516f802f90e1f5af5aa551e2e852416599751aa1b7N.exe	30
PID 468 wrote to memory of 2216	468	58590b28d2187be0a21deb516f802f90e1f5af5aa551e2e852416599751aa1b7N.exe	30
PID 468 wrote to memory of 2216	468	58590b28d2187be0a21deb516f802f90e1f5af5aa551e2e852416599751aa1b7N.exe	30
PID 2216 wrote to memory of 2632	2216	Unicorn-64805.exe	31
PID 2216 wrote to memory of 2632	2216	Unicorn-64805.exe	31
PID 2216 wrote to memory of 2632	2216	Unicorn-64805.exe	31
PID 2216 wrote to memory of 2632	2216	Unicorn-64805.exe	31
PID 468 wrote to memory of 2716	468	58590b28d2187be0a21deb516f802f90e1f5af5aa551e2e852416599751aa1b7N.exe	32
PID 468 wrote to memory of 2716	468	58590b28d2187be0a21deb516f802f90e1f5af5aa551e2e852416599751aa1b7N.exe	32
PID 468 wrote to memory of 2716	468	58590b28d2187be0a21deb516f802f90e1f5af5aa551e2e852416599751aa1b7N.exe	32
PID 468 wrote to memory of 2716	468	58590b28d2187be0a21deb516f802f90e1f5af5aa551e2e852416599751aa1b7N.exe	32
PID 468 wrote to memory of 2776	468	58590b28d2187be0a21deb516f802f90e1f5af5aa551e2e852416599751aa1b7N.exe	33
PID 468 wrote to memory of 2776	468	58590b28d2187be0a21deb516f802f90e1f5af5aa551e2e852416599751aa1b7N.exe	33
PID 468 wrote to memory of 2776	468	58590b28d2187be0a21deb516f802f90e1f5af5aa551e2e852416599751aa1b7N.exe	33
PID 468 wrote to memory of 2776	468	58590b28d2187be0a21deb516f802f90e1f5af5aa551e2e852416599751aa1b7N.exe	33
PID 2716 wrote to memory of 2772	2716	Unicorn-13157.exe	34
PID 2716 wrote to memory of 2772	2716	Unicorn-13157.exe	34
PID 2716 wrote to memory of 2772	2716	Unicorn-13157.exe	34
PID 2716 wrote to memory of 2772	2716	Unicorn-13157.exe	34
PID 2632 wrote to memory of 2696	2632	Unicorn-49551.exe	36
PID 2632 wrote to memory of 2696	2632	Unicorn-49551.exe	36
PID 2632 wrote to memory of 2696	2632	Unicorn-49551.exe	36
PID 2632 wrote to memory of 2696	2632	Unicorn-49551.exe	36
PID 2216 wrote to memory of 2788	2216	Unicorn-64805.exe	35
PID 2216 wrote to memory of 2788	2216	Unicorn-64805.exe	35
PID 2216 wrote to memory of 2788	2216	Unicorn-64805.exe	35
PID 2216 wrote to memory of 2788	2216	Unicorn-64805.exe	35
PID 2216 wrote to memory of 2504	2216	Unicorn-64805.exe	37
PID 2216 wrote to memory of 2504	2216	Unicorn-64805.exe	37
PID 2216 wrote to memory of 2504	2216	Unicorn-64805.exe	37
PID 2216 wrote to memory of 2504	2216	Unicorn-64805.exe	37
PID 2772 wrote to memory of 2488	2772	Unicorn-25421.exe	38
PID 2772 wrote to memory of 2488	2772	Unicorn-25421.exe	38
PID 2772 wrote to memory of 2488	2772	Unicorn-25421.exe	38
PID 2772 wrote to memory of 2488	2772	Unicorn-25421.exe	38
PID 2696 wrote to memory of 2916	2696	Unicorn-30548.exe	39
PID 2696 wrote to memory of 2916	2696	Unicorn-30548.exe	39
PID 2696 wrote to memory of 2916	2696	Unicorn-30548.exe	39
PID 2696 wrote to memory of 2916	2696	Unicorn-30548.exe	39
PID 2716 wrote to memory of 2384	2716	Unicorn-13157.exe	40
PID 2716 wrote to memory of 2384	2716	Unicorn-13157.exe	40
PID 2716 wrote to memory of 2384	2716	Unicorn-13157.exe	40
PID 2716 wrote to memory of 2384	2716	Unicorn-13157.exe	40
PID 2788 wrote to memory of 2852	2788	Unicorn-59883.exe	41
PID 2788 wrote to memory of 2852	2788	Unicorn-59883.exe	41
PID 2788 wrote to memory of 2852	2788	Unicorn-59883.exe	41
PID 2788 wrote to memory of 2852	2788	Unicorn-59883.exe	41
PID 2632 wrote to memory of 520	2632	Unicorn-49551.exe	42
PID 2632 wrote to memory of 520	2632	Unicorn-49551.exe	42
PID 2632 wrote to memory of 520	2632	Unicorn-49551.exe	42
PID 2632 wrote to memory of 520	2632	Unicorn-49551.exe	42
PID 2716 wrote to memory of 2960	2716	Unicorn-13157.exe	43
PID 2716 wrote to memory of 2960	2716	Unicorn-13157.exe	43
PID 2716 wrote to memory of 2960	2716	Unicorn-13157.exe	43
PID 2716 wrote to memory of 2960	2716	Unicorn-13157.exe	43
PID 2632 wrote to memory of 1532	2632	Unicorn-49551.exe	44
PID 2632 wrote to memory of 1532	2632	Unicorn-49551.exe	44
PID 2632 wrote to memory of 1532	2632	Unicorn-49551.exe	44
PID 2632 wrote to memory of 1532	2632	Unicorn-49551.exe	44
PID 2488 wrote to memory of 2016	2488	Unicorn-5649.exe	45
PID 2488 wrote to memory of 2016	2488	Unicorn-5649.exe	45
PID 2488 wrote to memory of 2016	2488	Unicorn-5649.exe	45
PID 2488 wrote to memory of 2016	2488	Unicorn-5649.exe	45

