fc830e63bb1c4c250f2421c5e81a25b766cde1a3a7400b334aa6cfab62cfe509

Analysis

max time kernel
120s
max time network
16s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
02/10/2024, 23:30

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

fc830e63bb1c4c250f2421c5e81a25b766cde1a3a7400b334aa6cfab62cfe509N.exe
Size

468KB
MD5

203df534548365e7f92d56f5f26e1c10
SHA1

befb467506d52467dffe018dd5cb6999d70bad54
SHA256

fc830e63bb1c4c250f2421c5e81a25b766cde1a3a7400b334aa6cfab62cfe509
SHA512

d7a2cb185209542a1dc69ac29c5457c39eeea7e4581a0ba1c5133834a53a1a807b5dda6cd0ddc53f456f61ac3be1c930930ae908db4fbd8cefc378a3acac8cb8
SSDEEP

3072:3FfnogKxjtTU2bY+Bz3yqf8/ECUjyIplPmfC5VuICJC+r3EjtTl/:3Ffot1U2dBDyqf00/jCJFjEjt

Score

7^/10

discovery

Malware Config

Signatures

Executes dropped EXE 64 IoCs

pid	Process
808	Unicorn-48227.exe
2564	Unicorn-44226.exe
2112	Unicorn-5694.exe
1696	Unicorn-9306.exe
2628	Unicorn-5777.exe
2740	Unicorn-25643.exe
2536	Unicorn-6374.exe
2556	Unicorn-35709.exe
2656	Unicorn-33593.exe
568	Unicorn-56706.exe
2244	Unicorn-11034.exe
1972	Unicorn-20812.exe
2544	Unicorn-29726.exe
2072	Unicorn-7189.exe
2336	Unicorn-62420.exe
2320	Unicorn-4859.exe
536	Unicorn-58699.exe
1372	Unicorn-64942.exe
1224	Unicorn-7827.exe
668	Unicorn-1050.exe
2996	Unicorn-11356.exe
760	Unicorn-65196.exe
1544	Unicorn-3551.exe
1580	Unicorn-23417.exe
2776	Unicorn-40499.exe
2076	Unicorn-60365.exe
2200	Unicorn-50059.exe
2328	Unicorn-30193.exe
2588	Unicorn-65217.exe
2528	Unicorn-30961.exe
2756	Unicorn-10370.exe
2068	Unicorn-49265.exe
1784	Unicorn-50012.exe
1400	Unicorn-16593.exe
1448	Unicorn-53157.exe
2272	Unicorn-33291.exe
1908	Unicorn-15009.exe
2916	Unicorn-38959.exe
2356	Unicorn-33313.exe
1608	Unicorn-33867.exe
1288	Unicorn-14838.exe
1696	Unicorn-35451.exe
880	Unicorn-4724.exe
1988	Unicorn-1195.exe
2164	Unicorn-47703.exe
2400	Unicorn-65300.exe
1212	Unicorn-39788.exe
2064	Unicorn-59654.exe
2752	Unicorn-4423.exe
2416	Unicorn-12399.exe
2216	Unicorn-45819.exe
1668	Unicorn-31450.exe
1792	Unicorn-63930.exe
1632	Unicorn-44065.exe
2696	Unicorn-41564.exe
2820	Unicorn-53816.exe
320	Unicorn-61984.exe
1316	Unicorn-1662.exe
2420	Unicorn-17998.exe
2352	Unicorn-37864.exe
2308	Unicorn-3053.exe
2900	Unicorn-42694.exe
1648	Unicorn-28112.exe
1208	Unicorn-9083.exe

Loads dropped DLL 64 IoCs

pid	Process
2964	fc830e63bb1c4c250f2421c5e81a25b766cde1a3a7400b334aa6cfab62cfe509N.exe
2964	fc830e63bb1c4c250f2421c5e81a25b766cde1a3a7400b334aa6cfab62cfe509N.exe
808	Unicorn-48227.exe
808	Unicorn-48227.exe
2964	fc830e63bb1c4c250f2421c5e81a25b766cde1a3a7400b334aa6cfab62cfe509N.exe
2964	fc830e63bb1c4c250f2421c5e81a25b766cde1a3a7400b334aa6cfab62cfe509N.exe
2564	Unicorn-44226.exe
2564	Unicorn-44226.exe
808	Unicorn-48227.exe
2112	Unicorn-5694.exe
808	Unicorn-48227.exe
2112	Unicorn-5694.exe
2684	WerFault.exe
2684	WerFault.exe
2684	WerFault.exe
2684	WerFault.exe
2684	WerFault.exe
2684	WerFault.exe
2684	WerFault.exe
1696	Unicorn-9306.exe
1696	Unicorn-9306.exe
2564	Unicorn-44226.exe
2564	Unicorn-44226.exe
2628	Unicorn-5777.exe
2112	Unicorn-5694.exe
2628	Unicorn-5777.exe
2112	Unicorn-5694.exe
2740	Unicorn-25643.exe
2740	Unicorn-25643.exe
1992	WerFault.exe
1992	WerFault.exe
1992	WerFault.exe
1992	WerFault.exe
1992	WerFault.exe
1992	WerFault.exe
1992	WerFault.exe
2536	Unicorn-6374.exe
2536	Unicorn-6374.exe
2424	WerFault.exe
2424	WerFault.exe
2424	WerFault.exe
2424	WerFault.exe
2424	WerFault.exe
2424	WerFault.exe
1696	Unicorn-9306.exe
1696	Unicorn-9306.exe
2424	WerFault.exe
2556	Unicorn-35709.exe
2556	Unicorn-35709.exe
568	Unicorn-56706.exe
568	Unicorn-56706.exe
2656	Unicorn-33593.exe
2656	Unicorn-33593.exe
2628	Unicorn-5777.exe
2628	Unicorn-5777.exe
1516	WerFault.exe
1516	WerFault.exe
1516	WerFault.exe
1516	WerFault.exe
1516	WerFault.exe
1516	WerFault.exe
1516	WerFault.exe
1972	Unicorn-20812.exe
1972	Unicorn-20812.exe

Program crash 64 IoCs

pid	pid_target	Process	procid_target
2260	2964	WerFault.exe	27
2684	808	WerFault.exe	28
1992	2564	WerFault.exe	29
2424	2112	WerFault.exe	30
1516	1696	WerFault.exe	32
1664	2628	WerFault.exe	33
1304	2740	WerFault.exe	34
2744	2536	WerFault.exe	36
648	2556	WerFault.exe	37
1916	568	WerFault.exe	39
2040	2244	WerFault.exe	40
1060	2656	WerFault.exe	38
2396	1972	WerFault.exe	42
1636	2544	WerFault.exe	44
3036	2072	WerFault.exe	45
2856	2336	WerFault.exe	46
2496	536	WerFault.exe	48
2132	2320	WerFault.exe	47
2700	1372	WerFault.exe	52
948	1224	WerFault.exe	55
1624	668	WerFault.exe	56
2600	760	WerFault.exe	58
1904	2776	WerFault.exe	61
2092	1580	WerFault.exe	60
1968	1908	WerFault.exe	78
1656	2272	WerFault.exe	77
3068	1288	WerFault.exe	82
1944	1448	WerFault.exe	76
1616	1608	WerFault.exe	81
1552	880	WerFault.exe	84
2088	2996	WerFault.exe	57
316	2164	WerFault.exe	86
2464	1696	WerFault.exe	83
2124	1544	WerFault.exe	59
2608	2076	WerFault.exe	62
1692	2756	WerFault.exe	68
3092	2200	WerFault.exe	63
3100	2328	WerFault.exe	64
3252	2696	WerFault.exe	102
3276	1400	WerFault.exe	73
3296	2528	WerFault.exe	67
3384	2752	WerFault.exe	93
3404	2400	WerFault.exe	88
3488	2588	WerFault.exe	66
3504	1212	WerFault.exe	90
3584	2064	WerFault.exe	91
3736	1784	WerFault.exe	71
3840	1668	WerFault.exe	99
3948	2068	WerFault.exe	69
3964	2916	WerFault.exe	79
4048	1208	WerFault.exe	111
3180	320	WerFault.exe	104
3244	2356	WerFault.exe	80
3260	2000	WerFault.exe	132
3312	2708	WerFault.exe	134
3356	1648	WerFault.exe	110
3484	1792	WerFault.exe	100
3536	1988	WerFault.exe	85
3564	2516	WerFault.exe	112
3576	2900	WerFault.exe	109
3628	2216	WerFault.exe	98
3344	2820	WerFault.exe	103
3928	2416	WerFault.exe	95
4044	1516	WerFault.exe	136

