16c7eded7c1a9ef1f5a07e878e63eede2c789fb049271e4f7d30dfda62bf3fd0

Analysis

max time kernel
150s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
07/08/2024, 19:17

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

16c7eded7c1a9ef1f5a07e878e63eede2c789fb049271e4f7d30dfda62bf3fd0.exe
Size

184KB
MD5

72e0f81ccd0d872d39086e59c30ff593
SHA1

9694ea3058811c554f9d58149de4a5867406e87e
SHA256

16c7eded7c1a9ef1f5a07e878e63eede2c789fb049271e4f7d30dfda62bf3fd0
SHA512

11ad27877af78338d9d94ee85a35299e5b02ebfa26141f710bd45370fa1986e5d7924851e2ef53269036ad7b512a8626b178e62ee4be4af8536f355290887b45
SSDEEP

3072:ldDJH7oMDjrhNlDZWFXh8sxTd0vnqnxiuI:ldpo2flDo8gTd0Pqnxiu

Score

8^/10

discovery persistence

Malware Config

Signatures

Boot or Logon Autostart Execution: Active Setup 2 TTPs 1 IoCs

Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

persistence

Active Setup

T1547.014

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\Software\Microsoft\Active Setup\Installed Components	Process not Found

Executes dropped EXE 64 IoCs

pid	Process
4220	Unicorn-23909.exe
4804	Unicorn-54718.exe
5044	Unicorn-28630.exe
1928	Unicorn-6669.exe
3100	Unicorn-28713.exe
1268	Unicorn-61900.exe
632	Unicorn-36995.exe
1428	Unicorn-10836.exe
4312	Unicorn-38765.exe
4604	Unicorn-58631.exe
4064	Unicorn-21683.exe
4540	Unicorn-16530.exe
3728	Unicorn-37042.exe
1664	Unicorn-59243.exe
456	Unicorn-34489.exe
3768	Unicorn-33442.exe
1028	Unicorn-39917.exe
3952	Unicorn-50354.exe
4676	Unicorn-46270.exe
1384	Unicorn-26727.exe
1516	Unicorn-52300.exe
4308	Unicorn-29742.exe
1724	Unicorn-46581.exe
4456	Unicorn-11273.exe
2808	Unicorn-57052.exe
1020	Unicorn-34493.exe
4148	Unicorn-51485.exe
2724	Unicorn-19689.exe
756	Unicorn-14536.exe
4324	Unicorn-34293.exe
2536	Unicorn-41392.exe
1700	Unicorn-64505.exe
2008	Unicorn-29039.exe
3524	Unicorn-41200.exe
2600	Unicorn-18642.exe
1584	Unicorn-8013.exe
4192	Unicorn-25440.exe
3152	Unicorn-21910.exe
1616	Unicorn-8589.exe
60	Unicorn-28455.exe
4556	Unicorn-37500.exe
4224	Unicorn-37500.exe
2736	Unicorn-1620.exe
2004	Unicorn-35061.exe
4228	Unicorn-25824.exe
2932	Unicorn-25824.exe
456	Unicorn-48489.exe
1544	Unicorn-42467.exe
4092	Unicorn-18210.exe
4336	Unicorn-28574.exe
816	Unicorn-52366.exe
4924	Unicorn-11988.exe
4404	Unicorn-54967.exe
2532	Unicorn-2808.exe
876	Unicorn-65102.exe
4796	Unicorn-18917.exe
4512	Unicorn-45559.exe
4068	Unicorn-59435.exe
3404	Unicorn-21932.exe
4692	Unicorn-64396.exe
2920	Unicorn-29698.exe
3588	Unicorn-35829.exe
1736	Unicorn-9186.exe
628	Unicorn-30411.exe

Program crash 64 IoCs

pid	pid_target	Process	procid_target
3964	4548	WerFault.exe	82
4860	4220	WerFault.exe	90
724	4804	WerFault.exe	93
3476	5044	WerFault.exe	96
2116	1928	WerFault.exe	99
3308	3100	WerFault.exe	102
384	632	WerFault.exe	104
920	1268	WerFault.exe	103
4556	1428	WerFault.exe	111
956	4604	WerFault.exe	115
972	4312	WerFault.exe	114
4276	4064	WerFault.exe	116
3232	4540	WerFault.exe	117
3524	3768	WerFault.exe	132
4848	1028	WerFault.exe	135
116	3952	WerFault.exe	138
4796	4676	WerFault.exe	139
4228	456	WerFault.exe	120
4716	1384	WerFault.exe	144
1544	1516	WerFault.exe	145
2444	2808	WerFault.exe	152
3520	4324	WerFault.exe	169
3960	2536	WerFault.exe	172
4700	1700	WerFault.exe	173
3660	2008	WerFault.exe	174
3032	2600	WerFault.exe	182
4768	3524	WerFault.exe	181
2380	1584	WerFault.exe	183
532	4192	WerFault.exe	186
4936	2736	WerFault.exe	201
2656	4556	WerFault.exe	199
3000	2004	WerFault.exe	202
1912	4224	WerFault.exe	200
4520	876	WerFault.exe	221
2156	4796	WerFault.exe	228
4664	4512	WerFault.exe	229
3824	4068	WerFault.exe	232
5672	4464	WerFault.exe	245
5972	1084	WerFault.exe	250
6056	5204	WerFault.exe	270
6960	5960	WerFault.exe	323
5732	5708	WerFault.exe	318
6884	5520	WerFault.exe	282
7812	6100	WerFault.exe	347
7820	6608	WerFault.exe	422
8452	7844	WerFault.exe	466
9280	5804	WerFault.exe	389
11728	7704	WerFault.exe	462
12116	2308	WerFault.exe	486
7948	7016	WerFault.exe	409
9360	7688	WerFault.exe	508
13208	8040	WerFault.exe	470
13112	6924	WerFault.exe	502
14320	8576	WerFault.exe	530
14536	8176	WerFault.exe	476
14576	8048	WerFault.exe	471
15944	7412	WerFault.exe	450
3848	8128	WerFault.exe	474
16640	7296	Process not Found	482
4412	10812	Process not Found	688
7864	7204	Process not Found	511
5340	9684	Process not Found	615
736	13060	Process not Found	827
6496	9460	Process not Found	610

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Unicorn-24436.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Unicorn-50154.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Unicorn-8841.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Unicorn-18642.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Unicorn-48290.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Unicorn-4217.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Unicorn-63090.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Unicorn-33314.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Unicorn-8994.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Unicorn-39188.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Unicorn-45463.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Unicorn-41365.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Unicorn-55776.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Unicorn-2369.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Unicorn-36995.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Unicorn-61585.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Unicorn-44860.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Unicorn-31124.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Unicorn-29698.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Unicorn-19200.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Unicorn-4866.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Unicorn-11492.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Unicorn-30627.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Unicorn-60290.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Unicorn-60284.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Unicorn-20347.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Unicorn-48489.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Unicorn-26823.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Unicorn-48368.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Unicorn-44311.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Unicorn-30189.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Unicorn-27280.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Unicorn-15862.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Unicorn-14616.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Unicorn-17606.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Unicorn-47778.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Unicorn-30411.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Unicorn-62929.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Unicorn-6091.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Unicorn-61358.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Unicorn-56532.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Unicorn-18157.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Unicorn-15110.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Unicorn-18209.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Unicorn-11273.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Unicorn-62663.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Unicorn-20596.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Unicorn-20957.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Unicorn-14788.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Unicorn-18210.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Unicorn-14047.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Unicorn-14221.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Unicorn-50154.exe

Checks SCSI registry key(s) 3 TTPs 10 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_WDC&PROD_WDS100T2B0A\4&215468A5&0&000000	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_WDC&PROD_WDS100T2B0A\4&215468A5&0&000000	Process not Found
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\ConfigFlags	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_QEMU&PROD_QEMU_DVD-ROM\4&215468A5&0&010000	Process not Found
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\ConfigFlags	Process not Found
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\HardwareID	Process not Found
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\HardwareID	Process not Found
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\ConfigFlags	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_QEMU&PROD_QEMU_DVD-ROM\4&215468A5&0&010000	Process not Found
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\ConfigFlags	Process not Found

Enumerates system info in registry 2 TTPs 2 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	Process not Found
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	Process not Found

Modifies data under HKEY_USERS 36 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft	Process not Found
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	Process not Found
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates	Process not Found
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	Process not Found
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	Process not Found
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E	Process not Found
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache	Process not Found
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	Process not Found
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	Process not Found
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache	Process not Found
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies	Process not Found
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft	Process not Found
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	Process not Found
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	Process not Found
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E	Process not Found
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates	Process not Found
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	Process not Found
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies	Process not Found
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	Process not Found
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	Process not Found
Key created	\REGISTRY\USER\.DEFAULT\Software	Process not Found
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates	Process not Found
Key created	\REGISTRY\USER\.DEFAULT\Software	Process not Found
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	Process not Found
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	Process not Found
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	Process not Found
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	Process not Found
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	Process not Found
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	Process not Found
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	Process not Found
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	Process not Found
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	Process not Found
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	Process not Found
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	Process not Found
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates	Process not Found
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	Process not Found

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-1194130065-3471212556-1656947724-1000\{96B344E5-1E5C-44B7-8DC9-8E05244389EE}	Process not Found

Suspicious use of AdjustPrivilegeToken 16 IoCs

description	pid	Process
Token: SeCreateGlobalPrivilege	2156	Process not Found
Token: SeChangeNotifyPrivilege	2156	Process not Found
Token: 33	2156	Process not Found
Token: SeIncBasePriorityPrivilege	2156	Process not Found
Token: SeCreateGlobalPrivilege	9436	Process not Found
Token: SeChangeNotifyPrivilege	9436	Process not Found
Token: 33	9436	Process not Found
Token: SeIncBasePriorityPrivilege	9436	Process not Found
Token: SeShutdownPrivilege	17036	Process not Found
Token: SeCreatePagefilePrivilege	17036	Process not Found
Token: SeShutdownPrivilege	17036	Process not Found
Token: SeCreatePagefilePrivilege	17036	Process not Found
Token: SeCreateGlobalPrivilege	18052	Process not Found
Token: SeChangeNotifyPrivilege	18052	Process not Found
Token: 33	18052	Process not Found
Token: SeIncBasePriorityPrivilege	18052	Process not Found

Suspicious use of SetWindowsHookEx 64 IoCs

pid	Process
4548	16c7eded7c1a9ef1f5a07e878e63eede2c789fb049271e4f7d30dfda62bf3fd0.exe
4220	Unicorn-23909.exe
4804	Unicorn-54718.exe
5044	Unicorn-28630.exe
1928	Unicorn-6669.exe
3100	Unicorn-28713.exe
1268	Unicorn-61900.exe
632	Unicorn-36995.exe
1428	Unicorn-10836.exe
4604	Unicorn-58631.exe
4312	Unicorn-38765.exe
4064	Unicorn-21683.exe
4540	Unicorn-16530.exe
3728	Unicorn-37042.exe
1664	Unicorn-59243.exe
456	Unicorn-34489.exe
3768	Unicorn-33442.exe
1028	Unicorn-39917.exe
3952	Unicorn-50354.exe
4676	Unicorn-46270.exe
1384	Unicorn-26727.exe
1516	Unicorn-52300.exe
4308	Unicorn-29742.exe
1724	Unicorn-46581.exe
4456	Unicorn-11273.exe
2808	Unicorn-57052.exe
4148	Unicorn-51485.exe
1020	Unicorn-34493.exe
756	Unicorn-14536.exe
2724	Unicorn-19689.exe
4324	Unicorn-34293.exe
2536	Unicorn-41392.exe
1700	Unicorn-64505.exe
2008	Unicorn-29039.exe
3524	Unicorn-41200.exe
2600	Unicorn-18642.exe
1584	Unicorn-8013.exe
4192	Unicorn-25440.exe
3152	Unicorn-21910.exe
60	Unicorn-28455.exe
1616	Unicorn-8589.exe
2736	Unicorn-1620.exe
4556	Unicorn-37500.exe
4224	Unicorn-37500.exe
2004	Unicorn-35061.exe
456	Unicorn-48489.exe
4228	Unicorn-25824.exe
1544	Unicorn-42467.exe
2932	Unicorn-25824.exe
4092	Unicorn-18210.exe
4336	Unicorn-28574.exe
816	Unicorn-52366.exe
4404	Unicorn-54967.exe
4924	Unicorn-11988.exe
2532	Unicorn-2808.exe
876	Unicorn-65102.exe
4796	Unicorn-18917.exe
4512	Unicorn-45559.exe
4068	Unicorn-59435.exe
3404	Unicorn-21932.exe
1736	Unicorn-9186.exe
4692	Unicorn-64396.exe
3588	Unicorn-35829.exe
2920	Unicorn-29698.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4548 wrote to memory of 4220	4548	16c7eded7c1a9ef1f5a07e878e63eede2c789fb049271e4f7d30dfda62bf3fd0.exe	90
PID 4548 wrote to memory of 4220	4548	16c7eded7c1a9ef1f5a07e878e63eede2c789fb049271e4f7d30dfda62bf3fd0.exe	90
PID 4548 wrote to memory of 4220	4548	16c7eded7c1a9ef1f5a07e878e63eede2c789fb049271e4f7d30dfda62bf3fd0.exe	90
PID 4220 wrote to memory of 4804	4220	Unicorn-23909.exe	93
PID 4220 wrote to memory of 4804	4220	Unicorn-23909.exe	93
PID 4220 wrote to memory of 4804	4220	Unicorn-23909.exe	93
PID 4548 wrote to memory of 5044	4548	16c7eded7c1a9ef1f5a07e878e63eede2c789fb049271e4f7d30dfda62bf3fd0.exe	96
PID 4548 wrote to memory of 5044	4548	16c7eded7c1a9ef1f5a07e878e63eede2c789fb049271e4f7d30dfda62bf3fd0.exe	96
PID 4548 wrote to memory of 5044	4548	16c7eded7c1a9ef1f5a07e878e63eede2c789fb049271e4f7d30dfda62bf3fd0.exe	96
PID 4804 wrote to memory of 1928	4804	Unicorn-54718.exe	99
PID 4804 wrote to memory of 1928	4804	Unicorn-54718.exe	99
PID 4804 wrote to memory of 1928	4804	Unicorn-54718.exe	99
PID 4220 wrote to memory of 3100	4220	Unicorn-23909.exe	102
PID 4220 wrote to memory of 3100	4220	Unicorn-23909.exe	102
PID 4220 wrote to memory of 3100	4220	Unicorn-23909.exe	102
PID 5044 wrote to memory of 1268	5044	Unicorn-28630.exe	103
PID 5044 wrote to memory of 1268	5044	Unicorn-28630.exe	103
PID 5044 wrote to memory of 1268	5044	Unicorn-28630.exe	103
PID 4548 wrote to memory of 632	4548	16c7eded7c1a9ef1f5a07e878e63eede2c789fb049271e4f7d30dfda62bf3fd0.exe	104
PID 4548 wrote to memory of 632	4548	16c7eded7c1a9ef1f5a07e878e63eede2c789fb049271e4f7d30dfda62bf3fd0.exe	104
PID 4548 wrote to memory of 632	4548	16c7eded7c1a9ef1f5a07e878e63eede2c789fb049271e4f7d30dfda62bf3fd0.exe	104
PID 1928 wrote to memory of 1428	1928	Unicorn-6669.exe	111
PID 1928 wrote to memory of 1428	1928	Unicorn-6669.exe	111
PID 1928 wrote to memory of 1428	1928	Unicorn-6669.exe	111
PID 4804 wrote to memory of 4312	4804	Unicorn-54718.exe	114
PID 4804 wrote to memory of 4312	4804	Unicorn-54718.exe	114
PID 4804 wrote to memory of 4312	4804	Unicorn-54718.exe	114
PID 3100 wrote to memory of 4604	3100	Unicorn-28713.exe	115
PID 3100 wrote to memory of 4604	3100	Unicorn-28713.exe	115
PID 3100 wrote to memory of 4604	3100	Unicorn-28713.exe	115
PID 1268 wrote to memory of 4064	1268	Unicorn-61900.exe	116
PID 1268 wrote to memory of 4064	1268	Unicorn-61900.exe	116
PID 1268 wrote to memory of 4064	1268	Unicorn-61900.exe	116
PID 632 wrote to memory of 4540	632	Unicorn-36995.exe	117
PID 632 wrote to memory of 4540	632	Unicorn-36995.exe	117
PID 632 wrote to memory of 4540	632	Unicorn-36995.exe	117
PID 4220 wrote to memory of 3728	4220	Unicorn-23909.exe	118
PID 4220 wrote to memory of 3728	4220	Unicorn-23909.exe	118
PID 4220 wrote to memory of 3728	4220	Unicorn-23909.exe	118
PID 4548 wrote to memory of 1664	4548	16c7eded7c1a9ef1f5a07e878e63eede2c789fb049271e4f7d30dfda62bf3fd0.exe	119
PID 4548 wrote to memory of 1664	4548	16c7eded7c1a9ef1f5a07e878e63eede2c789fb049271e4f7d30dfda62bf3fd0.exe	119
PID 4548 wrote to memory of 1664	4548	16c7eded7c1a9ef1f5a07e878e63eede2c789fb049271e4f7d30dfda62bf3fd0.exe	119
PID 5044 wrote to memory of 456	5044	Unicorn-28630.exe	120
PID 5044 wrote to memory of 456	5044	Unicorn-28630.exe	120
PID 5044 wrote to memory of 456	5044	Unicorn-28630.exe	120
PID 1428 wrote to memory of 3768	1428	Unicorn-10836.exe	132
PID 1428 wrote to memory of 3768	1428	Unicorn-10836.exe	132
PID 1428 wrote to memory of 3768	1428	Unicorn-10836.exe	132
PID 1928 wrote to memory of 1028	1928	Unicorn-6669.exe	135
PID 1928 wrote to memory of 1028	1928	Unicorn-6669.exe	135
PID 1928 wrote to memory of 1028	1928	Unicorn-6669.exe	135
PID 4604 wrote to memory of 3952	4604	Unicorn-58631.exe	138
PID 4604 wrote to memory of 3952	4604	Unicorn-58631.exe	138
PID 4604 wrote to memory of 3952	4604	Unicorn-58631.exe	138
PID 4312 wrote to memory of 4676	4312	Unicorn-38765.exe	139
PID 4312 wrote to memory of 4676	4312	Unicorn-38765.exe	139
PID 4312 wrote to memory of 4676	4312	Unicorn-38765.exe	139
PID 4064 wrote to memory of 1384	4064	Unicorn-21683.exe	144
PID 4064 wrote to memory of 1384	4064	Unicorn-21683.exe	144
PID 4064 wrote to memory of 1384	4064	Unicorn-21683.exe	144
PID 3728 wrote to memory of 1516	3728	Unicorn-37042.exe	145
PID 3728 wrote to memory of 1516	3728	Unicorn-37042.exe	145
PID 3728 wrote to memory of 1516	3728	Unicorn-37042.exe	145
PID 1664 wrote to memory of 4308	1664	Unicorn-59243.exe	146

