9127699363769454d7969cc343d08e8d3c996a7b1675717280371f7023f4799a

Analysis

max time kernel
119s
max time network
119s
platform
windows7_x64
resource
win7-20240708-en
resource tags

arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system
submitted
27-09-2024 14:38

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

9127699363769454d7969cc343d08e8d3c996a7b1675717280371f7023f4799aN.exe
Size

468KB
MD5

3b925222c001876f001eb6dd3c765f90
SHA1

b1cba4dfe2ce888bc61b0837d66b493f876d246d
SHA256

9127699363769454d7969cc343d08e8d3c996a7b1675717280371f7023f4799a
SHA512

b355286318bde64a5adf5d71b292b06e7b4a13b4478d512e6899bb2917256871e23f35da2bbf4b04a9ee6c0ccda3a4f746c2e6224f5c7971fe541ec7a360cfa7
SSDEEP

3072:KTANoSKVI95UtbY2PQYjcf8/PrMDPgpwVmHeefsNm4x81rRuk3le:KTqow7UtlP1jcfPcQ7m4+BRuk

Score

7^/10

discovery

Malware Config

Signatures

Executes dropped EXE 44 IoCs

pid	Process
3020	Unicorn-8260.exe
2748	Unicorn-23850.exe
2680	Unicorn-14394.exe
2904	Unicorn-63761.exe
2596	Unicorn-42402.exe
2628	Unicorn-5126.exe
1516	Unicorn-42205.exe
1464	Unicorn-8629.exe
2020	Unicorn-710.exe
1064	Unicorn-16300.exe
1968	Unicorn-32802.exe
2400	Unicorn-48775.exe
2952	Unicorn-11115.exe
908	Unicorn-10212.exe
1128	Unicorn-42823.exe
1608	Unicorn-9247.exe
1200	Unicorn-41209.exe
2196	Unicorn-49603.exe
768	Unicorn-46069.exe
352	Unicorn-10511.exe
2312	Unicorn-15831.exe
2936	Unicorn-25234.exe
804	Unicorn-33724.exe
340	Unicorn-43127.exe
2976	Unicorn-41394.exe
1768	Unicorn-14040.exe
1364	Unicorn-6038.exe
2772	Unicorn-3153.exe
2704	Unicorn-41337.exe
2708	Unicorn-50740.exe
2576	Unicorn-30834.exe
2668	Unicorn-7564.exe
2592	Unicorn-4679.exe
2428	Unicorn-46947.exe
1684	Unicorn-22997.exe
1976	Unicorn-38945.exe
1992	Unicorn-30777.exe
2296	Unicorn-27892.exe
1464	Unicorn-19724.exe
2612	Unicorn-28743.exe
1496	Unicorn-20575.exe
2064	Unicorn-29978.exe
1068	Unicorn-29978.exe
2376	Unicorn-13867.exe

