840efa5f63a9daab1ff566c1975a5b77bdd784e6879a86600c4a46956ad9f37a

Analysis

max time kernel
150s
max time network
120s
platform
windows7_x64
resource
win7-20240704-en
resource tags

arch:x64arch:x86image:win7-20240704-enlocale:en-usos:windows7-x64system
submitted
07-09-2024 23:31

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

840efa5f63a9daab1ff566c1975a5b77bdd784e6879a86600c4a46956ad9f37a.exe
Size

468KB
MD5

952041da6be3d1b7f78d1baac1a92cf8
SHA1

ed6bba60e281c775239482dc2ccfd8fece7e1d4c
SHA256

840efa5f63a9daab1ff566c1975a5b77bdd784e6879a86600c4a46956ad9f37a
SHA512

70ad561e6744b5f4ff137a63f536ee6113a24c90f3c1aa6091f194801adbbe61d2e3419951d42fd28a80e11b5073d7ed859296134ee561f38d2afcfc93b4918c
SSDEEP

3072:WAoCogudjx8U2bYwPz538f5EChjWIpzEmHevVp/VAs3XHM0Djlz:WANoFyU2HP138fs06HVAiXM0D

Score

7^/10

discovery

Malware Config

Signatures

Executes dropped EXE 64 IoCs

pid	Process
2160	Unicorn-23142.exe
2924	Unicorn-35285.exe
2752	Unicorn-31755.exe
2720	Unicorn-29338.exe
2740	Unicorn-57111.exe
2232	Unicorn-11439.exe
1704	Unicorn-55570.exe
2340	Unicorn-29674.exe
1940	Unicorn-39234.exe
3040	Unicorn-19368.exe
2408	Unicorn-39234.exe
756	Unicorn-16759.exe
1352	Unicorn-44148.exe
1424	Unicorn-26873.exe
1244	Unicorn-2368.exe
1976	Unicorn-18705.exe
840	Unicorn-7583.exe
2532	Unicorn-27449.exe
1876	Unicorn-46478.exe
2284	Unicorn-10583.exe
1684	Unicorn-49478.exe
984	Unicorn-50225.exe
1052	Unicorn-31196.exe
1504	Unicorn-19498.exe
2020	Unicorn-64444.exe
2468	Unicorn-7630.exe
2216	Unicorn-13297.exe
2836	Unicorn-9768.exe
2672	Unicorn-56276.exe
1856	Unicorn-53946.exe
2972	Unicorn-23966.exe
3008	Unicorn-62882.exe
1872	Unicorn-41070.exe
2100	Unicorn-3951.exe
2600	Unicorn-8590.exe
2800	Unicorn-59929.exe
580	Unicorn-443.exe
1436	Unicorn-29032.exe
2132	Unicorn-58881.exe
2148	Unicorn-5959.exe
1104	Unicorn-25825.exe
1568	Unicorn-23879.exe
1996	Unicorn-46992.exe
2596	Unicorn-1320.exe
1828	Unicorn-29093.exe
2804	Unicorn-48959.exe
2760	Unicorn-18787.exe
2744	Unicorn-45430.exe
2396	Unicorn-36515.exe
2092	Unicorn-47376.exe
2376	Unicorn-18617.exe
1048	Unicorn-65487.exe
328	Unicorn-23063.exe
2060	Unicorn-59457.exe
1540	Unicorn-27723.exe
1944	Unicorn-43505.exe
2128	Unicorn-52420.exe
1756	Unicorn-3027.exe
1604	Unicorn-18809.exe
2932	Unicorn-13333.exe
2436	Unicorn-39805.exe
3032	Unicorn-22077.exe
2956	Unicorn-54003.exe
3052	Unicorn-718.exe

Loads dropped DLL 64 IoCs

pid	Process
2520	840efa5f63a9daab1ff566c1975a5b77bdd784e6879a86600c4a46956ad9f37a.exe
2520	840efa5f63a9daab1ff566c1975a5b77bdd784e6879a86600c4a46956ad9f37a.exe
2160	Unicorn-23142.exe
2160	Unicorn-23142.exe
2520	840efa5f63a9daab1ff566c1975a5b77bdd784e6879a86600c4a46956ad9f37a.exe
2520	840efa5f63a9daab1ff566c1975a5b77bdd784e6879a86600c4a46956ad9f37a.exe
2752	Unicorn-31755.exe
2752	Unicorn-31755.exe
2160	Unicorn-23142.exe
2160	Unicorn-23142.exe
2924	Unicorn-35285.exe
2924	Unicorn-35285.exe
2392	WerFault.exe
2392	WerFault.exe
2392	WerFault.exe
2392	WerFault.exe
2392	WerFault.exe
2720	Unicorn-29338.exe
2720	Unicorn-29338.exe
2752	Unicorn-31755.exe
2752	Unicorn-31755.exe
2924	Unicorn-35285.exe
2740	Unicorn-57111.exe
2924	Unicorn-35285.exe
2740	Unicorn-57111.exe
2232	Unicorn-11439.exe
2232	Unicorn-11439.exe
2708	WerFault.exe
2708	WerFault.exe
2708	WerFault.exe
2708	WerFault.exe
1084	WerFault.exe
1084	WerFault.exe
1084	WerFault.exe
1084	WerFault.exe
1084	WerFault.exe
2708	WerFault.exe
1704	Unicorn-55570.exe
2720	Unicorn-29338.exe
1704	Unicorn-55570.exe
2720	Unicorn-29338.exe
3040	Unicorn-19368.exe
3040	Unicorn-19368.exe
2340	Unicorn-29674.exe
2340	Unicorn-29674.exe
2408	Unicorn-39234.exe
2408	Unicorn-39234.exe
2232	Unicorn-11439.exe
2232	Unicorn-11439.exe
1940	Unicorn-39234.exe
1940	Unicorn-39234.exe
2740	Unicorn-57111.exe
2740	Unicorn-57111.exe
1964	WerFault.exe
1964	WerFault.exe
1964	WerFault.exe
1964	WerFault.exe
1964	WerFault.exe
812	WerFault.exe
812	WerFault.exe
812	WerFault.exe
812	WerFault.exe
812	WerFault.exe
2992	WerFault.exe

Program crash 64 IoCs

pid	pid_target	Process	procid_target
2868	2520	WerFault.exe	29
2392	2160	WerFault.exe	30
2708	2752	WerFault.exe	32
1084	2924	WerFault.exe	31
1964	2720	WerFault.exe	34
812	2232	WerFault.exe	36
2992	2740	WerFault.exe	35
596	1704	WerFault.exe	38
2084	3040	WerFault.exe	40
2192	2340	WerFault.exe	39
2528	2408	WerFault.exe	42
1924	1940	WerFault.exe	41
2680	756	WerFault.exe	45
2540	1352	WerFault.exe	46
1144	1976	WerFault.exe	49
1304	1876	WerFault.exe	52
3000	2532	WerFault.exe	51
2112	840	WerFault.exe	50
2952	1424	WerFault.exe	47
996	2216	WerFault.exe	63
2248	2468	WerFault.exe	62
2772	1244	WerFault.exe	48
2876	2836	WerFault.exe	64
2640	2284	WerFault.exe	56
2892	1052	WerFault.exe	59
1796	2672	WerFault.exe	65
2120	1684	WerFault.exe	57
1608	2600	WerFault.exe	77
2788	2020	WerFault.exe	61
2072	580	WerFault.exe	79
1660	1856	WerFault.exe	66
2108	1104	WerFault.exe	83
2352	2100	WerFault.exe	76
1720	2132	WerFault.exe	81
2960	2800	WerFault.exe	78
1800	984	WerFault.exe	58
1820	2148	WerFault.exe	82
3108	1504	WerFault.exe	60
3168	3008	WerFault.exe	71
3228	2596	WerFault.exe	86
3248	2972	WerFault.exe	67
3264	1828	WerFault.exe	87
3300	1872	WerFault.exe	73
3416	2396	WerFault.exe	92
3436	2744	WerFault.exe	90
3508	2376	WerFault.exe	95
3604	328	WerFault.exe	101
3744	1540	WerFault.exe	103
3768	2804	WerFault.exe	88
3784	1436	WerFault.exe	80
3920	1696	WerFault.exe	116
3912	2760	WerFault.exe	89
3928	2092	WerFault.exe	93
3156	1568	WerFault.exe	84
3176	1400	WerFault.exe	117
3188	2060	WerFault.exe	102
3212	2128	WerFault.exe	105
3236	1944	WerFault.exe	104
3288	1996	WerFault.exe	85
3104	2436	WerFault.exe	109
3448	1756	WerFault.exe	106
3464	2932	WerFault.exe	108
3468	1048	WerFault.exe	100
3496	2956	WerFault.exe	111