C:\Users\Admin\AppData\Local\Temp\16c7eded7c1a9ef1f5a07e878e63eede2c789fb049271e4f7d30dfda62bf3fd0.exe
"C:\Users\Admin\AppData\Local\Temp\16c7eded7c1a9ef1f5a07e878e63eede2c789fb049271e4f7d30dfda62bf3fd0.exe"
1⤵
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4548
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 4548 -s 488
  2⤵
  - Program crash
  PID:3964
- C:\Users\Admin\AppData\Local\Temp\Unicorn-23909.exe
  C:\Users\Admin\AppData\Local\Temp\Unicorn-23909.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:4220
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4220 -s 484
    3⤵
    - Program crash
    PID:4860
- - C:\Users\Admin\AppData\Local\Temp\Unicorn-54718.exe
    C:\Users\Admin\AppData\Local\Temp\Unicorn-54718.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:4804
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 4804 -s 496
      4⤵
      Program crash
      PID:724
  - - C:\Users\Admin\AppData\Local\Temp\Unicorn-6669.exe
      C:\Users\Admin\AppData\Local\Temp\Unicorn-6669.exe
      4⤵
      Executes dropped EXE
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:1928
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1928 -s 464
        5⤵
        Program crash
        
        PID:2116
    - - C:\Users\Admin\AppData\Local\Temp\Unicorn-10836.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-10836.exe
        5⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:1428
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1428 -s 488
        6⤵
        Program crash
        
        PID:4556
      - C:\Users\Admin\AppData\Local\Temp\Unicorn-33442.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-33442.exe
        6⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:3768
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3768 -s 488
        7⤵
        Program crash
        
        PID:3524
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-34293.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-34293.exe
        7⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:4324
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4324 -s 492
        8⤵
        Program crash
        
        PID:3520
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-65102.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-65102.exe
        8⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:876
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 876 -s 484
        9⤵
        Program crash
        
        PID:4520
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-28764.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-28764.exe
        9⤵
        
        PID:5372
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-46309.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-46309.exe
        10⤵
        
        PID:6924
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 6924 -s 484
        11⤵
        Program crash
        
        PID:13112
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-40051.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-40051.exe
        11⤵
        
        PID:14356
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-11078.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-11078.exe
        11⤵
        
        PID:15568
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-58426.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-58426.exe
        10⤵
        
        PID:12280
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-42691.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-42691.exe
        10⤵
        
        PID:15612
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-50154.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-50154.exe
        9⤵
        
        PID:8636
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-15862.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-15862.exe
        9⤵
        
        PID:12400
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-10050.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-10050.exe
        8⤵
        
        PID:5704
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-4804.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-4804.exe
        9⤵
        
        PID:9944
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-40548.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-40548.exe
        9⤵
        
        PID:14028
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-11492.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-11492.exe
        9⤵
        
        PID:15680
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-20957.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-20957.exe
        8⤵
        System Location Discovery: System Language Discovery
        
        PID:8312
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-19946.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-19946.exe
        8⤵
        
        PID:3536
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-3876.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-3876.exe
        8⤵
        
        PID:15884
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-64985.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-64985.exe
        8⤵
        
        PID:13424
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-59435.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-59435.exe
        7⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:4068
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4068 -s 484
        8⤵
        Program crash
        
        PID:3824
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-26626.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-26626.exe
        8⤵
        
        PID:2972
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-55136.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-55136.exe
        9⤵
        
        PID:8932
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-52666.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-52666.exe
        9⤵
        
        PID:13368
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-14274.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-14274.exe
        8⤵
        
        PID:8704
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-15862.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-15862.exe
        8⤵
        
        PID:12380
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-3876.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-3876.exe
        8⤵
        
        PID:14572
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-4242.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-4242.exe
        7⤵
        
        PID:1212
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-3268.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-3268.exe
        8⤵
        
        PID:8760
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-31181.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-31181.exe
        8⤵
        
        PID:13012
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-40929.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-40929.exe
        8⤵
        
        PID:3888
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-47243.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-47243.exe
        7⤵
        
        PID:9304
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-7737.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-7737.exe
        7⤵
        
        PID:12928
      - C:\Users\Admin\AppData\Local\Temp\Unicorn-64505.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-64505.exe
        6⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1700
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1700 -s 488
        7⤵
        Program crash
        
        PID:4700
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-45559.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-45559.exe
        7⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:4512
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4512 -s 484
        8⤵
        Program crash
        
        PID:4664
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-40990.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-40990.exe
        8⤵
        
        PID:6636
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-25884.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-25884.exe
        9⤵
        
        PID:11004
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-15442.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-15442.exe
        9⤵
        
        PID:14732
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-25811.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-25811.exe
        8⤵
        
        PID:12220
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-36875.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-36875.exe
        8⤵
        
        PID:15652
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-41243.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-41243.exe
        7⤵
        
        PID:7232
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-29200.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-29200.exe
        8⤵
        
        PID:10720
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-54939.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-54939.exe
        8⤵
        
        PID:14408
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-44860.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-44860.exe
        7⤵
        System Location Discovery: System Language Discovery
        
        PID:10644
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-50690.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-50690.exe
        7⤵
        
        PID:13112
      - C:\Users\Admin\AppData\Local\Temp\Unicorn-29698.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-29698.exe
        6⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2920
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-33582.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-33582.exe
        7⤵
        
        PID:1356
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-2287.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-2287.exe
        8⤵
        
        PID:2676
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-3325.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-3325.exe
        9⤵
        
        PID:11272
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-15442.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-15442.exe
        9⤵
        
        PID:14988
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-28794.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-28794.exe
        8⤵
        
        PID:7040
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-37756.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-37756.exe
        8⤵
        
        PID:14268
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-36709.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-36709.exe
        8⤵
        
        PID:14536
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-49111.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-49111.exe
        7⤵
        
        PID:8048
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 8048 -s 484
        8⤵
        Program crash
        
        PID:14576
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-62156.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-62156.exe
        7⤵
        
        PID:10548
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-37674.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-37674.exe
        7⤵
        
        PID:15240
      - C:\Users\Admin\AppData\Local\Temp\Unicorn-19261.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-19261.exe
        6⤵
        
        PID:5140
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-10751.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-10751.exe
        7⤵
        
        PID:9344
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-53102.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-53102.exe
        7⤵
        
        PID:12960
      - C:\Users\Admin\AppData\Local\Temp\Unicorn-61089.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-61089.exe
        6⤵
        
        PID:8576
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 8576 -s 484
        7⤵
        Program crash
        
        PID:14320
      - C:\Users\Admin\AppData\Local\Temp\Unicorn-38710.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-38710.exe
        6⤵
        
        PID:8460
    - - C:\Users\Admin\AppData\Local\Temp\Unicorn-39917.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-39917.exe
        5⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1028
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1028 -s 488
        6⤵
        Program crash
        
        PID:4848
      - C:\Users\Admin\AppData\Local\Temp\Unicorn-41392.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-41392.exe
        6⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2536
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2536 -s 484
        7⤵
        Program crash
        
        PID:3960
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-18917.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-18917.exe
        7⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:4796
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4796 -s 464
        8⤵
        Program crash
        
        PID:2156
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-3190.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-3190.exe
        8⤵
        
        PID:5308
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-46309.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-46309.exe
        9⤵
        
        PID:6972
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-18959.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-18959.exe
        9⤵
        
        PID:12480
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-50154.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-50154.exe
        8⤵
        System Location Discovery: System Language Discovery
        
        PID:8596
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-15862.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-15862.exe
        8⤵
        
        PID:12788
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-1882.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-1882.exe
        7⤵
        
        PID:7136
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-52661.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-52661.exe
        8⤵
        
        PID:9468
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-11000.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-11000.exe
        8⤵
        
        PID:13340
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-20957.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-20957.exe
        7⤵
        
        PID:6284
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-42313.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-42313.exe
        7⤵
        
        PID:11988
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-62122.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-62122.exe
        7⤵
        
        PID:16216
      - C:\Users\Admin\AppData\Local\Temp\Unicorn-64396.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-64396.exe
        6⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:4692
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-11791.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-11791.exe
        7⤵
        
        PID:208
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-1218.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-1218.exe
        8⤵
        
        PID:3032
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-16372.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-16372.exe
        9⤵
        
        PID:10348
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-28488.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-28488.exe
        9⤵
        
        PID:14228
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-4866.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-4866.exe
        8⤵
        
        PID:5764
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-37564.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-37564.exe
        8⤵
        
        PID:13208
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-56636.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-56636.exe
        8⤵
        
        PID:16268
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-48042.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-48042.exe
        7⤵
        
        PID:1476
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-19060.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-19060.exe
        8⤵
        
        PID:12336
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-39598.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-39598.exe
        7⤵
        
        PID:9676
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-22214.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-22214.exe
        7⤵
        
        PID:15340
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-22146.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-22146.exe
        7⤵
        
        PID:15340
      - C:\Users\Admin\AppData\Local\Temp\Unicorn-13396.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-13396.exe
        6⤵
        
        PID:5660
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-14788.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-14788.exe
        7⤵
        System Location Discovery: System Language Discovery
        
        PID:8508
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-44311.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-44311.exe
        7⤵
        System Location Discovery: System Language Discovery
        
        PID:11536
      - C:\Users\Admin\AppData\Local\Temp\Unicorn-4217.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-4217.exe
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:8584
      - C:\Users\Admin\AppData\Local\Temp\Unicorn-55246.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-55246.exe
        6⤵
        
        PID:11456
      - C:\Users\Admin\AppData\Local\Temp\Unicorn-62652.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-62652.exe
        6⤵
        
        PID:16124
      - C:\Users\Admin\AppData\Local\Temp\Unicorn-16472.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-16472.exe
        6⤵
        
        PID:15448
    - - C:\Users\Admin\AppData\Local\Temp\Unicorn-29039.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-29039.exe
        5⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2008
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2008 -s 488
        6⤵
        Program crash
        
        PID:3660
      - C:\Users\Admin\AppData\Local\Temp\Unicorn-21932.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-21932.exe
        6⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:3404
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-26675.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-26675.exe
        7⤵
        
        PID:5812
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-52967.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-52967.exe
        8⤵
        
        PID:6900
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-32900.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-32900.exe
        9⤵
        
        PID:9340
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-22458.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-22458.exe
        9⤵
        
        PID:13976
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-32987.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-32987.exe
        8⤵
        
        PID:6504
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-57553.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-57553.exe
        8⤵
        
        PID:12376
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-12541.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-12541.exe
        8⤵
        
        PID:15904
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-34253.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-34253.exe
        7⤵
        
        PID:6672
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-38062.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-38062.exe
        7⤵
        
        PID:10092
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-41099.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-41099.exe
        7⤵
        
        PID:13896
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-45978.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-45978.exe
        7⤵
        
        PID:15524
      - C:\Users\Admin\AppData\Local\Temp\Unicorn-20322.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-20322.exe
        6⤵
        
        PID:5488
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-56532.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-56532.exe
        7⤵
        System Location Discovery: System Language Discovery
        
        PID:7620
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-24021.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-24021.exe
        8⤵
        
        PID:12568
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-48037.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-48037.exe
        7⤵
        
        PID:11020
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-42608.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-42608.exe
        7⤵
        
        PID:14760
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-18121.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-18121.exe
        7⤵
        
        PID:2012
      - C:\Users\Admin\AppData\Local\Temp\Unicorn-8383.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-8383.exe
        6⤵
        
        PID:6828
      - C:\Users\Admin\AppData\Local\Temp\Unicorn-40009.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-40009.exe
        6⤵
        
        PID:10688
      - C:\Users\Admin\AppData\Local\Temp\Unicorn-20347.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-20347.exe
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:15792
    - - C:\Users\Admin\AppData\Local\Temp\Unicorn-30411.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-30411.exe
        5⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:628
      - C:\Users\Admin\AppData\Local\Temp\Unicorn-11791.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-11791.exe
        6⤵
        
        PID:5200
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-23092.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-23092.exe
        7⤵
        
        PID:7480
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-12562.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-12562.exe
        8⤵
        
        PID:10420
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-15442.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-15442.exe
        8⤵
        
        PID:14772
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-24320.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-24320.exe
        8⤵
        
        PID:15952
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-57274.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-57274.exe
        7⤵
        
        PID:10920
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-44746.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-44746.exe
        7⤵
        
        PID:14800
      - C:\Users\Admin\AppData\Local\Temp\Unicorn-39188.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-39188.exe
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:7892
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-20814.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-20814.exe
        7⤵
        
        PID:12208
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-52858.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-52858.exe
        7⤵
        
        PID:16124
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-64922.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-64922.exe
        7⤵
        
        PID:16224
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-46138.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-46138.exe
        7⤵
        
        PID:15368
      - C:\Users\Admin\AppData\Local\Temp\Unicorn-46012.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-46012.exe
        6⤵
        
        PID:11812
      - C:\Users\Admin\AppData\Local\Temp\Unicorn-55271.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-55271.exe
        6⤵
        
        PID:14916
    - - C:\Users\Admin\AppData\Local\Temp\Unicorn-39185.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-39185.exe
        5⤵
        
        PID:6188
      - C:\Users\Admin\AppData\Local\Temp\Unicorn-12157.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-12157.exe
        6⤵
        
        PID:8912
      - C:\Users\Admin\AppData\Local\Temp\Unicorn-17476.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-17476.exe
        6⤵
        
        PID:12680
      - C:\Users\Admin\AppData\Local\Temp\Unicorn-21712.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-21712.exe
        6⤵
        
        PID:15976
    - - C:\Users\Admin\AppData\Local\Temp\Unicorn-51653.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-51653.exe
        5⤵
        
        PID:8728
    - - C:\Users\Admin\AppData\Local\Temp\Unicorn-55776.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-55776.exe
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:10456
    - - C:\Users\Admin\AppData\Local\Temp\Unicorn-43477.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-43477.exe
        5⤵
        
        PID:16240
    - - C:\Users\Admin\AppData\Local\Temp\Unicorn-13036.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-13036.exe
        5⤵
        
        PID:15368
  - - C:\Users\Admin\AppData\Local\Temp\Unicorn-38765.exe
      C:\Users\Admin\AppData\Local\Temp\Unicorn-38765.exe
      4⤵
      Executes dropped EXE
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:4312
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4312 -s 484
        5⤵
        Program crash
        
        PID:972
    - - C:\Users\Admin\AppData\Local\Temp\Unicorn-46270.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-46270.exe
        5⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:4676
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4676 -s 492
        6⤵
        Program crash
        
        PID:4796
      - C:\Users\Admin\AppData\Local\Temp\Unicorn-18642.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-18642.exe
        6⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2600
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2600 -s 488
        7⤵
        Program crash
        
        PID:3032
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-35829.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-35829.exe
        7⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:3588
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-50686.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-50686.exe
        8⤵
        
        PID:5460
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-3247.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-3247.exe
        9⤵
        
        PID:7648
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-25884.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-25884.exe
        10⤵
        
        PID:11088
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-15442.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-15442.exe
        10⤵
        
        PID:14672
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-40273.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-40273.exe
        10⤵
        
        PID:16368
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-36282.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-36282.exe
        9⤵
        
        PID:8824
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-48556.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-48556.exe
        9⤵
        
        PID:15580
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-60185.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-60185.exe
        8⤵
        
        PID:7536
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-34143.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-34143.exe
        8⤵
        
        PID:10684
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-29013.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-29013.exe
        8⤵
        
        PID:15808
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-41126.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-41126.exe
        7⤵
        
        PID:2420
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-7030.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-7030.exe
        8⤵
        
        PID:7628
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-56226.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-56226.exe
        9⤵
        
        PID:11832
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-35670.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-35670.exe
        9⤵
        
        PID:15096
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-8841.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-8841.exe
        8⤵
        
        PID:11656
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-36277.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-36277.exe
        8⤵
        
        PID:12140
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-21403.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-21403.exe
        7⤵
        
        PID:7968
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-26579.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-26579.exe
        7⤵
        
        PID:10412
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-44250.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-44250.exe
        7⤵
        
        PID:16140
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-51324.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-51324.exe
        7⤵
        
        PID:14796
      - C:\Users\Admin\AppData\Local\Temp\Unicorn-24436.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-24436.exe
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:688
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-40990.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-40990.exe
        7⤵
        
        PID:6164
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-6340.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-6340.exe
        8⤵
        
        PID:11368
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-7274.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-7274.exe
        8⤵
        
        PID:14404
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-34632.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-34632.exe
        7⤵
        
        PID:10040
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-35234.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-35234.exe
        7⤵
        
        PID:13908
      - C:\Users\Admin\AppData\Local\Temp\Unicorn-41877.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-41877.exe
        6⤵
        
        PID:7668
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-34052.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-34052.exe
        7⤵
        
        PID:11284
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-15442.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-15442.exe
        7⤵
        
        PID:14696
      - C:\Users\Admin\AppData\Local\Temp\Unicorn-58972.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-58972.exe
        6⤵
        
        PID:10984
      - C:\Users\Admin\AppData\Local\Temp\Unicorn-23272.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-23272.exe
        6⤵
        
        PID:14712
    - - C:\Users\Admin\AppData\Local\Temp\Unicorn-21910.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-21910.exe
        5⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:3152
      - C:\Users\Admin\AppData\Local\Temp\Unicorn-36706.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-36706.exe
        6⤵
        
        PID:2872
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-59490.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-59490.exe
        7⤵
        
        PID:5540
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-46309.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-46309.exe
        8⤵
        
        PID:8080
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-58426.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-58426.exe
        8⤵
        
        PID:12256
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-60096.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-60096.exe
        8⤵
        
        PID:15628
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-50154.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-50154.exe
        7⤵
        
        PID:8560
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-15862.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-15862.exe
        7⤵
        
        PID:12388
      - C:\Users\Admin\AppData\Local\Temp\Unicorn-40776.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-40776.exe
        6⤵
        
        PID:7072
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-50606.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-50606.exe
        7⤵
        
        PID:10104
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-16729.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-16729.exe
        7⤵
        
        PID:13452
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-47347.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-47347.exe
        7⤵
        
        PID:15668
      - C:\Users\Admin\AppData\Local\Temp\Unicorn-3552.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-3552.exe
        6⤵
        
        PID:7392
      - C:\Users\Admin\AppData\Local\Temp\Unicorn-42313.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-42313.exe
        6⤵
        
        PID:11996
    - - C:\Users\Admin\AppData\Local\Temp\Unicorn-24353.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-24353.exe
        5⤵
        
        PID:3992
      - C:\Users\Admin\AppData\Local\Temp\Unicorn-20596.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-20596.exe
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:5796
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-37155.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-37155.exe
        7⤵
        
        PID:8764
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-43241.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-43241.exe
        7⤵
        
        PID:12300
      - C:\Users\Admin\AppData\Local\Temp\Unicorn-24580.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-24580.exe
        6⤵
        
        PID:8532
      - C:\Users\Admin\AppData\Local\Temp\Unicorn-15862.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-15862.exe
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:12556
      - C:\Users\Admin\AppData\Local\Temp\Unicorn-39212.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-39212.exe
        6⤵
        
        PID:13356
    - - C:\Users\Admin\AppData\Local\Temp\Unicorn-21482.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-21482.exe
        5⤵
        
        PID:7128
      - C:\Users\Admin\AppData\Local\Temp\Unicorn-12157.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-12157.exe
        6⤵
        
        PID:8904
      - C:\Users\Admin\AppData\Local\Temp\Unicorn-17476.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-17476.exe
        6⤵
        