Loads dropped DLL 64 IoCs

pid	Process
2328	9127699363769454d7969cc343d08e8d3c996a7b1675717280371f7023f4799aN.exe
2328	9127699363769454d7969cc343d08e8d3c996a7b1675717280371f7023f4799aN.exe
3020	Unicorn-8260.exe
3020	Unicorn-8260.exe
2748	Unicorn-23850.exe
2748	Unicorn-23850.exe
2680	Unicorn-14394.exe
2680	Unicorn-14394.exe
2904	Unicorn-63761.exe
2904	Unicorn-63761.exe
2596	Unicorn-42402.exe
2596	Unicorn-42402.exe
2628	Unicorn-5126.exe
2628	Unicorn-5126.exe
1516	Unicorn-42205.exe
1516	Unicorn-42205.exe
1464	Unicorn-8629.exe
1464	Unicorn-8629.exe
2020	Unicorn-710.exe
2020	Unicorn-710.exe
1064	Unicorn-16300.exe
1064	Unicorn-16300.exe
1968	Unicorn-32802.exe
1968	Unicorn-32802.exe
2400	Unicorn-48775.exe
2400	Unicorn-48775.exe
2952	Unicorn-11115.exe
2952	Unicorn-11115.exe
908	Unicorn-10212.exe
908	Unicorn-10212.exe
1128	Unicorn-42823.exe
1128	Unicorn-42823.exe
1608	Unicorn-9247.exe
1608	Unicorn-9247.exe
1200	Unicorn-41209.exe
1200	Unicorn-41209.exe
2196	Unicorn-49603.exe
2196	Unicorn-49603.exe
768	Unicorn-46069.exe
768	Unicorn-46069.exe
352	Unicorn-10511.exe
352	Unicorn-10511.exe
2312	Unicorn-15831.exe
2312	Unicorn-15831.exe
2936	Unicorn-25234.exe
2936	Unicorn-25234.exe
804	Unicorn-33724.exe
804	Unicorn-33724.exe
340	Unicorn-43127.exe
340	Unicorn-43127.exe
2976	Unicorn-41394.exe
2976	Unicorn-41394.exe
1768	Unicorn-14040.exe
1768	Unicorn-14040.exe
1364	Unicorn-6038.exe
1364	Unicorn-6038.exe
2772	Unicorn-3153.exe
2772	Unicorn-3153.exe
2704	Unicorn-41337.exe
2704	Unicorn-41337.exe
2708	Unicorn-50740.exe
2708	Unicorn-50740.exe
2576	Unicorn-30834.exe
2576	Unicorn-30834.exe

Program crash 2 IoCs

pid	pid_target	Process	procid_target
2736	2328	WerFault.exe	30
2908	1496	WerFault.exe	72

System Location Discovery: System Language Discovery 1 TTPs 44 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Unicorn-38945.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Unicorn-19724.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Unicorn-8260.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Unicorn-63761.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Unicorn-42823.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Unicorn-14040.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Unicorn-46947.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Unicorn-10212.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Unicorn-49603.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Unicorn-33724.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Unicorn-23850.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Unicorn-5126.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Unicorn-42205.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Unicorn-16300.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Unicorn-48775.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Unicorn-41394.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Unicorn-41337.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Unicorn-8629.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Unicorn-10511.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Unicorn-27892.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	9127699363769454d7969cc343d08e8d3c996a7b1675717280371f7023f4799aN.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Unicorn-11115.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Unicorn-41209.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Unicorn-43127.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Unicorn-22997.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Unicorn-3153.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Unicorn-50740.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Unicorn-4679.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Unicorn-42402.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Unicorn-46069.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Unicorn-15831.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Unicorn-25234.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Unicorn-6038.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Unicorn-20575.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Unicorn-13867.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Unicorn-32802.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Unicorn-9247.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Unicorn-30834.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Unicorn-29978.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Unicorn-14394.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Unicorn-710.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Unicorn-7564.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Unicorn-30777.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Unicorn-28743.exe