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Unicorn-1320.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Unicorn-25218.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Unicorn-61100.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Unicorn-33628.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Unicorn-1038.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Unicorn-60545.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Unicorn-3951.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Unicorn-65487.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Unicorn-25218.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Unicorn-42680.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Unicorn-63020.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Unicorn-33628.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Unicorn-49123.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	840efa5f63a9daab1ff566c1975a5b77bdd784e6879a86600c4a46956ad9f37a.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Unicorn-36515.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Unicorn-41751.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Unicorn-25353.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Unicorn-9768.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Unicorn-56276.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Unicorn-43208.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Unicorn-34946.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Unicorn-8590.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Unicorn-39805.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Unicorn-38134.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Unicorn-25218.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Unicorn-49478.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Unicorn-7630.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Unicorn-15815.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Unicorn-55570.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Unicorn-19368.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Unicorn-39234.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Unicorn-10583.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Unicorn-25353.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Unicorn-3041.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Unicorn-26873.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Unicorn-18809.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Unicorn-13437.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Unicorn-42680.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Unicorn-49063.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Unicorn-25218.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Unicorn-55034.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Unicorn-41070.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Unicorn-49234.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Unicorn-25353.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Unicorn-25844.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Unicorn-25218.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Unicorn-35659.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Unicorn-18283.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Unicorn-33005.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Unicorn-52420.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Unicorn-3027.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Unicorn-13333.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Unicorn-51050.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Unicorn-24552.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Unicorn-60633.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Unicorn-39990.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Unicorn-40177.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Unicorn-19498.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Unicorn-23966.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Unicorn-23063.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Unicorn-3946.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Unicorn-25128.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Unicorn-18787.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Unicorn-7262.exe

Suspicious use of SetWindowsHookEx 64 IoCs

pid	Process
2520	840efa5f63a9daab1ff566c1975a5b77bdd784e6879a86600c4a46956ad9f37a.exe
2160	Unicorn-23142.exe
2924	Unicorn-35285.exe
2752	Unicorn-31755.exe
2720	Unicorn-29338.exe
2740	Unicorn-57111.exe
2232	Unicorn-11439.exe
1704	Unicorn-55570.exe
2340	Unicorn-29674.exe
3040	Unicorn-19368.exe
2408	Unicorn-39234.exe
1940	Unicorn-39234.exe
756	Unicorn-16759.exe
1352	Unicorn-44148.exe
1424	Unicorn-26873.exe
1244	Unicorn-2368.exe
1976	Unicorn-18705.exe
1876	Unicorn-46478.exe
2532	Unicorn-27449.exe
840	Unicorn-7583.exe
2284	Unicorn-10583.exe
984	Unicorn-50225.exe
1052	Unicorn-31196.exe
1504	Unicorn-19498.exe
1684	Unicorn-49478.exe
2468	Unicorn-7630.exe
2020	Unicorn-64444.exe
2216	Unicorn-13297.exe
2836	Unicorn-9768.exe
2672	Unicorn-56276.exe
1856	Unicorn-53946.exe
2972	Unicorn-23966.exe
3008	Unicorn-62882.exe
1872	Unicorn-41070.exe
2100	Unicorn-3951.exe
2600	Unicorn-8590.exe
2800	Unicorn-59929.exe
580	Unicorn-443.exe
1436	Unicorn-29032.exe
2132	Unicorn-58881.exe
1104	Unicorn-25825.exe
2148	Unicorn-5959.exe
2804	Unicorn-48959.exe
1996	Unicorn-46992.exe
1568	Unicorn-23879.exe
2596	Unicorn-1320.exe
1828	Unicorn-29093.exe
2760	Unicorn-18787.exe
2744	Unicorn-45430.exe
2396	Unicorn-36515.exe
2092	Unicorn-47376.exe
2376	Unicorn-18617.exe
1048	Unicorn-65487.exe
328	Unicorn-23063.exe
2060	Unicorn-59457.exe
1540	Unicorn-27723.exe
1944	Unicorn-43505.exe
2128	Unicorn-52420.exe
1756	Unicorn-3027.exe
1604	Unicorn-18809.exe
2932	Unicorn-13333.exe
2436	Unicorn-39805.exe
2956	Unicorn-54003.exe
3032	Unicorn-22077.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2520 wrote to memory of 2160	2520	840efa5f63a9daab1ff566c1975a5b77bdd784e6879a86600c4a46956ad9f37a.exe	30
PID 2520 wrote to memory of 2160	2520	840efa5f63a9daab1ff566c1975a5b77bdd784e6879a86600c4a46956ad9f37a.exe	30
PID 2520 wrote to memory of 2160	2520	840efa5f63a9daab1ff566c1975a5b77bdd784e6879a86600c4a46956ad9f37a.exe	30
PID 2520 wrote to memory of 2160	2520	840efa5f63a9daab1ff566c1975a5b77bdd784e6879a86600c4a46956ad9f37a.exe	30
PID 2160 wrote to memory of 2924	2160	Unicorn-23142.exe	31
PID 2160 wrote to memory of 2924	2160	Unicorn-23142.exe	31
PID 2160 wrote to memory of 2924	2160	Unicorn-23142.exe	31
PID 2160 wrote to memory of 2924	2160	Unicorn-23142.exe	31
PID 2520 wrote to memory of 2752	2520	840efa5f63a9daab1ff566c1975a5b77bdd784e6879a86600c4a46956ad9f37a.exe	32
PID 2520 wrote to memory of 2752	2520	840efa5f63a9daab1ff566c1975a5b77bdd784e6879a86600c4a46956ad9f37a.exe	32
PID 2520 wrote to memory of 2752	2520	840efa5f63a9daab1ff566c1975a5b77bdd784e6879a86600c4a46956ad9f37a.exe	32
PID 2520 wrote to memory of 2752	2520	840efa5f63a9daab1ff566c1975a5b77bdd784e6879a86600c4a46956ad9f37a.exe	32
PID 2520 wrote to memory of 2868	2520	840efa5f63a9daab1ff566c1975a5b77bdd784e6879a86600c4a46956ad9f37a.exe	33
PID 2520 wrote to memory of 2868	2520	840efa5f63a9daab1ff566c1975a5b77bdd784e6879a86600c4a46956ad9f37a.exe	33
PID 2520 wrote to memory of 2868	2520	840efa5f63a9daab1ff566c1975a5b77bdd784e6879a86600c4a46956ad9f37a.exe	33
PID 2520 wrote to memory of 2868	2520	840efa5f63a9daab1ff566c1975a5b77bdd784e6879a86600c4a46956ad9f37a.exe	33
PID 2752 wrote to memory of 2720	2752	Unicorn-31755.exe	34
PID 2752 wrote to memory of 2720	2752	Unicorn-31755.exe	34
PID 2752 wrote to memory of 2720	2752	Unicorn-31755.exe	34
PID 2752 wrote to memory of 2720	2752	Unicorn-31755.exe	34
PID 2160 wrote to memory of 2740	2160	Unicorn-23142.exe	35
PID 2160 wrote to memory of 2740	2160	Unicorn-23142.exe	35
PID 2160 wrote to memory of 2740	2160	Unicorn-23142.exe	35
PID 2160 wrote to memory of 2740	2160	Unicorn-23142.exe	35
PID 2924 wrote to memory of 2232	2924	Unicorn-35285.exe	36
PID 2924 wrote to memory of 2232	2924	Unicorn-35285.exe	36
PID 2924 wrote to memory of 2232	2924	Unicorn-35285.exe	36
PID 2924 wrote to memory of 2232	2924	Unicorn-35285.exe	36
PID 2160 wrote to memory of 2392	2160	Unicorn-23142.exe	37
PID 2160 wrote to memory of 2392	2160	Unicorn-23142.exe	37
PID 2160 wrote to memory of 2392	2160	Unicorn-23142.exe	37
PID 2160 wrote to memory of 2392	2160	Unicorn-23142.exe	37
PID 2720 wrote to memory of 1704	2720	Unicorn-29338.exe	38
PID 2720 wrote to memory of 1704	2720	Unicorn-29338.exe	38
PID 2720 wrote to memory of 1704	2720	Unicorn-29338.exe	38
PID 2720 wrote to memory of 1704	2720	Unicorn-29338.exe	38
PID 2752 wrote to memory of 2340	2752	Unicorn-31755.exe	39
PID 2752 wrote to memory of 2340	2752	Unicorn-31755.exe	39
PID 2752 wrote to memory of 2340	2752	Unicorn-31755.exe	39
PID 2752 wrote to memory of 2340	2752	Unicorn-31755.exe	39
PID 2740 wrote to memory of 1940	2740	Unicorn-57111.exe	41
PID 2740 wrote to memory of 1940	2740	Unicorn-57111.exe	41
PID 2740 wrote to memory of 1940	2740	Unicorn-57111.exe	41
PID 2740 wrote to memory of 1940	2740	Unicorn-57111.exe	41
PID 2924 wrote to memory of 3040	2924	Unicorn-35285.exe	40
PID 2924 wrote to memory of 3040	2924	Unicorn-35285.exe	40
PID 2924 wrote to memory of 3040	2924	Unicorn-35285.exe	40
PID 2924 wrote to memory of 3040	2924	Unicorn-35285.exe	40
PID 2232 wrote to memory of 2408	2232	Unicorn-11439.exe	42
PID 2232 wrote to memory of 2408	2232	Unicorn-11439.exe	42
PID 2232 wrote to memory of 2408	2232	Unicorn-11439.exe	42
PID 2232 wrote to memory of 2408	2232	Unicorn-11439.exe	42
PID 2752 wrote to memory of 2708	2752	Unicorn-31755.exe	43
PID 2752 wrote to memory of 2708	2752	Unicorn-31755.exe	43
PID 2752 wrote to memory of 2708	2752	Unicorn-31755.exe	43
PID 2752 wrote to memory of 2708	2752	Unicorn-31755.exe	43
PID 2924 wrote to memory of 1084	2924	Unicorn-35285.exe	44
PID 2924 wrote to memory of 1084	2924	Unicorn-35285.exe	44
PID 2924 wrote to memory of 1084	2924	Unicorn-35285.exe	44
PID 2924 wrote to memory of 1084	2924	Unicorn-35285.exe	44
PID 1704 wrote to memory of 756	1704	Unicorn-55570.exe	45
PID 1704 wrote to memory of 756	1704	Unicorn-55570.exe	45
PID 1704 wrote to memory of 756	1704	Unicorn-55570.exe	45
PID 1704 wrote to memory of 756	1704	Unicorn-55570.exe	45