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Unicorn-29499.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Unicorn-42327.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Unicorn-59997.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Unicorn-56706.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Unicorn-65321.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Unicorn-61787.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Unicorn-39805.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Unicorn-2576.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Unicorn-57153.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Unicorn-4314.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Unicorn-64942.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Unicorn-1050.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Unicorn-38959.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Unicorn-34730.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Unicorn-1180.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Unicorn-5694.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Unicorn-58699.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Unicorn-63930.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Unicorn-29800.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Unicorn-31253.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Unicorn-5653.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Unicorn-28404.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	fc830e63bb1c4c250f2421c5e81a25b766cde1a3a7400b334aa6cfab62cfe509N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Unicorn-4724.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Unicorn-37179.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Unicorn-19852.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Unicorn-14828.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Unicorn-14304.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Unicorn-5777.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Unicorn-62420.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Unicorn-17998.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Unicorn-19629.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Unicorn-51289.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Unicorn-526.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Unicorn-41943.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Unicorn-49120.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Unicorn-14838.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Unicorn-35451.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Unicorn-3053.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Unicorn-19629.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Unicorn-30961.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Unicorn-41564.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Unicorn-65108.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Unicorn-37911.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Unicorn-27688.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Unicorn-7563.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Unicorn-44226.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Unicorn-7189.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Unicorn-40499.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Unicorn-52638.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Unicorn-46494.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Unicorn-49120.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Unicorn-18778.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Unicorn-35709.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Unicorn-29726.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Unicorn-52057.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Unicorn-39608.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Unicorn-7929.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Unicorn-16593.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Unicorn-37864.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Unicorn-44340.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Unicorn-50303.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Unicorn-50386.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Unicorn-24044.exe

Suspicious use of SetWindowsHookEx 64 IoCs

pid	Process
2964	fc830e63bb1c4c250f2421c5e81a25b766cde1a3a7400b334aa6cfab62cfe509N.exe
808	Unicorn-48227.exe
2564	Unicorn-44226.exe
2112	Unicorn-5694.exe
1696	Unicorn-9306.exe
2740	Unicorn-25643.exe
2628	Unicorn-5777.exe
2536	Unicorn-6374.exe
2556	Unicorn-35709.exe
568	Unicorn-56706.exe
2244	Unicorn-11034.exe
2656	Unicorn-33593.exe
1972	Unicorn-20812.exe
2544	Unicorn-29726.exe
2072	Unicorn-7189.exe
2336	Unicorn-62420.exe
536	Unicorn-58699.exe
2320	Unicorn-4859.exe
1372	Unicorn-64942.exe
1224	Unicorn-7827.exe
668	Unicorn-1050.exe
2996	Unicorn-11356.exe
1580	Unicorn-23417.exe
760	Unicorn-65196.exe
1544	Unicorn-3551.exe
2200	Unicorn-50059.exe
2076	Unicorn-60365.exe
2328	Unicorn-30193.exe
2776	Unicorn-40499.exe
2588	Unicorn-65217.exe
2528	Unicorn-30961.exe
2756	Unicorn-10370.exe
1784	Unicorn-50012.exe
2068	Unicorn-49265.exe
1400	Unicorn-16593.exe
1448	Unicorn-53157.exe
1908	Unicorn-15009.exe
2272	Unicorn-33291.exe
2916	Unicorn-38959.exe
2356	Unicorn-33313.exe
1608	Unicorn-33867.exe
1288	Unicorn-14838.exe
1696	Unicorn-35451.exe
880	Unicorn-4724.exe
2164	Unicorn-47703.exe
1988	Unicorn-1195.exe
2400	Unicorn-65300.exe
1212	Unicorn-39788.exe
2064	Unicorn-59654.exe
2752	Unicorn-4423.exe
2416	Unicorn-12399.exe
2216	Unicorn-45819.exe
1668	Unicorn-31450.exe
2820	Unicorn-53816.exe
2696	Unicorn-41564.exe
1792	Unicorn-63930.exe
1632	Unicorn-44065.exe
320	Unicorn-61984.exe
2900	Unicorn-42694.exe
1316	Unicorn-1662.exe
2308	Unicorn-3053.exe
1648	Unicorn-28112.exe
1208	Unicorn-9083.exe
2352	Unicorn-37864.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2964 wrote to memory of 808	2964	fc830e63bb1c4c250f2421c5e81a25b766cde1a3a7400b334aa6cfab62cfe509N.exe	28
PID 2964 wrote to memory of 808	2964	fc830e63bb1c4c250f2421c5e81a25b766cde1a3a7400b334aa6cfab62cfe509N.exe	28
PID 2964 wrote to memory of 808	2964	fc830e63bb1c4c250f2421c5e81a25b766cde1a3a7400b334aa6cfab62cfe509N.exe	28
PID 2964 wrote to memory of 808	2964	fc830e63bb1c4c250f2421c5e81a25b766cde1a3a7400b334aa6cfab62cfe509N.exe	28
PID 808 wrote to memory of 2564	808	Unicorn-48227.exe	29
PID 808 wrote to memory of 2564	808	Unicorn-48227.exe	29
PID 808 wrote to memory of 2564	808	Unicorn-48227.exe	29
PID 808 wrote to memory of 2564	808	Unicorn-48227.exe	29
PID 2964 wrote to memory of 2112	2964	fc830e63bb1c4c250f2421c5e81a25b766cde1a3a7400b334aa6cfab62cfe509N.exe	30
PID 2964 wrote to memory of 2112	2964	fc830e63bb1c4c250f2421c5e81a25b766cde1a3a7400b334aa6cfab62cfe509N.exe	30
PID 2964 wrote to memory of 2112	2964	fc830e63bb1c4c250f2421c5e81a25b766cde1a3a7400b334aa6cfab62cfe509N.exe	30
PID 2964 wrote to memory of 2112	2964	fc830e63bb1c4c250f2421c5e81a25b766cde1a3a7400b334aa6cfab62cfe509N.exe	30
PID 2964 wrote to memory of 2260	2964	fc830e63bb1c4c250f2421c5e81a25b766cde1a3a7400b334aa6cfab62cfe509N.exe	31
PID 2964 wrote to memory of 2260	2964	fc830e63bb1c4c250f2421c5e81a25b766cde1a3a7400b334aa6cfab62cfe509N.exe	31
PID 2964 wrote to memory of 2260	2964	fc830e63bb1c4c250f2421c5e81a25b766cde1a3a7400b334aa6cfab62cfe509N.exe	31
PID 2964 wrote to memory of 2260	2964	fc830e63bb1c4c250f2421c5e81a25b766cde1a3a7400b334aa6cfab62cfe509N.exe	31
PID 2564 wrote to memory of 1696	2564	Unicorn-44226.exe	32
PID 2564 wrote to memory of 1696	2564	Unicorn-44226.exe	32
PID 2564 wrote to memory of 1696	2564	Unicorn-44226.exe	32
PID 2564 wrote to memory of 1696	2564	Unicorn-44226.exe	32
PID 808 wrote to memory of 2628	808	Unicorn-48227.exe	33
PID 808 wrote to memory of 2628	808	Unicorn-48227.exe	33
PID 808 wrote to memory of 2628	808	Unicorn-48227.exe	33
PID 808 wrote to memory of 2628	808	Unicorn-48227.exe	33
PID 2112 wrote to memory of 2740	2112	Unicorn-5694.exe	34
PID 2112 wrote to memory of 2740	2112	Unicorn-5694.exe	34
PID 2112 wrote to memory of 2740	2112	Unicorn-5694.exe	34
PID 2112 wrote to memory of 2740	2112	Unicorn-5694.exe	34
PID 808 wrote to memory of 2684	808	Unicorn-48227.exe	35
PID 808 wrote to memory of 2684	808	Unicorn-48227.exe	35
PID 808 wrote to memory of 2684	808	Unicorn-48227.exe	35
PID 808 wrote to memory of 2684	808	Unicorn-48227.exe	35
PID 1696 wrote to memory of 2536	1696	Unicorn-9306.exe	36
PID 1696 wrote to memory of 2536	1696	Unicorn-9306.exe	36
PID 1696 wrote to memory of 2536	1696	Unicorn-9306.exe	36
PID 1696 wrote to memory of 2536	1696	Unicorn-9306.exe	36
PID 2564 wrote to memory of 2556	2564	Unicorn-44226.exe	37
PID 2564 wrote to memory of 2556	2564	Unicorn-44226.exe	37
PID 2564 wrote to memory of 2556	2564	Unicorn-44226.exe	37
PID 2564 wrote to memory of 2556	2564	Unicorn-44226.exe	37
PID 2628 wrote to memory of 2656	2628	Unicorn-5777.exe	38
PID 2628 wrote to memory of 2656	2628	Unicorn-5777.exe	38
PID 2628 wrote to memory of 2656	2628	Unicorn-5777.exe	38
PID 2628 wrote to memory of 2656	2628	Unicorn-5777.exe	38
PID 2112 wrote to memory of 568	2112	Unicorn-5694.exe	39
PID 2112 wrote to memory of 568	2112	Unicorn-5694.exe	39
PID 2112 wrote to memory of 568	2112	Unicorn-5694.exe	39
PID 2112 wrote to memory of 568	2112	Unicorn-5694.exe	39
PID 2740 wrote to memory of 2244	2740	Unicorn-25643.exe	40
PID 2740 wrote to memory of 2244	2740	Unicorn-25643.exe	40
PID 2740 wrote to memory of 2244	2740	Unicorn-25643.exe	40
PID 2740 wrote to memory of 2244	2740	Unicorn-25643.exe	40
PID 2564 wrote to memory of 1992	2564	Unicorn-44226.exe	41
PID 2564 wrote to memory of 1992	2564	Unicorn-44226.exe	41
PID 2564 wrote to memory of 1992	2564	Unicorn-44226.exe	41
PID 2564 wrote to memory of 1992	2564	Unicorn-44226.exe	41
PID 2536 wrote to memory of 1972	2536	Unicorn-6374.exe	42
PID 2536 wrote to memory of 1972	2536	Unicorn-6374.exe	42
PID 2536 wrote to memory of 1972	2536	Unicorn-6374.exe	42
PID 2536 wrote to memory of 1972	2536	Unicorn-6374.exe	42
PID 2112 wrote to memory of 2424	2112	Unicorn-5694.exe	43
PID 2112 wrote to memory of 2424	2112	Unicorn-5694.exe	43
PID 2112 wrote to memory of 2424	2112	Unicorn-5694.exe	43
PID 2112 wrote to memory of 2424	2112	Unicorn-5694.exe	43