Suspicious use of SetWindowsHookEx 44 IoCs

pid	Process
2328	9127699363769454d7969cc343d08e8d3c996a7b1675717280371f7023f4799aN.exe
3020	Unicorn-8260.exe
2748	Unicorn-23850.exe
2680	Unicorn-14394.exe
2904	Unicorn-63761.exe
2596	Unicorn-42402.exe
2628	Unicorn-5126.exe
1516	Unicorn-42205.exe
1464	Unicorn-8629.exe
2020	Unicorn-710.exe
1064	Unicorn-16300.exe
1968	Unicorn-32802.exe
2400	Unicorn-48775.exe
2952	Unicorn-11115.exe
908	Unicorn-10212.exe
1128	Unicorn-42823.exe
1608	Unicorn-9247.exe
1200	Unicorn-41209.exe
2196	Unicorn-49603.exe
768	Unicorn-46069.exe
352	Unicorn-10511.exe
2312	Unicorn-15831.exe
2936	Unicorn-25234.exe
804	Unicorn-33724.exe
340	Unicorn-43127.exe
2976	Unicorn-41394.exe
1768	Unicorn-14040.exe
1364	Unicorn-6038.exe
2772	Unicorn-3153.exe
2704	Unicorn-41337.exe
2708	Unicorn-50740.exe
2576	Unicorn-30834.exe
2668	Unicorn-7564.exe
2592	Unicorn-4679.exe
2428	Unicorn-46947.exe
1684	Unicorn-22997.exe
1976	Unicorn-38945.exe
1992	Unicorn-30777.exe
2296	Unicorn-27892.exe
1464	Unicorn-19724.exe
2612	Unicorn-28743.exe
1496	Unicorn-20575.exe
1068	Unicorn-29978.exe
2376	Unicorn-13867.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2328 wrote to memory of 3020	2328	9127699363769454d7969cc343d08e8d3c996a7b1675717280371f7023f4799aN.exe	31
PID 2328 wrote to memory of 3020	2328	9127699363769454d7969cc343d08e8d3c996a7b1675717280371f7023f4799aN.exe	31
PID 2328 wrote to memory of 3020	2328	9127699363769454d7969cc343d08e8d3c996a7b1675717280371f7023f4799aN.exe	31
PID 2328 wrote to memory of 3020	2328	9127699363769454d7969cc343d08e8d3c996a7b1675717280371f7023f4799aN.exe	31
PID 2328 wrote to memory of 2736	2328	9127699363769454d7969cc343d08e8d3c996a7b1675717280371f7023f4799aN.exe	32
PID 2328 wrote to memory of 2736	2328	9127699363769454d7969cc343d08e8d3c996a7b1675717280371f7023f4799aN.exe	32
PID 2328 wrote to memory of 2736	2328	9127699363769454d7969cc343d08e8d3c996a7b1675717280371f7023f4799aN.exe	32
PID 2328 wrote to memory of 2736	2328	9127699363769454d7969cc343d08e8d3c996a7b1675717280371f7023f4799aN.exe	32
PID 3020 wrote to memory of 2748	3020	Unicorn-8260.exe	33
PID 3020 wrote to memory of 2748	3020	Unicorn-8260.exe	33
PID 3020 wrote to memory of 2748	3020	Unicorn-8260.exe	33
PID 3020 wrote to memory of 2748	3020	Unicorn-8260.exe	33
PID 2748 wrote to memory of 2680	2748	Unicorn-23850.exe	34
PID 2748 wrote to memory of 2680	2748	Unicorn-23850.exe	34
PID 2748 wrote to memory of 2680	2748	Unicorn-23850.exe	34
PID 2748 wrote to memory of 2680	2748	Unicorn-23850.exe	34
PID 2680 wrote to memory of 2904	2680	Unicorn-14394.exe	35
PID 2680 wrote to memory of 2904	2680	Unicorn-14394.exe	35
PID 2680 wrote to memory of 2904	2680	Unicorn-14394.exe	35
PID 2680 wrote to memory of 2904	2680	Unicorn-14394.exe	35
PID 2904 wrote to memory of 2596	2904	Unicorn-63761.exe	36
PID 2904 wrote to memory of 2596	2904	Unicorn-63761.exe	36
PID 2904 wrote to memory of 2596	2904	Unicorn-63761.exe	36
PID 2904 wrote to memory of 2596	2904	Unicorn-63761.exe	36
PID 2596 wrote to memory of 2628	2596	Unicorn-42402.exe	37
PID 2596 wrote to memory of 2628	2596	Unicorn-42402.exe	37
PID 2596 wrote to memory of 2628	2596	Unicorn-42402.exe	37
PID 2596 wrote to memory of 2628	2596	Unicorn-42402.exe	37
PID 2628 wrote to memory of 1516	2628	Unicorn-5126.exe	38
PID 2628 wrote to memory of 1516	2628	Unicorn-5126.exe	38
PID 2628 wrote to memory of 1516	2628	Unicorn-5126.exe	38
PID 2628 wrote to memory of 1516	2628	Unicorn-5126.exe	38
PID 1516 wrote to memory of 1464	1516	Unicorn-42205.exe	39
PID 1516 wrote to memory of 1464	1516	Unicorn-42205.exe	39
PID 1516 wrote to memory of 1464	1516	Unicorn-42205.exe	39
PID 1516 wrote to memory of 1464	1516	Unicorn-42205.exe	39
PID 1464 wrote to memory of 2020	1464	Unicorn-8629.exe	40
PID 1464 wrote to memory of 2020	1464	Unicorn-8629.exe	40
PID 1464 wrote to memory of 2020	1464	Unicorn-8629.exe	40
PID 1464 wrote to memory of 2020	1464	Unicorn-8629.exe	40
PID 2020 wrote to memory of 1064	2020	Unicorn-710.exe	41
PID 2020 wrote to memory of 1064	2020	Unicorn-710.exe	41
PID 2020 wrote to memory of 1064	2020	Unicorn-710.exe	41
PID 2020 wrote to memory of 1064	2020	Unicorn-710.exe	41
PID 1064 wrote to memory of 1968	1064	Unicorn-16300.exe	42
PID 1064 wrote to memory of 1968	1064	Unicorn-16300.exe	42
PID 1064 wrote to memory of 1968	1064	Unicorn-16300.exe	42
PID 1064 wrote to memory of 1968	1064	Unicorn-16300.exe	42
PID 1968 wrote to memory of 2400	1968	Unicorn-32802.exe	43
PID 1968 wrote to memory of 2400	1968	Unicorn-32802.exe	43
PID 1968 wrote to memory of 2400	1968	Unicorn-32802.exe	43
PID 1968 wrote to memory of 2400	1968	Unicorn-32802.exe	43
PID 2400 wrote to memory of 2952	2400	Unicorn-48775.exe	44
PID 2400 wrote to memory of 2952	2400	Unicorn-48775.exe	44
PID 2400 wrote to memory of 2952	2400	Unicorn-48775.exe	44
PID 2400 wrote to memory of 2952	2400	Unicorn-48775.exe	44
PID 2952 wrote to memory of 908	2952	Unicorn-11115.exe	45
PID 2952 wrote to memory of 908	2952	Unicorn-11115.exe	45
PID 2952 wrote to memory of 908	2952	Unicorn-11115.exe	45
PID 2952 wrote to memory of 908	2952	Unicorn-11115.exe	45
PID 908 wrote to memory of 1128	908	Unicorn-10212.exe	46
PID 908 wrote to memory of 1128	908	Unicorn-10212.exe	46
PID 908 wrote to memory of 1128	908	Unicorn-10212.exe	46
PID 908 wrote to memory of 1128	908	Unicorn-10212.exe	46

