6bdc4bbf90aba9d022b06b91db2769e4679599b2aeb41deaac50f49901b7db0c

Analysis

max time kernel
143s
max time network
119s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
30-09-2024 00:24

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ff9217ddc744ccae287f3067a046bd03_JaffaCakes118.exe
Size

188KB
MD5

ff9217ddc744ccae287f3067a046bd03
SHA1

daf024bdf26eb892f33c597ea9fd42bd2306f201
SHA256

6bdc4bbf90aba9d022b06b91db2769e4679599b2aeb41deaac50f49901b7db0c
SHA512

8b35b9502acc6ab6574fb06da52de2280709c5e45637ad3759ec65869a68d96e85da63eab614fcd10ddc88979347a9754873b0c7e1804444cf4c540001eb1f4d
SSDEEP

3072:P0WeokGgCuI+OjTqvwEu7A0aw1JR9WAJOxfvtJO8lv6pFF:P0boelI+wq4Eu7hUvK8lv6pF

Score

7^/10

discovery

Malware Config

Signatures

Executes dropped EXE 64 IoCs

pid	Process
2544	Unicorn-47011.exe
2324	Unicorn-12656.exe
2056	Unicorn-46995.exe
2896	Unicorn-50837.exe
2800	Unicorn-12798.exe
1776	Unicorn-32664.exe
820	Unicorn-59975.exe
272	Unicorn-58662.exe
2504	Unicorn-7686.exe
1892	Unicorn-27552.exe
2704	Unicorn-50966.exe
332	Unicorn-55592.exe
2588	Unicorn-45104.exe
2368	Unicorn-58664.exe
2444	Unicorn-12561.exe
2304	Unicorn-24098.exe
3008	Unicorn-49676.exe
1184	Unicorn-23735.exe
1760	Unicorn-60080.exe
744	Unicorn-34594.exe
3048	Unicorn-49590.exe
1624	Unicorn-52662.exe
2440	Unicorn-45734.exe
2272	Unicorn-14239.exe
1840	Unicorn-15547.exe
2356	Unicorn-24889.exe
1264	Unicorn-59455.exe
1708	Unicorn-39589.exe
2316	Unicorn-50306.exe
2060	Unicorn-4634.exe
2912	Unicorn-48702.exe
2780	Unicorn-28448.exe
2668	Unicorn-50466.exe
1888	Unicorn-19232.exe
2672	Unicorn-38701.exe
1808	Unicorn-31645.exe
2832	Unicorn-34717.exe
1152	Unicorn-47270.exe
2952	Unicorn-1167.exe
1984	Unicorn-18188.exe
1312	Unicorn-28573.exe
1684	Unicorn-24105.exe
3020	Unicorn-21870.exe
1792	Unicorn-47273.exe
3016	Unicorn-64133.exe
1368	Unicorn-58985.exe
604	Unicorn-13313.exe
2336	Unicorn-33044.exe
3028	Unicorn-32503.exe
2516	Unicorn-32067.exe
2268	Unicorn-1568.exe
1052	Unicorn-26447.exe
2900	Unicorn-19255.exe
2616	Unicorn-30966.exe
572	Unicorn-44688.exe
2760	Unicorn-7049.exe
2044	Unicorn-40956.exe
1796	Unicorn-53126.exe
684	Unicorn-24315.exe
680	Unicorn-49141.exe
1632	Unicorn-54678.exe
552	Unicorn-35562.exe
1128	Unicorn-607.exe
2828	Unicorn-12252.exe

Loads dropped DLL 64 IoCs

pid	Process
2532	ff9217ddc744ccae287f3067a046bd03_JaffaCakes118.exe
2532	ff9217ddc744ccae287f3067a046bd03_JaffaCakes118.exe
2544	Unicorn-47011.exe
2544	Unicorn-47011.exe
2532	ff9217ddc744ccae287f3067a046bd03_JaffaCakes118.exe
2532	ff9217ddc744ccae287f3067a046bd03_JaffaCakes118.exe
2056	Unicorn-46995.exe
2056	Unicorn-46995.exe
2544	Unicorn-47011.exe
2544	Unicorn-47011.exe
2324	Unicorn-12656.exe
2324	Unicorn-12656.exe
2776	WerFault.exe
2776	WerFault.exe
2776	WerFault.exe
2776	WerFault.exe
2776	WerFault.exe
2776	WerFault.exe
2776	WerFault.exe
2776	WerFault.exe
2776	WerFault.exe
2800	Unicorn-12798.exe
2800	Unicorn-12798.exe
2896	Unicorn-50837.exe
2896	Unicorn-50837.exe
2056	Unicorn-46995.exe
2056	Unicorn-46995.exe
1776	Unicorn-32664.exe
1776	Unicorn-32664.exe
2324	Unicorn-12656.exe
2324	Unicorn-12656.exe
2964	WerFault.exe
2964	WerFault.exe
2964	WerFault.exe
2964	WerFault.exe
2964	WerFault.exe
2964	WerFault.exe
2964	WerFault.exe
2964	WerFault.exe
2960	WerFault.exe
2960	WerFault.exe
2960	WerFault.exe
2960	WerFault.exe
2960	WerFault.exe
2960	WerFault.exe
2960	WerFault.exe
2960	WerFault.exe
2964	WerFault.exe
2960	WerFault.exe
820	Unicorn-59975.exe
820	Unicorn-59975.exe
2800	Unicorn-12798.exe
2800	Unicorn-12798.exe
272	Unicorn-58662.exe
272	Unicorn-58662.exe
2896	Unicorn-50837.exe
2896	Unicorn-50837.exe
2704	Unicorn-50966.exe
2704	Unicorn-50966.exe
1776	Unicorn-32664.exe
1776	Unicorn-32664.exe
2504	Unicorn-7686.exe
2504	Unicorn-7686.exe
1500	WerFault.exe