C:\Users\Admin\AppData\Local\Temp\fc830e63bb1c4c250f2421c5e81a25b766cde1a3a7400b334aa6cfab62cfe509N.exe
"C:\Users\Admin\AppData\Local\Temp\fc830e63bb1c4c250f2421c5e81a25b766cde1a3a7400b334aa6cfab62cfe509N.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2964
- C:\Users\Admin\AppData\Local\Temp\Unicorn-48227.exe
  C:\Users\Admin\AppData\Local\Temp\Unicorn-48227.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:808
- - C:\Users\Admin\AppData\Local\Temp\Unicorn-44226.exe
    C:\Users\Admin\AppData\Local\Temp\Unicorn-44226.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:2564
  - - C:\Users\Admin\AppData\Local\Temp\Unicorn-9306.exe
      C:\Users\Admin\AppData\Local\Temp\Unicorn-9306.exe
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:1696
    - - C:\Users\Admin\AppData\Local\Temp\Unicorn-6374.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-6374.exe
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:2536
      - C:\Users\Admin\AppData\Local\Temp\Unicorn-20812.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-20812.exe
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetWindowsHookEx
        
        PID:1972
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-64942.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-64942.exe
        7⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:1372
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-65217.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-65217.exe
        8⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2588
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-65300.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-65300.exe
        9⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2400
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-33095.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-33095.exe
        10⤵
        
        PID:876
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-29499.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-29499.exe
        11⤵
        System Location Discovery: System Language Discovery
        
        PID:3908
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-14693.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-14693.exe
        12⤵
        
        PID:4892
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3908 -s 216
        12⤵
        
        PID:5712
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 876 -s 236
        11⤵
        
        PID:4432
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2400 -s 236
        10⤵
        Program crash
        
        PID:3404
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-62814.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-62814.exe
        9⤵
        
        PID:2664
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-42327.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-42327.exe
        10⤵
        System Location Discovery: System Language Discovery
        
        PID:3976
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-1180.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-1180.exe
        11⤵
        System Location Discovery: System Language Discovery
        
        PID:5032
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3976 -s 236
        11⤵
        
        PID:5604
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2664 -s 216
        10⤵
        
        PID:4508
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2588 -s 240
        9⤵
        Program crash
        
        PID:3488
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-39788.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-39788.exe
        8⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1212
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-62259.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-62259.exe
        9⤵
        
        PID:1640
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-50303.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-50303.exe
        10⤵
        System Location Discovery: System Language Discovery
        
        PID:4020
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-15955.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-15955.exe
        11⤵
        
        PID:5076
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4020 -s 216
        11⤵
        
        PID:5720
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1640 -s 216
        10⤵
        
        PID:4516
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1212 -s 236
        9⤵
        Program crash
        
        PID:3504
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1372 -s 240
        8⤵
        Program crash
        
        PID:2700
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-30961.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-30961.exe
        7⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2528
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-59654.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-59654.exe
        8⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2064
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-37179.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-37179.exe
        9⤵
        System Location Discovery: System Language Discovery
        
        PID:1688
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-1102.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-1102.exe
        10⤵
        
        PID:4064
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-46681.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-46681.exe
        11⤵
        
        PID:4740
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4064 -s 236
        11⤵
        
        PID:5616
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1688 -s 236
        10⤵
        
        PID:4612
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2064 -s 236
        9⤵
        Program crash
        
        PID:3584
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-50562.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-50562.exe
        8⤵
        
        PID:3008
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-41943.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-41943.exe
        9⤵
        System Location Discovery: System Language Discovery
        
        PID:3812
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-49120.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-49120.exe
        10⤵
        System Location Discovery: System Language Discovery
        
        PID:4640
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3812 -s 216
        10⤵
        
        PID:5592
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3008 -s 216
        9⤵
        
        PID:4388
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2528 -s 240
        8⤵
        Program crash
        
        PID:3296
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1972 -s 240
        7⤵
        Program crash
        
        PID:2396
      - C:\Users\Admin\AppData\Local\Temp\Unicorn-7827.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-7827.exe
        6⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1224
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-10370.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-10370.exe
        7⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2756
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-52638.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-52638.exe
        8⤵
        System Location Discovery: System Language Discovery
        
        PID:1368
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-526.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-526.exe
        9⤵
        System Location Discovery: System Language Discovery
        
        PID:3568
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-5757.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-5757.exe
        10⤵
        
        PID:5036
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3568 -s 216
        10⤵
        
        PID:5632
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1368 -s 216
        9⤵
        
        PID:4120
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2756 -s 236
        8⤵
        Program crash
        
        PID:1692
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1224 -s 236
        7⤵
        Program crash
        
        PID:948
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2536 -s 240
        6⤵
        Program crash
        
        PID:2744
    - - C:\Users\Admin\AppData\Local\Temp\Unicorn-29726.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-29726.exe
        5⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2544
      - C:\Users\Admin\AppData\Local\Temp\Unicorn-1050.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-1050.exe
        6⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:668
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-49265.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-49265.exe
        7⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2068
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-12399.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-12399.exe
        8⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2416
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-19629.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-19629.exe
        9⤵
        System Location Discovery: System Language Discovery
        
