5a186c2ac5e3138613391785e531a11fa0f31321c9540e75f399769bd7f6832a

Analysis

max time kernel
150s
max time network
120s
platform
windows7_x64
resource
win7-20240708-en
resource tags

arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system
submitted
13/09/2024, 21:57

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

5a186c2ac5e3138613391785e531a11fa0f31321c9540e75f399769bd7f6832a.exe
Size

468KB
MD5

438668444a6a6652708db54afb8d4ac5
SHA1

bc43cb4343d78f89a83614feb8f20115e41003e9
SHA256

5a186c2ac5e3138613391785e531a11fa0f31321c9540e75f399769bd7f6832a
SHA512

f0fc5ccd40a35e945407a53c54abfe7076cf6d358687bde0fb434caa5f2c8a509c718edf51e960bf67ab17d52ec7805c4f4a645b326ddf505ccf3af7f12423d0
SSDEEP

3072:uG3HogISIE5TtbY2HzcOcf8/vChaP0p2JVHeTVPVb7qL67tgEElL:uG3obMTtxH4OcfSYHTb7s4tgE

Score

7^/10

discovery

Malware Config

Signatures

Executes dropped EXE 64 IoCs

pid	Process
2156	Unicorn-49286.exe
1716	Unicorn-11543.exe
1720	Unicorn-14236.exe
2824	Unicorn-32047.exe
2828	Unicorn-64811.exe
3020	Unicorn-1320.exe
2176	Unicorn-16265.exe
2628	Unicorn-11709.exe
2188	Unicorn-17474.exe
840	Unicorn-44382.exe
2848	Unicorn-9571.exe
2964	Unicorn-53218.exe
2956	Unicorn-39482.exe
2832	Unicorn-59348.exe
780	Unicorn-8777.exe
1488	Unicorn-42004.exe
1540	Unicorn-14807.exe
1340	Unicorn-27065.exe
656	Unicorn-46110.exe
3048	Unicorn-11299.exe
988	Unicorn-3131.exe
2584	Unicorn-22160.exe
2456	Unicorn-60043.exe
2040	Unicorn-44527.exe
2464	Unicorn-21414.exe
844	Unicorn-7115.exe
1976	Unicorn-13245.exe
2528	Unicorn-56779.exe
620	Unicorn-6722.exe
1932	Unicorn-21113.exe
2392	Unicorn-1247.exe
1972	Unicorn-60639.exe
2208	Unicorn-31959.exe
816	Unicorn-3925.exe
1856	Unicorn-43249.exe
2816	Unicorn-3178.exe
2820	Unicorn-13484.exe
2960	Unicorn-11901.exe
2916	Unicorn-35851.exe
2504	Unicorn-30375.exe
2132	Unicorn-15430.exe
2928	Unicorn-48658.exe
2172	Unicorn-59593.exe
2868	Unicorn-29629.exe
2992	Unicorn-21461.exe
764	Unicorn-37889.exe
2840	Unicorn-43754.exe
1896	Unicorn-43203.exe
1560	Unicorn-28259.exe
444	Unicorn-45150.exe
1648	Unicorn-65015.exe
1484	Unicorn-58885.exe
2200	Unicorn-50717.exe
2372	Unicorn-27382.exe
1548	Unicorn-30650.exe
1620	Unicorn-60822.exe
1396	Unicorn-45041.exe
2084	Unicorn-30096.exe
2044	Unicorn-64806.exe
1864	Unicorn-5399.exe
2076	Unicorn-17551.exe
2212	Unicorn-25820.exe
1696	Unicorn-47921.exe
2224	Unicorn-48186.exe

Loads dropped DLL 64 IoCs

pid	Process
2432	5a186c2ac5e3138613391785e531a11fa0f31321c9540e75f399769bd7f6832a.exe
2432	5a186c2ac5e3138613391785e531a11fa0f31321c9540e75f399769bd7f6832a.exe
2156	Unicorn-49286.exe
2432	5a186c2ac5e3138613391785e531a11fa0f31321c9540e75f399769bd7f6832a.exe
2156	Unicorn-49286.exe
2432	5a186c2ac5e3138613391785e531a11fa0f31321c9540e75f399769bd7f6832a.exe
1716	Unicorn-11543.exe
1716	Unicorn-11543.exe
1720	Unicorn-14236.exe
1720	Unicorn-14236.exe
2432	5a186c2ac5e3138613391785e531a11fa0f31321c9540e75f399769bd7f6832a.exe
2432	5a186c2ac5e3138613391785e531a11fa0f31321c9540e75f399769bd7f6832a.exe
2156	Unicorn-49286.exe
2156	Unicorn-49286.exe
2828	Unicorn-64811.exe
2828	Unicorn-64811.exe
2432	5a186c2ac5e3138613391785e531a11fa0f31321c9540e75f399769bd7f6832a.exe
2432	5a186c2ac5e3138613391785e531a11fa0f31321c9540e75f399769bd7f6832a.exe
2176	Unicorn-16265.exe
2176	Unicorn-16265.exe
2824	Unicorn-32047.exe
2824	Unicorn-32047.exe
2156	Unicorn-49286.exe
1720	Unicorn-14236.exe
2156	Unicorn-49286.exe
1720	Unicorn-14236.exe
3020	Unicorn-1320.exe
3020	Unicorn-1320.exe
2124	WerFault.exe
2124	WerFault.exe
2124	WerFault.exe
2124	WerFault.exe
2124	WerFault.exe
2628	Unicorn-11709.exe
2628	Unicorn-11709.exe
2828	Unicorn-64811.exe
2828	Unicorn-64811.exe
2188	Unicorn-17474.exe
2188	Unicorn-17474.exe
2432	5a186c2ac5e3138613391785e531a11fa0f31321c9540e75f399769bd7f6832a.exe
2432	5a186c2ac5e3138613391785e531a11fa0f31321c9540e75f399769bd7f6832a.exe
2832	Unicorn-59348.exe
2832	Unicorn-59348.exe
2964	Unicorn-53218.exe
2964	Unicorn-53218.exe
840	Unicorn-44382.exe
840	Unicorn-44382.exe
3020	Unicorn-1320.exe
3020	Unicorn-1320.exe
2156	Unicorn-49286.exe
2156	Unicorn-49286.exe
2176	Unicorn-16265.exe
2176	Unicorn-16265.exe
2956	Unicorn-39482.exe
2956	Unicorn-39482.exe
1720	Unicorn-14236.exe
1720	Unicorn-14236.exe
2848	Unicorn-9571.exe
2848	Unicorn-9571.exe
2824	Unicorn-32047.exe
2824	Unicorn-32047.exe
780	Unicorn-8777.exe
780	Unicorn-8777.exe
1488	Unicorn-42004.exe

Program crash 64 IoCs

pid	pid_target	Process	procid_target
2124	1716	WerFault.exe	31
2656	2456	WerFault.exe	53
2860	844	WerFault.exe	56
1640	2040	WerFault.exe	54
2968	2928	WerFault.exe	75
3000	2916	WerFault.exe	70
1884	1540	WerFault.exe	47
1688	444	WerFault.exe	85
2236	2132	WerFault.exe	72
2724	2392	WerFault.exe	62
2980	656	WerFault.exe	49
2404	1548	WerFault.exe	89
2616	620	WerFault.exe	60
2152	2748	WerFault.exe	102
2304	2232	WerFault.exe	129
1196	2380	WerFault.exe	126
2792	2960	WerFault.exe	69
3152	2920	WerFault.exe	128
3740	1484	WerFault.exe	86
3732	1856	WerFault.exe	66
3980	2312	WerFault.exe	125
3264	3044	WerFault.exe	139
3640	2996	WerFault.exe	148
3916	2292	WerFault.exe	137
3372	3796	WerFault.exe	206
4016	1748	WerFault.exe	157
3204	2076	WerFault.exe	95
3676	1932	WerFault.exe	61
3608	2988	WerFault.exe	107
3768	764	WerFault.exe	79
3836	2628	WerFault.exe	37
4072	2820	WerFault.exe	68
3432	2868	WerFault.exe	76
3816	1620	WerFault.exe	90
4112	2744	WerFault.exe	100
3340	1880	WerFault.exe	123
4100	1696	WerFault.exe	97
4160	2612	WerFault.exe	159
4172	500	WerFault.exe	163
4200	1740	WerFault.exe	179
4180	2296	WerFault.exe	173
4232	1828	WerFault.exe	150
4240	1492	WerFault.exe	156
4224	1180	WerFault.exe	154
4216	3016	WerFault.exe	166
4208	108	WerFault.exe	168
4544	2652	WerFault.exe	105
4404	2848	WerFault.exe	40
4332	2584	WerFault.exe	52
3352	3048	WerFault.exe	50
4292	2300	WerFault.exe	120
4188	1972	WerFault.exe	63
4136	2816	WerFault.exe	67
4532	2952	WerFault.exe	110
4512	2668	WerFault.exe	106
4500	1048	WerFault.exe	116
4476	2148	WerFault.exe	112
4436	2032	WerFault.exe	124
4428	1016	WerFault.exe	114
5000	540	WerFault.exe	134
4976	796	WerFault.exe	132
5184	2028	WerFault.exe	135
5200	2688	WerFault.exe	147
5364	2752	WerFault.exe	146

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Unicorn-21657.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Unicorn-16458.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Unicorn-43155.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Unicorn-22502.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Unicorn-44438.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Unicorn-36707.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Unicorn-17709.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Unicorn-62244.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Unicorn-7594.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Unicorn-19737.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Unicorn-30395.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Unicorn-37889.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Unicorn-57250.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Unicorn-23866.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Unicorn-26950.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Unicorn-40329.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Unicorn-12748.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Unicorn-30328.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Unicorn-1117.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Unicorn-61547.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Unicorn-40890.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Unicorn-40371.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Unicorn-59731.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Unicorn-2828.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Unicorn-46050.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Unicorn-18723.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Unicorn-41035.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Unicorn-43504.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Unicorn-30235.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Unicorn-13808.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Unicorn-6722.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Unicorn-47158.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Unicorn-32222.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Unicorn-27382.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Unicorn-17551.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Unicorn-10565.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Unicorn-18730.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Unicorn-35359.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Unicorn-39009.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Unicorn-3178.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Unicorn-59593.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Unicorn-28259.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Unicorn-60220.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Unicorn-50957.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Unicorn-31798.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Unicorn-19908.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Unicorn-41632.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Unicorn-14558.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Unicorn-37925.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Unicorn-36122.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Unicorn-2747.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Unicorn-60639.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Unicorn-24969.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Unicorn-30439.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Unicorn-43195.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Unicorn-65510.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Unicorn-36083.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Unicorn-16038.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Unicorn-8227.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Unicorn-48706.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Unicorn-8777.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Unicorn-37745.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Unicorn-21024.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Unicorn-47921.exe