C:\Users\Admin\AppData\Local\Temp\58590b28d2187be0a21deb516f802f90e1f5af5aa551e2e852416599751aa1b7N.exe
"C:\Users\Admin\AppData\Local\Temp\58590b28d2187be0a21deb516f802f90e1f5af5aa551e2e852416599751aa1b7N.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:468
- C:\Users\Admin\AppData\Local\Temp\Unicorn-64805.exe
  C:\Users\Admin\AppData\Local\Temp\Unicorn-64805.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2216
- - C:\Users\Admin\AppData\Local\Temp\Unicorn-49551.exe
    C:\Users\Admin\AppData\Local\Temp\Unicorn-49551.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:2632
  - - C:\Users\Admin\AppData\Local\Temp\Unicorn-30548.exe
      C:\Users\Admin\AppData\Local\Temp\Unicorn-30548.exe
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:2696
    - - C:\Users\Admin\AppData\Local\Temp\Unicorn-5265.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-5265.exe
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2916
      - C:\Users\Admin\AppData\Local\Temp\Unicorn-44617.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-44617.exe
        6⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:824
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-41553.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-41553.exe
        7⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2116
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-1470.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-1470.exe
        8⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2624
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-54875.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-54875.exe
        9⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:1932
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-50795.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-50795.exe
        10⤵
        
        PID:3192
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-56620.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-56620.exe
        11⤵
        
        PID:1832
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-10280.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-10280.exe
        12⤵
        System Location Discovery: System Language Discovery
        
        PID:4832
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-4650.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-4650.exe
        13⤵
        
        PID:4928
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1832 -s 216
        12⤵
        
        PID:4876
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3192 -s 216
        11⤵
        
        PID:4572
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1932 -s 216
        10⤵
        Program crash
        
        PID:4024
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2624 -s 236
        9⤵
        Program crash
        
        PID:3044
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2116 -s 236
        8⤵
        Program crash
        
        PID:512
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-32149.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-32149.exe
        7⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1428
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-59841.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-59841.exe
        8⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2184
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-22191.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-22191.exe
        9⤵
        
        PID:1936
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-23896.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-23896.exe
        10⤵
        System Location Discovery: System Language Discovery
        
        PID:3092
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-24256.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-24256.exe
        11⤵
        System Location Discovery: System Language Discovery
        
        PID:5020
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-37816.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-37816.exe
        12⤵
        System Location Discovery: System Language Discovery
        
        PID:5008
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-40446.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-40446.exe
        11⤵
        
        PID:5088
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1936 -s 216
        10⤵
        
        PID:4448
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2184 -s 216
        9⤵
        Program crash
        
        PID:3512
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1428 -s 236
        8⤵
        Program crash
        
        PID:2940
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 824 -s 240
        7⤵
        Program crash
        
        PID:1320
      - C:\Users\Admin\AppData\Local\Temp\Unicorn-42382.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-42382.exe
        6⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2952
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-51631.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-51631.exe
        7⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2004
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-64008.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-64008.exe
        8⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2572
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-50795.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-50795.exe
        9⤵
        
        PID:3200
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-57637.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-57637.exe
        10⤵
        System Location Discovery: System Language Discovery
        
        PID:3100
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-25792.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-25792.exe
        11⤵
        System Location Discovery: System Language Discovery
        
        PID:5080
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-43784.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-43784.exe
        12⤵
        System Location Discovery: System Language Discovery
        
        PID:5012
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-9694.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-9694.exe
        11⤵
        System Location Discovery: System Language Discovery
        
        PID:4156
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3200 -s 236
        10⤵
        
        PID:4464
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2572 -s 236
        9⤵
        Program crash
        
        PID:4008
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2004 -s 236
        8⤵
        Program crash
        
        PID:2312
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2952 -s 236
        7⤵
        Program crash
        
        PID:1404
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2916 -s 240
        6⤵
        Program crash
        
        PID:692
    - - C:\Users\Admin\AppData\Local\Temp\Unicorn-8223.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-8223.exe
        5⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:972
      - C:\Users\Admin\AppData\Local\Temp\Unicorn-3063.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-3063.exe
        6⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2908
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-44745.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-44745.exe
        7⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:896
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-49239.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-49239.exe
        8⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2068
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-50275.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-50275.exe
        9⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:3000
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-43737.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-43737.exe
        10⤵
        System Location Discovery: System Language Discovery
        
        PID:2352
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2352 -s 240
        11⤵
        
        PID:2460
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3000 -s 216
        10⤵
        Program crash
        
        PID:3612
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2068 -s 236
        9⤵
        Program crash
        
        PID:2600
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-30409.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-30409.exe
        8⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1220
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-13616.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-13616.exe
        9⤵
        System Location Discovery: System Language Discovery
        
        PID:3896
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-37636.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-37636.exe
        10⤵
        System Location Discovery: System Language Discovery
        
        PID:4528
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-10031.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-10031.exe
        11⤵
        
        PID:5052
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-46197.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-46197.exe
        12⤵
        System Location Discovery: System Language Discovery
        
