8173dd352fa77d27cae8a5f687c15d81fea3939ecddc790eb0f25958f9550f82

Analysis

max time kernel
119s
max time network
16s
platform
windows7_x64
resource
win7-20240708-en
resource tags

arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system
submitted
09-09-2024 12:46

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

a0f42efdd422c8b6146ffadbd4d788c0N.exe
Size

468KB
MD5

a0f42efdd422c8b6146ffadbd4d788c0
SHA1

23a7f44656cf7173eae43990086c49965e6b2d3e
SHA256

8173dd352fa77d27cae8a5f687c15d81fea3939ecddc790eb0f25958f9550f82
SHA512

6595646cd45e61ddb98470fa6ac7c4e0756bdc881fb22f5ced6539a830e3aa52aac514c38e07f839d4712d5ded98b236d491ae801c72a9135287cc1a8d488bf2
SSDEEP

3072:1G3HogISIE5TtbY2HncOcf8/vChaP0p2JVHeT1PMQ7NL67vgEElG:1G3obMTtxHcOcfSYHqQ7p4vgE

Score

7^/10

discovery

Malware Config

Signatures

Executes dropped EXE 64 IoCs

pid	Process
1904	Unicorn-55676.exe
2896	Unicorn-19086.exe
1808	Unicorn-51436.exe
2748	Unicorn-63107.exe
2428	Unicorn-1654.exe
2456	Unicorn-51410.exe
2768	Unicorn-61061.exe
2988	Unicorn-62360.exe
1664	Unicorn-22074.exe
1512	Unicorn-715.exe
580	Unicorn-43786.exe
792	Unicorn-58084.exe
1088	Unicorn-21062.exe
1016	Unicorn-1462.exe
968	Unicorn-41229.exe
1120	Unicorn-33423.exe
2504	Unicorn-21769.exe
2856	Unicorn-46200.exe
1360	Unicorn-2417.exe
1900	Unicorn-47150.exe
912	Unicorn-16515.exe
2212	Unicorn-33829.exe
940	Unicorn-45511.exe
1728	Unicorn-60563.exe
2412	Unicorn-55510.exe
2156	Unicorn-47897.exe
2424	Unicorn-21385.exe
708	Unicorn-31176.exe
1584	Unicorn-52386.exe
2076	Unicorn-29505.exe
2368	Unicorn-4446.exe
1604	Unicorn-40465.exe
2324	Unicorn-34343.exe
2316	Unicorn-2225.exe
2692	Unicorn-46403.exe
2132	Unicorn-38235.exe
2072	Unicorn-29304.exe
2800	Unicorn-50295.exe
2804	Unicorn-51234.exe
2772	Unicorn-1841.exe
2560	Unicorn-21707.exe
2628	Unicorn-45441.exe
1540	Unicorn-46019.exe
1224	Unicorn-7216.exe
872	Unicorn-7216.exe
1884	Unicorn-58463.exe
1684	Unicorn-51182.exe
2020	Unicorn-51447.exe
2472	Unicorn-18509.exe
1712	Unicorn-63891.exe
2872	Unicorn-44026.exe
2196	Unicorn-35473.exe
2588	Unicorn-55339.exe
2652	Unicorn-60170.exe
840	Unicorn-40456.exe
1656	Unicorn-46439.exe
1668	Unicorn-767.exe
2384	Unicorn-49968.exe
1632	Unicorn-11165.exe
1916	Unicorn-45692.exe
2220	Unicorn-25826.exe
2204	Unicorn-6889.exe
3040	Unicorn-17104.exe
2008	Unicorn-21550.exe

Loads dropped DLL 64 IoCs

pid	Process
2272	a0f42efdd422c8b6146ffadbd4d788c0N.exe
2272	a0f42efdd422c8b6146ffadbd4d788c0N.exe
1904	Unicorn-55676.exe
2272	a0f42efdd422c8b6146ffadbd4d788c0N.exe
1904	Unicorn-55676.exe
2272	a0f42efdd422c8b6146ffadbd4d788c0N.exe
1808	Unicorn-51436.exe
1808	Unicorn-51436.exe
2896	Unicorn-19086.exe
2896	Unicorn-19086.exe
2272	a0f42efdd422c8b6146ffadbd4d788c0N.exe
1904	Unicorn-55676.exe
1904	Unicorn-55676.exe
2272	a0f42efdd422c8b6146ffadbd4d788c0N.exe
2428	Unicorn-1654.exe
2428	Unicorn-1654.exe
2896	Unicorn-19086.exe
2896	Unicorn-19086.exe
2456	Unicorn-51410.exe
2456	Unicorn-51410.exe
1904	Unicorn-55676.exe
1904	Unicorn-55676.exe
2768	Unicorn-61061.exe
2768	Unicorn-61061.exe
1984	WerFault.exe
1984	WerFault.exe
1984	WerFault.exe
1984	WerFault.exe
2272	a0f42efdd422c8b6146ffadbd4d788c0N.exe
1808	Unicorn-51436.exe
2272	a0f42efdd422c8b6146ffadbd4d788c0N.exe
1808	Unicorn-51436.exe
1984	WerFault.exe
2988	Unicorn-62360.exe
2988	Unicorn-62360.exe
2428	Unicorn-1654.exe
2428	Unicorn-1654.exe
580	Unicorn-43786.exe
580	Unicorn-43786.exe
1904	Unicorn-55676.exe
1904	Unicorn-55676.exe
1664	Unicorn-22074.exe
1664	Unicorn-22074.exe
1088	Unicorn-21062.exe
1088	Unicorn-21062.exe
1016	Unicorn-1462.exe
2896	Unicorn-19086.exe
2896	Unicorn-19086.exe
1016	Unicorn-1462.exe
2272	a0f42efdd422c8b6146ffadbd4d788c0N.exe
2272	a0f42efdd422c8b6146ffadbd4d788c0N.exe
1808	Unicorn-51436.exe
1808	Unicorn-51436.exe
792	Unicorn-58084.exe
792	Unicorn-58084.exe
2768	Unicorn-61061.exe
2768	Unicorn-61061.exe
1512	Unicorn-715.exe
1512	Unicorn-715.exe
2456	Unicorn-51410.exe
2456	Unicorn-51410.exe
968	Unicorn-41229.exe
968	Unicorn-41229.exe
2988	Unicorn-62360.exe