Program crash 64 IoCs

pid	pid_target	Process	procid_target
2892	2532	WerFault.exe	29
2776	2544	WerFault.exe	30
2964	2056	WerFault.exe	31
2960	2324	WerFault.exe	32
1500	2800	WerFault.exe	35
2224	2896	WerFault.exe	34
2252	1776	WerFault.exe	36
2888	820	WerFault.exe	38
2724	272	WerFault.exe	39
2628	2704	WerFault.exe	42
2744	1892	WerFault.exe	41
2332	2504	WerFault.exe	40
2560	332	WerFault.exe	45
652	2588	WerFault.exe	46
352	2368	WerFault.exe	47
2076	1184	WerFault.exe	51
2748	3008	WerFault.exe	50
1804	2444	WerFault.exe	48
2840	2304	WerFault.exe	49
2792	3016	WerFault.exe	87
1900	2272	WerFault.exe	61
1232	3048	WerFault.exe	58
1988	1840	WerFault.exe	62
1784	744	WerFault.exe	56
2240	1264	WerFault.exe	65
2500	2912	WerFault.exe	70
2804	1984	WerFault.exe	82
852	1312	WerFault.exe	83
1272	1760	WerFault.exe	54
1816	2952	WerFault.exe	81
2824	2672	WerFault.exe	77
2812	1888	WerFault.exe	76
3060	2668	WerFault.exe	74
3080	1152	WerFault.exe	80
3112	2060	WerFault.exe	67
3140	2356	WerFault.exe	63
3204	2336	WerFault.exe	90
3236	2440	WerFault.exe	60
3284	1624	WerFault.exe	59
3292	2316	WerFault.exe	66
3372	3020	WerFault.exe	85
3400	1708	WerFault.exe	64
3456	1792	WerFault.exe	86
3496	3028	WerFault.exe	91
3548	604	WerFault.exe	89
3556	1368	WerFault.exe	88
3720	2780	WerFault.exe	73
3944	2900	WerFault.exe	100
4060	2760	WerFault.exe	104
4080	684	WerFault.exe	108
4088	1808	WerFault.exe	78
3092	1684	WerFault.exe	84
3200	552	WerFault.exe	111
3244	1796	WerFault.exe	107
3268	680	WerFault.exe	109
3396	2616	WerFault.exe	101
3504	2832	WerFault.exe	79
3564	2516	WerFault.exe	95
3804	2044	WerFault.exe	106
4008	572	WerFault.exe	103
3272	2268	WerFault.exe	96
3712	1632	WerFault.exe	110
3908	1128	WerFault.exe	112
4036	1052	WerFault.exe	98

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Unicorn-20084.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Unicorn-20084.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Unicorn-12045.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Unicorn-53126.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Unicorn-52466.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Unicorn-60512.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Unicorn-20084.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Unicorn-59975.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Unicorn-20626.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Unicorn-40921.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Unicorn-12045.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Unicorn-11204.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Unicorn-62921.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Unicorn-30748.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Unicorn-20084.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Unicorn-50837.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Unicorn-24889.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Unicorn-59455.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Unicorn-18188.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Unicorn-42641.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Unicorn-26447.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Unicorn-54678.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Unicorn-3011.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Unicorn-21076.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Unicorn-14239.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Unicorn-23918.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Unicorn-29549.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Unicorn-52678.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Unicorn-13288.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Unicorn-55429.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Unicorn-12045.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Unicorn-58501.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Unicorn-58662.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Unicorn-34717.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Unicorn-60333.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Unicorn-52293.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Unicorn-52466.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Unicorn-3591.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Unicorn-47094.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Unicorn-12045.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Unicorn-49590.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Unicorn-31645.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Unicorn-19255.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Unicorn-159.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Unicorn-12045.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Unicorn-35786.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Unicorn-12656.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Unicorn-32664.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Unicorn-159.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Unicorn-8320.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Unicorn-52662.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Unicorn-21870.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Unicorn-1853.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Unicorn-45831.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Unicorn-62386.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Unicorn-38765.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Unicorn-41194.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Unicorn-12045.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Unicorn-12045.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Unicorn-62921.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Unicorn-37527.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Unicorn-60337.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Unicorn-4537.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Unicorn-23735.exe