        PID:4300
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-28552.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-28552.exe
        11⤵
        System Location Discovery: System Language Discovery
        
        PID:2232
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3896 -s 216
        10⤵
        
        PID:4760
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1220 -s 236
        9⤵
        Program crash
        
        PID:3500
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 896 -s 240
        8⤵
        Program crash
        
        PID:3268
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-19197.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-19197.exe
        7⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2936
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-59414.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-59414.exe
        8⤵
        System Location Discovery: System Language Discovery
        
        PID:880
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 880 -s 220
        9⤵
        
        PID:2040
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2936 -s 236
        8⤵
        Program crash
        
        PID:3540
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2908 -s 220
        7⤵
        Program crash
        
        PID:1008
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 972 -s 236
        6⤵
        Program crash
        
        PID:1012
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2696 -s 240
        5⤵
        Program crash
        
        PID:1488
  - - C:\Users\Admin\AppData\Local\Temp\Unicorn-53433.exe
      C:\Users\Admin\AppData\Local\Temp\Unicorn-53433.exe
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Suspicious use of SetWindowsHookEx
      PID:520
    - - C:\Users\Admin\AppData\Local\Temp\Unicorn-47440.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-47440.exe
        5⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1712
      - C:\Users\Admin\AppData\Local\Temp\Unicorn-8496.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-8496.exe
        6⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1644
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-28409.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-28409.exe
        7⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:552
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-14262.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-14262.exe
        8⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:3068
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-5662.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-5662.exe
        9⤵
        System Location Discovery: System Language Discovery
        
        PID:2948
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2948 -s 240
        10⤵
        
        PID:3228
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3068 -s 236
        9⤵
        Program crash
        
        PID:3504
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 552 -s 236
        8⤵
        Program crash
        
        PID:1252
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-13037.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-13037.exe
        7⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2080
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-27017.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-27017.exe
        8⤵
        System Location Discovery: System Language Discovery
        
        PID:2508
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-57637.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-57637.exe
        9⤵
        System Location Discovery: System Language Discovery
        
        PID:3208
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-29497.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-29497.exe
        10⤵
        System Location Discovery: System Language Discovery
        
        PID:4848
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-39684.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-39684.exe
        11⤵
        
        PID:1352
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4848 -s 236
        11⤵
        
        PID:4368
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-58843.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-58843.exe
        10⤵
        
        PID:4356
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-34846.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-34846.exe
        11⤵
        System Location Discovery: System Language Discovery
        
        PID:4552
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3208 -s 240
        10⤵
        
        PID:5112
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2508 -s 236
        9⤵
        
        PID:4440
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2080 -s 236
        8⤵
        Program crash
        
        PID:3620
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1644 -s 240
        7⤵
        Program crash
        
        PID:1384
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1712 -s 216
        6⤵
        Program crash
        
        PID:2424
    - - C:\Users\Admin\AppData\Local\Temp\Unicorn-42382.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-42382.exe
        5⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1108
      - C:\Users\Admin\AppData\Local\Temp\Unicorn-50275.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-50275.exe
        6⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:928
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 928 -s 220
        7⤵
        Program crash
        
        PID:3364
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1108 -s 236
        6⤵
        Program crash
        
        PID:2560
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 520 -s 240
        5⤵
        Program crash
        
        PID:2956
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 2632 -s 240
      4⤵
      Loads dropped DLL
      Program crash
      PID:1532
- - C:\Users\Admin\AppData\Local\Temp\Unicorn-59883.exe
    C:\Users\Admin\AppData\Local\Temp\Unicorn-59883.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:2788
  - - C:\Users\Admin\AppData\Local\Temp\Unicorn-21602.exe
      C:\Users\Admin\AppData\Local\Temp\Unicorn-21602.exe
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      System Location Discovery: System Language Discovery
      Suspicious use of SetWindowsHookEx
      PID:2852
    - - C:\Users\Admin\AppData\Local\Temp\Unicorn-15811.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-15811.exe
        5⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1680
      - C:\Users\Admin\AppData\Local\Temp\Unicorn-53115.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-53115.exe
        6⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2540
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-50275.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-50275.exe
        7⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2260
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-20887.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-20887.exe
        8⤵
        
        PID:3832
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-57637.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-57637.exe
        9⤵
        
        PID:1804
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-42652.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-42652.exe
        10⤵
        
        PID:4788
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-46197.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-46197.exe
        11⤵
        System Location Discovery: System Language Discovery
        
        PID:4320
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1804 -s 236
        10⤵
        
        PID:4808
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3832 -s 236
        9⤵
        
        PID:4456
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2260 -s 216
        8⤵
        Program crash
        
        PID:3468
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2540 -s 236
        7⤵
        Program crash
        
        PID:3256
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1680 -s 236
        6⤵
        Program crash
        
        PID:2316
    - - C:\Users\Admin\AppData\Local\Temp\Unicorn-4744.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-4744.exe
        5⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2884
      - C:\Users\Admin\AppData\Local\Temp\Unicorn-50275.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-50275.exe
        6⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:1568
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-50795.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-50795.exe
        7⤵
        
        PID:3184
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3184 -s 240
        8⤵
        
        PID:3928
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1568 -s 216
        7⤵
        Program crash
        
        PID:4016
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2884 -s 216
        6⤵
        Program crash
        
        PID:2056
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2852 -s 240
        5⤵
        Program crash
        