C:\Users\Admin\AppData\Local\Temp\840efa5f63a9daab1ff566c1975a5b77bdd784e6879a86600c4a46956ad9f37a.exe
"C:\Users\Admin\AppData\Local\Temp\840efa5f63a9daab1ff566c1975a5b77bdd784e6879a86600c4a46956ad9f37a.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2520
- C:\Users\Admin\AppData\Local\Temp\Unicorn-23142.exe
  C:\Users\Admin\AppData\Local\Temp\Unicorn-23142.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2160
- - C:\Users\Admin\AppData\Local\Temp\Unicorn-35285.exe
    C:\Users\Admin\AppData\Local\Temp\Unicorn-35285.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:2924
  - - C:\Users\Admin\AppData\Local\Temp\Unicorn-11439.exe
      C:\Users\Admin\AppData\Local\Temp\Unicorn-11439.exe
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:2232
    - - C:\Users\Admin\AppData\Local\Temp\Unicorn-39234.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-39234.exe
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetWindowsHookEx
        
        PID:2408
      - C:\Users\Admin\AppData\Local\Temp\Unicorn-18705.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-18705.exe
        6⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1976
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-13297.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-13297.exe
        7⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2216
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-3951.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-3951.exe
        8⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2100
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-65487.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-65487.exe
        9⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:1048
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-16775.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-16775.exe
        10⤵
        
        PID:3336
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3336 -s 220
        11⤵
        
        PID:5072
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1048 -s 236
        10⤵
        Program crash
        
        PID:3468
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2100 -s 236
        9⤵
        Program crash
        
        PID:2352
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-23063.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-23063.exe
        8⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:328
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-13437.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-13437.exe
        9⤵
        
        PID:2136
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-25218.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-25218.exe
        10⤵
        
        PID:3660
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-54992.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-54992.exe
        11⤵
        
        PID:5100
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-48101.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-48101.exe
        12⤵
        
        PID:6128
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-51282.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-51282.exe
        13⤵
        
        PID:5244
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-42606.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-42606.exe
        14⤵
        
        PID:4988
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 6128 -s 236
        13⤵
        
        PID:6928
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 5100 -s 216
        12⤵
        
        PID:5956
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3660 -s 236
        11⤵
        
        PID:5852
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2136 -s 216
        10⤵
        
        PID:3800
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 328 -s 216
        9⤵
        Program crash
        
        PID:3604
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2216 -s 240
        8⤵
        Program crash
        
        PID:996
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-59929.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-59929.exe
        7⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2800
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-18809.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-18809.exe
        8⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:1604
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-8990.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-8990.exe
        9⤵
        
        PID:3456
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-40602.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-40602.exe
        10⤵
        
        PID:4376
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-1038.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-1038.exe
        11⤵
        System Location Discovery: System Language Discovery
        
        PID:6072
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-43213.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-43213.exe
        12⤵
        
        PID:6956
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 6072 -s 216
        12⤵
        
        PID:4736
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4376 -s 216
        11⤵
        
        PID:6572
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3456 -s 236
        10⤵
        
        PID:5860
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1604 -s 236
        9⤵
        
        PID:3480
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2800 -s 236
        8⤵
        Program crash
        
        PID:2960
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1976 -s 240
        7⤵
        Program crash
        
        PID:1144
      - C:\Users\Admin\AppData\Local\Temp\Unicorn-9768.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-9768.exe
        6⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2836
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-27723.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-27723.exe
        7⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1540
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-13437.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-13437.exe
        8⤵
        System Location Discovery: System Language Discovery
        
        PID:1928
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-25218.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-25218.exe
        9⤵
        
        PID:3680
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-31111.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-31111.exe
        10⤵
        
        PID:5416
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-49123.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-49123.exe
        11⤵
        System Location Discovery: System Language Discovery
        
        PID:5616
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-43208.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-43208.exe
        12⤵
        System Location Discovery: System Language Discovery
        
        PID:4764
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 5416 -s 216
        11⤵
        
        PID:6892
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3680 -s 216
        10⤵
        
        PID:6032
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1928 -s 216
        9⤵
        
        PID:4104
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1540 -s 236
        8⤵
        Program crash
        
        PID:3744
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2836 -s 236
        7⤵
        Program crash
        
        PID:2876
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2408 -s 240
        6⤵
        Program crash
        
        PID:2528
    - - C:\Users\Admin\AppData\Local\Temp\Unicorn-7583.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-7583.exe
        5⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:840
      - C:\Users\Admin\AppData\Local\Temp\Unicorn-56276.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-56276.exe
        6⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2672
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-23879.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-23879.exe
        7⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1568
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-32488.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-32488.exe
        8⤵
        
        PID:2808
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-8876.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-8876.exe
        9⤵
        
        PID:4392
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-33005.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-33005.exe
        10⤵
        System Location Discovery: System Language Discovery
        
        PID:6088
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-46814.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-46814.exe
        11⤵
        
        PID:5488
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-42606.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-42606.exe
        12⤵
        
        PID:4444
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 6088 -s 236
        11⤵
        
        PID:6880
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4392 -s 236
        10⤵
        
        PID:5440
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2808 -s 236
        9⤵
        
        PID:5092
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1568 -s 236
        8⤵
        Program crash
        
        PID:3156
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2672 -s 236
        7⤵
        Program crash
        
        PID:1796
      - C:\Users\Admin\AppData\Local\Temp\Unicorn-29093.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-29093.exe
        6⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1828
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-38243.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-38243.exe
        7⤵
        
        PID:1380
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-25218.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-25218.exe
        8⤵
        
        PID:3640
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-8059.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-8059.exe
        9⤵
        
        PID:5604
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-12714.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-12714.exe
        10⤵
        
        PID:5804
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-21236.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-21236.exe
        11⤵
        
