5fc55619172f4b927b21e05e15c87549d72a3e257c08712067fd693f00b14b3d

Analysis

max time kernel
120s
max time network
17s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
19/11/2024, 13:46

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

5fc55619172f4b927b21e05e15c87549d72a3e257c08712067fd693f00b14b3dN.exe
Size

468KB
MD5

e350bd4c56f9617a80e1f992f0ae3520
SHA1

b1065d8932c5452d3452d28762279e525bc84a93
SHA256

5fc55619172f4b927b21e05e15c87549d72a3e257c08712067fd693f00b14b3d
SHA512

2cfe4cfe7ee55dc07cce3fcfbddd1b405905ed7c2ecd2f8ddd8de39a77fbc266d2525ca3ab60cb8e13bfa909aa10583a0969cc8d9a97f3d01bc69d99992cabe7
SSDEEP

3072:1G3HogIpIEXTtbYZHzxIvf8/ZCSVPLpkJVHMMVPSFP5LuHOg0PlG:1G3owuTt+HVIvf61rhFPVoOg0

Score

7^/10

discovery

Malware Config

Signatures

Executes dropped EXE 64 IoCs

pid	Process
2840	Unicorn-16405.exe
1900	Unicorn-53654.exe
2180	Unicorn-3898.exe
2676	Unicorn-44028.exe
2596	Unicorn-5417.exe
2396	Unicorn-23800.exe
1540	Unicorn-8018.exe
1044	Unicorn-26789.exe
2024	Unicorn-27727.exe
1964	Unicorn-63929.exe
2800	Unicorn-22632.exe
2664	Unicorn-40349.exe
2768	Unicorn-56685.exe
1308	Unicorn-36819.exe
1648	Unicorn-58723.exe
2136	Unicorn-11926.exe
2432	Unicorn-4505.exe
1860	Unicorn-56659.exe
828	Unicorn-65382.exe
1312	Unicorn-19711.exe
2536	Unicorn-31698.exe
2496	Unicorn-38085.exe
1912	Unicorn-52767.exe
2000	Unicorn-37.exe
604	Unicorn-19903.exe
2200	Unicorn-23224.exe
2152	Unicorn-36239.exe
2256	Unicorn-57811.exe
1148	Unicorn-37945.exe
1180	Unicorn-14732.exe
2344	Unicorn-64308.exe
1488	Unicorn-16046.exe
2668	Unicorn-14915.exe
2864	Unicorn-41458.exe
2844	Unicorn-60032.exe
2680	Unicorn-8454.exe
2584	Unicorn-44272.exe
3052	Unicorn-779.exe
2196	Unicorn-20645.exe
2956	Unicorn-41184.exe
2940	Unicorn-32212.exe
2660	Unicorn-53701.exe
2188	Unicorn-65191.exe
2624	Unicorn-47108.exe
2784	Unicorn-5520.exe
2796	Unicorn-36147.exe
2364	Unicorn-42277.exe
2776	Unicorn-18519.exe
532	Unicorn-42204.exe
776	Unicorn-46169.exe
2124	Unicorn-54337.exe
624	Unicorn-15342.exe
2436	Unicorn-46361.exe
2480	Unicorn-22027.exe
2524	Unicorn-49483.exe
1728	Unicorn-11119.exe
1452	Unicorn-22817.exe
1512	Unicorn-22817.exe
1612	Unicorn-2951.exe
660	Unicorn-16686.exe
2316	Unicorn-55105.exe
1640	Unicorn-3858.exe
2320	Unicorn-30409.exe
2324	Unicorn-51768.exe

Loads dropped DLL 64 IoCs

pid	Process
2812	5fc55619172f4b927b21e05e15c87549d72a3e257c08712067fd693f00b14b3dN.exe
2812	5fc55619172f4b927b21e05e15c87549d72a3e257c08712067fd693f00b14b3dN.exe
2812	5fc55619172f4b927b21e05e15c87549d72a3e257c08712067fd693f00b14b3dN.exe
2840	Unicorn-16405.exe
2812	5fc55619172f4b927b21e05e15c87549d72a3e257c08712067fd693f00b14b3dN.exe
2840	Unicorn-16405.exe
1900	Unicorn-53654.exe
1900	Unicorn-53654.exe
2812	5fc55619172f4b927b21e05e15c87549d72a3e257c08712067fd693f00b14b3dN.exe
2812	5fc55619172f4b927b21e05e15c87549d72a3e257c08712067fd693f00b14b3dN.exe
2180	Unicorn-3898.exe
2180	Unicorn-3898.exe
2840	Unicorn-16405.exe
2840	Unicorn-16405.exe
2676	Unicorn-44028.exe
2676	Unicorn-44028.exe
1900	Unicorn-53654.exe
1900	Unicorn-53654.exe
2596	Unicorn-5417.exe
2596	Unicorn-5417.exe
2812	5fc55619172f4b927b21e05e15c87549d72a3e257c08712067fd693f00b14b3dN.exe
2812	5fc55619172f4b927b21e05e15c87549d72a3e257c08712067fd693f00b14b3dN.exe
2396	Unicorn-23800.exe
2396	Unicorn-23800.exe
1540	Unicorn-8018.exe
1540	Unicorn-8018.exe
2180	Unicorn-3898.exe
2840	Unicorn-16405.exe
2180	Unicorn-3898.exe
2840	Unicorn-16405.exe
1044	Unicorn-26789.exe
1044	Unicorn-26789.exe
2676	Unicorn-44028.exe
2676	Unicorn-44028.exe
1964	Unicorn-63929.exe
1964	Unicorn-63929.exe
2596	Unicorn-5417.exe
2024	Unicorn-27727.exe
2596	Unicorn-5417.exe
2024	Unicorn-27727.exe
2840	Unicorn-16405.exe
2840	Unicorn-16405.exe
2532	WerFault.exe
2532	WerFault.exe
2532	WerFault.exe
2532	WerFault.exe
1900	Unicorn-53654.exe
1900	Unicorn-53654.exe
2664	Unicorn-40349.exe
2664	Unicorn-40349.exe
2532	WerFault.exe
2396	Unicorn-23800.exe
2396	Unicorn-23800.exe
2800	Unicorn-22632.exe
2800	Unicorn-22632.exe
2812	5fc55619172f4b927b21e05e15c87549d72a3e257c08712067fd693f00b14b3dN.exe
2812	5fc55619172f4b927b21e05e15c87549d72a3e257c08712067fd693f00b14b3dN.exe
2768	Unicorn-56685.exe
2768	Unicorn-56685.exe
1540	Unicorn-8018.exe
1308	Unicorn-36819.exe
1540	Unicorn-8018.exe
1308	Unicorn-36819.exe
2180	Unicorn-3898.exe

Program crash 64 IoCs

pid	pid_target	Process	procid_target
2532	1648	WerFault.exe	44
2896	2256	WerFault.exe	59
792	1148	WerFault.exe	58
2488	2816	WerFault.exe	99
2860	2552	WerFault.exe	106
2732	2940	WerFault.exe	71
3044	1728	WerFault.exe	91
1696	2584	WerFault.exe	67
2276	2140	WerFault.exe	105
1212	3052	WerFault.exe	68
1732	776	WerFault.exe	82
2164	2436	WerFault.exe	85
2600	1352	WerFault.exe	121
3008	1308	WerFault.exe	43
1004	2592	WerFault.exe	100
3148	1844	WerFault.exe	161
3980	1624	WerFault.exe	117
3188	408	WerFault.exe	112
3172	2216	WerFault.exe	111
3400	2316	WerFault.exe	93
3652	1512	WerFault.exe	90
3824	2344	WerFault.exe	61
3128	1664	WerFault.exe	150
3608	624	WerFault.exe	84
3604	2124	WerFault.exe	83
3892	2640	WerFault.exe	103
3356	864	WerFault.exe	151
3468	2976	WerFault.exe	143
3132	2492	WerFault.exe	156
4080	700	WerFault.exe	159
4752	552	WerFault.exe	109
4848	832	WerFault.exe	167
4832	912	WerFault.exe	163
4908	2924	WerFault.exe	173
5092	860	WerFault.exe	172
4168	2480	WerFault.exe	86
4412	112	WerFault.exe	120
4432	2668	WerFault.exe	63
4480	2564	WerFault.exe	131
4492	2340	WerFault.exe	113
4828	660	WerFault.exe	92
5052	2104	WerFault.exe	140
4952	836	WerFault.exe	137
5084	1452	WerFault.exe	89
4104	2944	WerFault.exe	123
4204	2188	WerFault.exe	73
4200	1488	WerFault.exe	62
4344	2784	WerFault.exe	75
1480	1044	WerFault.exe	37
1444	1912	WerFault.exe	53
2472	1540	WerFault.exe	36
4600	1640	WerFault.exe	94
4616	3056	WerFault.exe	129
5140	2152	WerFault.exe	57
5152	3020	WerFault.exe	165
5128	2200	WerFault.exe	56
5024	604	WerFault.exe	55
4640	2324	WerFault.exe	96
4308	1484	WerFault.exe	122
4468	2684	WerFault.exe	127
4396	2524	WerFault.exe	87
5484	2192	WerFault.exe	154
4444	2572	WerFault.exe	157
3024	1312	WerFault.exe	50

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Unicorn-49483.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Unicorn-4440.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Unicorn-39357.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Unicorn-53481.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Unicorn-25664.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Unicorn-21567.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Unicorn-5580.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Unicorn-3230.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Unicorn-5520.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Unicorn-47351.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Unicorn-59796.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Unicorn-10911.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Unicorn-14915.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Unicorn-42277.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Unicorn-26354.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Unicorn-14005.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Unicorn-43668.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Unicorn-8180.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Unicorn-48077.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Unicorn-9262.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Unicorn-34156.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Unicorn-49745.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Unicorn-5417.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Unicorn-28415.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Unicorn-59220.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Unicorn-7076.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Unicorn-8774.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Unicorn-20135.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Unicorn-43225.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Unicorn-44948.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Unicorn-47108.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Unicorn-10180.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Unicorn-52966.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Unicorn-60419.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Unicorn-2608.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Unicorn-16802.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Unicorn-23383.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Unicorn-33867.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Unicorn-37616.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Unicorn-64778.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Unicorn-63555.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Unicorn-49423.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Unicorn-4505.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Unicorn-53481.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Unicorn-56579.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Unicorn-54337.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Unicorn-44913.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Unicorn-11163.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Unicorn-55794.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Unicorn-32942.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Unicorn-12619.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Unicorn-56984.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Unicorn-53822.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Unicorn-64241.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Unicorn-58089.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Unicorn-22308.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Unicorn-54794.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Unicorn-54868.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Unicorn-28450.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Unicorn-779.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Unicorn-48451.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Unicorn-14791.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Unicorn-27727.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Unicorn-8473.exe