        PID:2156
  - - C:\Users\Admin\AppData\Local\Temp\Unicorn-35545.exe
      C:\Users\Admin\AppData\Local\Temp\Unicorn-35545.exe
      4⤵
      Executes dropped EXE
      Suspicious use of SetWindowsHookEx
      PID:2704
    - - C:\Users\Admin\AppData\Local\Temp\Unicorn-1610.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-1610.exe
        5⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2556
      - C:\Users\Admin\AppData\Local\Temp\Unicorn-50275.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-50275.exe
        6⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2144
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-8318.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-8318.exe
        7⤵
        System Location Discovery: System Language Discovery
        
        PID:4084
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-42036.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-42036.exe
        8⤵
        System Location Discovery: System Language Discovery
        
        PID:4260
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-52486.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-52486.exe
        9⤵
        System Location Discovery: System Language Discovery
        
        PID:4912
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-17282.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-17282.exe
        10⤵
        
        PID:4124
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4912 -s 236
        10⤵
        
        PID:4864
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4260 -s 216
        9⤵
        
        PID:5040
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4084 -s 236
        8⤵
        
        PID:4668
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2144 -s 216
        7⤵
        
        PID:3340
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2556 -s 236
        6⤵
        Program crash
        
        PID:3276
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2704 -s 236
        5⤵
        Program crash
        
        PID:2372
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 2788 -s 220
      4⤵
      Program crash
      PID:2256
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2216 -s 240
    3⤵
    - Loads dropped DLL
    - Program crash
    PID:2504
- C:\Users\Admin\AppData\Local\Temp\Unicorn-13157.exe
  C:\Users\Admin\AppData\Local\Temp\Unicorn-13157.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2716
- - C:\Users\Admin\AppData\Local\Temp\Unicorn-25421.exe
    C:\Users\Admin\AppData\Local\Temp\Unicorn-25421.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:2772
  - - C:\Users\Admin\AppData\Local\Temp\Unicorn-5649.exe
      C:\Users\Admin\AppData\Local\Temp\Unicorn-5649.exe
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      System Location Discovery: System Language Discovery
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:2488
    - - C:\Users\Admin\AppData\Local\Temp\Unicorn-58457.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-58457.exe
        5⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2016
      - C:\Users\Admin\AppData\Local\Temp\Unicorn-48644.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-48644.exe
        6⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1608
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-41138.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-41138.exe
        7⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2868
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-50275.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-50275.exe
        8⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2780
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-43346.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-43346.exe
        9⤵
        
        PID:3232
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3232 -s 240
        10⤵
        
        PID:4164
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2780 -s 236
        9⤵
        Program crash
        
        PID:4040
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2868 -s 236
        8⤵
        Program crash
        
        PID:3284
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1608 -s 236
        7⤵
        Program crash
        
        PID:2064
      - C:\Users\Admin\AppData\Local\Temp\Unicorn-21163.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-21163.exe
        6⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:540
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-43505.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-43505.exe
        7⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2820
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-37536.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-37536.exe
        8⤵
        System Location Discovery: System Language Discovery
        
        PID:2160
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2160 -s 240
        9⤵
        
        PID:836
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2820 -s 236
        8⤵
        Program crash
        
        PID:3724
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 540 -s 236
        7⤵
        Program crash
        
        PID:2928
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2016 -s 240
        6⤵
        Program crash
        
        PID:556
    - - C:\Users\Admin\AppData\Local\Temp\Unicorn-33197.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-33197.exe
        5⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:1136
      - C:\Users\Admin\AppData\Local\Temp\Unicorn-41029.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-41029.exe
        6⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2856
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-10500.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-10500.exe
        7⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:756
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-54192.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-54192.exe
        8⤵
        
        PID:3552
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-40552.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-40552.exe
        9⤵
        System Location Discovery: System Language Discovery
        
        PID:4336
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-51142.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-51142.exe
        10⤵
        System Location Discovery: System Language Discovery
        
        PID:4980
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-62865.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-62865.exe
        11⤵
        
        PID:4472
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-12616.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-12616.exe
        12⤵
        
        PID:4868
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4980 -s 236
        11⤵
        
        PID:4960
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-47909.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-47909.exe
        10⤵
        
        PID:4740
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-58688.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-58688.exe
        11⤵
        
        PID:2496
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4336 -s 240
        10⤵
        
        PID:4820
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3552 -s 236
        9⤵
        
        PID:4704
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 756 -s 236
        8⤵
        Program crash
        
        PID:3292
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2856 -s 236
        7⤵
        Program crash
        
        PID:2988
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1136 -s 236
        6⤵
        Program crash
        
        PID:3032
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2488 -s 240
        5⤵
        Program crash
        
        PID:3040
  - - C:\Users\Admin\AppData\Local\Temp\Unicorn-41471.exe
      C:\Users\Admin\AppData\Local\Temp\Unicorn-41471.exe
      4⤵
      Executes dropped EXE
      Suspicious use of SetWindowsHookEx
      PID:2348
    - - C:\Users\Admin\AppData\Local\Temp\Unicorn-54983.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-54983.exe
        5⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2480
      - C:\Users\Admin\AppData\Local\Temp\Unicorn-30853.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-30853.exe
        6⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2752
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-18423.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-18423.exe
        7⤵
        Executes dropped EXE
        
        PID:1316
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1316 -s 240
        8⤵
        Program crash
        
        PID:3408
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2752 -s 236
        7⤵
        Program crash
        
        PID:1312
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2480 -s 236
        6⤵
        Program crash
        