C:\Users\Admin\AppData\Local\Temp\9127699363769454d7969cc343d08e8d3c996a7b1675717280371f7023f4799aN.exe
"C:\Users\Admin\AppData\Local\Temp\9127699363769454d7969cc343d08e8d3c996a7b1675717280371f7023f4799aN.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2328
- C:\Users\Admin\AppData\Local\Temp\Unicorn-8260.exe
  C:\Users\Admin\AppData\Local\Temp\Unicorn-8260.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:3020
- - C:\Users\Admin\AppData\Local\Temp\Unicorn-23850.exe
    C:\Users\Admin\AppData\Local\Temp\Unicorn-23850.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:2748
  - - C:\Users\Admin\AppData\Local\Temp\Unicorn-14394.exe
      C:\Users\Admin\AppData\Local\Temp\Unicorn-14394.exe
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      System Location Discovery: System Language Discovery
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:2680
    - - C:\Users\Admin\AppData\Local\Temp\Unicorn-63761.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-63761.exe
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:2904
      - C:\Users\Admin\AppData\Local\Temp\Unicorn-42402.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-42402.exe
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:2596
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-5126.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-5126.exe
        7⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:2628
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-42205.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-42205.exe
        8⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:1516
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-8629.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-8629.exe
        9⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:1464
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-710.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-710.exe
        10⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:2020
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-16300.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-16300.exe
        11⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:1064
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-32802.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-32802.exe
        12⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:1968
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-48775.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-48775.exe
        13⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:2400
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-11115.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-11115.exe
        14⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:2952
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-10212.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-10212.exe
        15⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:908
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-42823.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-42823.exe
        16⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:1128
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-9247.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-9247.exe
        17⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:1608
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-41209.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-41209.exe
        18⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:1200
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-49603.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-49603.exe
        19⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2196
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-46069.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-46069.exe
        20⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:768
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-10511.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-10511.exe
        21⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:352
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-15831.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-15831.exe
        22⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2312
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-25234.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-25234.exe
        23⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2936
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-33724.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-33724.exe
        24⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:804
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-43127.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-43127.exe
        25⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:340
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-41394.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-41394.exe
        26⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2976
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-14040.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-14040.exe
        27⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:1768
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-6038.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-6038.exe
        28⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:1364
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-3153.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-3153.exe
        29⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2772
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-41337.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-41337.exe
        30⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2704
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-50740.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-50740.exe
        31⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2708
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-30834.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-30834.exe
        32⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2576
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-7564.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-7564.exe
        33⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2668
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-4679.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-4679.exe
        34⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2592
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-46947.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-46947.exe
        35⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2428
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-38945.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-38945.exe
        36⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:1976
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-27892.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-27892.exe
        37⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2296
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-28743.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-28743.exe
        38⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2612
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-29978.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-29978.exe
        39⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:1068
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-13867.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-13867.exe
        40⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2376
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-22997.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-22997.exe
        34⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:1684
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-30777.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-30777.exe
        35⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:1992
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-19724.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-19724.exe
        36⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:1464
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-20575.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-20575.exe
        37⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:1496
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-29978.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-29978.exe
        38⤵
        Executes dropped EXE
        