Program crash 64 IoCs

pid	pid_target	Process	procid_target
1984	2748	WerFault.exe	34
2808	708	WerFault.exe	59
1028	1728	WerFault.exe	55
2916	2856	WerFault.exe	49
2292	2132	WerFault.exe	67
2116	2204	WerFault.exe	95
2756	2872	WerFault.exe	84
1488	2196	WerFault.exe	85
2004	2384	WerFault.exe	91
2404	2020	WerFault.exe	81
2516	1900	WerFault.exe	51
2868	1932	WerFault.exe	139
2820	876	WerFault.exe	123
1196	1988	WerFault.exe	109
2104	2036	WerFault.exe	111
1108	1648	WerFault.exe	118
1464	1168	WerFault.exe	115
3216	2188	WerFault.exe	116
3208	1916	WerFault.exe	94
3404	1512	WerFault.exe	40
3420	940	WerFault.exe	54
3440	1684	WerFault.exe	80
3568	572	WerFault.exe	119
3556	1036	WerFault.exe	125
3544	2344	WerFault.exe	122
3532	1564	WerFault.exe	98
3520	2784	WerFault.exe	102
3508	2248	WerFault.exe	137
3500	1816	WerFault.exe	110
3492	2884	WerFault.exe	151
3472	1664	WerFault.exe	39
3464	792	WerFault.exe	43
3640	2456	WerFault.exe	37
3692	1360	WerFault.exe	50
3680	2324	WerFault.exe	64
3732	2588	WerFault.exe	86
3736	2220	WerFault.exe	93
3708	840	WerFault.exe	88
3772	2452	WerFault.exe	126
3112	2628	WerFault.exe	73
3932	1884	WerFault.exe	78
4164	1668	WerFault.exe	90
4188	1956	WerFault.exe	113
4172	2876	WerFault.exe	112
4180	2660	WerFault.exe	100
4208	2560	WerFault.exe	72
4216	912	WerFault.exe	53
4228	2804	WerFault.exe	70
4308	2412	WerFault.exe	56
4568	3092	WerFault.exe	244
4236	2652	WerFault.exe	87
4224	1604	WerFault.exe	63
4384	2172	WerFault.exe	128
4464	1656	WerFault.exe	89
4856	1632	WerFault.exe	92
4716	2472	WerFault.exe	82
3756	1748	WerFault.exe	166
4260	4908	WerFault.exe	295
5032	3952	WerFault.exe	248
5064	2788	WerFault.exe	168
5300	2212	WerFault.exe	52
5328	2076	WerFault.exe	61
5428	2364	WerFault.exe	133
5420	1244	WerFault.exe	131

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Unicorn-1841.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Unicorn-46459.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Unicorn-2606.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Unicorn-35416.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Unicorn-41446.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Unicorn-47576.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Unicorn-2978.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Unicorn-3180.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Unicorn-46459.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Unicorn-13429.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Unicorn-6603.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Unicorn-37891.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Unicorn-48100.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Unicorn-23631.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Unicorn-22658.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Unicorn-23809.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Unicorn-59505.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Unicorn-24560.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Unicorn-19226.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Unicorn-64793.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Unicorn-37554.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Unicorn-5611.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Unicorn-58084.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Unicorn-55697.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Unicorn-38235.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Unicorn-9236.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Unicorn-45786.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Unicorn-6117.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Unicorn-26256.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Unicorn-15691.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Unicorn-50394.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Unicorn-40456.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Unicorn-21930.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Unicorn-52952.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Unicorn-2698.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Unicorn-64099.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Unicorn-1196.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Unicorn-55676.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Unicorn-3.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Unicorn-38899.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Unicorn-37782.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Unicorn-50155.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Unicorn-5851.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Unicorn-43786.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Unicorn-54438.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Unicorn-51906.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Unicorn-12166.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Unicorn-27907.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Unicorn-45577.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Unicorn-22600.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Unicorn-57789.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Unicorn-3055.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Unicorn-64037.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Unicorn-45441.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Unicorn-9547.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Unicorn-10264.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Unicorn-29496.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Unicorn-6697.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Unicorn-62978.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Unicorn-13074.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Unicorn-57969.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Unicorn-49864.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Unicorn-21902.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Unicorn-59500.exe