        PID:2392
    - - C:\Users\Admin\AppData\Local\Temp\Unicorn-29570.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-29570.exe
        5⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:3024
      - C:\Users\Admin\AppData\Local\Temp\Unicorn-57506.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-57506.exe
        6⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:1772
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-22127.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-22127.exe
        7⤵
        System Location Discovery: System Language Discovery
        
        PID:3380
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-49830.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-49830.exe
        8⤵
        System Location Discovery: System Language Discovery
        
        PID:4108
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-10280.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-10280.exe
        9⤵
        System Location Discovery: System Language Discovery
        
        PID:4824
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-63249.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-63249.exe
        10⤵
        
        PID:4372
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4824 -s 236
        10⤵
        
        PID:4476
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-48101.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-48101.exe
        9⤵
        
        PID:4676
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4108 -s 220
        9⤵
        
        PID:4276
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3380 -s 236
        8⤵
        
        PID:4580
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1772 -s 236
        7⤵
        Program crash
        
        PID:3176
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3024 -s 216
        6⤵
        Program crash
        
        PID:2028
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2348 -s 240
        5⤵
        Program crash
        
        PID:2596
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 2772 -s 240
      4⤵
      Loads dropped DLL
      Program crash
      PID:1340
- - C:\Users\Admin\AppData\Local\Temp\Unicorn-50937.exe
    C:\Users\Admin\AppData\Local\Temp\Unicorn-50937.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of SetWindowsHookEx
    PID:2384
  - - C:\Users\Admin\AppData\Local\Temp\Unicorn-3065.exe
      C:\Users\Admin\AppData\Local\Temp\Unicorn-3065.exe
      4⤵
      Executes dropped EXE
      Suspicious use of SetWindowsHookEx
      PID:1344
    - - C:\Users\Admin\AppData\Local\Temp\Unicorn-3063.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-3063.exe
        5⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2552
      - C:\Users\Admin\AppData\Local\Temp\Unicorn-11600.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-11600.exe
        6⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:3048
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-2994.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-2994.exe
        7⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2692
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-1106.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-1106.exe
        8⤵
        System Location Discovery: System Language Discovery
        
        PID:1972
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1972 -s 240
        9⤵
        
        PID:3224
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2692 -s 236
        8⤵
        Program crash
        
        PID:3692
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3048 -s 236
        7⤵
        Program crash
        
        PID:2904
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2552 -s 236
        6⤵
        Program crash
        
        PID:2020
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1344 -s 236
        5⤵
        Program crash
        
        PID:1592
  - - C:\Users\Admin\AppData\Local\Temp\Unicorn-48735.exe
      C:\Users\Admin\AppData\Local\Temp\Unicorn-48735.exe
      4⤵
      Executes dropped EXE
      Suspicious use of SetWindowsHookEx
      PID:2720
    - - C:\Users\Admin\AppData\Local\Temp\Unicorn-11164.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-11164.exe
        5⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:1612
      - C:\Users\Admin\AppData\Local\Temp\Unicorn-50275.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-50275.exe
        6⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2440
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-57162.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-57162.exe
        7⤵
        System Location Discovery: System Language Discovery
        
        PID:2472
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-36143.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-36143.exe
        8⤵
        System Location Discovery: System Language Discovery
        
        PID:3632
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-3477.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-3477.exe
        9⤵
        System Location Discovery: System Language Discovery
        
        PID:4936
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-51739.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-51739.exe
        10⤵
        System Location Discovery: System Language Discovery
        
        PID:4756
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4936 -s 236
        10⤵
        
        PID:4360
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-1505.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-1505.exe
        9⤵
        
        PID:4900
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3632 -s 240
        9⤵
        
        PID:4188
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2472 -s 236
        8⤵
        
        PID:4564
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2440 -s 236
        7⤵
        Program crash
        
        PID:3784
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1612 -s 236
        6⤵
        Program crash
        
        PID:560
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2720 -s 236
        5⤵
        Program crash
        
        PID:828
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 2384 -s 240
      4⤵
      Program crash
      PID:748
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2716 -s 240
    3⤵
    - Loads dropped DLL
    - Program crash
    PID:2960
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 468 -s 240
  2⤵
  - Program crash
  PID:2776

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\Unicorn-13157.exe

Filesize
468KB

MD5
761e5ac9a3725bc5e768c9da61abc645

SHA1
de11da18ff6b26701f4c7247cff60add267c5406

SHA256
8868174ab6620e1b0553049245b4fb82fa416b9db23b6a91e7911b5626bb071f

SHA512
798f607f6df5fc4a560a482ffe86498410d73aafb014b4dc2a8357fe20efbce8d92591af0306d283dcd3b145a9d6750911304a71ec19ecc9196b55ab7281c495

Download Submit
C:\Users\Admin\AppData\Local\Temp\Unicorn-21602.exe

Filesize
468KB

MD5
445df17b0978f962e6cdf27b1ce03c6b

SHA1
23c50650816c11280e5af9e64f95b382a391a3fe

SHA256
0cc7ae0bf89fcde1b87520c7ef6e6bdcb94799f707719845442277788dd3eb57

SHA512
de0b1820ad3cde092a612de7422439b7b22dcbd710ca9bc0b7e6d350b1f705aa287beebfdc038d918743d67e2437a1fa82160e47d4e85b445b739e3d96812f9e

Download Submit
C:\Users\Admin\AppData\Local\Temp\Unicorn-30548.exe

Filesize
468KB

MD5
59fe04d882268093989f0366463a7a01

SHA1
842edd66ace1bd8f1f921fc2776e338b70acace5

SHA256
22f4f604e1f7caf86fc35f93a062a381310c0114a1d1980f45e758ea65b2d283

SHA512
e60769c3196f2c5c587959a78c8311a8eef3da032e80330821dd82089b673ec52566008b7e2216d6e936e040beb3c21b49fc36f8bf8e548a7bb8bdf2ccc4e210