        PID:12548
    - - C:\Users\Admin\AppData\Local\Temp\Unicorn-18157.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-18157.exe
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:7724
    - - C:\Users\Admin\AppData\Local\Temp\Unicorn-60283.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-60283.exe
        5⤵
        
        PID:12916
  - - C:\Users\Admin\AppData\Local\Temp\Unicorn-34493.exe
      C:\Users\Admin\AppData\Local\Temp\Unicorn-34493.exe
      4⤵
      Executes dropped EXE
      Suspicious use of SetWindowsHookEx
      PID:1020
    - - C:\Users\Admin\AppData\Local\Temp\Unicorn-25824.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-25824.exe
        5⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:4228
      - C:\Users\Admin\AppData\Local\Temp\Unicorn-717.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-717.exe
        6⤵
        
        PID:5356
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-367.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-367.exe
        7⤵
        
        PID:6692
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-5769.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-5769.exe
        7⤵
        
        PID:6560
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-35187.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-35187.exe
        7⤵
        
        PID:13272
      - C:\Users\Admin\AppData\Local\Temp\Unicorn-4788.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-4788.exe
        6⤵
        
        PID:7016
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 7016 -s 484
        7⤵
        Program crash
        
        PID:7948
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-47586.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-47586.exe
        7⤵
        
        PID:13960
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-15162.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-15162.exe
        7⤵
        
        PID:15588
      - C:\Users\Admin\AppData\Local\Temp\Unicorn-48368.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-48368.exe
        6⤵
        
        PID:9836
      - C:\Users\Admin\AppData\Local\Temp\Unicorn-47321.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-47321.exe
        6⤵
        
        PID:13840
    - - C:\Users\Admin\AppData\Local\Temp\Unicorn-29860.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-29860.exe
        5⤵
        
        PID:5520
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 5520 -s 484
        6⤵
        Program crash
        
        PID:6884
      - C:\Users\Admin\AppData\Local\Temp\Unicorn-15110.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-15110.exe
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:9524
      - C:\Users\Admin\AppData\Local\Temp\Unicorn-1654.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-1654.exe
        6⤵
        
        PID:14100
    - - C:\Users\Admin\AppData\Local\Temp\Unicorn-26473.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-26473.exe
        5⤵
        
        PID:7428
      - C:\Users\Admin\AppData\Local\Temp\Unicorn-42412.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-42412.exe
        6⤵
        
        PID:9268
      - C:\Users\Admin\AppData\Local\Temp\Unicorn-9412.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-9412.exe
        6⤵
        
        PID:15824
    - - C:\Users\Admin\AppData\Local\Temp\Unicorn-28442.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-28442.exe
        5⤵
        
        PID:11620
    - - C:\Users\Admin\AppData\Local\Temp\Unicorn-33476.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-33476.exe
        5⤵
        
        PID:15332
  - - C:\Users\Admin\AppData\Local\Temp\Unicorn-28574.exe
      C:\Users\Admin\AppData\Local\Temp\Unicorn-28574.exe
      4⤵
      Executes dropped EXE
      Suspicious use of SetWindowsHookEx
      PID:4336
    - - C:\Users\Admin\AppData\Local\Temp\Unicorn-717.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-717.exe
        5⤵
        
        PID:5348
      - C:\Users\Admin\AppData\Local\Temp\Unicorn-43346.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-43346.exe
        6⤵
        
        PID:6728
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-19605.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-19605.exe
        7⤵
        
        PID:8696
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-27673.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-27673.exe
        7⤵
        
        PID:13188
      - C:\Users\Admin\AppData\Local\Temp\Unicorn-5769.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-5769.exe
        6⤵
        
        PID:9068
      - C:\Users\Admin\AppData\Local\Temp\Unicorn-35187.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-35187.exe
        6⤵
        
        PID:13264
    - - C:\Users\Admin\AppData\Local\Temp\Unicorn-4788.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-4788.exe
        5⤵
        
        PID:6540
      - C:\Users\Admin\AppData\Local\Temp\Unicorn-43808.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-43808.exe
        6⤵
        
        PID:9684
      - C:\Users\Admin\AppData\Local\Temp\Unicorn-17606.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-17606.exe
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:13752
      - C:\Users\Admin\AppData\Local\Temp\Unicorn-1462.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-1462.exe
        6⤵
        
        PID:15364
    - - C:\Users\Admin\AppData\Local\Temp\Unicorn-48368.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-48368.exe
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:10020
    - - C:\Users\Admin\AppData\Local\Temp\Unicorn-41099.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-41099.exe
        5⤵
        
        PID:13876
    - - C:\Users\Admin\AppData\Local\Temp\Unicorn-19131.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-19131.exe
        5⤵
        
        PID:2936
  - - C:\Users\Admin\AppData\Local\Temp\Unicorn-12591.exe
      C:\Users\Admin\AppData\Local\Temp\Unicorn-12591.exe
      4⤵
      PID:5844
    - - C:\Users\Admin\AppData\Local\Temp\Unicorn-6179.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-6179.exe
        5⤵
        
        PID:7048
      - C:\Users\Admin\AppData\Local\Temp\Unicorn-6724.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-6724.exe
        6⤵
        
        PID:12024
      - C:\Users\Admin\AppData\Local\Temp\Unicorn-42468.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-42468.exe
        6⤵
        
        PID:15420
    - - C:\Users\Admin\AppData\Local\Temp\Unicorn-25811.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-25811.exe
        5⤵
        
        PID:12212
    - - C:\Users\Admin\AppData\Local\Temp\Unicorn-36875.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-36875.exe
        5⤵
        
        PID:15536
  - - C:\Users\Admin\AppData\Local\Temp\Unicorn-29997.exe
      C:\Users\Admin\AppData\Local\Temp\Unicorn-29997.exe
      4⤵
      PID:7712
  - - C:\Users\Admin\AppData\Local\Temp\Unicorn-7286.exe
      C:\Users\Admin\AppData\Local\Temp\Unicorn-7286.exe
      4⤵
      PID:11092
  - - C:\Users\Admin\AppData\Local\Temp\Unicorn-41365.exe
      C:\Users\Admin\AppData\Local\Temp\Unicorn-41365.exe
      4⤵
      System Location Discovery: System Language Discovery
      PID:14632
  - - C:\Users\Admin\AppData\Local\Temp\Unicorn-65114.exe
      C:\Users\Admin\AppData\Local\Temp\Unicorn-65114.exe
      4⤵
      PID:15900
- - C:\Users\Admin\AppData\Local\Temp\Unicorn-28713.exe
    C:\Users\Admin\AppData\Local\Temp\Unicorn-28713.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:3100
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 3100 -s 484
      4⤵
      Program crash
      PID:3308
  - - C:\Users\Admin\AppData\Local\Temp\Unicorn-58631.exe
      C:\Users\Admin\AppData\Local\Temp\Unicorn-58631.exe
      4⤵
      Executes dropped EXE
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:4604
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4604 -s 484
        5⤵
        Program crash
        
        PID:956
    - - C:\Users\Admin\AppData\Local\Temp\Unicorn-50354.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-50354.exe
        5⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:3952
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3952 -s 488
        6⤵
        Program crash
        
        PID:116
      - C:\Users\Admin\AppData\Local\Temp\Unicorn-41200.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-41200.exe
        6⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:3524
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3524 -s 484
        7⤵
        Program crash
        
        PID:4768
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-30436.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-30436.exe
        7⤵
        
        PID:5744
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-17088.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-17088.exe
        8⤵
        
        PID:6912
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-6091.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-6091.exe
        9⤵
        System Location Discovery: System Language Discovery
        
        PID:8444
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-2369.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-2369.exe
        9⤵
        System Location Discovery: System Language Discovery
        
        PID:13996
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-34763.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-34763.exe
        9⤵
        
        PID:15636
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-1192.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-1192.exe
        8⤵
        
        PID:8856
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-9120.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-9120.exe
        8⤵
        
        PID:10252
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-12109.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-12109.exe
        7⤵
        
        PID:6608
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 6608 -s 484
        8⤵
        Program crash
        
        PID:7820
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-1654.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-1654.exe
        8⤵
        
        PID:12352
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-38682.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-38682.exe
        8⤵
        
        PID:15180
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-43927.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-43927.exe
        7⤵
        
        PID:10084
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-32433.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-32433.exe
        7⤵
        
        PID:13888
      - C:\Users\Admin\AppData\Local\Temp\Unicorn-26954.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-26954.exe
        6⤵
        
        PID:3960
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-64643.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-64643.exe
        7⤵
        
        PID:4360
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-12157.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-12157.exe
        8⤵
        
        PID:8896
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-63090.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-63090.exe
        8⤵
        System Location Discovery: System Language Discovery
        
        PID:3672
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-50154.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-50154.exe
        7⤵
        
        PID:8620
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-15862.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-15862.exe
        7⤵
        
        PID:12116
      - C:\Users\Admin\AppData\Local\Temp\Unicorn-59665.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-59665.exe
        6⤵
        
        PID:7052
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-6091.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-6091.exe
        7⤵
        
        PID:8316
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-32634.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-32634.exe
        7⤵
        
        PID:9560
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-34880.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-34880.exe
        7⤵
        
        PID:15680
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-48988.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-48988.exe
        7⤵
        
        PID:10168
      - C:\Users\Admin\AppData\Local\Temp\Unicorn-9417.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-9417.exe
        6⤵
        
        PID:8840
      - C:\Users\Admin\AppData\Local\Temp\Unicorn-33647.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-33647.exe
        6⤵
        
        PID:5644
      - C:\Users\Admin\AppData\Local\Temp\Unicorn-16998.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-16998.exe
        6⤵
        
        PID:15984
      - C:\Users\Admin\AppData\Local\Temp\Unicorn-12429.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-12429.exe
        6⤵
        
        PID:1080
    - - C:\Users\Admin\AppData\Local\Temp\Unicorn-8589.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-8589.exe
        5⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1616
      - C:\Users\Admin\AppData\Local\Temp\Unicorn-8994.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-8994.exe
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:4848
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-42085.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-42085.exe
        7⤵
        
        PID:6100
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 6100 -s 484
        8⤵
        Program crash
        
        PID:7812
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-18676.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-18676.exe
        8⤵
        
        PID:11856
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-13108.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-13108.exe
        8⤵
        
        PID:16276
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-50154.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-50154.exe
        7⤵
        System Location Discovery: System Language Discovery
        
        PID:8628
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-15862.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-15862.exe
        7⤵
        
        PID:12452
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-39212.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-39212.exe
        7⤵
        
        PID:15504
      - C:\Users\Admin\AppData\Local\Temp\Unicorn-23371.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-23371.exe
        6⤵
        
        PID:7092
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-27363.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-27363.exe
        7⤵
        
        PID:9872
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-27227.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-27227.exe
        7⤵
        
        PID:14084
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-11492.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-11492.exe
        7⤵
        System Location Discovery: System Language Discovery
        
        PID:15924
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-47347.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-47347.exe
        7⤵
        
        PID:13956
      - C:\Users\Admin\AppData\Local\Temp\Unicorn-20957.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-20957.exe
        6⤵
        
        PID:5376
      - C:\Users\Admin\AppData\Local\Temp\Unicorn-19946.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-19946.exe
        6⤵
        
        PID:12988
      - C:\Users\Admin\AppData\Local\Temp\Unicorn-3876.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-3876.exe
        6⤵
        
        PID:15848
    - - C:\Users\Admin\AppData\Local\Temp\Unicorn-14047.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-14047.exe
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:4292
      - C:\Users\Admin\AppData\Local\Temp\Unicorn-52391.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-52391.exe
        6⤵
        
        PID:5828
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-51187.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-51187.exe
        7⤵
        
        PID:7844
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 7844 -s 488
        8⤵
        Program crash
        
        PID:8452
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-50663.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-50663.exe
        8⤵
        
        PID:12588
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-54005.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-54005.exe
        8⤵
        
        PID:3208
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-61358.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-61358.exe
        7⤵
        System Location Discovery: System Language Discovery
        
        PID:11100
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-65166.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-65166.exe
        7⤵
        
        PID:14624
      - C:\Users\Admin\AppData\Local\Temp\Unicorn-32473.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-32473.exe
        6⤵
        
        PID:8028
      - C:\Users\Admin\AppData\Local\Temp\Unicorn-11284.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-11284.exe
        6⤵
        
        PID:11484
      - C:\Users\Admin\AppData\Local\Temp\Unicorn-62453.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-62453.exe
        6⤵
        
        PID:15888
    - - C:\Users\Admin\AppData\Local\Temp\Unicorn-53278.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-53278.exe
        5⤵
        
        PID:7024
      - C:\Users\Admin\AppData\Local\Temp\Unicorn-52661.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-52661.exe
        6⤵
        
        PID:9240
      - C:\Users\Admin\AppData\Local\Temp\Unicorn-49355.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-49355.exe
        6⤵
        
        PID:10460
      - C:\Users\Admin\AppData\Local\Temp\Unicorn-26787.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-26787.exe
        6⤵
        
        PID:15092
      - C:\Users\Admin\AppData\Local\Temp\Unicorn-6009.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-6009.exe
        6⤵
        
        PID:10148
    - - C:\Users\Admin\AppData\Local\Temp\Unicorn-18157.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-18157.exe
        5⤵
        
        PID:4824
    - - C:\Users\Admin\AppData\Local\Temp\Unicorn-60283.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-60283.exe
        5⤵
        
        PID:13040
  - - C:\Users\Admin\AppData\Local\Temp\Unicorn-51485.exe
      C:\Users\Admin\AppData\Local\Temp\Unicorn-51485.exe
      4⤵
      Executes dropped EXE
      Suspicious use of SetWindowsHookEx
      PID:4148
    - - C:\Users\Admin\AppData\Local\Temp\Unicorn-1620.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-1620.exe
        5⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2736
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2736 -s 488
        6⤵
        Program crash
        
        PID:4936
      - C:\Users\Admin\AppData\Local\Temp\Unicorn-25907.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-25907.exe
        6⤵
        
        PID:4708
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-3190.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-3190.exe
        7⤵
        
        PID:5152
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-32988.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-32988.exe
        8⤵
        
        PID:5272
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-37434.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-37434.exe
        8⤵
        
        PID:12460
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-20020.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-20020.exe
        8⤵
        
        PID:16356
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-50154.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-50154.exe
        7⤵
        
        PID:8612
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-15862.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-15862.exe
        7⤵
        
        PID:12560
      - C:\Users\Admin\AppData\Local\Temp\Unicorn-14134.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-14134.exe
        6⤵
        
        PID:5804
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 5804 -s 484
        7⤵
        Program crash
        
        PID:9280
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-30627.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-30627.exe
        7⤵
        System Location Discovery: System Language Discovery
        
        PID:12952
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-58011.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-58011.exe
        7⤵
        
        PID:15472
      - C:\Users\Admin\AppData\Local\Temp\Unicorn-20957.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-20957.exe
        6⤵
        
        PID:8680
      - C:\Users\Admin\AppData\Local\Temp\Unicorn-19946.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-19946.exe
        6⤵
        
        PID:13108
    - - C:\Users\Admin\AppData\Local\Temp\Unicorn-10701.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-10701.exe
        5⤵
        
        PID:532
      - C:\Users\Admin\AppData\Local\Temp\Unicorn-19200.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-19200.exe
        6⤵
        
        PID:5264
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-29968.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-29968.exe
        7⤵
        
        PID:10280
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-47539.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-47539.exe
        7⤵
        
        PID:14436
      - C:\Users\Admin\AppData\Local\Temp\Unicorn-31124.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-31124.exe
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:10804
      - C:\Users\Admin\AppData\Local\Temp\Unicorn-41731.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-41731.exe
        6⤵
        
        PID:14444
      - C:\Users\Admin\AppData\Local\Temp\Unicorn-20564.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-20564.exe
        6⤵
        
        PID:1272
    - - C:\Users\Admin\AppData\Local\Temp\Unicorn-14221.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-14221.exe
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:7328
      - C:\Users\Admin\AppData\Local\Temp\Unicorn-35396.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-35396.exe
        6⤵
        
        PID:12428
    - - C:\Users\Admin\AppData\Local\Temp\Unicorn-39817.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-39817.exe
        5⤵
        
        PID:11356
    - - C:\Users\Admin\AppData\Local\Temp\Unicorn-18209.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-18209.exe
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:12468
    - - C:\Users\Admin\AppData\Local\Temp\Unicorn-22146.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-22146.exe
        5⤵
        
        PID:5084
  - - C:\Users\Admin\AppData\Local\Temp\Unicorn-59383.exe
      C:\Users\Admin\AppData\Local\Temp\Unicorn-59383.exe
      4⤵
      PID:1236
    - - C:\Users\Admin\AppData\Local\Temp\Unicorn-42085.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-42085.exe
        5⤵
        
        PID:3800
      - C:\Users\Admin\AppData\Local\Temp\Unicorn-14788.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-14788.exe
        6⤵
        
        PID:8496
      - C:\Users\Admin\AppData\Local\Temp\Unicorn-9997.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-9997.exe
        6⤵
        
        PID:12584
    - - C:\Users\Admin\AppData\Local\Temp\Unicorn-50154.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-50154.exe
        5⤵
        
        PID:8644
    - - C:\Users\Admin\AppData\Local\Temp\Unicorn-15862.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-15862.exe
        5⤵
        
        PID:12440
    - - C:\Users\Admin\AppData\Local\Temp\Unicorn-1586.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-1586.exe
        5⤵
        
        PID:16228
  - - C:\Users\Admin\AppData\Local\Temp\Unicorn-34306.exe
      C:\Users\Admin\AppData\Local\Temp\Unicorn-34306.exe
      4⤵
      PID:7100
    - - C:\Users\Admin\AppData\Local\Temp\Unicorn-48660.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-48660.exe
        5⤵
        
        PID:9492
    - - C:\Users\Admin\AppData\Local\Temp\Unicorn-62915.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-62915.exe
        5⤵
        
        PID:14332
  - - C:\Users\Admin\AppData\Local\Temp\Unicorn-1622.exe
      C:\Users\Admin\AppData\Local\Temp\Unicorn-1622.exe
      4⤵
      PID:9416
  - - C:\Users\Admin\AppData\Local\Temp\Unicorn-6129.exe
      C:\Users\Admin\AppData\Local\Temp\Unicorn-6129.exe
      4⤵
      PID:1716
- - C:\Users\Admin\AppData\Local\Temp\Unicorn-37042.exe
    C:\Users\Admin\AppData\Local\Temp\Unicorn-37042.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:3728
  - - C:\Users\Admin\AppData\Local\Temp\Unicorn-52300.exe
      C:\Users\Admin\AppData\Local\Temp\Unicorn-52300.exe
      4⤵
      Executes dropped EXE
      Suspicious use of SetWindowsHookEx
      PID:1516
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1516 -s 484
        5⤵
        Program crash
        
        PID:1544
    - - C:\Users\Admin\AppData\Local\Temp\Unicorn-28455.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-28455.exe
        5⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:60
      - C:\Users\Admin\AppData\Local\Temp\Unicorn-5979.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-5979.exe
        6⤵
        
        PID:1084
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1084 -s 488
        7⤵
        Program crash
        
        PID:5972
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-44581.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-44581.exe
        7⤵
        
        PID:7412
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 7412 -s 484
        8⤵
        Program crash
        