Suspicious use of SetWindowsHookEx 64 IoCs

pid	Process
2272	a0f42efdd422c8b6146ffadbd4d788c0N.exe
1904	Unicorn-55676.exe
2896	Unicorn-19086.exe
1808	Unicorn-51436.exe
2428	Unicorn-1654.exe
2748	Unicorn-63107.exe
2456	Unicorn-51410.exe
2768	Unicorn-61061.exe
2988	Unicorn-62360.exe
1664	Unicorn-22074.exe
580	Unicorn-43786.exe
1512	Unicorn-715.exe
792	Unicorn-58084.exe
1088	Unicorn-21062.exe
1016	Unicorn-1462.exe
968	Unicorn-41229.exe
1120	Unicorn-33423.exe
2504	Unicorn-21769.exe
2856	Unicorn-46200.exe
1360	Unicorn-2417.exe
1900	Unicorn-47150.exe
912	Unicorn-16515.exe
2212	Unicorn-33829.exe
1728	Unicorn-60563.exe
940	Unicorn-45511.exe
2412	Unicorn-55510.exe
2156	Unicorn-47897.exe
2424	Unicorn-21385.exe
708	Unicorn-31176.exe
1584	Unicorn-52386.exe
2076	Unicorn-29505.exe
2368	Unicorn-4446.exe
1604	Unicorn-40465.exe
2324	Unicorn-34343.exe
2316	Unicorn-2225.exe
2692	Unicorn-46403.exe
2132	Unicorn-38235.exe
2072	Unicorn-29304.exe
2800	Unicorn-50295.exe
2804	Unicorn-51234.exe
2560	Unicorn-21707.exe
2772	Unicorn-1841.exe
2628	Unicorn-45441.exe
1540	Unicorn-46019.exe
1884	Unicorn-58463.exe
1224	Unicorn-7216.exe
872	Unicorn-7216.exe
1684	Unicorn-51182.exe
2020	Unicorn-51447.exe
1712	Unicorn-63891.exe
2872	Unicorn-44026.exe
2472	Unicorn-18509.exe
2196	Unicorn-35473.exe
2588	Unicorn-55339.exe
2652	Unicorn-60170.exe
840	Unicorn-40456.exe
1668	Unicorn-767.exe
1656	Unicorn-46439.exe
2384	Unicorn-49968.exe
1632	Unicorn-11165.exe
2220	Unicorn-25826.exe
1916	Unicorn-45692.exe
3040	Unicorn-17104.exe
2204	Unicorn-6889.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2272 wrote to memory of 1904	2272	a0f42efdd422c8b6146ffadbd4d788c0N.exe	31
PID 2272 wrote to memory of 1904	2272	a0f42efdd422c8b6146ffadbd4d788c0N.exe	31
PID 2272 wrote to memory of 1904	2272	a0f42efdd422c8b6146ffadbd4d788c0N.exe	31
PID 2272 wrote to memory of 1904	2272	a0f42efdd422c8b6146ffadbd4d788c0N.exe	31
PID 1904 wrote to memory of 2896	1904	Unicorn-55676.exe	32
PID 1904 wrote to memory of 2896	1904	Unicorn-55676.exe	32
PID 1904 wrote to memory of 2896	1904	Unicorn-55676.exe	32
PID 1904 wrote to memory of 2896	1904	Unicorn-55676.exe	32
PID 2272 wrote to memory of 1808	2272	a0f42efdd422c8b6146ffadbd4d788c0N.exe	33
PID 2272 wrote to memory of 1808	2272	a0f42efdd422c8b6146ffadbd4d788c0N.exe	33
PID 2272 wrote to memory of 1808	2272	a0f42efdd422c8b6146ffadbd4d788c0N.exe	33
PID 2272 wrote to memory of 1808	2272	a0f42efdd422c8b6146ffadbd4d788c0N.exe	33
PID 1808 wrote to memory of 2748	1808	Unicorn-51436.exe	34
PID 1808 wrote to memory of 2748	1808	Unicorn-51436.exe	34
PID 1808 wrote to memory of 2748	1808	Unicorn-51436.exe	34
PID 1808 wrote to memory of 2748	1808	Unicorn-51436.exe	34
PID 2896 wrote to memory of 2428	2896	Unicorn-19086.exe	35
PID 2896 wrote to memory of 2428	2896	Unicorn-19086.exe	35
PID 2896 wrote to memory of 2428	2896	Unicorn-19086.exe	35
PID 2896 wrote to memory of 2428	2896	Unicorn-19086.exe	35
PID 1904 wrote to memory of 2456	1904	Unicorn-55676.exe	37
PID 1904 wrote to memory of 2456	1904	Unicorn-55676.exe	37
PID 1904 wrote to memory of 2456	1904	Unicorn-55676.exe	37
PID 1904 wrote to memory of 2456	1904	Unicorn-55676.exe	37
PID 2272 wrote to memory of 2768	2272	a0f42efdd422c8b6146ffadbd4d788c0N.exe	36
PID 2272 wrote to memory of 2768	2272	a0f42efdd422c8b6146ffadbd4d788c0N.exe	36
PID 2272 wrote to memory of 2768	2272	a0f42efdd422c8b6146ffadbd4d788c0N.exe	36
PID 2272 wrote to memory of 2768	2272	a0f42efdd422c8b6146ffadbd4d788c0N.exe	36
PID 2428 wrote to memory of 2988	2428	Unicorn-1654.exe	38
PID 2428 wrote to memory of 2988	2428	Unicorn-1654.exe	38
PID 2428 wrote to memory of 2988	2428	Unicorn-1654.exe	38
PID 2428 wrote to memory of 2988	2428	Unicorn-1654.exe	38
PID 2896 wrote to memory of 1664	2896	Unicorn-19086.exe	39
PID 2896 wrote to memory of 1664	2896	Unicorn-19086.exe	39
PID 2896 wrote to memory of 1664	2896	Unicorn-19086.exe	39
PID 2896 wrote to memory of 1664	2896	Unicorn-19086.exe	39
PID 2456 wrote to memory of 1512	2456	Unicorn-51410.exe	40
PID 2456 wrote to memory of 1512	2456	Unicorn-51410.exe	40
PID 2456 wrote to memory of 1512	2456	Unicorn-51410.exe	40
PID 2456 wrote to memory of 1512	2456	Unicorn-51410.exe	40
PID 1904 wrote to memory of 580	1904	Unicorn-55676.exe	41
PID 1904 wrote to memory of 580	1904	Unicorn-55676.exe	41
PID 1904 wrote to memory of 580	1904	Unicorn-55676.exe	41
PID 1904 wrote to memory of 580	1904	Unicorn-55676.exe	41
PID 2748 wrote to memory of 1984	2748	Unicorn-63107.exe	42
PID 2748 wrote to memory of 1984	2748	Unicorn-63107.exe	42
PID 2748 wrote to memory of 1984	2748	Unicorn-63107.exe	42
PID 2748 wrote to memory of 1984	2748	Unicorn-63107.exe	42
PID 2768 wrote to memory of 792	2768	Unicorn-61061.exe	43
PID 2768 wrote to memory of 792	2768	Unicorn-61061.exe	43
PID 2768 wrote to memory of 792	2768	Unicorn-61061.exe	43
PID 2768 wrote to memory of 792	2768	Unicorn-61061.exe	43
PID 2272 wrote to memory of 1088	2272	a0f42efdd422c8b6146ffadbd4d788c0N.exe	44
PID 2272 wrote to memory of 1088	2272	a0f42efdd422c8b6146ffadbd4d788c0N.exe	44
PID 2272 wrote to memory of 1088	2272	a0f42efdd422c8b6146ffadbd4d788c0N.exe	44
PID 2272 wrote to memory of 1088	2272	a0f42efdd422c8b6146ffadbd4d788c0N.exe	44
PID 1808 wrote to memory of 1016	1808	Unicorn-51436.exe	45
PID 1808 wrote to memory of 1016	1808	Unicorn-51436.exe	45
PID 1808 wrote to memory of 1016	1808	Unicorn-51436.exe	45
PID 1808 wrote to memory of 1016	1808	Unicorn-51436.exe	45
PID 2988 wrote to memory of 968	2988	Unicorn-62360.exe	46
PID 2988 wrote to memory of 968	2988	Unicorn-62360.exe	46
PID 2988 wrote to memory of 968	2988	Unicorn-62360.exe	46
PID 2988 wrote to memory of 968	2988	Unicorn-62360.exe	46

C:\Users\Admin\AppData\Local\Temp\a0f42efdd422c8b6146ffadbd4d788c0N.exe
"C:\Users\Admin\AppData\Local\Temp\a0f42efdd422c8b6146ffadbd4d788c0N.exe"
1⤵
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2272
- C:\Users\Admin\AppData\Local\Temp\Unicorn-55676.exe
  C:\Users\Admin\AppData\Local\Temp\Unicorn-55676.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:1904
- - C:\Users\Admin\AppData\Local\Temp\Unicorn-19086.exe
    C:\Users\Admin\AppData\Local\Temp\Unicorn-19086.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:2896
  - - C:\Users\Admin\AppData\Local\Temp\Unicorn-1654.exe
      C:\Users\Admin\AppData\Local\Temp\Unicorn-1654.exe
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:2428
    - - C:\Users\Admin\AppData\Local\Temp\Unicorn-62360.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-62360.exe
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:2988
      - C:\Users\Admin\AppData\Local\Temp\Unicorn-41229.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-41229.exe
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetWindowsHookEx
        
        PID:968
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-52386.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-52386.exe
        7⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1584
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-40456.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-40456.exe
        8⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:840
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-6709.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-6709.exe
        9⤵
        
        PID:316
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-34437.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-34437.exe
        10⤵
        
        PID:4284
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 316 -s 216
        10⤵
        
        PID:5208
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 840 -s 248
        9⤵
        Program crash
        
        PID:3708
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-51805.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-51805.exe
        8⤵
        
        PID:2348
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-38329.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-38329.exe
        9⤵
        
        PID:4388
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2348 -s 216
        9⤵
        
        PID:6112
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-41446.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-41446.exe
        8⤵
        System Location Discovery: System Language Discovery
        
        PID:3664
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3664 -s 224
        9⤵
        
        PID:7860
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-61281.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-61281.exe
        8⤵
        
        PID:4992
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-17590.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-17590.exe
        8⤵
        
        PID:5764
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-55098.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-55098.exe
        8⤵
        
        PID:7232
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-52117.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-52117.exe
        8⤵
        
        PID:8124
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-36424.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-36424.exe
        8⤵
        
        PID:8332
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-46439.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-46439.exe
        7⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1656
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-50155.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-50155.exe
        8⤵
        System Location Discovery: System Language Discovery
        
        PID:2624
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-59901.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-59901.exe
        9⤵
        
        PID:4668
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-50537.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-50537.exe
        9⤵
        
        PID:1608
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2624 -s 220
        9⤵
        
        PID:6296
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-35515.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-35515.exe
        8⤵
        
        PID:3088
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-27907.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-27907.exe
        9⤵
        System Location Discovery: System Language Discovery
        
        PID:7916
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-16583.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-16583.exe
        9⤵
        
        PID:8916
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1656 -s 244
        8⤵
        Program crash
        
        PID:4464
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-19328.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-19328.exe
        7⤵
        
        PID:2884
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2884 -s 224
        8⤵
        Program crash
        
        PID:3492
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-12609.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-12609.exe
        7⤵
        
        PID:3096
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-65088.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-65088.exe
        8⤵
        
        PID:6072
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-45597.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-45597.exe
        8⤵
        
        PID:7596
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3096 -s 224
        8⤵
        
        PID:8364
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-26601.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-26601.exe
        7⤵
        
        PID:4728
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-11641.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-11641.exe
        7⤵
        
        PID:5312
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 968 -s 244
        7⤵
        
        PID:6700
      - C:\Users\Admin\AppData\Local\Temp\Unicorn-29505.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-29505.exe
        6⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2076
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-767.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-767.exe
        7⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1668
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-64301.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-64301.exe
        8⤵
        