Suspicious use of SetWindowsHookEx 64 IoCs

pid	Process
2532	ff9217ddc744ccae287f3067a046bd03_JaffaCakes118.exe
2544	Unicorn-47011.exe
2056	Unicorn-46995.exe
2324	Unicorn-12656.exe
2896	Unicorn-50837.exe
2800	Unicorn-12798.exe
1776	Unicorn-32664.exe
820	Unicorn-59975.exe
272	Unicorn-58662.exe
1892	Unicorn-27552.exe
2504	Unicorn-7686.exe
2704	Unicorn-50966.exe
332	Unicorn-55592.exe
2588	Unicorn-45104.exe
2368	Unicorn-58664.exe
2444	Unicorn-12561.exe
2304	Unicorn-24098.exe
3008	Unicorn-49676.exe
1184	Unicorn-23735.exe
1760	Unicorn-60080.exe
744	Unicorn-34594.exe
3048	Unicorn-49590.exe
1624	Unicorn-52662.exe
2272	Unicorn-14239.exe
2440	Unicorn-45734.exe
1840	Unicorn-15547.exe
2356	Unicorn-24889.exe
1264	Unicorn-59455.exe
1708	Unicorn-39589.exe
2316	Unicorn-50306.exe
2060	Unicorn-4634.exe
2912	Unicorn-48702.exe
2780	Unicorn-28448.exe
2668	Unicorn-50466.exe
1888	Unicorn-19232.exe
2672	Unicorn-38701.exe
1808	Unicorn-31645.exe
2832	Unicorn-34717.exe
1152	Unicorn-47270.exe
2952	Unicorn-1167.exe
1984	Unicorn-18188.exe
1684	Unicorn-24105.exe
1312	Unicorn-28573.exe
3020	Unicorn-21870.exe
1792	Unicorn-47273.exe
3016	Unicorn-64133.exe
1368	Unicorn-58985.exe
604	Unicorn-13313.exe
2336	Unicorn-33044.exe
3028	Unicorn-32503.exe
2516	Unicorn-32067.exe
2268	Unicorn-1568.exe
1052	Unicorn-26447.exe
2900	Unicorn-19255.exe
2616	Unicorn-30966.exe
572	Unicorn-44688.exe
2760	Unicorn-7049.exe
2044	Unicorn-40956.exe
1796	Unicorn-53126.exe
684	Unicorn-24315.exe
680	Unicorn-49141.exe
1632	Unicorn-54678.exe
552	Unicorn-35562.exe
1128	Unicorn-607.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2532 wrote to memory of 2544	2532	ff9217ddc744ccae287f3067a046bd03_JaffaCakes118.exe	30
PID 2532 wrote to memory of 2544	2532	ff9217ddc744ccae287f3067a046bd03_JaffaCakes118.exe	30
PID 2532 wrote to memory of 2544	2532	ff9217ddc744ccae287f3067a046bd03_JaffaCakes118.exe	30
PID 2532 wrote to memory of 2544	2532	ff9217ddc744ccae287f3067a046bd03_JaffaCakes118.exe	30
PID 2532 wrote to memory of 2324	2532	ff9217ddc744ccae287f3067a046bd03_JaffaCakes118.exe	32
PID 2532 wrote to memory of 2324	2532	ff9217ddc744ccae287f3067a046bd03_JaffaCakes118.exe	32
PID 2532 wrote to memory of 2324	2532	ff9217ddc744ccae287f3067a046bd03_JaffaCakes118.exe	32
PID 2532 wrote to memory of 2324	2532	ff9217ddc744ccae287f3067a046bd03_JaffaCakes118.exe	32
PID 2544 wrote to memory of 2056	2544	Unicorn-47011.exe	31
PID 2544 wrote to memory of 2056	2544	Unicorn-47011.exe	31
PID 2544 wrote to memory of 2056	2544	Unicorn-47011.exe	31
PID 2544 wrote to memory of 2056	2544	Unicorn-47011.exe	31
PID 2532 wrote to memory of 2892	2532	ff9217ddc744ccae287f3067a046bd03_JaffaCakes118.exe	33
PID 2532 wrote to memory of 2892	2532	ff9217ddc744ccae287f3067a046bd03_JaffaCakes118.exe	33
PID 2532 wrote to memory of 2892	2532	ff9217ddc744ccae287f3067a046bd03_JaffaCakes118.exe	33
PID 2532 wrote to memory of 2892	2532	ff9217ddc744ccae287f3067a046bd03_JaffaCakes118.exe	33
PID 2056 wrote to memory of 2896	2056	Unicorn-46995.exe	34
PID 2056 wrote to memory of 2896	2056	Unicorn-46995.exe	34
PID 2056 wrote to memory of 2896	2056	Unicorn-46995.exe	34
PID 2056 wrote to memory of 2896	2056	Unicorn-46995.exe	34
PID 2544 wrote to memory of 2800	2544	Unicorn-47011.exe	35
PID 2544 wrote to memory of 2800	2544	Unicorn-47011.exe	35
PID 2544 wrote to memory of 2800	2544	Unicorn-47011.exe	35
PID 2544 wrote to memory of 2800	2544	Unicorn-47011.exe	35
PID 2324 wrote to memory of 1776	2324	Unicorn-12656.exe	36
PID 2324 wrote to memory of 1776	2324	Unicorn-12656.exe	36
PID 2324 wrote to memory of 1776	2324	Unicorn-12656.exe	36
PID 2324 wrote to memory of 1776	2324	Unicorn-12656.exe	36
PID 2544 wrote to memory of 2776	2544	Unicorn-47011.exe	37
PID 2544 wrote to memory of 2776	2544	Unicorn-47011.exe	37
PID 2544 wrote to memory of 2776	2544	Unicorn-47011.exe	37
PID 2544 wrote to memory of 2776	2544	Unicorn-47011.exe	37
PID 2800 wrote to memory of 820	2800	Unicorn-12798.exe	38
PID 2800 wrote to memory of 820	2800	Unicorn-12798.exe	38
PID 2800 wrote to memory of 820	2800	Unicorn-12798.exe	38
PID 2800 wrote to memory of 820	2800	Unicorn-12798.exe	38
PID 2896 wrote to memory of 272	2896	Unicorn-50837.exe	39
PID 2896 wrote to memory of 272	2896	Unicorn-50837.exe	39
PID 2896 wrote to memory of 272	2896	Unicorn-50837.exe	39
PID 2896 wrote to memory of 272	2896	Unicorn-50837.exe	39
PID 2056 wrote to memory of 2504	2056	Unicorn-46995.exe	40
PID 2056 wrote to memory of 2504	2056	Unicorn-46995.exe	40
PID 2056 wrote to memory of 2504	2056	Unicorn-46995.exe	40
PID 2056 wrote to memory of 2504	2056	Unicorn-46995.exe	40
PID 1776 wrote to memory of 1892	1776	Unicorn-32664.exe	41
PID 1776 wrote to memory of 1892	1776	Unicorn-32664.exe	41
PID 1776 wrote to memory of 1892	1776	Unicorn-32664.exe	41
PID 1776 wrote to memory of 1892	1776	Unicorn-32664.exe	41
PID 2324 wrote to memory of 2704	2324	Unicorn-12656.exe	42
PID 2324 wrote to memory of 2704	2324	Unicorn-12656.exe	42
PID 2324 wrote to memory of 2704	2324	Unicorn-12656.exe	42
PID 2324 wrote to memory of 2704	2324	Unicorn-12656.exe	42
PID 2056 wrote to memory of 2964	2056	Unicorn-46995.exe	43
PID 2056 wrote to memory of 2964	2056	Unicorn-46995.exe	43
PID 2056 wrote to memory of 2964	2056	Unicorn-46995.exe	43
PID 2056 wrote to memory of 2964	2056	Unicorn-46995.exe	43
PID 2324 wrote to memory of 2960	2324	Unicorn-12656.exe	44
PID 2324 wrote to memory of 2960	2324	Unicorn-12656.exe	44
PID 2324 wrote to memory of 2960	2324	Unicorn-12656.exe	44
PID 2324 wrote to memory of 2960	2324	Unicorn-12656.exe	44
PID 820 wrote to memory of 332	820	Unicorn-59975.exe	45
PID 820 wrote to memory of 332	820	Unicorn-59975.exe	45
PID 820 wrote to memory of 332	820	Unicorn-59975.exe	45
PID 820 wrote to memory of 332	820	Unicorn-59975.exe	45

C:\Users\Admin\AppData\Local\Temp\ff9217ddc744ccae287f3067a046bd03_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\ff9217ddc744ccae287f3067a046bd03_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2532
- C:\Users\Admin\AppData\Local\Temp\Unicorn-47011.exe
  C:\Users\Admin\AppData\Local\Temp\Unicorn-47011.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2544
- - C:\Users\Admin\AppData\Local\Temp\Unicorn-46995.exe
    C:\Users\Admin\AppData\Local\Temp\Unicorn-46995.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:2056
  - - C:\Users\Admin\AppData\Local\Temp\Unicorn-50837.exe
      C:\Users\Admin\AppData\Local\Temp\Unicorn-50837.exe
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      System Location Discovery: System Language Discovery
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:2896
    - - C:\Users\Admin\AppData\Local\Temp\Unicorn-58662.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-58662.exe
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:272
      - C:\Users\Admin\AppData\Local\Temp\Unicorn-58664.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-58664.exe
        6⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2368
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-52662.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-52662.exe
        7⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:1624
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-19232.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-19232.exe
        8⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1888
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-12252.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-12252.exe
        9⤵
        Executes dropped EXE
        
        PID:2828
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-52466.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-52466.exe
        10⤵
        System Location Discovery: System Language Discovery
        
        PID:3336
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-60337.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-60337.exe
        11⤵
        System Location Discovery: System Language Discovery
        
        PID:4824
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-12045.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-12045.exe
        12⤵
        System Location Discovery: System Language Discovery
        
        PID:6672
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4824 -s 236
        12⤵
        
        PID:6872
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3336 -s 236
        11⤵
        
        PID:4608
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2828 -s 216
        10⤵
        
        PID:4000
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1888 -s 236
        9⤵
        Program crash
        
        PID:2812
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-34514.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-34514.exe
        8⤵
        
        PID:564
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-23698.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-23698.exe
        9⤵
        
        PID:3820
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-20084.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-20084.exe
        10⤵
        System Location Discovery: System Language Discovery
        
        PID:4244
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-12045.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-12045.exe
        11⤵
        
        PID:6664
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4244 -s 216
        11⤵
        
        PID:4404
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3820 -s 216
        10⤵
        
        PID:5860
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 564 -s 236
        9⤵
        
        PID:4140
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1624 -s 240
        8⤵
        Program crash
        