        PID:15944
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-31124.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-31124.exe
        7⤵
        
        PID:10620
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-59355.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-59355.exe
        7⤵
        
        PID:15016
      - C:\Users\Admin\AppData\Local\Temp\Unicorn-28498.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-28498.exe
        6⤵
        
        PID:7568
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-34052.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-34052.exe
        7⤵
        
        PID:11304
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-15442.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-15442.exe
        7⤵
        
        PID:14756
      - C:\Users\Admin\AppData\Local\Temp\Unicorn-42147.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-42147.exe
        6⤵
        
        PID:11172
      - C:\Users\Admin\AppData\Local\Temp\Unicorn-39891.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-39891.exe
        6⤵
        
        PID:15644
    - - C:\Users\Admin\AppData\Local\Temp\Unicorn-312.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-312.exe
        5⤵
        
        PID:228
      - C:\Users\Admin\AppData\Local\Temp\Unicorn-3190.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-3190.exe
        6⤵
        
        PID:5772
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-39148.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-39148.exe
        7⤵
        
        PID:8724
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-31181.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-31181.exe
        7⤵
        
        PID:13020
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-40929.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-40929.exe
        7⤵
        
        PID:15564
      - C:\Users\Admin\AppData\Local\Temp\Unicorn-50154.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-50154.exe
        6⤵
        
        PID:8652
      - C:\Users\Admin\AppData\Local\Temp\Unicorn-58046.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-58046.exe
        6⤵
        
        PID:12112
    - - C:\Users\Admin\AppData\Local\Temp\Unicorn-63749.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-63749.exe
        5⤵
        
        PID:7164
      - C:\Users\Admin\AppData\Local\Temp\Unicorn-64036.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-64036.exe
        6⤵
        
        PID:9252
      - C:\Users\Admin\AppData\Local\Temp\Unicorn-154.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-154.exe
        6⤵
        
        PID:12344
      - C:\Users\Admin\AppData\Local\Temp\Unicorn-26787.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-26787.exe
        6⤵
        
        PID:16320
    - - C:\Users\Admin\AppData\Local\Temp\Unicorn-26823.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-26823.exe
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:9460
    - - C:\Users\Admin\AppData\Local\Temp\Unicorn-21935.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-21935.exe
        5⤵
        
        PID:13332
  - - C:\Users\Admin\AppData\Local\Temp\Unicorn-54967.exe
      C:\Users\Admin\AppData\Local\Temp\Unicorn-54967.exe
      4⤵
      Executes dropped EXE
      Suspicious use of SetWindowsHookEx
      PID:4404
    - - C:\Users\Admin\AppData\Local\Temp\Unicorn-63877.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-63877.exe
        5⤵
        
        PID:5960
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 5960 -s 484
        6⤵
        Program crash
        
        PID:6960
      - C:\Users\Admin\AppData\Local\Temp\Unicorn-11794.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-11794.exe
        6⤵
        
        PID:10676
      - C:\Users\Admin\AppData\Local\Temp\Unicorn-33449.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-33449.exe
        6⤵
        
        PID:14344
    - - C:\Users\Admin\AppData\Local\Temp\Unicorn-8082.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-8082.exe
        5⤵
        
        PID:7728
    - - C:\Users\Admin\AppData\Local\Temp\Unicorn-26579.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-26579.exe
        5⤵
        
        PID:11520
  - - C:\Users\Admin\AppData\Local\Temp\Unicorn-63331.exe
      C:\Users\Admin\AppData\Local\Temp\Unicorn-63331.exe
      4⤵
      PID:6092
    - - C:\Users\Admin\AppData\Local\Temp\Unicorn-6179.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-6179.exe
        5⤵
        
        PID:7008
      - C:\Users\Admin\AppData\Local\Temp\Unicorn-37285.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-37285.exe
        6⤵
        
        PID:9860
      - C:\Users\Admin\AppData\Local\Temp\Unicorn-59708.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-59708.exe
        6⤵
        
        PID:13240
      - C:\Users\Admin\AppData\Local\Temp\Unicorn-57653.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-57653.exe
        6⤵
        
        PID:4372
    - - C:\Users\Admin\AppData\Local\Temp\Unicorn-12489.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-12489.exe
        5⤵
        
        PID:11192
    - - C:\Users\Admin\AppData\Local\Temp\Unicorn-39891.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-39891.exe
        5⤵
        
        PID:15592
  - - C:\Users\Admin\AppData\Local\Temp\Unicorn-55198.exe
      C:\Users\Admin\AppData\Local\Temp\Unicorn-55198.exe
      4⤵
      PID:7704
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 7704 -s 484
        5⤵
        Program crash
        
        PID:11728
    - - C:\Users\Admin\AppData\Local\Temp\Unicorn-25666.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-25666.exe
        5⤵
        
        PID:12712
    - - C:\Users\Admin\AppData\Local\Temp\Unicorn-18322.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-18322.exe
        5⤵
        
        PID:16332
  - - C:\Users\Admin\AppData\Local\Temp\Unicorn-6756.exe
      C:\Users\Admin\AppData\Local\Temp\Unicorn-6756.exe
      4⤵
      PID:11080
  - - C:\Users\Admin\AppData\Local\Temp\Unicorn-23272.exe
      C:\Users\Admin\AppData\Local\Temp\Unicorn-23272.exe
      4⤵
      PID:14748
- - C:\Users\Admin\AppData\Local\Temp\Unicorn-46581.exe
    C:\Users\Admin\AppData\Local\Temp\Unicorn-46581.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:1724
  - - C:\Users\Admin\AppData\Local\Temp\Unicorn-18786.exe
      C:\Users\Admin\AppData\Local\Temp\Unicorn-18786.exe
      4⤵
      PID:2608
    - - C:\Users\Admin\AppData\Local\Temp\Unicorn-37508.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-37508.exe
        5⤵
        
        PID:6432
      - C:\Users\Admin\AppData\Local\Temp\Unicorn-25827.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-25827.exe
        6⤵
        
        PID:8216
      - C:\Users\Admin\AppData\Local\Temp\Unicorn-4539.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-4539.exe
        6⤵
        
        PID:13000
    - - C:\Users\Admin\AppData\Local\Temp\Unicorn-22826.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-22826.exe
        5⤵
        
        PID:9000
    - - C:\Users\Admin\AppData\Local\Temp\Unicorn-18466.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-18466.exe
        5⤵
        
        PID:12792
  - - C:\Users\Admin\AppData\Local\Temp\Unicorn-17563.exe
      C:\Users\Admin\AppData\Local\Temp\Unicorn-17563.exe
      4⤵
      PID:5752
    - - C:\Users\Admin\AppData\Local\Temp\Unicorn-48167.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-48167.exe
        5⤵
        
        PID:10272
    - - C:\Users\Admin\AppData\Local\Temp\Unicorn-60284.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-60284.exe
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:14292
  - - C:\Users\Admin\AppData\Local\Temp\Unicorn-19531.exe
      C:\Users\Admin\AppData\Local\Temp\Unicorn-19531.exe
      4⤵
      PID:9364
  - - C:\Users\Admin\AppData\Local\Temp\Unicorn-60290.exe
      C:\Users\Admin\AppData\Local\Temp\Unicorn-60290.exe
      4⤵
      System Location Discovery: System Language Discovery
      PID:12372
- - C:\Users\Admin\AppData\Local\Temp\Unicorn-42467.exe
    C:\Users\Admin\AppData\Local\Temp\Unicorn-42467.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:1544
  - - C:\Users\Admin\AppData\Local\Temp\Unicorn-26784.exe
      C:\Users\Admin\AppData\Local\Temp\Unicorn-26784.exe
      4⤵
      PID:5228
    - - C:\Users\Admin\AppData\Local\Temp\Unicorn-1218.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-1218.exe
        5⤵
        
        PID:5672
      - C:\Users\Admin\AppData\Local\Temp\Unicorn-25884.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-25884.exe
        6⤵
        
        PID:9164
      - C:\Users\Admin\AppData\Local\Temp\Unicorn-15442.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-15442.exe
        6⤵
        
        PID:14648
    - - C:\Users\Admin\AppData\Local\Temp\Unicorn-4866.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-4866.exe
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:9288
    - - C:\Users\Admin\AppData\Local\Temp\Unicorn-37564.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-37564.exe
        5⤵
        
        PID:13588
  - - C:\Users\Admin\AppData\Local\Temp\Unicorn-35789.exe
      C:\Users\Admin\AppData\Local\Temp\Unicorn-35789.exe
      4⤵
      PID:8136
    - - C:\Users\Admin\AppData\Local\Temp\Unicorn-18676.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-18676.exe
        5⤵
        
        PID:11132
  - - C:\Users\Admin\AppData\Local\Temp\Unicorn-39598.exe
      C:\Users\Admin\AppData\Local\Temp\Unicorn-39598.exe
      4⤵
      PID:10668
  - - C:\Users\Admin\AppData\Local\Temp\Unicorn-37674.exe
      C:\Users\Admin\AppData\Local\Temp\Unicorn-37674.exe
      4⤵
      PID:15124
  - - C:\Users\Admin\AppData\Local\Temp\Unicorn-62122.exe
      C:\Users\Admin\AppData\Local\Temp\Unicorn-62122.exe
      4⤵
      PID:16176
  - - C:\Users\Admin\AppData\Local\Temp\Unicorn-20937.exe
      C:\Users\Admin\AppData\Local\Temp\Unicorn-20937.exe
      4⤵
      PID:14756
- - C:\Users\Admin\AppData\Local\Temp\Unicorn-37581.exe
    C:\Users\Admin\AppData\Local\Temp\Unicorn-37581.exe
    3⤵
    PID:5560
  - - C:\Users\Admin\AppData\Local\Temp\Unicorn-56174.exe
      C:\Users\Admin\AppData\Local\Temp\Unicorn-56174.exe
      4⤵
      PID:6812
    - - C:\Users\Admin\AppData\Local\Temp\Unicorn-10367.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-10367.exe
        5⤵
        
        PID:244
    - - C:\Users\Admin\AppData\Local\Temp\Unicorn-27673.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-27673.exe
        5⤵
        
        PID:13196
  - - C:\Users\Admin\AppData\Local\Temp\Unicorn-12868.exe
      C:\Users\Admin\AppData\Local\Temp\Unicorn-12868.exe
      4⤵
      PID:8360
  - - C:\Users\Admin\AppData\Local\Temp\Unicorn-30033.exe
      C:\Users\Admin\AppData\Local\Temp\Unicorn-30033.exe
      4⤵
      PID:11336
- - C:\Users\Admin\AppData\Local\Temp\Unicorn-48926.exe
    C:\Users\Admin\AppData\Local\Temp\Unicorn-48926.exe
    3⤵
    PID:4872
  - - C:\Users\Admin\AppData\Local\Temp\Unicorn-44768.exe
      C:\Users\Admin\AppData\Local\Temp\Unicorn-44768.exe
      4⤵
      PID:2720
  - - C:\Users\Admin\AppData\Local\Temp\Unicorn-1654.exe
      C:\Users\Admin\AppData\Local\Temp\Unicorn-1654.exe
      4⤵
      PID:14044
- - C:\Users\Admin\AppData\Local\Temp\Unicorn-24567.exe
    C:\Users\Admin\AppData\Local\Temp\Unicorn-24567.exe
    3⤵
    PID:9844
- - C:\Users\Admin\AppData\Local\Temp\Unicorn-12320.exe
    C:\Users\Admin\AppData\Local\Temp\Unicorn-12320.exe
    3⤵
    PID:13828
- C:\Users\Admin\AppData\Local\Temp\Unicorn-28630.exe
  C:\Users\Admin\AppData\Local\Temp\Unicorn-28630.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:5044
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 5044 -s 484
    3⤵
    - Program crash
    PID:3476
- - C:\Users\Admin\AppData\Local\Temp\Unicorn-61900.exe
    C:\Users\Admin\AppData\Local\Temp\Unicorn-61900.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:1268
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 1268 -s 484
      4⤵
      Program crash
      PID:920
  - - C:\Users\Admin\AppData\Local\Temp\Unicorn-21683.exe
      C:\Users\Admin\AppData\Local\Temp\Unicorn-21683.exe
      4⤵
      Executes dropped EXE
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:4064
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4064 -s 488
        5⤵
        Program crash
        
        PID:4276
    - - C:\Users\Admin\AppData\Local\Temp\Unicorn-26727.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-26727.exe
        5⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1384
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1384 -s 464
        6⤵
        Program crash
        
        PID:4716
      - C:\Users\Admin\AppData\Local\Temp\Unicorn-25440.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-25440.exe
        6⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:4192
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4192 -s 488
        7⤵
        Program crash
        
        PID:532
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-2964.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-2964.exe
        7⤵
        
        PID:4464
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4464 -s 484
        8⤵
        Program crash
        
        PID:5672
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-19200.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-19200.exe
        8⤵
        
        PID:5336
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-35038.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-35038.exe
        9⤵
        
        PID:9372
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-37917.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-37917.exe
        9⤵
        
        PID:14960
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-17803.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-17803.exe
        8⤵
        
        PID:10608
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-59355.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-59355.exe
        8⤵
        
        PID:12876
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-28498.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-28498.exe
        7⤵
        
        PID:7560
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-62723.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-62723.exe
        8⤵
        
        PID:11424
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-26787.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-26787.exe
        8⤵
        
        PID:16232
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-61772.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-61772.exe
        7⤵
        
        PID:11008
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-48473.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-48473.exe
        7⤵
        
        PID:14788
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-38048.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-38048.exe
        7⤵
        
        PID:16096
      - C:\Users\Admin\AppData\Local\Temp\Unicorn-6041.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-6041.exe
        6⤵
        
        PID:3532
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-4259.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-4259.exe
        7⤵
        
        PID:5544
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-7030.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-7030.exe
        8⤵
        
        PID:2308
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2308 -s 456
        9⤵
        Program crash
        
        PID:12116
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-8499.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-8499.exe
        9⤵
        
        PID:14064
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-33444.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-33444.exe
        9⤵
        
        PID:4988
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-8841.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-8841.exe
        8⤵
        System Location Discovery: System Language Discovery
        
        PID:11644
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-59712.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-59712.exe
        8⤵
        
        PID:14468
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-7668.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-7668.exe
        7⤵
        
        PID:7404
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-41234.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-41234.exe
        8⤵
        
        PID:12248
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-2369.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-2369.exe
        8⤵
        
        PID:14020
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-20713.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-20713.exe
        7⤵
        
        PID:11340
      - C:\Users\Admin\AppData\Local\Temp\Unicorn-47413.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-47413.exe
        6⤵
        
        PID:7032
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-31447.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-31447.exe
        7⤵
        
        PID:9936
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-40548.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-40548.exe
        7⤵
        
        PID:14008
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-28897.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-28897.exe
        7⤵
        
        PID:15548
      - C:\Users\Admin\AppData\Local\Temp\Unicorn-26823.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-26823.exe
        6⤵
        
        PID:8036
      - C:\Users\Admin\AppData\Local\Temp\Unicorn-11281.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-11281.exe
        6⤵
        
        PID:12948
      - C:\Users\Admin\AppData\Local\Temp\Unicorn-16998.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-16998.exe
        6⤵
        
        PID:15956
    - - C:\Users\Admin\AppData\Local\Temp\Unicorn-11988.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-11988.exe
        5⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:4924
      - C:\Users\Admin\AppData\Local\Temp\Unicorn-17054.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-17054.exe
        6⤵
        
        PID:5440
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-43621.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-43621.exe
        7⤵
        
        PID:6720
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-44768.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-44768.exe
        8⤵
        
        PID:9640
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-1654.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-1654.exe
        8⤵
        
        PID:14052
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-23744.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-23744.exe
        8⤵
        
        PID:15944
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-47347.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-47347.exe
        8⤵
        
        PID:14536
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-32607.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-32607.exe
        7⤵
        
        PID:10508
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-60341.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-60341.exe
        7⤵
        
        PID:13412
      - C:\Users\Admin\AppData\Local\Temp\Unicorn-24907.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-24907.exe
        6⤵
        
        PID:6848
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-34052.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-34052.exe
        7⤵
        
        PID:9692
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-15442.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-15442.exe
        7⤵
        
        PID:14708
      - C:\Users\Admin\AppData\Local\Temp\Unicorn-31538.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-31538.exe
        6⤵
        
        PID:10588
      - C:\Users\Admin\AppData\Local\Temp\Unicorn-24462.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-24462.exe
        6⤵
        
        PID:14128
    - - C:\Users\Admin\AppData\Local\Temp\Unicorn-15391.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-15391.exe
        5⤵
        
        PID:5852
      - C:\Users\Admin\AppData\Local\Temp\Unicorn-1218.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-1218.exe
        6⤵
        
        PID:6836
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-35038.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-35038.exe
        7⤵
        
        PID:11256
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-37917.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-37917.exe
        7⤵
        
        PID:15028
      - C:\Users\Admin\AppData\Local\Temp\Unicorn-34523.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-34523.exe
        6⤵
        
        PID:10080
      - C:\Users\Admin\AppData\Local\Temp\Unicorn-64206.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-64206.exe
        6⤵
        
        PID:13072
      - C:\Users\Admin\AppData\Local\Temp\Unicorn-30487.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-30487.exe
        6⤵
        
        PID:16120
    - - C:\Users\Admin\AppData\Local\Temp\Unicorn-2105.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-2105.exe
        5⤵
        
        PID:8184
    - - C:\Users\Admin\AppData\Local\Temp\Unicorn-36797.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-36797.exe
        5⤵
        
        PID:11036
    - - C:\Users\Admin\AppData\Local\Temp\Unicorn-62551.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-62551.exe
        5⤵
        
        PID:15348
  - - C:\Users\Admin\AppData\Local\Temp\Unicorn-19689.exe
      C:\Users\Admin\AppData\Local\Temp\Unicorn-19689.exe
      4⤵
      Executes dropped EXE
      Suspicious use of SetWindowsHookEx
      PID:2724
    - - C:\Users\Admin\AppData\Local\Temp\Unicorn-25824.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-25824.exe
        5⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2932
      - C:\Users\Admin\AppData\Local\Temp\Unicorn-63877.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-63877.exe
        6⤵
        
        PID:5728
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-25827.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-25827.exe
        7⤵
        
        PID:8780
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-38280.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-38280.exe
        7⤵
        
        PID:13060
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-35666.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-35666.exe
        7⤵
        
        PID:10224
      - C:\Users\Admin\AppData\Local\Temp\Unicorn-21403.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-21403.exe
        6⤵
        
        PID:8196
      - C:\Users\Admin\AppData\Local\Temp\Unicorn-26579.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-26579.exe
        6⤵
        
        PID:11328
    - - C:\Users\Admin\AppData\Local\Temp\Unicorn-63109.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-63109.exe
        5⤵
        
        PID:5896
      - C:\Users\Admin\AppData\Local\Temp\Unicorn-61602.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-61602.exe
        6⤵
        
        PID:1244
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-52661.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-52661.exe
        7⤵
        
        PID:9232
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-60698.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-60698.exe
        7⤵
        
        PID:14284
      - C:\Users\Admin\AppData\Local\Temp\Unicorn-24710.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-24710.exe
        6⤵
        
        PID:3376
      - C:\Users\Admin\AppData\Local\Temp\Unicorn-41840.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-41840.exe
        6⤵
        