        PID:1748
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1748 -s 240
        9⤵
        Program crash
        
        PID:3756
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1668 -s 248
        8⤵
        Program crash
        
        PID:4164
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-56496.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-56496.exe
        7⤵
        
        PID:2788
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2788 -s 244
        8⤵
        Program crash
        
        PID:5064
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-4876.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-4876.exe
        7⤵
        
        PID:4136
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-45577.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-45577.exe
        8⤵
        System Location Discovery: System Language Discovery
        
        PID:9112
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2076 -s 236
        7⤵
        Program crash
        
        PID:5328
      - C:\Users\Admin\AppData\Local\Temp\Unicorn-11165.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-11165.exe
        6⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1632
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-49579.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-49579.exe
        7⤵
        
        PID:1048
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-48718.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-48718.exe
        8⤵
        
        PID:4840
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-46453.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-46453.exe
        8⤵
        
        PID:5272
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1048 -s 240
        8⤵
        
        PID:6336
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-8572.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-8572.exe
        7⤵
        
        PID:3880
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-35416.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-35416.exe
        8⤵
        System Location Discovery: System Language Discovery
        
        PID:7864
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-44513.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-44513.exe
        8⤵
        
        PID:8240
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1632 -s 224
        7⤵
        Program crash
        
        PID:4856
      - C:\Users\Admin\AppData\Local\Temp\Unicorn-38899.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-38899.exe
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:1676
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-59133.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-59133.exe
        7⤵
        
        PID:5036
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1676 -s 216
        7⤵
        
        PID:5216
      - C:\Users\Admin\AppData\Local\Temp\Unicorn-19507.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-19507.exe
        6⤵
        
        PID:3092
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3092 -s 188
        7⤵
        Program crash
        
        PID:4568
      - C:\Users\Admin\AppData\Local\Temp\Unicorn-54589.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-54589.exe
        6⤵
        
        PID:4864
      - C:\Users\Admin\AppData\Local\Temp\Unicorn-23631.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-23631.exe
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:6264
      - C:\Users\Admin\AppData\Local\Temp\Unicorn-23087.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-23087.exe
        6⤵
        
        PID:7716
      - C:\Users\Admin\AppData\Local\Temp\Unicorn-35998.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-35998.exe
        6⤵
        
        PID:8416
      - C:\Users\Admin\AppData\Local\Temp\Unicorn-27827.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-27827.exe
        6⤵
        
        PID:8696
    - - C:\Users\Admin\AppData\Local\Temp\Unicorn-33423.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-33423.exe
        5⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1120
      - C:\Users\Admin\AppData\Local\Temp\Unicorn-4446.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-4446.exe
        6⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2368
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-49968.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-49968.exe
        7⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2384
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2384 -s 240
        8⤵
        Program crash
        
        PID:2004
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-20777.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-20777.exe
        7⤵
        
        PID:2484
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-37753.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-37753.exe
        8⤵
        
        PID:4908
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4908 -s 220
        9⤵
        Program crash
        
        PID:4260
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-6603.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-6603.exe
        8⤵
        System Location Discovery: System Language Discovery
        
        PID:4556
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-5611.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-5611.exe
        8⤵
        System Location Discovery: System Language Discovery
        
        PID:6660
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-37891.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-37891.exe
        8⤵
        System Location Discovery: System Language Discovery
        
        PID:8140
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-63569.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-63569.exe
        8⤵
        
        PID:8856
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-50382.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-50382.exe
        7⤵
        
        PID:3816
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-3350.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-3350.exe
        8⤵
        
        PID:7336
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-42379.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-42379.exe
        8⤵
        
        PID:7956
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-60765.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-60765.exe
        8⤵
        
        PID:8688
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-33461.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-33461.exe
        7⤵
        
        PID:4720
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-63174.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-63174.exe
        7⤵
        
        PID:6032
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-64693.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-64693.exe
        7⤵
        
        PID:7496
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-53736.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-53736.exe
        7⤵
        
        PID:7560
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-28962.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-28962.exe
        7⤵
        
        PID:9036
      - C:\Users\Admin\AppData\Local\Temp\Unicorn-25826.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-25826.exe
        6⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2220
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-44789.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-44789.exe
        7⤵
        
        PID:2172
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-3746.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-3746.exe
        8⤵
        
        PID:3832
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-5851.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-5851.exe
        9⤵
        System Location Discovery: System Language Discovery
        
        PID:7068
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-19032.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-19032.exe
        9⤵
        
        PID:8128
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-46271.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-46271.exe
        9⤵
        
        PID:9176
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2172 -s 236
        8⤵
        Program crash
        
        PID:4384
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2220 -s 248
        7⤵
        Program crash
        
        PID:3736
      - C:\Users\Admin\AppData\Local\Temp\Unicorn-43895.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-43895.exe
        6⤵
        
        PID:1268
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-52999.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-52999.exe
        7⤵
        
        PID:4736
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-29547.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-29547.exe
        8⤵
        
        PID:8660
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-13074.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-13074.exe
        7⤵
        System Location Discovery: System Language Discovery
        
        PID:5496
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-14931.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-14931.exe
        7⤵
        
        PID:6968
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-54227.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-54227.exe
        7⤵
        
        PID:6916
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-49864.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-49864.exe
        7⤵
        System Location Discovery: System Language Discovery
        
        PID:9000
      - C:\Users\Admin\AppData\Local\Temp\Unicorn-47311.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-47311.exe
        6⤵
        
        PID:3380
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-41249.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-41249.exe
        7⤵
        
        PID:7920
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-14549.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-14549.exe
        7⤵
        
        PID:8592
      - C:\Users\Admin\AppData\Local\Temp\Unicorn-28303.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-28303.exe
        6⤵
        