Suspicious use of SetWindowsHookEx 64 IoCs

pid	Process
2812	5fc55619172f4b927b21e05e15c87549d72a3e257c08712067fd693f00b14b3dN.exe
2840	Unicorn-16405.exe
1900	Unicorn-53654.exe
2180	Unicorn-3898.exe
2676	Unicorn-44028.exe
2596	Unicorn-5417.exe
2396	Unicorn-23800.exe
1540	Unicorn-8018.exe
1044	Unicorn-26789.exe
2024	Unicorn-27727.exe
1964	Unicorn-63929.exe
2800	Unicorn-22632.exe
2664	Unicorn-40349.exe
1648	Unicorn-58723.exe
1308	Unicorn-36819.exe
2768	Unicorn-56685.exe
2136	Unicorn-11926.exe
2432	Unicorn-4505.exe
1860	Unicorn-56659.exe
1312	Unicorn-19711.exe
828	Unicorn-65382.exe
2536	Unicorn-31698.exe
2496	Unicorn-38085.exe
1912	Unicorn-52767.exe
604	Unicorn-19903.exe
2000	Unicorn-37.exe
2152	Unicorn-36239.exe
2200	Unicorn-23224.exe
2256	Unicorn-57811.exe
1148	Unicorn-37945.exe
1180	Unicorn-14732.exe
2344	Unicorn-64308.exe
1488	Unicorn-16046.exe
2668	Unicorn-14915.exe
2864	Unicorn-41458.exe
2844	Unicorn-60032.exe
2680	Unicorn-8454.exe
2584	Unicorn-44272.exe
3052	Unicorn-779.exe
2196	Unicorn-20645.exe
2940	Unicorn-32212.exe
2956	Unicorn-41184.exe
2188	Unicorn-65191.exe
2660	Unicorn-53701.exe
2784	Unicorn-5520.exe
2364	Unicorn-42277.exe
2796	Unicorn-36147.exe
2624	Unicorn-47108.exe
2776	Unicorn-18519.exe
532	Unicorn-42204.exe
776	Unicorn-46169.exe
2124	Unicorn-54337.exe
624	Unicorn-15342.exe
2436	Unicorn-46361.exe
2480	Unicorn-22027.exe
2524	Unicorn-49483.exe
1728	Unicorn-11119.exe
1452	Unicorn-22817.exe
1512	Unicorn-22817.exe
1612	Unicorn-2951.exe
2316	Unicorn-55105.exe
660	Unicorn-16686.exe
1640	Unicorn-3858.exe
2320	Unicorn-30409.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2812 wrote to memory of 2840	2812	5fc55619172f4b927b21e05e15c87549d72a3e257c08712067fd693f00b14b3dN.exe	30
PID 2812 wrote to memory of 2840	2812	5fc55619172f4b927b21e05e15c87549d72a3e257c08712067fd693f00b14b3dN.exe	30
PID 2812 wrote to memory of 2840	2812	5fc55619172f4b927b21e05e15c87549d72a3e257c08712067fd693f00b14b3dN.exe	30
PID 2812 wrote to memory of 2840	2812	5fc55619172f4b927b21e05e15c87549d72a3e257c08712067fd693f00b14b3dN.exe	30
PID 2812 wrote to memory of 1900	2812	5fc55619172f4b927b21e05e15c87549d72a3e257c08712067fd693f00b14b3dN.exe	32
PID 2812 wrote to memory of 1900	2812	5fc55619172f4b927b21e05e15c87549d72a3e257c08712067fd693f00b14b3dN.exe	32
PID 2812 wrote to memory of 1900	2812	5fc55619172f4b927b21e05e15c87549d72a3e257c08712067fd693f00b14b3dN.exe	32
PID 2812 wrote to memory of 1900	2812	5fc55619172f4b927b21e05e15c87549d72a3e257c08712067fd693f00b14b3dN.exe	32
PID 2840 wrote to memory of 2180	2840	Unicorn-16405.exe	31
PID 2840 wrote to memory of 2180	2840	Unicorn-16405.exe	31
PID 2840 wrote to memory of 2180	2840	Unicorn-16405.exe	31
PID 2840 wrote to memory of 2180	2840	Unicorn-16405.exe	31
PID 1900 wrote to memory of 2676	1900	Unicorn-53654.exe	33
PID 1900 wrote to memory of 2676	1900	Unicorn-53654.exe	33
PID 1900 wrote to memory of 2676	1900	Unicorn-53654.exe	33
PID 1900 wrote to memory of 2676	1900	Unicorn-53654.exe	33
PID 2812 wrote to memory of 2596	2812	5fc55619172f4b927b21e05e15c87549d72a3e257c08712067fd693f00b14b3dN.exe	34
PID 2812 wrote to memory of 2596	2812	5fc55619172f4b927b21e05e15c87549d72a3e257c08712067fd693f00b14b3dN.exe	34
PID 2812 wrote to memory of 2596	2812	5fc55619172f4b927b21e05e15c87549d72a3e257c08712067fd693f00b14b3dN.exe	34
PID 2812 wrote to memory of 2596	2812	5fc55619172f4b927b21e05e15c87549d72a3e257c08712067fd693f00b14b3dN.exe	34
PID 2180 wrote to memory of 2396	2180	Unicorn-3898.exe	35
PID 2180 wrote to memory of 2396	2180	Unicorn-3898.exe	35
PID 2180 wrote to memory of 2396	2180	Unicorn-3898.exe	35
PID 2180 wrote to memory of 2396	2180	Unicorn-3898.exe	35
PID 2840 wrote to memory of 1540	2840	Unicorn-16405.exe	36
PID 2840 wrote to memory of 1540	2840	Unicorn-16405.exe	36
PID 2840 wrote to memory of 1540	2840	Unicorn-16405.exe	36
PID 2840 wrote to memory of 1540	2840	Unicorn-16405.exe	36
PID 2676 wrote to memory of 1044	2676	Unicorn-44028.exe	37
PID 2676 wrote to memory of 1044	2676	Unicorn-44028.exe	37
PID 2676 wrote to memory of 1044	2676	Unicorn-44028.exe	37
PID 2676 wrote to memory of 1044	2676	Unicorn-44028.exe	37
PID 1900 wrote to memory of 2024	1900	Unicorn-53654.exe	38
PID 1900 wrote to memory of 2024	1900	Unicorn-53654.exe	38
PID 1900 wrote to memory of 2024	1900	Unicorn-53654.exe	38
PID 1900 wrote to memory of 2024	1900	Unicorn-53654.exe	38
PID 2596 wrote to memory of 1964	2596	Unicorn-5417.exe	39
PID 2596 wrote to memory of 1964	2596	Unicorn-5417.exe	39
PID 2596 wrote to memory of 1964	2596	Unicorn-5417.exe	39
PID 2596 wrote to memory of 1964	2596	Unicorn-5417.exe	39
PID 2812 wrote to memory of 2800	2812	5fc55619172f4b927b21e05e15c87549d72a3e257c08712067fd693f00b14b3dN.exe	40
PID 2812 wrote to memory of 2800	2812	5fc55619172f4b927b21e05e15c87549d72a3e257c08712067fd693f00b14b3dN.exe	40
PID 2812 wrote to memory of 2800	2812	5fc55619172f4b927b21e05e15c87549d72a3e257c08712067fd693f00b14b3dN.exe	40
PID 2812 wrote to memory of 2800	2812	5fc55619172f4b927b21e05e15c87549d72a3e257c08712067fd693f00b14b3dN.exe	40
PID 2396 wrote to memory of 2664	2396	Unicorn-23800.exe	41
PID 2396 wrote to memory of 2664	2396	Unicorn-23800.exe	41
PID 2396 wrote to memory of 2664	2396	Unicorn-23800.exe	41
PID 2396 wrote to memory of 2664	2396	Unicorn-23800.exe	41
PID 1540 wrote to memory of 2768	1540	Unicorn-8018.exe	42
PID 1540 wrote to memory of 2768	1540	Unicorn-8018.exe	42
PID 1540 wrote to memory of 2768	1540	Unicorn-8018.exe	42
PID 1540 wrote to memory of 2768	1540	Unicorn-8018.exe	42
PID 2180 wrote to memory of 1308	2180	Unicorn-3898.exe	43
PID 2180 wrote to memory of 1308	2180	Unicorn-3898.exe	43
PID 2180 wrote to memory of 1308	2180	Unicorn-3898.exe	43
PID 2180 wrote to memory of 1308	2180	Unicorn-3898.exe	43
PID 2840 wrote to memory of 1648	2840	Unicorn-16405.exe	44
PID 2840 wrote to memory of 1648	2840	Unicorn-16405.exe	44
PID 2840 wrote to memory of 1648	2840	Unicorn-16405.exe	44
PID 2840 wrote to memory of 1648	2840	Unicorn-16405.exe	44
PID 1044 wrote to memory of 2136	1044	Unicorn-26789.exe	45
PID 1044 wrote to memory of 2136	1044	Unicorn-26789.exe	45
PID 1044 wrote to memory of 2136	1044	Unicorn-26789.exe	45
PID 1044 wrote to memory of 2136	1044	Unicorn-26789.exe	45

C:\Users\Admin\AppData\Local\Temp\5fc55619172f4b927b21e05e15c87549d72a3e257c08712067fd693f00b14b3dN.exe
"C:\Users\Admin\AppData\Local\Temp\5fc55619172f4b927b21e05e15c87549d72a3e257c08712067fd693f00b14b3dN.exe"
1⤵
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2812
- C:\Users\Admin\AppData\Local\Temp\Unicorn-16405.exe
  C:\Users\Admin\AppData\Local\Temp\Unicorn-16405.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2840
- - C:\Users\Admin\AppData\Local\Temp\Unicorn-3898.exe
    C:\Users\Admin\AppData\Local\Temp\Unicorn-3898.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:2180
  - - C:\Users\Admin\AppData\Local\Temp\Unicorn-23800.exe
      C:\Users\Admin\AppData\Local\Temp\Unicorn-23800.exe
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:2396
    - - C:\Users\Admin\AppData\Local\Temp\Unicorn-40349.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-40349.exe
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetWindowsHookEx
        
        PID:2664
      - C:\Users\Admin\AppData\Local\Temp\Unicorn-52767.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-52767.exe
        6⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1912
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-46169.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-46169.exe
        7⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:776
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 776 -s 224
        8⤵
        Program crash
        
        PID:1732
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-53081.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-53081.exe
        7⤵
        
        PID:2892
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-19325.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-19325.exe
        8⤵
        
        PID:4548
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-14005.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-14005.exe
        8⤵
        System Location Discovery: System Language Discovery
        
        PID:5004
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2892 -s 224
        8⤵
        
        PID:7188
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-25664.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-25664.exe
        7⤵
        System Location Discovery: System Language Discovery
        
        PID:3448
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1912 -s 216
        7⤵
        Program crash
        
        PID:1444
      - C:\Users\Admin\AppData\Local\Temp\Unicorn-22027.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-22027.exe
        6⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2480
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-18188.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-18188.exe
        7⤵
        
        PID:3056
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-13927.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-13927.exe
        8⤵
        
        PID:3456
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-47201.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-47201.exe
        9⤵
        
        PID:8284
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-51805.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-51805.exe
        8⤵
        
        PID:4976
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3056 -s 224
        8⤵
        Program crash
        
        PID:4616
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-24679.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-24679.exe
        7⤵
        
        PID:3644
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-10911.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-10911.exe
        8⤵
        System Location Discovery: System Language Discovery
        
        PID:8748
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2480 -s 224
        7⤵
        Program crash
        
        PID:4168
      - C:\Users\Admin\AppData\Local\Temp\Unicorn-28741.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-28741.exe
        6⤵
        
        PID:1872
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-30622.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-30622.exe
        7⤵
        
        PID:3388
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-15982.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-15982.exe
        7⤵
        
        PID:4368
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-46127.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-46127.exe
        7⤵
        
        PID:6044
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-43225.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-43225.exe
        7⤵
        System Location Discovery: System Language Discovery
        
        PID:7508
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-43330.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-43330.exe
        7⤵
        
        PID:7264
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-64309.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-64309.exe
        7⤵
        
        PID:8712
      - C:\Users\Admin\AppData\Local\Temp\Unicorn-43569.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-43569.exe
        6⤵
        
        PID:3640
      - C:\Users\Admin\AppData\Local\Temp\Unicorn-47914.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-47914.exe
        6⤵
        
        PID:5036
      - C:\Users\Admin\AppData\Local\Temp\Unicorn-47019.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-47019.exe
        6⤵
        
        PID:6096
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2664 -s 244
        6⤵
        
        PID:7364
    - - C:\Users\Admin\AppData\Local\Temp\Unicorn-37.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-37.exe
        5⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2000
      - C:\Users\Admin\AppData\Local\Temp\Unicorn-22817.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-22817.exe
        6⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1452
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-32132.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-32132.exe
        7⤵
        
        PID:3016
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-31603.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-31603.exe
        8⤵
        
        PID:3996
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-22308.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-22308.exe
        8⤵
        
        PID:5244
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3016 -s 224
        8⤵
        
        PID:6976
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-60725.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-60725.exe
        7⤵
        
        PID:3868
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1452 -s 240
        7⤵
        Program crash
        
        PID:5084
      - C:\Users\Admin\AppData\Local\Temp\Unicorn-315.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-315.exe
        6⤵
        
        PID:2724
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-16144.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-16144.exe
        7⤵
        
        PID:3432
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-22308.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-22308.exe
        7⤵
        
        PID:5276
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2724 -s 224
        7⤵
        
        PID:7056
      - C:\Users\Admin\AppData\Local\Temp\Unicorn-26411.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-26411.exe
        6⤵
        
        PID:3224
      - C:\Users\Admin\AppData\Local\Temp\Unicorn-40627.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-40627.exe
        6⤵
        
        PID:4892
      - C:\Users\Admin\AppData\Local\Temp\Unicorn-54868.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-54868.exe
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:6228
      - C:\Users\Admin\AppData\Local\Temp\Unicorn-14791.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-14791.exe
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:8092
      - C:\Users\Admin\AppData\Local\Temp\Unicorn-28723.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-28723.exe
        6⤵
        
        PID:7532
      - C:\Users\Admin\AppData\Local\Temp\Unicorn-28214.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-28214.exe
        6⤵
        
        PID:8448
    - - C:\Users\Admin\AppData\Local\Temp\Unicorn-16686.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-16686.exe
        5⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:660
      - C:\Users\Admin\AppData\Local\Temp\Unicorn-54752.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-54752.exe
        6⤵
        
        PID:1952
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-9262.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-9262.exe
        7⤵
        System Location Discovery: System Language Discovery
        
        PID:3704
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-9350.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-9350.exe
        7⤵
        
        PID:4196
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1952 -s 244
        7⤵
        
        PID:6264
      - C:\Users\Admin\AppData\Local\Temp\Unicorn-51104.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-51104.exe
        6⤵
        
        PID:3084
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 660 -s 224
        6⤵
        Program crash
        
        PID:4828
    - - C:\Users\Admin\AppData\Local\Temp\Unicorn-11062.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-11062.exe
        5⤵
        
        PID:1616
      - C:\Users\Admin\AppData\Local\Temp\Unicorn-16144.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-16144.exe
        6⤵
        
        PID:3280
      - C:\Users\Admin\AppData\Local\Temp\Unicorn-22308.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-22308.exe
        6⤵
        
        PID:5284
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1616 -s 224
        6⤵
        
        PID:7072
    - - C:\Users\Admin\AppData\Local\Temp\Unicorn-55324.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-55324.exe
        5⤵
        
        PID:3756
    - - C:\Users\Admin\AppData\Local\Temp\Unicorn-43822.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-43822.exe
        5⤵
        
        PID:4240
    - - C:\Users\Admin\AppData\Local\Temp\Unicorn-55398.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-55398.exe
        5⤵
        
        PID:6312
    - - C:\Users\Admin\AppData\Local\Temp\Unicorn-10326.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-10326.exe
        5⤵
        
        PID:8016
    - - C:\Users\Admin\AppData\Local\Temp\Unicorn-1857.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-1857.exe
        5⤵
        
        PID:7516
    - - C:\Users\Admin\AppData\Local\Temp\Unicorn-6659.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-6659.exe
        5⤵
        
        PID:8324
  - - C:\Users\Admin\AppData\Local\Temp\Unicorn-36819.exe
      C:\Users\Admin\AppData\Local\Temp\Unicorn-36819.exe
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Suspicious use of SetWindowsHookEx
      PID:1308
    - - C:\Users\Admin\AppData\Local\Temp\Unicorn-57811.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-57811.exe
        5⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2256
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2256 -s 244
        6⤵
        Program crash
        