        PID:6856
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 5804 -s 216
        11⤵
        
        PID:6916
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 5604 -s 216
        10⤵
        
        PID:6564
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3640 -s 216
        9⤵
        
        PID:5304
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1380 -s 236
        8⤵
        
        PID:3860
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1828 -s 236
        7⤵
        Program crash
        
        PID:3264
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 840 -s 240
        6⤵
        Program crash
        
        PID:2112
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2232 -s 240
        5⤵
        Loads dropped DLL
        Program crash
        
        PID:812
  - - C:\Users\Admin\AppData\Local\Temp\Unicorn-19368.exe
      C:\Users\Admin\AppData\Local\Temp\Unicorn-19368.exe
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      System Location Discovery: System Language Discovery
      Suspicious use of SetWindowsHookEx
      PID:3040
    - - C:\Users\Admin\AppData\Local\Temp\Unicorn-26873.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-26873.exe
        5⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:1424
      - C:\Users\Admin\AppData\Local\Temp\Unicorn-31196.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-31196.exe
        6⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1052
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-48959.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-48959.exe
        7⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2804
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-13437.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-13437.exe
        8⤵
        
        PID:2664
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-25218.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-25218.exe
        9⤵
        
        PID:3616
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-18283.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-18283.exe
        10⤵
        System Location Discovery: System Language Discovery
        
        PID:5272
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-60545.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-60545.exe
        11⤵
        System Location Discovery: System Language Discovery
        
        PID:5308
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-55034.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-55034.exe
        12⤵
        System Location Discovery: System Language Discovery
        
        PID:6752
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-42606.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-42606.exe
        13⤵
        
        PID:5004
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 5308 -s 236
        12⤵
        
        PID:4672
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 5272 -s 216
        11⤵
        
        PID:6588
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3616 -s 216
        10⤵
        
        PID:5940
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2664 -s 216
        9⤵
        
        PID:4024
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2804 -s 236
        8⤵
        Program crash
        
        PID:3768
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1052 -s 236
        7⤵
        Program crash
        
        PID:2892
      - C:\Users\Admin\AppData\Local\Temp\Unicorn-45430.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-45430.exe
        6⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2744
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-13437.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-13437.exe
        7⤵
        
        PID:2268
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-25218.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-25218.exe
        8⤵
        System Location Discovery: System Language Discovery
        
        PID:3672
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-47063.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-47063.exe
        9⤵
        
        PID:5328
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-37987.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-37987.exe
        10⤵
        
        PID:5428
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-7748.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-7748.exe
        11⤵
        
        PID:6528
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 5428 -s 236
        11⤵
        
        PID:3352
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 5328 -s 236
        10⤵
        
        PID:6452
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3672 -s 216
        9⤵
        
        PID:5972
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2268 -s 236
        8⤵
        
        PID:4068
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2744 -s 236
        7⤵
        Program crash
        
        PID:3436
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1424 -s 240
        6⤵
        Program crash
        
        PID:2952
    - - C:\Users\Admin\AppData\Local\Temp\Unicorn-19498.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-19498.exe
        5⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:1504
      - C:\Users\Admin\AppData\Local\Temp\Unicorn-25825.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-25825.exe
        6⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1104
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-39805.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-39805.exe
        7⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2436
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-3946.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-3946.exe
        8⤵
        System Location Discovery: System Language Discovery
        
        PID:2832
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-25353.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-25353.exe
        9⤵
        System Location Discovery: System Language Discovery
        
        PID:4780
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-33628.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-33628.exe
        10⤵
        System Location Discovery: System Language Discovery
        
        PID:5432
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-794.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-794.exe
        11⤵
        
        PID:6432
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 5432 -s 216
        11⤵
        
        PID:6168
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4780 -s 216
        10⤵
        
        PID:6184
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2832 -s 216
        9⤵
        
        PID:4468
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2436 -s 216
        8⤵
        Program crash
        
        PID:3104
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1104 -s 236
        7⤵
        Program crash
        
        PID:2108
      - C:\Users\Admin\AppData\Local\Temp\Unicorn-22077.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-22077.exe
        6⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:3032
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-25218.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-25218.exe
        7⤵
        
        PID:3656
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-14198.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-14198.exe
        8⤵
        
        PID:5260
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-12714.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-12714.exe
        9⤵
        
        PID:5808
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-794.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-794.exe
        10⤵
        
        PID:6440
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 5808 -s 236
        10⤵
        
        PID:5848
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 5260 -s 236
        9⤵
        
        PID:6192
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3656 -s 216
        8⤵
        
        PID:5948
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3032 -s 216
        7⤵
        
        PID:3820
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1504 -s 240
        6⤵
        Program crash
        
        PID:3108
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3040 -s 240
        5⤵
        Program crash
        
        PID:2084
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 2924 -s 240
      4⤵
      Loads dropped DLL
      Program crash
      PID:1084
- - C:\Users\Admin\AppData\Local\Temp\Unicorn-57111.exe
    C:\Users\Admin\AppData\Local\Temp\Unicorn-57111.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:2740
  - - C:\Users\Admin\AppData\Local\Temp\Unicorn-39234.exe
      C:\Users\Admin\AppData\Local\Temp\Unicorn-39234.exe
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      System Location Discovery: System Language Discovery
      Suspicious use of SetWindowsHookEx
      PID:1940
    - - C:\Users\Admin\AppData\Local\Temp\Unicorn-27449.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-27449.exe
        5⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2532
      - C:\Users\Admin\AppData\Local\Temp\Unicorn-8590.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-8590.exe
        6⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2600
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-59457.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-59457.exe
        7⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2060
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-30205.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-30205.exe
        8⤵
        
        PID:448
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-25353.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-25353.exe
        9⤵
        
        PID:4804
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-33628.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-33628.exe
        10⤵
        System Location Discovery: System Language Discovery
        
        PID:5468
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-25128.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-25128.exe
        11⤵
        System Location Discovery: System Language Discovery
        
        PID:6904
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 5468 -s 236
        11⤵
        
        PID:6888
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4804 -s 216
        10⤵
        
        PID:6244
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 448 -s 236
        9⤵
        
        PID:4404
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2060 -s 236
        8⤵
        Program crash
        
        PID:3188
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2600 -s 236
        7⤵
        Program crash
        
        PID:1608
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2532 -s 236
        6⤵
        Program crash
        
        PID:3000
    - - C:\Users\Admin\AppData\Local\Temp\Unicorn-23966.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-23966.exe
        5⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2972
      - C:\Users\Admin\AppData\Local\Temp\Unicorn-58881.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-58881.exe
        6⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2132
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-54003.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-54003.exe
        7⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2956
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-41663.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-41663.exe
        8⤵
        
        PID:3392
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-11292.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-11292.exe
        9⤵
        
        PID:4388
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-9206.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-9206.exe
        10⤵
        
        PID:5288
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-20930.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-20930.exe
        11⤵
        
        PID:6148
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4388 -s 216
        10⤵
        
        PID:6580
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3392 -s 236
        9⤵
        
        PID:5868
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2956 -s 236
        8⤵
        Program crash
        
        PID:3496
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2132 -s 236
        7⤵
        Program crash
        
        PID:1720
      - C:\Users\Admin\AppData\Local\Temp\Unicorn-15663.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-15663.exe
        6⤵
        
        PID:3024
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-25218.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-25218.exe
        7⤵
        
        PID:3648
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3648 -s 212
        8⤵
        
        PID:5520
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3024 -s 216
        7⤵
        
        PID:3612
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2972 -s 240
        6⤵
        Program crash
        
        PID:3248
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1940 -s 240
        5⤵
        Program crash
        
        PID:1924
  - - C:\Users\Admin\AppData\Local\Temp\Unicorn-46478.exe
      C:\Users\Admin\AppData\Local\Temp\Unicorn-46478.exe
      4⤵
      Executes dropped EXE
      Suspicious use of SetWindowsHookEx
      PID:1876
    - - C:\Users\Admin\AppData\Local\Temp\Unicorn-53946.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-53946.exe
        5⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1856
      - C:\Users\Admin\AppData\Local\Temp\Unicorn-13333.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-13333.exe
        6⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2932
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-12114.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-12114.exe
        7⤵
        
        PID:3204
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-63020.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-63020.exe
        8⤵
        System Location Discovery: System Language Discovery
        