        PID:2000
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-27688.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-27688.exe
        10⤵
        System Location Discovery: System Language Discovery
        
        PID:2288
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-50386.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-50386.exe
        11⤵
        System Location Discovery: System Language Discovery
        
        PID:3956
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-54242.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-54242.exe
        12⤵
        
        PID:6116
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3956 -s 220
        12⤵
        
        PID:6456
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2288 -s 216
        11⤵
        
        PID:4952
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2000 -s 236
        10⤵
        Program crash
        
        PID:3260
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-4314.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-4314.exe
        9⤵
        System Location Discovery: System Language Discovery
        
        PID:2624
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-24668.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-24668.exe
        10⤵
        
        PID:3780
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-7929.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-7929.exe
        11⤵
        System Location Discovery: System Language Discovery
        
        PID:6612
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3780 -s 236
        11⤵
        
        PID:6996
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2624 -s 216
        10⤵
        
        PID:4972
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2416 -s 220
        9⤵
        Program crash
        
        PID:3928
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-34381.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-34381.exe
        8⤵
        
        PID:2444
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-19852.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-19852.exe
        9⤵
        System Location Discovery: System Language Discovery
        
        PID:3828
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-14304.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-14304.exe
        10⤵
        
        PID:5396
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3828 -s 216
        10⤵
        
        PID:5940
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2444 -s 216
        9⤵
        
        PID:4804
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2068 -s 240
        8⤵
        Program crash
        
        PID:3948
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-45819.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-45819.exe
        7⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2216
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-57153.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-57153.exe
        8⤵
        System Location Discovery: System Language Discovery
        
        PID:1936
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-28404.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-28404.exe
        9⤵
        System Location Discovery: System Language Discovery
        
        PID:3892
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-14304.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-14304.exe
        10⤵
        System Location Discovery: System Language Discovery
        
        PID:5388
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3892 -s 216
        10⤵
        
        PID:6024
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1936 -s 216
        9⤵
        
        PID:4556
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2216 -s 236
        8⤵
        Program crash
        
        PID:3628
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 668 -s 240
        7⤵
        Program crash
        
        PID:1624
      - C:\Users\Admin\AppData\Local\Temp\Unicorn-50012.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-50012.exe
        6⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1784
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-4423.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-4423.exe
        7⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2752
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-39509.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-39509.exe
        8⤵
        
        PID:2500
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-52057.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-52057.exe
        9⤵
        System Location Discovery: System Language Discovery
        
        PID:3880
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-18778.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-18778.exe
        10⤵
        System Location Discovery: System Language Discovery
        
        PID:4840
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3880 -s 216
        10⤵
        
        PID:5656
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2500 -s 216
        9⤵
        
        PID:4420
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2752 -s 236
        8⤵
        Program crash
        
        PID:3384
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-44340.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-44340.exe
        7⤵
        System Location Discovery: System Language Discovery
        
        PID:2280
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-18207.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-18207.exe
        8⤵
        
        PID:3220
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-63401.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-63401.exe
        9⤵
        
        PID:5096
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3220 -s 236
        9⤵
        
        PID:5640
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2280 -s 236
        8⤵
        
        PID:4696
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1784 -s 240
        7⤵
        Program crash
        
        PID:3736
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2544 -s 240
        6⤵
        Program crash
        
        PID:1636
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1696 -s 240
        5⤵
        Loads dropped DLL
        Program crash
        
        PID:1516
  - - C:\Users\Admin\AppData\Local\Temp\Unicorn-35709.exe
      C:\Users\Admin\AppData\Local\Temp\Unicorn-35709.exe
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      System Location Discovery: System Language Discovery
      Suspicious use of SetWindowsHookEx
      PID:2556
    - - C:\Users\Admin\AppData\Local\Temp\Unicorn-7189.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-7189.exe
        5⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2072
      - C:\Users\Admin\AppData\Local\Temp\Unicorn-11356.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-11356.exe
        6⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2996
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-16593.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-16593.exe
        7⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:1400
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-41564.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-41564.exe
        8⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2696
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-10920.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-10920.exe
        9⤵
        
        PID:324
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-39805.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-39805.exe
        10⤵
        System Location Discovery: System Language Discovery
        
        PID:3712
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-56904.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-56904.exe
        11⤵
        
        PID:5084
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3712 -s 216
        11⤵
        
        PID:5744
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 324 -s 236
        10⤵
        
        PID:4316
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2696 -s 236
        9⤵
        Program crash
        
        PID:3252
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-28543.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-28543.exe
        8⤵
        
        PID:704
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-33775.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-33775.exe
        9⤵
        
        PID:3784
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-49120.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-49120.exe
        10⤵
        System Location Discovery: System Language Discovery
        
        PID:4620
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3784 -s 216
        10⤵
        
        PID:5524
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 704 -s 216
        9⤵
        
        PID:4372
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1400 -s 220
        8⤵
        Program crash
        
        PID:3276
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-1662.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-1662.exe
        7⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1316
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-29800.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-29800.exe
        8⤵
        System Location Discovery: System Language Discovery
        
        PID:3324
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-39608.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-39608.exe
        9⤵
        System Location Discovery: System Language Discovery
        
        PID:4744
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3324 -s 236
        9⤵
        
        PID:5532
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1316 -s 236
        8⤵
        
        PID:3652
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2996 -s 240
        7⤵
        Program crash
        
        PID:2088
      - C:\Users\Admin\AppData\Local\Temp\Unicorn-33291.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-33291.exe
        6⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2272
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-50910.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-50910.exe
        7⤵
        
        PID:2708
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-27688.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-27688.exe
        8⤵
        
        PID:1732
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-27828.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-27828.exe
        9⤵
        
        PID:4036
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-7563.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-7563.exe
        10⤵
        
        PID:400
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4036 -s 220
        10⤵
        
        PID:6480
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1732 -s 216
        9⤵
        
        PID:5060
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2708 -s 216
        8⤵
        Program crash
        
        PID:3312
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2272 -s 236
        7⤵
        Program crash
        
        PID:1656
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2072 -s 240
        6⤵
        Program crash
        
        PID:3036
    - - C:\Users\Admin\AppData\Local\Temp\Unicorn-65196.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-65196.exe
        5⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:760
      - C:\Users\Admin\AppData\Local\Temp\Unicorn-38959.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-38959.exe
        6⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2916
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-9083.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-9083.exe
        7⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1208
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-37911.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-37911.exe
        8⤵
        System Location Discovery: System Language Discovery
        
        PID:952
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-5653.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-5653.exe
        9⤵
        System Location Discovery: System Language Discovery
        
        PID:3876
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-33739.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-33739.exe
        10⤵
        
        PID:5764
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3876 -s 216
        10⤵
        
        PID:6260
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 952 -s 236
        9⤵
        
        PID:4856
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1208 -s 236
        8⤵
        Program crash
        
        PID:4048
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-33011.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-33011.exe
        7⤵
        
        PID:308
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-46494.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-46494.exe
        8⤵
        System Location Discovery: System Language Discovery
        
        PID:3792
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-57283.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-57283.exe
        9⤵
        
        PID:5408
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3792 -s 216
        9⤵
        
        PID:6148
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 308 -s 236
        8⤵
        
        PID:4788
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2916 -s 240
        7⤵
        Program crash
        
        PID:3964
      - C:\Users\Admin\AppData\Local\Temp\Unicorn-5554.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-5554.exe
        6⤵
        
        PID:2516
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-57153.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-57153.exe
        7⤵
        
        PID:996
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-50962.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-50962.exe
        8⤵
        
        PID:3660
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-59997.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-59997.exe
        9⤵
        System Location Discovery: System Language Discovery
        
        PID:5480
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3660 -s 216
        9⤵
        
        PID:6244
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 996 -s 216
        8⤵
        
        PID:4524
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2516 -s 236
        7⤵
        Program crash
        
        PID:3564
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 760 -s 240
        6⤵
        Program crash
        
        PID:2600
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2556 -s 240
        5⤵
        Program crash
        