        PID:14232
    - - C:\Users\Admin\AppData\Local\Temp\Unicorn-39219.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-39219.exe
        5⤵
        
        PID:6664
      - C:\Users\Admin\AppData\Local\Temp\Unicorn-34052.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-34052.exe
        6⤵
        
        PID:9408
      - C:\Users\Admin\AppData\Local\Temp\Unicorn-15442.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-15442.exe
        6⤵
        
        PID:14500
    - - C:\Users\Admin\AppData\Local\Temp\Unicorn-28058.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-28058.exe
        5⤵
        
        PID:11068
    - - C:\Users\Admin\AppData\Local\Temp\Unicorn-29008.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-29008.exe
        5⤵
        
        PID:15160
  - - C:\Users\Admin\AppData\Local\Temp\Unicorn-51870.exe
      C:\Users\Admin\AppData\Local\Temp\Unicorn-51870.exe
      4⤵
      PID:5708
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 5708 -s 484
        5⤵
        Program crash
        
        PID:5732
    - - C:\Users\Admin\AppData\Local\Temp\Unicorn-33284.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-33284.exe
        5⤵
        
        PID:10748
    - - C:\Users\Admin\AppData\Local\Temp\Unicorn-27995.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-27995.exe
        5⤵
        
        PID:14472
    - - C:\Users\Admin\AppData\Local\Temp\Unicorn-14699.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-14699.exe
        5⤵
        
        PID:16028
  - - C:\Users\Admin\AppData\Local\Temp\Unicorn-37563.exe
      C:\Users\Admin\AppData\Local\Temp\Unicorn-37563.exe
      4⤵
      PID:7688
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 7688 -s 484
        5⤵
        Program crash
        
        PID:9360
    - - C:\Users\Admin\AppData\Local\Temp\Unicorn-39008.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-39008.exe
        5⤵
        
        PID:15108
  - - C:\Users\Admin\AppData\Local\Temp\Unicorn-8822.exe
      C:\Users\Admin\AppData\Local\Temp\Unicorn-8822.exe
      4⤵
      PID:11808
  - - C:\Users\Admin\AppData\Local\Temp\Unicorn-45916.exe
      C:\Users\Admin\AppData\Local\Temp\Unicorn-45916.exe
      4⤵
      PID:15972
  - - C:\Users\Admin\AppData\Local\Temp\Unicorn-5716.exe
      C:\Users\Admin\AppData\Local\Temp\Unicorn-5716.exe
      4⤵
      PID:15984
- - C:\Users\Admin\AppData\Local\Temp\Unicorn-34489.exe
    C:\Users\Admin\AppData\Local\Temp\Unicorn-34489.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:456
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 456 -s 648
      4⤵
      Program crash
      PID:4228
- - C:\Users\Admin\AppData\Local\Temp\Unicorn-57052.exe
    C:\Users\Admin\AppData\Local\Temp\Unicorn-57052.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:2808
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 2808 -s 488
      4⤵
      Program crash
      PID:2444
  - - C:\Users\Admin\AppData\Local\Temp\Unicorn-37500.exe
      C:\Users\Admin\AppData\Local\Temp\Unicorn-37500.exe
      4⤵
      Executes dropped EXE
      Suspicious use of SetWindowsHookEx
      PID:4556
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4556 -s 464
        5⤵
        Program crash
        
        PID:2656
    - - C:\Users\Admin\AppData\Local\Temp\Unicorn-43312.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-43312.exe
        5⤵
        
        PID:772
      - C:\Users\Admin\AppData\Local\Temp\Unicorn-9220.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-9220.exe
        6⤵
        
        PID:6152
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-11773.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-11773.exe
        7⤵
        
        PID:8424
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-27974.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-27974.exe
        7⤵
        
        PID:10764
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-22146.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-22146.exe
        7⤵
        
        PID:14600
      - C:\Users\Admin\AppData\Local\Temp\Unicorn-16873.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-16873.exe
        6⤵
        
        PID:5064
      - C:\Users\Admin\AppData\Local\Temp\Unicorn-19946.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-19946.exe
        6⤵
        
        PID:13008
      - C:\Users\Admin\AppData\Local\Temp\Unicorn-16128.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-16128.exe
        6⤵
        
        PID:5000
    - - C:\Users\Admin\AppData\Local\Temp\Unicorn-7912.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-7912.exe
        5⤵
        
        PID:6060
      - C:\Users\Admin\AppData\Local\Temp\Unicorn-27280.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-27280.exe
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:8300
      - C:\Users\Admin\AppData\Local\Temp\Unicorn-47902.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-47902.exe
        6⤵
        
        PID:10916
    - - C:\Users\Admin\AppData\Local\Temp\Unicorn-41378.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-41378.exe
        5⤵
        
        PID:9296
    - - C:\Users\Admin\AppData\Local\Temp\Unicorn-16402.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-16402.exe
        5⤵
        
        PID:12944
  - - C:\Users\Admin\AppData\Local\Temp\Unicorn-46581.exe
      C:\Users\Admin\AppData\Local\Temp\Unicorn-46581.exe
      4⤵
      PID:6032
    - - C:\Users\Admin\AppData\Local\Temp\Unicorn-1218.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-1218.exe
        5⤵
        
        PID:7124
      - C:\Users\Admin\AppData\Local\Temp\Unicorn-50388.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-50388.exe
        6⤵
        
        PID:11380
      - C:\Users\Admin\AppData\Local\Temp\Unicorn-7274.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-7274.exe
        6⤵
        
        PID:13360
    - - C:\Users\Admin\AppData\Local\Temp\Unicorn-4866.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-4866.exe
        5⤵
        
        PID:9932
    - - C:\Users\Admin\AppData\Local\Temp\Unicorn-37564.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-37564.exe
        5⤵
        
        PID:13760
    - - C:\Users\Admin\AppData\Local\Temp\Unicorn-48988.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-48988.exe
        5⤵
        
        PID:10176
  - - C:\Users\Admin\AppData\Local\Temp\Unicorn-61777.exe
      C:\Users\Admin\AppData\Local\Temp\Unicorn-61777.exe
      4⤵
      PID:8176
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 8176 -s 484
        5⤵
        Program crash
        
        PID:14536
  - - C:\Users\Admin\AppData\Local\Temp\Unicorn-45463.exe
      C:\Users\Admin\AppData\Local\Temp\Unicorn-45463.exe
      4⤵
      System Location Discovery: System Language Discovery
      PID:10596
  - - C:\Users\Admin\AppData\Local\Temp\Unicorn-29008.exe
      C:\Users\Admin\AppData\Local\Temp\Unicorn-29008.exe
      4⤵
      PID:15188
- - C:\Users\Admin\AppData\Local\Temp\Unicorn-2808.exe
    C:\Users\Admin\AppData\Local\Temp\Unicorn-2808.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:2532
  - - C:\Users\Admin\AppData\Local\Temp\Unicorn-60032.exe
      C:\Users\Admin\AppData\Local\Temp\Unicorn-60032.exe
      4⤵
      PID:5464
    - - C:\Users\Admin\AppData\Local\Temp\Unicorn-46636.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-46636.exe
        5⤵
        
        PID:6740
      - C:\Users\Admin\AppData\Local\Temp\Unicorn-4529.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-4529.exe
        6⤵
        
        PID:8012
      - C:\Users\Admin\AppData\Local\Temp\Unicorn-44202.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-44202.exe
        6⤵
        
        PID:11420
    - - C:\Users\Admin\AppData\Local\Temp\Unicorn-56615.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-56615.exe
        5⤵
        
        PID:9704
    - - C:\Users\Admin\AppData\Local\Temp\Unicorn-4699.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-4699.exe
        5⤵
        
        PID:13764
    - - C:\Users\Admin\AppData\Local\Temp\Unicorn-58334.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-58334.exe
        5⤵
        
        PID:16080
  - - C:\Users\Admin\AppData\Local\Temp\Unicorn-27922.exe
      C:\Users\Admin\AppData\Local\Temp\Unicorn-27922.exe
      4⤵
      PID:7264
    - - C:\Users\Admin\AppData\Local\Temp\Unicorn-42988.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-42988.exe
        5⤵
        
        PID:11612
    - - C:\Users\Admin\AppData\Local\Temp\Unicorn-58334.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-58334.exe
        5⤵
        
        PID:15912
  - - C:\Users\Admin\AppData\Local\Temp\Unicorn-17066.exe
      C:\Users\Admin\AppData\Local\Temp\Unicorn-17066.exe
      4⤵
      PID:11848
  - - C:\Users\Admin\AppData\Local\Temp\Unicorn-46606.exe
      C:\Users\Admin\AppData\Local\Temp\Unicorn-46606.exe
      4⤵
      PID:14320
- - C:\Users\Admin\AppData\Local\Temp\Unicorn-57516.exe
    C:\Users\Admin\AppData\Local\Temp\Unicorn-57516.exe
    3⤵
    PID:6040
  - - C:\Users\Admin\AppData\Local\Temp\Unicorn-38167.exe
      C:\Users\Admin\AppData\Local\Temp\Unicorn-38167.exe
      4⤵
      PID:6920
    - - C:\Users\Admin\AppData\Local\Temp\Unicorn-25884.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-25884.exe
        5⤵
        
        PID:10248
    - - C:\Users\Admin\AppData\Local\Temp\Unicorn-15442.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-15442.exe
        5⤵
        
        PID:14600
    - - C:\Users\Admin\AppData\Local\Temp\Unicorn-15908.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-15908.exe
        5⤵
        
        PID:16204
  - - C:\Users\Admin\AppData\Local\Temp\Unicorn-6432.exe
      C:\Users\Admin\AppData\Local\Temp\Unicorn-6432.exe
      4⤵
      PID:9912
  - - C:\Users\Admin\AppData\Local\Temp\Unicorn-1602.exe
      C:\Users\Admin\AppData\Local\Temp\Unicorn-1602.exe
      4⤵
      PID:14920
- - C:\Users\Admin\AppData\Local\Temp\Unicorn-30189.exe
    C:\Users\Admin\AppData\Local\Temp\Unicorn-30189.exe
    3⤵
    - System Location Discovery: System Language Discovery
    PID:8128
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 8128 -s 484
      4⤵
      Program crash
      PID:3848
- - C:\Users\Admin\AppData\Local\Temp\Unicorn-37328.exe
    C:\Users\Admin\AppData\Local\Temp\Unicorn-37328.exe
    3⤵
    PID:10580
- - C:\Users\Admin\AppData\Local\Temp\Unicorn-8008.exe
    C:\Users\Admin\AppData\Local\Temp\Unicorn-8008.exe
    3⤵
    PID:15140
- - C:\Users\Admin\AppData\Local\Temp\Unicorn-7930.exe
    C:\Users\Admin\AppData\Local\Temp\Unicorn-7930.exe
    3⤵
    PID:1324
- C:\Users\Admin\AppData\Local\Temp\Unicorn-36995.exe
  C:\Users\Admin\AppData\Local\Temp\Unicorn-36995.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:632
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 632 -s 488
    3⤵
    - Program crash
    PID:384
- - C:\Users\Admin\AppData\Local\Temp\Unicorn-16530.exe
    C:\Users\Admin\AppData\Local\Temp\Unicorn-16530.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:4540
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 4540 -s 468
      4⤵
      Program crash
      PID:3232
  - - C:\Users\Admin\AppData\Local\Temp\Unicorn-8013.exe
      C:\Users\Admin\AppData\Local\Temp\Unicorn-8013.exe
      4⤵
      Executes dropped EXE
      Suspicious use of SetWindowsHookEx
      PID:1584
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1584 -s 488
        5⤵
        Program crash
        
        PID:2380
    - - C:\Users\Admin\AppData\Local\Temp\Unicorn-9186.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-9186.exe
        5⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1736
      - C:\Users\Admin\AppData\Local\Temp\Unicorn-3924.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-3924.exe
        6⤵
        
        PID:6084
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-19200.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-19200.exe
        7⤵
        
        PID:6700
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-12562.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-12562.exe
        8⤵
        
        PID:10728
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-15442.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-15442.exe
        8⤵
        
        PID:14608
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-51788.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-51788.exe
        8⤵
        
        PID:10188
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-17803.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-17803.exe
        7⤵
        
        PID:10600
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-18596.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-18596.exe
        7⤵
        
        PID:13728
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-38682.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-38682.exe
        7⤵
        
        PID:16336
      - C:\Users\Admin\AppData\Local\Temp\Unicorn-20906.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-20906.exe
        6⤵
        
        PID:7768
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-62723.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-62723.exe
        7⤵
        
        PID:7696
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-33314.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-33314.exe
        7⤵
        System Location Discovery: System Language Discovery
        
        PID:16180
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-38682.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-38682.exe
        7⤵
        
        PID:14936
      - C:\Users\Admin\AppData\Local\Temp\Unicorn-22576.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-22576.exe
        6⤵
        
        PID:11636
      - C:\Users\Admin\AppData\Local\Temp\Unicorn-42142.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-42142.exe
        6⤵
        
        PID:15104
    - - C:\Users\Admin\AppData\Local\Temp\Unicorn-11469.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-11469.exe
        5⤵
        
        PID:4956
      - C:\Users\Admin\AppData\Local\Temp\Unicorn-5686.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-5686.exe
        6⤵
        
        PID:7492
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-41426.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-41426.exe
        7⤵
        
        PID:12528
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-59459.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-59459.exe
        7⤵
        
        PID:15132
      - C:\Users\Admin\AppData\Local\Temp\Unicorn-5058.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-5058.exe
        6⤵
        
        PID:10936
      - C:\Users\Admin\AppData\Local\Temp\Unicorn-44746.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-44746.exe
        6⤵
        
        PID:14676
    - - C:\Users\Admin\AppData\Local\Temp\Unicorn-708.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-708.exe
        5⤵
        
        PID:7896
    - - C:\Users\Admin\AppData\Local\Temp\Unicorn-16765.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-16765.exe
        5⤵
        
        PID:11932
    - - C:\Users\Admin\AppData\Local\Temp\Unicorn-50690.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-50690.exe
        5⤵
        
        PID:14956
  - - C:\Users\Admin\AppData\Local\Temp\Unicorn-26299.exe
      C:\Users\Admin\AppData\Local\Temp\Unicorn-26299.exe
      4⤵
      PID:1912
    - - C:\Users\Admin\AppData\Local\Temp\Unicorn-4259.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-4259.exe
        5⤵
        
        PID:5584
      - C:\Users\Admin\AppData\Local\Temp\Unicorn-13574.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-13574.exe
        6⤵
        
        PID:8228
      - C:\Users\Admin\AppData\Local\Temp\Unicorn-4539.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-4539.exe
        6⤵
        
        PID:12992
      - C:\Users\Admin\AppData\Local\Temp\Unicorn-22146.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-22146.exe
        6⤵
        
        PID:13424
    - - C:\Users\Admin\AppData\Local\Temp\Unicorn-24580.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-24580.exe
        5⤵
        
        PID:8548
    - - C:\Users\Admin\AppData\Local\Temp\Unicorn-1746.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-1746.exe
        5⤵
        
        PID:11860
    - - C:\Users\Admin\AppData\Local\Temp\Unicorn-39212.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-39212.exe
        5⤵
        
        PID:16176
  - - C:\Users\Admin\AppData\Local\Temp\Unicorn-5146.exe
      C:\Users\Admin\AppData\Local\Temp\Unicorn-5146.exe
      4⤵
      PID:6992
    - - C:\Users\Admin\AppData\Local\Temp\Unicorn-9874.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-9874.exe
        5⤵
        
        PID:7740
    - - C:\Users\Admin\AppData\Local\Temp\Unicorn-60922.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-60922.exe
        5⤵
        
        PID:11956
  - - C:\Users\Admin\AppData\Local\Temp\Unicorn-18157.exe
      C:\Users\Admin\AppData\Local\Temp\Unicorn-18157.exe
      4⤵
      PID:944
  - - C:\Users\Admin\AppData\Local\Temp\Unicorn-60283.exe
      C:\Users\Admin\AppData\Local\Temp\Unicorn-60283.exe
      4⤵
      PID:12900
- - C:\Users\Admin\AppData\Local\Temp\Unicorn-14536.exe
    C:\Users\Admin\AppData\Local\Temp\Unicorn-14536.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:756
  - - C:\Users\Admin\AppData\Local\Temp\Unicorn-35061.exe
      C:\Users\Admin\AppData\Local\Temp\Unicorn-35061.exe
      4⤵
      Executes dropped EXE
      Suspicious use of SetWindowsHookEx
      PID:2004
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2004 -s 484
        5⤵
        Program crash
        
        PID:3000
    - - C:\Users\Admin\AppData\Local\Temp\Unicorn-53426.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-53426.exe
        5⤵
        
        PID:5172
      - C:\Users\Admin\AppData\Local\Temp\Unicorn-4259.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-4259.exe
        6⤵
        
        PID:5280
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-11773.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-11773.exe
        7⤵
        
        PID:8436
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-27974.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-27974.exe
        7⤵
        
        PID:9220
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-45214.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-45214.exe
        7⤵
        
        PID:16072
      - C:\Users\Admin\AppData\Local\Temp\Unicorn-50154.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-50154.exe
        6⤵
        
        PID:8604
      - C:\Users\Admin\AppData\Local\Temp\Unicorn-15862.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-15862.exe
        6⤵
        
        PID:12536
    - - C:\Users\Admin\AppData\Local\Temp\Unicorn-51083.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-51083.exe
        5⤵
        
        PID:7000
      - C:\Users\Admin\AppData\Local\Temp\Unicorn-50388.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-50388.exe
        6⤵
        
        PID:11460
      - C:\Users\Admin\AppData\Local\Temp\Unicorn-7274.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-7274.exe
        6⤵
        
        PID:14388
    - - C:\Users\Admin\AppData\Local\Temp\Unicorn-20957.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-20957.exe
        5⤵
        
        PID:9388
    - - C:\Users\Admin\AppData\Local\Temp\Unicorn-14264.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-14264.exe
        5⤵
        
        PID:12360
  - - C:\Users\Admin\AppData\Local\Temp\Unicorn-57463.exe
      C:\Users\Admin\AppData\Local\Temp\Unicorn-57463.exe
      4⤵
      PID:5128
    - - C:\Users\Admin\AppData\Local\Temp\Unicorn-1026.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-1026.exe
        5⤵
        
        PID:5420
      - C:\Users\Admin\AppData\Local\Temp\Unicorn-3325.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-3325.exe
        6⤵
        
        PID:8060
      - C:\Users\Admin\AppData\Local\Temp\Unicorn-15442.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-15442.exe
        6⤵
        
        PID:14668
      - C:\Users\Admin\AppData\Local\Temp\Unicorn-38467.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-38467.exe
        6⤵
        
        PID:4164
    - - C:\Users\Admin\AppData\Local\Temp\Unicorn-12489.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-12489.exe
        5⤵
        
        PID:10788
    - - C:\Users\Admin\AppData\Local\Temp\Unicorn-39891.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-39891.exe
        5⤵
        
        PID:15600
  - - C:\Users\Admin\AppData\Local\Temp\Unicorn-61585.exe
      C:\Users\Admin\AppData\Local\Temp\Unicorn-61585.exe
      4⤵
      System Location Discovery: System Language Discovery
      PID:7744
    - - C:\Users\Admin\AppData\Local\Temp\Unicorn-52308.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-52308.exe
        5⤵
        