        PID:3284
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-38701.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-38701.exe
        7⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2672
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-607.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-607.exe
        8⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1128
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-11267.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-11267.exe
        9⤵
        
        PID:3260
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-60337.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-60337.exe
        10⤵
        
        PID:4816
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-12045.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-12045.exe
        11⤵
        
        PID:6768
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4816 -s 236
        11⤵
        
        PID:6912
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3260 -s 216
        10⤵
        
        PID:4776
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1128 -s 236
        9⤵
        Program crash
        
        PID:3908
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2672 -s 236
        8⤵
        Program crash
        
        PID:2824
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2368 -s 240
        7⤵
        Program crash
        
        PID:352
      - C:\Users\Admin\AppData\Local\Temp\Unicorn-14239.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-14239.exe
        6⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2272
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-31645.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-31645.exe
        7⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:1808
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-7049.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-7049.exe
        8⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2760
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-23918.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-23918.exe
        9⤵
        System Location Discovery: System Language Discovery
        
        PID:2568
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-47862.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-47862.exe
        10⤵
        
        PID:3840
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-20084.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-20084.exe
        11⤵
        System Location Discovery: System Language Discovery
        
        PID:4348
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-12045.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-12045.exe
        12⤵
        System Location Discovery: System Language Discovery
        
        PID:6752
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4348 -s 236
        12⤵
        
        PID:6928
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3840 -s 216
        11⤵
        
        PID:5776
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2568 -s 216
        10⤵
        
        PID:4524
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2760 -s 236
        9⤵
        Program crash
        
        PID:4060
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-62921.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-62921.exe
        8⤵
        System Location Discovery: System Language Discovery
        
        PID:1572
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-38765.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-38765.exe
        9⤵
        System Location Discovery: System Language Discovery
        
        PID:3928
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-55762.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-55762.exe
        10⤵
        
        PID:5172
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-21093.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-21093.exe
        11⤵
        
        PID:7060
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 5172 -s 236
        11⤵
        
        PID:7032
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3928 -s 216
        10⤵
        
        PID:5252
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1572 -s 216
        9⤵
        
        PID:4572
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1808 -s 240
        8⤵
        Program crash
        
        PID:4088
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-53126.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-53126.exe
        7⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:1796
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-44975.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-44975.exe
        8⤵
        
        PID:1712
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-50410.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-50410.exe
        9⤵
        
        PID:3184
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-46546.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-46546.exe
        10⤵
        
        PID:5204
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-62386.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-62386.exe
        11⤵
        System Location Discovery: System Language Discovery
        
        PID:6980
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 5204 -s 216
        11⤵
        
        PID:6992
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3184 -s 216
        10⤵
        
        PID:5160
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1712 -s 216
        9⤵
        
        PID:4628
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1796 -s 236
        8⤵
        Program crash
        
        PID:3244
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2272 -s 240
        7⤵
        Program crash
        
        PID:1900
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 272 -s 240
        6⤵
        Program crash
        
        PID:2724
    - - C:\Users\Admin\AppData\Local\Temp\Unicorn-12561.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-12561.exe
        5⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2444
      - C:\Users\Admin\AppData\Local\Temp\Unicorn-15547.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-15547.exe
        6⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1840
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-13313.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-13313.exe
        7⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:604
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-60333.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-60333.exe
        8⤵
        System Location Discovery: System Language Discovery
        
        PID:2976
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-30699.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-30699.exe
        9⤵
        
        PID:4016
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-52678.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-52678.exe
        10⤵
        System Location Discovery: System Language Discovery
        
        PID:4620
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-12045.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-12045.exe
        11⤵
        System Location Discovery: System Language Discovery
        
        PID:6744
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4620 -s 216
        11⤵
        
        PID:7000
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4016 -s 216
        10⤵
        
        PID:5832
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2976 -s 216
        9⤵
        
        PID:4268
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 604 -s 236
        8⤵
        Program crash
        
        PID:3548
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1840 -s 236
        7⤵
        Program crash
        
        PID:1988
      - C:\Users\Admin\AppData\Local\Temp\Unicorn-32503.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-32503.exe
        6⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:3028
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-5429.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-5429.exe
        7⤵
        
        PID:1508
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-12385.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-12385.exe
        8⤵
        
        PID:3988
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-20084.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-20084.exe
        9⤵
        
        PID:4320
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-12045.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-12045.exe
        10⤵
        
        PID:6736
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4320 -s 216
        10⤵
        
        PID:6920
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3988 -s 216
        9⤵
        
        PID:5808
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1508 -s 216
        8⤵
        
        PID:4296
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3028 -s 236
        7⤵
        Program crash
        
        PID:3496
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2444 -s 240
        6⤵
        Program crash
        
        PID:1804
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2896 -s 240
        5⤵
        Program crash
        
        PID:2224
  - - C:\Users\Admin\AppData\Local\Temp\Unicorn-7686.exe
      C:\Users\Admin\AppData\Local\Temp\Unicorn-7686.exe
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Suspicious use of SetWindowsHookEx
      PID:2504
    - - C:\Users\Admin\AppData\Local\Temp\Unicorn-23735.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-23735.exe
        5⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:1184
      - C:\Users\Admin\AppData\Local\Temp\Unicorn-59455.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-59455.exe
        6⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:1264
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-28573.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-28573.exe
        7⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1312
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-44688.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-44688.exe
        8⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:572
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-60266.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-60266.exe
        9⤵
        
        PID:2016
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-55982.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-55982.exe
        10⤵
        
        PID:4056
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-816.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-816.exe
        11⤵
        
        PID:2548
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-12045.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-12045.exe
        12⤵
        
        PID:6804
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2548 -s 216
        12⤵
        
        PID:4396
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4056 -s 216
        11⤵
        
        PID:5228
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2016 -s 236
        10⤵
        
        PID:4900
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 572 -s 236
        9⤵
        Program crash
        
        PID:4008
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1312 -s 216
        8⤵
        Program crash
        
        PID:852
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-40956.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-40956.exe
        7⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2044
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-40697.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-40697.exe
        8⤵
        
        PID:536
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-24905.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-24905.exe
        9⤵
        
        PID:3996
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-35756.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-35756.exe
        10⤵
        
        PID:5548
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-28014.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-28014.exe
        11⤵
        
        PID:3304
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 5548 -s 236
        11⤵
        
        PID:7264
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3996 -s 216
        10⤵
        
        PID:5284
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 536 -s 216
        9⤵
        
        PID:4892
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2044 -s 236
        8⤵
        Program crash
        
        PID:3804
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1264 -s 240
        7⤵
        Program crash
        
        PID:2240
      - C:\Users\Admin\AppData\Local\Temp\Unicorn-21870.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-21870.exe
        6⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:3020
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-11204.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-11204.exe
        7⤵
        System Location Discovery: System Language Discovery
        
        PID:2376
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-55788.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-55788.exe
        8⤵
        
        PID:3740
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-16826.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-16826.exe
        9⤵
        
        PID:4796
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-12045.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-12045.exe
        10⤵
        System Location Discovery: System Language Discovery
        