        PID:648
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 2564 -s 240
      4⤵
      Loads dropped DLL
      Program crash
      PID:1992
- - C:\Users\Admin\AppData\Local\Temp\Unicorn-5777.exe
    C:\Users\Admin\AppData\Local\Temp\Unicorn-5777.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:2628
  - - C:\Users\Admin\AppData\Local\Temp\Unicorn-33593.exe
      C:\Users\Admin\AppData\Local\Temp\Unicorn-33593.exe
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Suspicious use of SetWindowsHookEx
      PID:2656
    - - C:\Users\Admin\AppData\Local\Temp\Unicorn-4859.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-4859.exe
        5⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2320
      - C:\Users\Admin\AppData\Local\Temp\Unicorn-50059.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-50059.exe
        6⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2200
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-33313.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-33313.exe
        7⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2356
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-61984.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-61984.exe
        8⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:320
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-19821.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-19821.exe
        9⤵
        
        PID:2428
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-5461.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-5461.exe
        10⤵
        
        PID:3192
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-7563.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-7563.exe
        11⤵
        System Location Discovery: System Language Discovery
        
        PID:1852
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3192 -s 220
        11⤵
        
        PID:6472
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2428 -s 236
        10⤵
        
        PID:4128
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 320 -s 236
        9⤵
        Program crash
        
        PID:3180
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-20375.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-20375.exe
        8⤵
        
        PID:2764
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-15575.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-15575.exe
        9⤵
        
        PID:3932
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-15264.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-15264.exe
        10⤵
        
        PID:5580
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3932 -s 216
        10⤵
        
        PID:6252
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2764 -s 216
        9⤵
        
        PID:4944
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2356 -s 240
        8⤵
        Program crash
        
        PID:3244
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-17998.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-17998.exe
        7⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2420
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-61787.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-61787.exe
        8⤵
        System Location Discovery: System Language Discovery
        
        PID:3644
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-34730.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-34730.exe
        9⤵
        System Location Discovery: System Language Discovery
        
        PID:4408
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3644 -s 216
        9⤵
        
        PID:5700
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2420 -s 216
        8⤵
        
        PID:4160
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2200 -s 240
        7⤵
        Program crash
        
        PID:3092
      - C:\Users\Admin\AppData\Local\Temp\Unicorn-33867.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-33867.exe
        6⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1608
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-6945.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-6945.exe
        7⤵
        
        PID:1284
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-827.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-827.exe
        8⤵
        
        PID:3200
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-55513.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-55513.exe
        9⤵
        
        PID:4996
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3200 -s 216
        9⤵
        
        PID:5624
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1284 -s 236
        8⤵
        
        PID:3920
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1608 -s 236
        7⤵
        Program crash
        
        PID:1616
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2320 -s 240
        6⤵
        Program crash
        
        PID:2132
    - - C:\Users\Admin\AppData\Local\Temp\Unicorn-30193.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-30193.exe
        5⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2328
      - C:\Users\Admin\AppData\Local\Temp\Unicorn-47703.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-47703.exe
        6⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2164
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-60230.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-60230.exe
        7⤵
        
        PID:2716
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-43121.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-43121.exe
        8⤵
        
        PID:3360
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-14828.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-14828.exe
        9⤵
        System Location Discovery: System Language Discovery
        
        PID:4276
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-64027.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-64027.exe
        10⤵
        
        PID:1764
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3360 -s 236
        9⤵
        
        PID:5472
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2716 -s 236
        8⤵
        
        PID:3168
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2164 -s 216
        7⤵
        Program crash
        
        PID:316
      - C:\Users\Admin\AppData\Local\Temp\Unicorn-19944.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-19944.exe
        6⤵
        
        PID:2344
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-57703.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-57703.exe
        7⤵
        
        PID:3676
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-46598.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-46598.exe
        8⤵
        
        PID:4916
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3676 -s 216
        8⤵
        
        PID:5676
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2344 -s 236
        7⤵
        
        PID:4168
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2328 -s 240
        6⤵
        Program crash
        
        PID:3100
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2656 -s 240
        5⤵
        Program crash
        
        PID:1060
  - - C:\Users\Admin\AppData\Local\Temp\Unicorn-58699.exe
      C:\Users\Admin\AppData\Local\Temp\Unicorn-58699.exe
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious use of SetWindowsHookEx
      PID:536
    - - C:\Users\Admin\AppData\Local\Temp\Unicorn-60365.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-60365.exe
        5⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2076
      - C:\Users\Admin\AppData\Local\Temp\Unicorn-4724.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-4724.exe
        6⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:880
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-37672.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-37672.exe
        7⤵
        
        PID:2524
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-4911.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-4911.exe
        8⤵
        
        PID:3172
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-9758.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-9758.exe
        9⤵
        
        PID:4568
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3172 -s 216
        9⤵
        
        PID:5688
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2524 -s 216
        8⤵
        
        PID:4028
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 880 -s 236
        7⤵
        Program crash
        
        PID:1552
      - C:\Users\Admin\AppData\Local\Temp\Unicorn-46587.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-46587.exe
        6⤵
        
        PID:1788
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-526.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-526.exe
        7⤵
        
        PID:3556
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-47428.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-47428.exe
        8⤵
        
        PID:4324
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3556 -s 216
        8⤵
        
        PID:5560
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1788 -s 236
        7⤵
        
        PID:4112
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2076 -s 240
        6⤵
        Program crash
        
        PID:2608
    - - C:\Users\Admin\AppData\Local\Temp\Unicorn-1195.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-1195.exe
        5⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1988
      - C:\Users\Admin\AppData\Local\Temp\Unicorn-63930.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-63930.exe
        6⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:1792
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-57153.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-57153.exe
        7⤵
        
        PID:1956
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-3899.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-3899.exe
        8⤵
        
        PID:3424
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-10220.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-10220.exe
        9⤵
        
        PID:5324
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3424 -s 216
        9⤵
        
        PID:5920
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1956 -s 216
        8⤵
        
        PID:4260
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1792 -s 236
        7⤵
        Program crash
        
        PID:3484
      - C:\Users\Admin\AppData\Local\Temp\Unicorn-37287.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-37287.exe
        6⤵
        
        PID:2720
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-24044.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-24044.exe
        7⤵
        System Location Discovery: System Language Discovery
        
        PID:3704
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-49917.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-49917.exe
        8⤵
        
        PID:7060
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3704 -s 216
        8⤵
        
        PID:6548
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2720 -s 216
        7⤵
        
        PID:4864
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1988 -s 240
        6⤵
        Program crash
        
        PID:3536
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 536 -s 240
        5⤵
        Program crash
        
        PID:2496
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 2628 -s 220
      4⤵
      Program crash
      PID:1664
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 808 -s 240
    3⤵
    - Loads dropped DLL
    - Program crash
    PID:2684
- C:\Users\Admin\AppData\Local\Temp\Unicorn-5694.exe
  C:\Users\Admin\AppData\Local\Temp\Unicorn-5694.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2112
- - C:\Users\Admin\AppData\Local\Temp\Unicorn-25643.exe
    C:\Users\Admin\AppData\Local\Temp\Unicorn-25643.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:2740
  - - C:\Users\Admin\AppData\Local\Temp\Unicorn-11034.exe
      C:\Users\Admin\AppData\Local\Temp\Unicorn-11034.exe
      4⤵
      Executes dropped EXE
      Suspicious use of SetWindowsHookEx
      PID:2244
    - - C:\Users\Admin\AppData\Local\Temp\Unicorn-3551.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-3551.exe
        5⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1544
      - C:\Users\Admin\AppData\Local\Temp\Unicorn-14838.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-14838.exe
        6⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:1288
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-31450.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-31450.exe
        7⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1668
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-19629.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-19629.exe
        8⤵
        System Location Discovery: System Language Discovery
        
        PID:1928
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-18015.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-18015.exe
        9⤵
        
        PID:3432
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-25083.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-25083.exe
        10⤵
        
        PID:4460
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3432 -s 236
        10⤵
        
        PID:5648
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1928 -s 216
        9⤵
        
        PID:4724
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1668 -s 236
        8⤵
        Program crash
        
        PID:3840
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-65108.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-65108.exe
        7⤵
        System Location Discovery: System Language Discovery
        
        PID:1516
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-26510.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-26510.exe
        8⤵
        