        PID:12752
    - - C:\Users\Admin\AppData\Local\Temp\Unicorn-25530.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-25530.exe
        5⤵
        
        PID:16368
    - - C:\Users\Admin\AppData\Local\Temp\Unicorn-60501.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-60501.exe
        5⤵
        
        PID:16008
  - - C:\Users\Admin\AppData\Local\Temp\Unicorn-32827.exe
      C:\Users\Admin\AppData\Local\Temp\Unicorn-32827.exe
      4⤵
      PID:11048
  - - C:\Users\Admin\AppData\Local\Temp\Unicorn-39808.exe
      C:\Users\Admin\AppData\Local\Temp\Unicorn-39808.exe
      4⤵
      PID:14740
  - - C:\Users\Admin\AppData\Local\Temp\Unicorn-17681.exe
      C:\Users\Admin\AppData\Local\Temp\Unicorn-17681.exe
      4⤵
      PID:16140
- - C:\Users\Admin\AppData\Local\Temp\Unicorn-52366.exe
    C:\Users\Admin\AppData\Local\Temp\Unicorn-52366.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:816
  - - C:\Users\Admin\AppData\Local\Temp\Unicorn-17054.exe
      C:\Users\Admin\AppData\Local\Temp\Unicorn-17054.exe
      4⤵
      PID:5428
    - - C:\Users\Admin\AppData\Local\Temp\Unicorn-40990.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-40990.exe
        5⤵
        
        PID:5740
      - C:\Users\Admin\AppData\Local\Temp\Unicorn-2365.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-2365.exe
        6⤵
        
        PID:11176
      - C:\Users\Admin\AppData\Local\Temp\Unicorn-47347.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-47347.exe
        6⤵
        
        PID:14660
      - C:\Users\Admin\AppData\Local\Temp\Unicorn-40034.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-40034.exe
        6⤵
        
        PID:15320
      - C:\Users\Admin\AppData\Local\Temp\Unicorn-48988.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-48988.exe
        6⤵
        
        PID:10196
    - - C:\Users\Admin\AppData\Local\Temp\Unicorn-49520.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-49520.exe
        5⤵
        
        PID:10872
    - - C:\Users\Admin\AppData\Local\Temp\Unicorn-11716.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-11716.exe
        5⤵
        
        PID:14588
    - - C:\Users\Admin\AppData\Local\Temp\Unicorn-43648.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-43648.exe
        5⤵
        
        PID:16196
  - - C:\Users\Admin\AppData\Local\Temp\Unicorn-22276.exe
      C:\Users\Admin\AppData\Local\Temp\Unicorn-22276.exe
      4⤵
      PID:7676
    - - C:\Users\Admin\AppData\Local\Temp\Unicorn-13906.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-13906.exe
        5⤵
        
        PID:12444
    - - C:\Users\Admin\AppData\Local\Temp\Unicorn-13108.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-13108.exe
        5⤵
        
        PID:4004
  - - C:\Users\Admin\AppData\Local\Temp\Unicorn-9556.exe
      C:\Users\Admin\AppData\Local\Temp\Unicorn-9556.exe
      4⤵
      PID:11056
  - - C:\Users\Admin\AppData\Local\Temp\Unicorn-48473.exe
      C:\Users\Admin\AppData\Local\Temp\Unicorn-48473.exe
      4⤵
      PID:14780
- - C:\Users\Admin\AppData\Local\Temp\Unicorn-59658.exe
    C:\Users\Admin\AppData\Local\Temp\Unicorn-59658.exe
    3⤵
    PID:5224
  - - C:\Users\Admin\AppData\Local\Temp\Unicorn-19200.exe
      C:\Users\Admin\AppData\Local\Temp\Unicorn-19200.exe
      4⤵
      System Location Discovery: System Language Discovery
      PID:6856
    - - C:\Users\Admin\AppData\Local\Temp\Unicorn-12562.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-12562.exe
        5⤵
        
        PID:10532
    - - C:\Users\Admin\AppData\Local\Temp\Unicorn-2121.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-2121.exe
        5⤵
        
        PID:13448
    - - C:\Users\Admin\AppData\Local\Temp\Unicorn-47347.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-47347.exe
        5⤵
        
        PID:15328
  - - C:\Users\Admin\AppData\Local\Temp\Unicorn-17803.exe
      C:\Users\Admin\AppData\Local\Temp\Unicorn-17803.exe
      4⤵
      PID:10632
  - - C:\Users\Admin\AppData\Local\Temp\Unicorn-18596.exe
      C:\Users\Admin\AppData\Local\Temp\Unicorn-18596.exe
      4⤵
      PID:14016
  - - C:\Users\Admin\AppData\Local\Temp\Unicorn-38682.exe
      C:\Users\Admin\AppData\Local\Temp\Unicorn-38682.exe
      4⤵
      PID:16128
- - C:\Users\Admin\AppData\Local\Temp\Unicorn-11421.exe
    C:\Users\Admin\AppData\Local\Temp\Unicorn-11421.exe
    3⤵
    PID:7296
- - C:\Users\Admin\AppData\Local\Temp\Unicorn-14616.exe
    C:\Users\Admin\AppData\Local\Temp\Unicorn-14616.exe
    3⤵
    - System Location Discovery: System Language Discovery
    PID:11348
- - C:\Users\Admin\AppData\Local\Temp\Unicorn-18739.exe
    C:\Users\Admin\AppData\Local\Temp\Unicorn-18739.exe
    3⤵
    PID:12232
- C:\Users\Admin\AppData\Local\Temp\Unicorn-59243.exe
  C:\Users\Admin\AppData\Local\Temp\Unicorn-59243.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:1664
- - C:\Users\Admin\AppData\Local\Temp\Unicorn-29742.exe
    C:\Users\Admin\AppData\Local\Temp\Unicorn-29742.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:4308
  - - C:\Users\Admin\AppData\Local\Temp\Unicorn-37500.exe
      C:\Users\Admin\AppData\Local\Temp\Unicorn-37500.exe
      4⤵
      Executes dropped EXE
      Suspicious use of SetWindowsHookEx
      PID:4224
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4224 -s 488
        5⤵
        Program crash
        
        PID:1912
    - - C:\Users\Admin\AppData\Local\Temp\Unicorn-62663.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-62663.exe
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:5204
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 5204 -s 484
        6⤵
        Program crash
        
        PID:6056
      - C:\Users\Admin\AppData\Local\Temp\Unicorn-59376.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-59376.exe
        6⤵
        
        PID:8292
      - C:\Users\Admin\AppData\Local\Temp\Unicorn-16298.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-16298.exe
        6⤵
        
        PID:1296
    - - C:\Users\Admin\AppData\Local\Temp\Unicorn-22468.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-22468.exe
        5⤵
        
        PID:8104
      - C:\Users\Admin\AppData\Local\Temp\Unicorn-26844.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-26844.exe
        6⤵
        
        PID:11740
    - - C:\Users\Admin\AppData\Local\Temp\Unicorn-39598.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-39598.exe
        5⤵
        
        PID:10928
    - - C:\Users\Admin\AppData\Local\Temp\Unicorn-48857.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-48857.exe
        5⤵
        
        PID:15252
  - - C:\Users\Admin\AppData\Local\Temp\Unicorn-47157.exe
      C:\Users\Admin\AppData\Local\Temp\Unicorn-47157.exe
      4⤵
      PID:684
    - - C:\Users\Admin\AppData\Local\Temp\Unicorn-7030.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-7030.exe
        5⤵
        
        PID:7396
      - C:\Users\Admin\AppData\Local\Temp\Unicorn-20046.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-20046.exe
        6⤵
        
        PID:12060
      - C:\Users\Admin\AppData\Local\Temp\Unicorn-42468.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-42468.exe
        6⤵
        
        PID:15412
    - - C:\Users\Admin\AppData\Local\Temp\Unicorn-58042.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-58042.exe
        5⤵
        
        PID:11524
    - - C:\Users\Admin\AppData\Local\Temp\Unicorn-49598.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-49598.exe
        5⤵
        
        PID:14896
  - - C:\Users\Admin\AppData\Local\Temp\Unicorn-56899.exe
      C:\Users\Admin\AppData\Local\Temp\Unicorn-56899.exe
      4⤵
      PID:7836
  - - C:\Users\Admin\AppData\Local\Temp\Unicorn-16957.exe
      C:\Users\Admin\AppData\Local\Temp\Unicorn-16957.exe
      4⤵
      PID:12000
  - - C:\Users\Admin\AppData\Local\Temp\Unicorn-1380.exe
      C:\Users\Admin\AppData\Local\Temp\Unicorn-1380.exe
      4⤵
      PID:15960
- - C:\Users\Admin\AppData\Local\Temp\Unicorn-18210.exe
    C:\Users\Admin\AppData\Local\Temp\Unicorn-18210.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    PID:4092
  - - C:\Users\Admin\AppData\Local\Temp\Unicorn-43696.exe
      C:\Users\Admin\AppData\Local\Temp\Unicorn-43696.exe
      4⤵
      PID:5388
    - - C:\Users\Admin\AppData\Local\Temp\Unicorn-1218.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-1218.exe
        5⤵
        
        PID:6948
      - C:\Users\Admin\AppData\Local\Temp\Unicorn-24706.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-24706.exe
        6⤵
        
        PID:12012
      - C:\Users\Admin\AppData\Local\Temp\Unicorn-26787.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-26787.exe
        6⤵
        
        PID:5036
    - - C:\Users\Admin\AppData\Local\Temp\Unicorn-4866.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-4866.exe
        5⤵
        
        PID:9948
    - - C:\Users\Admin\AppData\Local\Temp\Unicorn-37564.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-37564.exe
        5⤵
        
        PID:13616
    - - C:\Users\Admin\AppData\Local\Temp\Unicorn-48988.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-48988.exe
        5⤵
        
        PID:10204
  - - C:\Users\Admin\AppData\Local\Temp\Unicorn-62929.exe
      C:\Users\Admin\AppData\Local\Temp\Unicorn-62929.exe
      4⤵
      System Location Discovery: System Language Discovery
      PID:7204
  - - C:\Users\Admin\AppData\Local\Temp\Unicorn-56729.exe
      C:\Users\Admin\AppData\Local\Temp\Unicorn-56729.exe
      4⤵
      PID:12076
- - C:\Users\Admin\AppData\Local\Temp\Unicorn-15391.exe
    C:\Users\Admin\AppData\Local\Temp\Unicorn-15391.exe
    3⤵
    PID:5860
  - - C:\Users\Admin\AppData\Local\Temp\Unicorn-2287.exe
      C:\Users\Admin\AppData\Local\Temp\Unicorn-2287.exe
      4⤵
      PID:5760
    - - C:\Users\Admin\AppData\Local\Temp\Unicorn-24514.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-24514.exe
        5⤵
        
        PID:11632
  - - C:\Users\Admin\AppData\Local\Temp\Unicorn-61467.exe
      C:\Users\Admin\AppData\Local\Temp\Unicorn-61467.exe
      4⤵
      PID:9272
  - - C:\Users\Admin\AppData\Local\Temp\Unicorn-30464.exe
      C:\Users\Admin\AppData\Local\Temp\Unicorn-30464.exe
      4⤵
      PID:13524
  - - C:\Users\Admin\AppData\Local\Temp\Unicorn-56636.exe
      C:\Users\Admin\AppData\Local\Temp\Unicorn-56636.exe
      4⤵
      PID:16144
  - - C:\Users\Admin\AppData\Local\Temp\Unicorn-38682.exe
      C:\Users\Admin\AppData\Local\Temp\Unicorn-38682.exe
      4⤵
      PID:15344
- - C:\Users\Admin\AppData\Local\Temp\Unicorn-39054.exe
    C:\Users\Admin\AppData\Local\Temp\Unicorn-39054.exe
    3⤵
    PID:8020
  - - C:\Users\Admin\AppData\Local\Temp\Unicorn-31312.exe
      C:\Users\Admin\AppData\Local\Temp\Unicorn-31312.exe
      4⤵
      PID:12404
- - C:\Users\Admin\AppData\Local\Temp\Unicorn-59356.exe
    C:\Users\Admin\AppData\Local\Temp\Unicorn-59356.exe
    3⤵
    PID:10640
- - C:\Users\Admin\AppData\Local\Temp\Unicorn-12473.exe
    C:\Users\Admin\AppData\Local\Temp\Unicorn-12473.exe
    3⤵
    PID:15148
- - C:\Users\Admin\AppData\Local\Temp\Unicorn-38003.exe
    C:\Users\Admin\AppData\Local\Temp\Unicorn-38003.exe
    3⤵
    PID:4720
- C:\Users\Admin\AppData\Local\Temp\Unicorn-11273.exe
  C:\Users\Admin\AppData\Local\Temp\Unicorn-11273.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  PID:4456
- - C:\Users\Admin\AppData\Local\Temp\Unicorn-18786.exe
    C:\Users\Admin\AppData\Local\Temp\Unicorn-18786.exe
    3⤵
    PID:2020
  - - C:\Users\Admin\AppData\Local\Temp\Unicorn-53268.exe
      C:\Users\Admin\AppData\Local\Temp\Unicorn-53268.exe
      4⤵
      PID:6200
    - - C:\Users\Admin\AppData\Local\Temp\Unicorn-63989.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-63989.exe
        5⤵
        
        PID:8412
    - - C:\Users\Admin\AppData\Local\Temp\Unicorn-27974.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-27974.exe
        5⤵
        
        PID:10844
  - - C:\Users\Admin\AppData\Local\Temp\Unicorn-57253.exe
      C:\Users\Admin\AppData\Local\Temp\Unicorn-57253.exe
      4⤵
      PID:8736
  - - C:\Users\Admin\AppData\Local\Temp\Unicorn-15862.exe
      C:\Users\Admin\AppData\Local\Temp\Unicorn-15862.exe
      4⤵
      PID:12424
  - - C:\Users\Admin\AppData\Local\Temp\Unicorn-60176.exe
      C:\Users\Admin\AppData\Local\Temp\Unicorn-60176.exe
      4⤵
      PID:15788
- - C:\Users\Admin\AppData\Local\Temp\Unicorn-48290.exe
    C:\Users\Admin\AppData\Local\Temp\Unicorn-48290.exe
    3⤵
    - System Location Discovery: System Language Discovery
    PID:6196
  - - C:\Users\Admin\AppData\Local\Temp\Unicorn-61104.exe
      C:\Users\Admin\AppData\Local\Temp\Unicorn-61104.exe
      4⤵
      PID:788
  - - C:\Users\Admin\AppData\Local\Temp\Unicorn-40548.exe
      C:\Users\Admin\AppData\Local\Temp\Unicorn-40548.exe
      4⤵
      PID:14076
- - C:\Users\Admin\AppData\Local\Temp\Unicorn-25339.exe
    C:\Users\Admin\AppData\Local\Temp\Unicorn-25339.exe
    3⤵
    PID:7528
- - C:\Users\Admin\AppData\Local\Temp\Unicorn-57315.exe
    C:\Users\Admin\AppData\Local\Temp\Unicorn-57315.exe
    3⤵
    PID:7064
- C:\Users\Admin\AppData\Local\Temp\Unicorn-48489.exe
  C:\Users\Admin\AppData\Local\Temp\Unicorn-48489.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  PID:456
- - C:\Users\Admin\AppData\Local\Temp\Unicorn-43696.exe
    C:\Users\Admin\AppData\Local\Temp\Unicorn-43696.exe
    3⤵
    PID:5396
  - - C:\Users\Admin\AppData\Local\Temp\Unicorn-43621.exe
      C:\Users\Admin\AppData\Local\Temp\Unicorn-43621.exe
      4⤵
      PID:5212
    - - C:\Users\Admin\AppData\Local\Temp\Unicorn-2365.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-2365.exe
        5⤵
        
        PID:9892
    - - C:\Users\Admin\AppData\Local\Temp\Unicorn-28379.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-28379.exe
        5⤵
        
        PID:14992
  - - C:\Users\Admin\AppData\Local\Temp\Unicorn-36194.exe
      C:\Users\Admin\AppData\Local\Temp\Unicorn-36194.exe
      4⤵
      PID:9668
  - - C:\Users\Admin\AppData\Local\Temp\Unicorn-31341.exe
      C:\Users\Admin\AppData\Local\Temp\Unicorn-31341.exe
      4⤵
      PID:13740
  - - C:\Users\Admin\AppData\Local\Temp\Unicorn-58334.exe
      C:\Users\Admin\AppData\Local\Temp\Unicorn-58334.exe
      4⤵
      PID:15292
- - C:\Users\Admin\AppData\Local\Temp\Unicorn-38228.exe
    C:\Users\Admin\AppData\Local\Temp\Unicorn-38228.exe
    3⤵
    PID:7184
  - - C:\Users\Admin\AppData\Local\Temp\Unicorn-2365.exe
      C:\Users\Admin\AppData\Local\Temp\Unicorn-2365.exe
      4⤵
      PID:11124
  - - C:\Users\Admin\AppData\Local\Temp\Unicorn-51431.exe
      C:\Users\Admin\AppData\Local\Temp\Unicorn-51431.exe
      4⤵
      PID:14616
- - C:\Users\Admin\AppData\Local\Temp\Unicorn-44860.exe
    C:\Users\Admin\AppData\Local\Temp\Unicorn-44860.exe
    3⤵
    PID:10812
- - C:\Users\Admin\AppData\Local\Temp\Unicorn-47596.exe
    C:\Users\Admin\AppData\Local\Temp\Unicorn-47596.exe
    3⤵
    PID:14452
- C:\Users\Admin\AppData\Local\Temp\Unicorn-18767.exe
  C:\Users\Admin\AppData\Local\Temp\Unicorn-18767.exe
  2⤵
  PID:5600
- - C:\Users\Admin\AppData\Local\Temp\Unicorn-2287.exe
    C:\Users\Admin\AppData\Local\Temp\Unicorn-2287.exe
    3⤵
    PID:5620
  - - C:\Users\Admin\AppData\Local\Temp\Unicorn-33092.exe
      C:\Users\Admin\AppData\Local\Temp\Unicorn-33092.exe
      4⤵
      PID:11208
  - - C:\Users\Admin\AppData\Local\Temp\Unicorn-54446.exe
      C:\Users\Admin\AppData\Local\Temp\Unicorn-54446.exe
      4⤵
      PID:14904
  - - C:\Users\Admin\AppData\Local\Temp\Unicorn-23744.exe
      C:\Users\Admin\AppData\Local\Temp\Unicorn-23744.exe
      4⤵
      PID:15320
- - C:\Users\Admin\AppData\Local\Temp\Unicorn-56506.exe
    C:\Users\Admin\AppData\Local\Temp\Unicorn-56506.exe
    3⤵
    PID:10128
- - C:\Users\Admin\AppData\Local\Temp\Unicorn-43978.exe
    C:\Users\Admin\AppData\Local\Temp\Unicorn-43978.exe
    3⤵
    PID:14208
- C:\Users\Admin\AppData\Local\Temp\Unicorn-39045.exe
  C:\Users\Admin\AppData\Local\Temp\Unicorn-39045.exe
  2⤵
  PID:8040
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 8040 -s 484
    3⤵
    - Program crash
    PID:13208
- - C:\Users\Admin\AppData\Local\Temp\Unicorn-47778.exe
    C:\Users\Admin\AppData\Local\Temp\Unicorn-47778.exe
    3⤵
    - System Location Discovery: System Language Discovery
    PID:13464
- C:\Users\Admin\AppData\Local\Temp\Unicorn-33020.exe
  C:\Users\Admin\AppData\Local\Temp\Unicorn-33020.exe
  2⤵
  PID:10296
- C:\Users\Admin\AppData\Local\Temp\Unicorn-6873.exe
  C:\Users\Admin\AppData\Local\Temp\Unicorn-6873.exe
  2⤵
  PID:15172