        PID:6688
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4796 -s 236
        10⤵
        
        PID:6888
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3740 -s 236
        9⤵
        
        PID:5192
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2376 -s 216
        8⤵
        
        PID:4464
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3020 -s 236
        7⤵
        Program crash
        
        PID:3372
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1184 -s 240
        6⤵
        Program crash
        
        PID:2076
    - - C:\Users\Admin\AppData\Local\Temp\Unicorn-50306.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-50306.exe
        5⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2316
      - C:\Users\Admin\AppData\Local\Temp\Unicorn-64133.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-64133.exe
        6⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:3016
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3016 -s 240
        7⤵
        Program crash
        
        PID:2792
      - C:\Users\Admin\AppData\Local\Temp\Unicorn-1853.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-1853.exe
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:1880
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-38939.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-38939.exe
        7⤵
        
        PID:3780
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-20084.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-20084.exe
        8⤵
        
        PID:4420
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-12045.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-12045.exe
        9⤵
        
        PID:6656
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4420 -s 236
        9⤵
        
        PID:7052
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3780 -s 216
        8⤵
        
        PID:5784
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1880 -s 216
        7⤵
        
        PID:4104
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2316 -s 220
        6⤵
        Program crash
        
        PID:3292
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2504 -s 240
        5⤵
        Program crash
        
        PID:2332
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 2056 -s 240
      4⤵
      Loads dropped DLL
      Program crash
      PID:2964
- - C:\Users\Admin\AppData\Local\Temp\Unicorn-12798.exe
    C:\Users\Admin\AppData\Local\Temp\Unicorn-12798.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:2800
  - - C:\Users\Admin\AppData\Local\Temp\Unicorn-59975.exe
      C:\Users\Admin\AppData\Local\Temp\Unicorn-59975.exe
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      System Location Discovery: System Language Discovery
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:820
    - - C:\Users\Admin\AppData\Local\Temp\Unicorn-55592.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-55592.exe
        5⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:332
      - C:\Users\Admin\AppData\Local\Temp\Unicorn-60080.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-60080.exe
        6⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1760
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-48702.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-48702.exe
        7⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2912
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-32067.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-32067.exe
        8⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2516
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-159.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-159.exe
        9⤵
        
        PID:1736
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-41194.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-41194.exe
        10⤵
        System Location Discovery: System Language Discovery
        
        PID:3356
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-47094.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-47094.exe
        11⤵
        System Location Discovery: System Language Discovery
        
        PID:5392
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-55429.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-55429.exe
        12⤵
        System Location Discovery: System Language Discovery
        
        PID:6812
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 5392 -s 216
        12⤵
        
        PID:4440
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3356 -s 236
        11⤵
        
        PID:5244
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1736 -s 216
        10⤵
        
        PID:4688
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2516 -s 236
        9⤵
        Program crash
        
        PID:3564
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2912 -s 236
        8⤵
        Program crash
        
        PID:2500
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-1568.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-1568.exe
        7⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2268
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-60391.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-60391.exe
        8⤵
        
        PID:576
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-6019.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-6019.exe
        9⤵
        
        PID:3760
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-8320.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-8320.exe
        10⤵
        System Location Discovery: System Language Discovery
        
        PID:5752
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-28014.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-28014.exe
        11⤵
        
        PID:3176
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 5752 -s 216
        11⤵
        
        PID:7256
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3760 -s 236
        10⤵
        
        PID:5124
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 576 -s 236
        9⤵
        
        PID:4704
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2268 -s 236
        8⤵
        Program crash
        
        PID:3272
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1760 -s 220
        7⤵
        Program crash
        
        PID:1272
      - C:\Users\Admin\AppData\Local\Temp\Unicorn-50466.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-50466.exe
        6⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2668
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-26447.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-26447.exe
        7⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:1052
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-52466.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-52466.exe
        8⤵
        System Location Discovery: System Language Discovery
        
        PID:3360
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-40921.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-40921.exe
        9⤵
        
        PID:3956
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-20071.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-20071.exe
        10⤵
        
        PID:6240
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3956 -s 216
        10⤵
        
        PID:6504
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3360 -s 216
        9⤵
        
        PID:4920
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1052 -s 236
        8⤵
        Program crash
        
        PID:4036
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2668 -s 236
        7⤵
        Program crash
        
        PID:3060
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 332 -s 240
        6⤵
        Program crash
        
        PID:2560
    - - C:\Users\Admin\AppData\Local\Temp\Unicorn-34594.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-34594.exe
        5⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:744
      - C:\Users\Admin\AppData\Local\Temp\Unicorn-28448.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-28448.exe
        6⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2780
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-19255.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-19255.exe
        7⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2900
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-159.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-159.exe
        8⤵
        System Location Discovery: System Language Discovery
        
        PID:812
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-37527.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-37527.exe
        9⤵
        System Location Discovery: System Language Discovery
        
        PID:3700
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-12580.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-12580.exe
        10⤵
        
        PID:5044
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-12045.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-12045.exe
        11⤵
        
        PID:6644
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 5044 -s 216
        11⤵
        
        PID:3632
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3700 -s 216
        10⤵
        
        PID:5216
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 812 -s 236
        9⤵
        
        PID:4472
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2900 -s 216
        8⤵
        Program crash
        
        PID:3944
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-45831.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-45831.exe
        7⤵
        System Location Discovery: System Language Discovery
        
        PID:1120
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-3011.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-3011.exe
        8⤵
        System Location Discovery: System Language Discovery
        
        PID:3300
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-42641.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-42641.exe
        9⤵
        System Location Discovery: System Language Discovery
        
        PID:5080
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-47668.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-47668.exe
        10⤵
        
        PID:6368
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 5080 -s 236
        10⤵
        
        PID:7004
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3300 -s 216
        9⤵
        
        PID:5144
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1120 -s 236
        8⤵
        
        PID:4408
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2780 -s 240
        7⤵
        Program crash
        
        PID:3720
      - C:\Users\Admin\AppData\Local\Temp\Unicorn-30966.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-30966.exe
        6⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2616
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-159.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-159.exe
        7⤵
        
        PID:2708
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-44790.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-44790.exe
        8⤵
        
        PID:3428
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-7895.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-7895.exe
        9⤵
        
        PID:5256
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-15482.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-15482.exe
        10⤵
        
        PID:6232
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 5256 -s 236
        10⤵
        
        PID:7248
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3428 -s 216
        9⤵
        
        PID:5184
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2708 -s 216
        8⤵
        
        PID:4664
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2616 -s 216
        7⤵
        Program crash
        
        PID:3396
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 744 -s 240
        6⤵
        Program crash
        
        PID:1784
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 820 -s 240
        5⤵
        Program crash
        
        PID:2888
  - - C:\Users\Admin\AppData\Local\Temp\Unicorn-45104.exe
      C:\Users\Admin\AppData\Local\Temp\Unicorn-45104.exe
      4⤵
      Executes dropped EXE
      Suspicious use of SetWindowsHookEx
      PID:2588
    - - C:\Users\Admin\AppData\Local\Temp\Unicorn-49590.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-49590.exe
        5⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:3048
      - C:\Users\Admin\AppData\Local\Temp\Unicorn-34717.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-34717.exe
        6⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2832
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-49141.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-49141.exe
        7⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:680
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-159.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-159.exe
        8⤵
        System Location Discovery: System Language Discovery
        
        PID:2028
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-29549.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-29549.exe
        9⤵
        System Location Discovery: System Language Discovery
        
        PID:3120
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-20084.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-20084.exe
        10⤵
        System Location Discovery: System Language Discovery
        
        PID:4356
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-12045.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-12045.exe
        11⤵
        System Location Discovery: System Language Discovery
        
        PID:6696
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4356 -s 216
        11⤵
        
        PID:6848
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3120 -s 216
        10⤵
        
        PID:5792
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2028 -s 216
        9⤵
        
        PID:4612
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 680 -s 236
        8⤵
        Program crash
        
        PID:3268
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-45831.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-45831.exe
        7⤵
        
        PID:1608
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-44266.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-44266.exe
        8⤵
        
        PID:3764
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-1650.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-1650.exe
        9⤵
        
        PID:5332
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-35786.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-35786.exe
        10⤵
        System Location Discovery: System Language Discovery
        
        PID:7024
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 5332 -s 216
        10⤵
        
        PID:7036
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3764 -s 216
        9⤵
        
        PID:5180
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1608 -s 216
        8⤵
        
        PID:4736
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2832 -s 240
        7⤵
        Program crash
        
        PID:3504
      - C:\Users\Admin\AppData\Local\Temp\Unicorn-35562.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-35562.exe
        6⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:552
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-17774.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-17774.exe
        7⤵
        
        PID:1592
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-3591.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-3591.exe
        8⤵
        System Location Discovery: System Language Discovery
        
        PID:4028
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-4537.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-4537.exe
        9⤵
        System Location Discovery: System Language Discovery
        
        PID:5040
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-58501.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-58501.exe
        10⤵
        System Location Discovery: System Language Discovery
        
        PID:6852
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 5040 -s 236
        10⤵
        
        PID:6968
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4028 -s 216
        9⤵
        
        PID:5212
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1592 -s 216
        8⤵
        
        PID:4600
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 552 -s 236
        7⤵
        Program crash
        
        PID:3200
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3048 -s 240
        6⤵
        Program crash
        
        PID:1232
    - - C:\Users\Admin\AppData\Local\Temp\Unicorn-1167.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-1167.exe
        5⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2952
      - C:\Users\Admin\AppData\Local\Temp\Unicorn-54678.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-54678.exe
        6⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:1632
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-30748.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-30748.exe
        7⤵
        System Location Discovery: System Language Discovery
        
        PID:3164
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-40921.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-40921.exe
        8⤵
        System Location Discovery: System Language Discovery
        
        PID:3148
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-353.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-353.exe
        9⤵
        
        PID:6332
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3148 -s 216
        9⤵
        
        PID:6880
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3164 -s 236
        8⤵
        
        PID:4176
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1632 -s 236
        7⤵
        Program crash
        
        PID:3712
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2952 -s 236
        6⤵
        Program crash
        
        PID:1816
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2588 -s 240
        5⤵
        Program crash
        
        PID:652
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 2800 -s 240
      4⤵
      Loads dropped DLL
      Program crash
      PID:1500
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2544 -s 240
    3⤵
    - Loads dropped DLL
    - Program crash
    PID:2776
- C:\Users\Admin\AppData\Local\Temp\Unicorn-12656.exe
  C:\Users\Admin\AppData\Local\Temp\Unicorn-12656.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2324
- - C:\Users\Admin\AppData\Local\Temp\Unicorn-32664.exe
    C:\Users\Admin\AppData\Local\Temp\Unicorn-32664.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:1776
  - - C:\Users\Admin\AppData\Local\Temp\Unicorn-27552.exe
      C:\Users\Admin\AppData\Local\Temp\Unicorn-27552.exe
      4⤵
      Executes dropped EXE
      Suspicious use of SetWindowsHookEx
      PID:1892
    - - C:\Users\Admin\AppData\Local\Temp\Unicorn-45734.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-45734.exe
        5⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2440
      - C:\Users\Admin\AppData\Local\Temp\Unicorn-33044.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-33044.exe
        6⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2336
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-54380.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-54380.exe
        7⤵
        
        PID:2180
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-9888.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-9888.exe
        8⤵
        
        PID:3692
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-20084.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-20084.exe
        9⤵
        
        PID:4332
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-12045.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-12045.exe
        10⤵
        
        PID:6720
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4332 -s 216
        10⤵
        
        PID:6948
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3692 -s 236
        9⤵
        
        PID:5840
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2180 -s 236
        8⤵
        
        PID:4112
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2336 -s 216
        7⤵
        Program crash
        
        PID:3204
      - C:\Users\Admin\AppData\Local\Temp\Unicorn-5973.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-5973.exe
        6⤵
        
        PID:888
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-20626.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-20626.exe
        7⤵
        System Location Discovery: System Language Discovery
        
        PID:3748
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-20084.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-20084.exe
        8⤵
        
        PID:4196
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-12045.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-12045.exe
        9⤵
        
        PID:6728
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4196 -s 216
        9⤵
        
        PID:6960
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3748 -s 216
        8⤵
        
        PID:5816
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 888 -s 236
        7⤵
        
        PID:4132
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2440 -s 240
        6⤵
        Program crash
        
        PID:3236
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1892 -s 236
        5⤵
        Program crash
        
        PID:2744
  - - C:\Users\Admin\AppData\Local\Temp\Unicorn-49676.exe
      C:\Users\Admin\AppData\Local\Temp\Unicorn-49676.exe
      4⤵
      Executes dropped EXE
      Suspicious use of SetWindowsHookEx
      PID:3008
    - - C:\Users\Admin\AppData\Local\Temp\Unicorn-4634.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-4634.exe
        5⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2060
      - C:\Users\Admin\AppData\Local\Temp\Unicorn-47270.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-47270.exe
        6⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1152
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-12252.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-12252.exe
        7⤵
        
        PID:1320
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-52293.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-52293.exe
        8⤵
        System Location Discovery: System Language Discovery
        
        PID:3516
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-13288.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-13288.exe
        9⤵
        System Location Discovery: System Language Discovery
        
        PID:4972
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-12045.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-12045.exe
        10⤵
        
        PID:6712
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4972 -s 236
        10⤵
        
        PID:6940
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3516 -s 236
        9⤵
        
        PID:5432
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1320 -s 236
        8⤵
        
        PID:3728
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1152 -s 236
        7⤵
        Program crash
        
        PID:3080
      - C:\Users\Admin\AppData\Local\Temp\Unicorn-33990.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-33990.exe
        6⤵
        
        PID:1764
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-31676.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-31676.exe
        7⤵
        
        PID:3584
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-7144.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-7144.exe
        8⤵
        
        PID:5032
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-12045.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-12045.exe
        9⤵
        
        PID:6704
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 5032 -s 216
        9⤵
        
        PID:6892
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3584 -s 216
        8⤵
        
        PID:5456
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1764 -s 236
        7⤵
        
        PID:3524
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2060 -s 240
        6⤵
        Program crash
        
        PID:3112
    - - C:\Users\Admin\AppData\Local\Temp\Unicorn-18188.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-18188.exe
        5⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:1984
      - C:\Users\Admin\AppData\Local\Temp\Unicorn-24315.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-24315.exe
        6⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:684
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-159.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-159.exe
        7⤵
        
        PID:2692
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-30073.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-30073.exe
        8⤵
        
        PID:3872
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-20084.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-20084.exe
        9⤵
        
        PID:4220
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-12045.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-12045.exe
        10⤵
        
        PID:6776
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4220 -s 216
        10⤵
        
        PID:6944
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3872 -s 216
        9⤵
        
        PID:5868
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2692 -s 216
        8⤵
        
        PID:4532
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 684 -s 236
        7⤵
        Program crash
        
        PID:4080
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1984 -s 236
        6⤵
        Program crash
        
        PID:2804
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3008 -s 240
        5⤵
        Program crash
        
        PID:2748
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 1776 -s 240
      4⤵
      Program crash
      PID:2252
- - C:\Users\Admin\AppData\Local\Temp\Unicorn-50966.exe
    C:\Users\Admin\AppData\Local\Temp\Unicorn-50966.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of SetWindowsHookEx
    PID:2704
  - - C:\Users\Admin\AppData\Local\Temp\Unicorn-24098.exe
      C:\Users\Admin\AppData\Local\Temp\Unicorn-24098.exe
      4⤵
      Executes dropped EXE
      Suspicious use of SetWindowsHookEx
      PID:2304
    - - C:\Users\Admin\AppData\Local\Temp\Unicorn-24889.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-24889.exe
        5⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2356
      - C:\Users\Admin\AppData\Local\Temp\Unicorn-47273.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-47273.exe
        6⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1792
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-21719.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-21719.exe
        7⤵
        
        PID:2728
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-25198.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-25198.exe
        8⤵
        
        PID:3916
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-60512.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-60512.exe
        9⤵
        System Location Discovery: System Language Discovery
        
        PID:5004
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 5004 -s 148
        10⤵
        
        PID:5056
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3916 -s 216
        9⤵
        
        PID:5448
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2728 -s 236
        8⤵
        
        PID:4236
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1792 -s 236
        7⤵
        Program crash
        
        PID:3456
      - C:\Users\Admin\AppData\Local\Temp\Unicorn-46612.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-46612.exe
        6⤵
        
        PID:1724
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-12052.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-12052.exe
        7⤵
        
        PID:3664
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-21076.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-21076.exe
        8⤵
        System Location Discovery: System Language Discovery
        
        PID:5072
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-12045.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-12045.exe
        9⤵
        
        PID:6760
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 5072 -s 236
        9⤵
        
        PID:6864
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3664 -s 236
        8⤵
        
        PID:5484
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1724 -s 236
        7⤵
        
        PID:3436
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2356 -s 240
        6⤵
        Program crash
        
        PID:3140
    - - C:\Users\Admin\AppData\Local\Temp\Unicorn-58985.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-58985.exe
        5⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1368
      - C:\Users\Admin\AppData\Local\Temp\Unicorn-8727.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-8727.exe
        6⤵
        
        PID:1476
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-30699.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-30699.exe
        7⤵
        
        PID:4040
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-20084.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-20084.exe
        8⤵
        
        PID:4416
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-12045.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-12045.exe
        9⤵
        
        PID:6796
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4416 -s 216
        9⤵
        
        PID:6976
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4040 -s 216
        8⤵
        
        PID:5824
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1476 -s 236
        7⤵
        
        PID:4248
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1368 -s 216
        6⤵
        Program crash
        
        PID:3556
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2304 -s 240
        5⤵
        Program crash
        
        PID:2840
  - - C:\Users\Admin\AppData\Local\Temp\Unicorn-39589.exe
      C:\Users\Admin\AppData\Local\Temp\Unicorn-39589.exe
      4⤵
      Executes dropped EXE
      Suspicious use of SetWindowsHookEx
      PID:1708
    - - C:\Users\Admin\AppData\Local\Temp\Unicorn-24105.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-24105.exe
        5⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1684
      - C:\Users\Admin\AppData\Local\Temp\Unicorn-62921.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-62921.exe
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:748
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-50934.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-50934.exe
        7⤵
        
        PID:3964
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-20084.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-20084.exe
        8⤵
        System Location Discovery: System Language Discovery
        
        PID:4504
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-12045.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-12045.exe
        9⤵
        System Location Discovery: System Language Discovery
        
        PID:6680
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4504 -s 236
        9⤵
        
        PID:6904
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3964 -s 216
        8⤵
        
        PID:5800
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 748 -s 216
        7⤵
        
        PID:4560
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1684 -s 236
        6⤵
        Program crash
        
        PID:3092
    - - C:\Users\Admin\AppData\Local\Temp\Unicorn-28370.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-28370.exe
        5⤵
        
        PID:1600
      - C:\Users\Admin\AppData\Local\Temp\Unicorn-2312.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-2312.exe
        6⤵
        
        PID:3856
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-20084.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-20084.exe
        7⤵
        
        PID:4488
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-12045.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-12045.exe
        8⤵
        System Location Discovery: System Language Discovery
        
        PID:6784
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4488 -s 216
        8⤵
        
        PID:7012
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3856 -s 216
        7⤵
        
        PID:5852
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1600 -s 236
        6⤵
        
        PID:4120
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1708 -s 240
        5⤵
        Program crash
        
        PID:3400
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 2704 -s 240
      4⤵
      Program crash
      PID:2628
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2324 -s 240
    3⤵
    - Loads dropped DLL
    - Program crash
    PID:2960
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 2532 -s 240
  2⤵
  - Program crash
  PID:2892

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\Unicorn-12656.exe

Filesize
188KB

MD5
4e9ad9f2cc70d1c0a749428a98b9e864

SHA1
75f7a805b6fc6572451b76091cf0966cfe07213d

SHA256
e0cd5e2aa6e49976dee57e8e0364d4ad20fcb32918069fc261a11035938605fa

SHA512
7c87f16c606fb3b77d57a2c1f8e3e55b1ca3f37b5b7ad5d346d2ae5c4068681451e2a1fc3e910c35b3ffcf72d522d5c5781f40e9d43d8171ae660f1e388d6313

Download Submit
C:\Users\Admin\AppData\Local\Temp\Unicorn-29549.exe

Filesize
188KB

MD5
0b66a3235612b70b2b782f23321f2dc4

SHA1
72ee3824b382243aa54f9658be08fca5d2a881e4

SHA256
9a938070478d93a0384b5d9e98be0d3b1a979ce12a2351587f02de26b4d8edc2

SHA512
16b83d44c9f6e73b9008a09363ca299864bcc388ec4b94e91b40f0258c729af88a75b58d7059acd3ea9b4455cae81fe2a1a8c80350b779a4f3d78190e2fbf121

Download Submit
C:\Users\Admin\AppData\Local\Temp\Unicorn-32664.exe

Filesize
188KB

MD5
cd144de201c3e3d80e99dae79c7e6943

SHA1
af0ec0d35be3cea933f90f90f710572e9489ee51

SHA256
5b8bef593fdad1c3b8c6571a00eaa649831f5c3bb9747236654dd919fed0b0f4

SHA512
a59cf31bd847c4ae1b19eda61584822345a8c2ec0b6908240b0ef7f47a4fdb07b233f4b96bdbc140ca2822bbe21892aa6307ae29d3a12debf6ab4a76f4054ff1

Download Submit
C:\Users\Admin\AppData\Local\Temp\Unicorn-40956.exe

Filesize
188KB

MD5
0498e40bb2d1cfb0193ab9976c920f9c

SHA1
e452e04ebaa8a2e3616073b60f4933c8e62b542e

SHA256
bab285d0049f4d32da8f05a0c4184116309ee429a97c6a1335102d649a90c681

SHA512
7189cb8618cc8677a8d02f0e41b3ed2d464d81fd0188124c4b9b484614ccc73a96342c3c68c6fbfb50e2d222d1803c05b2d9a921a1949b432cbf9b0211da4442

Download Submit
\Users\Admin\AppData\Local\Temp\Unicorn-12798.exe

Filesize
188KB

MD5
68e9c413bfba28ba25014388db51d811

SHA1
d998c00051c5000c0701493792f30ce11d0dffe1

SHA256
bfde044226a5201d05141e44d49349fd7ad4a5a64d967e9e176f418220b99d3d

SHA512
10725cac2651c601b8d4ec63cea8cc12737f5ca671c9091a6d5b36459fc665af5cac0081e478f0b6e7693500d6e529c6f4101673559e1df3c6dc512a9626ea7d

Download Submit
\Users\Admin\AppData\Local\Temp\Unicorn-27552.exe

Filesize
188KB

MD5
34daddeedd045607c1b9a096d6921069

SHA1
e81c78e5dee6d4eaaf1b3e9ff7f5440f3c2fe0e1

SHA256
d4d08c035f1d8f02b923bdc75d12336f644d77879dbb8b71adf51e9c32052baf

SHA512
36350b782a123b79d4f99e30aaed42d37f26d621c53f827b403e75c683376ce6df5a76b8dfa3f2ff557fdc2098a988b1d4efb5840abd111b9d98600587042874

Download Submit
\Users\Admin\AppData\Local\Temp\Unicorn-46995.exe

Filesize
188KB

MD5
ceb25ea027ecf5d75abcea0670e52b51

SHA1
c703ae1c9e8f5a9b3c25a81230b69ee7db99e471

SHA256
b53fc098548d74a3ca6a1b605163436646ffb3c8b5decc2eab208e5cfa085536

SHA512
3f499d5acd073e973e3e387d5934d92335dc9eece8712140ff4da458d9ac35ff5124fe19fcb5d45a7378841b7e43bc752837f003cb8b2d38df2d1d4a87ce0e67

Download Submit
\Users\Admin\AppData\Local\Temp\Unicorn-47011.exe

Filesize
188KB

MD5
c577388dc85420d5dc5975f837ffa064

SHA1
019c55e75ae9dedb895e866805923accd4c00239

SHA256
b1c5380290c55a4a0dbf5bc0527f22d37b58c2c37671b1fd08ff6fd428b4cb13

SHA512
77f82e0f5308276844a54dec75735d5476eec0d4db1c47e921e08e8518247f682f9cd1a08d593703166f6def7c94dffd84499cede94fb35af9b967051391d978

Download Submit
\Users\Admin\AppData\Local\Temp\Unicorn-50837.exe

Filesize
188KB

MD5
a21af3e2ce4d33270d728e7f15daefce

SHA1
d41196762d5250b18d30b22c493e3173f99c2e36

SHA256
2ef7442348f478d7f701b526411f502e8d062c886528851782fc9944d49443a6

SHA512
95d10b0ecfb7b08aaf9ab31a747263f7fda61da05be7400190b849b053915ab3d427a076f9996fe8066d6b56830c421885b7928216330dd377cf849ec957ac70

Download Submit
\Users\Admin\AppData\Local\Temp\Unicorn-50966.exe

Filesize
188KB

MD5
a1fad8f37948b589506189d9134aa299

SHA1
833efbdd78eaba1abe22c055305080b0052da2cd

SHA256
d1b4b615959e1d611a8ff03d2ad063a7574bfd9815495d55fb9c95a49a8bcca1

SHA512
474ac8cc5d8c6a2b22c72acff42e6692c349d128447a7dfb945ea19a3871309b4ccff12b76bdb6f60a17504967d0c2bd52ad6c4751678d4f80ea1643fb05bc79

Download Submit
\Users\Admin\AppData\Local\Temp\Unicorn-58662.exe

Filesize
188KB

MD5
03663895a2da6fa9fc804f0a05406c14

SHA1
879fb013534e46fb97f7fb46edef242304e34da6

SHA256
36e497f0a88e819c595268ba0a19edda241270759a8d8b7fb663fd278f904e24

SHA512
1bc07a3c5076b9b9091c72145de94dfccdf97b823490b72025a5a37f423bcf35460565debf22d3b455fbf88238a02efa9d2b455cff2f11f70079b73be9280fa3

Download Submit
\Users\Admin\AppData\Local\Temp\Unicorn-59975.exe

Filesize
188KB

MD5
6e0caa17ed13d9a12b1c8dce9952bb1e

SHA1
e1610e3198cb92a0b2f6b4e41c6b498811570b01

SHA256
3e24c210c8d79400f5041c818c6212b96774c2d140165c0b25d431a4b91dded6

SHA512
b10ae50cd429dd4ce94d90d6bfe75ebe4e878d246dae9d6a4724693db0cc96d406ea4d74a96d303ca4d339c01d350dd7be81a40f84604154e5ed0e4283e6f36d

Download Submit
\Users\Admin\AppData\Local\Temp\Unicorn-7686.exe

Filesize
188KB

MD5
64c1fe45551bb14ea3667b45ffada840

SHA1
0c3393333c8635ff86a81cc53e9295ef4d6cf852

SHA256
50f5112fe6207acfb1ebac54e0de91c9d6b8762746c817b18837a416212e61bf

SHA512
c3ceba64e951ee8d10e2b2e87ac7332b7495d47b3cea897da0bf229fee8dc85dab92c96dcbb76a2aa05c87cfe98129e77552dd06118ad590192cf59ffc72cc7f

Download Submit