        PID:2860
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-43801.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-43801.exe
        9⤵
        
        PID:4212
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-26311.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-26311.exe
        10⤵
        
        PID:6220
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2860 -s 236
        9⤵
        
        PID:5508
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1516 -s 236
        8⤵
        Program crash
        
        PID:4044
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1288 -s 240
        7⤵
        Program crash
        
        PID:3068
      - C:\Users\Admin\AppData\Local\Temp\Unicorn-44065.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-44065.exe
        6⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1632
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-31253.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-31253.exe
        7⤵
        System Location Discovery: System Language Discovery
        
        PID:3516
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-60988.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-60988.exe
        8⤵
        
        PID:4872
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3516 -s 216
        8⤵
        
        PID:5548
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1632 -s 216
        7⤵
        
        PID:3904
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1544 -s 240
        6⤵
        Program crash
        
        PID:2124
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2244 -s 216
        5⤵
        Program crash
        
        PID:2040
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 2740 -s 236
      4⤵
      Program crash
      PID:1304
- - C:\Users\Admin\AppData\Local\Temp\Unicorn-56706.exe
    C:\Users\Admin\AppData\Local\Temp\Unicorn-56706.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    PID:568
  - - C:\Users\Admin\AppData\Local\Temp\Unicorn-62420.exe
      C:\Users\Admin\AppData\Local\Temp\Unicorn-62420.exe
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious use of SetWindowsHookEx
      PID:2336
    - - C:\Users\Admin\AppData\Local\Temp\Unicorn-23417.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-23417.exe
        5⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1580
      - C:\Users\Admin\AppData\Local\Temp\Unicorn-53157.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-53157.exe
        6⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1448
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-3053.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-3053.exe
        7⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2308
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-26894.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-26894.exe
        8⤵
        
        PID:3144
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-36209.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-36209.exe
        9⤵
        
        PID:4536
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3144 -s 216
        9⤵
        
        PID:5516
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2308 -s 216
        8⤵
        
        PID:3972
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1448 -s 236
        7⤵
        Program crash
        
        PID:1944
      - C:\Users\Admin\AppData\Local\Temp\Unicorn-28112.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-28112.exe
        6⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1648
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-27688.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-27688.exe
        7⤵
        
        PID:2008
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-40272.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-40272.exe
        8⤵
        
        PID:4084
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-2576.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-2576.exe
        9⤵
        System Location Discovery: System Language Discovery
        
        PID:4348
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4084 -s 236
        9⤵
        
        PID:5464
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2008 -s 216
        8⤵
        
        PID:4264
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1648 -s 216
        7⤵
        Program crash
        
        PID:3356
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1580 -s 240
        6⤵
        Program crash
        
        PID:2092
    - - C:\Users\Admin\AppData\Local\Temp\Unicorn-15009.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-15009.exe
        5⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1908
      - C:\Users\Admin\AppData\Local\Temp\Unicorn-53816.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-53816.exe
        6⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2820
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-52960.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-52960.exe
        7⤵
        
        PID:2512
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-16308.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-16308.exe
        8⤵
        
        PID:3480
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-11738.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-11738.exe
        9⤵
        
        PID:6552
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3480 -s 236
        9⤵
        
        PID:6796
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2512 -s 216
        8⤵
        
        PID:4936
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2820 -s 236
        7⤵
        Program crash
        
        PID:3344
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1908 -s 236
        6⤵
        Program crash
        
        PID:1968
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2336 -s 240
        5⤵
        Program crash
        
        PID:2856
  - - C:\Users\Admin\AppData\Local\Temp\Unicorn-40499.exe
      C:\Users\Admin\AppData\Local\Temp\Unicorn-40499.exe
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious use of SetWindowsHookEx
      PID:2776
    - - C:\Users\Admin\AppData\Local\Temp\Unicorn-35451.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-35451.exe
        5⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:1696
      - C:\Users\Admin\AppData\Local\Temp\Unicorn-37864.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-37864.exe
        6⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2352
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-51289.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-51289.exe
        7⤵
        System Location Discovery: System Language Discovery
        
        PID:3460
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-56328.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-56328.exe
        8⤵
        
        PID:4816
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3460 -s 216
        8⤵
        
        PID:5540
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2352 -s 236
        7⤵
        
        PID:3156
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1696 -s 216
        6⤵
        Program crash
        
        PID:2464
    - - C:\Users\Admin\AppData\Local\Temp\Unicorn-42694.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-42694.exe
        5⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2900
      - C:\Users\Admin\AppData\Local\Temp\Unicorn-65321.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-65321.exe
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:2372
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-12067.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-12067.exe
        7⤵
        
        PID:3808
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-18389.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-18389.exe
        8⤵
        
        PID:5352
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3808 -s 216
        8⤵
        
        PID:6012
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2372 -s 216
        7⤵
        
        PID:4548
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2900 -s 236
        6⤵
        Program crash
        
        PID:3576
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2776 -s 220
        5⤵
        Program crash
        
        PID:1904
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 568 -s 240
      4⤵
      Program crash
      PID:1916
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2112 -s 240
    3⤵
    - Loads dropped DLL
    - Program crash
    PID:2424
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 2964 -s 240
  2⤵
  - Program crash
  PID:2260

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\Unicorn-20812.exe

Filesize
468KB

MD5
6f29033e1cdb7e47545adbd13d16b839

SHA1
836505905d948424949cca8272949ecaf74ef9c0

SHA256
3ed87527113567d03636a1267c371d022ef6969c9ca8674e55aeefe0bda373c3

SHA512
d07c477067ca1aca95b8d2b0b1a7dbbc657731f7b5979b14a19d75258e02fb817719059c86e9f54de95b808c9166b0399428959856a022a92925f0405267dace

Download Submit
C:\Users\Admin\AppData\Local\Temp\Unicorn-25643.exe

Filesize
468KB

MD5
13a58a37a3dfbd2eaf547f8c1a1f21c1

SHA1
ee7faf82639ba3e5eb3f7aaa189faf07c9372f35

SHA256
4a2fc5c0143af73f021aebf2ac6c318d00866949ec330962987895385375ec85

SHA512
8da510a4255f2c717d58cf7231a4be9019789a5cf332cd19f4bac585db34345f174f6e78f60d1410ee7bbe373427694a6c5021870798b162b7fc3e0716f9b0a9

Download Submit
C:\Users\Admin\AppData\Local\Temp\Unicorn-39788.exe

Filesize
468KB

MD5
ab4d52d932c0598e9fc911bccf19266a

SHA1
99ed5690d229897dfcf5ef1949ad0531f2c9c875

SHA256
0057f476deb1e4b64e2170478c8d756d7302899e20867be96b6a54c05ee32728

SHA512
8f7d71ed5c5fbbdc555a1329a5cca12cd3521a87f1ebd472c2a06f657ede2c45dbf54a8abdc90daaddd08289bebc585175b7b133c6f6f92574b8d2ab99fe5928

Download Submit
C:\Users\Admin\AppData\Local\Temp\Unicorn-44226.exe

Filesize
468KB

MD5
0bc182faf0f20acfda77d60eb68c855a

SHA1
126d719471078d01f0dd8884bd266c7c71016225

SHA256
f6d674d0b487cc7f46664c200086702c3c334728111d1ae570263a670c157357

SHA512
6562e02d347146522f1d5161ee2db58d4ec2fc02de6dddb63eccd3c2bfa0b3569665b91b5020848d9f5ce4aa5a14c319b51d3073a682045d86f98227fa73d0b2

Download Submit
C:\Users\Admin\AppData\Local\Temp\Unicorn-56706.exe

Filesize
468KB

MD5
c20ed61de2180e536d35a65afb7871cc

SHA1
436030234cc37a641ff2a503ac5db04bb83bbc7a

SHA256
e55f6944c69607fb8cc81c4d72584afe535adbb7fe06e3dfeea3e9f1957b95f8

SHA512
f76eed165c981027f3d2b659864aa6db58c101b3c570e984956ee19264fb44dac265e3e7d14f1cdc5004a1c90c80ee53b14e2d3e119dcd2dda564e25e9fc39e7

Download Submit
C:\Users\Admin\AppData\Local\Temp\Unicorn-9306.exe

Filesize
468KB

MD5
2bbdc0548ee405e2eeaa9ade1c6e6421

SHA1
2ca8d1babbfa9fdfd6b90f17093cc7a4f3a1582c

SHA256
120f54e9885fbd1aff9f5313f734ebf165da9cfaa07adacde7474795c2d3dd55

SHA512
4f5ff7698314c884b2333ba3244a54df8c1b167f1f528ce21766ead0269ae7f325479879743ffab4601d6865a459da54f365d1330d43128ea3470fa9898388c4

Download Submit
\Users\Admin\AppData\Local\Temp\Unicorn-11034.exe

Filesize
468KB

MD5
7e5c9d4b8950e37e57cce5beaf31d72a

SHA1
db2b16babfbb727346e14f8a2ae047902090eab1

SHA256
ef0535a237f694edb4af8180ff0ef515fc075e98369026342be0026cabf6efc1

SHA512
ab37012c9e4eeaf2c83b161830e50358ad662ed31c2fcea962e0a2f8c4fe203c9edd640b60e14e99642bd82d4574768903a378f329dbbb873dcf6a8eaeb64b0a

Download Submit
\Users\Admin\AppData\Local\Temp\Unicorn-29726.exe

Filesize
468KB

MD5
c19fd993d2158fdf4f4eda2cc6fb33b3

SHA1
81fa695c4e62004c9979523667d7bcd4d5a27155

SHA256
f6eb252fa6c1c9a437fa83c457ec2b11f09d0b7042ba4401268b9e773956970d

SHA512
42f60fbd6d2d516b3e7bcbec4fce6417461da555597057e59af4a2781671c502db0991e7d902e01c3f52f3d7f80749ba5e82f6ab0e33a4f54330bdedab60f754

Download Submit
\Users\Admin\AppData\Local\Temp\Unicorn-33593.exe

Filesize
468KB

MD5
07fd084b8525cb272ce3408d1cff2b6d

SHA1
2dbce423f968ea36a74e97d08c76cac499a70339

SHA256
1494e8a252fee670d4374165820d4dc47fb1c4e4e4d1b6f1c7ec14754f847d7b

SHA512
10e47d12544329a09d7a2b5979c9a99a54c09dec763d87cb82dcfe88700bcad317d6a17034cedc4d9d6eca83175fdfbb89aff48e52aa230818f11e00d23effa3

Download Submit
\Users\Admin\AppData\Local\Temp\Unicorn-35709.exe

Filesize
468KB

MD5
5caeef043713269dab5685510055ee85

SHA1
94bb7ada8c5f33e23aadf4e0c05572ca4c0bb3ab

SHA256
6e78ec372bfe253ba6398039bd7c8b72586817029fa897a7b8ba5d7055980e87

SHA512
ec1befeda69ab4f4062fdb9e1f5e1ef1e3390cc44d32050de6b970b7a2f4ca54220d3fbf95a58c3a1495ac08ccc9a6492ba98b7703250f9d3193ac89d0225f26

Download Submit
\Users\Admin\AppData\Local\Temp\Unicorn-48227.exe

Filesize
468KB

MD5
b221848d7dae1b43026f6bb5217f5a48

SHA1
a687a32f8237197927167c7d6a53f9842d6a448a

SHA256
7a246d893af25b64e87bd4b5b045e9512a84af96603d7ac1335ced5265a72e4c

SHA512
976ba393d60c0a6212a8aa1ff8b578986de0d2ace1d571b4d92ae47c5ac1af23ae82b4d6e5071aa4e5f828f64d02f9450dad1d36c92a6979efa464fba369d81b

Download Submit
\Users\Admin\AppData\Local\Temp\Unicorn-5694.exe

Filesize
468KB

MD5
c07e13cacf7ca336c0640cc919d171e7

SHA1
fa87cd3470c6a88754b83962d74c03b89a10f898

SHA256
a51cf328cddbbc097975263bf21d25e98000492bcb85cdce3e8d660d6479b808

SHA512
d5dfe0dce5c04f89c20020f6668b4d11dd90be0d78f481d0bf5a15a4fb2124615005b6b054630c73b7c6939a060689e2cf1a9d06cf52f61f57125f6c293d932c

Download Submit
\Users\Admin\AppData\Local\Temp\Unicorn-5777.exe

Filesize
468KB

MD5
18934167c00cbf7a008f5a906b6e30aa

SHA1
023d471deeab7c588221c74b966358ada9663519

SHA256
bb27a39584f79949af15fc333c14c5f46413987b0ed96eeed0eb65a834994420

SHA512
0fdf9f72154ce7aae068e4a5db59ac9ae992557aca5e8c9dabb8f03b5f9a581f1d60142ff40facbcf14a112eeb7060086680d61935552f1c0351e03619dfcd66

Download Submit
\Users\Admin\AppData\Local\Temp\Unicorn-6374.exe

Filesize
468KB

MD5
d83060ad231e94b6a81842d0bd946c5e

SHA1
7d58ca0e0b4e2b0c4bca054be1ce1a43a360a0b4

SHA256
c8da0a6a72895e146456add39c29f4e3536bd36079cbc38e8475eaaea0a02b4f

SHA512
66c885a1750886f4f7eabbc37b59b5c5d0ce1260e8b537952b5a279f0ba41d148a1a71e9eb46b1d02e982846593e664157570099a577b2bc13c3467e35b5246f