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 456 -p 4548 -ip 4548
1⤵
PID:3232

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 360 -p 4220 -ip 4220
1⤵
PID:2692

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 512 -p 4804 -ip 4804
1⤵
PID:1516

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 360 -p 5044 -ip 5044
1⤵
PID:3936

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 520 -p 1928 -ip 1928
1⤵
PID:3292

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 524 -p 3100 -ip 3100
1⤵
PID:2124

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 504 -p 1268 -ip 1268
1⤵
PID:2308

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 580 -p 632 -ip 632
1⤵
PID:4616

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 620 -p 1428 -ip 1428
1⤵
PID:4512

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 612 -p 4604 -ip 4604
1⤵
PID:3784

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 596 -p 4312 -ip 4312
1⤵
PID:4340

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 552 -p 4064 -ip 4064
1⤵
PID:1720

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 360 -p 4540 -ip 4540
1⤵
PID:4948

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 540 -p 3728 -ip 3728
1⤵
PID:4092

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 472 -p 1664 -ip 1664
1⤵
PID:968

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 580 -p 456 -ip 456
1⤵
PID:4708

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 536 -p 3768 -ip 3768
1⤵
PID:4700

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 600 -p 1028 -ip 1028
1⤵
PID:3992

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 632 -p 3952 -ip 3952
1⤵
PID:3648

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 628 -p 4676 -ip 4676
1⤵
PID:4928

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 628 -p 456 -ip 456
1⤵
PID:2584

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 636 -p 1384 -ip 1384
1⤵
PID:1232

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 684 -p 1516 -ip 1516
1⤵
PID:1492

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 560 -p 2808 -ip 2808
1⤵
PID:4556

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 424 -p 4456 -ip 4456
1⤵
PID:4516

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 536 -p 1724 -ip 1724
1⤵
PID:1356

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 544 -p 4308 -ip 4308
1⤵
PID:2736

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 504 -p 4148 -ip 4148
1⤵
PID:3608

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 580 -p 756 -ip 756
1⤵
PID:4560

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 628 -p 1020 -ip 1020
1⤵
PID:1144

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 564 -p 2724 -ip 2724
1⤵
PID:2188

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 524 -p 4324 -ip 4324
1⤵
PID:2204

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 568 -p 2536 -ip 2536
1⤵
PID:4184

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 660 -p 1700 -ip 1700
1⤵
PID:1316

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 516 -p 2008 -ip 2008
1⤵
PID:2840

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 568 -p 2600 -ip 2600
1⤵
PID:4872

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 600 -p 3524 -ip 3524
1⤵
PID:1132

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 684 -p 1584 -ip 1584
1⤵
PID:3272

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 648 -p 4192 -ip 4192
1⤵
PID:3292

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 640 -p 3152 -ip 3152
1⤵
PID:2872

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 508 -p 60 -ip 60
1⤵
PID:3532

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 684 -p 1616 -ip 1616
1⤵
PID:2016

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 552 -p 4556 -ip 4556
1⤵
PID:4440

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 512 -p 2736 -ip 2736
1⤵
PID:4708

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 676 -p 2004 -ip 2004
1⤵
PID:4396

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 452 -p 4224 -ip 4224
1⤵
PID:212

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 644 -p 1544 -ip 1544
1⤵
PID:752

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 424 -p 4228 -ip 4228
1⤵
PID:2672

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 540 -p 456 -ip 456
1⤵
PID:3060

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 524 -p 4336 -ip 4336
1⤵
PID:684

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 680 -p 4092 -ip 4092
1⤵
PID:2872

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 520 -p 4924 -ip 4924
1⤵
PID:2016

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 564 -p 2932 -ip 2932
1⤵
PID:1356

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 424 -p 816 -ip 816
1⤵
PID:772

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 644 -p 4404 -ip 4404
1⤵
PID:1136

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 708 -p 2532 -ip 2532
1⤵
PID:532

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 676 -p 876 -ip 876
1⤵
PID:4296

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 512 -p 4796 -ip 4796
1⤵
PID:968

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 712 -p 4068 -ip 4068
1⤵
PID:2308

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 676 -p 4512 -ip 4512
1⤵
PID:3644

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 660 -p 3404 -ip 3404
1⤵
PID:1356

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 536 -p 2920 -ip 2920
1⤵
PID:2308

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 528 -p 1736 -ip 1736
1⤵
PID:208

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 564 -p 4692 -ip 4692
1⤵
PID:3328

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 532 -p 628 -ip 628
1⤵
PID:5156

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 612 -p 3588 -ip 3588
1⤵
PID:5216

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 616 -p 4464 -ip 4464
1⤵
PID:5280

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 548 -p 4292 -ip 4292
1⤵
PID:5488

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 724 -p 1084 -ip 1084
1⤵
PID:5540

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 424 -p 4848 -ip 4848
1⤵
PID:5728

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 600 -p 4708 -ip 4708
1⤵
PID:5764

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 664 -p 1912 -ip 1912
1⤵
PID:5792

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 560 -p 772 -ip 772
1⤵
PID:5908

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 656 -p 3992 -ip 3992
1⤵
PID:5944

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 452 -p 2608 -ip 2608
1⤵
PID:6000

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 424 -p 1236 -ip 1236
1⤵
PID:6056

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 644 -p 2020 -ip 2020
1⤵
PID:3032

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 744 -p 2872 -ip 2872
1⤵
PID:5316

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 580 -p 5172 -ip 5172
1⤵
PID:4872

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 600 -p 3960 -ip 3960
1⤵
PID:5420

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 508 -p 3532 -ip 3532
1⤵
PID:5772

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 692 -p 228 -ip 228
1⤵
PID:5928

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 556 -p 5204 -ip 5204
1⤵
PID:5124

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 640 -p 5348 -ip 5348
1⤵
PID:6008

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 5560 -ip 5560
1⤵
PID:5944

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 636 -p 5356 -ip 5356
1⤵
PID:2972

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 720 -p 5744 -ip 5744
1⤵
PID:3980

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 588 -p 5396 -ip 5396
1⤵
PID:5312

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 744 -p 5440 -ip 5440
1⤵
PID:5556

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 608 -p 5388 -ip 5388
1⤵
PID:5212

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 672 -p 5600 -ip 5600
1⤵
PID:5912

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 764 -p 5228 -ip 5228
1⤵
PID:5272

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 668 -p 5520 -ip 5520
1⤵
PID:5620

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 732 -p 5464 -ip 5464
1⤵
PID:6124

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 772 -p 5812 -ip 5812
1⤵
PID:5944

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 784 -p 688 -ip 688
1⤵
PID:6236

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 552 -p 5860 -ip 5860
1⤵
PID:6360

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 708 -p 5844 -ip 5844
1⤵
PID:6504

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 812 -p 5428 -ip 5428
1⤵
PID:6516

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 744 -p 6040 -ip 6040
1⤵
PID:6660

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 360 -p 6092 -ip 6092
1⤵
PID:6792

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 560 -p 5896 -ip 5896
1⤵
PID:6836

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 664 -p 1356 -ip 1356
1⤵
PID:6852

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 636 -p 5200 -ip 5200
1⤵
PID:6936

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 576 -p 6032 -ip 6032
1⤵
PID:6968

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 820 -p 5852 -ip 5852
1⤵
PID:7152

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 652 -p 5128 -ip 5128
1⤵
PID:5316

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 676 -p 208 -ip 208
1⤵
PID:6404

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 708 -p 532 -ip 532
1⤵
PID:6760

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 716 -p 6084 -ip 6084
1⤵
PID:1548

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 668 -p 5224 -ip 5224
1⤵
PID:6688

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 736 -p 5708 -ip 5708
1⤵
PID:5620

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 656 -p 5960 -ip 5960
1⤵
PID:6848

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 764 -p 684 -ip 684
1⤵
PID:1244

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 672 -p 5460 -ip 5460
1⤵
PID:1460

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 664 -p 2420 -ip 2420
1⤵
PID:7080

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 388 -p 4956 -ip 4956
1⤵
PID:1476

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 788 -p 5488 -ip 5488
1⤵
PID:6856

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 720 -p 5544 -ip 5544
1⤵
PID:6504

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 780 -p 5828 -ip 5828
1⤵
PID:6924

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 448 -p 5152 -ip 5152
1⤵
PID:6972

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 388 -p 5308 -ip 5308
1⤵
PID:6612

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 664 -p 6692 -ip 6692
1⤵
PID:2308

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 780 -p 3800 -ip 3800
1⤵
PID:7288

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 720 -p 5540 -ip 5540
1⤵
PID:7360

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 612 -p 5372 -ip 5372
1⤵
PID:7472

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 652 -p 4360 -ip 4360
1⤵
PID:7508

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 708 -p 6200 -ip 6200
1⤵
PID:7632

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 704 -p 5280 -ip 5280
1⤵
PID:7812

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 388 -p 6152 -ip 6152
1⤵
PID:7904

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 532 -p 5660 -ip 5660
1⤵
PID:7944

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 732 -p 6432 -ip 6432
1⤵
PID:8076

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 720 -p 5728 -ip 5728
1⤵
PID:6544

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 580 -p 5796 -ip 5796
1⤵
PID:6968

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 704 -p 6100 -ip 6100
1⤵
PID:7688

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 620 -p 5584 -ip 5584
1⤵
PID:7584

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 596 -p 5140 -ip 5140
1⤵
PID:7840

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 772 -p 6812 -ip 6812
1⤵
PID:7900

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 792 -p 5772 -ip 5772
1⤵
PID:7948

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 780 -p 6188 -ip 6188
1⤵
PID:6504

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 580 -p 2972 -ip 2972
1⤵
PID:6596

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 560 -p 7128 -ip 7128
1⤵
PID:7552

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 552 -p 1212 -ip 1212
1⤵
PID:7908

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 836 -p 6728 -ip 6728
1⤵
PID:7736

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 708 -p 6060 -ip 6060
1⤵
PID:7948

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 768 -p 6912 -ip 6912
1⤵
PID:8212

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 620 -p 6992 -ip 6992
1⤵
PID:8228

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 832 -p 7052 -ip 7052
1⤵
PID:8300

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 860 -p 7164 -ip 7164
1⤵
PID:8372

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 564 -p 7136 -ip 7136
1⤵
PID:8480

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 780 -p 1244 -ip 1244
1⤵
PID:8772

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 720 -p 6740 -ip 6740
1⤵
PID:8836

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 740 -p 6608 -ip 6608
1⤵
PID:9192

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 860 -p 6540 -ip 6540
1⤵
PID:7392

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 508 -p 7092 -ip 7092
1⤵
PID:5376

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 884 -p 7032 -ip 7032
1⤵
PID:8036

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 560 -p 4872 -ip 4872
1⤵
PID:6160

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 720 -p 6720 -ip 6720
1⤵
PID:8324

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 900 -p 7072 -ip 7072
1⤵
PID:8236

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 740 -p 7024 -ip 7024
1⤵
PID:8256

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 588 -p 6196 -ip 6196
1⤵
PID:8544

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 880 -p 5704 -ip 5704
1⤵
PID:8372

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 556 -p 7008 -ip 7008
1⤵
PID:6568

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 656 -p 7100 -ip 7100
1⤵
PID:8996

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 636 -p 6672 -ip 6672
1⤵
PID:9056

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 764 -p 6900 -ip 6900
1⤵
PID:7724

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 448 -p 3032 -ip 3032
1⤵
PID:8392

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 768 -p 5752 -ip 5752
1⤵
PID:8784

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 508 -p 7232 -ip 7232
1⤵
PID:2128

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 632 -p 5804 -ip 5804
1⤵
PID:8288

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 820 -p 7844 -ip 7844
1⤵
PID:8208

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 912 -p 6692 -ip 6692
1⤵
PID:9268

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 556 -p 5672 -ip 5672
1⤵
PID:9496

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 576 -p 6848 -ip 6848
1⤵
PID:9652

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 508 -p 6664 -ip 6664
1⤵
PID:9760

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 768 -p 2676 -ip 2676
1⤵
PID:9892

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 520 -p 6700 -ip 6700
1⤵
PID:10056

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 820 -p 5212 -ip 5212
1⤵
PID:10120

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 816 -p 7184 -ip 7184
1⤵
PID:8488

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 936 -p 5620 -ip 5620
1⤵
PID:8392

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 948 -p 7648 -ip 7648
1⤵
PID:3376

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 656 -p 6856 -ip 6856
1⤵
PID:9408

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 424 -p 7124 -ip 7124
1⤵
PID:9384

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 764 -p 5420 -ip 5420
1⤵
PID:9664

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 860 -p 5740 -ip 5740
1⤵
PID:9316

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 680 -p 5336 -ip 5336
1⤵
PID:9340

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 896 -p 5264 -ip 5264
1⤵
PID:9356

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 944 -p 7480 -ip 7480
1⤵
PID:9856

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 732 -p 6164 -ip 6164
1⤵
PID:5764

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 360 -p 6836 -ip 6836
1⤵
PID:9904

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 828 -p 7000 -ip 7000
1⤵
PID:8852

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 820 -p 6636 -ip 6636
1⤵
PID:6696

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 948 -p 7668 -ip 7668
1⤵
PID:9284

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 720 -p 7568 -ip 7568
1⤵
PID:8712

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 620 -p 6920 -ip 6920
1⤵
PID:8208

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 856 -p 7048 -ip 7048
1⤵
PID:9444

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 680 -p 7628 -ip 7628
1⤵
PID:10292

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 528 -p 7396 -ip 7396
1⤵
PID:10380

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 656 -p 5760 -ip 5760
1⤵
PID:10416

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 860 -p 7428 -ip 7428
1⤵
PID:10456

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 960 -p 8104 -ip 8104
1⤵
PID:10484

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 916 -p 8020 -ip 8020
1⤵
PID:10568

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 856 -p 7560 -ip 7560
1⤵
PID:10776

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 864 -p 7264 -ip 7264
1⤵
PID:10896

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 852 -p 7404 -ip 7404
1⤵
PID:9284

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 656 -p 7892 -ip 7892
1⤵
PID:10356

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 728 -p 7768 -ip 7768
1⤵
PID:10856

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 896 -p 6948 -ip 6948
1⤵
PID:10460

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 944 -p 8136 -ip 8136
1⤵
PID:10908

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 680 -p 7704 -ip 7704
1⤵
PID:11132

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 7676 -ip 7676
1⤵
PID:10852

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 424 -p 7328 -ip 7328
1⤵
PID:10980

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 744 -p 2308 -ip 2308
1⤵
PID:11720

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 720 -p 7744 -ip 7744
1⤵
PID:11784

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 532 -p 1476 -ip 1476
1⤵
PID:11880

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 360 -p 7620 -ip 7620
1⤵
PID:11980

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 520 -p 7492 -ip 7492
1⤵
PID:12088

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 680 -p 7016 -ip 7016
1⤵
PID:11520

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 896 -p 7688 -ip 7688
1⤵
PID:12184

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 524 -p 8040 -ip 8040
1⤵
PID:12872

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 680 -p 6924 -ip 6924
1⤵
PID:13036

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 516 -p 8576 -ip 8576
1⤵
PID:14220

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 524 -p 8176 -ip 8176
1⤵
PID:13852

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 524 -p 8048 -ip 8048
1⤵
PID:14500

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 560 -p 7412 -ip 7412
1⤵
PID:15916

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 704 -p 15340 -ip 15340
1⤵
PID:16136

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 552 -p 8128 -ip 8128
1⤵
PID:13956

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 560 -p 3524 -ip 3524
1⤵
PID:14536

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\Unicorn-10836.exe

Filesize
184KB

MD5
c93b7ee92bca2876edadc0b415691638

SHA1
49c261150b2fd6779b15d2723ea740ecd4a77cd3

SHA256
a678c1196f41b301dcb0cce8eb46ae549692d23ab0a645968d777b417240a87c

SHA512
e4989e2eb68d3f4b10cee463c5b7ed24448a43b5d1efb3afd1547fe5a04bb86d4a72fd0e310d8a1f0721fca225f3d0c3be80879010b42c71403892e8e0926b2c

Download Submit
C:\Users\Admin\AppData\Local\Temp\Unicorn-11273.exe

Filesize
184KB

MD5
3bff201a610e37525451dd6f5eb4cac9

SHA1
273b4ebff03edbe207703e6f95dc11c1651a9c6c

SHA256
a3e253725ca563db4b22e99457297cc7a25a79b08108556bfa6ffe135ef0c14a

SHA512
c96d3e638282febaadbdade5cda39bf62bf6c6d47b025ab698f056c2779318fd45f5b935bcc72a2b2f17d237d6375787c52d1bc4e841a5d99d69c51158e277c7

Download Submit
C:\Users\Admin\AppData\Local\Temp\Unicorn-14536.exe

Filesize
184KB

MD5
9ae25d5b31682bcbea4a2da4ec2c83e8

SHA1
45972481eb02c288a94573308a5cb6c2c27e260c

SHA256
1f9d491805d74822e4c33a8d861b835c5c694d8851957285dd12d281ff9c2343

SHA512
8cde6dfc6d1cf71ed0828a10414b2e26ddedd25ca3031df0d33ff5f269b8700d404136f05b2b928150a1dce348199b33983f0ced0b7804d42cad7a3172ce2e35

Download Submit
C:\Users\Admin\AppData\Local\Temp\Unicorn-16530.exe

Filesize
184KB

MD5
2b155278f91bfdbae49170a6e5d3b00c

SHA1
c58d21f7520f8aaa01c7d4c99ab88de681a115b0

SHA256
5a598e2af4ce9586eb7939e4e685ee52003ce9defb5a06f0bccb101c4306c28c

SHA512
389ee42ccfc1e15c460da92026431d939d7a2a00fe1388f5427e197276f6eec8e66e36f2422b0b4a303f53dbbddb975ab11c05d8fd32b138eb65d9cc343c0a3c

Download Submit
C:\Users\Admin\AppData\Local\Temp\Unicorn-16729.exe

Filesize
184KB

MD5
dbaa78ca79f8a16cf8f2320f10be57df

SHA1
f6527859beaebcddd374f6a9769a604c554b05b5

SHA256
589668e61cf8f18b18c8d1189bef6896674614bf1642468fa2e2f38c131ec37e

SHA512
007c70299be3ca6d35e4951ddb0f08086ccda2b45077add63d91435187af329230d19bda952d2ac6288c851f6ce3dcf15521c3fddf5d8be180eb1395d48f810b

Download Submit
C:\Users\Admin\AppData\Local\Temp\Unicorn-18917.exe

Filesize
184KB

MD5
3416341bb7ea32edb036a84ecc951021

SHA1
2eea24858a6139b27fb9b2817350c767e57df247

SHA256
ae119c74b31f1aabdb131edbc3151f3d51c5742555b14c2d9dff1eb8c7dbc9a6

SHA512
e7f76ed2d6879f6415466d766480f8ee78b8148097e894ec6ee2470ae6a26a9b8bec3498e4f260caffd9a36b1ee9c6e4b10d471e8c0114291c3639d227d49a3a