Download Submit
C:\Users\Admin\AppData\Local\Temp\Unicorn-53433.exe

Filesize
468KB

MD5
13cea58b4bb392fd8c412aafc79a2b53

SHA1
ee5ef3b310dad542f304db2bb5a34438e8782653

SHA256
63e06c858db49ce8889297fbb19588422bb93f2b50e5a4626c7db47dd0ead2e3

SHA512
9f1b58081731f9bca7308be328ec03080768632e8a48adf7a3a7b79082fad3d8991127928957f79e486084bccf3d5e36c214c96a63e28be10dff427e2ee94345

Download Submit
\Users\Admin\AppData\Local\Temp\Unicorn-25421.exe

Filesize
468KB

MD5
f63e155a67fcf4dc97cb0d6f68ee0bc8

SHA1
377ba1c2f08a5620a555ac7df1242bcdc390ca66

SHA256
1e303df55afb9c864acd12317d8996ce94e32817668307a527468e1a21d1d05f

SHA512
aa8f89c2bd7317a4161e255bbb3713b930e8db093e21be7244fb1015a714673f54891c8dfbadd55e02fb8a19b8f3750abb8759e9799924397dde894a9b7a2952

Download Submit
\Users\Admin\AppData\Local\Temp\Unicorn-49551.exe

Filesize
468KB

MD5
0ec547557c502f8406593d3dc02ec7df

SHA1
744a2e540e80335f4110a99ff8d5f8422aa127a6

SHA256
7939298b32254de943a8d226679855f627d8a647d6ee4c7b3a93a99692dde9b7

SHA512
cd2adb39f7eae3c6c55c4cee940bc1581ba3b534440a71f2b55775099dd14ba95c753549a3a16c341a6cd84af1b8450b522f36353d20e521b804aacf32621830

Download Submit
\Users\Admin\AppData\Local\Temp\Unicorn-50937.exe

Filesize
468KB

MD5
0ead210d143dd8202bb242a222dcd4bd

SHA1
e1c49c1a5fd8abca7e6cdd3324d5fae0ee7c34f6

SHA256
54e0276a7f95348d4ef690219afc31638d6d9a2f23ef7e90e9dde6d3d37022b2

SHA512
c687381f112186aa8f77c74b181edca388beff5f6b9b8ceb8d107bd23a070571ee404742d7b036f045d1781b15c93eb2636fbafe3e5190106a27b9670498736e

Download Submit
\Users\Admin\AppData\Local\Temp\Unicorn-5265.exe

Filesize
468KB

MD5
dc563d02d3bdfb8f966f3370016dd09d

SHA1
689746842ac14597f5e4d58348ca4e596a746b6f

SHA256
66b4d2a173295424ee2e339dda8a98ef6bc60a282726c39fb82f9a83f7f1f491

SHA512
7bebb96e39ec04abe4c05080dafe634b779b0d174659a86c337f47babfd6b334d8d91ed1cefa52cb9c5644660dd6bb376aa43d31de018cf473d49fc39a43599c

Download Submit
\Users\Admin\AppData\Local\Temp\Unicorn-5649.exe

Filesize
468KB

MD5
21cb98c37f8527c4bb47a54b706553c0

SHA1
3e9be47750522f78ea180a925af57f0f12aa9572

SHA256
54b618ade779a96896e17c477825a64af5bae012c1f45a5eb01dc8bf8a4cf46a

SHA512
8c69ed6ea1744a431d738aa3ffe80b410ba16cb428c5c443a55e99ee1db31f2a64884f018dfda55e1fe5f18d7a4c578a8545ab54e17796d57577f140dd211fa0

Download Submit
\Users\Admin\AppData\Local\Temp\Unicorn-58457.exe

Filesize
468KB

MD5
9cf566d2b11560d56ea4b262cd97b3cc

SHA1
57712cfa37ce356854ba8cf770802b3906b7afad

SHA256
61ea3524c51b78b9c377cc15676d52b83714260e5c7704cb65d2191c978e41b1

SHA512
8f9a63827766973834363f2340baadc297da2c12e13043ff77c868e324eb14864bcabb1e6b3701fb48b2fbd2d8a5256df630b3554d70771a2615ea67f072c85a

Download Submit
\Users\Admin\AppData\Local\Temp\Unicorn-59883.exe

Filesize
468KB

MD5
f91a2bdbe8c18b95bfac2546dbf4ca9e

SHA1
5d2ef17ceefe32a2f229b6b110778c6bda1bf36b

SHA256
22e9ccb4e57d32cbe18674fa69084a6f5445abb88e506d140897b11a067a3bcd

SHA512
78e7e9db9ec7f44dfe8a0316d96ecc1802b652b4060e35ad4cca8fdb02b536f53612483ce11a65a225c18ad16e3d7b335ee70042e3b099ce4a605ee3658d7083

Download Submit
\Users\Admin\AppData\Local\Temp\Unicorn-64805.exe

Filesize
468KB

MD5
6e8c777dc7a23c16cd91f5e4da13dcad

SHA1
d1d6178651771ee0fd116e244ee5d64ff3c2119d

SHA256
a51b22b91c08fd55e240194ba4ea3f8c1b7f7a7a5a0414d06153c84e61270b85

SHA512
aad76826bd79babc3a063ce16f05dc5534e49a6a76fcd5eb2229c81a8844640928ae643c84f80739c1f422afd68c58b1b3ffe4c366f5ac3e4920a44541890a8d