        PID:5060
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-54432.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-54432.exe
        9⤵
        
        PID:1388
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-4987.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-4987.exe
        10⤵
        
        PID:6152
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1388 -s 236
        10⤵
        
        PID:7016
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 5060 -s 236
        9⤵
        
        PID:6100
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3204 -s 236
        8⤵
        
        PID:5204
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2932 -s 236
        7⤵
        Program crash
        
        PID:3464
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1856 -s 216
        6⤵
        Program crash
        
        PID:1660
    - - C:\Users\Admin\AppData\Local\Temp\Unicorn-46992.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-46992.exe
        5⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1996
      - C:\Users\Admin\AppData\Local\Temp\Unicorn-41751.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-41751.exe
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:1696
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-7407.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-7407.exe
        7⤵
        
        PID:772
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-42680.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-42680.exe
        8⤵
        System Location Discovery: System Language Discovery
        
        PID:3528
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-35659.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-35659.exe
        9⤵
        System Location Discovery: System Language Discovery
        
        PID:4872
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-25844.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-25844.exe
        10⤵
        System Location Discovery: System Language Discovery
        
        PID:5584
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-40177.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-40177.exe
        11⤵
        System Location Discovery: System Language Discovery
        
        PID:4004
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 5584 -s 216
        11⤵
        
        PID:7136
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4872 -s 236
        10⤵
        
        PID:6268
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3528 -s 236
        9⤵
        
        PID:5216
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 772 -s 216
        8⤵
        
        PID:4592
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1696 -s 216
        7⤵
        Program crash
        
        PID:3920
      - C:\Users\Admin\AppData\Local\Temp\Unicorn-57739.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-57739.exe
        6⤵
        
        PID:2300
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-41165.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-41165.exe
        7⤵
        
        PID:4356
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-61100.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-61100.exe
        8⤵
        System Location Discovery: System Language Discovery
        
        PID:5248
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-3041.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-3041.exe
        9⤵
        System Location Discovery: System Language Discovery
        
        PID:5236
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-42606.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-42606.exe
        10⤵
        
        PID:4996
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 5248 -s 216
        9⤵
        
        PID:6976
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4356 -s 216
        8⤵
        
        PID:5728
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2300 -s 216
        7⤵
        
        PID:5048
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1996 -s 240
        6⤵
        Program crash
        
        PID:3288
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1876 -s 220
        5⤵
        Program crash
        
        PID:1304
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 2740 -s 240
      4⤵
      Loads dropped DLL
      Program crash
      PID:2992
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2160 -s 240
    3⤵
    - Loads dropped DLL
    - Program crash
    PID:2392
- C:\Users\Admin\AppData\Local\Temp\Unicorn-31755.exe
  C:\Users\Admin\AppData\Local\Temp\Unicorn-31755.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2752
- - C:\Users\Admin\AppData\Local\Temp\Unicorn-29338.exe
    C:\Users\Admin\AppData\Local\Temp\Unicorn-29338.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:2720
  - - C:\Users\Admin\AppData\Local\Temp\Unicorn-55570.exe
      C:\Users\Admin\AppData\Local\Temp\Unicorn-55570.exe
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      System Location Discovery: System Language Discovery
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:1704
    - - C:\Users\Admin\AppData\Local\Temp\Unicorn-16759.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-16759.exe
        5⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:756
      - C:\Users\Admin\AppData\Local\Temp\Unicorn-10583.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-10583.exe
        6⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2284
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-62882.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-62882.exe
        7⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:3008
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-36515.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-36515.exe
        8⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2396
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-49234.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-49234.exe
        9⤵
        System Location Discovery: System Language Discovery
        
        PID:2028
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-25218.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-25218.exe
        10⤵
        
        PID:3632
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3632 -s 212
        11⤵
        
        PID:5528
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2028 -s 236
        10⤵
        
        PID:3600
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2396 -s 216
        9⤵
        Program crash
        
        PID:3416
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-13032.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-13032.exe
        8⤵
        
        PID:1736
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-25218.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-25218.exe
        9⤵
        System Location Discovery: System Language Discovery
        
        PID:3704
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-3975.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-3975.exe
        10⤵
        
        PID:5664
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-52761.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-52761.exe
        11⤵
        
        PID:5684
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-2460.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-2460.exe
        12⤵
        
        PID:7152
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 5684 -s 216
        12⤵
        
        PID:7056
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 5664 -s 236
        11⤵
        
        PID:6604
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3704 -s 216
        10⤵
        
        PID:5348
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1736 -s 236
        9⤵
        
        PID:3084
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3008 -s 240
        8⤵
        Program crash
        
        PID:3168
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-47376.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-47376.exe
        7⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2092
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-38134.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-38134.exe
        8⤵
        System Location Discovery: System Language Discovery
        
        PID:2064
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-42680.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-42680.exe
        9⤵
        System Location Discovery: System Language Discovery
        
        PID:3384
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-7348.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-7348.exe
        10⤵
        
        PID:5812
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-62683.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-62683.exe
        11⤵
        
        PID:5884
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-39990.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-39990.exe
        12⤵
        System Location Discovery: System Language Discovery
        
        PID:3548
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-20240.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-20240.exe
        13⤵
        
        PID:5024
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 5884 -s 236
        12⤵
        
        PID:6944
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 5812 -s 236
        11⤵
        
        PID:5636
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3384 -s 236
        10⤵
        
        PID:5824
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2064 -s 216
        9⤵
        
        PID:4584
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2092 -s 236
        8⤵
        Program crash
        
        PID:3928
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2284 -s 240
        7⤵
        Program crash
        
        PID:2640
      - C:\Users\Admin\AppData\Local\Temp\Unicorn-41070.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-41070.exe
        6⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:1872
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-18617.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-18617.exe
        7⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2376
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-13437.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-13437.exe
        8⤵
        
        PID:284
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-25218.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-25218.exe
        9⤵
        
        PID:3624
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3624 -s 220
        10⤵
        
        PID:5544
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 284 -s 216
        9⤵
        
        PID:3824
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2376 -s 236
        8⤵
        Program crash
        
        PID:3508
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-59109.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-59109.exe
        7⤵
        
        PID:2928
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-25218.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-25218.exe
        8⤵
        System Location Discovery: System Language Discovery
        
        PID:3688
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3688 -s 240
        9⤵
        
        PID:5312
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2928 -s 236
        8⤵
        
        PID:3504
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1872 -s 240
        7⤵
        Program crash
        
        PID:3300
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 756 -s 240
        6⤵
        Program crash
        
        PID:2680
    - - C:\Users\Admin\AppData\Local\Temp\Unicorn-50225.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-50225.exe
        5⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:984
      - C:\Users\Admin\AppData\Local\Temp\Unicorn-443.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-443.exe
        6⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:580
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-43505.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-43505.exe
        7⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1944
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-49063.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-49063.exe
        8⤵
        System Location Discovery: System Language Discovery
        
        PID:2464
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-33521.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-33521.exe
        9⤵
        
        PID:4816
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-52486.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-52486.exe
        10⤵
        
        PID:5508
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-12470.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-12470.exe
        11⤵
        
        PID:6732
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 5508 -s 236
        11⤵
        
        PID:6844
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4816 -s 216
        10⤵
        
        PID:6276
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2464 -s 216
        9⤵
        
        PID:288
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1944 -s 216
        8⤵
        Program crash
        
        PID:3236
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 580 -s 236
        7⤵
        Program crash
        
        PID:2072
      - C:\Users\Admin\AppData\Local\Temp\Unicorn-3027.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-3027.exe
        6⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:1756
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-60137.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-60137.exe
        7⤵
        
        PID:3484
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-25353.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-25353.exe
        8⤵
        System Location Discovery: System Language Discovery
        
        PID:4796
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-52486.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-52486.exe
        9⤵
        
        PID:5556
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-34946.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-34946.exe
        10⤵
        System Location Discovery: System Language Discovery
        
        PID:5680
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 5556 -s 216
        10⤵
        
        PID:6936
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4796 -s 216
        9⤵
        
        PID:936
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3484 -s 236
        8⤵
        
        PID:4412
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1756 -s 216
        7⤵
        Program crash
        
        PID:3448
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 984 -s 240
        6⤵
        Program crash
        
        PID:1800
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1704 -s 240
        5⤵
        Program crash
        