Suspicious use of SetWindowsHookEx 64 IoCs

pid	Process
2432	5a186c2ac5e3138613391785e531a11fa0f31321c9540e75f399769bd7f6832a.exe
2156	Unicorn-49286.exe
1716	Unicorn-11543.exe
1720	Unicorn-14236.exe
2828	Unicorn-64811.exe
2824	Unicorn-32047.exe
2176	Unicorn-16265.exe
3020	Unicorn-1320.exe
2628	Unicorn-11709.exe
2188	Unicorn-17474.exe
840	Unicorn-44382.exe
2964	Unicorn-53218.exe
2848	Unicorn-9571.exe
2832	Unicorn-59348.exe
2956	Unicorn-39482.exe
780	Unicorn-8777.exe
1488	Unicorn-42004.exe
1540	Unicorn-14807.exe
1340	Unicorn-27065.exe
656	Unicorn-46110.exe
3048	Unicorn-11299.exe
988	Unicorn-3131.exe
2584	Unicorn-22160.exe
2456	Unicorn-60043.exe
844	Unicorn-7115.exe
2040	Unicorn-44527.exe
2464	Unicorn-21414.exe
1976	Unicorn-13245.exe
2528	Unicorn-56779.exe
620	Unicorn-6722.exe
1932	Unicorn-21113.exe
2392	Unicorn-1247.exe
2208	Unicorn-31959.exe
1972	Unicorn-60639.exe
816	Unicorn-3925.exe
2816	Unicorn-3178.exe
1856	Unicorn-43249.exe
2820	Unicorn-13484.exe
2960	Unicorn-11901.exe
2916	Unicorn-35851.exe
2132	Unicorn-15430.exe
2504	Unicorn-30375.exe
2928	Unicorn-48658.exe
2172	Unicorn-59593.exe
2868	Unicorn-29629.exe
764	Unicorn-37889.exe
2840	Unicorn-43754.exe
1896	Unicorn-43203.exe
1560	Unicorn-28259.exe
2992	Unicorn-21461.exe
1484	Unicorn-58885.exe
1648	Unicorn-65015.exe
444	Unicorn-45150.exe
2200	Unicorn-50717.exe
1548	Unicorn-30650.exe
2372	Unicorn-27382.exe
2084	Unicorn-30096.exe
1620	Unicorn-60822.exe
1396	Unicorn-45041.exe
2044	Unicorn-64806.exe
1864	Unicorn-5399.exe
2076	Unicorn-17551.exe
2212	Unicorn-25820.exe
1696	Unicorn-47921.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2432 wrote to memory of 2156	2432	5a186c2ac5e3138613391785e531a11fa0f31321c9540e75f399769bd7f6832a.exe	30
PID 2432 wrote to memory of 2156	2432	5a186c2ac5e3138613391785e531a11fa0f31321c9540e75f399769bd7f6832a.exe	30
PID 2432 wrote to memory of 2156	2432	5a186c2ac5e3138613391785e531a11fa0f31321c9540e75f399769bd7f6832a.exe	30
PID 2432 wrote to memory of 2156	2432	5a186c2ac5e3138613391785e531a11fa0f31321c9540e75f399769bd7f6832a.exe	30
PID 2156 wrote to memory of 1716	2156	Unicorn-49286.exe	31
PID 2156 wrote to memory of 1716	2156	Unicorn-49286.exe	31
PID 2156 wrote to memory of 1716	2156	Unicorn-49286.exe	31
PID 2156 wrote to memory of 1716	2156	Unicorn-49286.exe	31
PID 2432 wrote to memory of 1720	2432	5a186c2ac5e3138613391785e531a11fa0f31321c9540e75f399769bd7f6832a.exe	32
PID 2432 wrote to memory of 1720	2432	5a186c2ac5e3138613391785e531a11fa0f31321c9540e75f399769bd7f6832a.exe	32
PID 2432 wrote to memory of 1720	2432	5a186c2ac5e3138613391785e531a11fa0f31321c9540e75f399769bd7f6832a.exe	32
PID 2432 wrote to memory of 1720	2432	5a186c2ac5e3138613391785e531a11fa0f31321c9540e75f399769bd7f6832a.exe	32
PID 1716 wrote to memory of 2824	1716	Unicorn-11543.exe	33
PID 1716 wrote to memory of 2824	1716	Unicorn-11543.exe	33
PID 1716 wrote to memory of 2824	1716	Unicorn-11543.exe	33
PID 1716 wrote to memory of 2824	1716	Unicorn-11543.exe	33
PID 1720 wrote to memory of 3020	1720	Unicorn-14236.exe	34
PID 1720 wrote to memory of 3020	1720	Unicorn-14236.exe	34
PID 1720 wrote to memory of 3020	1720	Unicorn-14236.exe	34
PID 1720 wrote to memory of 3020	1720	Unicorn-14236.exe	34
PID 2432 wrote to memory of 2828	2432	5a186c2ac5e3138613391785e531a11fa0f31321c9540e75f399769bd7f6832a.exe	35
PID 2432 wrote to memory of 2828	2432	5a186c2ac5e3138613391785e531a11fa0f31321c9540e75f399769bd7f6832a.exe	35
PID 2432 wrote to memory of 2828	2432	5a186c2ac5e3138613391785e531a11fa0f31321c9540e75f399769bd7f6832a.exe	35
PID 2432 wrote to memory of 2828	2432	5a186c2ac5e3138613391785e531a11fa0f31321c9540e75f399769bd7f6832a.exe	35
PID 2156 wrote to memory of 2176	2156	Unicorn-49286.exe	36
PID 2156 wrote to memory of 2176	2156	Unicorn-49286.exe	36
PID 2156 wrote to memory of 2176	2156	Unicorn-49286.exe	36
PID 2156 wrote to memory of 2176	2156	Unicorn-49286.exe	36
PID 2828 wrote to memory of 2628	2828	Unicorn-64811.exe	37
PID 2828 wrote to memory of 2628	2828	Unicorn-64811.exe	37
PID 2828 wrote to memory of 2628	2828	Unicorn-64811.exe	37
PID 2828 wrote to memory of 2628	2828	Unicorn-64811.exe	37
PID 2432 wrote to memory of 2188	2432	5a186c2ac5e3138613391785e531a11fa0f31321c9540e75f399769bd7f6832a.exe	38
PID 2432 wrote to memory of 2188	2432	5a186c2ac5e3138613391785e531a11fa0f31321c9540e75f399769bd7f6832a.exe	38
PID 2432 wrote to memory of 2188	2432	5a186c2ac5e3138613391785e531a11fa0f31321c9540e75f399769bd7f6832a.exe	38
PID 2432 wrote to memory of 2188	2432	5a186c2ac5e3138613391785e531a11fa0f31321c9540e75f399769bd7f6832a.exe	38
PID 2176 wrote to memory of 840	2176	Unicorn-16265.exe	39
PID 2176 wrote to memory of 840	2176	Unicorn-16265.exe	39
PID 2176 wrote to memory of 840	2176	Unicorn-16265.exe	39
PID 2176 wrote to memory of 840	2176	Unicorn-16265.exe	39
PID 2824 wrote to memory of 2848	2824	Unicorn-32047.exe	40
PID 2824 wrote to memory of 2848	2824	Unicorn-32047.exe	40
PID 2824 wrote to memory of 2848	2824	Unicorn-32047.exe	40
PID 2824 wrote to memory of 2848	2824	Unicorn-32047.exe	40
PID 2156 wrote to memory of 2964	2156	Unicorn-49286.exe	41
PID 2156 wrote to memory of 2964	2156	Unicorn-49286.exe	41
PID 2156 wrote to memory of 2964	2156	Unicorn-49286.exe	41
PID 2156 wrote to memory of 2964	2156	Unicorn-49286.exe	41
PID 1720 wrote to memory of 2956	1720	Unicorn-14236.exe	42
PID 1720 wrote to memory of 2956	1720	Unicorn-14236.exe	42
PID 1720 wrote to memory of 2956	1720	Unicorn-14236.exe	42
PID 1720 wrote to memory of 2956	1720	Unicorn-14236.exe	42
PID 1716 wrote to memory of 2124	1716	Unicorn-11543.exe	43
PID 1716 wrote to memory of 2124	1716	Unicorn-11543.exe	43
PID 1716 wrote to memory of 2124	1716	Unicorn-11543.exe	43
PID 1716 wrote to memory of 2124	1716	Unicorn-11543.exe	43
PID 3020 wrote to memory of 2832	3020	Unicorn-1320.exe	44
PID 3020 wrote to memory of 2832	3020	Unicorn-1320.exe	44
PID 3020 wrote to memory of 2832	3020	Unicorn-1320.exe	44
PID 3020 wrote to memory of 2832	3020	Unicorn-1320.exe	44
PID 2628 wrote to memory of 780	2628	Unicorn-11709.exe	45
PID 2628 wrote to memory of 780	2628	Unicorn-11709.exe	45
PID 2628 wrote to memory of 780	2628	Unicorn-11709.exe	45
PID 2628 wrote to memory of 780	2628	Unicorn-11709.exe	45

C:\Users\Admin\AppData\Local\Temp\5a186c2ac5e3138613391785e531a11fa0f31321c9540e75f399769bd7f6832a.exe
"C:\Users\Admin\AppData\Local\Temp\5a186c2ac5e3138613391785e531a11fa0f31321c9540e75f399769bd7f6832a.exe"
1⤵
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2432
- C:\Users\Admin\AppData\Local\Temp\Unicorn-49286.exe
  C:\Users\Admin\AppData\Local\Temp\Unicorn-49286.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2156
- - C:\Users\Admin\AppData\Local\Temp\Unicorn-11543.exe
    C:\Users\Admin\AppData\Local\Temp\Unicorn-11543.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:1716
  - - C:\Users\Admin\AppData\Local\Temp\Unicorn-32047.exe
      C:\Users\Admin\AppData\Local\Temp\Unicorn-32047.exe
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:2824
    - - C:\Users\Admin\AppData\Local\Temp\Unicorn-9571.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-9571.exe
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetWindowsHookEx
        
        PID:2848
      - C:\Users\Admin\AppData\Local\Temp\Unicorn-13245.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-13245.exe
        6⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1976
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-28259.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-28259.exe
        7⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:1560
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-43308.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-43308.exe
        8⤵
        
        PID:2032
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-40890.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-40890.exe
        9⤵
        System Location Discovery: System Language Discovery
        
        PID:3720
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-37925.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-37925.exe
        10⤵
        System Location Discovery: System Language Discovery
        
        PID:8560
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-49549.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-49549.exe
        10⤵
        
        PID:8900
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2032 -s 248
        9⤵
        Program crash
        
        PID:4436
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-43582.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-43582.exe
        8⤵
        
        PID:3796
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3796 -s 244
        9⤵
        Program crash
        
        PID:3372
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-13135.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-13135.exe
        8⤵
        
        PID:3540
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-58754.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-58754.exe
        8⤵
        
        PID:5520
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-3789.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-3789.exe
        8⤵
        
        PID:6820
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-30092.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-30092.exe
        8⤵
        
        PID:7604
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1560 -s 244
        8⤵
        
        PID:7880
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-17220.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-17220.exe
        7⤵
        
        PID:2380
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2380 -s 244
        8⤵
        Program crash
        
        PID:1196
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-11661.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-11661.exe
        7⤵
        
        PID:2552
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-38591.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-38591.exe
        8⤵
        
        PID:4324
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-1110.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-1110.exe
        8⤵
        
        PID:6072
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-54695.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-54695.exe
        8⤵
        
        PID:6668
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-61323.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-61323.exe
        8⤵
        
        PID:7816
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-10058.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-10058.exe
        8⤵
        
        PID:7888
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-33180.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-33180.exe
        8⤵
        
        PID:7688
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-37989.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-37989.exe
        8⤵
        
        PID:8312
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-21989.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-21989.exe
        7⤵
        
        PID:4260
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-12045.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-12045.exe
        7⤵
        
        PID:6084
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-35359.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-35359.exe
        7⤵
        System Location Discovery: System Language Discovery
        
        PID:6644
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-53188.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-53188.exe
        7⤵
        
        PID:7836
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-54594.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-54594.exe
        7⤵
        
        PID:7900
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-23380.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-23380.exe
        7⤵
        
        PID:8228
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-15323.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-15323.exe
        7⤵
        
        PID:8344
      - C:\Users\Admin\AppData\Local\Temp\Unicorn-45150.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-45150.exe
        6⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:444
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 444 -s 240
        7⤵
        Program crash
        
        PID:1688
      - C:\Users\Admin\AppData\Local\Temp\Unicorn-22979.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-22979.exe
        6⤵
        
        PID:2300
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-53910.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-53910.exe
        7⤵
        
        PID:3932
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-61547.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-61547.exe
        8⤵
        System Location Discovery: System Language Discovery
        
        PID:8720
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2300 -s 216
        7⤵
        Program crash
        
        PID:4292
      - C:\Users\Admin\AppData\Local\Temp\Unicorn-21657.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-21657.exe
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:3128
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2848 -s 224
        6⤵
        Program crash
        
        PID:4404
    - - C:\Users\Admin\AppData\Local\Temp\Unicorn-56779.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-56779.exe
        5⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2528
      - C:\Users\Admin\AppData\Local\Temp\Unicorn-65015.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-65015.exe
        6⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1648
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-60220.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-60220.exe
        7⤵
        System Location Discovery: System Language Discovery
        
        PID:796
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-42919.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-42919.exe
        8⤵
        
        PID:3288
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 796 -s 228
        8⤵
        Program crash
        
        PID:4976
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-26945.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-26945.exe
        7⤵
        
        PID:3452
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-51270.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-51270.exe
        7⤵
        
        PID:4816
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1648 -s 248
        7⤵
        
        PID:5536
      - C:\Users\Admin\AppData\Local\Temp\Unicorn-57568.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-57568.exe
        6⤵
        
        PID:2028
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-18991.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-18991.exe
        7⤵
        
        PID:3588
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2028 -s 248
        7⤵
        Program crash
        
        PID:5184
      - C:\Users\Admin\AppData\Local\Temp\Unicorn-27634.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-27634.exe
        6⤵
        
        PID:3780
      - C:\Users\Admin\AppData\Local\Temp\Unicorn-36305.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-36305.exe
        6⤵
        
        PID:5148
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2528 -s 244
        6⤵
        
        PID:6852
    - - C:\Users\Admin\AppData\Local\Temp\Unicorn-50717.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-50717.exe
        5⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2200
      - C:\Users\Admin\AppData\Local\Temp\Unicorn-28918.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-28918.exe
        6⤵
        
        PID:2920
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2920 -s 200
        7⤵
        Program crash
        
        PID:3152
      - C:\Users\Admin\AppData\Local\Temp\Unicorn-19737.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-19737.exe
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:3548
      - C:\Users\Admin\AppData\Local\Temp\Unicorn-30439.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-30439.exe
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:5164
      - C:\Users\Admin\AppData\Local\Temp\Unicorn-12454.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-12454.exe
        6⤵
        
        PID:6804
      - C:\Users\Admin\AppData\Local\Temp\Unicorn-46628.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-46628.exe
        6⤵
        
        PID:7612
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2200 -s 236
        6⤵
        
        PID:7784
    - - C:\Users\Admin\AppData\Local\Temp\Unicorn-4724.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-4724.exe
        5⤵
        
        PID:2232
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2232 -s 244
        6⤵
        Program crash
        
        PID:2304
    - - C:\Users\Admin\AppData\Local\Temp\Unicorn-35119.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-35119.exe
        5⤵
        
        PID:872
      - C:\Users\Admin\AppData\Local\Temp\Unicorn-26858.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-26858.exe
        6⤵
        
        PID:3476
      - C:\Users\Admin\AppData\Local\Temp\Unicorn-4343.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-4343.exe
        6⤵
        
        PID:5492
      - C:\Users\Admin\AppData\Local\Temp\Unicorn-6589.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-6589.exe
        6⤵
        
        PID:6736
      - C:\Users\Admin\AppData\Local\Temp\Unicorn-55293.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-55293.exe
        6⤵
        
        PID:7592
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 872 -s 240
        6⤵
        
        PID:7764
    - - C:\Users\Admin\AppData\Local\Temp\Unicorn-6052.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-6052.exe
        5⤵
        
        PID:3808
    - - C:\Users\Admin\AppData\Local\Temp\Unicorn-56841.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-56841.exe
        5⤵
        
        PID:5620
    - - C:\Users\Admin\AppData\Local\Temp\Unicorn-48325.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-48325.exe
        5⤵
        
        PID:6788
    - - C:\Users\Admin\AppData\Local\Temp\Unicorn-20292.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-20292.exe
        5⤵
        
        PID:7656
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2824 -s 248
        5⤵
        
        PID:7756
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 1716 -s 236
      4⤵
      Loads dropped DLL
      Program crash
      PID:2124
- - C:\Users\Admin\AppData\Local\Temp\Unicorn-16265.exe
    C:\Users\Admin\AppData\Local\Temp\Unicorn-16265.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:2176
  - - C:\Users\Admin\AppData\Local\Temp\Unicorn-44382.exe
      C:\Users\Admin\AppData\Local\Temp\Unicorn-44382.exe
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Suspicious use of SetWindowsHookEx
      PID:840
    - - C:\Users\Admin\AppData\Local\Temp\Unicorn-3131.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-3131.exe
        5⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:988
      - C:\Users\Admin\AppData\Local\Temp\Unicorn-15430.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-15430.exe
        6⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2132
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2132 -s 244
        7⤵
        Program crash
        
        PID:2236
      - C:\Users\Admin\AppData\Local\Temp\Unicorn-21496.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-21496.exe
        6⤵
        
        PID:1556
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-54081.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-54081.exe
        7⤵
        
        PID:1940
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-58928.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-58928.exe
        8⤵
        
        PID:3888
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1940 -s 228
        8⤵
        
        PID:5416
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-30318.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-30318.exe
        7⤵
        
        PID:3468
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1556 -s 244
        7⤵
        
        PID:5344
      - C:\Users\Admin\AppData\Local\Temp\Unicorn-696.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-696.exe
        6⤵
        
        PID:1052
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-5067.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-5067.exe
        7⤵
        
        PID:3776
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1052 -s 248
        7⤵
        
        PID:6120
      - C:\Users\Admin\AppData\Local\Temp\Unicorn-11024.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-11024.exe
        6⤵
        
        PID:3580
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 988 -s 244
        6⤵
        
        PID:5144
    - - C:\Users\Admin\AppData\Local\Temp\Unicorn-48658.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-48658.exe
        5⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2928
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2928 -s 244
        6⤵
        Program crash
        
        PID:2968
    - - C:\Users\Admin\AppData\Local\Temp\Unicorn-10343.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-10343.exe
        5⤵
        
        PID:2600
      - C:\Users\Admin\AppData\Local\Temp\Unicorn-13899.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-13899.exe
        6⤵
        
        PID:3528
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-21599.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-21599.exe
        7⤵
        
        PID:5744
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-58303.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-58303.exe
        7⤵
        
        PID:940
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-7155.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-7155.exe
        7⤵
        
        PID:7488
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-43223.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-43223.exe
        7⤵
        
        PID:5084
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-56727.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-56727.exe
        7⤵
        
        PID:7672
      - C:\Users\Admin\AppData\Local\Temp\Unicorn-58772.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-58772.exe
        6⤵
        
        PID:4420
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2600 -s 244
        6⤵
        
        PID:5856
    - - C:\Users\Admin\AppData\Local\Temp\Unicorn-40625.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-40625.exe
        5⤵
        
        PID:3688
      - C:\Users\Admin\AppData\Local\Temp\Unicorn-46389.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-46389.exe
        6⤵
        
        PID:8616
    - - C:\Users\Admin\AppData\Local\Temp\Unicorn-4170.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-4170.exe
        5⤵
        
        PID:4360
    - - C:\Users\Admin\AppData\Local\Temp\Unicorn-43195.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-43195.exe
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:6016
    - - C:\Users\Admin\AppData\Local\Temp\Unicorn-30874.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-30874.exe
        5⤵
        
        PID:6604
    - - C:\Users\Admin\AppData\Local\Temp\Unicorn-46753.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-46753.exe
        5⤵
        
        PID:7544
    - - C:\Users\Admin\AppData\Local\Temp\Unicorn-7646.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-7646.exe
        5⤵
        
        PID:8008
    - - C:\Users\Admin\AppData\Local\Temp\Unicorn-65510.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-65510.exe
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:8876
    - - C:\Users\Admin\AppData\Local\Temp\Unicorn-22502.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-22502.exe
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:8476
  - - C:\Users\Admin\AppData\Local\Temp\Unicorn-44527.exe
      C:\Users\Admin\AppData\Local\Temp\Unicorn-44527.exe
      4⤵
      Executes dropped EXE
      Suspicious use of SetWindowsHookEx
      PID:2040
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2040 -s 240
        5⤵
        Program crash
        
        PID:1640
  - - C:\Users\Admin\AppData\Local\Temp\Unicorn-58885.exe
      C:\Users\Admin\AppData\Local\Temp\Unicorn-58885.exe
      4⤵
      Executes dropped EXE
      Suspicious use of SetWindowsHookEx
      PID:1484
    - - C:\Users\Admin\AppData\Local\Temp\Unicorn-9073.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-9073.exe
        5⤵
        
        PID:2676
      - C:\Users\Admin\AppData\Local\Temp\Unicorn-40542.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-40542.exe
        6⤵
        
        PID:3564
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-4299.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-4299.exe
        7⤵
        
        PID:3412
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-33123.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-33123.exe
        7⤵
        
        PID:5312
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3564 -s 240
        7⤵
        
        PID:6708
      - C:\Users\Admin\AppData\Local\Temp\Unicorn-54631.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-54631.exe
        6⤵
        
        PID:3680
      - C:\Users\Admin\AppData\Local\Temp\Unicorn-59111.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-59111.exe
        6⤵
        
        PID:5664
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2676 -s 248
        6⤵
        
        PID:6812
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1484 -s 228
        5⤵
        Program crash
        
        PID:3740
  - - C:\Users\Admin\AppData\Local\Temp\Unicorn-12700.exe
      C:\Users\Admin\AppData\Local\Temp\Unicorn-12700.exe
      4⤵
      PID:2836
    - - C:\Users\Admin\AppData\Local\Temp\Unicorn-32613.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-32613.exe
        5⤵
        
        PID:3256
    - - C:\Users\Admin\AppData\Local\Temp\Unicorn-37534.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-37534.exe
        5⤵
        
        PID:4808
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2836 -s 244
        5⤵
        
        PID:3024
  - - C:\Users\Admin\AppData\Local\Temp\Unicorn-21544.exe
      C:\Users\Admin\AppData\Local\Temp\Unicorn-21544.exe
      4⤵
      PID:3332
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3332 -s 224
        5⤵
        
        PID:8572
  - - C:\Users\Admin\AppData\Local\Temp\Unicorn-31934.exe
      C:\Users\Admin\AppData\Local\Temp\Unicorn-31934.exe
      4⤵
      PID:5020
  - - C:\Users\Admin\AppData\Local\Temp\Unicorn-60261.exe
      C:\Users\Admin\AppData\Local\Temp\Unicorn-60261.exe
      4⤵
      PID:2088
  - - C:\Users\Admin\AppData\Local\Temp\Unicorn-9343.exe
      C:\Users\Admin\AppData\Local\Temp\Unicorn-9343.exe
      4⤵
      PID:7200
  - - C:\Users\Admin\AppData\Local\Temp\Unicorn-41418.exe
      C:\Users\Admin\AppData\Local\Temp\Unicorn-41418.exe
      4⤵
      PID:7652
  - - C:\Users\Admin\AppData\Local\Temp\Unicorn-11846.exe
      C:\Users\Admin\AppData\Local\Temp\Unicorn-11846.exe
      4⤵
      PID:5088
  - - C:\Users\Admin\AppData\Local\Temp\Unicorn-33498.exe
      C:\Users\Admin\AppData\Local\Temp\Unicorn-33498.exe
      4⤵
      PID:8964
  - - C:\Users\Admin\AppData\Local\Temp\Unicorn-26750.exe
      C:\Users\Admin\AppData\Local\Temp\Unicorn-26750.exe
      4⤵
      PID:4744
- - C:\Users\Admin\AppData\Local\Temp\Unicorn-53218.exe
    C:\Users\Admin\AppData\Local\Temp\Unicorn-53218.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of SetWindowsHookEx
    PID:2964
  - - C:\Users\Admin\AppData\Local\Temp\Unicorn-11299.exe
      C:\Users\Admin\AppData\Local\Temp\Unicorn-11299.exe
      4⤵
      Executes dropped EXE
      Suspicious use of SetWindowsHookEx
      PID:3048
    - - C:\Users\Admin\AppData\Local\Temp\Unicorn-35851.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-35851.exe
        5⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2916
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2916 -s 224
        6⤵
        Program crash
        
        PID:3000
    - - C:\Users\Admin\AppData\Local\Temp\Unicorn-57869.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-57869.exe
        5⤵
        
        PID:1016
      - C:\Users\Admin\AppData\Local\Temp\Unicorn-16962.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-16962.exe
        6⤵
        
        PID:3892
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-25066.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-25066.exe
        7⤵
        
        PID:9156
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1016 -s 248
        6⤵
        Program crash
        
        PID:4428
    - - C:\Users\Admin\AppData\Local\Temp\Unicorn-57894.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-57894.exe
        5⤵
        
        PID:4064
      - C:\Users\Admin\AppData\Local\Temp\Unicorn-30328.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-30328.exe
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:5716
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3048 -s 248
        5⤵
        Program crash
        
        PID:3352
  - - C:\Users\Admin\AppData\Local\Temp\Unicorn-30375.exe
      C:\Users\Admin\AppData\Local\Temp\Unicorn-30375.exe
      4⤵
      Executes dropped EXE
      Suspicious use of SetWindowsHookEx
      PID:2504
    - - C:\Users\Admin\AppData\Local\Temp\Unicorn-29110.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-29110.exe
        5⤵
        
        PID:884
      - C:\Users\Admin\AppData\Local\Temp\Unicorn-10739.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-10739.exe
        6⤵
        
        PID:3968
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-21672.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-21672.exe
        7⤵
        
        PID:8728
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-30773.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-30773.exe
        7⤵
        
        PID:9140
      - C:\Users\Admin\AppData\Local\Temp\Unicorn-58772.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-58772.exe
        6⤵
        
        PID:4388
      - C:\Users\Admin\AppData\Local\Temp\Unicorn-62531.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-62531.exe
        6⤵
        
        PID:5748
      - C:\Users\Admin\AppData\Local\Temp\Unicorn-39009.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-39009.exe
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:7224
      - C:\Users\Admin\AppData\Local\Temp\Unicorn-28859.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-28859.exe
        6⤵
        
        PID:7788
      - C:\Users\Admin\AppData\Local\Temp\Unicorn-5194.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-5194.exe
        6⤵
        
        PID:7696
      - C:\Users\Admin\AppData\Local\Temp\Unicorn-18362.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-18362.exe
        6⤵
        
        PID:9060
      - C:\Users\Admin\AppData\Local\Temp\Unicorn-8285.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-8285.exe
        6⤵
        
        PID:6496
    - - C:\Users\Admin\AppData\Local\Temp\Unicorn-23546.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-23546.exe
        5⤵
        
        PID:3092
      - C:\Users\Admin\AppData\Local\Temp\Unicorn-56607.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-56607.exe
        6⤵
        
        PID:8372
    - - C:\Users\Admin\AppData\Local\Temp\Unicorn-6970.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-6970.exe
        5⤵
        
        PID:4256
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2504 -s 248
        5⤵
        
        PID:5540
  - - C:\Users\Admin\AppData\Local\Temp\Unicorn-45346.exe
      C:\Users\Admin\AppData\Local\Temp\Unicorn-45346.exe
      4⤵
      PID:1880
    - - C:\Users\Admin\AppData\Local\Temp\Unicorn-7594.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-7594.exe
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:108
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 108 -s 224
        6⤵
        Program crash
        
        PID:4208
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1880 -s 248
        5⤵
        Program crash
        
        PID:3340
  - - C:\Users\Admin\AppData\Local\Temp\Unicorn-50007.exe
      C:\Users\Admin\AppData\Local\Temp\Unicorn-50007.exe
      4⤵
      PID:1352
    - - C:\Users\Admin\AppData\Local\Temp\Unicorn-26531.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-26531.exe
        5⤵
        
        PID:4732
    - - C:\Users\Admin\AppData\Local\Temp\Unicorn-46850.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-46850.exe
        5⤵
        
        PID:5444
    - - C:\Users\Admin\AppData\Local\Temp\Unicorn-41312.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-41312.exe
        5⤵
        
        PID:2400
    - - C:\Users\Admin\AppData\Local\Temp\Unicorn-51915.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-51915.exe
        5⤵
        
        PID:1920
    - - C:\Users\Admin\AppData\Local\Temp\Unicorn-21729.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-21729.exe
        5⤵
        
        PID:7912
    - - C:\Users\Admin\AppData\Local\Temp\Unicorn-1297.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-1297.exe
        5⤵
        
        PID:9036
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1352 -s 224
        5⤵
        
        PID:8704
  - - C:\Users\Admin\AppData\Local\Temp\Unicorn-12748.exe
      C:\Users\Admin\AppData\Local\Temp\Unicorn-12748.exe
      4⤵
      System Location Discovery: System Language Discovery
      PID:3940
  - - C:\Users\Admin\AppData\Local\Temp\Unicorn-61047.exe
      C:\Users\Admin\AppData\Local\Temp\Unicorn-61047.exe
      4⤵
      PID:6036
  - - C:\Users\Admin\AppData\Local\Temp\Unicorn-52425.exe
      C:\Users\Admin\AppData\Local\Temp\Unicorn-52425.exe
      4⤵
      PID:6600
  - - C:\Users\Admin\AppData\Local\Temp\Unicorn-31657.exe
      C:\Users\Admin\AppData\Local\Temp\Unicorn-31657.exe
      4⤵
      PID:7800
  - - C:\Users\Admin\AppData\Local\Temp\Unicorn-49259.exe
      C:\Users\Admin\AppData\Local\Temp\Unicorn-49259.exe
      4⤵
      PID:7908
  - - C:\Users\Admin\AppData\Local\Temp\Unicorn-27580.exe
      C:\Users\Admin\AppData\Local\Temp\Unicorn-27580.exe
      4⤵
      PID:4780
  - - C:\Users\Admin\AppData\Local\Temp\Unicorn-53124.exe
      C:\Users\Admin\AppData\Local\Temp\Unicorn-53124.exe
      4⤵
      PID:8304
- - C:\Users\Admin\AppData\Local\Temp\Unicorn-60043.exe
    C:\Users\Admin\AppData\Local\Temp\Unicorn-60043.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:2456
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 2456 -s 224
      4⤵
      Program crash
      PID:2656
- - C:\Users\Admin\AppData\Local\Temp\Unicorn-59593.exe
    C:\Users\Admin\AppData\Local\Temp\Unicorn-59593.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    PID:2172
  - - C:\Users\Admin\AppData\Local\Temp\Unicorn-28150.exe
      C:\Users\Admin\AppData\Local\Temp\Unicorn-28150.exe
      4⤵
      PID:2988
    - - C:\Users\Admin\AppData\Local\Temp\Unicorn-50272.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-50272.exe
        5⤵
        
        PID:1192
      - C:\Users\Admin\AppData\Local\Temp\Unicorn-59019.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-59019.exe
        6⤵
        
        PID:5548
      - C:\Users\Admin\AppData\Local\Temp\Unicorn-58391.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-58391.exe
        6⤵
        
        PID:6684
      - C:\Users\Admin\AppData\Local\Temp\Unicorn-49428.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-49428.exe
        6⤵
        
        PID:7640
      - C:\Users\Admin\AppData\Local\Temp\Unicorn-18723.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-18723.exe
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:7920
      - C:\Users\Admin\AppData\Local\Temp\Unicorn-49716.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-49716.exe
        6⤵
        
        PID:8220
      - C:\Users\Admin\AppData\Local\Temp\Unicorn-20923.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-20923.exe
        6⤵
        
        PID:8392
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2988 -s 216
        5⤵
        Program crash
        
        PID:3608
  - - C:\Users\Admin\AppData\Local\Temp\Unicorn-28268.exe
      C:\Users\Admin\AppData\Local\Temp\Unicorn-28268.exe
      4⤵
      PID:1228
    - - C:\Users\Admin\AppData\Local\Temp\Unicorn-14989.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-14989.exe
        5⤵
        
        PID:4020
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1228 -s 216
        5⤵
        
        PID:5692
  - - C:\Users\Admin\AppData\Local\Temp\Unicorn-3021.exe
      C:\Users\Admin\AppData\Local\Temp\Unicorn-3021.exe
      4⤵
      PID:3860
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 2172 -s 228
      4⤵
      PID:5284
- - C:\Users\Admin\AppData\Local\Temp\Unicorn-52269.exe
    C:\Users\Admin\AppData\Local\Temp\Unicorn-52269.exe
    3⤵
    PID:2408
  - - C:\Users\Admin\AppData\Local\Temp\Unicorn-48902.exe
      C:\Users\Admin\AppData\Local\Temp\Unicorn-48902.exe
      4⤵
      PID:3280
    - - C:\Users\Admin\AppData\Local\Temp\Unicorn-6544.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-6544.exe
        5⤵
        
        PID:8144
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3280 -s 216
        5⤵
        
        PID:4640
  - - C:\Users\Admin\AppData\Local\Temp\Unicorn-58772.exe
      C:\Users\Admin\AppData\Local\Temp\Unicorn-58772.exe
      4⤵
      PID:4408
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 2408 -s 244
      4⤵
      PID:5924
- - C:\Users\Admin\AppData\Local\Temp\Unicorn-5499.exe
    C:\Users\Admin\AppData\Local\Temp\Unicorn-5499.exe
    3⤵
    PID:3500
  - - C:\Users\Admin\AppData\Local\Temp\Unicorn-24969.exe
      C:\Users\Admin\AppData\Local\Temp\Unicorn-24969.exe
      4⤵
      System Location Discovery: System Language Discovery
      PID:4992
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 3500 -s 228
      4⤵
      PID:6080
- - C:\Users\Admin\AppData\Local\Temp\Unicorn-48706.exe
    C:\Users\Admin\AppData\Local\Temp\Unicorn-48706.exe
    3⤵
    - System Location Discovery: System Language Discovery
    PID:4348
- - C:\Users\Admin\AppData\Local\Temp\Unicorn-33395.exe
    C:\Users\Admin\AppData\Local\Temp\Unicorn-33395.exe
    3⤵
    PID:2492
- - C:\Users\Admin\AppData\Local\Temp\Unicorn-8208.exe
    C:\Users\Admin\AppData\Local\Temp\Unicorn-8208.exe
    3⤵
    PID:7232
- - C:\Users\Admin\AppData\Local\Temp\Unicorn-17883.exe
    C:\Users\Admin\AppData\Local\Temp\Unicorn-17883.exe
    3⤵
    PID:7572
- - C:\Users\Admin\AppData\Local\Temp\Unicorn-54005.exe
    C:\Users\Admin\AppData\Local\Temp\Unicorn-54005.exe
    3⤵
    PID:7680
- - C:\Users\Admin\AppData\Local\Temp\Unicorn-30698.exe
    C:\Users\Admin\AppData\Local\Temp\Unicorn-30698.exe
    3⤵
    PID:8988
- - C:\Users\Admin\AppData\Local\Temp\Unicorn-1550.exe
    C:\Users\Admin\AppData\Local\Temp\Unicorn-1550.exe
    3⤵
    PID:1912
- C:\Users\Admin\AppData\Local\Temp\Unicorn-14236.exe
  C:\Users\Admin\AppData\Local\Temp\Unicorn-14236.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:1720
- - C:\Users\Admin\AppData\Local\Temp\Unicorn-1320.exe
    C:\Users\Admin\AppData\Local\Temp\Unicorn-1320.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:3020
  - - C:\Users\Admin\AppData\Local\Temp\Unicorn-59348.exe
      C:\Users\Admin\AppData\Local\Temp\Unicorn-59348.exe
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Suspicious use of SetWindowsHookEx
      PID:2832
    - - C:\Users\Admin\AppData\Local\Temp\Unicorn-46110.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-46110.exe
        5⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:656
      - C:\Users\Admin\AppData\Local\Temp\Unicorn-13484.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-13484.exe
        6⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2820
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-48186.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-48186.exe
        7⤵
        Executes dropped EXE
        
        PID:2224
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-36567.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-36567.exe
        8⤵
        
        PID:2776
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-54076.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-54076.exe
        9⤵
        
        PID:3928
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2776 -s 228
        9⤵
        
        PID:5652
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-54823.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-54823.exe
        8⤵
        
        PID:3884
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2224 -s 244
        8⤵
        
        PID:5332
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-22731.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-22731.exe
        7⤵
        
        PID:500
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 500 -s 224
        8⤵
        Program crash
        
        PID:4172
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2820 -s 244
        7⤵
        Program crash
        
        PID:4072
      - C:\Users\Admin\AppData\Local\Temp\Unicorn-26950.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-26950.exe
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:2068
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-5373.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-5373.exe
        7⤵
        
        PID:3040
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-17709.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-17709.exe
        8⤵
        System Location Discovery: System Language Discovery
        
        PID:1828
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1828 -s 224
        9⤵
        Program crash
        
        PID:4232
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-168.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-168.exe
        8⤵
        
        PID:3148
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3040 -s 224
        8⤵
        
        PID:5336
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-36545.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-36545.exe
        7⤵
        
        PID:1180
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1180 -s 224
        8⤵
        Program crash
        
        PID:4224
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-44438.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-44438.exe
        7⤵
        System Location Discovery: System Language Discovery
        
        PID:3112
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2068 -s 228
        7⤵
        
        PID:5196
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 656 -s 244
        6⤵
        Program crash
        
        PID:2980
    - - C:\Users\Admin\AppData\Local\Temp\Unicorn-11901.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-11901.exe
        5⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2960
      - C:\Users\Admin\AppData\Local\Temp\Unicorn-65098.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-65098.exe
        6⤵
        
        PID:1612
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-31798.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-31798.exe
        7⤵
        System Location Discovery: System Language Discovery
        
        PID:2888
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-20034.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-20034.exe
        8⤵
        
        PID:3296
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2888 -s 228
        8⤵
        
        PID:6112
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-20396.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-20396.exe
        7⤵
        
        PID:3320
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1612 -s 244
        7⤵
        
        PID:6024
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2960 -s 228
        6⤵
        Program crash
        
        PID:2792
    - - C:\Users\Admin\AppData\Local\Temp\Unicorn-12289.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-12289.exe
        5⤵
        
        PID:2056
      - C:\Users\Admin\AppData\Local\Temp\Unicorn-40075.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-40075.exe
        6⤵
        
        PID:2168
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-5643.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-5643.exe
        7⤵
        
        PID:3684
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2168 -s 228
        7⤵
        
        PID:6092
      - C:\Users\Admin\AppData\Local\Temp\Unicorn-14558.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-14558.exe
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:3572
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2056 -s 244
        6⤵
        
        PID:5156
    - - C:\Users\Admin\AppData\Local\Temp\Unicorn-47978.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-47978.exe
        5⤵
        
        PID:1748
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1748 -s 220
        6⤵
        Program crash
        
        PID:4016
    - - C:\Users\Admin\AppData\Local\Temp\Unicorn-37745.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-37745.exe
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:4056
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2832 -s 248
        5⤵
        
        PID:5432
  - - C:\Users\Admin\AppData\Local\Temp\Unicorn-22160.exe
      C:\Users\Admin\AppData\Local\Temp\Unicorn-22160.exe
      4⤵
      Executes dropped EXE
      Suspicious use of SetWindowsHookEx
      PID:2584
    - - C:\Users\Admin\AppData\Local\Temp\Unicorn-29629.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-29629.exe
        5⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2868
      - C:\Users\Admin\AppData\Local\Temp\Unicorn-5783.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-5783.exe
        6⤵
        
        PID:2748
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2748 -s 244
        7⤵
        Program crash
        
        PID:2152
      - C:\Users\Admin\AppData\Local\Temp\Unicorn-24869.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-24869.exe
        6⤵
        
        PID:2480
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-18363.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-18363.exe
        7⤵
        
        PID:4772
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-57301.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-57301.exe
        7⤵
        
        PID:5508
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-36989.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-36989.exe
        7⤵
        
        PID:7108
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-6092.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-6092.exe
        7⤵
        
        PID:7948
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-42731.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-42731.exe
        7⤵
        
        PID:7580
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2480 -s 228
        7⤵
        
        PID:8204
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2868 -s 224
        6⤵
        Program crash
        
        PID:3432
    - - C:\Users\Admin\AppData\Local\Temp\Unicorn-45233.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-45233.exe
        5⤵
        
        PID:2652
      - C:\Users\Admin\AppData\Local\Temp\Unicorn-8061.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-8061.exe
        6⤵
        
        PID:3180
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-60592.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-60592.exe
        7⤵
        
        PID:8356
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-57250.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-57250.exe
        7⤵
        System Location Discovery: System Language Discovery
        
        PID:8608
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2652 -s 216
        6⤵
        Program crash
        
        PID:4544
    - - C:\Users\Admin\AppData\Local\Temp\Unicorn-48802.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-48802.exe
        5⤵
        
        PID:3324
      - C:\Users\Admin\AppData\Local\Temp\Unicorn-63721.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-63721.exe
        6⤵
        
        PID:7668
      - C:\Users\Admin\AppData\Local\Temp\Unicorn-38780.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-38780.exe
        6⤵
        
        PID:8248
      - C:\Users\Admin\AppData\Local\Temp\Unicorn-40259.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-40259.exe
        6⤵
        
        PID:8328
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2584 -s 228
        5⤵
        Program crash
        