Download Submit
memory/468-370-0x0000000000400000-0x0000000000475000-memory.dmp

Filesize
468KB

Download
memory/468-29-0x0000000002510000-0x0000000002585000-memory.dmp

Filesize
468KB

Download
memory/468-0-0x0000000000400000-0x0000000000475000-memory.dmp

Filesize
468KB

Download
memory/468-6-0x0000000002510000-0x0000000002585000-memory.dmp

Filesize
468KB

Download
memory/520-292-0x0000000000480000-0x00000000004F5000-memory.dmp

Filesize
468KB

Download
memory/520-291-0x0000000000480000-0x00000000004F5000-memory.dmp

Filesize
468KB

Download
memory/520-192-0x0000000000480000-0x00000000004F5000-memory.dmp

Filesize
468KB

Download
memory/520-136-0x0000000000400000-0x0000000000475000-memory.dmp

Filesize
468KB

Download
memory/520-201-0x0000000000480000-0x00000000004F5000-memory.dmp

Filesize
468KB

Download
memory/540-360-0x0000000000400000-0x0000000000475000-memory.dmp

Filesize
468KB

Download
memory/824-203-0x0000000000400000-0x0000000000475000-memory.dmp

Filesize
468KB

Download
memory/824-416-0x0000000002380000-0x00000000023F5000-memory.dmp

Filesize
468KB

Download
memory/824-284-0x0000000002380000-0x00000000023F5000-memory.dmp

Filesize
468KB

Download
memory/824-285-0x0000000002380000-0x00000000023F5000-memory.dmp

Filesize
468KB

Download
memory/972-308-0x0000000002590000-0x0000000002605000-memory.dmp

Filesize
468KB

Download
memory/972-314-0x0000000002590000-0x0000000002605000-memory.dmp

Filesize
468KB

Download
memory/972-190-0x0000000000400000-0x0000000000475000-memory.dmp

Filesize
468KB

Download
memory/1136-258-0x0000000000400000-0x0000000000475000-memory.dmp

Filesize
468KB

Download
memory/1136-365-0x00000000027F0000-0x0000000002865000-memory.dmp

Filesize
468KB

Download
memory/1136-366-0x00000000027F0000-0x0000000002865000-memory.dmp

Filesize
468KB

Download
memory/1344-310-0x0000000000480000-0x00000000004F5000-memory.dmp

Filesize
468KB

Download
memory/1344-218-0x0000000000400000-0x0000000000475000-memory.dmp

Filesize
468KB

Download
memory/1344-311-0x0000000000480000-0x00000000004F5000-memory.dmp

Filesize
468KB

Download
memory/1428-417-0x0000000000400000-0x0000000000475000-memory.dmp

Filesize
468KB

Download
memory/1608-347-0x00000000026C0000-0x0000000002735000-memory.dmp

Filesize
468KB

Download
memory/1608-344-0x00000000026C0000-0x0000000002735000-memory.dmp

Filesize
468KB

Download
memory/1608-248-0x0000000000400000-0x0000000000475000-memory.dmp

Filesize
468KB

Download
memory/1644-286-0x0000000000400000-0x0000000000475000-memory.dmp

Filesize
468KB

Download
memory/1680-234-0x0000000000400000-0x0000000000475000-memory.dmp

Filesize
468KB

Download
memory/1680-328-0x0000000000820000-0x0000000000895000-memory.dmp

Filesize
468KB

Download
memory/1680-324-0x0000000000820000-0x0000000000895000-memory.dmp

Filesize
468KB

Download
memory/1712-282-0x0000000000370000-0x00000000003E5000-memory.dmp

Filesize
468KB

Download
memory/1712-204-0x0000000000400000-0x0000000000475000-memory.dmp

Filesize
468KB

Download
memory/2016-246-0x0000000002930000-0x00000000029A5000-memory.dmp

Filesize
468KB

Download
memory/2016-247-0x0000000002930000-0x00000000029A5000-memory.dmp

Filesize
468KB

Download
memory/2016-175-0x0000000000400000-0x0000000000475000-memory.dmp

Filesize
468KB

Download
memory/2016-357-0x0000000003460000-0x00000000034D5000-memory.dmp

Filesize
468KB

Download
memory/2016-359-0x0000000003460000-0x00000000034D5000-memory.dmp

Filesize
468KB

Download
memory/2116-390-0x0000000000480000-0x00000000004F5000-memory.dmp

Filesize
468KB

Download
memory/2116-386-0x0000000000480000-0x00000000004F5000-memory.dmp

Filesize
468KB

Download
memory/2116-287-0x0000000000400000-0x0000000000475000-memory.dmp

Filesize
468KB

Download
memory/2216-25-0x0000000000480000-0x00000000004F5000-memory.dmp

Filesize
468KB

Download
memory/2216-382-0x0000000000400000-0x0000000000475000-memory.dmp

Filesize
468KB

Download
memory/2348-177-0x0000000000400000-0x0000000000475000-memory.dmp

Filesize
468KB

Download
memory/2348-267-0x0000000001EA0000-0x0000000001F15000-memory.dmp

Filesize
468KB

Download
memory/2348-266-0x0000000001EA0000-0x0000000001F15000-memory.dmp

Filesize
468KB

Download
memory/2348-378-0x0000000001EA0000-0x0000000001F15000-memory.dmp

Filesize
468KB

Download
memory/2384-133-0x0000000000400000-0x0000000000475000-memory.dmp

Filesize
468KB

Download