        PID:2064
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1496 -s 216
        38⤵
        Program crash
        
        PID:2908
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 2328 -s 236
  2⤵
  - Program crash
  PID:2736

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\Unicorn-10212.exe

Filesize
468KB

MD5
c0518bd573220f1626e492c9daef9d5b

SHA1
3bdd101e32d07a3071537a30192a56664cfa080c

SHA256
19a0c5a605794fea982a1479659d6b7784019693c8046a0fb081cc0b9b0e3270

SHA512
b6eb8fdd6510efc3bb819d1a3f9c09d9f7fd5cb886c93dabb050ca189c7db947254e5eeb242df462bd680a29e234491e06f8308f5e82b58dd2be25918c9db6e2

Download Submit
C:\Users\Admin\AppData\Local\Temp\Unicorn-8629.exe

Filesize
468KB

MD5
05ca4c3a6475af3fa7faf64bfca4a28a

SHA1
67e2f7e9d49c1d633e5042496945ae59c1708c5e

SHA256
c3318f4cf0ca2ac3ac5a98c01bad8421121b08893288a18806aa0308293785cc

SHA512
3da2fd9a6fae5f11b77bb0203ee1c8ef20c954568cd265e4fa257b39346b059ae1b52d07d1ddc8d6e88111c1080e665e51a5fc905037f40be502e6c3806ca68c

Download Submit
\Users\Admin\AppData\Local\Temp\Unicorn-11115.exe

Filesize
468KB

MD5
9d13b9dee14863095ea3bbb4a27974c5

SHA1
baa05156fa42ec0915d1ebeaa6a2f4907b2282ad

SHA256
f69e143918ac6aa2237233c772d183ea6c00c072d9db0971f739020a4cf7670e

SHA512
07f9ecc3651f2b0d174a9f343065d47800b5d9b63b0c0f8fd060c5748bf7623ca7736cec0f54a38c5f591110faf0821c67bd46e64790643276b46f70c865fbd0

Download Submit
\Users\Admin\AppData\Local\Temp\Unicorn-14394.exe

Filesize
468KB

MD5
e83e4f402d953dc494c4373508042b5d

SHA1
524455e42b11cc7dd2d43971d889d1750d50dd11

SHA256
a5d8c104c071426323cae42dce45441c2eb4920ac8c70d9ac08bce26f2b385f7

SHA512
ad0a394df20182df44ccb03df199ccf6e0b7811658da7336b7fba10e1e55ff369f7ded7af52e9c25e4db908e8ec9f0ede5bcbf35f4c1d72f3035b63f6c9ce8f2

Download Submit
\Users\Admin\AppData\Local\Temp\Unicorn-16300.exe

Filesize
468KB

MD5
4fd11aecd29ff383d028ac47e3417319

SHA1
751f898bfef1ce247413831707f8745f9bc5870d

SHA256
45dbdf5afe6b09271d5125929ad07dc5f5eb722bb977d4e06a67be726dbad665

SHA512
17244973deb3ccb67cb2f830e5310e32d272dbe17de27f26ec28794ba02eee4c3cbe26d8a773b55c990f1d6ff33478e2a97d0f6c27982077ba01e0b06634c7ff

Download Submit
\Users\Admin\AppData\Local\Temp\Unicorn-23850.exe

Filesize
468KB

MD5
40afdb57431df8f54bf4494c57440a56

SHA1
36c3d469633c08a0e062d27bb68313911cba1cbb

SHA256
1a5074cab230061c26a40e07fbf3157f3de1e116017f1acc2177111f16dda106

SHA512
4db74ce38a2fdc040b7370a7e18d1f12884d34edfec84ce3a2e1204553b20ff888b5dcaafefce2799e87c10a9c87683a1fdbfae3daf76865155545140f5faa6a

Download Submit
\Users\Admin\AppData\Local\Temp\Unicorn-32802.exe

Filesize
468KB

MD5
68795b951ee26ad74af0bc097ee1831c

SHA1
c3ca355f7db6fa2f05497daf011b1e7b2140b535

SHA256
095a726d19816ca68c4c7745640725e390ef876f9dd5165a5e0b0d1bd7d468da

SHA512
f58ec56fd0b326277ce224408c34a8487f2363f904a1c0ae77cc4d5cc00ea217827f04697c74f7fd81b9b8120d5d318e2f4b25945f0ee2c32ab20d5e4de6ab64

Download Submit
\Users\Admin\AppData\Local\Temp\Unicorn-42205.exe

Filesize
468KB

MD5
cbe7542ebfcab654d4a3957c7144ae35

SHA1
aeb76986c94e6bc5cd74b0e5d09f8b4693fa84a6

SHA256
ee0fb53fff72ebd46aa26b0900f4ef3db93b2e166f39845f2a0d73654faba876

SHA512
cc2f827f59e87fe10a6740916422db4df297eb71a3ed838bba274ac3da83c0d6b39a11fb171b9e7a3e6cb68dc587d4cc6552000b5100f0e42f26f29943bba594

Download Submit
\Users\Admin\AppData\Local\Temp\Unicorn-42402.exe

Filesize
468KB

MD5
8548241af41a8ce12e91d6e6f05ea570

SHA1
31fd3a33238d44adda69ca3ce4ac07dd932078f0

SHA256
dedb967b4c83fee175334e76ddc823d20186f9cd13470bf10606df6959df5553

SHA512
ee768ac747950a1e709480b035c06cadb432547a583516a0bda972a02b004fc069043764d64c27773e15a67a002a068f594d44713dd5ac68a78cf211f378d4bd

Download Submit
\Users\Admin\AppData\Local\Temp\Unicorn-42823.exe

Filesize
468KB

MD5
da135ee543d634cdb670cea637d9fdfb

SHA1
8f61bab5bbc99d32465dac7dbdb8a44132d2e085

SHA256
1330d0aecaa8b2493eb34e351d49df55665431ad2a74b8ce78977f5d5cd6c769

SHA512
4c666bac12438c061af454492ce47fa410d64e26c4dbba3ab3734b6df402fd0e27c7e2bb33a205029340d873ab8d38c4082d45aef089208f7b91d4bd93fe7609