        PID:4332
  - - C:\Users\Admin\AppData\Local\Temp\Unicorn-37889.exe
      C:\Users\Admin\AppData\Local\Temp\Unicorn-37889.exe
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious use of SetWindowsHookEx
      PID:764
    - - C:\Users\Admin\AppData\Local\Temp\Unicorn-7921.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-7921.exe
        5⤵
        
        PID:2744
      - C:\Users\Admin\AppData\Local\Temp\Unicorn-9239.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-9239.exe
        6⤵
        
        PID:1060
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-23737.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-23737.exe
        7⤵
        
        PID:5576
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-27576.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-27576.exe
        7⤵
        
        PID:6532
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-46050.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-46050.exe
        7⤵
        System Location Discovery: System Language Discovery
        
        PID:2424
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-30395.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-30395.exe
        7⤵
        System Location Discovery: System Language Discovery
        
        PID:8012
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-17832.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-17832.exe
        7⤵
        
        PID:8996
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-12750.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-12750.exe
        7⤵
        
        PID:4716
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2744 -s 228
        6⤵
        Program crash
        
        PID:4112
    - - C:\Users\Admin\AppData\Local\Temp\Unicorn-19908.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-19908.exe
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:1984
      - C:\Users\Admin\AppData\Local\Temp\Unicorn-2138.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-2138.exe
        6⤵
        
        PID:6224
      - C:\Users\Admin\AppData\Local\Temp\Unicorn-52029.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-52029.exe
        6⤵
        
        PID:7936
      - C:\Users\Admin\AppData\Local\Temp\Unicorn-45531.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-45531.exe
        6⤵
        
        PID:7628
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1984 -s 248
        6⤵
        
        PID:8212
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 764 -s 244
        5⤵
        Program crash
        
        PID:3768
  - - C:\Users\Admin\AppData\Local\Temp\Unicorn-40329.exe
      C:\Users\Admin\AppData\Local\Temp\Unicorn-40329.exe
      4⤵
      System Location Discovery: System Language Discovery
      PID:2720
    - - C:\Users\Admin\AppData\Local\Temp\Unicorn-12062.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-12062.exe
        5⤵
        
        PID:2220
      - C:\Users\Admin\AppData\Local\Temp\Unicorn-40371.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-40371.exe
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:3224
      - C:\Users\Admin\AppData\Local\Temp\Unicorn-63850.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-63850.exe
        6⤵
        
        PID:5356
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2220 -s 244
        6⤵
        
        PID:6756
    - - C:\Users\Admin\AppData\Local\Temp\Unicorn-21382.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-21382.exe
        5⤵
        
        PID:3308
    - - C:\Users\Admin\AppData\Local\Temp\Unicorn-12048.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-12048.exe
        5⤵
        
        PID:5380
    - - C:\Users\Admin\AppData\Local\Temp\Unicorn-12454.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-12454.exe
        5⤵
        
        PID:6780
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2720 -s 224
        5⤵
        
        PID:7620
  - - C:\Users\Admin\AppData\Local\Temp\Unicorn-31528.exe
      C:\Users\Admin\AppData\Local\Temp\Unicorn-31528.exe
      4⤵
      PID:1004
    - - C:\Users\Admin\AppData\Local\Temp\Unicorn-38425.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-38425.exe
        5⤵
        
        PID:4088
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1004 -s 248
        5⤵
        
        PID:5372
  - - C:\Users\Admin\AppData\Local\Temp\Unicorn-45631.exe
      C:\Users\Admin\AppData\Local\Temp\Unicorn-45631.exe
      4⤵
      PID:3196
  - - C:\Users\Admin\AppData\Local\Temp\Unicorn-9778.exe
      C:\Users\Admin\AppData\Local\Temp\Unicorn-9778.exe
      4⤵
      PID:5408
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 3020 -s 248
      4⤵
      PID:6796
- - C:\Users\Admin\AppData\Local\Temp\Unicorn-39482.exe
    C:\Users\Admin\AppData\Local\Temp\Unicorn-39482.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of SetWindowsHookEx
    PID:2956
  - - C:\Users\Admin\AppData\Local\Temp\Unicorn-21414.exe
      C:\Users\Admin\AppData\Local\Temp\Unicorn-21414.exe
      4⤵
      Executes dropped EXE
      Suspicious use of SetWindowsHookEx
      PID:2464
    - - C:\Users\Admin\AppData\Local\Temp\Unicorn-21461.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-21461.exe
        5⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2992
      - C:\Users\Admin\AppData\Local\Temp\Unicorn-64195.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-64195.exe
        6⤵
        
        PID:2812
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-41632.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-41632.exe
        7⤵
        System Location Discovery: System Language Discovery
        
        PID:3144
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-10565.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-10565.exe
        7⤵
        System Location Discovery: System Language Discovery
        
        PID:5704
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2812 -s 244
        7⤵
        
        PID:6764
      - C:\Users\Admin\AppData\Local\Temp\Unicorn-40624.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-40624.exe
        6⤵
        
        PID:3632
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2992 -s 244
        6⤵
        
        PID:5352
    - - C:\Users\Admin\AppData\Local\Temp\Unicorn-12233.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-12233.exe
        5⤵
        
        PID:2752
      - C:\Users\Admin\AppData\Local\Temp\Unicorn-42317.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-42317.exe
        6⤵
        
        PID:3368
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2752 -s 248
        6⤵
        Program crash
        
        PID:5364
    - - C:\Users\Admin\AppData\Local\Temp\Unicorn-62336.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-62336.exe
        5⤵
        
        PID:3600
    - - C:\Users\Admin\AppData\Local\Temp\Unicorn-11691.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-11691.exe
        5⤵
        
        PID:5580
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2464 -s 240
        5⤵
        
        PID:6696
  - - C:\Users\Admin\AppData\Local\Temp\Unicorn-43203.exe
      C:\Users\Admin\AppData\Local\Temp\Unicorn-43203.exe
      4⤵
      Executes dropped EXE
      Suspicious use of SetWindowsHookEx
      PID:1896
    - - C:\Users\Admin\AppData\Local\Temp\Unicorn-5373.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-5373.exe
        5⤵
        
        PID:2292
      - C:\Users\Admin\AppData\Local\Temp\Unicorn-34045.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-34045.exe
        6⤵
        
        PID:2996
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2996 -s 240
        7⤵
        Program crash
        
        PID:3640
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2292 -s 248
        6⤵
        Program crash
        
        PID:3916
    - - C:\Users\Admin\AppData\Local\Temp\Unicorn-6011.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-6011.exe
        5⤵
        
        PID:2328
      - C:\Users\Admin\AppData\Local\Temp\Unicorn-3697.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-3697.exe
        6⤵
        
        PID:3536
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2328 -s 228
        6⤵
        
        PID:6128
    - - C:\Users\Admin\AppData\Local\Temp\Unicorn-13903.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-13903.exe
        5⤵
        
        PID:3084
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1896 -s 248
        5⤵
        
        PID:6136
  - - C:\Users\Admin\AppData\Local\Temp\Unicorn-59435.exe
      C:\Users\Admin\AppData\Local\Temp\Unicorn-59435.exe
      4⤵
      PID:2512
    - - C:\Users\Admin\AppData\Local\Temp\Unicorn-11782.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-11782.exe
        5⤵
        
        PID:4036
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2512 -s 228
        5⤵
        
        PID:5388
  - - C:\Users\Admin\AppData\Local\Temp\Unicorn-21631.exe
      C:\Users\Admin\AppData\Local\Temp\Unicorn-21631.exe
      4⤵
      PID:2672
  - - C:\Users\Admin\AppData\Local\Temp\Unicorn-9248.exe
      C:\Users\Admin\AppData\Local\Temp\Unicorn-9248.exe
      4⤵
      PID:5400
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 2956 -s 248
      4⤵
      PID:6836
- - C:\Users\Admin\AppData\Local\Temp\Unicorn-7115.exe
    C:\Users\Admin\AppData\Local\Temp\Unicorn-7115.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:844
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 844 -s 244
      4⤵
      Program crash
      PID:2860
- - C:\Users\Admin\AppData\Local\Temp\Unicorn-43754.exe
    C:\Users\Admin\AppData\Local\Temp\Unicorn-43754.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:2840
  - - C:\Users\Admin\AppData\Local\Temp\Unicorn-39800.exe
      C:\Users\Admin\AppData\Local\Temp\Unicorn-39800.exe
      4⤵
      PID:2864
    - - C:\Users\Admin\AppData\Local\Temp\Unicorn-58248.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-58248.exe
        5⤵
        
        PID:1740
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1740 -s 224
        6⤵
        Program crash
        
        PID:4200
    - - C:\Users\Admin\AppData\Local\Temp\Unicorn-1813.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-1813.exe
        5⤵
        
        PID:3436
    - - C:\Users\Admin\AppData\Local\Temp\Unicorn-14845.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-14845.exe
        5⤵
        
        PID:5996
    - - C:\Users\Admin\AppData\Local\Temp\Unicorn-60560.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-60560.exe
        5⤵
        
        PID:6628
    - - C:\Users\Admin\AppData\Local\Temp\Unicorn-52658.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-52658.exe
        5⤵
        
        PID:7808
    - - C:\Users\Admin\AppData\Local\Temp\Unicorn-59060.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-59060.exe
        5⤵
        
        PID:7944
    - - C:\Users\Admin\AppData\Local\Temp\Unicorn-50246.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-50246.exe
        5⤵
        
        PID:7868
    - - C:\Users\Admin\AppData\Local\Temp\Unicorn-16458.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-16458.exe
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:8396
  - - C:\Users\Admin\AppData\Local\Temp\Unicorn-63463.exe
      C:\Users\Admin\AppData\Local\Temp\Unicorn-63463.exe
      4⤵
      PID:3104
    - - C:\Users\Admin\AppData\Local\Temp\Unicorn-35190.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-35190.exe
        5⤵
        
        PID:7208
    - - C:\Users\Admin\AppData\Local\Temp\Unicorn-24338.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-24338.exe
        5⤵
        
        PID:8004
    - - C:\Users\Admin\AppData\Local\Temp\Unicorn-59340.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-59340.exe
        5⤵
        
        PID:7824
    - - C:\Users\Admin\AppData\Local\Temp\Unicorn-26498.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-26498.exe
        5⤵
        
        PID:9004
    - - C:\Users\Admin\AppData\Local\Temp\Unicorn-29285.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-29285.exe
        5⤵
        
        PID:3664
  - - C:\Users\Admin\AppData\Local\Temp\Unicorn-55019.exe
      C:\Users\Admin\AppData\Local\Temp\Unicorn-55019.exe
      4⤵
      PID:4276
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 2840 -s 248
      4⤵
      PID:5248
- - C:\Users\Admin\AppData\Local\Temp\Unicorn-36707.exe
    C:\Users\Admin\AppData\Local\Temp\Unicorn-36707.exe
    3⤵
    - System Location Discovery: System Language Discovery
    PID:540
  - - C:\Users\Admin\AppData\Local\Temp\Unicorn-32613.exe
      C:\Users\Admin\AppData\Local\Temp\Unicorn-32613.exe
      4⤵
      PID:3268
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 540 -s 248
      4⤵
      Program crash
      PID:5000
- - C:\Users\Admin\AppData\Local\Temp\Unicorn-11231.exe
    C:\Users\Admin\AppData\Local\Temp\Unicorn-11231.exe
    3⤵
    PID:3376
  - - C:\Users\Admin\AppData\Local\Temp\Unicorn-9544.exe
      C:\Users\Admin\AppData\Local\Temp\Unicorn-9544.exe
      4⤵
      PID:5932
- - C:\Users\Admin\AppData\Local\Temp\Unicorn-49000.exe
    C:\Users\Admin\AppData\Local\Temp\Unicorn-49000.exe
    3⤵
    PID:5032
- - C:\Users\Admin\AppData\Local\Temp\Unicorn-38730.exe
    C:\Users\Admin\AppData\Local\Temp\Unicorn-38730.exe
    3⤵
    PID:5988
- - C:\Users\Admin\AppData\Local\Temp\Unicorn-4008.exe
    C:\Users\Admin\AppData\Local\Temp\Unicorn-4008.exe
    3⤵
    PID:7216
- - C:\Users\Admin\AppData\Local\Temp\Unicorn-6724.exe
    C:\Users\Admin\AppData\Local\Temp\Unicorn-6724.exe
    3⤵
    PID:7796
- - C:\Users\Admin\AppData\Local\Temp\Unicorn-6668.exe
    C:\Users\Admin\AppData\Local\Temp\Unicorn-6668.exe
    3⤵
    PID:7872
- - C:\Users\Admin\AppData\Local\Temp\Unicorn-15297.exe
    C:\Users\Admin\AppData\Local\Temp\Unicorn-15297.exe
    3⤵
    PID:9048
- - C:\Users\Admin\AppData\Local\Temp\Unicorn-42151.exe
    C:\Users\Admin\AppData\Local\Temp\Unicorn-42151.exe
    3⤵
    PID:1452
- C:\Users\Admin\AppData\Local\Temp\Unicorn-64811.exe
  C:\Users\Admin\AppData\Local\Temp\Unicorn-64811.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2828
- - C:\Users\Admin\AppData\Local\Temp\Unicorn-11709.exe
    C:\Users\Admin\AppData\Local\Temp\Unicorn-11709.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:2628
  - - C:\Users\Admin\AppData\Local\Temp\Unicorn-8777.exe
      C:\Users\Admin\AppData\Local\Temp\Unicorn-8777.exe
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      System Location Discovery: System Language Discovery
      Suspicious use of SetWindowsHookEx
      PID:780
    - - C:\Users\Admin\AppData\Local\Temp\Unicorn-6722.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-6722.exe
        5⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:620
      - C:\Users\Admin\AppData\Local\Temp\Unicorn-27382.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-27382.exe
        6⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2372
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-48435.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-48435.exe
        7⤵
        