        PID:2896
    - - C:\Users\Admin\AppData\Local\Temp\Unicorn-18519.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-18519.exe
        5⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2776
      - C:\Users\Admin\AppData\Local\Temp\Unicorn-16730.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-16730.exe
        6⤵
        
        PID:2284
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-29164.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-29164.exe
        7⤵
        
        PID:3200
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-2464.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-2464.exe
        7⤵
        
        PID:5444
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-19754.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-19754.exe
        7⤵
        
        PID:6932
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-33381.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-33381.exe
        7⤵
        
        PID:7972
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-22157.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-22157.exe
        7⤵
        
        PID:8800
      - C:\Users\Admin\AppData\Local\Temp\Unicorn-45287.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-45287.exe
        6⤵
        
        PID:3120
      - C:\Users\Admin\AppData\Local\Temp\Unicorn-36044.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-36044.exe
        6⤵
        
        PID:4392
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2776 -s 248
        6⤵
        
        PID:6916
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1308 -s 240
        5⤵
        Program crash
        
        PID:3008
  - - C:\Users\Admin\AppData\Local\Temp\Unicorn-14732.exe
      C:\Users\Admin\AppData\Local\Temp\Unicorn-14732.exe
      4⤵
      Executes dropped EXE
      Suspicious use of SetWindowsHookEx
      PID:1180
    - - C:\Users\Admin\AppData\Local\Temp\Unicorn-20645.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-20645.exe
        5⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2196
      - C:\Users\Admin\AppData\Local\Temp\Unicorn-41566.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-41566.exe
        6⤵
        
        PID:2804
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-8182.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-8182.exe
        7⤵
        
        PID:808
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-46958.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-46958.exe
        8⤵
        
        PID:3496
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-36978.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-36978.exe
        8⤵
        
        PID:4184
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-818.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-818.exe
        8⤵
        
        PID:5364
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-22613.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-22613.exe
        8⤵
        
        PID:7376
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-43138.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-43138.exe
        8⤵
        
        PID:8072
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-11216.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-11216.exe
        8⤵
        
        PID:8612
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-17471.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-17471.exe
        7⤵
        
        PID:3792
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-39365.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-39365.exe
        7⤵
        
        PID:4252
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-30804.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-30804.exe
        7⤵
        
        PID:2528
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2804 -s 240
        7⤵
        
        PID:6276
      - C:\Users\Admin\AppData\Local\Temp\Unicorn-12629.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-12629.exe
        6⤵
        
        PID:112
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-53481.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-53481.exe
        7⤵
        
        PID:3900
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 112 -s 236
        7⤵
        Program crash
        
        PID:4412
      - C:\Users\Admin\AppData\Local\Temp\Unicorn-47351.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-47351.exe
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:3852
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-52966.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-52966.exe
        7⤵
        System Location Discovery: System Language Discovery
        
        PID:8388
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-18015.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-18015.exe
        7⤵
        
        PID:7304
      - C:\Users\Admin\AppData\Local\Temp\Unicorn-57866.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-57866.exe
        6⤵
        
        PID:4456
      - C:\Users\Admin\AppData\Local\Temp\Unicorn-26222.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-26222.exe
        6⤵
        
        PID:2540
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2196 -s 248
        6⤵
        
        PID:7204
    - - C:\Users\Admin\AppData\Local\Temp\Unicorn-1472.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-1472.exe
        5⤵
        
        PID:2788
      - C:\Users\Admin\AppData\Local\Temp\Unicorn-13719.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-13719.exe
        6⤵
        
        PID:2564
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-53481.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-53481.exe
        7⤵
        
        PID:3916
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2564 -s 216
        7⤵
        Program crash
        
        PID:4480
      - C:\Users\Admin\AppData\Local\Temp\Unicorn-30683.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-30683.exe
        6⤵
        
        PID:4088
      - C:\Users\Admin\AppData\Local\Temp\Unicorn-636.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-636.exe
        6⤵
        
        PID:4820
      - C:\Users\Admin\AppData\Local\Temp\Unicorn-6683.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-6683.exe
        6⤵
        
        PID:4816
      - C:\Users\Admin\AppData\Local\Temp\Unicorn-13947.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-13947.exe
        6⤵
        
        PID:7392
      - C:\Users\Admin\AppData\Local\Temp\Unicorn-26602.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-26602.exe
        6⤵
        
        PID:6396
      - C:\Users\Admin\AppData\Local\Temp\Unicorn-28282.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-28282.exe
        6⤵
        
        PID:8616
    - - C:\Users\Admin\AppData\Local\Temp\Unicorn-1113.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-1113.exe
        5⤵
        
        PID:836
      - C:\Users\Admin\AppData\Local\Temp\Unicorn-43642.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-43642.exe
        6⤵
        
        PID:4012
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 836 -s 236
        6⤵
        Program crash
        
        PID:4952
    - - C:\Users\Admin\AppData\Local\Temp\Unicorn-55821.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-55821.exe
        5⤵
        
        PID:3728
    - - C:\Users\Admin\AppData\Local\Temp\Unicorn-60358.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-60358.exe
        5⤵
        
        PID:4256
    - - C:\Users\Admin\AppData\Local\Temp\Unicorn-38332.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-38332.exe
        5⤵
        
        PID:6280
    - - C:\Users\Admin\AppData\Local\Temp\Unicorn-31857.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-31857.exe
        5⤵
        
        PID:8084
    - - C:\Users\Admin\AppData\Local\Temp\Unicorn-7192.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-7192.exe
        5⤵
        
        PID:8044
    - - C:\Users\Admin\AppData\Local\Temp\Unicorn-6543.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-6543.exe
        5⤵
        
        PID:8380
  - - C:\Users\Admin\AppData\Local\Temp\Unicorn-41184.exe
      C:\Users\Admin\AppData\Local\Temp\Unicorn-41184.exe
      4⤵
      Executes dropped EXE
      Suspicious use of SetWindowsHookEx
      PID:2956
    - - C:\Users\Admin\AppData\Local\Temp\Unicorn-28048.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-28048.exe
        5⤵
        
        PID:2104
      - C:\Users\Admin\AppData\Local\Temp\Unicorn-11353.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-11353.exe
        6⤵
        
        PID:3676
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2104 -s 236
        6⤵
        Program crash
        
        PID:5052
    - - C:\Users\Admin\AppData\Local\Temp\Unicorn-52557.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-52557.exe
        5⤵
        
        PID:3612
    - - C:\Users\Admin\AppData\Local\Temp\Unicorn-63158.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-63158.exe
        5⤵
        
        PID:4348
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2956 -s 228
        5⤵
        
        PID:6208
  - - C:\Users\Admin\AppData\Local\Temp\Unicorn-11250.exe
      C:\Users\Admin\AppData\Local\Temp\Unicorn-11250.exe
      4⤵
      PID:2976
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2976 -s 224
        5⤵
        Program crash
        
        PID:3468
  - - C:\Users\Admin\AppData\Local\Temp\Unicorn-7076.exe
      C:\Users\Admin\AppData\Local\Temp\Unicorn-7076.exe
      4⤵
      System Location Discovery: System Language Discovery
      PID:3144
  - - C:\Users\Admin\AppData\Local\Temp\Unicorn-20239.exe
      C:\Users\Admin\AppData\Local\Temp\Unicorn-20239.exe
      4⤵
      PID:940
  - - C:\Users\Admin\AppData\Local\Temp\Unicorn-33867.exe
      C:\Users\Admin\AppData\Local\Temp\Unicorn-33867.exe
      4⤵
      System Location Discovery: System Language Discovery
      PID:6240
  - - C:\Users\Admin\AppData\Local\Temp\Unicorn-4991.exe
      C:\Users\Admin\AppData\Local\Temp\Unicorn-4991.exe
      4⤵
      PID:8032
  - - C:\Users\Admin\AppData\Local\Temp\Unicorn-6057.exe
      C:\Users\Admin\AppData\Local\Temp\Unicorn-6057.exe
      4⤵
      PID:8060
  - - C:\Users\Admin\AppData\Local\Temp\Unicorn-64880.exe
      C:\Users\Admin\AppData\Local\Temp\Unicorn-64880.exe
      4⤵
      PID:8488
- - C:\Users\Admin\AppData\Local\Temp\Unicorn-8018.exe
    C:\Users\Admin\AppData\Local\Temp\Unicorn-8018.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:1540
  - - C:\Users\Admin\AppData\Local\Temp\Unicorn-56685.exe
      C:\Users\Admin\AppData\Local\Temp\Unicorn-56685.exe
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Suspicious use of SetWindowsHookEx
      PID:2768
    - - C:\Users\Admin\AppData\Local\Temp\Unicorn-36239.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-36239.exe
        5⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2152
      - C:\Users\Admin\AppData\Local\Temp\Unicorn-53701.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-53701.exe
        6⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2660
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-49921.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-49921.exe
        7⤵
        
        PID:2212
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-58084.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-58084.exe
        8⤵
        
        PID:3296
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-34741.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-34741.exe
        9⤵
        
        PID:8548
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-10040.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-10040.exe
        8⤵
        
        PID:4780
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-17517.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-17517.exe
        8⤵
        
        PID:5592
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2212 -s 248
        8⤵
        
        PID:7236
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-10974.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-10974.exe
        7⤵
        
        PID:3416
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-52023.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-52023.exe
        8⤵
        
        PID:1636
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-22308.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-22308.exe
        8⤵
        
        PID:5228
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3416 -s 224
        8⤵
        
        PID:6984
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-46770.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-46770.exe
        7⤵
        
        PID:3780
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-41909.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-41909.exe
        7⤵
        
        PID:5196
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2660 -s 224
        7⤵
        
        PID:7064
      - C:\Users\Admin\AppData\Local\Temp\Unicorn-59796.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-59796.exe
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:2192
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-29164.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-29164.exe
        7⤵
        
        PID:3492
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2192 -s 228
        7⤵
        Program crash
        
        PID:5484
      - C:\Users\Admin\AppData\Local\Temp\Unicorn-57569.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-57569.exe
        6⤵
        
        PID:3848
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2152 -s 236
        6⤵
        Program crash
        
        PID:5140
    - - C:\Users\Admin\AppData\Local\Temp\Unicorn-47108.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-47108.exe
        5⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2624
      - C:\Users\Admin\AppData\Local\Temp\Unicorn-24519.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-24519.exe
        6⤵
        
        PID:1624
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-53481.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-53481.exe
        7⤵
        
        PID:3908
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1624 -s 216
        7⤵
        Program crash
        
        PID:3980
      - C:\Users\Admin\AppData\Local\Temp\Unicorn-41015.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-41015.exe
        6⤵
        
        PID:3688
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-47185.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-47185.exe
        7⤵
        
        PID:8580
      - C:\Users\Admin\AppData\Local\Temp\Unicorn-31196.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-31196.exe
        6⤵
        
        PID:4208
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2624 -s 248
        6⤵
        
        PID:3040
    - - C:\Users\Admin\AppData\Local\Temp\Unicorn-18580.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-18580.exe
        5⤵
        
        PID:2332
      - C:\Users\Admin\AppData\Local\Temp\Unicorn-32101.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-32101.exe
        6⤵
        
        PID:3760
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-6827.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-6827.exe
        7⤵
        
        PID:8688
      - C:\Users\Admin\AppData\Local\Temp\Unicorn-25629.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-25629.exe
        6⤵
        
        PID:4312
      - C:\Users\Admin\AppData\Local\Temp\Unicorn-29022.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-29022.exe
        6⤵
        
        PID:5588
      - C:\Users\Admin\AppData\Local\Temp\Unicorn-43082.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-43082.exe
        6⤵
        
        PID:6888
      - C:\Users\Admin\AppData\Local\Temp\Unicorn-14850.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-14850.exe
        6⤵
        
        PID:8104
      - C:\Users\Admin\AppData\Local\Temp\Unicorn-15876.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-15876.exe
        6⤵
        
        PID:8340
    - - C:\Users\Admin\AppData\Local\Temp\Unicorn-23668.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-23668.exe
        5⤵
        
        PID:3732
    - - C:\Users\Admin\AppData\Local\Temp\Unicorn-36564.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-36564.exe
        5⤵
        
        PID:4268
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2768 -s 248
        5⤵
        
        PID:5572
  - - C:\Users\Admin\AppData\Local\Temp\Unicorn-37945.exe
      C:\Users\Admin\AppData\Local\Temp\Unicorn-37945.exe
      4⤵
      Executes dropped EXE
      Suspicious use of SetWindowsHookEx
      PID:1148
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1148 -s 240
        5⤵
        Program crash
        
        PID:792
  - - C:\Users\Admin\AppData\Local\Temp\Unicorn-15342.exe
      C:\Users\Admin\AppData\Local\Temp\Unicorn-15342.exe
      4⤵
      Executes dropped EXE
      Suspicious use of SetWindowsHookEx
      PID:624
    - - C:\Users\Admin\AppData\Local\Temp\Unicorn-34161.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-34161.exe
        5⤵
        
        PID:700
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 700 -s 220
        6⤵
        Program crash
        
        PID:4080
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 624 -s 248
        5⤵
        Program crash
        
        PID:3608
  - - C:\Users\Admin\AppData\Local\Temp\Unicorn-44093.exe
      C:\Users\Admin\AppData\Local\Temp\Unicorn-44093.exe
      4⤵
      PID:1200
    - - C:\Users\Admin\AppData\Local\Temp\Unicorn-54794.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-54794.exe
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:4864
    - - C:\Users\Admin\AppData\Local\Temp\Unicorn-3782.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-3782.exe
        5⤵
        
        PID:5652
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1200 -s 224
        5⤵
        