        PID:4932
      - C:\Users\Admin\AppData\Local\Temp\Unicorn-29643.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-29643.exe
        6⤵
        
        PID:5716
      - C:\Users\Admin\AppData\Local\Temp\Unicorn-64187.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-64187.exe
        6⤵
        
        PID:7016
      - C:\Users\Admin\AppData\Local\Temp\Unicorn-51390.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-51390.exe
        6⤵
        
        PID:7816
      - C:\Users\Admin\AppData\Local\Temp\Unicorn-59402.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-59402.exe
        6⤵
        
        PID:8904
    - - C:\Users\Admin\AppData\Local\Temp\Unicorn-40465.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-40465.exe
        5⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1604
      - C:\Users\Admin\AppData\Local\Temp\Unicorn-41416.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-41416.exe
        6⤵
        
        PID:1564
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1564 -s 224
        7⤵
        Program crash
        
        PID:3532
      - C:\Users\Admin\AppData\Local\Temp\Unicorn-30860.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-30860.exe
        6⤵
        
        PID:3340
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-37782.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-37782.exe
        7⤵
        System Location Discovery: System Language Discovery
        
        PID:6868
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-34626.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-34626.exe
        7⤵
        
        PID:7392
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-52664.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-52664.exe
        7⤵
        
        PID:9056
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1604 -s 244
        6⤵
        Program crash
        
        PID:4224
    - - C:\Users\Admin\AppData\Local\Temp\Unicorn-8094.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-8094.exe
        5⤵
        
        PID:1764
      - C:\Users\Admin\AppData\Local\Temp\Unicorn-48100.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-48100.exe
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:2600
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-28874.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-28874.exe
        7⤵
        
        PID:4268
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-36094.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-36094.exe
        7⤵
        
        PID:932
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-18491.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-18491.exe
        7⤵
        
        PID:7472
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-61871.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-61871.exe
        7⤵
        
        PID:7276
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-49963.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-49963.exe
        7⤵
        
        PID:8348
      - C:\Users\Admin\AppData\Local\Temp\Unicorn-41052.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-41052.exe
        6⤵
        
        PID:3952
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3952 -s 224
        7⤵
        Program crash
        
        PID:5032
      - C:\Users\Admin\AppData\Local\Temp\Unicorn-8387.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-8387.exe
        6⤵
        
        PID:4876
      - C:\Users\Admin\AppData\Local\Temp\Unicorn-31767.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-31767.exe
        6⤵
        
        PID:6228
      - C:\Users\Admin\AppData\Local\Temp\Unicorn-3055.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-3055.exe
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:7664
      - C:\Users\Admin\AppData\Local\Temp\Unicorn-17018.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-17018.exe
        6⤵
        
        PID:8384
      - C:\Users\Admin\AppData\Local\Temp\Unicorn-50493.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-50493.exe
        6⤵
        
        PID:8552
    - - C:\Users\Admin\AppData\Local\Temp\Unicorn-3565.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-3565.exe
        5⤵
        
        PID:972
      - C:\Users\Admin\AppData\Local\Temp\Unicorn-45786.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-45786.exe
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:4964
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 972 -s 236
        6⤵
        
        PID:5484
    - - C:\Users\Admin\AppData\Local\Temp\Unicorn-51078.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-51078.exe
        5⤵
        
        PID:4120
      - C:\Users\Admin\AppData\Local\Temp\Unicorn-44191.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-44191.exe
        6⤵
        
        PID:7108
      - C:\Users\Admin\AppData\Local\Temp\Unicorn-61456.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-61456.exe
        6⤵
        
        PID:7824
      - C:\Users\Admin\AppData\Local\Temp\Unicorn-26208.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-26208.exe
        6⤵
        
        PID:9140
    - - C:\Users\Admin\AppData\Local\Temp\Unicorn-52168.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-52168.exe
        5⤵
        
        PID:5336
    - - C:\Users\Admin\AppData\Local\Temp\Unicorn-20103.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-20103.exe
        5⤵
        
        PID:6752
    - - C:\Users\Admin\AppData\Local\Temp\Unicorn-19226.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-19226.exe
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:7304
    - - C:\Users\Admin\AppData\Local\Temp\Unicorn-27728.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-27728.exe
        5⤵
        
        PID:8940
  - - C:\Users\Admin\AppData\Local\Temp\Unicorn-22074.exe
      C:\Users\Admin\AppData\Local\Temp\Unicorn-22074.exe
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Suspicious use of SetWindowsHookEx
      PID:1664
    - - C:\Users\Admin\AppData\Local\Temp\Unicorn-2417.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-2417.exe
        5⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1360
      - C:\Users\Admin\AppData\Local\Temp\Unicorn-38235.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-38235.exe
        6⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2132
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2132 -s 240
        7⤵
        Program crash
        
        PID:2292
      - C:\Users\Admin\AppData\Local\Temp\Unicorn-61488.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-61488.exe
        6⤵
        
        PID:2452
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2452 -s 244
        7⤵
        Program crash
        
        PID:3772
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1360 -s 244
        6⤵
        Program crash
        
        PID:3692
    - - C:\Users\Admin\AppData\Local\Temp\Unicorn-51234.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-51234.exe
        5⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2804
      - C:\Users\Admin\AppData\Local\Temp\Unicorn-6133.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-6133.exe
        6⤵
        
        PID:2068
      - C:\Users\Admin\AppData\Local\Temp\Unicorn-37554.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-37554.exe
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:1572
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-24406.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-24406.exe
        7⤵
        
        PID:4480
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1572 -s 228
        7⤵
        
        PID:5344
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2804 -s 244
        6⤵
        Program crash
        
        PID:4228
    - - C:\Users\Admin\AppData\Local\Temp\Unicorn-3.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-3.exe
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:1504
      - C:\Users\Admin\AppData\Local\Temp\Unicorn-34577.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-34577.exe
        6⤵
        
        PID:3160
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-56687.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-56687.exe
        7⤵
        
        PID:8084
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-41279.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-41279.exe
        7⤵
        
        PID:9028
      - C:\Users\Admin\AppData\Local\Temp\Unicorn-32033.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-32033.exe
        6⤵
        
        PID:5100
      - C:\Users\Admin\AppData\Local\Temp\Unicorn-53722.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-53722.exe
        6⤵
        
        PID:2944
      - C:\Users\Admin\AppData\Local\Temp\Unicorn-24357.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-24357.exe
        6⤵
        
        PID:7464
      - C:\Users\Admin\AppData\Local\Temp\Unicorn-53206.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-53206.exe
        6⤵
        
        PID:8200
      - C:\Users\Admin\AppData\Local\Temp\Unicorn-33427.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-33427.exe
        6⤵
        
        PID:8372
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1664 -s 248
        5⤵
        Program crash
        
        PID:3472
  - - C:\Users\Admin\AppData\Local\Temp\Unicorn-16515.exe
      C:\Users\Admin\AppData\Local\Temp\Unicorn-16515.exe
      4⤵
      Executes dropped EXE
      Suspicious use of SetWindowsHookEx
      PID:912
    - - C:\Users\Admin\AppData\Local\Temp\Unicorn-58463.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-58463.exe
        5⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1884
      - C:\Users\Admin\AppData\Local\Temp\Unicorn-16907.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-16907.exe
        6⤵
        
        PID:1896
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-22377.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-22377.exe
        7⤵
        
        PID:5084
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1896 -s 216
        7⤵
        
        PID:6124
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1884 -s 216
        6⤵
        Program crash
        
        PID:3932
    - - C:\Users\Admin\AppData\Local\Temp\Unicorn-17326.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-17326.exe
        5⤵
        
        PID:2524
      - C:\Users\Admin\AppData\Local\Temp\Unicorn-46663.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-46663.exe
        6⤵
        
        PID:4376
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2524 -s 236
        6⤵
        
        PID:6004
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 912 -s 244
        5⤵
        Program crash
        
        PID:4216
  - - C:\Users\Admin\AppData\Local\Temp\Unicorn-18509.exe
      C:\Users\Admin\AppData\Local\Temp\Unicorn-18509.exe
      4⤵
      Executes dropped EXE
      Suspicious use of SetWindowsHookEx
      PID:2472
    - - C:\Users\Admin\AppData\Local\Temp\Unicorn-25459.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-25459.exe
        5⤵
        
        PID:2216
      - C:\Users\Admin\AppData\Local\Temp\Unicorn-8780.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-8780.exe
        6⤵
        
        PID:5008
      - C:\Users\Admin\AppData\Local\Temp\Unicorn-50537.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-50537.exe
        6⤵
        
        PID:5232
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2216 -s 224
        6⤵
        
        PID:6404
    - - C:\Users\Admin\AppData\Local\Temp\Unicorn-8572.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-8572.exe
        5⤵
        
        PID:3140
      - C:\Users\Admin\AppData\Local\Temp\Unicorn-64746.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-64746.exe
        6⤵
        
        PID:7884
      - C:\Users\Admin\AppData\Local\Temp\Unicorn-49531.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-49531.exe
        6⤵
        
        PID:8576
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2472 -s 244
        5⤵
        Program crash
        
        PID:4716
  - - C:\Users\Admin\AppData\Local\Temp\Unicorn-24504.exe
      C:\Users\Admin\AppData\Local\Temp\Unicorn-24504.exe
      4⤵
      PID:2396
    - - C:\Users\Admin\AppData\Local\Temp\Unicorn-57789.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-57789.exe
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:4952
    - - C:\Users\Admin\AppData\Local\Temp\Unicorn-50537.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-50537.exe
        5⤵
        
        PID:5240
    - - C:\Users\Admin\AppData\Local\Temp\Unicorn-12321.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-12321.exe
        5⤵
        
        PID:6392
    - - C:\Users\Admin\AppData\Local\Temp\Unicorn-40553.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-40553.exe
        5⤵
        
        PID:7672
    - - C:\Users\Admin\AppData\Local\Temp\Unicorn-48406.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-48406.exe
        5⤵
        
        PID:8436
  - - C:\Users\Admin\AppData\Local\Temp\Unicorn-2972.exe
      C:\Users\Admin\AppData\Local\Temp\Unicorn-2972.exe
      4⤵
      PID:3132
    - - C:\Users\Admin\AppData\Local\Temp\Unicorn-32832.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-32832.exe
        5⤵
        
        PID:9184
  - - C:\Users\Admin\AppData\Local\Temp\Unicorn-6117.exe
      C:\Users\Admin\AppData\Local\Temp\Unicorn-6117.exe
      4⤵
      System Location Discovery: System Language Discovery
      PID:5004
  - - C:\Users\Admin\AppData\Local\Temp\Unicorn-2101.exe
      C:\Users\Admin\AppData\Local\Temp\Unicorn-2101.exe
      4⤵
      PID:6240
  - - C:\Users\Admin\AppData\Local\Temp\Unicorn-17752.exe
      C:\Users\Admin\AppData\Local\Temp\Unicorn-17752.exe
      4⤵
      PID:7700
  - - C:\Users\Admin\AppData\Local\Temp\Unicorn-40198.exe
      C:\Users\Admin\AppData\Local\Temp\Unicorn-40198.exe
      4⤵
      PID:8424
  - - C:\Users\Admin\AppData\Local\Temp\Unicorn-91.exe
      C:\Users\Admin\AppData\Local\Temp\Unicorn-91.exe
      4⤵
      PID:8868
- - C:\Users\Admin\AppData\Local\Temp\Unicorn-51410.exe
    C:\Users\Admin\AppData\Local\Temp\Unicorn-51410.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:2456
  - - C:\Users\Admin\AppData\Local\Temp\Unicorn-715.exe
      C:\Users\Admin\AppData\Local\Temp\Unicorn-715.exe
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Suspicious use of SetWindowsHookEx
      PID:1512
    - - C:\Users\Admin\AppData\Local\Temp\Unicorn-21385.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-21385.exe
        5⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2424
      - C:\Users\Admin\AppData\Local\Temp\Unicorn-55339.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-55339.exe
        6⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2588
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-46626.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-46626.exe
        7⤵
        