        PID:596
  - - C:\Users\Admin\AppData\Local\Temp\Unicorn-44148.exe
      C:\Users\Admin\AppData\Local\Temp\Unicorn-44148.exe
      4⤵
      Executes dropped EXE
      Suspicious use of SetWindowsHookEx
      PID:1352
    - - C:\Users\Admin\AppData\Local\Temp\Unicorn-49478.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-49478.exe
        5⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:1684
      - C:\Users\Admin\AppData\Local\Temp\Unicorn-52420.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-52420.exe
        6⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2128
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-7262.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-7262.exe
        7⤵
        System Location Discovery: System Language Discovery
        
        PID:1092
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-7589.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-7589.exe
        8⤵
        
        PID:4536
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-35574.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-35574.exe
        9⤵
        
        PID:5404
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-24552.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-24552.exe
        10⤵
        System Location Discovery: System Language Discovery
        
        PID:6824
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 5404 -s 216
        10⤵
        
        PID:6876
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4536 -s 236
        9⤵
        
        PID:5780
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1092 -s 236
        8⤵
        
        PID:4228
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2128 -s 236
        7⤵
        Program crash
        
        PID:3212
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1684 -s 236
        6⤵
        Program crash
        
        PID:2120
    - - C:\Users\Admin\AppData\Local\Temp\Unicorn-5959.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-5959.exe
        5⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2148
      - C:\Users\Admin\AppData\Local\Temp\Unicorn-718.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-718.exe
        6⤵
        Executes dropped EXE
        
        PID:3052
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-26204.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-26204.exe
        7⤵
        
        PID:3572
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-16145.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-16145.exe
        8⤵
        
        PID:5368
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-2600.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-2600.exe
        9⤵
        
        PID:5892
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-46451.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-46451.exe
        10⤵
        
        PID:6540
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 5892 -s 236
        10⤵
        
        PID:6632
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 5368 -s 236
        9⤵
        
        PID:6596
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3572 -s 216
        8⤵
        
        PID:6016
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3052 -s 236
        7⤵
        
        PID:3360
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2148 -s 236
        6⤵
        Program crash
        
        PID:1820
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1352 -s 240
        5⤵
        Program crash
        
        PID:2540
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 2720 -s 240
      4⤵
      Loads dropped DLL
      Program crash
      PID:1964
- - C:\Users\Admin\AppData\Local\Temp\Unicorn-29674.exe
    C:\Users\Admin\AppData\Local\Temp\Unicorn-29674.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of SetWindowsHookEx
    PID:2340
  - - C:\Users\Admin\AppData\Local\Temp\Unicorn-2368.exe
      C:\Users\Admin\AppData\Local\Temp\Unicorn-2368.exe
      4⤵
      Executes dropped EXE
      Suspicious use of SetWindowsHookEx
      PID:1244
    - - C:\Users\Admin\AppData\Local\Temp\Unicorn-64444.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-64444.exe
        5⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2020
      - C:\Users\Admin\AppData\Local\Temp\Unicorn-1320.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-1320.exe
        6⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2596
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-29499.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-29499.exe
        7⤵
        
        PID:1372
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-25218.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-25218.exe
        8⤵
        System Location Discovery: System Language Discovery
        
        PID:3696
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3696 -s 220
        9⤵
        
        PID:5512
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1372 -s 216
        8⤵
        
        PID:4112
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2596 -s 236
        7⤵
        Program crash
        
        PID:3228
      - C:\Users\Admin\AppData\Local\Temp\Unicorn-51050.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-51050.exe
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:1400
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-15815.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-15815.exe
        7⤵
        System Location Discovery: System Language Discovery
        
        PID:2816
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-25353.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-25353.exe
        8⤵
        System Location Discovery: System Language Discovery
        
        PID:4788
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-50540.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-50540.exe
        9⤵
        
        PID:5644
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-218.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-218.exe
        10⤵
        
        PID:6372
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 5644 -s 236
        10⤵
        
        PID:7096
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4788 -s 216
        9⤵
        
        PID:5792
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2816 -s 216
        8⤵
        
        PID:4420
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1400 -s 236
        7⤵
        Program crash
        
        PID:3176
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2020 -s 240
        6⤵
        Program crash
        
        PID:2788
    - - C:\Users\Admin\AppData\Local\Temp\Unicorn-18787.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-18787.exe
        5⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2760
      - C:\Users\Admin\AppData\Local\Temp\Unicorn-7407.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-7407.exe
        6⤵
        
        PID:2380
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-20662.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-20662.exe
        7⤵
        
        PID:3592
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-60633.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-60633.exe
        8⤵
        System Location Discovery: System Language Discovery
        
        PID:5784
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-56653.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-56653.exe
        9⤵
        
        PID:6024
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-61588.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-61588.exe
        10⤵
        
        PID:5912
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 6024 -s 236
        10⤵
        
        PID:6968
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 5784 -s 236
        9⤵
        
        PID:5844
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3592 -s 220
        8⤵
        
        PID:5836
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2380 -s 216
        7⤵
        
        PID:4616
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2760 -s 216
        6⤵
        Program crash
        
        PID:3912
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1244 -s 240
        5⤵
        Program crash
        
        PID:2772
  - - C:\Users\Admin\AppData\Local\Temp\Unicorn-7630.exe
      C:\Users\Admin\AppData\Local\Temp\Unicorn-7630.exe
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious use of SetWindowsHookEx
      PID:2468
    - - C:\Users\Admin\AppData\Local\Temp\Unicorn-29032.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-29032.exe
        5⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1436
      - C:\Users\Admin\AppData\Local\Temp\Unicorn-13437.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-13437.exe
        6⤵
        
        PID:2508
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-25218.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-25218.exe
        7⤵
        System Location Discovery: System Language Discovery
        
        PID:3732
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-47255.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-47255.exe
        8⤵
        
        PID:5480
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-58215.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-58215.exe
        9⤵
        
        PID:948
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-7748.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-7748.exe
        10⤵
        
        PID:6516
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 948 -s 236
        10⤵
        
        PID:6612
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 5480 -s 216
        9⤵
        
        PID:6292
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3732 -s 216
        8⤵
        
        PID:6120
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2508 -s 216
        7⤵
        
        PID:4040
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1436 -s 236
        6⤵
        Program crash
        
        PID:3784
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2468 -s 236
        5⤵
        Program crash
        
        PID:2248
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 2340 -s 240
      4⤵
      Program crash
      PID:2192
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2752 -s 240
    3⤵
    - Loads dropped DLL
    - Program crash
    PID:2708
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 2520 -s 240
  2⤵
  - Program crash
  PID:2868

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\Unicorn-31755.exe

Filesize
468KB

MD5
9a8a947480dbd3b51aee4259fad9e863

SHA1
161802a1dad959f0eee0ef6314fff83edd9ded57

SHA256
f1317bf28b8f301625037806dbc564cf22b65856c31df56083626d4bbbb83dc7

SHA512
bb21618f21536d772426b1dca0ce68d140a71f49ee442ef81cb78ac3a6e3e454e3bf36df2ac91f69dddb68742561075c671befadf8a58b729f305f7596572dd8

Download Submit
\Users\Admin\AppData\Local\Temp\Unicorn-11439.exe

Filesize
468KB

MD5
025db737f264620d86a0b3c9a709228e

SHA1
9ff04bb40451cdca43ba4c242c6a1960ece529b6

SHA256
e3d7c0a89d1c14bc67549b9222716c65c2c8aae971879c6c3558773b2a5b4974

SHA512
380d5d324f0200676dd572f56a579b7b39a77c9aa51fbd8704662cf84d6cc909cb5e145a91398fc49e4ea25218b9324c5d1d646761fa86675ac172a1be75badf

Download Submit
\Users\Admin\AppData\Local\Temp\Unicorn-16759.exe

Filesize
468KB

MD5
a8ef098c9c86f7005701e03eb0e651d7

SHA1
49d1653b424fa8b6c09e9e20bcb619ecd593f16b

SHA256
16e695279b6bb00a1d152d027cbd95627670cba47ac9a6b94d82360cfd20e376

SHA512
ffafa6676472fe59d883a9b345f4de4b14205043e8c86215219b0191ba0f557e20f9375ff639cda4906e93cf04df914526aa56ace4486fe26155b929bc36b6ee

Download Submit
\Users\Admin\AppData\Local\Temp\Unicorn-19368.exe

Filesize
468KB

MD5
1c3b88ec73cc613647eb3f234dcfd9b0

SHA1
36a7727873cd01e8bef2f526c8bf383b4d80a0f3

SHA256
4cd256a3479e18a5799262b4337fe2b0382de0cb46c425da43be3319e8bcc185

SHA512
466755b3742eb1934ef0d473b58ff1d2faece3e3f3da6ff6fa220f5e0e9caa51249bc0d5f59678c653bc3a4bd68d138bc3a17e2e699bc95c7ebb58b765cf442d

Download Submit
\Users\Admin\AppData\Local\Temp\Unicorn-23142.exe

Filesize
468KB

MD5
a48ac8b71cd24eaf11629adcbce59c20

SHA1
06671cc686f6bbb76ddd8830aa10edb919299fbe

SHA256
0820c962ca129d1953eaf6d01f84b1cc5da167462b351c7a2f2f646341ca54c9

SHA512
06f5cdefceba1c004543f37c6e8e74ff1655602aa6bce3d21d75dbae9b550b14130615ea93717c66c1ebca528e07d02f097d8751e0e3c1aa739b269f7e537eb9

Download Submit
\Users\Admin\AppData\Local\Temp\Unicorn-26873.exe

Filesize
468KB

MD5
b5fde6f8f55e0ac30613f34ec8261cf3

SHA1
f14783c602033b3b2264b7c606789ed4aa20f832

SHA256
7133d7e807df77c7c1b73ce73941e31a267c28609eabaf5d7f131f52f0b009ab

SHA512
e73267d0506f541f050698c43585c96454f72a593a7cb7fef6c883f6aefb312e03155af29f1012396ffe3759830dee49870ab185c07df6e027ee2df10260e239

Download Submit
\Users\Admin\AppData\Local\Temp\Unicorn-29338.exe

Filesize
468KB

MD5
2b73887d201ddfe646655a6ca69c6ff5

SHA1
efe1efe6efd6cacab07d3a628cb8d02f95645b97

SHA256
ac361b805069c0210f20000f12f1fb596a570ec0140aa65b67051408c3f3b772

SHA512
431a521de81094ac0041ee13987f5ac96f1cb18989ae5edbc363f19a0df7a014bb3c56cab3cfd51ae5f8a7bc9c493093f33ed5a4c0e22c8c4947488069fb257d

Download Submit
\Users\Admin\AppData\Local\Temp\Unicorn-29674.exe

Filesize
468KB

MD5
e17b77f9b54e9ca70485233f39740c38

SHA1
798169a44a307dbcdee047723903b7fe72ad82f5

SHA256
6f7aada260c1b0feabf1ad6cc327c66b790a7290a19e43032bd3240dfd2b7663

SHA512
d496756c196925af5a1c06f1491a43148e280d7f9b333af4b530e15012559ec056b465b592ce0d45d23bd9705824b0c5f533cceefff51c85573a16ba0212cc3b

Download Submit
\Users\Admin\AppData\Local\Temp\Unicorn-35285.exe

Filesize
468KB

MD5
4320f519e11f0e18629fed8232e9f5c4

SHA1
279a0994116fdb490251f7d6da90b69e9ff0bac0

SHA256
df5d2b2364c391a2c5e65da2ef817409e988f93b7ec184eaaf1b993967811072

SHA512
9358c329d127c308afc0226ec00f8a79b873d86721ba224aa05f80ea22f9dccb9d06df6ab13555e545f342fbacaede5b16cc150006ee373fa301e8b2c4fdca43

Download Submit
\Users\Admin\AppData\Local\Temp\Unicorn-39234.exe

Filesize
468KB

MD5
5439330de7aea79fc66efb4786700ab8

SHA1
c871b9c4956ea733eaf39e5dc884e01d22a09864

SHA256
dad4cb3ed1fd51b8cb130bb3edbddc52234476e3cf0e136199f517f61b04bc90

SHA512
4909f490541dd050f6d953003866b0ef8a61689255debe4480d3b4f560c589244fd6029bc95e3bfeeb3314ed94d1fa2f56ecdb667bc78d6884519cfefb0a06ad

Download Submit
\Users\Admin\AppData\Local\Temp\Unicorn-44148.exe

Filesize
468KB

MD5
09458fa68efec308db03b187cdae756e

SHA1
05cf616a8e5ef8fe6af6bae949aef40056b9fb70

SHA256
ae6ab5c2ba8cb27e39b62b0f7f6c51adfb9675386e1687fdc6c9df38e54ef818

SHA512
541ef5b3d3c081c19e826178fdcbd121a7c1a04d4b019a4041babbfea6f73ac1447ec4879ba661d19afa99181ff9263d4b1dff5b7e77c7f4140fa43419420796

Download Submit
\Users\Admin\AppData\Local\Temp\Unicorn-55570.exe

Filesize
468KB

MD5
cd70222dde3d5994a0f487dc7478f53c

SHA1
64487311452a9cbea4e266df5996b81d50330280

SHA256
8fe697e979931179787c5057dce02465f00ba8b7b888ff5eef0fdbd6a9d5cc2a

SHA512
4381431935888a46e38d398a196ff285759fc3d92f8d835e782644f7a727c11bb176a568e3fe7444d4edcbfdaa5435d0d108ba7e8b2c9160f7271b6235ae8fb5

Download Submit
\Users\Admin\AppData\Local\Temp\Unicorn-57111.exe

Filesize
468KB

MD5
4194106398a415f0a09730b942c1d34f

SHA1
cb3e0f3cd0663970c7f281da4339a81ca032338f

SHA256
a449152f6b5b0e07805a42e4e7e3cd5afe5a0af8de7a08ec60f22ce40badf55e

SHA512
468b90d7040c03dda61eddc5de62027eb966bf91db3fd747ff54d8c84525f99b3c5632137d99cc8044191dd3497b86361d5c5b21d97c6d0b2fd3dbb5c4c0d477