        PID:7228
  - - C:\Users\Admin\AppData\Local\Temp\Unicorn-17628.exe
      C:\Users\Admin\AppData\Local\Temp\Unicorn-17628.exe
      4⤵
      PID:3528
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 1540 -s 236
      4⤵
      Program crash
      PID:2472
- - C:\Users\Admin\AppData\Local\Temp\Unicorn-58723.exe
    C:\Users\Admin\AppData\Local\Temp\Unicorn-58723.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:1648
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 1648 -s 240
      4⤵
      Loads dropped DLL
      Program crash
      PID:2532
- - C:\Users\Admin\AppData\Local\Temp\Unicorn-31698.exe
    C:\Users\Admin\AppData\Local\Temp\Unicorn-31698.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:2536
  - - C:\Users\Admin\AppData\Local\Temp\Unicorn-32212.exe
      C:\Users\Admin\AppData\Local\Temp\Unicorn-32212.exe
      4⤵
      Executes dropped EXE
      Suspicious use of SetWindowsHookEx
      PID:2940
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2940 -s 224
        5⤵
        Program crash
        
        PID:2732
  - - C:\Users\Admin\AppData\Local\Temp\Unicorn-36002.exe
      C:\Users\Admin\AppData\Local\Temp\Unicorn-36002.exe
      4⤵
      PID:340
    - - C:\Users\Admin\AppData\Local\Temp\Unicorn-32542.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-32542.exe
        5⤵
        
        PID:3256
    - - C:\Users\Admin\AppData\Local\Temp\Unicorn-8774.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-8774.exe
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:4732
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 340 -s 244
        5⤵
        
        PID:6300
  - - C:\Users\Admin\AppData\Local\Temp\Unicorn-32659.exe
      C:\Users\Admin\AppData\Local\Temp\Unicorn-32659.exe
      4⤵
      PID:3452
  - - C:\Users\Admin\AppData\Local\Temp\Unicorn-56579.exe
      C:\Users\Admin\AppData\Local\Temp\Unicorn-56579.exe
      4⤵
      System Location Discovery: System Language Discovery
      PID:4188
  - - C:\Users\Admin\AppData\Local\Temp\Unicorn-63555.exe
      C:\Users\Admin\AppData\Local\Temp\Unicorn-63555.exe
      4⤵
      System Location Discovery: System Language Discovery
      PID:1712
  - - C:\Users\Admin\AppData\Local\Temp\Unicorn-5580.exe
      C:\Users\Admin\AppData\Local\Temp\Unicorn-5580.exe
      4⤵
      System Location Discovery: System Language Discovery
      PID:7448
  - - C:\Users\Admin\AppData\Local\Temp\Unicorn-43668.exe
      C:\Users\Admin\AppData\Local\Temp\Unicorn-43668.exe
      4⤵
      System Location Discovery: System Language Discovery
      PID:7692
  - - C:\Users\Admin\AppData\Local\Temp\Unicorn-60419.exe
      C:\Users\Admin\AppData\Local\Temp\Unicorn-60419.exe
      4⤵
      System Location Discovery: System Language Discovery
      PID:8476
- - C:\Users\Admin\AppData\Local\Temp\Unicorn-65191.exe
    C:\Users\Admin\AppData\Local\Temp\Unicorn-65191.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:2188
  - - C:\Users\Admin\AppData\Local\Temp\Unicorn-19496.exe
      C:\Users\Admin\AppData\Local\Temp\Unicorn-19496.exe
      4⤵
      PID:704
    - - C:\Users\Admin\AppData\Local\Temp\Unicorn-47939.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-47939.exe
        5⤵
        
        PID:4040
    - - C:\Users\Admin\AppData\Local\Temp\Unicorn-22308.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-22308.exe
        5⤵
        
        PID:5252
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 704 -s 224
        5⤵
        
        PID:7008
  - - C:\Users\Admin\AppData\Local\Temp\Unicorn-48473.exe
      C:\Users\Admin\AppData\Local\Temp\Unicorn-48473.exe
      4⤵
      PID:3808
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 2188 -s 240
      4⤵
      Program crash
      PID:4204
- - C:\Users\Admin\AppData\Local\Temp\Unicorn-19411.exe
    C:\Users\Admin\AppData\Local\Temp\Unicorn-19411.exe
    3⤵
    PID:1676
  - - C:\Users\Admin\AppData\Local\Temp\Unicorn-7290.exe
      C:\Users\Admin\AppData\Local\Temp\Unicorn-7290.exe
      4⤵
      PID:3196
  - - C:\Users\Admin\AppData\Local\Temp\Unicorn-22308.exe
      C:\Users\Admin\AppData\Local\Temp\Unicorn-22308.exe
      4⤵
      PID:5260
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 1676 -s 244
      4⤵
      PID:7096
- - C:\Users\Admin\AppData\Local\Temp\Unicorn-60898.exe
    C:\Users\Admin\AppData\Local\Temp\Unicorn-60898.exe
    3⤵
    PID:4068
- - C:\Users\Admin\AppData\Local\Temp\Unicorn-39357.exe
    C:\Users\Admin\AppData\Local\Temp\Unicorn-39357.exe
    3⤵
    - System Location Discovery: System Language Discovery
    PID:4304
- - C:\Users\Admin\AppData\Local\Temp\Unicorn-28532.exe
    C:\Users\Admin\AppData\Local\Temp\Unicorn-28532.exe
    3⤵
    PID:6220
- - C:\Users\Admin\AppData\Local\Temp\Unicorn-9191.exe
    C:\Users\Admin\AppData\Local\Temp\Unicorn-9191.exe
    3⤵
    PID:8064
- - C:\Users\Admin\AppData\Local\Temp\Unicorn-43858.exe
    C:\Users\Admin\AppData\Local\Temp\Unicorn-43858.exe
    3⤵
    PID:8168
- - C:\Users\Admin\AppData\Local\Temp\Unicorn-46680.exe
    C:\Users\Admin\AppData\Local\Temp\Unicorn-46680.exe
    3⤵
    PID:8456
- C:\Users\Admin\AppData\Local\Temp\Unicorn-53654.exe
  C:\Users\Admin\AppData\Local\Temp\Unicorn-53654.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:1900
- - C:\Users\Admin\AppData\Local\Temp\Unicorn-44028.exe
    C:\Users\Admin\AppData\Local\Temp\Unicorn-44028.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:2676
  - - C:\Users\Admin\AppData\Local\Temp\Unicorn-26789.exe
      C:\Users\Admin\AppData\Local\Temp\Unicorn-26789.exe
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:1044
    - - C:\Users\Admin\AppData\Local\Temp\Unicorn-11926.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-11926.exe
        5⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2136
      - C:\Users\Admin\AppData\Local\Temp\Unicorn-64308.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-64308.exe
        6⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2344
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-22817.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-22817.exe
        7⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1512
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-54005.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-54005.exe
        8⤵
        
        PID:864
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 864 -s 224
        9⤵
        Program crash
        
        PID:3356
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1512 -s 236
        8⤵
        Program crash
        
        PID:3652
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-63880.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-63880.exe
        7⤵
        
        PID:2492
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2492 -s 220
        8⤵
        Program crash
        
        PID:3132
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2344 -s 240
        7⤵
        Program crash
        
        PID:3824
      - C:\Users\Admin\AppData\Local\Temp\Unicorn-11119.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-11119.exe
        6⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1728
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1728 -s 224
        7⤵
        Program crash
        
        PID:3044
      - C:\Users\Admin\AppData\Local\Temp\Unicorn-41570.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-41570.exe
        6⤵
        
        PID:1776
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-34021.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-34021.exe
        7⤵
        
        PID:3204
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-52438.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-52438.exe
        7⤵
        
        PID:4800
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1776 -s 244
        7⤵
        
        PID:5644
      - C:\Users\Admin\AppData\Local\Temp\Unicorn-14020.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-14020.exe
        6⤵
        
        PID:3344
      - C:\Users\Admin\AppData\Local\Temp\Unicorn-13596.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-13596.exe
        6⤵
        
        PID:4356
      - C:\Users\Admin\AppData\Local\Temp\Unicorn-26791.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-26791.exe
        6⤵
        
        PID:5968
      - C:\Users\Admin\AppData\Local\Temp\Unicorn-35090.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-35090.exe
        6⤵
        
        PID:7492
      - C:\Users\Admin\AppData\Local\Temp\Unicorn-22329.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-22329.exe
        6⤵
        
        PID:6616
      - C:\Users\Admin\AppData\Local\Temp\Unicorn-46340.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-46340.exe
        6⤵
        
        PID:8656
    - - C:\Users\Admin\AppData\Local\Temp\Unicorn-16046.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-16046.exe
        5⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1488
      - C:\Users\Admin\AppData\Local\Temp\Unicorn-55105.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-55105.exe
        6⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2316
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-36709.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-36709.exe
        7⤵
        
        PID:2028
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-29164.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-29164.exe
        8⤵
        
        PID:3744
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-10632.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-10632.exe
        8⤵
        
        PID:5476
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2028 -s 224
        8⤵
        
        PID:7024
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2316 -s 236
        7⤵
        Program crash
        
        PID:3400
      - C:\Users\Admin\AppData\Local\Temp\Unicorn-63112.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-63112.exe
        6⤵
        
        PID:1664
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1664 -s 200
        7⤵
        Program crash
        
        PID:3128
      - C:\Users\Admin\AppData\Local\Temp\Unicorn-28020.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-28020.exe
        6⤵
        
        PID:3548
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1488 -s 248
        6⤵
        Program crash
        
        PID:4200
    - - C:\Users\Admin\AppData\Local\Temp\Unicorn-3858.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-3858.exe
        5⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1640
      - C:\Users\Admin\AppData\Local\Temp\Unicorn-59241.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-59241.exe
        6⤵
        
        PID:1416
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-56984.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-56984.exe
        7⤵
        System Location Discovery: System Language Discovery
        
        PID:3976
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-22308.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-22308.exe
        7⤵
        
        PID:5236
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1416 -s 224
        7⤵
        
        PID:7000
      - C:\Users\Admin\AppData\Local\Temp\Unicorn-43834.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-43834.exe
        6⤵
        
        PID:3888
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1640 -s 244
        6⤵
        Program crash
        
        PID:4600
    - - C:\Users\Admin\AppData\Local\Temp\Unicorn-9199.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-9199.exe
        5⤵
        
        PID:2612
      - C:\Users\Admin\AppData\Local\Temp\Unicorn-65401.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-65401.exe
        6⤵
        
        PID:4592
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2612 -s 248
        6⤵
        
        PID:5304
    - - C:\Users\Admin\AppData\Local\Temp\Unicorn-34156.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-34156.exe
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:300
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1044 -s 236
        5⤵
        Program crash
        
        PID:1480
  - - C:\Users\Admin\AppData\Local\Temp\Unicorn-4505.exe
      C:\Users\Admin\AppData\Local\Temp\Unicorn-4505.exe
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious use of SetWindowsHookEx
      PID:2432
    - - C:\Users\Admin\AppData\Local\Temp\Unicorn-14915.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-14915.exe
        5⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2668
      - C:\Users\Admin\AppData\Local\Temp\Unicorn-30409.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-30409.exe
        6⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2320
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-32495.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-32495.exe
        7⤵
        
        PID:1352
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1352 -s 224
        8⤵
        Program crash
        
        PID:2600
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-63169.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-63169.exe
        7⤵
        
        PID:2832
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-26606.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-26606.exe
        8⤵
        
        PID:5548
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2832 -s 216
        8⤵
        
        PID:6880
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-15825.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-15825.exe
        7⤵
        
        PID:4112
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-17980.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-17980.exe
        7⤵
        
        PID:5432
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-16954.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-16954.exe
        7⤵
        
        PID:6952
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-8180.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-8180.exe
        7⤵
        System Location Discovery: System Language Discovery
        
        PID:7956
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-22687.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-22687.exe
        7⤵
        
        PID:8792
      - C:\Users\Admin\AppData\Local\Temp\Unicorn-23018.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-23018.exe
        6⤵
        
        PID:2092
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-27306.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-27306.exe
        7⤵
        
        PID:3908
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-49423.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-49423.exe
        7⤵
        System Location Discovery: System Language Discovery
        
        PID:4292
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-57668.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-57668.exe
        7⤵
        
        PID:6256
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-39992.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-39992.exe
        7⤵
        
        PID:8112
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-28192.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-28192.exe
        7⤵
        
        PID:7776
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-32679.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-32679.exe
        7⤵
        
        PID:8460
      - C:\Users\Admin\AppData\Local\Temp\Unicorn-63687.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-63687.exe
        6⤵
        
        PID:3988
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2668 -s 236
        6⤵
        Program crash
        
        PID:4432
    - - C:\Users\Admin\AppData\Local\Temp\Unicorn-51768.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-51768.exe
        5⤵
        Executes dropped EXE
        
        PID:2324
      - C:\Users\Admin\AppData\Local\Temp\Unicorn-57378.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-57378.exe
        6⤵
        
        PID:2924
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2924 -s 224
        7⤵
        Program crash
        
        PID:4908
      - C:\Users\Admin\AppData\Local\Temp\Unicorn-28950.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-28950.exe
        6⤵
        
        PID:3588
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2324 -s 224
        6⤵
        Program crash
        
        PID:4640
    - - C:\Users\Admin\AppData\Local\Temp\Unicorn-11367.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-11367.exe
        5⤵
        
        PID:2736
      - C:\Users\Admin\AppData\Local\Temp\Unicorn-1525.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-1525.exe
        6⤵
        
        PID:5604
      - C:\Users\Admin\AppData\Local\Temp\Unicorn-6019.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-6019.exe
        6⤵
        
        PID:6900
      - C:\Users\Admin\AppData\Local\Temp\Unicorn-27515.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-27515.exe
        6⤵
        
        PID:7992
      - C:\Users\Admin\AppData\Local\Temp\Unicorn-30823.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-30823.exe
        6⤵
        