memory/2384-213-0x0000000002850000-0x00000000028C5000-memory.dmp

Filesize
468KB

Download
memory/2384-302-0x0000000002850000-0x00000000028C5000-memory.dmp

Filesize
468KB

Download
memory/2384-304-0x0000000002850000-0x00000000028C5000-memory.dmp

Filesize
468KB

Download
memory/2384-217-0x0000000002850000-0x00000000028C5000-memory.dmp

Filesize
468KB

Download
memory/2480-374-0x0000000002660000-0x00000000026D5000-memory.dmp

Filesize
468KB

Download
memory/2480-268-0x0000000000400000-0x0000000000475000-memory.dmp

Filesize
468KB

Download
memory/2488-92-0x0000000000400000-0x0000000000475000-memory.dmp

Filesize
468KB

Download
memory/2488-174-0x00000000024C0000-0x0000000002535000-memory.dmp

Filesize
468KB

Download
memory/2488-171-0x00000000024C0000-0x0000000002535000-memory.dmp

Filesize
468KB

Download
memory/2488-257-0x00000000024C0000-0x0000000002535000-memory.dmp

Filesize
468KB

Download
memory/2488-256-0x00000000024C0000-0x0000000002535000-memory.dmp

Filesize
468KB

Download
memory/2540-329-0x0000000000400000-0x0000000000475000-memory.dmp

Filesize
468KB

Download
memory/2556-322-0x0000000000400000-0x0000000000475000-memory.dmp

Filesize
468KB

Download
memory/2624-392-0x0000000000400000-0x0000000000475000-memory.dmp

Filesize
468KB

Download
memory/2632-33-0x0000000000400000-0x0000000000475000-memory.dmp

Filesize
468KB

Download
memory/2632-135-0x0000000000680000-0x00000000006F5000-memory.dmp

Filesize
468KB

Download
memory/2632-134-0x0000000000680000-0x00000000006F5000-memory.dmp

Filesize
468KB

Download
memory/2696-68-0x0000000000400000-0x0000000000475000-memory.dmp

Filesize
468KB

Download
memory/2696-188-0x0000000001CE0000-0x0000000001D55000-memory.dmp

Filesize
468KB

Download
memory/2696-187-0x0000000001CE0000-0x0000000001D55000-memory.dmp

Filesize
468KB

Download
memory/2704-321-0x0000000000380000-0x00000000003F5000-memory.dmp

Filesize
468KB

Download
memory/2704-232-0x0000000000400000-0x0000000000475000-memory.dmp

Filesize
468KB

Download
memory/2716-47-0x00000000024E0000-0x0000000002555000-memory.dmp

Filesize
468KB

Download
memory/2716-46-0x00000000024E0000-0x0000000002555000-memory.dmp

Filesize
468KB

Download
memory/2720-312-0x0000000000400000-0x0000000000475000-memory.dmp

Filesize
468KB

Download
memory/2752-376-0x0000000000400000-0x0000000000475000-memory.dmp

Filesize
468KB

Download
memory/2772-172-0x0000000002490000-0x0000000002505000-memory.dmp

Filesize
468KB

Download
memory/2772-173-0x0000000002490000-0x0000000002505000-memory.dmp

Filesize
468KB

Download
memory/2772-91-0x0000000002490000-0x0000000002505000-memory.dmp

Filesize
468KB

Download
memory/2772-49-0x0000000000400000-0x0000000000475000-memory.dmp

Filesize
468KB

Download
memory/2788-66-0x0000000000400000-0x0000000000475000-memory.dmp

Filesize
468KB

Download
memory/2788-235-0x0000000001D10000-0x0000000001D85000-memory.dmp

Filesize
468KB

Download
memory/2788-236-0x0000000001D10000-0x0000000001D85000-memory.dmp

Filesize
468KB

Download
memory/2852-345-0x0000000000360000-0x00000000003D5000-memory.dmp

Filesize
468KB

Download
memory/2852-346-0x0000000000360000-0x00000000003D5000-memory.dmp

Filesize
468KB

Download
memory/2852-137-0x0000000000400000-0x0000000000475000-memory.dmp

Filesize
468KB

Download
memory/2852-233-0x0000000000360000-0x00000000003D5000-memory.dmp

Filesize
468KB

Download
memory/2852-231-0x0000000000360000-0x00000000003D5000-memory.dmp

Filesize
468KB

Download
memory/2856-367-0x0000000000400000-0x0000000000475000-memory.dmp

Filesize
468KB

Download
memory/2868-348-0x0000000000400000-0x0000000000475000-memory.dmp

Filesize
468KB

Download
memory/2884-349-0x0000000000400000-0x0000000000475000-memory.dmp

Filesize
468KB

Download
memory/2916-138-0x0000000000400000-0x0000000000475000-memory.dmp

Filesize
468KB

Download
memory/2916-202-0x0000000000480000-0x00000000004F5000-memory.dmp

Filesize
468KB

Download
memory/2916-290-0x0000000000480000-0x00000000004F5000-memory.dmp

Filesize
468KB

Download
memory/2916-194-0x0000000000480000-0x00000000004F5000-memory.dmp

Filesize
468KB

Download
memory/2916-293-0x0000000000480000-0x00000000004F5000-memory.dmp

Filesize
468KB

Download
memory/2952-294-0x0000000000400000-0x0000000000475000-memory.dmp

Filesize
468KB

Download
memory/3024-384-0x0000000000400000-0x0000000000475000-memory.dmp

Filesize
468KB

Download