Download Submit
memory/536-219-0x0000000000400000-0x0000000000475000-memory.dmp

Filesize
468KB

Download
memory/536-303-0x0000000000480000-0x00000000004F5000-memory.dmp

Filesize
468KB

Download
memory/536-302-0x0000000000480000-0x00000000004F5000-memory.dmp

Filesize
468KB

Download
memory/568-297-0x00000000005F0000-0x0000000000665000-memory.dmp

Filesize
468KB

Download
memory/568-296-0x00000000005F0000-0x0000000000665000-memory.dmp

Filesize
468KB

Download
memory/568-200-0x00000000005F0000-0x0000000000665000-memory.dmp

Filesize
468KB

Download
memory/568-126-0x0000000000400000-0x0000000000475000-memory.dmp

Filesize
468KB

Download
memory/568-198-0x00000000005F0000-0x0000000000665000-memory.dmp

Filesize
468KB

Download
memory/668-248-0x0000000000400000-0x0000000000475000-memory.dmp

Filesize
468KB

Download
memory/668-363-0x00000000026F0000-0x0000000002765000-memory.dmp

Filesize
468KB

Download
memory/760-267-0x0000000000400000-0x0000000000475000-memory.dmp

Filesize
468KB

Download
memory/808-57-0x0000000000570000-0x00000000005E5000-memory.dmp

Filesize
468KB

Download
memory/808-347-0x0000000000400000-0x0000000000475000-memory.dmp

Filesize
468KB

Download
memory/808-24-0x0000000000570000-0x00000000005E5000-memory.dmp

Filesize
468KB

Download
memory/808-364-0x0000000000570000-0x00000000005E5000-memory.dmp

Filesize
468KB

Download
memory/808-405-0x0000000000570000-0x00000000005E5000-memory.dmp

Filesize
468KB

Download
memory/1224-242-0x0000000000400000-0x0000000000475000-memory.dmp

Filesize
468KB

Download
memory/1224-355-0x0000000002570000-0x00000000025E5000-memory.dmp

Filesize
468KB

Download
memory/1224-356-0x0000000002570000-0x00000000025E5000-memory.dmp

Filesize
468KB

Download
memory/1372-231-0x0000000000400000-0x0000000000475000-memory.dmp

Filesize
468KB

Download
memory/1372-334-0x00000000026F0000-0x0000000002765000-memory.dmp

Filesize
468KB

Download
memory/1372-336-0x00000000026F0000-0x0000000002765000-memory.dmp

Filesize
468KB

Download
memory/1400-387-0x0000000000400000-0x0000000000475000-memory.dmp

Filesize
468KB

Download
memory/1448-401-0x0000000000400000-0x0000000000475000-memory.dmp

Filesize
468KB

Download
memory/1544-281-0x0000000000400000-0x0000000000475000-memory.dmp

Filesize
468KB

Download
memory/1580-393-0x0000000000490000-0x0000000000505000-memory.dmp

Filesize
468KB

Download
memory/1580-282-0x0000000000400000-0x0000000000475000-memory.dmp

Filesize
468KB

Download
memory/1696-92-0x0000000001CD0000-0x0000000001D45000-memory.dmp

Filesize
468KB

Download
memory/1696-178-0x0000000001CD0000-0x0000000001D45000-memory.dmp

Filesize
468KB

Download
memory/1696-174-0x0000000001CD0000-0x0000000001D45000-memory.dmp

Filesize
468KB

Download
memory/1696-51-0x0000000000400000-0x0000000000475000-memory.dmp

Filesize
468KB

Download
memory/1696-230-0x0000000000400000-0x0000000000475000-memory.dmp

Filesize
468KB

Download
memory/1784-378-0x0000000000400000-0x0000000000475000-memory.dmp

Filesize
468KB

Download
memory/1908-411-0x0000000000400000-0x0000000000475000-memory.dmp

Filesize
468KB

Download
memory/1972-346-0x0000000002390000-0x0000000002405000-memory.dmp

Filesize
468KB

Download
memory/1972-343-0x0000000002390000-0x0000000002405000-memory.dmp

Filesize
468KB

Download
memory/1972-164-0x0000000000400000-0x0000000000475000-memory.dmp

Filesize
468KB

Download
memory/1972-226-0x0000000002390000-0x0000000002405000-memory.dmp

Filesize
468KB

Download
memory/2068-366-0x0000000000400000-0x0000000000475000-memory.dmp

Filesize
468KB

Download
memory/2072-394-0x0000000000480000-0x00000000004F5000-memory.dmp

Filesize
468KB

Download
memory/2072-257-0x0000000000480000-0x00000000004F5000-memory.dmp

Filesize
468KB

Download
memory/2072-256-0x0000000000480000-0x00000000004F5000-memory.dmp

Filesize
468KB

Download
memory/2072-189-0x0000000000400000-0x0000000000475000-memory.dmp

Filesize
468KB

Download
memory/2076-304-0x0000000000400000-0x0000000000475000-memory.dmp

Filesize
468KB

Download
memory/2112-412-0x0000000000480000-0x00000000004F5000-memory.dmp

Filesize
468KB

Download
memory/2112-382-0x0000000000400000-0x0000000000475000-memory.dmp

Filesize
468KB

Download
memory/2200-319-0x0000000000400000-0x0000000000475000-memory.dmp

Filesize
468KB

Download
memory/2244-137-0x0000000000400000-0x0000000000475000-memory.dmp

Filesize
468KB

Download
memory/2244-279-0x0000000000480000-0x00000000004F5000-memory.dmp

Filesize
468KB

Download
memory/2272-402-0x0000000000400000-0x0000000000475000-memory.dmp

Filesize
468KB

Download
memory/2320-209-0x0000000000400000-0x0000000000475000-memory.dmp

Filesize
468KB

Download
memory/2320-313-0x0000000002570000-0x00000000025E5000-memory.dmp

Filesize
468KB

Download
memory/2320-312-0x0000000002570000-0x00000000025E5000-memory.dmp

Filesize
468KB

Download
memory/2328-320-0x0000000000400000-0x0000000000475000-memory.dmp

Filesize
468KB

Download
memory/2336-278-0x0000000000480000-0x00000000004F5000-memory.dmp

Filesize
468KB

Download
memory/2336-280-0x0000000000480000-0x00000000004F5000-memory.dmp

Filesize
468KB

Download
memory/2336-410-0x0000000000480000-0x00000000004F5000-memory.dmp

Filesize
468KB

Download
memory/2336-201-0x0000000000400000-0x0000000000475000-memory.dmp

Filesize
468KB

Download
memory/2356-434-0x0000000000400000-0x0000000000475000-memory.dmp

Filesize
468KB

Download
memory/2528-345-0x0000000000400000-0x0000000000475000-memory.dmp

Filesize
468KB

Download
memory/2536-95-0x0000000000400000-0x0000000000475000-memory.dmp

Filesize
468KB

Download
memory/2536-163-0x0000000000480000-0x00000000004F5000-memory.dmp

Filesize
468KB

Download
memory/2536-162-0x0000000000480000-0x00000000004F5000-memory.dmp

Filesize
468KB

Download
memory/2544-373-0x00000000028F0000-0x0000000002965000-memory.dmp

Filesize
468KB

Download
memory/2544-179-0x0000000000400000-0x0000000000475000-memory.dmp

Filesize
468KB

Download
memory/2556-188-0x0000000001D80000-0x0000000001DF5000-memory.dmp

Filesize
468KB

Download
memory/2556-187-0x0000000001D80000-0x0000000001DF5000-memory.dmp

Filesize
468KB

Download
memory/2556-105-0x0000000000400000-0x0000000000475000-memory.dmp

Filesize
468KB

Download
memory/2556-266-0x0000000001D80000-0x0000000001DF5000-memory.dmp

Filesize
468KB

Download
memory/2564-27-0x0000000000400000-0x0000000000475000-memory.dmp

Filesize
468KB

Download
memory/2564-43-0x0000000002630000-0x00000000026A5000-memory.dmp

Filesize
468KB

Download
memory/2564-365-0x0000000000400000-0x0000000000475000-memory.dmp

Filesize
468KB

Download
memory/2564-104-0x0000000002630000-0x00000000026A5000-memory.dmp

Filesize
468KB

Download
memory/2588-337-0x0000000000400000-0x0000000000475000-memory.dmp

Filesize
468KB

Download
memory/2628-65-0x0000000000400000-0x0000000000475000-memory.dmp

Filesize
468KB

Download
memory/2628-115-0x0000000002480000-0x00000000024F5000-memory.dmp

Filesize
468KB

Download
memory/2628-413-0x0000000000400000-0x0000000000475000-memory.dmp

Filesize
468KB

Download
memory/2628-217-0x0000000002480000-0x00000000024F5000-memory.dmp

Filesize
468KB

Download
memory/2628-218-0x0000000002480000-0x00000000024F5000-memory.dmp

Filesize
468KB

Download
memory/2656-210-0x0000000000480000-0x00000000004F5000-memory.dmp

Filesize
468KB

Download
memory/2656-314-0x0000000000480000-0x00000000004F5000-memory.dmp

Filesize
468KB

Download
memory/2656-318-0x0000000000480000-0x00000000004F5000-memory.dmp

Filesize
468KB

Download
memory/2656-208-0x0000000000480000-0x00000000004F5000-memory.dmp

Filesize
468KB

Download
memory/2740-136-0x0000000002560000-0x00000000025D5000-memory.dmp

Filesize
468KB

Download
memory/2740-433-0x0000000000400000-0x0000000000475000-memory.dmp

Filesize
468KB

Download
memory/2740-71-0x0000000000400000-0x0000000000475000-memory.dmp

Filesize
468KB

Download
memory/2756-357-0x0000000000400000-0x0000000000475000-memory.dmp

Filesize
468KB

Download
memory/2776-298-0x0000000000400000-0x0000000000475000-memory.dmp

Filesize
468KB

Download
memory/2916-422-0x0000000000400000-0x0000000000475000-memory.dmp

Filesize
468KB

Download
memory/2964-11-0x0000000000480000-0x00000000004F5000-memory.dmp

Filesize
468KB

Download
memory/2964-30-0x0000000000480000-0x00000000004F5000-memory.dmp

Filesize
468KB

Download
memory/2964-232-0x0000000000400000-0x0000000000475000-memory.dmp

Filesize
468KB

Download
memory/2964-0-0x0000000000400000-0x0000000000475000-memory.dmp

Filesize
468KB

Download
memory/2964-5-0x0000000000480000-0x00000000004F5000-memory.dmp

Filesize
468KB

Download
memory/2996-258-0x0000000000400000-0x0000000000475000-memory.dmp

Filesize
468KB

Download
memory/2996-386-0x00000000025E0000-0x0000000002655000-memory.dmp

Filesize
468KB

Download