        PID:8812
    - - C:\Users\Admin\AppData\Local\Temp\Unicorn-21690.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-21690.exe
        5⤵
        
        PID:4136
    - - C:\Users\Admin\AppData\Local\Temp\Unicorn-21567.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-21567.exe
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:5464
    - - C:\Users\Admin\AppData\Local\Temp\Unicorn-419.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-419.exe
        5⤵
        
        PID:7040
    - - C:\Users\Admin\AppData\Local\Temp\Unicorn-25246.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-25246.exe
        5⤵
        
        PID:7948
    - - C:\Users\Admin\AppData\Local\Temp\Unicorn-1157.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-1157.exe
        5⤵
        
        PID:8704
  - - C:\Users\Admin\AppData\Local\Temp\Unicorn-41458.exe
      C:\Users\Admin\AppData\Local\Temp\Unicorn-41458.exe
      4⤵
      Executes dropped EXE
      Suspicious use of SetWindowsHookEx
      PID:2864
    - - C:\Users\Admin\AppData\Local\Temp\Unicorn-10180.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-10180.exe
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:1468
      - C:\Users\Admin\AppData\Local\Temp\Unicorn-1462.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-1462.exe
        6⤵
        
        PID:2448
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-25127.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-25127.exe
        7⤵
        
        PID:5960
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-37980.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-37980.exe
        7⤵
        
        PID:6236
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-162.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-162.exe
        7⤵
        
        PID:1272
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-55794.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-55794.exe
        7⤵
        System Location Discovery: System Language Discovery
        
        PID:8948
      - C:\Users\Admin\AppData\Local\Temp\Unicorn-6366.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-6366.exe
        6⤵
        
        PID:4284
      - C:\Users\Admin\AppData\Local\Temp\Unicorn-6552.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-6552.exe
        6⤵
        
        PID:5828
      - C:\Users\Admin\AppData\Local\Temp\Unicorn-62568.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-62568.exe
        6⤵
        
        PID:5864
      - C:\Users\Admin\AppData\Local\Temp\Unicorn-54456.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-54456.exe
        6⤵
        
        PID:7184
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1468 -s 228
        6⤵
        
        PID:8936
    - - C:\Users\Admin\AppData\Local\Temp\Unicorn-52370.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-52370.exe
        5⤵
        
        PID:576
      - C:\Users\Admin\AppData\Local\Temp\Unicorn-10217.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-10217.exe
        6⤵
        
        PID:5068
      - C:\Users\Admin\AppData\Local\Temp\Unicorn-15287.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-15287.exe
        6⤵
        
        PID:5712
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 576 -s 224
        6⤵
        
        PID:7172
    - - C:\Users\Admin\AppData\Local\Temp\Unicorn-53459.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-53459.exe
        5⤵
        
        PID:4436
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2864 -s 248
        5⤵
        
        PID:5344
  - - C:\Users\Admin\AppData\Local\Temp\Unicorn-60076.exe
      C:\Users\Admin\AppData\Local\Temp\Unicorn-60076.exe
      4⤵
      PID:2080
    - - C:\Users\Admin\AppData\Local\Temp\Unicorn-64783.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-64783.exe
        5⤵
        
        PID:2340
      - C:\Users\Admin\AppData\Local\Temp\Unicorn-53481.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-53481.exe
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:3932
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2340 -s 216
        6⤵
        Program crash
        
        PID:4492
    - - C:\Users\Admin\AppData\Local\Temp\Unicorn-12619.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-12619.exe
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:3560
      - C:\Users\Admin\AppData\Local\Temp\Unicorn-885.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-885.exe
        6⤵
        
        PID:8892
    - - C:\Users\Admin\AppData\Local\Temp\Unicorn-2608.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-2608.exe
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:4120
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2080 -s 228
        5⤵
        
        PID:5812
  - - C:\Users\Admin\AppData\Local\Temp\Unicorn-2184.exe
      C:\Users\Admin\AppData\Local\Temp\Unicorn-2184.exe
      4⤵
      PID:1504
    - - C:\Users\Admin\AppData\Local\Temp\Unicorn-53481.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-53481.exe
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:3924
    - - C:\Users\Admin\AppData\Local\Temp\Unicorn-38265.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-38265.exe
        5⤵
        
        PID:4536
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1504 -s 224
        5⤵
        
        PID:5816
  - - C:\Users\Admin\AppData\Local\Temp\Unicorn-19079.exe
      C:\Users\Admin\AppData\Local\Temp\Unicorn-19079.exe
      4⤵
      PID:3632
    - - C:\Users\Admin\AppData\Local\Temp\Unicorn-17352.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-17352.exe
        5⤵
        
        PID:8592
  - - C:\Users\Admin\AppData\Local\Temp\Unicorn-338.exe
      C:\Users\Admin\AppData\Local\Temp\Unicorn-338.exe
      4⤵
      PID:4180
  - - C:\Users\Admin\AppData\Local\Temp\Unicorn-5222.exe
      C:\Users\Admin\AppData\Local\Temp\Unicorn-5222.exe
      4⤵
      PID:1672
  - - C:\Users\Admin\AppData\Local\Temp\Unicorn-8081.exe
      C:\Users\Admin\AppData\Local\Temp\Unicorn-8081.exe
      4⤵
      PID:7244
  - - C:\Users\Admin\AppData\Local\Temp\Unicorn-58252.exe
      C:\Users\Admin\AppData\Local\Temp\Unicorn-58252.exe
      4⤵
      PID:7788
  - - C:\Users\Admin\AppData\Local\Temp\Unicorn-48077.exe
      C:\Users\Admin\AppData\Local\Temp\Unicorn-48077.exe
      4⤵
      System Location Discovery: System Language Discovery
      PID:8236
- - C:\Users\Admin\AppData\Local\Temp\Unicorn-27727.exe
    C:\Users\Admin\AppData\Local\Temp\Unicorn-27727.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    PID:2024
  - - C:\Users\Admin\AppData\Local\Temp\Unicorn-19711.exe
      C:\Users\Admin\AppData\Local\Temp\Unicorn-19711.exe
      4⤵
      Executes dropped EXE
      Suspicious use of SetWindowsHookEx
      PID:1312
    - - C:\Users\Admin\AppData\Local\Temp\Unicorn-60032.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-60032.exe
        5⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2844
      - C:\Users\Admin\AppData\Local\Temp\Unicorn-64425.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-64425.exe
        6⤵
        
        PID:2816
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2816 -s 244
        7⤵
        Program crash
        
        PID:2488
      - C:\Users\Admin\AppData\Local\Temp\Unicorn-56786.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-56786.exe
        6⤵
        
        PID:944
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-60907.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-60907.exe
        7⤵
        
        PID:3156
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-15560.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-15560.exe
        8⤵
        
        PID:6308
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-4429.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-4429.exe
        8⤵
        
        PID:8240
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-39187.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-39187.exe
        8⤵
        
        PID:8652
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-45536.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-45536.exe
        7⤵
        
        PID:4576
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-27740.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-27740.exe
        7⤵
        
        PID:5292
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 944 -s 228
        7⤵
        
        PID:7196
      - C:\Users\Admin\AppData\Local\Temp\Unicorn-21528.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-21528.exe
        6⤵
        
        PID:3180
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-23119.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-23119.exe
        7⤵
        
        PID:6676
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-44948.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-44948.exe
        7⤵
        System Location Discovery: System Language Discovery
        
        PID:7600
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-14407.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-14407.exe
        7⤵
        
        PID:8196
      - C:\Users\Admin\AppData\Local\Temp\Unicorn-28188.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-28188.exe
        6⤵
        
        PID:4632
      - C:\Users\Admin\AppData\Local\Temp\Unicorn-24940.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-24940.exe
        6⤵
        
        PID:5172
      - C:\Users\Admin\AppData\Local\Temp\Unicorn-17881.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-17881.exe
        6⤵
        
        PID:6600
      - C:\Users\Admin\AppData\Local\Temp\Unicorn-15380.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-15380.exe
        6⤵
        
        PID:8052
      - C:\Users\Admin\AppData\Local\Temp\Unicorn-11411.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-11411.exe
        6⤵
        
        PID:8232
    - - C:\Users\Admin\AppData\Local\Temp\Unicorn-28415.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-28415.exe
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:2592
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2592 -s 244
        6⤵
        Program crash
        
        PID:1004
    - - C:\Users\Admin\AppData\Local\Temp\Unicorn-568.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-568.exe
        5⤵
        
        PID:1500
      - C:\Users\Admin\AppData\Local\Temp\Unicorn-12921.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-12921.exe
        6⤵
        
        PID:6524
      - C:\Users\Admin\AppData\Local\Temp\Unicorn-24335.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-24335.exe
        6⤵
        
        PID:7520
      - C:\Users\Admin\AppData\Local\Temp\Unicorn-49929.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-49929.exe
        6⤵
        
        PID:8960
    - - C:\Users\Admin\AppData\Local\Temp\Unicorn-59324.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-59324.exe
        5⤵
        
        PID:4420
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1312 -s 244
        5⤵
        Program crash
        
        PID:3024
  - - C:\Users\Admin\AppData\Local\Temp\Unicorn-8454.exe
      C:\Users\Admin\AppData\Local\Temp\Unicorn-8454.exe
      4⤵
      Executes dropped EXE
      Suspicious use of SetWindowsHookEx
      PID:2680
    - - C:\Users\Admin\AppData\Local\Temp\Unicorn-8317.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-8317.exe
        5⤵
        
        PID:2580
      - C:\Users\Admin\AppData\Local\Temp\Unicorn-18183.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-18183.exe
        6⤵
        
        PID:2356
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-54997.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-54997.exe
        7⤵
        
        PID:5944
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-56346.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-56346.exe
        7⤵
        
        PID:7336
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-28641.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-28641.exe
        7⤵
        
        PID:7308
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-41077.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-41077.exe
        7⤵
        
        PID:8300
      - C:\Users\Admin\AppData\Local\Temp\Unicorn-59075.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-59075.exe
        6⤵
        
        PID:4328
      - C:\Users\Admin\AppData\Local\Temp\Unicorn-22888.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-22888.exe
        6⤵
        
        PID:5876
      - C:\Users\Admin\AppData\Local\Temp\Unicorn-6351.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-6351.exe
        6⤵
        
        PID:6252
      - C:\Users\Admin\AppData\Local\Temp\Unicorn-58732.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-58732.exe
        6⤵
        
        PID:7260
      - C:\Users\Admin\AppData\Local\Temp\Unicorn-30977.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-30977.exe
        6⤵
        
        PID:8928
    - - C:\Users\Admin\AppData\Local\Temp\Unicorn-27673.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-27673.exe
        5⤵
        
        PID:3104
      - C:\Users\Admin\AppData\Local\Temp\Unicorn-14325.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-14325.exe
        6⤵
        
        PID:7668
      - C:\Users\Admin\AppData\Local\Temp\Unicorn-3230.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-3230.exe
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:7332
      - C:\Users\Admin\AppData\Local\Temp\Unicorn-34827.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-34827.exe
        6⤵
        
        PID:8820
    - - C:\Users\Admin\AppData\Local\Temp\Unicorn-13578.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-13578.exe
        5⤵
        
        PID:4500
    - - C:\Users\Admin\AppData\Local\Temp\Unicorn-33606.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-33606.exe
        5⤵
        
        PID:5208
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2680 -s 240
        5⤵
        
        PID:6184
  - - C:\Users\Admin\AppData\Local\Temp\Unicorn-58980.exe
      C:\Users\Admin\AppData\Local\Temp\Unicorn-58980.exe
      4⤵
      PID:2452
    - - C:\Users\Admin\AppData\Local\Temp\Unicorn-32106.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-32106.exe
        5⤵
        
        PID:1844
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1844 -s 224
        6⤵
        Program crash
        
        PID:3148
    - - C:\Users\Admin\AppData\Local\Temp\Unicorn-11877.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-11877.exe
        5⤵
        
        PID:3208
      - C:\Users\Admin\AppData\Local\Temp\Unicorn-60869.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-60869.exe
        6⤵
        
        PID:7280
      - C:\Users\Admin\AppData\Local\Temp\Unicorn-53822.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-53822.exe
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:8268
      - C:\Users\Admin\AppData\Local\Temp\Unicorn-55523.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-55523.exe
        6⤵
        
        PID:8776
    - - C:\Users\Admin\AppData\Local\Temp\Unicorn-26790.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-26790.exe
        5⤵
        
        PID:4660
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2452 -s 248
        5⤵
        
        PID:5324
  - - C:\Users\Admin\AppData\Local\Temp\Unicorn-64513.exe
      C:\Users\Admin\AppData\Local\Temp\Unicorn-64513.exe
      4⤵
      PID:2112
    - - C:\Users\Admin\AppData\Local\Temp\Unicorn-59091.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-59091.exe
        5⤵
        
        PID:4668
    - - C:\Users\Admin\AppData\Local\Temp\Unicorn-15287.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-15287.exe
        5⤵
        
        PID:5772
    - - C:\Users\Admin\AppData\Local\Temp\Unicorn-37217.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-37217.exe
        5⤵
        
        PID:6860
    - - C:\Users\Admin\AppData\Local\Temp\Unicorn-23516.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-23516.exe
        5⤵
        
        PID:7180
    - - C:\Users\Admin\AppData\Local\Temp\Unicorn-32411.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-32411.exe
        5⤵
        
        PID:8368
  - - C:\Users\Admin\AppData\Local\Temp\Unicorn-22864.exe
      C:\Users\Admin\AppData\Local\Temp\Unicorn-22864.exe
      4⤵
      PID:3340
  - - C:\Users\Admin\AppData\Local\Temp\Unicorn-16708.exe
      C:\Users\Admin\AppData\Local\Temp\Unicorn-16708.exe
      4⤵
      PID:5080
  - - C:\Users\Admin\AppData\Local\Temp\Unicorn-17484.exe
      C:\Users\Admin\AppData\Local\Temp\Unicorn-17484.exe
      4⤵
      PID:7032
  - - C:\Users\Admin\AppData\Local\Temp\Unicorn-3715.exe
      C:\Users\Admin\AppData\Local\Temp\Unicorn-3715.exe
      4⤵
      PID:7904
  - - C:\Users\Admin\AppData\Local\Temp\Unicorn-61359.exe
      C:\Users\Admin\AppData\Local\Temp\Unicorn-61359.exe
      4⤵
      PID:8764
- - C:\Users\Admin\AppData\Local\Temp\Unicorn-38085.exe
    C:\Users\Admin\AppData\Local\Temp\Unicorn-38085.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:2496
  - - C:\Users\Admin\AppData\Local\Temp\Unicorn-42277.exe
      C:\Users\Admin\AppData\Local\Temp\Unicorn-42277.exe
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious use of SetWindowsHookEx
      PID:2364
    - - C:\Users\Admin\AppData\Local\Temp\Unicorn-19667.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-19667.exe
        5⤵
        
        PID:2216
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2216 -s 220
        6⤵
        Program crash
        
        PID:3172
    - - C:\Users\Admin\AppData\Local\Temp\Unicorn-7466.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-7466.exe
        5⤵
        
        PID:3484
      - C:\Users\Admin\AppData\Local\Temp\Unicorn-41425.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-41425.exe
        6⤵
        
        PID:8844
    - - C:\Users\Admin\AppData\Local\Temp\Unicorn-3.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-3.exe
        5⤵
        
        PID:4964
    - - C:\Users\Admin\AppData\Local\Temp\Unicorn-3154.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-3154.exe
        5⤵
        
        PID:1432
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2364 -s 224
        5⤵
        
        PID:7220
  - - C:\Users\Admin\AppData\Local\Temp\Unicorn-4077.exe
      C:\Users\Admin\AppData\Local\Temp\Unicorn-4077.exe
      4⤵
      PID:408
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 408 -s 220
        5⤵
        Program crash
        
        PID:3188
  - - C:\Users\Admin\AppData\Local\Temp\Unicorn-26354.exe
      C:\Users\Admin\AppData\Local\Temp\Unicorn-26354.exe
      4⤵
      System Location Discovery: System Language Discovery
      PID:3568
    - - C:\Users\Admin\AppData\Local\Temp\Unicorn-63537.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-63537.exe
        5⤵
        
        PID:8416
  - - C:\Users\Admin\AppData\Local\Temp\Unicorn-8473.exe
      C:\Users\Admin\AppData\Local\Temp\Unicorn-8473.exe
      4⤵
      System Location Discovery: System Language Discovery
      PID:4144
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 2496 -s 224
      4⤵
      PID:5792
- - C:\Users\Admin\AppData\Local\Temp\Unicorn-42204.exe
    C:\Users\Admin\AppData\Local\Temp\Unicorn-42204.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:532
  - - C:\Users\Admin\AppData\Local\Temp\Unicorn-50663.exe
      C:\Users\Admin\AppData\Local\Temp\Unicorn-50663.exe
      4⤵
      PID:2872
    - - C:\Users\Admin\AppData\Local\Temp\Unicorn-20135.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-20135.exe
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:6656
    - - C:\Users\Admin\AppData\Local\Temp\Unicorn-28450.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-28450.exe
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:7456
    - - C:\Users\Admin\AppData\Local\Temp\Unicorn-64241.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-64241.exe
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:8360
    - - C:\Users\Admin\AppData\Local\Temp\Unicorn-37616.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-37616.exe
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:8972
  - - C:\Users\Admin\AppData\Local\Temp\Unicorn-51099.exe
      C:\Users\Admin\AppData\Local\Temp\Unicorn-51099.exe
      4⤵
      PID:4232
  - - C:\Users\Admin\AppData\Local\Temp\Unicorn-40512.exe
      C:\Users\Admin\AppData\Local\Temp\Unicorn-40512.exe
      4⤵
      PID:5576
  - - C:\Users\Admin\AppData\Local\Temp\Unicorn-25620.exe
      C:\Users\Admin\AppData\Local\Temp\Unicorn-25620.exe
      4⤵
      PID:6864
  - - C:\Users\Admin\AppData\Local\Temp\Unicorn-24715.exe
      C:\Users\Admin\AppData\Local\Temp\Unicorn-24715.exe
      4⤵
      PID:7984
  - - C:\Users\Admin\AppData\Local\Temp\Unicorn-5622.exe
      C:\Users\Admin\AppData\Local\Temp\Unicorn-5622.exe
      4⤵
      PID:8756
- - C:\Users\Admin\AppData\Local\Temp\Unicorn-8567.exe
    C:\Users\Admin\AppData\Local\Temp\Unicorn-8567.exe
    3⤵
    PID:2856
  - - C:\Users\Admin\AppData\Local\Temp\Unicorn-55765.exe
      C:\Users\Admin\AppData\Local\Temp\Unicorn-55765.exe
      4⤵
      PID:4336
  - - C:\Users\Admin\AppData\Local\Temp\Unicorn-39576.exe
      C:\Users\Admin\AppData\Local\Temp\Unicorn-39576.exe
      4⤵
      PID:7636
  - - C:\Users\Admin\AppData\Local\Temp\Unicorn-54298.exe
      C:\Users\Admin\AppData\Local\Temp\Unicorn-54298.exe
      4⤵
      PID:7268
  - - C:\Users\Admin\AppData\Local\Temp\Unicorn-32525.exe
      C:\Users\Admin\AppData\Local\Temp\Unicorn-32525.exe
      4⤵
      PID:8740
- - C:\Users\Admin\AppData\Local\Temp\Unicorn-62027.exe
    C:\Users\Admin\AppData\Local\Temp\Unicorn-62027.exe
    3⤵
    PID:4124
- - C:\Users\Admin\AppData\Local\Temp\Unicorn-59046.exe
    C:\Users\Admin\AppData\Local\Temp\Unicorn-59046.exe
    3⤵
    PID:5372
- - C:\Users\Admin\AppData\Local\Temp\Unicorn-61491.exe
    C:\Users\Admin\AppData\Local\Temp\Unicorn-61491.exe
    3⤵
    PID:6908
- - C:\Users\Admin\AppData\Local\Temp\Unicorn-63917.exe
    C:\Users\Admin\AppData\Local\Temp\Unicorn-63917.exe
    3⤵
    PID:7780
- - C:\Users\Admin\AppData\Local\Temp\Unicorn-22.exe
    C:\Users\Admin\AppData\Local\Temp\Unicorn-22.exe
    3⤵
    PID:8732
- C:\Users\Admin\AppData\Local\Temp\Unicorn-5417.exe
  C:\Users\Admin\AppData\Local\Temp\Unicorn-5417.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2596
- - C:\Users\Admin\AppData\Local\Temp\Unicorn-63929.exe
    C:\Users\Admin\AppData\Local\Temp\Unicorn-63929.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of SetWindowsHookEx
    PID:1964
  - - C:\Users\Admin\AppData\Local\Temp\Unicorn-56659.exe
      C:\Users\Admin\AppData\Local\Temp\Unicorn-56659.exe
      4⤵
      Executes dropped EXE
      Suspicious use of SetWindowsHookEx
      PID:1860
    - - C:\Users\Admin\AppData\Local\Temp\Unicorn-44272.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-44272.exe
        5⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2584
      - C:\Users\Admin\AppData\Local\Temp\Unicorn-48582.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-48582.exe
        6⤵
        
        PID:2640
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-59220.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-59220.exe
        7⤵
        System Location Discovery: System Language Discovery
        
        PID:2684
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-44358.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-44358.exe
        8⤵
        
        PID:912
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 912 -s 224
        9⤵
        Program crash
        
        PID:4832
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-6693.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-6693.exe
        8⤵
        
        PID:3540
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2684 -s 244
        8⤵
        Program crash
        
        PID:4468
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-12048.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-12048.exe
        7⤵
        
        PID:468
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-55334.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-55334.exe
        8⤵
        
        PID:4900
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-24778.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-24778.exe
        8⤵
        
        PID:6028
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 468 -s 224
        8⤵
        
        PID:6648
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2640 -s 220
        7⤵
        Program crash
        
        PID:3892
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2584 -s 248
        6⤵
        Program crash
        
        PID:1696
    - - C:\Users\Admin\AppData\Local\Temp\Unicorn-320.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-320.exe
        5⤵
        
        PID:2064
      - C:\Users\Admin\AppData\Local\Temp\Unicorn-36579.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-36579.exe
        6⤵
        
        PID:1484
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-7077.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-7077.exe
        7⤵
        
        PID:3552
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-10030.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-10030.exe
        8⤵
        
        PID:3292
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-22308.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-22308.exe
        8⤵
        System Location Discovery: System Language Discovery
        
        PID:5220
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3552 -s 244
        8⤵
        
        PID:7104
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-18753.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-18753.exe
        7⤵
        
        PID:3380
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1484 -s 244
        7⤵
        Program crash
        
        PID:4308
      - C:\Users\Admin\AppData\Local\Temp\Unicorn-33615.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-33615.exe
        6⤵
        
        PID:3880
      - C:\Users\Admin\AppData\Local\Temp\Unicorn-52001.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-52001.exe
        6⤵
        
        PID:4508
      - C:\Users\Admin\AppData\Local\Temp\Unicorn-34888.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-34888.exe
        6⤵
        
        PID:5664
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2064 -s 244
        6⤵
        
        PID:7212
    - - C:\Users\Admin\AppData\Local\Temp\Unicorn-36754.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-36754.exe
        5⤵
        
        PID:2944
      - C:\Users\Admin\AppData\Local\Temp\Unicorn-28266.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-28266.exe
        6⤵
        
        PID:2880
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2944 -s 236
        6⤵
        Program crash
        
        PID:4104
    - - C:\Users\Admin\AppData\Local\Temp\Unicorn-4015.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-4015.exe
        5⤵
        
        PID:3956
    - - C:\Users\Admin\AppData\Local\Temp\Unicorn-49201.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-49201.exe
        5⤵
        
        PID:4448
    - - C:\Users\Admin\AppData\Local\Temp\Unicorn-9687.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-9687.exe
        5⤵
        
        PID:3012
    - - C:\Users\Admin\AppData\Local\Temp\Unicorn-34947.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-34947.exe
        5⤵
        
        PID:6588
    - - C:\Users\Admin\AppData\Local\Temp\Unicorn-59386.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-59386.exe
        5⤵
        
        PID:8024
    - - C:\Users\Admin\AppData\Local\Temp\Unicorn-6076.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-6076.exe
        5⤵
        
        PID:8260
  - - C:\Users\Admin\AppData\Local\Temp\Unicorn-779.exe
      C:\Users\Admin\AppData\Local\Temp\Unicorn-779.exe
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious use of SetWindowsHookEx
      PID:3052
    - - C:\Users\Admin\AppData\Local\Temp\Unicorn-32438.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-32438.exe
        5⤵
        
        PID:2140
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2140 -s 244
        6⤵
        Program crash
        
        PID:2276
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3052 -s 248
        5⤵
        Program crash
        
        PID:1212
  - - C:\Users\Admin\AppData\Local\Temp\Unicorn-35436.exe
      C:\Users\Admin\AppData\Local\Temp\Unicorn-35436.exe
      4⤵
      PID:2552
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2552 -s 220
        5⤵
        Program crash
        
        PID:2860
  - - C:\Users\Admin\AppData\Local\Temp\Unicorn-30523.exe
      C:\Users\Admin\AppData\Local\Temp\Unicorn-30523.exe
      4⤵
      PID:2996
    - - C:\Users\Admin\AppData\Local\Temp\Unicorn-58141.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-58141.exe
        5⤵
        
        PID:3264
    - - C:\Users\Admin\AppData\Local\Temp\Unicorn-7321.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-7321.exe
        5⤵
        
        PID:4972
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2996 -s 244
        5⤵
        
        PID:5360
  - - C:\Users\Admin\AppData\Local\Temp\Unicorn-25775.exe
      C:\Users\Admin\AppData\Local\Temp\Unicorn-25775.exe
      4⤵
      PID:3412
  - - C:\Users\Admin\AppData\Local\Temp\Unicorn-31378.exe
      C:\Users\Admin\AppData\Local\Temp\Unicorn-31378.exe
      4⤵
      PID:5064
  - - C:\Users\Admin\AppData\Local\Temp\Unicorn-64085.exe
      C:\Users\Admin\AppData\Local\Temp\Unicorn-64085.exe
      4⤵
      PID:2644
  - - C:\Users\Admin\AppData\Local\Temp\Unicorn-1115.exe
      C:\Users\Admin\AppData\Local\Temp\Unicorn-1115.exe
      4⤵
      PID:7432
  - - C:\Users\Admin\AppData\Local\Temp\Unicorn-16802.exe
      C:\Users\Admin\AppData\Local\Temp\Unicorn-16802.exe
      4⤵
      System Location Discovery: System Language Discovery
      PID:7540
  - - C:\Users\Admin\AppData\Local\Temp\Unicorn-59285.exe
      C:\Users\Admin\AppData\Local\Temp\Unicorn-59285.exe
      4⤵
      PID:8540
- - C:\Users\Admin\AppData\Local\Temp\Unicorn-65382.exe
    C:\Users\Admin\AppData\Local\Temp\Unicorn-65382.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:828
  - - C:\Users\Admin\AppData\Local\Temp\Unicorn-5520.exe
      C:\Users\Admin\AppData\Local\Temp\Unicorn-5520.exe
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious use of SetWindowsHookEx
      PID:2784
    - - C:\Users\Admin\AppData\Local\Temp\Unicorn-16289.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-16289.exe
        5⤵
        
        PID:1052
      - C:\Users\Admin\AppData\Local\Temp\Unicorn-26559.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-26559.exe
        6⤵
        
        PID:3700
      - C:\Users\Admin\AppData\Local\Temp\Unicorn-22308.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-22308.exe
        6⤵
        
        PID:5212
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1052 -s 244
        6⤵
        
        PID:6992
    - - C:\Users\Admin\AppData\Local\Temp\Unicorn-40.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-40.exe
        5⤵
        
        PID:3408
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2784 -s 224
        5⤵
        Program crash
        
        PID:4344
  - - C:\Users\Admin\AppData\Local\Temp\Unicorn-38607.exe
      C:\Users\Admin\AppData\Local\Temp\Unicorn-38607.exe
      4⤵
      PID:2292
    - - C:\Users\Admin\AppData\Local\Temp\Unicorn-65152.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-65152.exe
        5⤵
        
        PID:3284
    - - C:\Users\Admin\AppData\Local\Temp\Unicorn-22308.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-22308.exe
        5⤵
        
        PID:5268
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2292 -s 244
        5⤵
        
        PID:7088
  - - C:\Users\Admin\AppData\Local\Temp\Unicorn-63900.exe
      C:\Users\Admin\AppData\Local\Temp\Unicorn-63900.exe
      4⤵
      PID:3512
  - - C:\Users\Admin\AppData\Local\Temp\Unicorn-28951.exe
      C:\Users\Admin\AppData\Local\Temp\Unicorn-28951.exe
      4⤵
      PID:5020
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 828 -s 244
      4⤵
      PID:6292
- - C:\Users\Admin\AppData\Local\Temp\Unicorn-36147.exe
    C:\Users\Admin\AppData\Local\Temp\Unicorn-36147.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:2796
  - - C:\Users\Admin\AppData\Local\Temp\Unicorn-28930.exe
      C:\Users\Admin\AppData\Local\Temp\Unicorn-28930.exe
      4⤵
      PID:552
    - - C:\Users\Admin\AppData\Local\Temp\Unicorn-33580.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-33580.exe
        5⤵
        
        PID:3268
      - C:\Users\Admin\AppData\Local\Temp\Unicorn-38142.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-38142.exe
        6⤵
        
        PID:5848
      - C:\Users\Admin\AppData\Local\Temp\Unicorn-19815.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-19815.exe
        6⤵
        
        PID:7932
      - C:\Users\Admin\AppData\Local\Temp\Unicorn-42285.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-42285.exe
        6⤵
        
        PID:7320
      - C:\Users\Admin\AppData\Local\Temp\Unicorn-12488.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-12488.exe
        6⤵
        
        PID:9208
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 552 -s 236
        5⤵
        Program crash
        
        PID:4752
  - - C:\Users\Admin\AppData\Local\Temp\Unicorn-54555.exe
      C:\Users\Admin\AppData\Local\Temp\Unicorn-54555.exe
      4⤵
      PID:3328
    - - C:\Users\Admin\AppData\Local\Temp\Unicorn-20787.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-20787.exe
        5⤵
        
        PID:7504
    - - C:\Users\Admin\AppData\Local\Temp\Unicorn-58508.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-58508.exe
        5⤵
        
        PID:8220
  - - C:\Users\Admin\AppData\Local\Temp\Unicorn-23775.exe
      C:\Users\Admin\AppData\Local\Temp\Unicorn-23775.exe
      4⤵
      PID:4768
  - - C:\Users\Admin\AppData\Local\Temp\Unicorn-23383.exe
      C:\Users\Admin\AppData\Local\Temp\Unicorn-23383.exe
      4⤵
      System Location Discovery: System Language Discovery
      PID:5624
  - - C:\Users\Admin\AppData\Local\Temp\Unicorn-34416.exe
      C:\Users\Admin\AppData\Local\Temp\Unicorn-34416.exe
      4⤵
      PID:7016
  - - C:\Users\Admin\AppData\Local\Temp\Unicorn-63852.exe
      C:\Users\Admin\AppData\Local\Temp\Unicorn-63852.exe
      4⤵
      PID:8156
  - - C:\Users\Admin\AppData\Local\Temp\Unicorn-32942.exe
      C:\Users\Admin\AppData\Local\Temp\Unicorn-32942.exe
      4⤵
      System Location Discovery: System Language Discovery
      PID:8348
- - C:\Users\Admin\AppData\Local\Temp\Unicorn-4352.exe
    C:\Users\Admin\AppData\Local\Temp\Unicorn-4352.exe
    3⤵
    PID:1120
  - - C:\Users\Admin\AppData\Local\Temp\Unicorn-39584.exe
      C:\Users\Admin\AppData\Local\Temp\Unicorn-39584.exe
      4⤵
      PID:3516
    - - C:\Users\Admin\AppData\Local\Temp\Unicorn-25328.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-25328.exe
        5⤵
        
        PID:8500
  - - C:\Users\Admin\AppData\Local\Temp\Unicorn-55889.exe
      C:\Users\Admin\AppData\Local\Temp\Unicorn-55889.exe
      4⤵
      PID:5008
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 1120 -s 224
      4⤵
      PID:5800
- - C:\Users\Admin\AppData\Local\Temp\Unicorn-33009.exe
    C:\Users\Admin\AppData\Local\Temp\Unicorn-33009.exe
    3⤵
    PID:3360
  - - C:\Users\Admin\AppData\Local\Temp\Unicorn-17912.exe
      C:\Users\Admin\AppData\Local\Temp\Unicorn-17912.exe
      4⤵
      PID:8672
- - C:\Users\Admin\AppData\Local\Temp\Unicorn-4440.exe
    C:\Users\Admin\AppData\Local\Temp\Unicorn-4440.exe
    3⤵
    - System Location Discovery: System Language Discovery
    PID:4736
- - C:\Users\Admin\AppData\Local\Temp\Unicorn-11163.exe
    C:\Users\Admin\AppData\Local\Temp\Unicorn-11163.exe
    3⤵
    - System Location Discovery: System Language Discovery
    PID:5560
- - C:\Users\Admin\AppData\Local\Temp\Unicorn-13416.exe
    C:\Users\Admin\AppData\Local\Temp\Unicorn-13416.exe
    3⤵
    PID:7052
- - C:\Users\Admin\AppData\Local\Temp\Unicorn-54051.exe
    C:\Users\Admin\AppData\Local\Temp\Unicorn-54051.exe
    3⤵
    PID:8008
- - C:\Users\Admin\AppData\Local\Temp\Unicorn-10276.exe
    C:\Users\Admin\AppData\Local\Temp\Unicorn-10276.exe
    3⤵
    PID:8288
- C:\Users\Admin\AppData\Local\Temp\Unicorn-22632.exe
  C:\Users\Admin\AppData\Local\Temp\Unicorn-22632.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of SetWindowsHookEx
  PID:2800
- - C:\Users\Admin\AppData\Local\Temp\Unicorn-19903.exe
    C:\Users\Admin\AppData\Local\Temp\Unicorn-19903.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:604
  - - C:\Users\Admin\AppData\Local\Temp\Unicorn-46361.exe
      C:\Users\Admin\AppData\Local\Temp\Unicorn-46361.exe
      4⤵
      Executes dropped EXE
      Suspicious use of SetWindowsHookEx
      PID:2436
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2436 -s 240
        5⤵
        Program crash
        
        PID:2164
  - - C:\Users\Admin\AppData\Local\Temp\Unicorn-45873.exe
      C:\Users\Admin\AppData\Local\Temp\Unicorn-45873.exe
      4⤵
      PID:860
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 860 -s 224
        5⤵
        Program crash
        
        PID:5092
  - - C:\Users\Admin\AppData\Local\Temp\Unicorn-25088.exe
      C:\Users\Admin\AppData\Local\Temp\Unicorn-25088.exe
      4⤵
      PID:4024
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 604 -s 236
      4⤵
      Program crash
      PID:5024
- - C:\Users\Admin\AppData\Local\Temp\Unicorn-2951.exe
    C:\Users\Admin\AppData\Local\Temp\Unicorn-2951.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:1612
  - - C:\Users\Admin\AppData\Local\Temp\Unicorn-58089.exe
      C:\Users\Admin\AppData\Local\Temp\Unicorn-58089.exe
      4⤵
      System Location Discovery: System Language Discovery
      PID:2464
    - - C:\Users\Admin\AppData\Local\Temp\Unicorn-37332.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-37332.exe
        5⤵
        
        PID:3724
    - - C:\Users\Admin\AppData\Local\Temp\Unicorn-51665.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-51665.exe
        5⤵
        
        PID:5380
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2464 -s 244
        5⤵
        
        PID:6968
  - - C:\Users\Admin\AppData\Local\Temp\Unicorn-14477.exe
      C:\Users\Admin\AppData\Local\Temp\Unicorn-14477.exe
      4⤵
      PID:3660
  - - C:\Users\Admin\AppData\Local\Temp\Unicorn-23085.exe
      C:\Users\Admin\AppData\Local\Temp\Unicorn-23085.exe
      4⤵
      PID:4276
  - - C:\Users\Admin\AppData\Local\Temp\Unicorn-63533.exe
      C:\Users\Admin\AppData\Local\Temp\Unicorn-63533.exe
      4⤵
      PID:6188
  - - C:\Users\Admin\AppData\Local\Temp\Unicorn-31326.exe
      C:\Users\Admin\AppData\Local\Temp\Unicorn-31326.exe
      4⤵
      PID:8076
  - - C:\Users\Admin\AppData\Local\Temp\Unicorn-11657.exe
      C:\Users\Admin\AppData\Local\Temp\Unicorn-11657.exe
      4⤵
      PID:7484
  - - C:\Users\Admin\AppData\Local\Temp\Unicorn-49745.exe
      C:\Users\Admin\AppData\Local\Temp\Unicorn-49745.exe
      4⤵
      System Location Discovery: System Language Discovery
      PID:8428
- - C:\Users\Admin\AppData\Local\Temp\Unicorn-48451.exe
    C:\Users\Admin\AppData\Local\Temp\Unicorn-48451.exe
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2572
  - - C:\Users\Admin\AppData\Local\Temp\Unicorn-959.exe
      C:\Users\Admin\AppData\Local\Temp\Unicorn-959.exe
      4⤵
      PID:4376
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 2572 -s 236
      4⤵
      Program crash
      PID:4444
- - C:\Users\Admin\AppData\Local\Temp\Unicorn-14233.exe
    C:\Users\Admin\AppData\Local\Temp\Unicorn-14233.exe
    3⤵
    PID:3952
- - C:\Users\Admin\AppData\Local\Temp\Unicorn-33243.exe
    C:\Users\Admin\AppData\Local\Temp\Unicorn-33243.exe
    3⤵
    PID:5188
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2800 -s 248
    3⤵
    PID:7080
- C:\Users\Admin\AppData\Local\Temp\Unicorn-23224.exe
  C:\Users\Admin\AppData\Local\Temp\Unicorn-23224.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:2200
- - C:\Users\Admin\AppData\Local\Temp\Unicorn-54337.exe
    C:\Users\Admin\AppData\Local\Temp\Unicorn-54337.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    PID:2124
  - - C:\Users\Admin\AppData\Local\Temp\Unicorn-11685.exe
      C:\Users\Admin\AppData\Local\Temp\Unicorn-11685.exe
      4⤵
      PID:2456
    - - C:\Users\Admin\AppData\Local\Temp\Unicorn-8738.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-8738.exe
        5⤵
        
        PID:4280
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2456 -s 228
        5⤵
        
        PID:5836
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 2124 -s 228
      4⤵
      Program crash
      PID:3604
- - C:\Users\Admin\AppData\Local\Temp\Unicorn-44913.exe
    C:\Users\Admin\AppData\Local\Temp\Unicorn-44913.exe
    3⤵
    - System Location Discovery: System Language Discovery
    PID:3020
  - - C:\Users\Admin\AppData\Local\Temp\Unicorn-18583.exe
      C:\Users\Admin\AppData\Local\Temp\Unicorn-18583.exe
      4⤵
      PID:4032
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 3020 -s 236
      4⤵
      Program crash
      PID:5152
- - C:\Users\Admin\AppData\Local\Temp\Unicorn-33064.exe
    C:\Users\Admin\AppData\Local\Temp\Unicorn-33064.exe
    3⤵
    PID:3164
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2200 -s 236
    3⤵
    - Program crash
    PID:5128
- C:\Users\Admin\AppData\Local\Temp\Unicorn-49483.exe
  C:\Users\Admin\AppData\Local\Temp\Unicorn-49483.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  PID:2524
- - C:\Users\Admin\AppData\Local\Temp\Unicorn-64778.exe
    C:\Users\Admin\AppData\Local\Temp\Unicorn-64778.exe
    3⤵
    - System Location Discovery: System Language Discovery
    PID:832
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 832 -s 244
      4⤵
      Program crash
      PID:4848
- - C:\Users\Admin\AppData\Local\Temp\Unicorn-11929.exe
    C:\Users\Admin\AppData\Local\Temp\Unicorn-11929.exe
    3⤵
    PID:3372
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2524 -s 224
    3⤵
    - Program crash
    PID:4396
- C:\Users\Admin\AppData\Local\Temp\Unicorn-48018.exe
  C:\Users\Admin\AppData\Local\Temp\Unicorn-48018.exe
  2⤵
  PID:992
- - C:\Users\Admin\AppData\Local\Temp\Unicorn-29906.exe
    C:\Users\Admin\AppData\Local\Temp\Unicorn-29906.exe
    3⤵
    PID:4840
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 992 -s 216
    3⤵
    PID:5612
- C:\Users\Admin\AppData\Local\Temp\Unicorn-1288.exe
  C:\Users\Admin\AppData\Local\Temp\Unicorn-1288.exe
  2⤵
  PID:2068
- C:\Users\Admin\AppData\Local\Temp\Unicorn-6908.exe
  C:\Users\Admin\AppData\Local\Temp\Unicorn-6908.exe
  2⤵
  PID:5016
- C:\Users\Admin\AppData\Local\Temp\Unicorn-60356.exe
  C:\Users\Admin\AppData\Local\Temp\Unicorn-60356.exe
  2⤵
  PID:6944
- C:\Users\Admin\AppData\Local\Temp\Unicorn-40381.exe
  C:\Users\Admin\AppData\Local\Temp\Unicorn-40381.exe
  2⤵
  PID:7928
- C:\Users\Admin\AppData\Local\Temp\Unicorn-19622.exe
  C:\Users\Admin\AppData\Local\Temp\Unicorn-19622.exe
  2⤵
  PID:8720