        PID:1772
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-46484.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-46484.exe
        8⤵
        
        PID:3988
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1772 -s 248
        8⤵
        
        PID:5308
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-10474.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-10474.exe
        7⤵
        
        PID:3408
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2372 -s 244
        7⤵
        
        PID:5292
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 620 -s 248
        6⤵
        Program crash
        
        PID:2616
    - - C:\Users\Admin\AppData\Local\Temp\Unicorn-30650.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-30650.exe
        5⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1548
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1548 -s 244
        6⤵
        Program crash
        
        PID:2404
    - - C:\Users\Admin\AppData\Local\Temp\Unicorn-36083.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-36083.exe
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:2688
      - C:\Users\Admin\AppData\Local\Temp\Unicorn-17045.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-17045.exe
        6⤵
        
        PID:3496
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2688 -s 248
        6⤵
        Program crash
        
        PID:5200
    - - C:\Users\Admin\AppData\Local\Temp\Unicorn-37776.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-37776.exe
        5⤵
        
        PID:3620
    - - C:\Users\Admin\AppData\Local\Temp\Unicorn-54282.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-54282.exe
        5⤵
        
        PID:5136
    - - C:\Users\Admin\AppData\Local\Temp\Unicorn-52791.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-52791.exe
        5⤵
        
        PID:6828
    - - C:\Users\Admin\AppData\Local\Temp\Unicorn-47158.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-47158.exe
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:7632
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 780 -s 236
        5⤵
        
        PID:7712
  - - C:\Users\Admin\AppData\Local\Temp\Unicorn-1247.exe
      C:\Users\Admin\AppData\Local\Temp\Unicorn-1247.exe
      4⤵
      Executes dropped EXE
      Suspicious use of SetWindowsHookEx
      PID:2392
    - - C:\Users\Admin\AppData\Local\Temp\Unicorn-30096.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-30096.exe
        5⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2084
      - C:\Users\Admin\AppData\Local\Temp\Unicorn-43308.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-43308.exe
        6⤵
        
        PID:2312
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2312 -s 224
        7⤵
        Program crash
        
        PID:3980
      - C:\Users\Admin\AppData\Local\Temp\Unicorn-37936.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-37936.exe
        6⤵
        
        PID:3176
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-21672.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-21672.exe
        7⤵
        
        PID:8736
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3176 -s 216
        7⤵
        
        PID:9128
      - C:\Users\Admin\AppData\Local\Temp\Unicorn-37697.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-37697.exe
        6⤵
        
        PID:4596
      - C:\Users\Admin\AppData\Local\Temp\Unicorn-2859.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-2859.exe
        6⤵
        
        PID:5236
      - C:\Users\Admin\AppData\Local\Temp\Unicorn-30343.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-30343.exe
        6⤵
        
        PID:7244
      - C:\Users\Admin\AppData\Local\Temp\Unicorn-12324.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-12324.exe
        6⤵
        
        PID:7716
      - C:\Users\Admin\AppData\Local\Temp\Unicorn-22259.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-22259.exe
        6⤵
        
        PID:5092
      - C:\Users\Admin\AppData\Local\Temp\Unicorn-62369.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-62369.exe
        6⤵
        
        PID:8980
      - C:\Users\Admin\AppData\Local\Temp\Unicorn-2950.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-2950.exe
        6⤵
        
        PID:960
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2392 -s 248
        5⤵
        Program crash
        
        PID:2724
  - - C:\Users\Admin\AppData\Local\Temp\Unicorn-64806.exe
      C:\Users\Admin\AppData\Local\Temp\Unicorn-64806.exe
      4⤵
      Executes dropped EXE
      Suspicious use of SetWindowsHookEx
      PID:2044
    - - C:\Users\Admin\AppData\Local\Temp\Unicorn-9924.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-9924.exe
        5⤵
        
        PID:2612
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2612 -s 244
        6⤵
        Program crash
        
        PID:4160
    - - C:\Users\Admin\AppData\Local\Temp\Unicorn-49177.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-49177.exe
        5⤵
        
        PID:3556
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2044 -s 224
        5⤵
        
        PID:6104
  - - C:\Users\Admin\AppData\Local\Temp\Unicorn-44470.exe
      C:\Users\Admin\AppData\Local\Temp\Unicorn-44470.exe
      4⤵
      PID:2500
    - - C:\Users\Admin\AppData\Local\Temp\Unicorn-55695.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-55695.exe
        5⤵
        
        PID:5008
    - - C:\Users\Admin\AppData\Local\Temp\Unicorn-48796.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-48796.exe
        5⤵
        
        PID:1656
    - - C:\Users\Admin\AppData\Local\Temp\Unicorn-33143.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-33143.exe
        5⤵
        
        PID:7252
    - - C:\Users\Admin\AppData\Local\Temp\Unicorn-37525.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-37525.exe
        5⤵
        
        PID:7844
    - - C:\Users\Admin\AppData\Local\Temp\Unicorn-1117.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-1117.exe
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:8040
    - - C:\Users\Admin\AppData\Local\Temp\Unicorn-56528.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-56528.exe
        5⤵
        
        PID:9188
    - - C:\Users\Admin\AppData\Local\Temp\Unicorn-29816.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-29816.exe
        5⤵
        
        PID:4708
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 2628 -s 240
      4⤵
      Program crash
      PID:3836
- - C:\Users\Admin\AppData\Local\Temp\Unicorn-42004.exe
    C:\Users\Admin\AppData\Local\Temp\Unicorn-42004.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of SetWindowsHookEx
    PID:1488
  - - C:\Users\Admin\AppData\Local\Temp\Unicorn-21113.exe
      C:\Users\Admin\AppData\Local\Temp\Unicorn-21113.exe
      4⤵
      Executes dropped EXE
      Suspicious use of SetWindowsHookEx
      PID:1932
    - - C:\Users\Admin\AppData\Local\Temp\Unicorn-60822.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-60822.exe
        5⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1620
      - C:\Users\Admin\AppData\Local\Temp\Unicorn-41035.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-41035.exe
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:1312
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-20452.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-20452.exe
        7⤵
        
        PID:4628
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1312 -s 248
        7⤵
        
        PID:5592
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1620 -s 248
        6⤵
        Program crash
        
        PID:3816
    - - C:\Users\Admin\AppData\Local\Temp\Unicorn-5710.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-5710.exe
        5⤵
        
        PID:2296
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2296 -s 244
        6⤵
        Program crash
        
        PID:4180
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1932 -s 244
        5⤵
        Program crash
        
        PID:3676
  - - C:\Users\Admin\AppData\Local\Temp\Unicorn-45041.exe
      C:\Users\Admin\AppData\Local\Temp\Unicorn-45041.exe
      4⤵
      Executes dropped EXE
      Suspicious use of SetWindowsHookEx
      PID:1396
    - - C:\Users\Admin\AppData\Local\Temp\Unicorn-11896.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-11896.exe
        5⤵
        
        PID:2592
      - C:\Users\Admin\AppData\Local\Temp\Unicorn-38041.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-38041.exe
        6⤵
        
        PID:3704
      - C:\Users\Admin\AppData\Local\Temp\Unicorn-16704.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-16704.exe
        6⤵
        
        PID:5172
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2592 -s 224
        6⤵
        
        PID:6748
    - - C:\Users\Admin\AppData\Local\Temp\Unicorn-30235.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-30235.exe
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:3868
    - - C:\Users\Admin\AppData\Local\Temp\Unicorn-46859.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-46859.exe
        5⤵
        
        PID:5296
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1396 -s 216
        5⤵
        
        PID:6728
  - - C:\Users\Admin\AppData\Local\Temp\Unicorn-49321.exe
      C:\Users\Admin\AppData\Local\Temp\Unicorn-49321.exe
      4⤵
      PID:3044
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3044 -s 220
        5⤵
        Program crash
        
        PID:3264
  - - C:\Users\Admin\AppData\Local\Temp\Unicorn-49836.exe
      C:\Users\Admin\AppData\Local\Temp\Unicorn-49836.exe
      4⤵
      PID:3908
  - - C:\Users\Admin\AppData\Local\Temp\Unicorn-5164.exe
      C:\Users\Admin\AppData\Local\Temp\Unicorn-5164.exe
      4⤵
      PID:5276
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 1488 -s 248
      4⤵
      PID:6844
- - C:\Users\Admin\AppData\Local\Temp\Unicorn-60639.exe
    C:\Users\Admin\AppData\Local\Temp\Unicorn-60639.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    PID:1972
  - - C:\Users\Admin\AppData\Local\Temp\Unicorn-25820.exe
      C:\Users\Admin\AppData\Local\Temp\Unicorn-25820.exe
      4⤵
      Executes dropped EXE
      Suspicious use of SetWindowsHookEx
      PID:2212
    - - C:\Users\Admin\AppData\Local\Temp\Unicorn-38788.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-38788.exe
        5⤵
        
        PID:3208
      - C:\Users\Admin\AppData\Local\Temp\Unicorn-32222.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-32222.exe
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:7692
      - C:\Users\Admin\AppData\Local\Temp\Unicorn-48423.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-48423.exe
        6⤵
        
        PID:8844
      - C:\Users\Admin\AppData\Local\Temp\Unicorn-9636.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-9636.exe
        6⤵
        
        PID:8516
    - - C:\Users\Admin\AppData\Local\Temp\Unicorn-12311.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-12311.exe
        5⤵
        
        PID:4552
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2212 -s 244
        5⤵
        
        PID:5240
  - - C:\Users\Admin\AppData\Local\Temp\Unicorn-18730.exe
      C:\Users\Admin\AppData\Local\Temp\Unicorn-18730.exe
      4⤵
      System Location Discovery: System Language Discovery
      PID:3388
    - - C:\Users\Admin\AppData\Local\Temp\Unicorn-32663.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-32663.exe
        5⤵
        
        PID:8672
    - - C:\Users\Admin\AppData\Local\Temp\Unicorn-23866.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-23866.exe
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:9084
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 1972 -s 240
      4⤵
      Program crash
      PID:4188
- - C:\Users\Admin\AppData\Local\Temp\Unicorn-47921.exe
    C:\Users\Admin\AppData\Local\Temp\Unicorn-47921.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    PID:1696
  - - C:\Users\Admin\AppData\Local\Temp\Unicorn-35882.exe
      C:\Users\Admin\AppData\Local\Temp\Unicorn-35882.exe
      4⤵
      PID:2508
    - - C:\Users\Admin\AppData\Local\Temp\Unicorn-33329.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-33329.exe
        5⤵
        
        PID:4756
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2508 -s 228
        5⤵
        
        PID:5448
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 1696 -s 248
      4⤵
      Program crash
      PID:4100
- - C:\Users\Admin\AppData\Local\Temp\Unicorn-8861.exe
    C:\Users\Admin\AppData\Local\Temp\Unicorn-8861.exe
    3⤵
    PID:2572
  - - C:\Users\Admin\AppData\Local\Temp\Unicorn-62244.exe
      C:\Users\Admin\AppData\Local\Temp\Unicorn-62244.exe
      4⤵
      System Location Discovery: System Language Discovery
      PID:3864
  - - C:\Users\Admin\AppData\Local\Temp\Unicorn-45376.exe
      C:\Users\Admin\AppData\Local\Temp\Unicorn-45376.exe
      4⤵
      PID:5628
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 2572 -s 244
      4⤵
      PID:6772
- - C:\Users\Admin\AppData\Local\Temp\Unicorn-24718.exe
    C:\Users\Admin\AppData\Local\Temp\Unicorn-24718.exe
    3⤵
    PID:3472
- - C:\Users\Admin\AppData\Local\Temp\Unicorn-12575.exe
    C:\Users\Admin\AppData\Local\Temp\Unicorn-12575.exe
    3⤵
    PID:5216
- - C:\Users\Admin\AppData\Local\Temp\Unicorn-61621.exe
    C:\Users\Admin\AppData\Local\Temp\Unicorn-61621.exe
    3⤵
    PID:6880
- - C:\Users\Admin\AppData\Local\Temp\Unicorn-26322.exe
    C:\Users\Admin\AppData\Local\Temp\Unicorn-26322.exe
    3⤵
    PID:7736
- - C:\Users\Admin\AppData\Local\Temp\Unicorn-53459.exe
    C:\Users\Admin\AppData\Local\Temp\Unicorn-53459.exe
    3⤵
    PID:7732
- - C:\Users\Admin\AppData\Local\Temp\Unicorn-65381.exe
    C:\Users\Admin\AppData\Local\Temp\Unicorn-65381.exe
    3⤵
    PID:5100
- - C:\Users\Admin\AppData\Local\Temp\Unicorn-34924.exe
    C:\Users\Admin\AppData\Local\Temp\Unicorn-34924.exe
    3⤵
    PID:8288
- C:\Users\Admin\AppData\Local\Temp\Unicorn-17474.exe
  C:\Users\Admin\AppData\Local\Temp\Unicorn-17474.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of SetWindowsHookEx
  PID:2188
- - C:\Users\Admin\AppData\Local\Temp\Unicorn-14807.exe
    C:\Users\Admin\AppData\Local\Temp\Unicorn-14807.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:1540
  - - C:\Users\Admin\AppData\Local\Temp\Unicorn-31959.exe
      C:\Users\Admin\AppData\Local\Temp\Unicorn-31959.exe
      4⤵
      Executes dropped EXE
      Suspicious use of SetWindowsHookEx
      PID:2208
    - - C:\Users\Admin\AppData\Local\Temp\Unicorn-4029.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-4029.exe
        5⤵
        
        PID:1900
      - C:\Users\Admin\AppData\Local\Temp\Unicorn-42872.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-42872.exe
        6⤵
        
        PID:3236
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-14712.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-14712.exe
        7⤵
        
        PID:7704
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3236 -s 216
        7⤵
        
        PID:4604
      - C:\Users\Admin\AppData\Local\Temp\Unicorn-8227.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-8227.exe
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:4616
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1900 -s 224
        6⤵
        
        PID:6064
    - - C:\Users\Admin\AppData\Local\Temp\Unicorn-2202.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-2202.exe
        5⤵
        
        PID:3444
      - C:\Users\Admin\AppData\Local\Temp\Unicorn-21679.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-21679.exe
        6⤵
        
        PID:4144
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3444 -s 248
        6⤵
        
        PID:6056
    - - C:\Users\Admin\AppData\Local\Temp\Unicorn-26046.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-26046.exe
        5⤵
        
        PID:4524
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2208 -s 248
        5⤵
        
        PID:5220
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 1540 -s 236
      4⤵
      Program crash
      PID:1884
- - C:\Users\Admin\AppData\Local\Temp\Unicorn-3925.exe
    C:\Users\Admin\AppData\Local\Temp\Unicorn-3925.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:816
  - - C:\Users\Admin\AppData\Local\Temp\Unicorn-5399.exe
      C:\Users\Admin\AppData\Local\Temp\Unicorn-5399.exe
      4⤵
      Executes dropped EXE
      Suspicious use of SetWindowsHookEx
      PID:1864
    - - C:\Users\Admin\AppData\Local\Temp\Unicorn-50957.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-50957.exe
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:2800
      - C:\Users\Admin\AppData\Local\Temp\Unicorn-42483.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-42483.exe
        6⤵
        
        PID:4668
      - C:\Users\Admin\AppData\Local\Temp\Unicorn-1110.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-1110.exe
        6⤵
        
        PID:6044
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2800 -s 224
        6⤵
        
        PID:6652
    - - C:\Users\Admin\AppData\Local\Temp\Unicorn-59291.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-59291.exe
        5⤵
        
        PID:3788
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1864 -s 244
        5⤵
        
        PID:5228
  - - C:\Users\Admin\AppData\Local\Temp\Unicorn-20593.exe
      C:\Users\Admin\AppData\Local\Temp\Unicorn-20593.exe
      4⤵
      PID:3016
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3016 -s 224
        5⤵
        Program crash
        
        PID:4216
  - - C:\Users\Admin\AppData\Local\Temp\Unicorn-15548.exe
      C:\Users\Admin\AppData\Local\Temp\Unicorn-15548.exe
      4⤵
      PID:3508
  - - C:\Users\Admin\AppData\Local\Temp\Unicorn-20710.exe
      C:\Users\Admin\AppData\Local\Temp\Unicorn-20710.exe
      4⤵
      PID:6008
  - - C:\Users\Admin\AppData\Local\Temp\Unicorn-51895.exe
      C:\Users\Admin\AppData\Local\Temp\Unicorn-51895.exe
      4⤵
      PID:6620
  - - C:\Users\Admin\AppData\Local\Temp\Unicorn-36122.exe
      C:\Users\Admin\AppData\Local\Temp\Unicorn-36122.exe
      4⤵
      System Location Discovery: System Language Discovery
      PID:7744
  - - C:\Users\Admin\AppData\Local\Temp\Unicorn-10588.exe
      C:\Users\Admin\AppData\Local\Temp\Unicorn-10588.exe
      4⤵
      PID:7864
  - - C:\Users\Admin\AppData\Local\Temp\Unicorn-28715.exe
      C:\Users\Admin\AppData\Local\Temp\Unicorn-28715.exe
      4⤵
      PID:5076
  - - C:\Users\Admin\AppData\Local\Temp\Unicorn-11123.exe
      C:\Users\Admin\AppData\Local\Temp\Unicorn-11123.exe
      4⤵
      PID:4652
- - C:\Users\Admin\AppData\Local\Temp\Unicorn-17551.exe
    C:\Users\Admin\AppData\Local\Temp\Unicorn-17551.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    PID:2076
  - - C:\Users\Admin\AppData\Local\Temp\Unicorn-17709.exe
      C:\Users\Admin\AppData\Local\Temp\Unicorn-17709.exe
      4⤵
      PID:1904
    - - C:\Users\Admin\AppData\Local\Temp\Unicorn-19074.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-19074.exe
        5⤵
        
        PID:4084
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1904 -s 248
        5⤵
        
        PID:5644
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 2076 -s 228
      4⤵
      Program crash
      PID:3204
- - C:\Users\Admin\AppData\Local\Temp\Unicorn-56146.exe
    C:\Users\Admin\AppData\Local\Temp\Unicorn-56146.exe
    3⤵
    PID:1492
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 1492 -s 224
      4⤵
      Program crash
      PID:4240
- - C:\Users\Admin\AppData\Local\Temp\Unicorn-41638.exe
    C:\Users\Admin\AppData\Local\Temp\Unicorn-41638.exe
    3⤵
    PID:3216
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2188 -s 248
    3⤵
    PID:5428
- C:\Users\Admin\AppData\Local\Temp\Unicorn-27065.exe
  C:\Users\Admin\AppData\Local\Temp\Unicorn-27065.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:1340
- - C:\Users\Admin\AppData\Local\Temp\Unicorn-3178.exe
    C:\Users\Admin\AppData\Local\Temp\Unicorn-3178.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    PID:2816
  - - C:\Users\Admin\AppData\Local\Temp\Unicorn-53230.exe
      C:\Users\Admin\AppData\Local\Temp\Unicorn-53230.exe
      4⤵
      PID:2952
    - - C:\Users\Admin\AppData\Local\Temp\Unicorn-38596.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-38596.exe
        5⤵
        
        PID:3416
      - C:\Users\Admin\AppData\Local\Temp\Unicorn-63197.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-63197.exe
        6⤵
        
        PID:8624
      - C:\Users\Admin\AppData\Local\Temp\Unicorn-14738.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-14738.exe
        6⤵
        
        PID:8924
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2952 -s 228
        5⤵
        Program crash
        
        PID:4532
  - - C:\Users\Admin\AppData\Local\Temp\Unicorn-21024.exe
      C:\Users\Admin\AppData\Local\Temp\Unicorn-21024.exe
      4⤵
      System Location Discovery: System Language Discovery
      PID:3712
    - - C:\Users\Admin\AppData\Local\Temp\Unicorn-12538.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-12538.exe
        5⤵
        
        PID:8708
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 2816 -s 240
      4⤵
      Program crash
      PID:4136
- - C:\Users\Admin\AppData\Local\Temp\Unicorn-49701.exe
    C:\Users\Admin\AppData\Local\Temp\Unicorn-49701.exe
    3⤵
    PID:1048
  - - C:\Users\Admin\AppData\Local\Temp\Unicorn-24554.exe
      C:\Users\Admin\AppData\Local\Temp\Unicorn-24554.exe
      4⤵
      PID:3848
    - - C:\Users\Admin\AppData\Local\Temp\Unicorn-5055.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-5055.exe
        5⤵
        
        PID:8760
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 1048 -s 248
      4⤵
      Program crash
      PID:4500
- - C:\Users\Admin\AppData\Local\Temp\Unicorn-43504.exe
    C:\Users\Admin\AppData\Local\Temp\Unicorn-43504.exe
    3⤵
    - System Location Discovery: System Language Discovery
    PID:4000
  - - C:\Users\Admin\AppData\Local\Temp\Unicorn-18543.exe
      C:\Users\Admin\AppData\Local\Temp\Unicorn-18543.exe
      4⤵
      PID:9196
- - C:\Users\Admin\AppData\Local\Temp\Unicorn-12835.exe
    C:\Users\Admin\AppData\Local\Temp\Unicorn-12835.exe
    3⤵
    PID:5112
- - C:\Users\Admin\AppData\Local\Temp\Unicorn-59731.exe
    C:\Users\Admin\AppData\Local\Temp\Unicorn-59731.exe
    3⤵
    - System Location Discovery: System Language Discovery
    PID:5772
- - C:\Users\Admin\AppData\Local\Temp\Unicorn-13808.exe
    C:\Users\Admin\AppData\Local\Temp\Unicorn-13808.exe
    3⤵
    - System Location Discovery: System Language Discovery
    PID:7176
- - C:\Users\Admin\AppData\Local\Temp\Unicorn-2747.exe
    C:\Users\Admin\AppData\Local\Temp\Unicorn-2747.exe
    3⤵
    - System Location Discovery: System Language Discovery
    PID:7584
- - C:\Users\Admin\AppData\Local\Temp\Unicorn-12981.exe
    C:\Users\Admin\AppData\Local\Temp\Unicorn-12981.exe
    3⤵
    PID:8052
- - C:\Users\Admin\AppData\Local\Temp\Unicorn-57033.exe
    C:\Users\Admin\AppData\Local\Temp\Unicorn-57033.exe
    3⤵
    PID:8972
- - C:\Users\Admin\AppData\Local\Temp\Unicorn-7150.exe
    C:\Users\Admin\AppData\Local\Temp\Unicorn-7150.exe
    3⤵
    PID:8648
- C:\Users\Admin\AppData\Local\Temp\Unicorn-43249.exe
  C:\Users\Admin\AppData\Local\Temp\Unicorn-43249.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:1856
- - C:\Users\Admin\AppData\Local\Temp\Unicorn-56738.exe
    C:\Users\Admin\AppData\Local\Temp\Unicorn-56738.exe
    3⤵
    PID:2668
  - - C:\Users\Admin\AppData\Local\Temp\Unicorn-16038.exe
      C:\Users\Admin\AppData\Local\Temp\Unicorn-16038.exe
      4⤵
      System Location Discovery: System Language Discovery
      PID:3360
    - - C:\Users\Admin\AppData\Local\Temp\Unicorn-44614.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-44614.exe
        5⤵
        
        PID:8764
    - - C:\Users\Admin\AppData\Local\Temp\Unicorn-58568.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-58568.exe
        5⤵
        
        PID:8268
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 2668 -s 228
      4⤵
      Program crash
      PID:4512
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 1856 -s 248
    3⤵
    - Program crash
    PID:3732
- C:\Users\Admin\AppData\Local\Temp\Unicorn-55136.exe
  C:\Users\Admin\AppData\Local\Temp\Unicorn-55136.exe
  2⤵
  PID:2148
- - C:\Users\Admin\AppData\Local\Temp\Unicorn-22068.exe
    C:\Users\Admin\AppData\Local\Temp\Unicorn-22068.exe
    3⤵
    PID:3460
  - - C:\Users\Admin\AppData\Local\Temp\Unicorn-42543.exe
      C:\Users\Admin\AppData\Local\Temp\Unicorn-42543.exe
      4⤵
      PID:6984
  - - C:\Users\Admin\AppData\Local\Temp\Unicorn-2828.exe
      C:\Users\Admin\AppData\Local\Temp\Unicorn-2828.exe
      4⤵
      System Location Discovery: System Language Discovery
      PID:7852
  - - C:\Users\Admin\AppData\Local\Temp\Unicorn-31140.exe
      C:\Users\Admin\AppData\Local\Temp\Unicorn-31140.exe
      4⤵
      PID:7968
  - - C:\Users\Admin\AppData\Local\Temp\Unicorn-58381.exe
      C:\Users\Admin\AppData\Local\Temp\Unicorn-58381.exe
      4⤵
      PID:8024
  - - C:\Users\Admin\AppData\Local\Temp\Unicorn-37458.exe
      C:\Users\Admin\AppData\Local\Temp\Unicorn-37458.exe
      4⤵
      PID:8336
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2148 -s 228
    3⤵
    - Program crash
    PID:4476
- C:\Users\Admin\AppData\Local\Temp\Unicorn-10959.exe
  C:\Users\Admin\AppData\Local\Temp\Unicorn-10959.exe
  2⤵
  PID:3696
- - C:\Users\Admin\AppData\Local\Temp\Unicorn-19280.exe
    C:\Users\Admin\AppData\Local\Temp\Unicorn-19280.exe
    3⤵
    PID:8816
- - C:\Users\Admin\AppData\Local\Temp\Unicorn-43155.exe
    C:\Users\Admin\AppData\Local\Temp\Unicorn-43155.exe
    3⤵
    - System Location Discovery: System Language Discovery
    PID:8432
- C:\Users\Admin\AppData\Local\Temp\Unicorn-43371.exe
  C:\Users\Admin\AppData\Local\Temp\Unicorn-43371.exe
  2⤵
  PID:4308
- C:\Users\Admin\AppData\Local\Temp\Unicorn-37595.exe
  C:\Users\Admin\AppData\Local\Temp\Unicorn-37595.exe
  2⤵
  PID:1436
- C:\Users\Admin\AppData\Local\Temp\Unicorn-46009.exe
  C:\Users\Admin\AppData\Local\Temp\Unicorn-46009.exe
  2⤵
  PID:7192
- C:\Users\Admin\AppData\Local\Temp\Unicorn-65219.exe
  C:\Users\Admin\AppData\Local\Temp\Unicorn-65219.exe
  2⤵
  PID:7556
- C:\Users\Admin\AppData\Local\Temp\Unicorn-46847.exe
  C:\Users\Admin\AppData\Local\Temp\Unicorn-46847.exe
  2⤵
  PID:8016
- C:\Users\Admin\AppData\Local\Temp\Unicorn-59909.exe
  C:\Users\Admin\AppData\Local\Temp\Unicorn-59909.exe
  2⤵
  PID:8888
- C:\Users\Admin\AppData\Local\Temp\Unicorn-37637.exe
  C:\Users\Admin\AppData\Local\Temp\Unicorn-37637.exe
  2⤵
  PID:8488