Download Submit
memory/580-394-0x0000000000400000-0x0000000000475000-memory.dmp

Filesize
468KB

Download
memory/756-441-0x0000000000400000-0x0000000000475000-memory.dmp

Filesize
468KB

Download
memory/756-227-0x0000000000310000-0x0000000000385000-memory.dmp

Filesize
468KB

Download
memory/756-230-0x0000000000310000-0x0000000000385000-memory.dmp

Filesize
468KB

Download
memory/840-316-0x0000000000520000-0x0000000000595000-memory.dmp

Filesize
468KB

Download
memory/840-310-0x0000000000520000-0x0000000000595000-memory.dmp

Filesize
468KB

Download
memory/984-393-0x0000000002460000-0x00000000024D5000-memory.dmp

Filesize
468KB

Download
memory/984-246-0x0000000000400000-0x0000000000475000-memory.dmp

Filesize
468KB

Download
memory/1104-433-0x0000000000400000-0x0000000000475000-memory.dmp

Filesize
468KB

Download
memory/1244-183-0x0000000000400000-0x0000000000475000-memory.dmp

Filesize
468KB

Download
memory/1244-270-0x00000000024C0000-0x0000000002535000-memory.dmp

Filesize
468KB

Download
memory/1352-425-0x0000000001DA0000-0x0000000001E15000-memory.dmp

Filesize
468KB

Download
memory/1352-424-0x0000000001DA0000-0x0000000001E15000-memory.dmp

Filesize
468KB

Download
memory/1352-233-0x0000000001DA0000-0x0000000001E15000-memory.dmp

Filesize
468KB

Download
memory/1424-247-0x00000000024E0000-0x0000000002555000-memory.dmp

Filesize
468KB

Download
memory/1424-252-0x00000000024E0000-0x0000000002555000-memory.dmp

Filesize
468KB

Download
memory/1436-405-0x0000000000400000-0x0000000000475000-memory.dmp

Filesize
468KB

Download
memory/1504-434-0x0000000001D50000-0x0000000001DC5000-memory.dmp

Filesize
468KB

Download
memory/1504-432-0x0000000001D50000-0x0000000001DC5000-memory.dmp

Filesize
468KB

Download
memory/1504-261-0x0000000000400000-0x0000000000475000-memory.dmp

Filesize
468KB

Download
memory/1568-445-0x0000000000400000-0x0000000000475000-memory.dmp

Filesize
468KB

Download
memory/1704-159-0x0000000000480000-0x00000000004F5000-memory.dmp

Filesize
468KB

Download
memory/1704-392-0x0000000000400000-0x0000000000475000-memory.dmp

Filesize
468KB

Download
memory/1704-144-0x0000000000480000-0x00000000004F5000-memory.dmp

Filesize
468KB

Download
memory/1704-245-0x0000000000480000-0x00000000004F5000-memory.dmp

Filesize
468KB

Download
memory/1704-243-0x0000000000480000-0x00000000004F5000-memory.dmp

Filesize
468KB

Download
memory/1856-326-0x0000000000400000-0x0000000000475000-memory.dmp

Filesize
468KB

Download
memory/1872-356-0x0000000000400000-0x0000000000475000-memory.dmp

Filesize
468KB

Download
memory/1876-323-0x0000000002930000-0x00000000029A5000-memory.dmp

Filesize
468KB

Download
memory/1876-448-0x0000000002930000-0x00000000029A5000-memory.dmp

Filesize
468KB

Download
memory/1876-460-0x0000000002930000-0x00000000029A5000-memory.dmp

Filesize
468KB

Download
memory/1940-115-0x0000000000400000-0x0000000000475000-memory.dmp

Filesize
468KB

Download
memory/1940-412-0x0000000000400000-0x0000000000475000-memory.dmp

Filesize
468KB

Download
memory/1940-209-0x0000000000480000-0x00000000004F5000-memory.dmp

Filesize
468KB

Download
memory/1940-204-0x0000000000480000-0x00000000004F5000-memory.dmp

Filesize
468KB

Download
memory/1976-295-0x0000000002680000-0x00000000026F5000-memory.dmp

Filesize
468KB

Download
memory/1976-296-0x0000000002680000-0x00000000026F5000-memory.dmp

Filesize
468KB

Download
memory/1976-379-0x0000000002680000-0x00000000026F5000-memory.dmp

Filesize
468KB

Download
memory/2020-272-0x0000000000400000-0x0000000000475000-memory.dmp

Filesize
468KB

Download
memory/2020-461-0x00000000026A0000-0x0000000002715000-memory.dmp

Filesize
468KB

Download
memory/2020-449-0x00000000026A0000-0x0000000002715000-memory.dmp

Filesize
468KB

Download
memory/2100-366-0x0000000000400000-0x0000000000475000-memory.dmp

Filesize
468KB

Download
memory/2132-413-0x0000000000400000-0x0000000000475000-memory.dmp

Filesize
468KB

Download
memory/2148-427-0x0000000000400000-0x0000000000475000-memory.dmp

Filesize
468KB

Download
memory/2160-52-0x0000000000480000-0x00000000004F5000-memory.dmp

Filesize
468KB

Download
memory/2160-306-0x0000000000400000-0x0000000000475000-memory.dmp

Filesize
468KB

Download
memory/2160-17-0x0000000000480000-0x00000000004F5000-memory.dmp

Filesize
468KB

Download
memory/2216-297-0x0000000000400000-0x0000000000475000-memory.dmp

Filesize
468KB

Download
memory/2232-197-0x00000000025C0000-0x0000000002635000-memory.dmp

Filesize
468KB

Download
memory/2232-373-0x0000000000400000-0x0000000000475000-memory.dmp

Filesize
468KB

Download
memory/2284-231-0x0000000000400000-0x0000000000475000-memory.dmp

Filesize
468KB

Download
memory/2284-346-0x0000000001F70000-0x0000000001FE5000-memory.dmp

Filesize
468KB

Download
memory/2340-182-0x0000000002660000-0x00000000026D5000-memory.dmp

Filesize
468KB

Download
memory/2340-281-0x0000000002660000-0x00000000026D5000-memory.dmp

Filesize
468KB

Download
memory/2340-279-0x0000000002660000-0x00000000026D5000-memory.dmp

Filesize
468KB

Download
memory/2340-181-0x0000000002660000-0x00000000026D5000-memory.dmp

Filesize
468KB

Download
memory/2340-403-0x0000000000400000-0x0000000000475000-memory.dmp

Filesize
468KB

Download
memory/2408-305-0x0000000002450000-0x00000000024C5000-memory.dmp

Filesize
468KB

Download
memory/2408-192-0x0000000002450000-0x00000000024C5000-memory.dmp

Filesize
468KB

Download
memory/2408-307-0x0000000002450000-0x00000000024C5000-memory.dmp

Filesize
468KB

Download
memory/2408-426-0x0000000000400000-0x0000000000475000-memory.dmp

Filesize
468KB

Download
memory/2408-187-0x0000000002450000-0x00000000024C5000-memory.dmp

Filesize
468KB

Download
memory/2468-282-0x0000000000400000-0x0000000000475000-memory.dmp

Filesize
468KB

Download
memory/2520-324-0x0000000001CC0000-0x0000000001D35000-memory.dmp

Filesize
468KB

Download
memory/2520-0-0x0000000000400000-0x0000000000475000-memory.dmp

Filesize
468KB

Download
memory/2520-271-0x0000000000400000-0x0000000000475000-memory.dmp

Filesize
468KB

Download
memory/2520-6-0x0000000001CC0000-0x0000000001D35000-memory.dmp

Filesize
468KB

Download
memory/2520-32-0x0000000001CC0000-0x0000000001D35000-memory.dmp

Filesize
468KB

Download
memory/2520-27-0x0000000001CC0000-0x0000000001D35000-memory.dmp

Filesize
468KB

Download
memory/2532-208-0x0000000000400000-0x0000000000475000-memory.dmp

Filesize
468KB

Download
memory/2600-374-0x0000000000400000-0x0000000000475000-memory.dmp

Filesize
468KB

Download
memory/2672-317-0x0000000000400000-0x0000000000475000-memory.dmp

Filesize
468KB

Download
memory/2672-442-0x0000000002580000-0x00000000025F5000-memory.dmp

Filesize
468KB

Download
memory/2720-355-0x0000000000400000-0x0000000000475000-memory.dmp

Filesize
468KB

Download
memory/2720-457-0x0000000002920000-0x0000000002995000-memory.dmp

Filesize
468KB

Download
memory/2720-154-0x0000000002920000-0x0000000002995000-memory.dmp

Filesize
468KB

Download
memory/2720-81-0x0000000003450000-0x00000000034C5000-memory.dmp

Filesize
468KB

Download
memory/2720-383-0x0000000003450000-0x00000000034C5000-memory.dmp

Filesize
468KB

Download
memory/2720-162-0x0000000002920000-0x0000000002995000-memory.dmp

Filesize
468KB

Download
memory/2740-364-0x0000000000400000-0x0000000000475000-memory.dmp

Filesize
468KB

Download
memory/2740-210-0x0000000002690000-0x0000000002705000-memory.dmp

Filesize
468KB

Download
memory/2740-215-0x0000000002690000-0x0000000002705000-memory.dmp

Filesize
468KB

Download
memory/2752-42-0x00000000027C0000-0x0000000002835000-memory.dmp

Filesize
468KB

Download
memory/2752-92-0x00000000027C0000-0x0000000002835000-memory.dmp

Filesize
468KB

Download
memory/2752-328-0x0000000000400000-0x0000000000475000-memory.dmp

Filesize
468KB

Download
memory/2800-384-0x0000000000400000-0x0000000000475000-memory.dmp

Filesize
468KB

Download
memory/2836-308-0x0000000000400000-0x0000000000475000-memory.dmp

Filesize
468KB

Download
memory/2924-318-0x0000000000400000-0x0000000000475000-memory.dmp

Filesize
468KB

Download
memory/2924-62-0x0000000002650000-0x00000000026C5000-memory.dmp

Filesize
468KB

Download
memory/2972-332-0x0000000000400000-0x0000000000475000-memory.dmp

Filesize
468KB

Download
memory/3008-347-0x0000000000400000-0x0000000000475000-memory.dmp

Filesize
468KB

Download
memory/3040-117-0x0000000000400000-0x0000000000475000-memory.dmp

Filesize
468KB

Download
memory/3040-169-0x0000000001E50000-0x0000000001EC5000-memory.dmp

Filesize
468KB

Download
memory/3040-260-0x0000000001E50000-0x0000000001EC5000-memory.dmp

Filesize
468KB

Download
memory/3040-404-0x0000000000400000-0x0000000000475000-memory.dmp

Filesize
468KB

Download
memory/3040-255-0x0000000001E50000-0x0000000001EC5000-memory.dmp

Filesize
468KB

Download