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\Unicorn-1462.exe

Filesize
468KB

MD5
5003b24017d034d6f93a7bb56ef4a212

SHA1
5f7d73a7a6b4c78910f45b052729a38217103667

SHA256
6ec00e6229a88bd438c9718ac1b7c8851bfef87a3b83853b08e41757602b351b

SHA512
a04ed1f7b9b837899adfb08425e881a340b9af4de311c6f547f4a5940879a492e3a881a58eab152572e1ac9c4f3449022dd9c1eae82b01345099322f2ab40ddb

Download Submit
C:\Users\Admin\AppData\Local\Temp\Unicorn-19622.exe

Filesize
468KB

MD5
5c46d4b98ae2ebf43dcc65c93955b7fa

SHA1
2b386fa69cf10506f401b1e36ce312e8d789071a

SHA256
a8ebbff5ad3fd94ab5cac0636561cfd06d48b9237648e0ed2edba80a09d49927

SHA512
ea526c509b472ec829dcd257ffcec50af6ff48267cb8492654068eeddb0df8fc5d8181036055b2c1be65b4a7230b1eaa7347f43120833ead129f448dd2aca2b6

Download Submit
C:\Users\Admin\AppData\Local\Temp\Unicorn-23800.exe

Filesize
468KB

MD5
85f3f2bdea20d6c9ff15cecd719a3ed6

SHA1
87c9c6b49567a2cf629601d513449433bad71589

SHA256
b3ae0777f5015c21ae493c2964828fc9bc193c3c43aac16bf1226e1cb96fd07f

SHA512
d53687008f4c32dd6917c95e8b76c6fd15820e55ecb63e4dc5bf6bec311d36e218ca68edc54b613ddebdfabd966fa701c37d8ce5fd8afa3d3bf074eb945e329f

Download Submit
C:\Users\Admin\AppData\Local\Temp\Unicorn-27727.exe

Filesize
468KB

MD5
797af90190c92cd88d99587df8e29336

SHA1
3a4d004ed46a2e96b04acc5ccba87d50361f55e3

SHA256
a96351c87b3cef3590fe65865ff94cdf7c53d4480ea89790aa0918fde120705b

SHA512
3a556e590ebbf92b56f79413aadff06e2343031297bfeb65189278c8c6c2c1d72e73959e2db7198352fd9742126f958f0fe619e531adce58bca5fa197875c0a1

Download Submit
C:\Users\Admin\AppData\Local\Temp\Unicorn-36819.exe

Filesize
468KB

MD5
1835b785cb5a2362bb63e1d32c4a9120

SHA1
8fefe0d15e3e3a2930a747b82de982e85f63f217

SHA256
58d7ab8d96df597e3748983dcf4c39638dce3ddaac86523e339e9a05c2795f5e

SHA512
b777b1e0d76b755446d266a0a781abc99c80bfadd1438cce032eeae2b852c486a0cf8fa5e7a83b201a873db2f8f98b937652859db6f589067daab62b9a10bc3c

Download Submit
C:\Users\Admin\AppData\Local\Temp\Unicorn-3898.exe

Filesize
468KB

MD5
817402a8c5efdc57dd200af43471b578

SHA1
4fc79156adab67ea3e311f8f99fd19ebaeb7e625

SHA256
84fa20fd83feb2e37bf0be6bdf5140026d9f442214a235c30e448f758c7d55c7

SHA512
48fce69edf42ef1d357d445a0a8f53544c44c28c40f65be65342d4a04477fd4319722fbf2a07a82843d66736e76bd6a0a7421c3be9edd97085fefa228fbf848c

Download Submit
C:\Users\Admin\AppData\Local\Temp\Unicorn-39357.exe

Filesize
468KB

MD5
986144b6c16ff262f16da0d4846f9207

SHA1
5e5ad0602a41e6834809f070606190278903b628

SHA256
e62bfdf12ebf9610dfc50155da368bf38b72c2390714880cbc49d7176f5d95c3

SHA512
2b1e3cc62f63a9e0d84320380345913cc9b59e049912668bd7715632808cdfc2da1971b4f798e9763c1e959f05f8b736ba29e0503ac4874cd7dab2b96ef07c19

Download Submit
C:\Users\Admin\AppData\Local\Temp\Unicorn-40349.exe

Filesize
468KB

MD5
5842911b120ae79664f2ad3f5e08fd05

SHA1
fceacd0c8f0d21d8360874c3ff6ade36e784dca9

SHA256
0fb7438e9dcc6ac44f7e3937385013b27974ce0cb45921ed26dd9aa12f792799

SHA512
6e4137980be0d04f7e9f3254e7e304e9d082f11c7777acb2c805ccc9057fb35b0065cdcd9f396dfe2db4ef563855f8e769214fc4462c63b0c22be8aeea50694e

Download Submit
C:\Users\Admin\AppData\Local\Temp\Unicorn-4505.exe

Filesize
468KB

MD5
554c3297b252752fa1dc03b20f473125

SHA1
c0214ae5e1218fdd9fe60ca54234fc71cb1daf1c

SHA256
932d1190a5b5a359b76a7f354841de6918d6f635b690023e12f1579984cbb117

SHA512
b70ab4abd49575480c75d0e115c3595a6cb9a99b4c31b16c07d7f14479c1a4a33cb73db44e93ad2e557491d01278fe1f86f93db3091546c4ac0f3ebc70d77194

Download Submit
C:\Users\Admin\AppData\Local\Temp\Unicorn-53654.exe

Filesize
468KB

MD5
64b39a5f71c0560ada601d8703ac5db7

SHA1
f11ff05775088967bd78d8001dd4dffcf6077a10

SHA256
8d21a3073b076d4e45f37d0f453dccb2febd964f4df8088314052784f9dbe890

SHA512
38434d511844c14dbf794d7dafcef15510697c1a8c6e22a99b191f934c717d762d70f67bd52fda79053fbcb499c3b21487ed53826bda69ebb756d19e3a4893fd

Download Submit
C:\Users\Admin\AppData\Local\Temp\Unicorn-5520.exe

Filesize
468KB

MD5
1e0b0e60a0e6e60230b5582e06e28750

SHA1
5b6e3a8b46ef34265dec9f691c2acc032bb29559

SHA256
71e391369cc927b025b105add58024182ab6bf66f4e9a7895a3c9d5b480d7189

SHA512
343a177d928df8a4850b534f6d2fb77a348ce90b8f7531b73af0e03a593dc26ee4d692118e8b5b9006f478880486e28d153c3f08b9209eb2fa657bdff17fd897

Download Submit
\Users\Admin\AppData\Local\Temp\Unicorn-11926.exe

Filesize
468KB

MD5
fcadbef7389836c6d49abdff8775877f

SHA1
5d01c94eacf4828c3d3dc998c2962cf86a3dc6cb

SHA256
cd0f021090634bb1e4510a69e2c317aefc0b4a67a9a6ef5b2f457a1879fe76e5

SHA512
260e21a3748a5568b7227c96300d3daeda9c7b9ba354c8f750cadfac2b7ede1257cfb8a59c8eead6380233b42726b5053dd681e5bea40db3163c7c05573aa53e

Download Submit
\Users\Admin\AppData\Local\Temp\Unicorn-16405.exe

Filesize
468KB

MD5
5baf529c8d95d0362a24f46caf41827f

SHA1
2f7431b72699caebba61bca5a166ecbc3f9df73b

SHA256
d1c3ab142e778dbd7e7bf492484e5f5b154a3c1f627cf171fae2c9f58c1e6afe

SHA512
f476601093db0f2a1be4d04e03018c3d07e57d76cca644b5dfc0bd79c9ea1514029b2cced1463a09c301879c04b3f29cf70788f71f5759aff26555e5f0f47da9

Download Submit
\Users\Admin\AppData\Local\Temp\Unicorn-22632.exe

Filesize
468KB

MD5
dc79b7065e2bb4f89d48a3a7b4f6321c

SHA1
af3ef1656cbac97973ae0fe7a11eddc3840178b4

SHA256
9a6db808307fab3f9c1c4c988a14196e2d10746978bc9511fd3ea62f4b48d413

SHA512
6449be6dea3b642be679bb9e044d6d31b7d26b60f41df65262c1f5a85e0ad0848e1156303b33a219254deee1ba5eeae6dcbbaab7a8687ef4a4d6ec0f36ca8bb9

Download Submit
\Users\Admin\AppData\Local\Temp\Unicorn-26789.exe

Filesize
468KB

MD5
dc8d4e5635f5585ea9d06d9a3f657357

SHA1
f96843e3162a815ae50f6c26060563ece05f1ca3

SHA256
bce00d8c8aead5ea4c441b4c07d09cf6f85ff67248e7c45a314a4b11daf21d4e

SHA512
69123d9cda6a95facf9875d0219f8ad9deab43751ae2180903152a3f6f4aa20f6853bdd7f21fedc70a4bd65336382807cebe7d67ce970f6f672213d621f40a1b

Download Submit
\Users\Admin\AppData\Local\Temp\Unicorn-44028.exe

Filesize
468KB

MD5
f00bfc0858fe840e1e42c953c510a0fa

SHA1
228cd6f5b5c91a46812f2f3c3159d1695271953a

SHA256
c5a063ffcfc1511eaf995748779d070c86ea35eae905c225c87b7b4a56f72a36

SHA512
725bd6033b7c75d8b89dff0f60063af70609a028c39d1bf6450701566fc216001704116775cee463bb83cba6d592f41d7240dd883f1959646bcab3dd3b8f1f32

Download Submit
\Users\Admin\AppData\Local\Temp\Unicorn-5417.exe

Filesize
468KB

MD5
102ecd2931b207b5eb4086a7b8362a34

SHA1
9e889a9685605eacf08f83a7eda027ccca04eb8c

SHA256
270f07a1c6e04ec7bea113a6f5501a9a76b9daa885522b7b478ed8186f5edfa0

SHA512
5393297eba9a1c9343fc0f29f9de79ae6ed8e545318c757dde13e71511aa593a7caaf3b28eb1338bd2d1134827153af009a4a201badbb1738eaf3acd9b9fccc4

Download Submit
\Users\Admin\AppData\Local\Temp\Unicorn-56659.exe

Filesize
468KB

MD5
d491f7bddebfd0edf2fd1f211260be79

SHA1
2f70c81cf105dfe5057828708e5a076cf1708343

SHA256
56f0f95ee50ceff5b494ca2f8342202ca946652aecdc62f233a315d916012e04

SHA512
5f4eb7e6050018866e0fbae6a40605dd06c228171666bb21a97769942696e36c12bf05ef49280e83046add1ec461ae4086b6a0f1891dde1ca9d891aefaa79e93

Download Submit
\Users\Admin\AppData\Local\Temp\Unicorn-56685.exe

Filesize
468KB

MD5
be524af78dd3a5cae0f973c4c9d266fa

SHA1
79063d12d754b908946b116ee79d75ee5907325b

SHA256
77ed9e5a1bcb7ea88d0e5e9ebe13305689c43492a3e69b010baa91921ced3fdb

SHA512
08c285500bda1042630338577fc6866c93523bd59fb82c578f9fac780c952f54e0d1e813f0bea88ac40d31ff44023b3f51d61df58977266fac0fe301358f284d

Download Submit
\Users\Admin\AppData\Local\Temp\Unicorn-58723.exe

Filesize
468KB

MD5
0799b00b444c73ed1b9474c52ef8a5fa

SHA1
4c788a3eb7ddc802030a438080593708fc347d3c

SHA256
7e94b1321d918a1761fce05781d9e3d02a5260ed4d77678975be909c97ca3121

SHA512
2e8a075d16c7533a013e68a0b196ec2a07a66ea554162465161730ce17d19fb615dccf00ecaf734ee2e67bde78a0694c3afb93136ba53db9338814cf444b2173

Download Submit
\Users\Admin\AppData\Local\Temp\Unicorn-63929.exe

Filesize
468KB

MD5
1c3c6c87446af5c6fb2c268ffc7d10a0

SHA1
6aa836ad3643e4a45ff6e0e65f758ca1128503b7

SHA256
4261632500121d0ee4ff3a5759076fa25ed6ea77c8b746de848185f45fc53291

SHA512
c44c00ca5951104beabce67e949c9f578ab2275fcb263e2d8a9a957a59f889ac13ba5d744941656116977a8464c6da66a232212ae3b7ac86b3a7a269665fe6e7

Download Submit
\Users\Admin\AppData\Local\Temp\Unicorn-8018.exe

Filesize
468KB

MD5
31e63357e327584a05d8142b3e154df8

SHA1
fcb31a81d52efeca247bfd956488e43389d2ef9d

SHA256
522b60ae4198c62180e4393496106d40e28a56215dff5da210a5b3d03f84fe7c

SHA512
5153a5d5eb03fb51ca26e5aa6da6fbb5fef59616181d2380d3f557896c3c1900fe7678b1cb9212f223530fe9f3e44df3b21655e3bcd349da8710cf6c04182e66

Download Submit