Download Submit
\Users\Admin\AppData\Local\Temp\Unicorn-48775.exe

Filesize
468KB

MD5
92d89cd26a341aa3b529efe83f576a24

SHA1
9d4409e51c1c10d312d3ca0e04a550ff44843ea6

SHA256
3a6dc9803d7404c10bac73e3938758ebcda24400c6510e312cb6ff0ce892223d

SHA512
8b122bc2f80dfdabe691815903060091a1ed88d7dc9898c34eb5baf2e2aea3856c02333075e9236c576aef43e40954490e6ee6f7c6be9c32fb5dc09e0499d257

Download Submit
\Users\Admin\AppData\Local\Temp\Unicorn-5126.exe

Filesize
468KB

MD5
eb504fef8a2425feb757f6f67b0aab1c

SHA1
e5100addd85ed48cc541fe415a0e6710345af248

SHA256
a0d26ed361402a7dc7ff4211afa0dd98a5b3a4af8fbde47b1e563ff33d5d2c36

SHA512
69136b91503b923d33373fb587c25f69a66c9e9b48da4ee20fb8221ecd5637901b52b1d99cdf25f9accea5addeefe24f865e8eac6be6348f28b8ff58b15ca960

Download Submit
\Users\Admin\AppData\Local\Temp\Unicorn-63761.exe

Filesize
468KB

MD5
61c6c1cb35b1eef21bf0f0ecad534846

SHA1
8630f34e07122ae7b1f2e27634c56dfe0477c9dc

SHA256
ae851dcb726f6286d116f14ecc8897e06ac02b8ff93f18e52f62f075e63fa2bf

SHA512
e2ef0e82fa6367bfe2d94239ef11bf23bd48d3d338888529cda4ad88bada459f7071ff3d4ec55e6cbaa89724571961d92638dd6e72ec16a9a744a7658b98d709

Download Submit
\Users\Admin\AppData\Local\Temp\Unicorn-710.exe

Filesize
468KB

MD5
a8760d0457736a5ad13320864e889ad3

SHA1
203a33b3ac917cdddc8d532cb958118ecef529ba

SHA256
f93c99439efe65a35366d54e940b312752658cdbd3049383e7b676bf4b38edf9

SHA512
cb8122ca1918deec8ecb6083052b356c6fd77c7e5b194935eac80e7a5ec488f7eed6086a934f8a5a8dd02f23c537a95caa58b10647adb3233bd6491e1a62da8e

Download Submit
\Users\Admin\AppData\Local\Temp\Unicorn-8260.exe

Filesize
468KB

MD5
741758ef02ba198a32f862ea5c772899

SHA1
5eb34e4445de10cd864df800c02b3197d9916f3b

SHA256
2b53715932ece2c9981b2c1910e840568a3a34b5289ef6b21bc75f03bed7e0a5

SHA512
afe9788d341ca798c33a4d36c117a6df82646ae347395a43ba5f2cb1ccd7ee6b1e05ca959eba9c6e8249c529366864b9740bf2342aadd8a431bcbfc46a807df3

Download Submit
\Users\Admin\AppData\Local\Temp\Unicorn-9247.exe

Filesize
468KB

MD5
58e743d6e6696a192434ac27ace17cba

SHA1
1f7d0b1b64806c32f1da9c010d1866983352124a

SHA256
61cf2f6471778fa86549dee7398e896f599e7a4bc4adb40f959b1156198abb3d

SHA512
c6a4c98ab19f85af913baf34b81e505d369c0ce9c035b376efcbfcdc4b0ff7f8938ae5d7974a70ed75ac118e6675cfc483a17240a75415e415999126ff130c2b

Download Submit