Download Submit
C:\Users\Admin\AppData\Local\Temp\Unicorn-18928.exe

Filesize
184KB

MD5
1e193cf727e51240b42d4708c1b228a9

SHA1
707c1f24dd605ed878da3d482b8d1ad7f9b06fa5

SHA256
7da75a09e7da2484e7509ff6554d3026deb7de15dfdf92e0b5c771599cb00e22

SHA512
6b3a1341aa677b2c118e15a82ae737ea711d52a7123346aa3ccde545708e9930c41a8143391643b8980b9cc0e78250198976b408ed22d2d31afc9d738f5300c9

Download Submit
C:\Users\Admin\AppData\Local\Temp\Unicorn-19689.exe

Filesize
184KB

MD5
6a6547fd78cc5814fce6c4af57c9d6df

SHA1
7b12b400e4145de774464680c46bc5bd06fad759

SHA256
129d684a12534b2099e58fd6a1d6d44df1dafd05e482b80927bbe614aa628da2

SHA512
052670fa32737914222f2c0cd2e86a7a2cec23e99c48035559087c22a0598d36dbd5aae6839d33f8d5f57fb2f54e3d6c8d41ca8a72dd909ac660fcba6005ed36

Download Submit
C:\Users\Admin\AppData\Local\Temp\Unicorn-21683.exe

Filesize
184KB

MD5
b4d59e9a0dd6673b2edd23daacd5c3d6

SHA1
421a87610c6368ac5a8d87d7d32c24183b169efc

SHA256
de2dbc7977a6b35fec3b1ebdb802d39fff0a10853d3393235462d0e074fde6cf

SHA512
c5676911de3ec0fea5c944ee5cb57f7a75e53b408d0f4661c881839b9895b11b4667454a2dd106c7301d267f58088c0307e29adb72849d6293c2935deba3e033

Download Submit
C:\Users\Admin\AppData\Local\Temp\Unicorn-23909.exe

Filesize
184KB

MD5
7ffe1b43ac04a53f420c3d15fc1fe60d

SHA1
666053cafb1da4c0dcc65859015f02f5e09167f3

SHA256
e7a6402d44e3841c6bc397702bd552447078581d0e446d775c5b5ad0ce8e3548

SHA512
92951eea01a9b087fead079bd079dfb9bd5571e368076ba19fbcfd08c0ebcf83dde7add8e55807740e4ba9597fffa8e34c2dc019c33be07e19f9db49625aa563

Download Submit
C:\Users\Admin\AppData\Local\Temp\Unicorn-26727.exe

Filesize
184KB

MD5
a167c27450b0576e88c9a18769cb3bbc

SHA1
54b1929a163ecaed7333017b863708b39de3aa33

SHA256
01615fedb31524a5302bd65cd4433347f0bf37643783fe8b8219719abb6ca4ef

SHA512
fcd249ab8fe7ff587682ef513eb4c7554d54aebe2713273f390505d24348166852468562dd89f872527e0c4d1300da261ad4134dd1b27858e65bbda0867e6589

Download Submit
C:\Users\Admin\AppData\Local\Temp\Unicorn-28630.exe

Filesize
184KB

MD5
49de09579f59bb5c4fe9a374fc4637cd

SHA1
6eaa11c2f889fe537b4c9770c349b66521c608f2

SHA256
1edefff71dd923c5ea7304faee7025ca38497c0d759fe64796d2b8b560ccc6ee

SHA512
0ac1a91663a4aad3860959a62a91bcf1bed56b91a7bfd0a5dd068607d29c7fc4116a5633546a72d4a3e16ee1c94d89635eb285ad248de03f2932849114ef7799

Download Submit
C:\Users\Admin\AppData\Local\Temp\Unicorn-28713.exe

Filesize
184KB

MD5
1d7ff6740f9a6a114166073ea81cf01c

SHA1
ca1549bfc819fdd94da392ff8a821e594dba3c6d

SHA256
c3aa4620411a244f5d4c56bfd62c677878adf036121836ba5c379d54311da776

SHA512
e7d1824048c18c529c96595e02bd5054391edd51700c04c5f8844659d21751826b365ec8fe95b7f2041b5531267e9fdb38b18d57acd09c56fc411fc87eeb97a9

Download Submit
C:\Users\Admin\AppData\Local\Temp\Unicorn-29742.exe

Filesize
184KB

MD5
0bac88becf2d1817afbb2b8a98f50fe3

SHA1
84687a3b7b83602986c0d081e6e530613d63b51c

SHA256
ddb46102fa698f842d751e0accec15c3792896dd380c0ff0d69ab5aec8afbe24

SHA512
aae5f56b61661fa0b17ba116dde9bc1141632cd76b157c2ddb6432c46800e1ab1e012c0c35565df4d1b1ebf35db6b7a82c71cb469906011dbd9fc2de0795415f

Download Submit
C:\Users\Admin\AppData\Local\Temp\Unicorn-31124.exe

Filesize
184KB

MD5
7207bb88f0a508a2aee26913ad9f4edd

SHA1
2f5726683d9bc525f4a5b00f7938188866ed1257

SHA256
e90b40b6606a0d8b1a45bba9b9dd489e190c188dfa1443eb408727a16bb70382

SHA512
a2f91b15fa82382870614b226127e8c82401f9b625e5f6a983240def2c8a133153b29102df5a19e99ed9b83af39661727b15e07ba72b26e9c0ab03bd042c916a

Download Submit
C:\Users\Admin\AppData\Local\Temp\Unicorn-33442.exe

Filesize
184KB

MD5
746bfbd3b0a1c85727219c1dd0291723

SHA1
a63befdda7fefa66c616621d34913a82dd63eef2

SHA256
fe7e6fee8bb543c90ecffaf1a6a01a98bb3885dc625512f9c578102c2f45703a

SHA512
d00c7a447495d6dcbbf4f1c5d6fc186900b14d75d2e0de02c1a3181f22f7c03422f8d008dd6864872861ccf3952b72b9611f451438068cad43ec9ec6e8afb515

Download Submit
C:\Users\Admin\AppData\Local\Temp\Unicorn-34293.exe

Filesize
184KB

MD5
b5af81acda9aa67a02c15ab9fef58584

SHA1
20963209d29ff94fcde589df82be7cbcd9281df3

SHA256
b5ac0b1f3eb388b3672f0410f44570dea823d190367b7926d183290eb0214fb9

SHA512
67c51b33324931a54d774f2be7b615af71ebcb902595cfa506d1dd1f9436a8595d8250684452650a4035d0553984324dcbced2f0f931c14d76aa4c3255dac9ba

Download Submit
C:\Users\Admin\AppData\Local\Temp\Unicorn-34489.exe

Filesize
184KB

MD5
7378d0a6a7b19fefdfdcfd4c3fee91a0

SHA1
c388e14a391d3a5497b1fa8a52f90506b59c35cf

SHA256
4d694226782806774a58f2acfa988cc519ad58f626b41a0988988e8c6d69a5eb

SHA512
61dca492c2704cdb21d9e9796a3fd2c79949d906597da3aa088701de9923503d09701f4cff86e28090848ecc05f459740323eeb8817e2cca77b6cfb82738cd76

Download Submit
C:\Users\Admin\AppData\Local\Temp\Unicorn-34493.exe

Filesize
184KB

MD5
ac10ea229a8f82c7b9e0aecaa690e0d8

SHA1
a68c59197f2659cee2e54acac8a6a91108581201

SHA256
e9f096dec19e18b2cd205041f5f0b18b427e8505aea963e2495eb3a7332de0c9

SHA512
f7ea20d339a89852d50615d00d1bd87e7b49b98fe62ca3aed46c16733d6d1f754ebefed8e716c67efba318e8fe7a300e98316af93f832f94acf9fae6eca23bb7

Download Submit
C:\Users\Admin\AppData\Local\Temp\Unicorn-36995.exe

Filesize
184KB

MD5
1f4c7608d899803c7862f0211be2cde4

SHA1
c73b18b4f755915ebfc8f42f967dd5ade08abf30

SHA256
a01e5ccdfc854ce1cc59df7ac8b71114c7f3cfc8046a0ba689a81eee87961b21

SHA512
d5fdab02eae4d5182a9a7d48478880ace9f81d5ec9626f01420353c830ee99f232ae90a8d0c91c42ef16cd19abf8ff9293425c452ec5b56e74ffe1a93088abf6

Download Submit
C:\Users\Admin\AppData\Local\Temp\Unicorn-37042.exe

Filesize
184KB

MD5
35eda1be80fcd6b403f79e4ee7cfdbbc

SHA1
ac0919abf9e54d9f29f6696f57765a9129d231c5

SHA256
b98a8d56db846e5b08fc1c1f8d5fb1997af745a63470d480b98b0cca4d1e3c3a

SHA512
4033c64a8d13bb3a59ce974fe914cd39392b096e745d066ef1057b676695c178d591ec119cdb375298e920df8d4ca6669b5734205ac999d1790860056d4c6de5

Download Submit
C:\Users\Admin\AppData\Local\Temp\Unicorn-38765.exe

Filesize
184KB

MD5
9f6c3b34f6b2089c171ee61f35e1e293

SHA1
e10b4cd35f4e36160f0944195fed13f3ccc36c92

SHA256
3431c775a4598d7a0f7183a18a5bee53944fe5f967728290392442ae5b7a3c89

SHA512
55d920365d0734f8c900c1dcfe1c83191ab48afec226431b19c9e946135d3d2d3f24eca02834a73b7f948427ca63600f1be056e52615074974f6f782cd141a2f

Download Submit
C:\Users\Admin\AppData\Local\Temp\Unicorn-39917.exe

Filesize
184KB

MD5
5952c918ffaa9c04fe2c01a78053a445

SHA1
8c00a3caee24de2600524c7c4499ade4fbcd762f

SHA256
4597f8020c0924a2bdd5214559e4936baa6fec242fb8fb650c5e8f532eabffbd

SHA512
1db1e2e5b5fca95e39eaeaf12e9801a2d404481a2e7b9cafea35895aeafa73020330087839b00fd9c45e7b77e4ccd8898452d3df8e828d773e98adc7e8e12417

Download Submit
C:\Users\Admin\AppData\Local\Temp\Unicorn-41392.exe

Filesize
184KB

MD5
0d457b9d8a689629d07ad9a10744a3a2

SHA1
0b1c67f7941bc7157e16291a4d7972674eb60627

SHA256
577e821af6bf83ea9e9816f670346205bd4270c4316adf695d77eceb2dd48fb3

SHA512
9d72f777b72b6a37afcfb2abce5bf022a35d47ec4c5f617358a8b6fb0adeca05223b3d813ba85458f3988906fa2353808faade68dd151a48521a1a4f947122d1

Download Submit
C:\Users\Admin\AppData\Local\Temp\Unicorn-46270.exe

Filesize
184KB

MD5
3c2466619f824756e0c9a543056306f7

SHA1
d317272f9f66dc23e622b76e6ab03d6d4ba37523

SHA256
dce9106787443f83c12a65f2ffd3186b8ca4161d45f72f194935e055f78d8940

SHA512
8e13da455539c960b78b0dd59433e06dc9ecf6a3d6aa9a32007081e577c4bae66d48ebf6aaec1ab53396e78e0ff2588c89fb74ed11792072a257d58ecbcb52e1

Download Submit
C:\Users\Admin\AppData\Local\Temp\Unicorn-46581.exe

Filesize
184KB

MD5
9f5e3ed0a6ef1b3968e1e1e6fddfeb18

SHA1
a408a21be094be4e114cb2cd38488ed4358f8667

SHA256
5e81d4149ffee95ad4557fa0405d1e33149f8317c812884028824854a95489b6

SHA512
1dd886b0dcc00fbe7a34f60f575eda1f3b450a7867f760cfd8230459d3a18b1d092e30b9a9df954b2255e82343cc5fa4ab35894f0819b9b20c61254c031e6112

Download Submit
C:\Users\Admin\AppData\Local\Temp\Unicorn-50354.exe

Filesize
184KB

MD5
2be3d907a2b3b48510bd66104b4d1bed

SHA1
51805a690012d875193beaf4e7ef37711c33b6ce

SHA256
9f08c7127add910d3e7f391121a4c956a6c73be5195f2eaa8fcdf96fbff436ad

SHA512
6d8504816fe642f2c07d09135c386281098203f16f12a7c6fa2536bca55912c8505621527d3c0857909e64599c1c7330826fbb4bfe919838645fa75439decf56

Download Submit
C:\Users\Admin\AppData\Local\Temp\Unicorn-51485.exe

Filesize
184KB

MD5
19a7155cac03dba03a080dfadc8edcd3

SHA1
b7908de80aabcc5ecb9f1c46f51e1248db5283ab

SHA256
9ac583520889db26d4098fe44752bef7da8d39c905106577db05c3a628456a4d

SHA512
4af4b9ced2d6348949005d387f03326dabaf306453fc2cda4025f957ddb498c3437895a5de17fed3201d3fed9ea70660b84ec81ddced71f6a52239e943dc586c

Download Submit
C:\Users\Admin\AppData\Local\Temp\Unicorn-52300.exe

Filesize
184KB

MD5
2bbe88083eb6110a8132f5a546f1670d

SHA1
75d966c21bf41aad52314968dd60757fe7b73136

SHA256
0fcdc632af909c4fcd05e4619ed590e0eee739a372a56a5ad3fd5a1773628e55

SHA512
cd31201d154944d92e7203ea65bbdbcdeda8e65d5b4dfa00d45849961eb2c02bf0d988e2c74c4cfffd66cb73034bbb0993131aae0073bf51bdf77307b44dc7b6

Download Submit
C:\Users\Admin\AppData\Local\Temp\Unicorn-54718.exe

Filesize
184KB

MD5
bc8f21bae0e6aea454be9764c02bff9c

SHA1
3a8fd1cbf80e78614ca5e335670c31b95329f937

SHA256
5f8c89209a9ad32a34f78bb54640909ae717cf48d444b4a2236dcff0229b064a

SHA512
602ab95e9f9e49c2c4f546642899bd6a7e01c9bfbaf26660884a5aa04d9ed8c4717c731431f6ff37f27df4d71cfb3202516062b760f3aa63ca593131083f4d58

Download Submit
C:\Users\Admin\AppData\Local\Temp\Unicorn-57052.exe

Filesize
184KB

MD5
8be4a0967d0d29a34dd56db2736401a0

SHA1
0a7d918fab86517bdc35b6b38a446c9bc4a77c9a

SHA256
08a6625a663abb00f25814815af0ebdd7be6def7dfe98c6cabff4a41a6a2f3c8

SHA512
a639ae097a39377691df2495b740ce819085c050343d2b008aa7422ea02c352b90f42594bbf9e9cd42cef898704e82f5240ce49397b74e9faf0f68606e5e9439

Download Submit
C:\Users\Admin\AppData\Local\Temp\Unicorn-57658.exe

Filesize
184KB

MD5
67757e0f8aaefacfd246f1ba3618a6f4

SHA1
bad15477201dbc895fe5816502dcbeb5a781a5de

SHA256
46630ee4ad56e6f7aa8cf290feaa41a0f05cffdc9afde0cec4ed810d5dcc8cc3

SHA512
af07c451b2874a74e0a2552c09aca68d0cf8e364d5520672ce20285495a922a6d2355cc24f36a941fecfe31543276cb253e97b96c37afb29be1fc0693e38eef5

Download Submit
C:\Users\Admin\AppData\Local\Temp\Unicorn-58631.exe

Filesize
184KB

MD5
9b8f57f8858598459aefa792ab1f5c2a

SHA1
85c21fd6ea3a7450f677ac03287090babc669571

SHA256
be8fba55e2233bbd0c8bf79845c0794e1b15c663caeccd155baac8c700443939

SHA512
cd90f559849a3801bbd537cc80e2755212dd5bc3f289bdd584fd7c9c8d5c80cbf94a93d93361461d44fbef8a85f32c6ec5e4e6d11c7ce4b35408b67c3d2af513

Download Submit
C:\Users\Admin\AppData\Local\Temp\Unicorn-59243.exe

Filesize
184KB

MD5
2f86f1ef00722441b65d202788ded1fe

SHA1
a81cc57652c62c87506b1217d88d16bdd1012c43

SHA256
ef5ea5782d967cf7ea541c2367a79db3d397d2eb2cccee1b00162372b36834d9

SHA512
9218d4cbff6afcb9d1ab5b1bb35959cfd54cca3416d70c4c741946da8d93429300c21ae62ba119a1281be4f9984652da5eb5cff01d5633e7d0a6deb736f27615

Download Submit
C:\Users\Admin\AppData\Local\Temp\Unicorn-61900.exe

Filesize
184KB

MD5
c240541722c788a4309fbddd11f82392

SHA1
e3e337846c5b5c0761749dc8f29f2fa27ded3ad9

SHA256
af72e5b7848cc81c16d583125f4909a083f0ab3efacafae0b44031497bf5e628

SHA512
c7cfb02234efb7d3a591aaa1ecdb49117d4c424a87ad726d1b89da40003c1a45bbafe7ed77bf6f1097be29447f10b9da102abd9bdd3562e28dd97e94662fc32c

Download Submit
C:\Users\Admin\AppData\Local\Temp\Unicorn-64505.exe

Filesize
184KB

MD5
4e5567d7f759ab8171614083f0e8ac0c

SHA1
d4992e13440c31391c4006c90938e2317dbc2915

SHA256
29e48584fa9e966514ac4099f8bdf3350506f3fa41fc578940382063b9f45ebc

SHA512
913833d99961ed03374fb497f366265adb66e5bf248b67e9db45283e3e6af42b97493438490119055d1db6476f3e51695a9825e6382951b6aac020f264357b07

Download Submit
C:\Users\Admin\AppData\Local\Temp\Unicorn-6669.exe

Filesize
184KB

MD5
da83bd14bcc31dfa0c283aae0cb9dd4d

SHA1
e87793a620cc29f7294201e11df00cc5cc4f1a27

SHA256
7df49a25a8a4c877baf2717275f070906e60821edf42152085afeafcb62e3a1d

SHA512
79c8133a361eddfc5562126b2a4bc4557d6d03051dd8c2a9533f40e79e1818caa0ad3d4c774e7a523abb923fca5d8b3e758e0463a075ce0607b749e88cf6f5fd

Download Submit
C:\Users\Admin\AppData\Local\Temp\Unicorn-8424.exe

Filesize
184KB

MD5
12ffc23ecb2a2c8bab9a59c6f087c284

SHA1
4be00e71851658f9ac3a6a5ab3fab05a9113f4bd

SHA256
2a9d2488cd941c6f51f5ece0054f17a2527ae72c45d0195608917bdc56c2d623

SHA512
bf59c4d1b9cc0da11dcf5ddf36d8e440ebb187827c263832e0c7ed8003d416054bfac8d663740911dee55c3b17af057274f25221cbc4ea6f0d68ce53c5258965

Download Submit
memory/4804-2271-0x00000000751B0000-0x0000000075238000-memory.dmp

Filesize
544KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads