90fea212664729d65f19e9241fc71dcef3b146c07064f7da9d55176329186913

Analysis

max time kernel
119s
max time network
115s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
19/11/2024, 19:26

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

90fea212664729d65f19e9241fc71dcef3b146c07064f7da9d55176329186913.exe
Size

468KB
MD5

963142e3208fb65d92637ea8d49c8fe2
SHA1

a98c082e52c9a78396dda71c95d220aa931b38bf
SHA256

90fea212664729d65f19e9241fc71dcef3b146c07064f7da9d55176329186913
SHA512

6f88ff181b11578c07e372005099a0f30c198ac39ff87ceaf780781b0b897059f37544498ebb2e4b4464f2bcd183aafffcc473e52ec08ba96e048270b6888b47
SSDEEP

3072:1GGiogISIE5TtbY2HzcOqf8/zCcaP0pMJVHeTVaXn7nLR7qgAklue:1GvobMTtxH4OqfVYNSn7LVqgAw

Score

7^/10

discovery

Malware Config

Signatures

Executes dropped EXE 37 IoCs

pid	Process
3964	Unicorn-22783.exe
3256	Unicorn-10180.exe
2632	Unicorn-6651.exe
5008	Unicorn-2972.exe
428	Unicorn-27477.exe
2272	Unicorn-50590.exe
716	Unicorn-9094.exe
1972	Unicorn-33289.exe
1068	Unicorn-37927.exe
4172	Unicorn-23537.exe
4720	Unicorn-43403.exe
4840	Unicorn-31151.exe
2500	Unicorn-35235.exe
2044	Unicorn-24664.exe
4056	Unicorn-18798.exe
4424	Unicorn-48639.exe
2364	Unicorn-32857.exe
5000	Unicorn-3522.exe
1500	Unicorn-28694.exe
4776	Unicorn-12074.exe
668	Unicorn-57859.exe
4396	Unicorn-41431.exe
4824	Unicorn-33263.exe
2688	Unicorn-6620.exe
4836	Unicorn-12650.exe
2276	Unicorn-12650.exe
2648	Unicorn-3720.exe
1968	Unicorn-58322.exe
3020	Unicorn-39028.exe
1396	Unicorn-39847.exe
3096	Unicorn-58322.exe
2476	Unicorn-52277.exe
1820	Unicorn-9298.exe
3676	Unicorn-29719.exe
3284	Unicorn-50231.exe
2112	Unicorn-40579.exe
3720	Unicorn-26189.exe

Program crash 64 IoCs

pid	pid_target	Process	procid_target
4328	2276	WerFault.exe	124
5672	4836	WerFault.exe	123
5616	1948	WerFault.exe	147
5780	4836	WerFault.exe	123
5508	2276	WerFault.exe	124
4328	860	WerFault.exe	162
5848	2680	WerFault.exe	153
5508	932	WerFault.exe	156
5784	1396	WerFault.exe	128
6204	6128	WerFault.exe	200
7908	1988	WerFault.exe	167
7404	1960	WerFault.exe	171
7900	6056	WerFault.exe	196
7744	3708	WerFault.exe	170
7176	1820	WerFault.exe	130
2268	3236	WerFault.exe	217
9632	6404	WerFault.exe	259
9584	5916	WerFault.exe	214
2388	5780	WerFault.exe	247
6268	7132	WerFault.exe	288
10616	7044	WerFault.exe
10600	5304	WerFault.exe	186
10592	5364	WerFault.exe	188
11108	6700	WerFault.exe	266
7980	6148	WerFault.exe	313
11240	7256	WerFault.exe
3804	5132	WerFault.exe	177
1496	5860	WerFault.exe	194
4236	1868	WerFault.exe	169
7440	6092	WerFault.exe	198
12056	8504	WerFault.exe	433
12040	5700	WerFault.exe	414
12036	2616	WerFault.exe	393
12028	5640	WerFault.exe	421
12020	7004	WerFault.exe	410
12012	6620	WerFault.exe	411
12004	404	WerFault.exe	413
11996	7128	WerFault.exe
11988	8176	WerFault.exe	350
11980	7796	WerFault.exe
11972	7244	WerFault.exe	378
11448	208	WerFault.exe	149
11336	5192	WerFault.exe	180
8752	2352	WerFault.exe	148
5360	2500	WerFault.exe	110
2488	4172	WerFault.exe	107
2140	6888	WerFault.exe
3164	1572	WerFault.exe	296
11116	7356	WerFault.exe	325
11232	988	WerFault.exe	300
12488	6840	WerFault.exe	407
12480	6244	WerFault.exe
12472	7876	WerFault.exe	422
12188	7800	WerFault.exe	403
12092	6828	WerFault.exe
11224	6736	WerFault.exe	306
11208	5752	WerFault.exe	299
11196	7100	WerFault.exe
11188	5824	WerFault.exe	390
11180	4056	WerFault.exe	112
13384	7008	WerFault.exe
13348	4980	WerFault.exe
13332	6044	WerFault.exe	216
11584	2112	WerFault.exe	133

System Location Discovery: System Language Discovery 1 TTPs 38 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Unicorn-10180.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Unicorn-50590.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Unicorn-12650.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Unicorn-40579.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Unicorn-27477.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Unicorn-37927.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Unicorn-33263.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Unicorn-58322.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	90fea212664729d65f19e9241fc71dcef3b146c07064f7da9d55176329186913.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Unicorn-35235.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Unicorn-57859.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Unicorn-39847.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Unicorn-2972.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Unicorn-9094.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Unicorn-33289.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Unicorn-12650.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Unicorn-52277.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Unicorn-29719.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Unicorn-6651.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Unicorn-24664.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Unicorn-12074.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Unicorn-6620.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Unicorn-3720.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Unicorn-58322.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Unicorn-50231.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Unicorn-23537.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Unicorn-32857.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Unicorn-26189.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Unicorn-22783.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Unicorn-28694.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Unicorn-39028.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Unicorn-43403.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Unicorn-31151.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Unicorn-18798.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Unicorn-48639.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Unicorn-3522.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Unicorn-41431.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Unicorn-9298.exe

Suspicious use of SetWindowsHookEx 32 IoCs

pid	Process
3248	90fea212664729d65f19e9241fc71dcef3b146c07064f7da9d55176329186913.exe
3964	Unicorn-22783.exe
2632	Unicorn-6651.exe
3256	Unicorn-10180.exe
5008	Unicorn-2972.exe
428	Unicorn-27477.exe
716	Unicorn-9094.exe
2272	Unicorn-50590.exe
1972	Unicorn-33289.exe
1068	Unicorn-37927.exe
4172	Unicorn-23537.exe
4720	Unicorn-43403.exe
2500	Unicorn-35235.exe
4840	Unicorn-31151.exe
2044	Unicorn-24664.exe
4056	Unicorn-18798.exe
4424	Unicorn-48639.exe
2364	Unicorn-32857.exe
5000	Unicorn-3522.exe
1500	Unicorn-28694.exe
4776	Unicorn-12074.exe
668	Unicorn-57859.exe
4396	Unicorn-41431.exe
4824	Unicorn-33263.exe
2648	Unicorn-3720.exe
4836	Unicorn-12650.exe
1968	Unicorn-58322.exe
2688	Unicorn-6620.exe
3020	Unicorn-39028.exe
3096	Unicorn-58322.exe
1396	Unicorn-39847.exe
2276	Unicorn-12650.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3248 wrote to memory of 3964	3248	90fea212664729d65f19e9241fc71dcef3b146c07064f7da9d55176329186913.exe	86
PID 3248 wrote to memory of 3964	3248	90fea212664729d65f19e9241fc71dcef3b146c07064f7da9d55176329186913.exe	86
PID 3248 wrote to memory of 3964	3248	90fea212664729d65f19e9241fc71dcef3b146c07064f7da9d55176329186913.exe	86
PID 3964 wrote to memory of 3256	3964	Unicorn-22783.exe	93
PID 3964 wrote to memory of 3256	3964	Unicorn-22783.exe	93
PID 3964 wrote to memory of 3256	3964	Unicorn-22783.exe	93
PID 3248 wrote to memory of 2632	3248	90fea212664729d65f19e9241fc71dcef3b146c07064f7da9d55176329186913.exe	94
PID 3248 wrote to memory of 2632	3248	90fea212664729d65f19e9241fc71dcef3b146c07064f7da9d55176329186913.exe	94
PID 3248 wrote to memory of 2632	3248	90fea212664729d65f19e9241fc71dcef3b146c07064f7da9d55176329186913.exe	94
PID 2632 wrote to memory of 5008	2632	Unicorn-6651.exe	97
PID 2632 wrote to memory of 5008	2632	Unicorn-6651.exe	97
PID 2632 wrote to memory of 5008	2632	Unicorn-6651.exe	97
PID 3256 wrote to memory of 428	3256	Unicorn-10180.exe	98
PID 3256 wrote to memory of 428	3256	Unicorn-10180.exe	98
PID 3256 wrote to memory of 428	3256	Unicorn-10180.exe	98
PID 3964 wrote to memory of 2272	3964	Unicorn-22783.exe	99
PID 3964 wrote to memory of 2272	3964	Unicorn-22783.exe	99
PID 3964 wrote to memory of 2272	3964	Unicorn-22783.exe	99
PID 3248 wrote to memory of 716	3248	90fea212664729d65f19e9241fc71dcef3b146c07064f7da9d55176329186913.exe	100
PID 3248 wrote to memory of 716	3248	90fea212664729d65f19e9241fc71dcef3b146c07064f7da9d55176329186913.exe	100
PID 3248 wrote to memory of 716	3248	90fea212664729d65f19e9241fc71dcef3b146c07064f7da9d55176329186913.exe	100
PID 5008 wrote to memory of 1972	5008	Unicorn-2972.exe	105
PID 5008 wrote to memory of 1972	5008	Unicorn-2972.exe	105
PID 5008 wrote to memory of 1972	5008	Unicorn-2972.exe	105
PID 2632 wrote to memory of 1068	2632	Unicorn-6651.exe	106
PID 2632 wrote to memory of 1068	2632	Unicorn-6651.exe	106
PID 2632 wrote to memory of 1068	2632	Unicorn-6651.exe	106
PID 3256 wrote to memory of 4172	3256	Unicorn-10180.exe	107
PID 3256 wrote to memory of 4172	3256	Unicorn-10180.exe	107
PID 3256 wrote to memory of 4172	3256	Unicorn-10180.exe	107
PID 428 wrote to memory of 4720	428	Unicorn-27477.exe	108
PID 428 wrote to memory of 4720	428	Unicorn-27477.exe	108
PID 428 wrote to memory of 4720	428	Unicorn-27477.exe	108
PID 716 wrote to memory of 4840	716	Unicorn-9094.exe	109
PID 716 wrote to memory of 4840	716	Unicorn-9094.exe	109
PID 716 wrote to memory of 4840	716	Unicorn-9094.exe	109
PID 2272 wrote to memory of 2500	2272	Unicorn-50590.exe	110
PID 2272 wrote to memory of 2500	2272	Unicorn-50590.exe	110
PID 2272 wrote to memory of 2500	2272	Unicorn-50590.exe	110
PID 3248 wrote to memory of 2044	3248	90fea212664729d65f19e9241fc71dcef3b146c07064f7da9d55176329186913.exe	111
PID 3248 wrote to memory of 2044	3248	90fea212664729d65f19e9241fc71dcef3b146c07064f7da9d55176329186913.exe	111
PID 3248 wrote to memory of 2044	3248	90fea212664729d65f19e9241fc71dcef3b146c07064f7da9d55176329186913.exe	111
PID 3964 wrote to memory of 4056	3964	Unicorn-22783.exe	112
PID 3964 wrote to memory of 4056	3964	Unicorn-22783.exe	112
PID 3964 wrote to memory of 4056	3964	Unicorn-22783.exe	112
PID 1972 wrote to memory of 4424	1972	Unicorn-33289.exe	113
PID 1972 wrote to memory of 4424	1972	Unicorn-33289.exe	113
PID 1972 wrote to memory of 4424	1972	Unicorn-33289.exe	113
PID 5008 wrote to memory of 2364	5008	Unicorn-2972.exe	114
PID 5008 wrote to memory of 2364	5008	Unicorn-2972.exe	114
PID 5008 wrote to memory of 2364	5008	Unicorn-2972.exe	114
PID 1068 wrote to memory of 5000	1068	Unicorn-37927.exe	115
PID 1068 wrote to memory of 5000	1068	Unicorn-37927.exe	115
PID 1068 wrote to memory of 5000	1068	Unicorn-37927.exe	115
PID 2632 wrote to memory of 1500	2632	Unicorn-6651.exe	116
PID 2632 wrote to memory of 1500	2632	Unicorn-6651.exe	116
PID 2632 wrote to memory of 1500	2632	Unicorn-6651.exe	116
PID 4172 wrote to memory of 4776	4172	Unicorn-23537.exe	117
PID 4172 wrote to memory of 4776	4172	Unicorn-23537.exe	117
PID 4172 wrote to memory of 4776	4172	Unicorn-23537.exe	117
PID 3256 wrote to memory of 668	3256	Unicorn-10180.exe	118
PID 3256 wrote to memory of 668	3256	Unicorn-10180.exe	118
PID 3256 wrote to memory of 668	3256	Unicorn-10180.exe	118
PID 2500 wrote to memory of 4396	2500	Unicorn-35235.exe	119

C:\Users\Admin\AppData\Local\Temp\90fea212664729d65f19e9241fc71dcef3b146c07064f7da9d55176329186913.exe
"C:\Users\Admin\AppData\Local\Temp\90fea212664729d65f19e9241fc71dcef3b146c07064f7da9d55176329186913.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3248
- C:\Users\Admin\AppData\Local\Temp\Unicorn-22783.exe
  C:\Users\Admin\AppData\Local\Temp\Unicorn-22783.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:3964
- - C:\Users\Admin\AppData\Local\Temp\Unicorn-10180.exe
    C:\Users\Admin\AppData\Local\Temp\Unicorn-10180.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:3256
  - - C:\Users\Admin\AppData\Local\Temp\Unicorn-27477.exe
      C:\Users\Admin\AppData\Local\Temp\Unicorn-27477.exe
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:428
    - - C:\Users\Admin\AppData\Local\Temp\Unicorn-43403.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-43403.exe
        5⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:4720
      - C:\Users\Admin\AppData\Local\Temp\Unicorn-33263.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-33263.exe
        6⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:4824
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-10066.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-10066.exe
        7⤵
        
        PID:4516
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-60227.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-60227.exe
        8⤵
        
        PID:5132
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-26921.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-26921.exe
        9⤵
        
        PID:5700
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 5700 -s 632
        10⤵
        Program crash
        
        PID:12040
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 5132 -s 656
        9⤵
        Program crash
        
        PID:3804
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-5245.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-5245.exe
        8⤵
        
        PID:5856
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-40657.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-40657.exe
        8⤵
        
        PID:404
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 404 -s 636
        9⤵
        Program crash
        
        PID:12004
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-27898.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-27898.exe
        8⤵
        
        PID:448
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-6205.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-6205.exe
        8⤵
        
        PID:14376
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-51244.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-51244.exe
        7⤵
        
        PID:5272
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-18980.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-18980.exe
        7⤵
        
        PID:5928
      - C:\Users\Admin\AppData\Local\Temp\Unicorn-315.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-315.exe
        6⤵
        
        PID:3596
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-25993.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-25993.exe
        7⤵
        
        PID:5364
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-31203.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-31203.exe
        8⤵
        
        PID:6028
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 5364 -s 664
        8⤵
        Program crash
        
        PID:10592
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-201.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-201.exe
        7⤵
        
        PID:6432
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-10865.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-10865.exe
        7⤵
        
        PID:9456
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 9456 -s 644
        8⤵
        
        PID:8152
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-15516.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-15516.exe
        7⤵
        
        PID:7828
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-55058.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-55058.exe
        7⤵
        
        PID:14232
      - C:\Users\Admin\AppData\Local\Temp\Unicorn-29976.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-29976.exe
        6⤵
        
        PID:5608
      - C:\Users\Admin\AppData\Local\Temp\Unicorn-416.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-416.exe
        6⤵
        
        PID:12180
      - C:\Users\Admin\AppData\Local\Temp\Unicorn-50146.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-50146.exe
        6⤵
        
        PID:5128
    - - C:\Users\Admin\AppData\Local\Temp\Unicorn-58322.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-58322.exe
        5⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:3096
      - C:\Users\Admin\AppData\Local\Temp\Unicorn-8504.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-8504.exe
        6⤵
        
        PID:4224
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-20347.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-20347.exe
        7⤵
        
        PID:5860
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 5860 -s 632
        8⤵
        Program crash
        
        PID:1496
      - C:\Users\Admin\AppData\Local\Temp\Unicorn-8457.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-8457.exe
        6⤵
        
        PID:6092
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-10777.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-10777.exe
        7⤵
        
        PID:6840
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 6840 -s 644
        8⤵
        Program crash
        
        PID:12488
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 6092 -s 660
        7⤵
        Program crash
        
        PID:7440
    - - C:\Users\Admin\AppData\Local\Temp\Unicorn-47299.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-47299.exe
        5⤵
        
        PID:3396
      - C:\Users\Admin\AppData\Local\Temp\Unicorn-50855.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-50855.exe
        6⤵
        
        PID:5808
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-17519.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-17519.exe
        7⤵
        
        PID:5264
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-22231.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-22231.exe
        8⤵
        
        PID:5608
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-45614.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-45614.exe
        8⤵
        
        PID:1848
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-11342.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-11342.exe
        8⤵
        
        PID:6804
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-55125.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-55125.exe
        7⤵
        
        PID:9440
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-18879.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-18879.exe
        8⤵
        
        PID:14076
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-28857.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-28857.exe
        8⤵
        
        PID:12692
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-42531.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-42531.exe
        8⤵
        
        PID:16292
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-36564.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-36564.exe
        7⤵
        
        PID:11688
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-37130.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-37130.exe
        7⤵
        
        PID:14388
      - C:\Users\Admin\AppData\Local\Temp\Unicorn-64342.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-64342.exe
        6⤵
        
        PID:7500
      - C:\Users\Admin\AppData\Local\Temp\Unicorn-40823.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-40823.exe
        6⤵
        
        PID:6416
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-2184.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-2184.exe
        7⤵
        
        PID:13240
      - C:\Users\Admin\AppData\Local\Temp\Unicorn-52770.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-52770.exe
        6⤵
        
        PID:11040
      - C:\Users\Admin\AppData\Local\Temp\Unicorn-49383.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-49383.exe
        6⤵
        
        PID:14528
    - - C:\Users\Admin\AppData\Local\Temp\Unicorn-51742.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-51742.exe
        5⤵
        
        PID:5332
    - - C:\Users\Admin\AppData\Local\Temp\Unicorn-55215.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-55215.exe
        5⤵
        
        PID:2616
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2616 -s 632
        6⤵
        Program crash
        
        PID:12036
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 428 -s 768
        5⤵
        
        PID:13192
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 428 -s 768
        5⤵
        
        PID:16300
  - - C:\Users\Admin\AppData\Local\Temp\Unicorn-23537.exe
      C:\Users\Admin\AppData\Local\Temp\Unicorn-23537.exe
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:4172
    - - C:\Users\Admin\AppData\Local\Temp\Unicorn-12074.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-12074.exe
        5⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:4776
      - C:\Users\Admin\AppData\Local\Temp\Unicorn-52661.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-52661.exe
        6⤵
        
        PID:4352
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-60227.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-60227.exe
        7⤵
        
        PID:5124
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-201.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-201.exe
        7⤵
        
        PID:6440
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-47311.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-47311.exe
        8⤵
        
        PID:9468
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-61577.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-61577.exe
        9⤵
        
        PID:15248
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-8437.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-8437.exe
        9⤵
        
        PID:13820
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-37508.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-37508.exe
        7⤵
        
        PID:9640
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-53627.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-53627.exe
        8⤵
        
        PID:15272
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-50903.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-50903.exe
        7⤵
        
        PID:4340
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-41015.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-41015.exe
        7⤵
        
        PID:14368
      - C:\Users\Admin\AppData\Local\Temp\Unicorn-26739.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-26739.exe
        6⤵
        
        PID:5236
      - C:\Users\Admin\AppData\Local\Temp\Unicorn-60013.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-60013.exe
        6⤵
        
        PID:6228
      - C:\Users\Admin\AppData\Local\Temp\Unicorn-55074.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-55074.exe
        6⤵
        
        PID:8452
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 8452 -s 632
        7⤵
        
        PID:12236
      - C:\Users\Admin\AppData\Local\Temp\Unicorn-15760.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-15760.exe
        6⤵
        
        PID:10120
    - - C:\Users\Admin\AppData\Local\Temp\Unicorn-40963.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-40963.exe
        5⤵
        
        PID:2020
      - C:\Users\Admin\AppData\Local\Temp\Unicorn-60419.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-60419.exe
        6⤵
        
        PID:1988
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1988 -s 624
        7⤵
        Program crash
        
        PID:7908
      - C:\Users\Admin\AppData\Local\Temp\Unicorn-17689.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-17689.exe
        6⤵
        
        PID:5356
    - - C:\Users\Admin\AppData\Local\Temp\Unicorn-23370.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-23370.exe
        5⤵
        
        PID:5152
      - C:\Users\Admin\AppData\Local\Temp\Unicorn-26537.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-26537.exe
        6⤵
        
        PID:6620
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 6620 -s 640
        7⤵
        Program crash
        
        PID:12012
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 6620 -s 640
        7⤵
        
        PID:5908
      - C:\Users\Admin\AppData\Local\Temp\Unicorn-48711.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-48711.exe
        6⤵
        
        PID:10196
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 10196 -s 636
        7⤵
        
        PID:14576
      - C:\Users\Admin\AppData\Local\Temp\Unicorn-61369.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-61369.exe
        6⤵
        
        PID:11484
    - - C:\Users\Admin\AppData\Local\Temp\Unicorn-59656.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-59656.exe
        5⤵
        
        PID:5876
      - C:\Users\Admin\AppData\Local\Temp\Unicorn-60933.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-60933.exe
        6⤵
        
        PID:912
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-49631.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-49631.exe
        7⤵
        
        PID:9828
      - C:\Users\Admin\AppData\Local\Temp\Unicorn-33169.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-33169.exe
        6⤵
        
        PID:4072
    - - C:\Users\Admin\AppData\Local\Temp\Unicorn-56907.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-56907.exe
        5⤵
        
        PID:8204
      - C:\Users\Admin\AppData\Local\Temp\Unicorn-32615.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-32615.exe
        6⤵
        
        PID:11220
      - C:\Users\Admin\AppData\Local\Temp\Unicorn-50352.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-50352.exe
        6⤵
        
        PID:13492
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4172 -s 716
        5⤵
        Program crash
        
        PID:2488
  - - C:\Users\Admin\AppData\Local\Temp\Unicorn-57859.exe
      C:\Users\Admin\AppData\Local\Temp\Unicorn-57859.exe
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious use of SetWindowsHookEx
      PID:668
    - - C:\Users\Admin\AppData\Local\Temp\Unicorn-18235.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-18235.exe
        5⤵
        
        PID:3144
      - C:\Users\Admin\AppData\Local\Temp\Unicorn-54773.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-54773.exe
        6⤵
        
        PID:5192
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-51753.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-51753.exe
        7⤵
        
        PID:6448
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 5192 -s 684
        7⤵
        Program crash
        
        PID:11336
    - - C:\Users\Admin\AppData\Local\Temp\Unicorn-28685.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-28685.exe
        5⤵
        
        PID:5300
    - - C:\Users\Admin\AppData\Local\Temp\Unicorn-57875.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-57875.exe
        5⤵
        
        PID:5752
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 5752 -s 640
        6⤵
        Program crash
        
        PID:11208
    - - C:\Users\Admin\AppData\Local\Temp\Unicorn-11363.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-11363.exe
        5⤵
        
        PID:11032
    - - C:\Users\Admin\AppData\Local\Temp\Unicorn-19186.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-19186.exe
        5⤵
        
        PID:14348
  - - C:\Users\Admin\AppData\Local\Temp\Unicorn-62894.exe
      C:\Users\Admin\AppData\Local\Temp\Unicorn-62894.exe
      4⤵
      PID:2136
    - - C:\Users\Admin\AppData\Local\Temp\Unicorn-46413.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-46413.exe
        5⤵
        
        PID:5420
  - - C:\Users\Admin\AppData\Local\Temp\Unicorn-31260.exe
      C:\Users\Admin\AppData\Local\Temp\Unicorn-31260.exe
      4⤵
      PID:5764
  - - C:\Users\Admin\AppData\Local\Temp\Unicorn-20065.exe
      C:\Users\Admin\AppData\Local\Temp\Unicorn-20065.exe
      4⤵
      PID:6412
    - - C:\Users\Admin\AppData\Local\Temp\Unicorn-51395.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-51395.exe
        5⤵
        
        PID:10016
      - C:\Users\Admin\AppData\Local\Temp\Unicorn-33591.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-33591.exe
        6⤵
        
        PID:15604
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 6412 -s 628
        5⤵
        
        PID:13268
  - - C:\Users\Admin\AppData\Local\Temp\Unicorn-24764.exe
      C:\Users\Admin\AppData\Local\Temp\Unicorn-24764.exe
      4⤵
      PID:7876
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 7876 -s 632
        5⤵
        Program crash
        
        PID:12472
  - - C:\Users\Admin\AppData\Local\Temp\Unicorn-56212.exe
      C:\Users\Admin\AppData\Local\Temp\Unicorn-56212.exe
      4⤵
      PID:1688
    - - C:\Users\Admin\AppData\Local\Temp\Unicorn-11800.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-11800.exe
        5⤵
        
        PID:15704
  - - C:\Users\Admin\AppData\Local\Temp\Unicorn-55423.exe
      C:\Users\Admin\AppData\Local\Temp\Unicorn-55423.exe
      4⤵
      PID:12324
  - - C:\Users\Admin\AppData\Local\Temp\Unicorn-49011.exe
      C:\Users\Admin\AppData\Local\Temp\Unicorn-49011.exe
      4⤵
      PID:6424
- - C:\Users\Admin\AppData\Local\Temp\Unicorn-50590.exe
    C:\Users\Admin\AppData\Local\Temp\Unicorn-50590.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:2272
  - - C:\Users\Admin\AppData\Local\Temp\Unicorn-35235.exe
      C:\Users\Admin\AppData\Local\Temp\Unicorn-35235.exe
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:2500
    - - C:\Users\Admin\AppData\Local\Temp\Unicorn-41431.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-41431.exe
        5⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:4396
      - C:\Users\Admin\AppData\Local\Temp\Unicorn-51483.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-51483.exe
        6⤵
        
        PID:4536
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-51073.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-51073.exe
        7⤵
        
        PID:5840
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-54830.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-54830.exe
        7⤵
        
        PID:6736
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 6736 -s 636
        8⤵
        Program crash
        
        PID:11224
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-16920.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-16920.exe
        7⤵
        
        PID:8540
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-31349.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-31349.exe
        8⤵
        
        PID:12628
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-20341.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-20341.exe
        7⤵
        
        PID:9064
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-16222.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-16222.exe
        7⤵
        
        PID:12360
      - C:\Users\Admin\AppData\Local\Temp\Unicorn-55520.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-55520.exe
        6⤵
        
        PID:6108
      - C:\Users\Admin\AppData\Local\Temp\Unicorn-52037.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-52037.exe
        6⤵
        
        PID:3920
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-52573.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-52573.exe
        7⤵
        
        PID:6048
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-16601.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-16601.exe
        8⤵
        
        PID:5516
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-33185.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-33185.exe
        8⤵
        
        PID:15184
      - C:\Users\Admin\AppData\Local\Temp\Unicorn-51758.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-51758.exe
        6⤵
        
        PID:8660
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 8660 -s 636
        7⤵
        
        PID:14564
      - C:\Users\Admin\AppData\Local\Temp\Unicorn-14390.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-14390.exe
        6⤵
        
        PID:10076
      - C:\Users\Admin\AppData\Local\Temp\Unicorn-16023.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-16023.exe
        6⤵
        
        PID:12420
      - C:\Users\Admin\AppData\Local\Temp\Unicorn-6140.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-6140.exe
        6⤵
        
        PID:14344
    - - C:\Users\Admin\AppData\Local\Temp\Unicorn-35701.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-35701.exe
        5⤵
        
        PID:4364
      - C:\Users\Admin\AppData\Local\Temp\Unicorn-20347.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-20347.exe
        6⤵
        
        PID:5864
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-25111.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-25111.exe
        7⤵
        
        PID:6260
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4364 -s 716
        6⤵
        
        PID:14264
    - - C:\Users\Admin\AppData\Local\Temp\Unicorn-40667.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-40667.exe
        5⤵
        
        PID:6072
      - C:\Users\Admin\AppData\Local\Temp\Unicorn-13299.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-13299.exe
        6⤵
        
        PID:5640
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 5640 -s 632
        7⤵
        Program crash
        
        PID:12028
    - - C:\Users\Admin\AppData\Local\Temp\Unicorn-45650.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-45650.exe
        5⤵
        
        PID:5456
    - - C:\Users\Admin\AppData\Local\Temp\Unicorn-8090.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-8090.exe
        5⤵
        
        PID:8504
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 8504 -s 636
        6⤵
        Program crash
        
        PID:12056
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2500 -s 756
        5⤵
        Program crash
        
        PID:5360
  - - C:\Users\Admin\AppData\Local\Temp\Unicorn-58322.exe
      C:\Users\Admin\AppData\Local\Temp\Unicorn-58322.exe
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious use of SetWindowsHookEx
      PID:1968
    - - C:\Users\Admin\AppData\Local\Temp\Unicorn-4804.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-4804.exe
        5⤵
        
        PID:3308
      - C:\Users\Admin\AppData\Local\Temp\Unicorn-31613.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-31613.exe
        6⤵
        
        PID:32
      - C:\Users\Admin\AppData\Local\Temp\Unicorn-43153.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-43153.exe
        6⤵
        
        PID:7448
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 7448 -s 632
        7⤵
        
        PID:3060
      - C:\Users\Admin\AppData\Local\Temp\Unicorn-30996.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-30996.exe
        6⤵
        
        PID:12652
      - C:\Users\Admin\AppData\Local\Temp\Unicorn-54612.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-54612.exe
        6⤵
        
        PID:14104
    - - C:\Users\Admin\AppData\Local\Temp\Unicorn-12899.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-12899.exe
        5⤵
        
        PID:5180
      - C:\Users\Admin\AppData\Local\Temp\Unicorn-46491.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-46491.exe
        6⤵
        
        PID:6148
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 6148 -s 636
        7⤵
        Program crash
        
        PID:7980
      - C:\Users\Admin\AppData\Local\Temp\Unicorn-41224.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-41224.exe
        6⤵
        
        PID:12412
      - C:\Users\Admin\AppData\Local\Temp\Unicorn-5610.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-5610.exe
        6⤵
        
        PID:14396
    - - C:\Users\Admin\AppData\Local\Temp\Unicorn-29906.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-29906.exe
        5⤵
        
        PID:10460
    - - C:\Users\Admin\AppData\Local\Temp\Unicorn-8919.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-8919.exe
        5⤵
        
        PID:15032
  - - C:\Users\Admin\AppData\Local\Temp\Unicorn-64019.exe
      C:\Users\Admin\AppData\Local\Temp\Unicorn-64019.exe
      4⤵
      PID:532
    - - C:\Users\Admin\AppData\Local\Temp\Unicorn-45209.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-45209.exe
        5⤵
        
        PID:6044
      - C:\Users\Admin\AppData\Local\Temp\Unicorn-39501.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-39501.exe
        6⤵
        
        PID:1136
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-30207.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-30207.exe
        7⤵
        
        PID:8348
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-13170.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-13170.exe
        8⤵
        
        PID:15648
      - C:\Users\Admin\AppData\Local\Temp\Unicorn-48110.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-48110.exe
        6⤵
        
        PID:5240
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-41105.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-41105.exe
        7⤵
        
        PID:5076
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 5240 -s 632
        7⤵
        
        PID:5592
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 6044 -s 752
        6⤵
        Program crash
        
        PID:13332
  - - C:\Users\Admin\AppData\Local\Temp\Unicorn-33808.exe
      C:\Users\Admin\AppData\Local\Temp\Unicorn-33808.exe
      4⤵
      PID:5780
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 5780 -s 720
        5⤵
        Program crash
        
        PID:2388
  - - C:\Users\Admin\AppData\Local\Temp\Unicorn-36932.exe
      C:\Users\Admin\AppData\Local\Temp\Unicorn-36932.exe
      4⤵
      PID:6100
    - - C:\Users\Admin\AppData\Local\Temp\Unicorn-32065.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-32065.exe
        5⤵
        
        PID:2808
    - - C:\Users\Admin\AppData\Local\Temp\Unicorn-7591.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-7591.exe
        5⤵
        
        PID:13440
- - C:\Users\Admin\AppData\Local\Temp\Unicorn-18798.exe
    C:\Users\Admin\AppData\Local\Temp\Unicorn-18798.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    PID:4056
  - - C:\Users\Admin\AppData\Local\Temp\Unicorn-12650.exe
      C:\Users\Admin\AppData\Local\Temp\Unicorn-12650.exe
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious use of SetWindowsHookEx
      PID:2276
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2276 -s 636
        5⤵
        Program crash
        
        PID:4328
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2276 -s 648
        5⤵
        Program crash
        
        PID:5508
  - - C:\Users\Admin\AppData\Local\Temp\Unicorn-44062.exe
      C:\Users\Admin\AppData\Local\Temp\Unicorn-44062.exe
      4⤵
      PID:968
    - - C:\Users\Admin\AppData\Local\Temp\Unicorn-34903.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-34903.exe
        5⤵
        
        PID:6080
    - - C:\Users\Admin\AppData\Local\Temp\Unicorn-63958.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-63958.exe
        5⤵
        
        PID:7264
    - - C:\Users\Admin\AppData\Local\Temp\Unicorn-19163.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-19163.exe
        5⤵
        
        PID:10092
    - - C:\Users\Admin\AppData\Local\Temp\Unicorn-3778.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-3778.exe
        5⤵
        
        PID:12520
  - - C:\Users\Admin\AppData\Local\Temp\Unicorn-33972.exe
      C:\Users\Admin\AppData\Local\Temp\Unicorn-33972.exe
      4⤵
      PID:6156
  - - C:\Users\Admin\AppData\Local\Temp\Unicorn-49682.exe
      C:\Users\Admin\AppData\Local\Temp\Unicorn-49682.exe
      4⤵
      PID:7352
    - - C:\Users\Admin\AppData\Local\Temp\Unicorn-60710.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-60710.exe
        5⤵
        
        PID:5376
    - - C:\Users\Admin\AppData\Local\Temp\Unicorn-57611.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-57611.exe
        5⤵
        
        PID:13872
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 4056 -s 756
      4⤵
      Program crash
      PID:11180
- - C:\Users\Admin\AppData\Local\Temp\Unicorn-39028.exe
    C:\Users\Admin\AppData\Local\Temp\Unicorn-39028.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    PID:3020
  - - C:\Users\Admin\AppData\Local\Temp\Unicorn-59459.exe
      C:\Users\Admin\AppData\Local\Temp\Unicorn-59459.exe
      4⤵
      PID:2352
    - - C:\Users\Admin\AppData\Local\Temp\Unicorn-46797.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-46797.exe
        5⤵
        
        PID:6056
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 6056 -s 636
        6⤵
        Program crash
        
        PID:7900
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 6056 -s 708
        6⤵
        
        PID:2656
    - - C:\Users\Admin\AppData\Local\Temp\Unicorn-26049.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-26049.exe
        5⤵
        
        PID:7036
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2352 -s 764
        5⤵
        Program crash
        
        PID:8752
  - - C:\Users\Admin\AppData\Local\Temp\Unicorn-9033.exe
      C:\Users\Admin\AppData\Local\Temp\Unicorn-9033.exe
      4⤵
      PID:6128
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 6128 -s 648
        5⤵
        Program crash
        
        PID:6204
  - - C:\Users\Admin\AppData\Local\Temp\Unicorn-14461.exe
      C:\Users\Admin\AppData\Local\Temp\Unicorn-14461.exe
      4⤵
      PID:12632
- - C:\Users\Admin\AppData\Local\Temp\Unicorn-54997.exe
    C:\Users\Admin\AppData\Local\Temp\Unicorn-54997.exe
    3⤵
    PID:1468
  - - C:\Users\Admin\AppData\Local\Temp\Unicorn-10398.exe
      C:\Users\Admin\AppData\Local\Temp\Unicorn-10398.exe
      4⤵
      PID:6016
  - - C:\Users\Admin\AppData\Local\Temp\Unicorn-33039.exe
      C:\Users\Admin\AppData\Local\Temp\Unicorn-33039.exe
      4⤵
      PID:7356
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 7356 -s 636
        5⤵
        Program crash
        
        PID:11116
  - - C:\Users\Admin\AppData\Local\Temp\Unicorn-22348.exe
      C:\Users\Admin\AppData\Local\Temp\Unicorn-22348.exe
      4⤵
      PID:2508
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2508 -s 636
        5⤵
        
        PID:14280
  - - C:\Users\Admin\AppData\Local\Temp\Unicorn-22636.exe
      C:\Users\Admin\AppData\Local\Temp\Unicorn-22636.exe
      4⤵
      PID:12816
  - - C:\Users\Admin\AppData\Local\Temp\Unicorn-30491.exe
      C:\Users\Admin\AppData\Local\Temp\Unicorn-30491.exe
      4⤵
      PID:5756
- - C:\Users\Admin\AppData\Local\Temp\Unicorn-39333.exe
    C:\Users\Admin\AppData\Local\Temp\Unicorn-39333.exe
    3⤵
    PID:5448
  - - C:\Users\Admin\AppData\Local\Temp\Unicorn-47233.exe
      C:\Users\Admin\AppData\Local\Temp\Unicorn-47233.exe
      4⤵
      PID:8176
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 8176 -s 540
        5⤵
        Program crash
        
        PID:11988
  - - C:\Users\Admin\AppData\Local\Temp\Unicorn-43013.exe
      C:\Users\Admin\AppData\Local\Temp\Unicorn-43013.exe
      4⤵
      PID:8944
    - - C:\Users\Admin\AppData\Local\Temp\Unicorn-45163.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-45163.exe
        5⤵
        
        PID:12944
  - - C:\Users\Admin\AppData\Local\Temp\Unicorn-46905.exe
      C:\Users\Admin\AppData\Local\Temp\Unicorn-46905.exe
      4⤵
      PID:11308
  - - C:\Users\Admin\AppData\Local\Temp\Unicorn-58048.exe
      C:\Users\Admin\AppData\Local\Temp\Unicorn-58048.exe
      4⤵
      PID:13840
- - C:\Users\Admin\AppData\Local\Temp\Unicorn-55745.exe
    C:\Users\Admin\AppData\Local\Temp\Unicorn-55745.exe
    3⤵
    PID:6304
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 6304 -s 664
      4⤵
      PID:13252
- - C:\Users\Admin\AppData\Local\Temp\Unicorn-4744.exe
    C:\Users\Admin\AppData\Local\Temp\Unicorn-4744.exe
    3⤵
    PID:8720
  - - C:\Users\Admin\AppData\Local\Temp\Unicorn-2568.exe
      C:\Users\Admin\AppData\Local\Temp\Unicorn-2568.exe
      4⤵
      PID:13084
  - - C:\Users\Admin\AppData\Local\Temp\Unicorn-53170.exe
      C:\Users\Admin\AppData\Local\Temp\Unicorn-53170.exe
      4⤵
      PID:15872
- - C:\Users\Admin\AppData\Local\Temp\Unicorn-32159.exe
    C:\Users\Admin\AppData\Local\Temp\Unicorn-32159.exe
    3⤵
    PID:11064
- - C:\Users\Admin\AppData\Local\Temp\Unicorn-605.exe
    C:\Users\Admin\AppData\Local\Temp\Unicorn-605.exe
    3⤵
    PID:14460
- C:\Users\Admin\AppData\Local\Temp\Unicorn-6651.exe
  C:\Users\Admin\AppData\Local\Temp\Unicorn-6651.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2632
- - C:\Users\Admin\AppData\Local\Temp\Unicorn-2972.exe
    C:\Users\Admin\AppData\Local\Temp\Unicorn-2972.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:5008
  - - C:\Users\Admin\AppData\Local\Temp\Unicorn-33289.exe
      C:\Users\Admin\AppData\Local\Temp\Unicorn-33289.exe
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:1972
    - - C:\Users\Admin\AppData\Local\Temp\Unicorn-48639.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-48639.exe
        5⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:4424
      - C:\Users\Admin\AppData\Local\Temp\Unicorn-52277.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-52277.exe
        6⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2476
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-37669.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-37669.exe
        7⤵
        
        PID:3628
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-27803.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-27803.exe
        7⤵
        
        PID:7116
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 7116 -s 632
        8⤵
        
        PID:5800
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 7116 -s 632
        8⤵
        
        PID:9636
      - C:\Users\Admin\AppData\Local\Temp\Unicorn-28685.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-28685.exe
        6⤵
        
        PID:5304
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-31011.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-31011.exe
        7⤵
        
        PID:4704
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-51374.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-51374.exe
        8⤵
        
        PID:1912
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-2288.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-2288.exe
        9⤵
        
        PID:15356
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-61295.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-61295.exe
        8⤵
        
        PID:5272
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-26974.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-26974.exe
        8⤵
        
        PID:13644
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 5304 -s 744
        7⤵
        Program crash
        
        PID:10600
      - C:\Users\Admin\AppData\Local\Temp\Unicorn-17096.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-17096.exe
        6⤵
        
        PID:5404
      - C:\Users\Admin\AppData\Local\Temp\Unicorn-17768.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-17768.exe
        6⤵
        
        PID:9876
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-50119.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-50119.exe
        7⤵
        
        PID:15736
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-40315.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-40315.exe
        7⤵
        
        PID:16208
      - C:\Users\Admin\AppData\Local\Temp\Unicorn-12193.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-12193.exe
        6⤵
        
        PID:11320
      - C:\Users\Admin\AppData\Local\Temp\Unicorn-23270.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-23270.exe
        6⤵
        
        PID:14412
    - - C:\Users\Admin\AppData\Local\Temp\Unicorn-40579.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-40579.exe
        5⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2112
      - C:\Users\Admin\AppData\Local\Temp\Unicorn-35723.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-35723.exe
        6⤵
        
        PID:3708
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3708 -s 636
        7⤵
        Program crash
        
        PID:7744
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3708 -s 636
        7⤵
        
        PID:14420
      - C:\Users\Admin\AppData\Local\Temp\Unicorn-1161.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-1161.exe
        6⤵
        
        PID:6536
      - C:\Users\Admin\AppData\Local\Temp\Unicorn-27034.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-27034.exe
        6⤵
        
        PID:8056
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 8056 -s 636
        7⤵
        
        PID:13916
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2112 -s 656
        6⤵
        Program crash
        
        PID:11584
    - - C:\Users\Admin\AppData\Local\Temp\Unicorn-48643.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-48643.exe
        5⤵
        
        PID:5184
    - - C:\Users\Admin\AppData\Local\Temp\Unicorn-28429.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-28429.exe
        5⤵
        
        PID:8
    - - C:\Users\Admin\AppData\Local\Temp\Unicorn-1740.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-1740.exe
        5⤵
        
        PID:14400
  - - C:\Users\Admin\AppData\Local\Temp\Unicorn-32857.exe
      C:\Users\Admin\AppData\Local\Temp\Unicorn-32857.exe
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious use of SetWindowsHookEx
      PID:2364
    - - C:\Users\Admin\AppData\Local\Temp\Unicorn-9298.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-9298.exe
        5⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1820
      - C:\Users\Admin\AppData\Local\Temp\Unicorn-29693.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-29693.exe
        6⤵
        
        PID:1868
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-2360.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-2360.exe
        7⤵
        
        PID:6700
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 6700 -s 632
        8⤵
        Program crash
        
        PID:11108
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-57264.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-57264.exe
        7⤵
        
        PID:7004
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 7004 -s 632
        8⤵
        Program crash
        
        PID:12020
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1868 -s 652
        7⤵
        Program crash
        
        PID:4236
      - C:\Users\Admin\AppData\Local\Temp\Unicorn-9329.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-9329.exe
        6⤵
        
        PID:6168
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-38375.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-38375.exe
        7⤵
        
        PID:7164
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1820 -s 752
        6⤵
        Program crash
        
        PID:7176
    - - C:\Users\Admin\AppData\Local\Temp\Unicorn-32769.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-32769.exe
        5⤵
        
        PID:5324
      - C:\Users\Admin\AppData\Local\Temp\Unicorn-59407.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-59407.exe
        6⤵
        
        PID:2060
      - C:\Users\Admin\AppData\Local\Temp\Unicorn-39261.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-39261.exe
        6⤵
        
        PID:7320
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-48297.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-48297.exe
        7⤵
        
        PID:8196
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 8196 -s 636
        8⤵
        
        PID:14304
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-63896.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-63896.exe
        7⤵
        
        PID:10056
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 7320 -s 648
        7⤵
        
        PID:15760
      - C:\Users\Admin\AppData\Local\Temp\Unicorn-30132.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-30132.exe
        6⤵
        
        PID:8796
      - C:\Users\Admin\AppData\Local\Temp\Unicorn-28894.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-28894.exe
        6⤵
        
        PID:2260
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-34093.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-34093.exe
        7⤵
        
        PID:7092
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 5324 -s 756
        6⤵
        
        PID:14248
  - - C:\Users\Admin\AppData\Local\Temp\Unicorn-50231.exe
      C:\Users\Admin\AppData\Local\Temp\Unicorn-50231.exe
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      PID:3284
    - - C:\Users\Admin\AppData\Local\Temp\Unicorn-25033.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-25033.exe
        5⤵
        
        PID:4160
      - C:\Users\Admin\AppData\Local\Temp\Unicorn-23253.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-23253.exe
        6⤵
        
        PID:5436
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-606.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-606.exe
        7⤵
        
        PID:5616
      - C:\Users\Admin\AppData\Local\Temp\Unicorn-8343.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-8343.exe
        6⤵
        
        PID:7420
      - C:\Users\Admin\AppData\Local\Temp\Unicorn-57159.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-57159.exe
        6⤵
        
        PID:1396
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-2210.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-2210.exe
        7⤵
        
        PID:4992
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4160 -s 768
        6⤵
        
        PID:14324
    - - C:\Users\Admin\AppData\Local\Temp\Unicorn-61908.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-61908.exe
        5⤵
        
        PID:1020
    - - C:\Users\Admin\AppData\Local\Temp\Unicorn-63303.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-63303.exe
        5⤵
        
        PID:7292
    - - C:\Users\Admin\AppData\Local\Temp\Unicorn-35998.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-35998.exe
        5⤵
        
        PID:8936
      - C:\Users\Admin\AppData\Local\Temp\Unicorn-19097.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-19097.exe
        6⤵
        
        PID:12696
    - - C:\Users\Admin\AppData\Local\Temp\Unicorn-59123.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-59123.exe
        5⤵
        
        PID:9492
      - C:\Users\Admin\AppData\Local\Temp\Unicorn-64483.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-64483.exe
        6⤵
        
        PID:15552
    - - C:\Users\Admin\AppData\Local\Temp\Unicorn-65224.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-65224.exe
        5⤵
        
        PID:12336
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3284 -s 744
        5⤵
        
        PID:16232
  - - C:\Users\Admin\AppData\Local\Temp\Unicorn-45956.exe
      C:\Users\Admin\AppData\Local\Temp\Unicorn-45956.exe
      4⤵
      PID:4344
    - - C:\Users\Admin\AppData\Local\Temp\Unicorn-17991.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-17991.exe
        5⤵
        
        PID:5884
      - C:\Users\Admin\AppData\Local\Temp\Unicorn-11322.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-11322.exe
        6⤵
        
        PID:6208
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-6257.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-6257.exe
        7⤵
        
        PID:8684
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-27753.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-27753.exe
        8⤵
        
        PID:13844
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-65379.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-65379.exe
        7⤵
        
        PID:2664
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-35142.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-35142.exe
        7⤵
        
        PID:13460
      - C:\Users\Admin\AppData\Local\Temp\Unicorn-44280.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-44280.exe
        6⤵
        
        PID:7248
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-42459.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-42459.exe
        7⤵
        
        PID:8732
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-18163.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-18163.exe
        8⤵
        
        PID:12176
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-30855.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-30855.exe
        8⤵
        
        PID:14604
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-57866.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-57866.exe
        7⤵
        
        PID:7416
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 7248 -s 628
        7⤵
        
        PID:11108
      - C:\Users\Admin\AppData\Local\Temp\Unicorn-24460.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-24460.exe
        6⤵
        
        PID:6456
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 6456 -s 652
        7⤵
        
        PID:15992
      - C:\Users\Admin\AppData\Local\Temp\Unicorn-46740.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-46740.exe
        6⤵
        
        PID:11392
      - C:\Users\Admin\AppData\Local\Temp\Unicorn-22740.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-22740.exe
        6⤵
        
        PID:14448
    - - C:\Users\Admin\AppData\Local\Temp\Unicorn-12261.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-12261.exe
        5⤵
        
        PID:6568
      - C:\Users\Admin\AppData\Local\Temp\Unicorn-17763.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-17763.exe
        6⤵
        
        PID:7580
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 7580 -s 636
        7⤵
        
        PID:14288
      - C:\Users\Admin\AppData\Local\Temp\Unicorn-39391.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-39391.exe
        6⤵
        
        PID:6868
      - C:\Users\Admin\AppData\Local\Temp\Unicorn-39443.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-39443.exe
        6⤵
        
        PID:12440
      - C:\Users\Admin\AppData\Local\Temp\Unicorn-14275.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-14275.exe
        6⤵
        
        PID:14200
    - - C:\Users\Admin\AppData\Local\Temp\Unicorn-56417.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-56417.exe
        5⤵
        
        PID:7800
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 7800 -s 636
        6⤵
        Program crash
        
        PID:12188
    - - C:\Users\Admin\AppData\Local\Temp\Unicorn-26626.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-26626.exe
        5⤵
        
        PID:5744
    - - C:\Users\Admin\AppData\Local\Temp\Unicorn-38074.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-38074.exe
        5⤵
        
        PID:3412
    - - C:\Users\Admin\AppData\Local\Temp\Unicorn-1773.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-1773.exe
        5⤵
        
        PID:7900
  - - C:\Users\Admin\AppData\Local\Temp\Unicorn-14296.exe
      C:\Users\Admin\AppData\Local\Temp\Unicorn-14296.exe
      4⤵
      PID:5816
    - - C:\Users\Admin\AppData\Local\Temp\Unicorn-2967.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-2967.exe
        5⤵
        
        PID:5828
      - C:\Users\Admin\AppData\Local\Temp\Unicorn-24961.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-24961.exe
        6⤵
        
        PID:5692
      - C:\Users\Admin\AppData\Local\Temp\Unicorn-12381.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-12381.exe
        6⤵
        
        PID:14700
    - - C:\Users\Admin\AppData\Local\Temp\Unicorn-30760.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-30760.exe
        5⤵
        
        PID:5988
    - - C:\Users\Admin\AppData\Local\Temp\Unicorn-62351.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-62351.exe
        5⤵
        
        PID:14072
  - - C:\Users\Admin\AppData\Local\Temp\Unicorn-30703.exe
      C:\Users\Admin\AppData\Local\Temp\Unicorn-30703.exe
      4⤵
      PID:7244
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 7244 -s 636
        5⤵
        Program crash
        
        PID:11972
  - - C:\Users\Admin\AppData\Local\Temp\Unicorn-18298.exe
      C:\Users\Admin\AppData\Local\Temp\Unicorn-18298.exe
      4⤵
      PID:2608
    - - C:\Users\Admin\AppData\Local\Temp\Unicorn-62563.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-62563.exe
        5⤵
        
        PID:9584
  - - C:\Users\Admin\AppData\Local\Temp\Unicorn-64137.exe
      C:\Users\Admin\AppData\Local\Temp\Unicorn-64137.exe
      4⤵
      PID:11252
  - - C:\Users\Admin\AppData\Local\Temp\Unicorn-489.exe
      C:\Users\Admin\AppData\Local\Temp\Unicorn-489.exe
      4⤵
      PID:14736
- - C:\Users\Admin\AppData\Local\Temp\Unicorn-37927.exe
    C:\Users\Admin\AppData\Local\Temp\Unicorn-37927.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:1068
  - - C:\Users\Admin\AppData\Local\Temp\Unicorn-3522.exe
      C:\Users\Admin\AppData\Local\Temp\Unicorn-3522.exe
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious use of SetWindowsHookEx
      PID:5000
    - - C:\Users\Admin\AppData\Local\Temp\Unicorn-29719.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-29719.exe
        5⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:3676
      - C:\Users\Admin\AppData\Local\Temp\Unicorn-54389.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-54389.exe
        6⤵
        
        PID:1144
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-12152.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-12152.exe
        7⤵
        
        PID:1824
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-49568.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-49568.exe
        7⤵
        
        PID:7300
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-38375.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-38375.exe
        8⤵
        
        PID:8412
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-39621.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-39621.exe
        9⤵
        
        PID:15396
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-23149.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-23149.exe
        9⤵
        
        PID:7192
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-7382.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-7382.exe
        7⤵
        
        PID:5288
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-8432.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-8432.exe
        8⤵
        
        PID:4724
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-39185.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-39185.exe
        9⤵
        
        PID:15828
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-513.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-513.exe
        8⤵
        
        PID:15120
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1144 -s 684
        7⤵
        
        PID:5468
      - C:\Users\Admin\AppData\Local\Temp\Unicorn-46688.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-46688.exe
        6⤵
        
        PID:6276
      - C:\Users\Admin\AppData\Local\Temp\Unicorn-58015.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-58015.exe
        6⤵
        
        PID:7728
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 7728 -s 636
        7⤵
        
        PID:3104
      - C:\Users\Admin\AppData\Local\Temp\Unicorn-30326.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-30326.exe
        6⤵
        
        PID:9476
      - C:\Users\Admin\AppData\Local\Temp\Unicorn-20176.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-20176.exe
        6⤵
        
        PID:6608
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-58043.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-58043.exe
        7⤵
        
        PID:16196
      - C:\Users\Admin\AppData\Local\Temp\Unicorn-9941.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-9941.exe
        6⤵
        
        PID:13448
      - C:\Users\Admin\AppData\Local\Temp\Unicorn-20670.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-20670.exe
        6⤵
        
        PID:16320
    - - C:\Users\Admin\AppData\Local\Temp\Unicorn-9827.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-9827.exe
        5⤵
        
        PID:5072
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 5072 -s 656
        6⤵
        
        PID:13608
    - - C:\Users\Admin\AppData\Local\Temp\Unicorn-13563.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-13563.exe
        5⤵
        
        PID:10252
    - - C:\Users\Admin\AppData\Local\Temp\Unicorn-41350.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-41350.exe
        5⤵
        
        PID:15352
  - - C:\Users\Admin\AppData\Local\Temp\Unicorn-26189.exe
      C:\Users\Admin\AppData\Local\Temp\Unicorn-26189.exe
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      PID:3720
    - - C:\Users\Admin\AppData\Local\Temp\Unicorn-5188.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-5188.exe
        5⤵
        
        PID:3864
      - C:\Users\Admin\AppData\Local\Temp\Unicorn-14482.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-14482.exe
        6⤵
        
        PID:3236
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-47669.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-47669.exe
        7⤵
        
        PID:7132
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 7132 -s 644
        8⤵
        Program crash
        
        PID:6268
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3236 -s 668
        7⤵
        Program crash
        
        PID:2268
      - C:\Users\Admin\AppData\Local\Temp\Unicorn-25447.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-25447.exe
        6⤵
        
        PID:7468
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-27301.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-27301.exe
        7⤵
        
        PID:8580
  - - C:\Users\Admin\AppData\Local\Temp\Unicorn-3142.exe
      C:\Users\Admin\AppData\Local\Temp\Unicorn-3142.exe
      4⤵
      PID:2516
    - - C:\Users\Admin\AppData\Local\Temp\Unicorn-7684.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-7684.exe
        5⤵
        
        PID:5916
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 5916 -s 712
        6⤵
        Program crash
        
        PID:9584
    - - C:\Users\Admin\AppData\Local\Temp\Unicorn-6012.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-6012.exe
        5⤵
        
        PID:7916
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2516 -s 648
        5⤵
        
        PID:14316
  - - C:\Users\Admin\AppData\Local\Temp\Unicorn-4487.exe
      C:\Users\Admin\AppData\Local\Temp\Unicorn-4487.exe
      4⤵
      PID:6000
  - - C:\Users\Admin\AppData\Local\Temp\Unicorn-1233.exe
      C:\Users\Admin\AppData\Local\Temp\Unicorn-1233.exe
      4⤵
      PID:9224
  - - C:\Users\Admin\AppData\Local\Temp\Unicorn-3794.exe
      C:\Users\Admin\AppData\Local\Temp\Unicorn-3794.exe
      4⤵
      PID:9972
    - - C:\Users\Admin\AppData\Local\Temp\Unicorn-39813.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-39813.exe
        5⤵
        
        PID:15460
    - - C:\Users\Admin\AppData\Local\Temp\Unicorn-2153.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-2153.exe
        5⤵
        
        PID:16324
  - - C:\Users\Admin\AppData\Local\Temp\Unicorn-62845.exe
      C:\Users\Admin\AppData\Local\Temp\Unicorn-62845.exe
      4⤵
      PID:1988
- - C:\Users\Admin\AppData\Local\Temp\Unicorn-28694.exe
    C:\Users\Admin\AppData\Local\Temp\Unicorn-28694.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    PID:1500
  - - C:\Users\Admin\AppData\Local\Temp\Unicorn-35749.exe
      C:\Users\Admin\AppData\Local\Temp\Unicorn-35749.exe
      4⤵
      PID:2488
    - - C:\Users\Admin\AppData\Local\Temp\Unicorn-52059.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-52059.exe
        5⤵
        
        PID:4456
    - - C:\Users\Admin\AppData\Local\Temp\Unicorn-46278.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-46278.exe
        5⤵
        
        PID:7152
  - - C:\Users\Admin\AppData\Local\Temp\Unicorn-51244.exe
      C:\Users\Admin\AppData\Local\Temp\Unicorn-51244.exe
      4⤵
      PID:5264
  - - C:\Users\Admin\AppData\Local\Temp\Unicorn-60423.exe
      C:\Users\Admin\AppData\Local\Temp\Unicorn-60423.exe
      4⤵
      PID:6284
  - - C:\Users\Admin\AppData\Local\Temp\Unicorn-12733.exe
      C:\Users\Admin\AppData\Local\Temp\Unicorn-12733.exe
      4⤵
      PID:5824
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 5824 -s 656
        5⤵
        Program crash
        
        PID:11188
  - - C:\Users\Admin\AppData\Local\Temp\Unicorn-23798.exe
      C:\Users\Admin\AppData\Local\Temp\Unicorn-23798.exe
      4⤵
      PID:5904
  - - C:\Users\Admin\AppData\Local\Temp\Unicorn-21539.exe
      C:\Users\Admin\AppData\Local\Temp\Unicorn-21539.exe
      4⤵
      PID:7912
  - - C:\Users\Admin\AppData\Local\Temp\Unicorn-27007.exe
      C:\Users\Admin\AppData\Local\Temp\Unicorn-27007.exe
      4⤵
      PID:13324
- - C:\Users\Admin\AppData\Local\Temp\Unicorn-23232.exe
    C:\Users\Admin\AppData\Local\Temp\Unicorn-23232.exe
    3⤵
    PID:3600
  - - C:\Users\Admin\AppData\Local\Temp\Unicorn-35723.exe
      C:\Users\Admin\AppData\Local\Temp\Unicorn-35723.exe
      4⤵
      PID:1960
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1960 -s 640
        5⤵
        Program crash
        
        PID:7404
  - - C:\Users\Admin\AppData\Local\Temp\Unicorn-40055.exe
      C:\Users\Admin\AppData\Local\Temp\Unicorn-40055.exe
      4⤵
      PID:1572
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1572 -s 636
        5⤵
        Program crash
        
        PID:3164
- - C:\Users\Admin\AppData\Local\Temp\Unicorn-37674.exe
    C:\Users\Admin\AppData\Local\Temp\Unicorn-37674.exe
    3⤵
    PID:5224
  - - C:\Users\Admin\AppData\Local\Temp\Unicorn-10590.exe
      C:\Users\Admin\AppData\Local\Temp\Unicorn-10590.exe
      4⤵
      PID:6124
  - - C:\Users\Admin\AppData\Local\Temp\Unicorn-65109.exe
      C:\Users\Admin\AppData\Local\Temp\Unicorn-65109.exe
      4⤵
      PID:8824
  - - C:\Users\Admin\AppData\Local\Temp\Unicorn-32350.exe
      C:\Users\Admin\AppData\Local\Temp\Unicorn-32350.exe
      4⤵
      PID:8144
  - - C:\Users\Admin\AppData\Local\Temp\Unicorn-18656.exe
      C:\Users\Admin\AppData\Local\Temp\Unicorn-18656.exe
      4⤵
      PID:14536
  - - C:\Users\Admin\AppData\Local\Temp\Unicorn-65442.exe
      C:\Users\Admin\AppData\Local\Temp\Unicorn-65442.exe
      4⤵
      PID:5284
  - - C:\Users\Admin\AppData\Local\Temp\Unicorn-63011.exe
      C:\Users\Admin\AppData\Local\Temp\Unicorn-63011.exe
      4⤵
      PID:16340
- - C:\Users\Admin\AppData\Local\Temp\Unicorn-61508.exe
    C:\Users\Admin\AppData\Local\Temp\Unicorn-61508.exe
    3⤵
    PID:6404
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 6404 -s 624
      4⤵
      Program crash
      PID:9632
- - C:\Users\Admin\AppData\Local\Temp\Unicorn-27302.exe
    C:\Users\Admin\AppData\Local\Temp\Unicorn-27302.exe
    3⤵
    PID:8252
- - C:\Users\Admin\AppData\Local\Temp\Unicorn-11739.exe
    C:\Users\Admin\AppData\Local\Temp\Unicorn-11739.exe
    3⤵
    PID:2960
- - C:\Users\Admin\AppData\Local\Temp\Unicorn-61710.exe
    C:\Users\Admin\AppData\Local\Temp\Unicorn-61710.exe
    3⤵
    PID:13720
- - C:\Users\Admin\AppData\Local\Temp\Unicorn-24943.exe
    C:\Users\Admin\AppData\Local\Temp\Unicorn-24943.exe
    3⤵
    PID:15076
- C:\Users\Admin\AppData\Local\Temp\Unicorn-9094.exe
  C:\Users\Admin\AppData\Local\Temp\Unicorn-9094.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:716
- - C:\Users\Admin\AppData\Local\Temp\Unicorn-31151.exe
    C:\Users\Admin\AppData\Local\Temp\Unicorn-31151.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    PID:4840
  - - C:\Users\Admin\AppData\Local\Temp\Unicorn-12650.exe
      C:\Users\Admin\AppData\Local\Temp\Unicorn-12650.exe
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious use of SetWindowsHookEx
      PID:4836
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4836 -s 636
        5⤵
        Program crash
        
        PID:5672
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4836 -s 660
        5⤵
        Program crash
        
        PID:5780
  - - C:\Users\Admin\AppData\Local\Temp\Unicorn-50284.exe
      C:\Users\Admin\AppData\Local\Temp\Unicorn-50284.exe
      4⤵
      PID:932
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 932 -s 636
        5⤵
        Program crash
        
        PID:5508
  - - C:\Users\Admin\AppData\Local\Temp\Unicorn-27942.exe
      C:\Users\Admin\AppData\Local\Temp\Unicorn-27942.exe
      4⤵
      PID:5744
- - C:\Users\Admin\AppData\Local\Temp\Unicorn-39847.exe
    C:\Users\Admin\AppData\Local\Temp\Unicorn-39847.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    PID:1396
  - - C:\Users\Admin\AppData\Local\Temp\Unicorn-26787.exe
      C:\Users\Admin\AppData\Local\Temp\Unicorn-26787.exe
      4⤵
      PID:1948
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1948 -s 632
        5⤵
        Program crash
        
        PID:5616
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 1396 -s 744
      4⤵
      Program crash
      PID:5784
- - C:\Users\Admin\AppData\Local\Temp\Unicorn-64211.exe
    C:\Users\Admin\AppData\Local\Temp\Unicorn-64211.exe
    3⤵
    PID:4960
  - - C:\Users\Admin\AppData\Local\Temp\Unicorn-62147.exe
      C:\Users\Admin\AppData\Local\Temp\Unicorn-62147.exe
      4⤵
      PID:5476
    - - C:\Users\Admin\AppData\Local\Temp\Unicorn-45147.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-45147.exe
        5⤵
        
        PID:6756
      - C:\Users\Admin\AppData\Local\Temp\Unicorn-40067.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-40067.exe
        6⤵
        
        PID:9992
      - C:\Users\Admin\AppData\Local\Temp\Unicorn-34129.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-34129.exe
        6⤵
        
        PID:11368
    - - C:\Users\Admin\AppData\Local\Temp\Unicorn-61348.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-61348.exe
        5⤵
        
        PID:8052
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 8052 -s 720
        6⤵
        
        PID:1676
    - - C:\Users\Admin\AppData\Local\Temp\Unicorn-17792.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-17792.exe
        5⤵
        
        PID:9220
    - - C:\Users\Admin\AppData\Local\Temp\Unicorn-35604.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-35604.exe
        5⤵
        
        PID:11572
    - - C:\Users\Admin\AppData\Local\Temp\Unicorn-53467.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-53467.exe
        5⤵
        
        PID:14636
  - - C:\Users\Admin\AppData\Local\Temp\Unicorn-35308.exe
      C:\Users\Admin\AppData\Local\Temp\Unicorn-35308.exe
      4⤵
      PID:10100
    - - C:\Users\Admin\AppData\Local\Temp\Unicorn-34935.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-34935.exe
        5⤵
        
        PID:14584
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 4960 -s 508
      4⤵
      PID:14256
- - C:\Users\Admin\AppData\Local\Temp\Unicorn-63034.exe
    C:\Users\Admin\AppData\Local\Temp\Unicorn-63034.exe
    3⤵
    PID:5904
- - C:\Users\Admin\AppData\Local\Temp\Unicorn-45773.exe
    C:\Users\Admin\AppData\Local\Temp\Unicorn-45773.exe
    3⤵
    PID:8476
  - - C:\Users\Admin\AppData\Local\Temp\Unicorn-55879.exe
      C:\Users\Admin\AppData\Local\Temp\Unicorn-55879.exe
      4⤵
      PID:12380
  - - C:\Users\Admin\AppData\Local\Temp\Unicorn-60212.exe
      C:\Users\Admin\AppData\Local\Temp\Unicorn-60212.exe
      4⤵
      PID:5392
- - C:\Users\Admin\AppData\Local\Temp\Unicorn-59025.exe
    C:\Users\Admin\AppData\Local\Temp\Unicorn-59025.exe
    3⤵
    PID:7748
- - C:\Users\Admin\AppData\Local\Temp\Unicorn-5824.exe
    C:\Users\Admin\AppData\Local\Temp\Unicorn-5824.exe
    3⤵
    PID:14436
- C:\Users\Admin\AppData\Local\Temp\Unicorn-24664.exe
  C:\Users\Admin\AppData\Local\Temp\Unicorn-24664.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  PID:2044
- - C:\Users\Admin\AppData\Local\Temp\Unicorn-6620.exe
    C:\Users\Admin\AppData\Local\Temp\Unicorn-6620.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    PID:2688
  - - C:\Users\Admin\AppData\Local\Temp\Unicorn-33393.exe
      C:\Users\Admin\AppData\Local\Temp\Unicorn-33393.exe
      4⤵
      PID:2680
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2680 -s 636
        5⤵
        Program crash
        
        PID:5848
  - - C:\Users\Admin\AppData\Local\Temp\Unicorn-24321.exe
      C:\Users\Admin\AppData\Local\Temp\Unicorn-24321.exe
      4⤵
      PID:6172
- - C:\Users\Admin\AppData\Local\Temp\Unicorn-1083.exe
    C:\Users\Admin\AppData\Local\Temp\Unicorn-1083.exe
    3⤵
    PID:860
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 860 -s 644
      4⤵
      Program crash
      PID:4328
- C:\Users\Admin\AppData\Local\Temp\Unicorn-3720.exe
  C:\Users\Admin\AppData\Local\Temp\Unicorn-3720.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  PID:2648
- - C:\Users\Admin\AppData\Local\Temp\Unicorn-6942.exe
    C:\Users\Admin\AppData\Local\Temp\Unicorn-6942.exe
    3⤵
    PID:208
  - - C:\Users\Admin\AppData\Local\Temp\Unicorn-38219.exe
      C:\Users\Admin\AppData\Local\Temp\Unicorn-38219.exe
      4⤵
      PID:5392
    - - C:\Users\Admin\AppData\Local\Temp\Unicorn-21027.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-21027.exe
        5⤵
        
        PID:988
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 988 -s 640
        6⤵
        Program crash
        
        PID:11232
  - - C:\Users\Admin\AppData\Local\Temp\Unicorn-8343.exe
      C:\Users\Admin\AppData\Local\Temp\Unicorn-8343.exe
      4⤵
      PID:7428
    - - C:\Users\Admin\AppData\Local\Temp\Unicorn-59563.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-59563.exe
        5⤵
        
        PID:9480
    - - C:\Users\Admin\AppData\Local\Temp\Unicorn-47560.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-47560.exe
        5⤵
        
        PID:10452
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 208 -s 752
      4⤵
      Program crash
      PID:11448
- - C:\Users\Admin\AppData\Local\Temp\Unicorn-54316.exe
    C:\Users\Admin\AppData\Local\Temp\Unicorn-54316.exe
    3⤵
    PID:5892
- - C:\Users\Admin\AppData\Local\Temp\Unicorn-38773.exe
    C:\Users\Admin\AppData\Local\Temp\Unicorn-38773.exe
    3⤵
    PID:4752
  - - C:\Users\Admin\AppData\Local\Temp\Unicorn-64571.exe
      C:\Users\Admin\AppData\Local\Temp\Unicorn-64571.exe
      4⤵
      PID:9980
    - - C:\Users\Admin\AppData\Local\Temp\Unicorn-60425.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-60425.exe
        5⤵
        
        PID:15416
    - - C:\Users\Admin\AppData\Local\Temp\Unicorn-50238.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-50238.exe
        5⤵
        
        PID:7632
    - - C:\Users\Admin\AppData\Local\Temp\Unicorn-59059.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-59059.exe
        5⤵
        
        PID:15496
  - - C:\Users\Admin\AppData\Local\Temp\Unicorn-40351.exe
      C:\Users\Admin\AppData\Local\Temp\Unicorn-40351.exe
      4⤵
      PID:11352
  - - C:\Users\Admin\AppData\Local\Temp\Unicorn-29276.exe
      C:\Users\Admin\AppData\Local\Temp\Unicorn-29276.exe
      4⤵
      PID:8844
- - C:\Users\Admin\AppData\Local\Temp\Unicorn-25858.exe
    C:\Users\Admin\AppData\Local\Temp\Unicorn-25858.exe
    3⤵
    PID:8736
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 8736 -s 636
      4⤵
      PID:16000
- - C:\Users\Admin\AppData\Local\Temp\Unicorn-38074.exe
    C:\Users\Admin\AppData\Local\Temp\Unicorn-38074.exe
    3⤵
    PID:3152
- - C:\Users\Admin\AppData\Local\Temp\Unicorn-10289.exe
    C:\Users\Admin\AppData\Local\Temp\Unicorn-10289.exe
    3⤵
    PID:13876
- C:\Users\Admin\AppData\Local\Temp\Unicorn-34569.exe
  C:\Users\Admin\AppData\Local\Temp\Unicorn-34569.exe
  2⤵
  PID:3296
- - C:\Users\Admin\AppData\Local\Temp\Unicorn-8260.exe
    C:\Users\Admin\AppData\Local\Temp\Unicorn-8260.exe
    3⤵
    PID:5220
- - C:\Users\Admin\AppData\Local\Temp\Unicorn-3874.exe
    C:\Users\Admin\AppData\Local\Temp\Unicorn-3874.exe
    3⤵
    PID:5056
  - - C:\Users\Admin\AppData\Local\Temp\Unicorn-61717.exe
      C:\Users\Admin\AppData\Local\Temp\Unicorn-61717.exe
      4⤵
      PID:11304
  - - C:\Users\Admin\AppData\Local\Temp\Unicorn-26579.exe
      C:\Users\Admin\AppData\Local\Temp\Unicorn-26579.exe
      4⤵
      PID:14996
- - C:\Users\Admin\AppData\Local\Temp\Unicorn-59585.exe
    C:\Users\Admin\AppData\Local\Temp\Unicorn-59585.exe
    3⤵
    PID:13036
- - C:\Users\Admin\AppData\Local\Temp\Unicorn-24845.exe
    C:\Users\Admin\AppData\Local\Temp\Unicorn-24845.exe
    3⤵
    PID:15280
- - C:\Users\Admin\AppData\Local\Temp\Unicorn-32539.exe
    C:\Users\Admin\AppData\Local\Temp\Unicorn-32539.exe
    3⤵
    PID:7188
- C:\Users\Admin\AppData\Local\Temp\Unicorn-54261.exe
  C:\Users\Admin\AppData\Local\Temp\Unicorn-54261.exe
  2⤵
  PID:464
- C:\Users\Admin\AppData\Local\Temp\Unicorn-34214.exe
  C:\Users\Admin\AppData\Local\Temp\Unicorn-34214.exe
  2⤵
  PID:5548
- C:\Users\Admin\AppData\Local\Temp\Unicorn-60862.exe
  C:\Users\Admin\AppData\Local\Temp\Unicorn-60862.exe
  2⤵
  PID:8552
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 8552 -s 636
    3⤵
    PID:15528
- C:\Users\Admin\AppData\Local\Temp\Unicorn-1549.exe
  C:\Users\Admin\AppData\Local\Temp\Unicorn-1549.exe
  2⤵
  PID:10948
- C:\Users\Admin\AppData\Local\Temp\Unicorn-33974.exe
  C:\Users\Admin\AppData\Local\Temp\Unicorn-33974.exe
  2⤵
  PID:12972

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 2276 -ip 2276
1⤵
PID:4068

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 432 -p 4836 -ip 4836
1⤵
PID:1636

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 540 -p 1948 -ip 1948
1⤵
PID:5448

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 572 -p 2276 -ip 2276
1⤵
PID:5880

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 432 -p 4836 -ip 4836
1⤵
PID:5732

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 480 -p 860 -ip 860
1⤵
PID:6120

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 592 -p 2680 -ip 2680
1⤵
PID:3356

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 620 -p 932 -ip 932
1⤵
PID:5520

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 608 -p 1396 -ip 1396
1⤵
PID:5852

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 660 -p 5264 -ip 5264
1⤵
PID:5876

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 700 -p 5124 -ip 5124
1⤵
PID:3548

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 656 -p 932 -ip 932
1⤵
PID:5568

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 632 -p 1948 -ip 1948
1⤵
PID:5752

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 560 -p 2364 -ip 2364
1⤵
PID:988

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 540 -p 5264 -ip 5264
1⤵
PID:5736

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 740 -p 2044 -ip 2044
1⤵
PID:6224

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 656 -p 5124 -ip 5124
1⤵
PID:6316

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 412 -p 3720 -ip 3720
1⤵
PID:6360

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 756 -p 2364 -ip 2364
1⤵
PID:6596

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 608 -p 3720 -ip 3720
1⤵
PID:6672

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 632 -p 2044 -ip 2044
1⤵
PID:6688

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 744 -p 4456 -ip 4456
1⤵
PID:6844

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 560 -p 6128 -ip 6128
1⤵
PID:6868

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 524 -p 1988 -ip 1988
1⤵
PID:6576

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 504 -p 3628 -ip 3628
1⤵
PID:6624

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 460 -p 5420 -ip 5420
1⤵
PID:6464

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 740 -p 5840 -ip 5840
1⤵
PID:7556

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 588 -p 6108 -ip 6108
1⤵
PID:7400

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 412 -p 1824 -ip 1824
1⤵
PID:7632

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 764 -p 5236 -ip 5236
1⤵
PID:7756

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 728 -p 5608 -ip 5608
1⤵
PID:7840

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 584 -p 1020 -ip 1020
1⤵
PID:7872

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 796 -p 5300 -ip 5300
1⤵
PID:7928

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 724 -p 3708 -ip 3708
1⤵
PID:7936

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 792 -p 3144 -ip 3144
1⤵
PID:7952

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 668 -p 4224 -ip 4224
1⤵
PID:8064

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 660 -p 3096 -ip 3096
1⤵
PID:8116

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 940 -p 5420 -ip 5420
1⤵
PID:6628

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 992 -p 5332 -ip 5332
1⤵
PID:5852

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 700 -p 5744 -ip 5744
1⤵
PID:7848

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 924 -p 6156 -ip 6156
1⤵
PID:8068

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 1040 -p 6172 -ip 6172
1⤵
PID:2260

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 828 -p 6276 -ip 6276
1⤵
PID:5384

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 968 -p 5904 -ip 5904
1⤵
PID:7832

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 588 -p 5608 -ip 5608
1⤵
PID:5408

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 740 -p 1824 -ip 1824
1⤵
PID:3628

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 752 -p 5300 -ip 5300
1⤵
PID:5252

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 944 -p 6016 -ip 6016
1⤵
PID:1568

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 888 -p 4224 -ip 4224
1⤵
PID:7760

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 864 -p 2688 -ip 2688
1⤵
PID:8312

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 1092 -p 5744 -ip 5744
1⤵
PID:8568

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 1088 -p 6172 -ip 6172
1⤵
PID:9056

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 1096 -p 6276 -ip 6276
1⤵
PID:9120

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 784 -p 5904 -ip 5904
1⤵
PID:9192

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 1052 -p 5916 -ip 5916
1⤵
PID:2276

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 660 -p 5184 -ip 5184
1⤵
PID:6020

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 804 -p 6080 -ip 6080
1⤵
PID:8484

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 548 -p 2476 -ip 2476
1⤵
PID:5924

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 836 -p 2488 -ip 2488
1⤵
PID:7032

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 944 -p 2060 -ip 2060
1⤵
PID:7832

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 856 -p 5220 -ip 5220
1⤵
PID:8512

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 708 -p 5436 -ip 5436
1⤵
PID:8720

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 736 -p 5272 -ip 5272
1⤵
PID:8684

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 876 -p 2020 -ip 2020
1⤵
PID:7388

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 600 -p 5864 -ip 5864
1⤵
PID:7920

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 1080 -p 3600 -ip 3600
1⤵
PID:8708

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 712 -p 2136 -ip 2136
1⤵
PID:8804

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 944 -p 4824 -ip 4824
1⤵
PID:8908

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 804 -p 5192 -ip 5192
1⤵
PID:8436

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 824 -p 32 -ip 32
1⤵
PID:9032

C:\Users\Admin\AppData\Local\Temp\Unicorn-38183.exe
C:\Users\Admin\AppData\Local\Temp\Unicorn-38183.exe
1⤵
PID:5932
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 5932 -s 636
  2⤵
  PID:14064

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 1068 -p 3236 -ip 3236
1⤵
PID:4252

C:\Users\Admin\AppData\Local\Temp\Unicorn-42075.exe
C:\Users\Admin\AppData\Local\Temp\Unicorn-42075.exe
1⤵
PID:7964
- C:\Users\Admin\AppData\Local\Temp\Unicorn-36995.exe
  C:\Users\Admin\AppData\Local\Temp\Unicorn-36995.exe
  2⤵
  PID:11720

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 1096 -p 5392 -ip 5392
1⤵
PID:7564

C:\Users\Admin\AppData\Local\Temp\Unicorn-50819.exe
C:\Users\Admin\AppData\Local\Temp\Unicorn-50819.exe
1⤵
PID:2176
- C:\Users\Admin\AppData\Local\Temp\Unicorn-10456.exe
  C:\Users\Admin\AppData\Local\Temp\Unicorn-10456.exe
  2⤵
  PID:14384

C:\Users\Admin\AppData\Local\Temp\Unicorn-1618.exe
C:\Users\Admin\AppData\Local\Temp\Unicorn-1618.exe
1⤵
PID:3348
- C:\Users\Admin\AppData\Local\Temp\Unicorn-63663.exe
  C:\Users\Admin\AppData\Local\Temp\Unicorn-63663.exe
  2⤵
  PID:9804

C:\Users\Admin\AppData\Local\Temp\Unicorn-56849.exe
C:\Users\Admin\AppData\Local\Temp\Unicorn-56849.exe
1⤵
PID:8668
- C:\Users\Admin\AppData\Local\Temp\Unicorn-55687.exe
  C:\Users\Admin\AppData\Local\Temp\Unicorn-55687.exe
  2⤵
  PID:2652
- C:\Users\Admin\AppData\Local\Temp\Unicorn-129.exe
  C:\Users\Admin\AppData\Local\Temp\Unicorn-129.exe
  2⤵
  PID:14616

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 536 -p 6404 -ip 6404
1⤵
PID:8648

C:\Users\Admin\AppData\Local\Temp\Unicorn-13870.exe
C:\Users\Admin\AppData\Local\Temp\Unicorn-13870.exe
1⤵
PID:8972

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 656 -p 2688 -ip 2688
1⤵
PID:6436

C:\Users\Admin\AppData\Local\Temp\Unicorn-52765.exe
C:\Users\Admin\AppData\Local\Temp\Unicorn-52765.exe
1⤵
PID:6172

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 580 -p 3864 -ip 3864
1⤵
PID:9556

C:\Users\Admin\AppData\Local\Temp\Unicorn-2962.exe
C:\Users\Admin\AppData\Local\Temp\Unicorn-2962.exe
1⤵
PID:9652

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 996 -p 5916 -ip 5916
1⤵
PID:9896

C:\Users\Admin\AppData\Local\Temp\Unicorn-9340.exe
C:\Users\Admin\AppData\Local\Temp\Unicorn-9340.exe
1⤵
PID:10004

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 1064 -p 6080 -ip 6080
1⤵
PID:10092

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 960 -p 5184 -ip 5184
1⤵
PID:10160

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 1140 -p 2060 -ip 2060
1⤵
PID:9660

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 1188 -p 5220 -ip 5220
1⤵
PID:9764

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 1064 -p 5436 -ip 5436
1⤵
PID:9796

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 976 -p 5272 -ip 5272
1⤵
PID:9968

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 1128 -p 6028 -ip 6028
1⤵
PID:4228

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 604 -p 5864 -ip 5864
1⤵
PID:7196

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 780 -p 2020 -ip 2020
1⤵
PID:9124

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 7044 -s 636
1⤵
- Program crash
PID:10616

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 680 -p 7292 -ip 7292
1⤵
PID:10632

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 736 -p 6988 -ip 6988
1⤵
PID:10836

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 580 -p 2136 -ip 2136
1⤵
PID:11028

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 7100 -s 648
1⤵
- Program crash
PID:11196

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 752 -p 6536 -ip 6536
1⤵
PID:11216

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 7256 -s 724
1⤵
- Program crash
PID:11240

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 784 -p 5616 -ip 5616
1⤵
PID:11248

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 828 -p 7056 -ip 7056
1⤵
PID:9708

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 1208 -p 6260 -ip 6260
1⤵
PID:3420

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 748 -p 5192 -ip 5192
1⤵
PID:2108

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 6888 -s 636
1⤵
- Program crash
PID:2140

C:\Users\Admin\AppData\Local\Temp\Unicorn-6958.exe
C:\Users\Admin\AppData\Local\Temp\Unicorn-6958.exe
1⤵
PID:7196

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 536 -p 7132 -ip 7132
1⤵
PID:9804

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 572 -p 32 -ip 32
1⤵
PID:10360

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 940 -p 4824 -ip 4824
1⤵
PID:9720

C:\Users\Admin\AppData\Local\Temp\Unicorn-2080.exe
C:\Users\Admin\AppData\Local\Temp\Unicorn-2080.exe
1⤵
PID:7144

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 580 -p 3600 -ip 3600
1⤵
PID:4572

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 1172 -p 6448 -ip 6448
1⤵
PID:8728

C:\Users\Admin\AppData\Local\Temp\Unicorn-6164.exe
C:\Users\Admin\AppData\Local\Temp\Unicorn-6164.exe
1⤵
PID:5276

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 752 -p 5928 -ip 5928
1⤵
PID:1944

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 1192 -p 6228 -ip 6228
1⤵
PID:10440

C:\Users\Admin\AppData\Local\Temp\Unicorn-12749.exe
C:\Users\Admin\AppData\Local\Temp\Unicorn-12749.exe
1⤵
PID:10520
- C:\Users\Admin\AppData\Local\Temp\Unicorn-56891.exe
  C:\Users\Admin\AppData\Local\Temp\Unicorn-56891.exe
  2⤵
  PID:14184
- C:\Users\Admin\AppData\Local\Temp\Unicorn-38525.exe
  C:\Users\Admin\AppData\Local\Temp\Unicorn-38525.exe
  2⤵
  PID:15436

C:\Users\Admin\AppData\Local\Temp\Unicorn-2443.exe
C:\Users\Admin\AppData\Local\Temp\Unicorn-2443.exe
1⤵
PID:8924

C:\Users\Admin\AppData\Local\Temp\Unicorn-4581.exe
C:\Users\Admin\AppData\Local\Temp\Unicorn-4581.exe
1⤵
PID:3668

C:\Users\Admin\AppData\Local\Temp\Unicorn-1888.exe
C:\Users\Admin\AppData\Local\Temp\Unicorn-1888.exe
1⤵
PID:10360

C:\Users\Admin\AppData\Local\Temp\Unicorn-39967.exe
C:\Users\Admin\AppData\Local\Temp\Unicorn-39967.exe
1⤵
PID:6236

C:\Users\Admin\AppData\Local\Temp\Unicorn-12194.exe
C:\Users\Admin\AppData\Local\Temp\Unicorn-12194.exe
1⤵
PID:2952

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 548 -p 5720 -ip 5720
1⤵
PID:11380

C:\Users\Admin\AppData\Local\Temp\Unicorn-46922.exe
C:\Users\Admin\AppData\Local\Temp\Unicorn-46922.exe
1⤵
PID:11500

C:\Users\Admin\AppData\Local\Temp\Unicorn-29085.exe
C:\Users\Admin\AppData\Local\Temp\Unicorn-29085.exe
1⤵
PID:11544

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 1004 -p 7036 -ip 7036
1⤵
PID:11692

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 864 -p 5856 -ip 5856
1⤵
PID:11940

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 7796 -s 636
1⤵
- Program crash
PID:11980

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 7128 -s 636
1⤵
- Program crash
PID:11996

C:\Users\Admin\AppData\Local\Temp\Unicorn-51644.exe
C:\Users\Admin\AppData\Local\Temp\Unicorn-51644.exe
1⤵
PID:12080

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 712 -p 6124 -ip 6124
1⤵
PID:12104

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 600 -p 464 -ip 464
1⤵
PID:12152

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 540 -p 5304 -ip 5304
1⤵
PID:12212

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 640 -p 5364 -ip 5364
1⤵
PID:12220

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 756 -p 5404 -ip 5404
1⤵
PID:10192

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 1068 -p 6000 -ip 6000
1⤵
PID:6008

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 1304 -p 5892 -ip 5892
1⤵
PID:2108

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 1192 -p 6848 -ip 6848
1⤵
PID:1388

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 780 -p 6284 -ip 6284
1⤵
PID:4724

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 724 -p 7152 -ip 7152
1⤵
PID:10636

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 600 -p 7044 -ip 7044
1⤵
PID:11276

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 972 -p 5392 -ip 5392
1⤵
PID:11328

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 1200 -p 7180 -ip 7180
1⤵
PID:11348

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 1312 -p 2272 -ip 2272
1⤵
PID:11508

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 736 -p 4840 -ip 4840
1⤵
PID:3032

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 1100 -p 6128 -ip 6128
1⤵
PID:12092

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 864 -p 5356 -ip 5356
1⤵
PID:11828

C:\Users\Admin\AppData\Local\Temp\Unicorn-22247.exe
C:\Users\Admin\AppData\Local\Temp\Unicorn-22247.exe
1⤵
PID:3400

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 1172 -p 7420 -ip 7420
1⤵
PID:5076

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 1224 -p 6940 -ip 6940
1⤵
PID:2732

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 1324 -p 7020 -ip 7020
1⤵
PID:11724

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 752 -p 6700 -ip 6700
1⤵
PID:4736

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 1308 -p 7356 -ip 7356
1⤵
PID:12156

C:\Users\Admin\AppData\Local\Temp\Unicorn-49465.exe
C:\Users\Admin\AppData\Local\Temp\Unicorn-49465.exe
1⤵
PID:5680

C:\Users\Admin\AppData\Local\Temp\Unicorn-51603.exe
C:\Users\Admin\AppData\Local\Temp\Unicorn-51603.exe
1⤵
PID:10192

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 1340 -p 6736 -ip 6736
1⤵
PID:6008

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 756 -p 7256 -ip 7256
1⤵
PID:3300

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 1052 -p 5752 -ip 5752
1⤵
PID:11408

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 580 -p 7100 -ip 7100
1⤵
PID:2912

C:\Users\Admin\AppData\Local\Temp\Unicorn-14462.exe
C:\Users\Admin\AppData\Local\Temp\Unicorn-14462.exe
1⤵
PID:9204

C:\Users\Admin\AppData\Local\Temp\Unicorn-47327.exe
C:\Users\Admin\AppData\Local\Temp\Unicorn-47327.exe
1⤵
PID:2732
- C:\Users\Admin\AppData\Local\Temp\Unicorn-40939.exe
  C:\Users\Admin\AppData\Local\Temp\Unicorn-40939.exe
  2⤵
  PID:15748

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 6828 -s 628
1⤵
- Program crash
PID:12092

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 504 -p 5824 -ip 5824
1⤵
PID:5668

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 588 -p 988 -ip 988
1⤵
PID:9048

C:\Users\Admin\AppData\Local\Temp\Unicorn-648.exe
C:\Users\Admin\AppData\Local\Temp\Unicorn-648.exe
1⤵
PID:12292
- C:\Users\Admin\AppData\Local\Temp\Unicorn-17805.exe
  C:\Users\Admin\AppData\Local\Temp\Unicorn-17805.exe
  2⤵
  PID:15948

C:\Users\Admin\AppData\Local\Temp\Unicorn-35459.exe
C:\Users\Admin\AppData\Local\Temp\Unicorn-35459.exe
1⤵
PID:12392

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 6244 -s 632
1⤵
- Program crash
PID:12480

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 1312 -p 4056 -ip 4056
1⤵
PID:12592

C:\Users\Admin\AppData\Local\Temp\Unicorn-20061.exe
C:\Users\Admin\AppData\Local\Temp\Unicorn-20061.exe
1⤵
PID:12704

C:\Users\Admin\AppData\Local\Temp\Unicorn-20061.exe
C:\Users\Admin\AppData\Local\Temp\Unicorn-20061.exe
1⤵
PID:12720

C:\Users\Admin\AppData\Local\Temp\Unicorn-20061.exe
C:\Users\Admin\AppData\Local\Temp\Unicorn-20061.exe
1⤵
PID:12712

C:\Users\Admin\AppData\Local\Temp\Unicorn-48650.exe
C:\Users\Admin\AppData\Local\Temp\Unicorn-48650.exe
1⤵
PID:12784

C:\Users\Admin\AppData\Local\Temp\Unicorn-11701.exe
C:\Users\Admin\AppData\Local\Temp\Unicorn-11701.exe
1⤵
PID:12808

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 912 -p 6148 -ip 6148
1⤵
PID:12876

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 1040 -p 1572 -ip 1572
1⤵
PID:13080

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 556 -p 6888 -ip 6888
1⤵
PID:13156

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 896 -p 3144 -ip 3144
1⤵
PID:13284

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 1172 -p 1988 -ip 1988
1⤵
PID:5344

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 1360 -p 6092 -ip 6092
1⤵
PID:1156

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 1372 -p 1868 -ip 1868
1⤵
PID:12244

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 764 -p 5132 -ip 5132
1⤵
PID:12212

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 1068 -p 5860 -ip 5860
1⤵
PID:11348

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 7072 -s 656
1⤵
PID:12880

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 7084 -s 652
1⤵
PID:13200

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 9036 -s 636
1⤵
PID:1592

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 6972 -s 656
1⤵
PID:11724

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 6960 -s 648
1⤵
PID:13160

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 8024 -s 716
1⤵
PID:12152

C:\Users\Admin\AppData\Local\Temp\Unicorn-14820.exe
C:\Users\Admin\AppData\Local\Temp\Unicorn-14820.exe
1⤵
PID:5948

C:\Users\Admin\AppData\Local\Temp\Unicorn-60492.exe
C:\Users\Admin\AppData\Local\Temp\Unicorn-60492.exe
1⤵
PID:12648

C:\Users\Admin\AppData\Local\Temp\Unicorn-22989.exe
C:\Users\Admin\AppData\Local\Temp\Unicorn-22989.exe
1⤵
PID:12732

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 6680 -s 736
1⤵
PID:13260

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 1296 -p 2352 -ip 2352
1⤵
PID:13320

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4980 -s 752
1⤵
- Program crash
PID:13348

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 7008 -s 616
1⤵
- Program crash
PID:13384

C:\Users\Admin\AppData\Local\Temp\Unicorn-6029.exe
C:\Users\Admin\AppData\Local\Temp\Unicorn-6029.exe
1⤵
PID:13468

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 1368 -p 208 -ip 208
1⤵
PID:13492

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 1220 -p 7244 -ip 7244
1⤵
PID:13640

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 8396 -s 632
1⤵
PID:14056

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 900 -p 404 -ip 404
1⤵
PID:14100

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 1076 -p 7004 -ip 7004
1⤵
PID:14108

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 836 -p 5640 -ip 5640
1⤵
PID:14184

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 6156 -s 636
1⤵
PID:14272

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 8080 -s 636
1⤵
PID:14296

C:\Users\Admin\AppData\Local\Temp\Unicorn-41629.exe
C:\Users\Admin\AppData\Local\Temp\Unicorn-41629.exe
1⤵
PID:12528

C:\Users\Admin\AppData\Local\Temp\Unicorn-43667.exe
C:\Users\Admin\AppData\Local\Temp\Unicorn-43667.exe
1⤵
PID:3744

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1712 -s 652
1⤵
PID:12300

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 8612 -s 660
1⤵
PID:11348

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 8088 -s 632
1⤵
PID:6312

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 7348 -s 636
1⤵
PID:5344

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 6956 -s 660
1⤵
PID:3088

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 536 -p 2616 -ip 2616
1⤵
PID:2912

C:\Users\Admin\AppData\Local\Temp\Unicorn-15541.exe
C:\Users\Admin\AppData\Local\Temp\Unicorn-15541.exe
1⤵
PID:6552

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 672 -p 5700 -ip 5700
1⤵
PID:13868

C:\Users\Admin\AppData\Local\Temp\Unicorn-21108.exe
C:\Users\Admin\AppData\Local\Temp\Unicorn-21108.exe
1⤵
PID:6864

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 1336 -p 8504 -ip 8504
1⤵
PID:2576

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 972 -p 6828 -ip 6828
1⤵
PID:7176

C:\Users\Admin\AppData\Local\Temp\Unicorn-52183.exe
C:\Users\Admin\AppData\Local\Temp\Unicorn-52183.exe
1⤵
PID:13980

C:\Users\Admin\AppData\Local\Temp\Unicorn-21456.exe
C:\Users\Admin\AppData\Local\Temp\Unicorn-21456.exe
1⤵
PID:12112

C:\Users\Admin\AppData\Local\Temp\Unicorn-29624.exe
C:\Users\Admin\AppData\Local\Temp\Unicorn-29624.exe
1⤵
PID:14424

C:\Users\Admin\AppData\Local\Temp\Unicorn-52183.exe
C:\Users\Admin\AppData\Local\Temp\Unicorn-52183.exe
1⤵
PID:14520

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 536 -p 7876 -ip 7876
1⤵
PID:14676

C:\Users\Admin\AppData\Local\Temp\Unicorn-26771.exe
C:\Users\Admin\AppData\Local\Temp\Unicorn-26771.exe
1⤵
PID:14720

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 888 -p 6244 -ip 6244
1⤵
PID:14820

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 936 -p 6840 -ip 6840
1⤵
PID:14828

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 520 -p 3708 -ip 3708
1⤵
PID:14940

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 660 -p 6056 -ip 6056
1⤵
PID:15052

C:\Users\Admin\AppData\Local\Temp\Unicorn-41545.exe
C:\Users\Admin\AppData\Local\Temp\Unicorn-41545.exe
1⤵
PID:15148

C:\Users\Admin\AppData\Local\Temp\Unicorn-55744.exe
C:\Users\Admin\AppData\Local\Temp\Unicorn-55744.exe
1⤵
PID:15212

C:\Users\Admin\AppData\Local\Temp\Unicorn-25017.exe
C:\Users\Admin\AppData\Local\Temp\Unicorn-25017.exe
1⤵
PID:15224

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 560 -p 7800 -ip 7800
1⤵
PID:13928

C:\Users\Admin\AppData\Local\Temp\Unicorn-8410.exe
C:\Users\Admin\AppData\Local\Temp\Unicorn-8410.exe
1⤵
PID:13284

C:\Users\Admin\AppData\Local\Temp\Unicorn-30776.exe
C:\Users\Admin\AppData\Local\Temp\Unicorn-30776.exe
1⤵
PID:14692

C:\Users\Admin\AppData\Local\Temp\Unicorn-49827.exe
C:\Users\Admin\AppData\Local\Temp\Unicorn-49827.exe
1⤵
PID:1516

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 1336 -p 7752 -ip 7752
1⤵
PID:14584

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 9068 -s 632
1⤵
PID:15028

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 8200 -s 632
1⤵
PID:6932

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 1372 -p 7468 -ip 7468
1⤵
PID:9244

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 1156 -p 6440 -ip 6440
1⤵
PID:14916

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 968 -p 1136 -ip 1136
1⤵
PID:14988

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 1304 -p 6680 -ip 6680
1⤵
PID:15144

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 1000 -p 7500 -ip 7500
1⤵
PID:6580

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 932 -p 7072 -ip 7072
1⤵
PID:14556

C:\Users\Admin\AppData\Local\Temp\Unicorn-29699.exe
C:\Users\Admin\AppData\Local\Temp\Unicorn-29699.exe
1⤵
PID:15428

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 1056 -p 7300 -ip 7300
1⤵
PID:15484

C:\Users\Admin\AppData\Local\Temp\Unicorn-13362.exe
C:\Users\Admin\AppData\Local\Temp\Unicorn-13362.exe
1⤵
PID:15536

C:\Users\Admin\AppData\Local\Temp\Unicorn-64509.exe
C:\Users\Admin\AppData\Local\Temp\Unicorn-64509.exe
1⤵
PID:15556

C:\Users\Admin\AppData\Local\Temp\Unicorn-37675.exe
C:\Users\Admin\AppData\Local\Temp\Unicorn-37675.exe
1⤵
PID:15580

C:\Users\Admin\AppData\Local\Temp\Unicorn-31645.exe
C:\Users\Admin\AppData\Local\Temp\Unicorn-31645.exe
1⤵
PID:15676

C:\Users\Admin\AppData\Local\Temp\Unicorn-24607.exe
C:\Users\Admin\AppData\Local\Temp\Unicorn-24607.exe
1⤵
PID:15752

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 592 -p 6772 -ip 6772
1⤵
PID:15776

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 1316 -p 6168 -ip 6168
1⤵
PID:15784

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 9392 -s 640
1⤵
PID:16008

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 888 -p 3920 -ip 3920
1⤵
PID:16028

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 1392 -p 428 -ip 428
1⤵
PID:16172

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 1372 -p 7084 -ip 7084
1⤵
PID:16228

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 580 -p 4980 -ip 4980
1⤵
PID:16236

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 1320 -p 8024 -ip 8024
1⤵
PID:16260

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 764 -p 8052 -ip 8052
1⤵
PID:16268

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 1156 -p 7116 -ip 7116
1⤵
PID:16276

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 1388 -p 8452 -ip 8452
1⤵
PID:16340

C:\Users\Admin\AppData\Local\Temp\Unicorn-49325.exe
C:\Users\Admin\AppData\Local\Temp\Unicorn-49325.exe
1⤵
PID:15296

C:\Users\Admin\AppData\Local\Temp\Unicorn-10238.exe
C:\Users\Admin\AppData\Local\Temp\Unicorn-10238.exe
1⤵
PID:15052

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 1052 -p 7976 -ip 7976
1⤵
PID:3852

C:\Users\Admin\AppData\Local\Temp\Unicorn-7114.exe
C:\Users\Admin\AppData\Local\Temp\Unicorn-7114.exe
1⤵
PID:15144

C:\Users\Admin\AppData\Local\Temp\Unicorn-60399.exe
C:\Users\Admin\AppData\Local\Temp\Unicorn-60399.exe
1⤵
PID:8324

C:\Users\Admin\AppData\Local\Temp\Unicorn-29673.exe
C:\Users\Admin\AppData\Local\Temp\Unicorn-29673.exe
1⤵
PID:15624

C:\Users\Admin\AppData\Local\Temp\Unicorn-22875.exe
C:\Users\Admin\AppData\Local\Temp\Unicorn-22875.exe
1⤵
PID:10648

C:\Users\Admin\AppData\Local\Temp\Unicorn-23451.exe
C:\Users\Admin\AppData\Local\Temp\Unicorn-23451.exe
1⤵
PID:15592

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 1108 -p 6956 -ip 6956
1⤵
PID:15700

C:\Users\Admin\AppData\Local\Temp\Unicorn-58645.exe
C:\Users\Admin\AppData\Local\Temp\Unicorn-58645.exe
1⤵
PID:15204

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 9120 -s 668
1⤵
PID:1420

C:\Users\Admin\AppData\Local\Temp\Unicorn-50477.exe
C:\Users\Admin\AppData\Local\Temp\Unicorn-50477.exe
1⤵
PID:15156

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 8200 -s 632
1⤵
PID:15412

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 1480 -p 9924 -ip 9924
1⤵
PID:7148

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 1532 -p 11040 -ip 11040
1⤵
PID:16328

C:\Users\Admin\AppData\Local\Temp\Unicorn-60456.exe
C:\Users\Admin\AppData\Local\Temp\Unicorn-60456.exe
1⤵
PID:16356

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\Unicorn-10180.exe

Filesize
468KB

MD5
a7383286747f892d791195e1897ab5f5

SHA1
c962566339657351d8a8e555b6ceb76dbaa439c7

SHA256
7dbfa5ffc73902d27987bfdd147a9c2770a6c87bff957e039fe8f9e50cd46feb

SHA512
dcb45c4c96382fe1c0e94dc6d921344f2279fa9a97c87785eceb7116b19241c4ba690d0aaa4562b2e85e06237aa0ae45d654ec2cafa46ae5cc1658cbeefe5343

Download Submit
C:\Users\Admin\AppData\Local\Temp\Unicorn-12074.exe

Filesize
468KB

MD5
ec44f9e1c021359d182649916e80fe07

SHA1
352fef2e91ff09146fcae6d894c09d0801fb2236

SHA256
7d9cac8ec82f030237d3aa7b2fccc09b55745080fc452528c42e77e8c39d58af

SHA512
ba7f49f26e985162beda22dea40cf2d1abd2d70589b2fb717673a4101cdc48baea868b7dad45249e92b6138533ab887b88e22cb40ad38c2591843dfae7aba40a

Download Submit
C:\Users\Admin\AppData\Local\Temp\Unicorn-12650.exe

Filesize
468KB

MD5
795363947b82090ff9c81ceb4701e467

SHA1
1071620f3fe9cb57619eaa385e1c873a10b018e8

SHA256
b86c83970b69d6bda8334a4ced1584f28119e7afd7116bdfe1a143273470c906

SHA512
8b8b94bc5f7573b7893164b30faf674765e4a056a25d199a11fc34018fc5bea7ad6918cbd12a96b62395f26d24a63fda5433bcbe0ba22fe43de8e3b6f5d6d6b0

Download Submit
C:\Users\Admin\AppData\Local\Temp\Unicorn-18798.exe

Filesize
468KB

MD5
b0d5022774001a712db27ac6010e8320

SHA1
2989e73db06a2f3180ba507c62252940f56ecdc7

SHA256
d7cf75fbc428fd6152096056c7ce991dbbe6aacc152af9976fe8d7a8f7f66c9d

SHA512
aa2ad88c94a70e9e3ae1eb2fa58924deef67744ab7cfc1504239361fc2d08e19f9eaee40cf543114ddabd733fe1a90bbef7c454f6fe10cf75e23562827c80a0b

Download Submit
C:\Users\Admin\AppData\Local\Temp\Unicorn-22783.exe

Filesize
468KB

MD5
39ad9bcd5444cdcf284c03e65272da1d

SHA1
aded9caa00b19cf590dd2b441e5fd6bdb8f4422b

SHA256
c86ff99cb4e19c1d1055be8c1ffe036d16f85208fbe759c958814cb39c9c5ba5

SHA512
bd9a529ddff5675237b2b1b7fb6516c57b44ad9b928fb7265ec8cb713049e99d542c039a7c0ba444ef6029fc579f16179baecfc3488aadaaacf8b769060c9b30

Download Submit
C:\Users\Admin\AppData\Local\Temp\Unicorn-23537.exe

Filesize
468KB

MD5
6c3cef9e10ba85647f30facf370b61a8

SHA1
1a06497e984159d4adf2f988a35cd1342eee349e

SHA256
f67b6f2cb95fcd828d7efa59a8e2c2a5b70c3687a5ded268ac4e761f514bd883

SHA512
db515554757825f422587c188e6dea03e3d4a7d0960353a4df3def7015cc9d197d9aaab876b8d7a1c7d0c3a39baf45cbfe2b4b63fc6a3103aa8c220a5a2bc68f

Download Submit
C:\Users\Admin\AppData\Local\Temp\Unicorn-24664.exe

Filesize
468KB

MD5
d261b73f241958c6823f416dd3a89f40

SHA1
98ebbd923235773758a884f60b7d169571a79fe8

SHA256
1dbbddecdd7e778e270721961187fe59066a5ac914da93992af9f283bf5c814a

SHA512
bc9e74f63225dae28d557d1339f8ac09ae44453f1dc7cc4bc53b7e8d2e502afac965e8bf8e6863aa89a4fb36163bfd2989e1b9e9abacdf8c554361cf45a4c7eb

Download Submit
C:\Users\Admin\AppData\Local\Temp\Unicorn-27477.exe

Filesize
468KB

MD5
0dadde4626b64c63b10bd5fce218de07

SHA1
17dc1b8cf70c083789a0815f01b2aef7a9b454e7

SHA256
c8b9ec31916b760950dc82226ee266f026b03ea26264e0d093ec9ae6af03fa6f

SHA512
5d2cedfd5a4f2fc4fbb1e31f3b345074da62fb5e9a221e4c9fb34e7dde9763f12722173102261f40068ecf8450f7ac5ff95204364f07e86b168e810816f8a093

Download Submit
C:\Users\Admin\AppData\Local\Temp\Unicorn-28694.exe

Filesize
468KB

MD5
6a875c28b9f7916706adec3dbc22e715

SHA1
8abd060e0bf411270045daf4643d0da9c6d78519

SHA256
162ad2344216a8c74259482944864cedb87baaf826df36d879d2ae7a16102e62

SHA512
035aa9ce918c84053eb7fd9caa946b91f1f30cb5ab2a12ca1e3b655febf348c855747f3f3518486b5f6799e2d510af0c293705696cf15c0beb3badb58f6c9b29

Download Submit
C:\Users\Admin\AppData\Local\Temp\Unicorn-29719.exe

Filesize
468KB

MD5
8f3d3dcba6c5ca7e5e514c664d3f5269

SHA1
2ea7bb13c41bbb44f7230632ac66ea02c7859217

SHA256
989069ce98766aa97eb27420f4299bb1041ee681c2238478185bf5ba4224298b

SHA512
ce45fec258684bdc847a0a4da9205c1e14d090843234d4bf638a113ae1c6da34b0de5e6ac7198c8439804e0215bb13362b558b7a7ae2200bf859d394234f2f82

Download Submit
C:\Users\Admin\AppData\Local\Temp\Unicorn-2972.exe

Filesize
468KB

MD5
29d7a2d9e3c2cf1d0ad2034d8eaf7a0c

SHA1
eca8fd7c74a5a00fc3f35909db498f6cff21ff44

SHA256
169aff8fab8a54f2adb5ddabaaf652fe5d05f82ff3938d82d7ebcab2b4b31b26

SHA512
39cff2c79dab992a98c877e1be8148b15038bffc5d47ec6648efba596077fea1339b8c1bc3861372421a3ef3f7f4d5734cbae972ea7903ab5480ac95fcbc3f5f

Download Submit
C:\Users\Admin\AppData\Local\Temp\Unicorn-31151.exe

Filesize
468KB

MD5
8a3d98669a3d682306bf9177873a7112

SHA1
335326a902aeb9de0a615bc191a21137e4880204

SHA256
0eff60dd8a6d032c220711a5917cfe1fdfacb6941734b65283ecb297972aa981

SHA512
5806f1bf60c3ee9c9218f5cafe3654944e69e0b0d0720747a732075440ebc8a33d602d44194108eb20988604d42bdae283a17f00e29871373fc8ec5392b57aa6

Download Submit
C:\Users\Admin\AppData\Local\Temp\Unicorn-32857.exe

Filesize
468KB

MD5
226992c3feac6918bfc0bf6e6570fa8c

SHA1
f6d86e235ad3b668e2770170e72a209bc0ee0fff

SHA256
e19c59a85322fdc95aebda4fdb96f9a19d7d844fe657d21100bdb6fc62d56706

SHA512
c5b286ee59af371dcfcdebc050a7c983baedd6e895d3962afc48a6a6905bb0de5f67b28c05f93cd52ef3815d349ffc2569b1b7420f6d759dd70ed4c6b7704a2f

Download Submit
C:\Users\Admin\AppData\Local\Temp\Unicorn-33263.exe

Filesize
468KB

MD5
411bb8f08f05a7428b51412014eb42e0

SHA1
9a57c024ea16dee0e36cedf7a1517ce41a3217ab

SHA256
5f551bf3673346588f759d6c2881732ac69796888626d404368776ef53b9c695

SHA512
0332afa2e29f115a10f8013ad0436477cc7c44f44a683502aff67193d07028cf07cbaa5eec91743288929304e867549c58f0903914bc5ebad0da13915ca9d0c1

Download Submit
C:\Users\Admin\AppData\Local\Temp\Unicorn-33289.exe

Filesize
468KB

MD5
1a5e541f7e7989d384fe38ca4c72a77a

SHA1
a0ade72e94e6fe185be37f8fe77899710e30e4c0

SHA256
58fee0710c84a943a6050d3a5a5260c351e511a0f9a7cba92c0d5bde51d0d07b

SHA512
1a3886e64f284e9ac08051b2d584c2408821749bcedb0f23553fcae5fc7f38b466eff48870e9647bc31bff4ab9032e03b5040cc7e52e59319a347e23fed41274

Download Submit
C:\Users\Admin\AppData\Local\Temp\Unicorn-3522.exe

Filesize
468KB

MD5
dc9ee87916a959e8b2a5b4b732a2d67e

SHA1
ca68cfa812c53517030e6f9a74a501631c90d207

SHA256
6077aae9d67e100362b1f73e5d9f4f451f83ec7471e3b6294c6a3d0af8159dca

SHA512
33793bf1fc124631c6dfd596ed3991845d1c6980ac47ec6cf6a8189fb3faf1d484bd3974fada0d7b90030739ab92304648e23fe177fe71b3ccd8ed7baa3074b1

Download Submit
C:\Users\Admin\AppData\Local\Temp\Unicorn-35235.exe

Filesize
468KB

MD5
0267bfce742c4a5911563dec709662fe

SHA1
57e93d90cae4d36b7102544dd4d6d122b89bd7d1

SHA256
2555f79e53f2095d596cf84e499ceef95000ac2aa4ddfbc24281a6f9a7f9d668

SHA512
8cfd16230f437c6ee97a8e0f0c4b53c0c8b01342e0521b8bcd195507c466cb23102656e5eb847717639ae66bda09a550e76c85519265b9224d973eb7ecc1394d

Download Submit
C:\Users\Admin\AppData\Local\Temp\Unicorn-3720.exe

Filesize
468KB

MD5
aca05c4134d5e823c05ca65e617e0a64

SHA1
94611dfcc3de6eb7df21b6dd5582fe44d0f91b9e

SHA256
e0d75ee4ddc49e2bf188a34f8ce86e777f48909ae8c77c1d14abe46791dd243a

SHA512
b55a8d6b0c8cb0b9078d1fb91843ad5cf731098e2bcc4ff7054f5bc16da67f6c3c11820f58d6ad7bd6877de0b6d4e07cf47469b158e18075750efd66a6d3f864

Download Submit
C:\Users\Admin\AppData\Local\Temp\Unicorn-37927.exe

Filesize
468KB

MD5
c9e675548ca8d601f543b0d9379f5918

SHA1
42aa38f6773e15118439f23ad99bb71a7312a60a

SHA256
8ddf56dfff515e339dc3371dfec6b09126913b3b9847bbe8f45862c0abc683fb

SHA512
dc70c0f25d39e13ac7aa7f9b796f0e05ad28d69b1c6d99c4194e8342e71c0483f324516338131ed288569deecb234fabbb49c01640e1be80b9f57d14709f39a2

Download Submit
C:\Users\Admin\AppData\Local\Temp\Unicorn-39028.exe

Filesize
468KB

MD5
ff8307881ce457c48c349977a040690c

SHA1
831264904db39244c01946f2a5003c06c1abaf95

SHA256
86c49de6315e7f318c692318e6943c088b0ac264a882c11cbdb44d8f157d96cc

SHA512
7f5541684f98bc77c8ca0f4fa566af5e837c19328ba03d4172839e55b82bd6b6900f523ae3f996bd37449a915be4ba3ef92c170131a7a88c8f10df53ad5bedd0

Download Submit
C:\Users\Admin\AppData\Local\Temp\Unicorn-39847.exe

Filesize
468KB

MD5
a50f9816f5b73fd5ef2f4f0845602b81

SHA1
df83c0385e5f96b58de271edd6ff6510e29116cd

SHA256
608cbcd09195b8195e7beba4819aa1ddc67533537b0d6b6c625b649922def7da

SHA512
ff9c95369cba6290232afcbc6f3c740ae3c311c14993a3b00f7e4094628534f9c72f5c16b195d09eba6ce6fc17c3badb57e54ea7162cefde89d4ba29fec82165

Download Submit
C:\Users\Admin\AppData\Local\Temp\Unicorn-41431.exe

Filesize
468KB

MD5
2211ea0deca4f1019a54a900274a05ed

SHA1
5ada2ae7cea0b3e9a9638e61fa2d9d60ba553446

SHA256
603574a75ccb47f5a0dfcf72d49142da1bc2546a2a1eeae63a559df109c0dc13

SHA512
f144b231e772ae8ea3ea5a125ce44c728d473f841ffaa07d5efdf41d61ac396eb7323942f4f527b97245ab59fc2552d696b43488156722d2ee7d7d1c022de24f

Download Submit
C:\Users\Admin\AppData\Local\Temp\Unicorn-43403.exe

Filesize
468KB

MD5
973c7a8c7acdbeb321a60d94dd0cd88c

SHA1
cea6090b863b461b15febfb2f4fa4d1be01c08d4

SHA256
d5aa9a528437e521283fd3aeeaacf0d728706e0403f6e9f44e5da42f6e90029e

SHA512
82d7aaa06285656ceaa26429f0a26bb84fde8a98b97c783a30067ffb8cfe407b7fd7891484a0cfeb0efcec346d607936ad9fd033d0b469f378fd0bf5fa32f899

Download Submit
C:\Users\Admin\AppData\Local\Temp\Unicorn-48639.exe

Filesize
468KB

MD5
f44e795487bbc7055911e9e8db0a62c6

SHA1
9626eb0fa222f1431028127fb3d80b8f824da6a3

SHA256
33b69c2740b3c9f9b6b1c9bf7880407093e2ca3572247753d5e05204b6297f69

SHA512
e20055417aca39dce37b70aaec5a947880c0b567fae69d3e7e4bd6094634e6f5fe0903686acbfedf383c4673514805e3c939b6644046594ae3075bd90664664a

Download Submit
C:\Users\Admin\AppData\Local\Temp\Unicorn-50590.exe

Filesize
468KB

MD5
b2a6cd2c16317477f7482a1fee3c4e20

SHA1
51804ce2395a5938821ab3129bb5c28c0848b311

SHA256
f587c5e445cb82beb3660ae048c8e1fbfb8986edef7883e20e4a29ad378cf836

SHA512
6761e76da842058c76e13ed9b1b238fcf9569489de22330e6c8684c11a9dac2ae1c8c78e149c6b16120d531c5a5bb2ea81144109e996fe6a0da0244fbedfde43

Download Submit
C:\Users\Admin\AppData\Local\Temp\Unicorn-52277.exe

Filesize
468KB

MD5
b7fce4aa16b9067d2880554a7b9d1317

SHA1
252240485acea5b45e5646303270f12c1600285b

SHA256
a78355200416cfc414655f90b3ed77fb11e6235f3232beddc862dec1f5ea8b32

SHA512
0ac51fe2e4baaa0726b8020b676793c705a960830e558f5a9084ff4a2b51e3ef330195b990f862ca4d1b3868809b087afc3fc327e7b57baa79ff81ff7daad383

Download Submit
C:\Users\Admin\AppData\Local\Temp\Unicorn-57859.exe

Filesize
468KB

MD5
ce4b3e6f1092fabb49db606a95ef0103

SHA1
777b81faf0b2a16a4c33cc028c384398403e9a06

SHA256
26f4b02a57ad87032a6d2387ca8818fedc1e15e8cef15e9018c7fac31fee2372

SHA512
11179008207f396e24a46fd203f851057c1cc365df7c32242cf5f82b579e46e7763f25c440f0cba686349a53e8a772b9b32edfb169ac104d6cf2e85c48316d82

Download Submit
C:\Users\Admin\AppData\Local\Temp\Unicorn-58322.exe

Filesize
468KB

MD5
184ce42856bbf5a01d6cd3796b04b3ad

SHA1
7794fbc551419d0429cd8c1d358f38bfb51fbfa7

SHA256
9eb38765ae5623bb920cad4c15d2e75febc594dc19a796387c7557db1d0e6bd5

SHA512
a827d55be60e2aacec8e73fb80950cb8cc15a82fb963a3aa82ac6b316f81d67b57f54670f906acab0b35167ca0ee81a48a2b14dd250d53fc0cd2dab36e724c3a

Download Submit
C:\Users\Admin\AppData\Local\Temp\Unicorn-6620.exe

Filesize
468KB

MD5
229dfe0e11c5dfb272c9c7bcacc13090

SHA1
3a402faac69f58bab3789c4cf6ebfecf7a6336d7

SHA256
fb7ec1fea21da5c05b45bdb06ff37db20a2fa5377f4ea6b4f688c1a65d07ad75

SHA512
9aeea2a800875098634afccc44697171c27fb3ce3eb79273b250742550767cd653aae27e471e3698fecd1a4c76d05e5c5ab3a0443ac8849992cd5fd1ff00110c

Download Submit
C:\Users\Admin\AppData\Local\Temp\Unicorn-6651.exe

Filesize
468KB

MD5
ddada24ec022ea7b260103ebb0f305e0

SHA1
286f87afa0267bde56edbd715827784196306527

SHA256
ac6e749a912349eebda5d894c65cb6723d4b8da58c76efa6e5890bded3b48049

SHA512
a99241690ace6f706e75f6abc242496b7aea3ae22add89358a7988df2d4ad560df51caa3d3e890a2deb9528589362c1c8e622abc3b2b901308281440f5c9563d

Download Submit
C:\Users\Admin\AppData\Local\Temp\Unicorn-9094.exe

Filesize
468KB

MD5
32ac8eaffc352ee22df46ca84d35b689

SHA1
efef89d4040f432668d5a3172ed4614774db6759

SHA256
277363769f4e0ea656970938b495fa4c19af9db9018f85f6bd67f0f9270001f9

SHA512
5ba671bb0a371970584bf4a077a396ee9bffcb9fe4066c5cfe67340feabfebe76a6346fa192046912cbdcddb80da90c768e434a950045ccfb051c63a1a3db14b

Download Submit
C:\Users\Admin\AppData\Local\Temp\Unicorn-9298.exe

Filesize
468KB

MD5
191ceac8d9d022c94c78fc708c29bc0c

SHA1
16e4c0dca4b3302c0075d6322768a50eb09a9c2b

SHA256
bc807c9734bde94298461987bc6fed56a26f7622fa3c7fe662eb39f01c16a9c8

SHA512
9fca4345822e744834e96e31d82eaf9411450d9cc5c5d8f059662e978612ea9e16c215e97f1905f93b2d439678568f39d0549e97456a032599601d6f19089359

Download Submit
memory/3708-2298-0x00007FFCBF990000-0x00007FFCBFB85000-memory.dmp

Filesize
2.0MB

Download
memory/4396-2277-0x0000000076AB0000-0x0000000076B8C000-memory.dmp

Filesize
880KB

Download
memory/5284-2441-0x00007FFCBF990000-0x00007FFCBFB85000-memory.dmp

Filesize
2.0MB

Download