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\Unicorn-1320.exe

Filesize
468KB

MD5
f0b3578b195ffc7addf57797fc8480cc

SHA1
d86da954bc0bd01be9a81108db616d905e36a49e

SHA256
cbdf625ce0369a69e2fac8b833d43aa41f8b94d453156e238244940f59c55e90

SHA512
0b38a68154dc181b1c2465f1bbdfc3fb4b470eb343a0978c0d0e3c7f4bf4e7b2d115393fb56ca7a2087bd947793922295a3e5742113e507d8373e380763e8660

Download Submit
C:\Users\Admin\AppData\Local\Temp\Unicorn-16265.exe

Filesize
468KB

MD5
d45b5c3b86180633a90e9cf2beffd061

SHA1
22033d06bfe670e8a8e68b7ce6a7f7fb2501e237

SHA256
d30696561299e74253671beb0b8062cc276d71f698e010cb251f8986af29c0ba

SHA512
3636f8d485d47cdcc50e06c4f9cdc0258493833e23a2c6cd2ce6f1aca46e81152cca3bd9bd50616985e11be5757660fdea874d3e0b1b568d2e60f1be0068e009

Download Submit
C:\Users\Admin\AppData\Local\Temp\Unicorn-21496.exe

Filesize
468KB

MD5
64a71b37fb0ff1430d1d19337730e7b8

SHA1
d403182b03cdc3ac1e2ebcd288d198a26e9fd42b

SHA256
9996bd5461c2316ea8882880ee6bd6e2de45277e8cd3bbe4407177c194df32bc

SHA512
61542d8aca43f945c3e98d6eb8900a27704a3e292ea7a373c370816f5495d55c2a0bb70277bc802d3f28ae815ae03b2d566abe21988d8a7ec32a59b539cfe552

Download Submit
C:\Users\Admin\AppData\Local\Temp\Unicorn-32047.exe

Filesize
468KB

MD5
9dea0d1a31a4b66f504c6dcb1a5899d7

SHA1
adc84db36f8f6e26b764d333053d4eafcfe26d09

SHA256
c3e824f1c1cbb50893a955e97fc98687f5cf997e78914695446f4c37d8ee56ff

SHA512
df12e9e889d26eb587cd962f617e74a5c8ac92e76bcabfec601f668784f5c4b3339d4b7172669286c9ec4c6160bbe5de47a39ee9cf436351d103044548238fed

Download Submit
C:\Users\Admin\AppData\Local\Temp\Unicorn-37458.exe

Filesize
468KB

MD5
b4d5c71d33b34cce3996c9cbf648da00

SHA1
1f681904a0982c26a6f690f2dc15215d86bf60c8

SHA256
ec851b8e1449fe3c8a077a090774dfbde6f76b68549738cd4077b1285e8d194f

SHA512
67e01e8c32bb684dade888e645dd9379b85b598a39d04095084739e1b167b6e740db27169fa1a10913b8beccc730747952b95b0cd9ea24802a7f1c2013123842

Download Submit
C:\Users\Admin\AppData\Local\Temp\Unicorn-42004.exe

Filesize
468KB

MD5
6eb25b4fdcfa30cff520a4f0202b3ceb

SHA1
251396fed02030a0900b70b879616f0320e05057

SHA256
5798921fbd4f3984ca7526b28fcec48dd5b97c50819eba6beef57d828112140a

SHA512
7209f79c7e10c1955d0237bd494ab8c9800d41a1be24248150a4f8179f3c68253e4c9206584d5cbd1e5f7d976b1f9d4a785872dc4b074ec449af357adeee345c

Download Submit
C:\Users\Admin\AppData\Local\Temp\Unicorn-59348.exe

Filesize
468KB

MD5
72f60ccc4675b1b1b6c5010aedb74d85

SHA1
50ca775a86b5d987c0e5e74dd1f9c24ab3ffe4ab

SHA256
f2ff3875dc627c52c304265c2c4d3f3c4728b2701106878d8315df23f68c2adb

SHA512
2bf59e58cf75c6f8c162f29dc7b36e63ab4425908ba5548c753c9f8ae4e502852f24141dd1c6bfea1191a67aceac661af76d25da9eb161ac3a5fba366daa7a46

Download Submit
C:\Users\Admin\AppData\Local\Temp\Unicorn-64811.exe

Filesize
468KB

MD5
5f985c2bb1ec5b7fec4785798fdfc5a6

SHA1
943ac7912a452a84e1549e8594a3da8a2986439a

SHA256
f5410ff62325e25d2977dbf15a2984d2da0ebba762c483c6a89c79913af6f853

SHA512
385bf61b4c1f3a0b7a5e8924591bf4db5da77ce8aa9b28aed5941d17f294eb0496c56bdbedea2eeab300373b7f60fe080b9396ddec215fa243a8836e67821c9f

Download Submit
C:\Users\Admin\AppData\Local\Temp\Unicorn-7150.exe

Filesize
468KB

MD5
c3aa89b11647358a5149fd969fd5345f

SHA1
78d60a162f5427ff1e252f3d4153da22b8328ccd

SHA256
fcf1119efa46787d9f3d7638cccd5116c5103f6b5c8498250692a5c473dfd22e

SHA512
6ef58fbe2cae6a5bd76be0290654de538ba4c64558d5c2ef0d625751df63608da378b5a3823121b4c30bac671d1dcc8c40680bcbd355651977c1827803224b00

Download Submit
\Users\Admin\AppData\Local\Temp\Unicorn-11543.exe

Filesize
468KB

MD5
77d7c83d96c14bfd59f568b160402199

SHA1
432dd6ae7b64b7b64d0d7d743db5f2dea385c293

SHA256
f155d0594735cf7f2e595fe23bf96421bbed2cb05ff70d98cd6d6ce0640031b6

SHA512
0d85a9bb3511bba174bd5e5a0b443c189ae31c35d6a25f1c3598a9906e474074bf6dd8f6233c173ea33192e0c119c34b2454424782e45d5b2dd81ba811d5d283

Download Submit
\Users\Admin\AppData\Local\Temp\Unicorn-11709.exe

Filesize
468KB

MD5
dd8d835413e3dd38498cfff62b94fda3

SHA1
1dacb14ed57b94129528dcf73d058a6a485561f0

SHA256
47fd9eae66eab4318ec8dae942ce384ec7f7189b0f6d6876e8d10ba9aaaffe2c

SHA512
485679d010198513ed01a419a6be588057e68fe0b2d10f71f5221a217dc8b63569fdeec4c385d0c500724b5ede4a13803323faf840bd91b67eeedfa4ff2f41c6

Download Submit
\Users\Admin\AppData\Local\Temp\Unicorn-14236.exe

Filesize
468KB

MD5
c11d4a65e91bf6db25b9c3dc1bf60b4a

SHA1
1dac0a20ff8a30d1ea43599077d72c4855cb6e4e

SHA256
225c9925ffb6550ac872cdb965366e6376d43a0af421067c38a4e06336670a91

SHA512
6709c62aa7572a3bc8c9afa7c2645b0e50b4e31f4e7c100225e782ee7708a88fab1a6bfa2c69564e502fd02a10d85878310f3ad26e4cc68c0b33801fa6ba3e0a

Download Submit
\Users\Admin\AppData\Local\Temp\Unicorn-14807.exe

Filesize
468KB

MD5
3fbde6139c4a126b4a95e0ecff377a02

SHA1
951c1304bd1ef41c5dd6a8f674dc3d969de82c77

SHA256
115f6b47c53d114a1dfe6dffa2aceaca50852c097c2a26439786c6d7b32dc1bb

SHA512
66e8547b9bbd8edcb5aba27045141032fc56fa1f8ffb692873235771c19d0dec0e83aeba4f5c66d615495b3f374a1b6c1d4ca7c241c92e5fbc8acd3a6170bffa

Download Submit
\Users\Admin\AppData\Local\Temp\Unicorn-17474.exe

Filesize
468KB

MD5
f8cfc56fa669936eb9b25b4b7a391d8f

SHA1
ea7f0d04e06817afbe925a7bdeaaeb653ffb6647

SHA256
1ab1e4daf526925f327430c1b22b22b04b99e5dc82cc51acc299d0dfbb0d8c83

SHA512
fef1c10da50ee11eccc650d62c4994387cda845cf4b60d3ac830b8fe03c4a54f74ad0c8a77365777b080e79341de2a561a2b23e7212d73d80bef206f87bcfc7a

Download Submit
\Users\Admin\AppData\Local\Temp\Unicorn-39482.exe

Filesize
468KB

MD5
e520efb8da1e155509310979283704c8

SHA1
4a95c07dce23334cbf781303d09b54c4bd7bc386

SHA256
f72c1b4ef3ad98bd787e8ebe1e49528859cdf21b789189c5cd171ad44df52b0b

SHA512
c9c9132c05aa626d523906343d2438b82cc82c11d9c693893b1ebb1e4979bde72fcf3b3207b33d989b544b5e0bd94a1f9f5cac488d6e13cfc8482a554f47117f

Download Submit
\Users\Admin\AppData\Local\Temp\Unicorn-44382.exe

Filesize
468KB

MD5
cc8151bc23b8f686f3e276af9eaa02e6

SHA1
c270ae666005ef8992eac3266ed575daf0cc3a0c

SHA256
aed2c6fc7119fa62997a6c698e20697ba863719c040ed450b05c1ab11d65852c

SHA512
2ce55b7c23cd607842bcb2e1df1e6a66ad6139517e76399fe18f05b458c68c63aa4b660a88da380bf41396bfd77a93ed09b1194346ec1be1201ce9ca02cbe2af

Download Submit
\Users\Admin\AppData\Local\Temp\Unicorn-49286.exe

Filesize
468KB

MD5
311284cd199e7fb1d515ab187ddac383

SHA1
12e5d9ad0bb9f6f43ab795fe7ebcbdbe51a03cec

SHA256
101b29c79eb4ba4a692c94e151f4ceb7f408503a67b81441cfc4727bce355dce

SHA512
ffe4fd5e1c8eda847484b7c10be03bac4227ff9f7c101a2bd1de9319dcd81f32a9608fb392fb031881e08d473a24cf9d0131667c7b96eb2608cf1cf6edbb6df4

Download Submit
\Users\Admin\AppData\Local\Temp\Unicorn-53218.exe

Filesize
468KB

MD5
c8da56b6e87ff2e7b1a37fc819a25115

SHA1
d88eb2a134d653b9b4901b5a5d91ad355c246581

SHA256
0e91ed3e7d48c4940ff93492e64a8cf356f6a392be6e6e58803ee3f1fcdfd9f2

SHA512
1904b0fe119cda4e8ed58c2654364819d08ddcc81c60f7cd58cd215ff0af6003a4b6f71c483dd0cda7ce697b1cf25c58d57aa02f4f15974ad93fb5c06799cb1e

Download Submit
\Users\Admin\AppData\Local\Temp\Unicorn-8777.exe

Filesize
468KB

MD5
d87c5b9ad481ac6e3c265e025bf74f5c

SHA1
0b2c275674f948047bbed4214bebbdb2ec342dfc

SHA256
1e96f202ec29ddf9b02f5de15d31315b9f9ce1668ca10c3d043e8249b9bbf807

SHA512
aa306a3178f7b8d6e3aa43dac12f4f2c28b41e6e1d44b1df3b10e5d8502974cd1234aa8cff2f91a39624c9ec76ebe870dab6bacc5baba4d38687779f6e28eee3

Download Submit
\Users\Admin\AppData\Local\Temp\Unicorn-9571.exe

Filesize
468KB

MD5
d753adb2d02bd7db6cebc9f29f610448

SHA1
dc3de771f98ca4d19396688f880d79fd0ffd64ba

SHA256
07e9735d9e70030367e9a8493331fca658ea1ec453671406fbb5b6a20c856a4c

SHA512
66d269975ea7a24734f7a30362e5d4109f13385d2f5d91556f67a5b6a8e3a9bb1e82dbc26ebc20a49476c3ffb54a3506789d6e50141c0a442de130af80d92028

Download Submit