        PID:784
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-56512.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-56512.exe
        8⤵
        
        PID:3868
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-62136.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-62136.exe
        9⤵
        
        PID:8284
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-39027.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-39027.exe
        9⤵
        
        PID:8968
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-13860.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-13860.exe
        8⤵
        
        PID:4752
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 784 -s 240
        8⤵
        
        PID:5488
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2588 -s 248
        7⤵
        Program crash
        
        PID:3732
      - C:\Users\Admin\AppData\Local\Temp\Unicorn-10040.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-10040.exe
        6⤵
        
        PID:2248
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2248 -s 224
        7⤵
        Program crash
        
        PID:3508
      - C:\Users\Admin\AppData\Local\Temp\Unicorn-56848.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-56848.exe
        6⤵
        
        PID:3412
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-55441.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-55441.exe
        7⤵
        
        PID:5108
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3412 -s 216
        7⤵
        
        PID:6600
      - C:\Users\Admin\AppData\Local\Temp\Unicorn-2978.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-2978.exe
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:4304
      - C:\Users\Admin\AppData\Local\Temp\Unicorn-40429.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-40429.exe
        6⤵
        
        PID:5176
      - C:\Users\Admin\AppData\Local\Temp\Unicorn-33395.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-33395.exe
        6⤵
        
        PID:6784
      - C:\Users\Admin\AppData\Local\Temp\Unicorn-51027.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-51027.exe
        6⤵
        
        PID:7564
      - C:\Users\Admin\AppData\Local\Temp\Unicorn-22854.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-22854.exe
        6⤵
        
        PID:8672
    - - C:\Users\Admin\AppData\Local\Temp\Unicorn-60170.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-60170.exe
        5⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2652
      - C:\Users\Admin\AppData\Local\Temp\Unicorn-40321.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-40321.exe
        6⤵
        
        PID:2964
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-33295.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-33295.exe
        7⤵
        
        PID:4084
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-58254.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-58254.exe
        8⤵
        
        PID:7844
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-13874.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-13874.exe
        8⤵
        
        PID:8580
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-19898.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-19898.exe
        8⤵
        
        PID:9124
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-52807.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-52807.exe
        7⤵
        
        PID:4676
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-30976.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-30976.exe
        7⤵
        
        PID:5436
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2964 -s 248
        7⤵
        
        PID:6684
      - C:\Users\Admin\AppData\Local\Temp\Unicorn-8193.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-8193.exe
        6⤵
        
        PID:3984
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-20387.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-20387.exe
        7⤵
        
        PID:5672
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3984 -s 228
        7⤵
        
        PID:6496
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2652 -s 244
        6⤵
        Program crash
        
        PID:4236
    - - C:\Users\Admin\AppData\Local\Temp\Unicorn-42167.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-42167.exe
        5⤵
        
        PID:2188
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2188 -s 224
        6⤵
        Program crash
        
        PID:3216
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1512 -s 228
        5⤵
        Program crash
        
        PID:3404
  - - C:\Users\Admin\AppData\Local\Temp\Unicorn-31176.exe
      C:\Users\Admin\AppData\Local\Temp\Unicorn-31176.exe
      4⤵
      Executes dropped EXE
      Suspicious use of SetWindowsHookEx
      PID:708
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 708 -s 240
        5⤵
        Program crash
        
        PID:2808
  - - C:\Users\Admin\AppData\Local\Temp\Unicorn-7216.exe
      C:\Users\Admin\AppData\Local\Temp\Unicorn-7216.exe
      4⤵
      Executes dropped EXE
      Suspicious use of SetWindowsHookEx
      PID:1224
    - - C:\Users\Admin\AppData\Local\Temp\Unicorn-51997.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-51997.exe
        5⤵
        
        PID:2344
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2344 -s 224
        6⤵
        Program crash
        
        PID:3544
    - - C:\Users\Admin\AppData\Local\Temp\Unicorn-43112.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-43112.exe
        5⤵
        
        PID:3432
      - C:\Users\Admin\AppData\Local\Temp\Unicorn-62094.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-62094.exe
        6⤵
        
        PID:7020
      - C:\Users\Admin\AppData\Local\Temp\Unicorn-13822.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-13822.exe
        6⤵
        
        PID:7760
      - C:\Users\Admin\AppData\Local\Temp\Unicorn-37444.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-37444.exe
        6⤵
        
        PID:9200
    - - C:\Users\Admin\AppData\Local\Temp\Unicorn-62650.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-62650.exe
        5⤵
        
        PID:4352
    - - C:\Users\Admin\AppData\Local\Temp\Unicorn-61346.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-61346.exe
        5⤵
        
        PID:308
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1224 -s 224
        5⤵
        
        PID:6908
  - - C:\Users\Admin\AppData\Local\Temp\Unicorn-15551.exe
      C:\Users\Admin\AppData\Local\Temp\Unicorn-15551.exe
      4⤵
      PID:2736
    - - C:\Users\Admin\AppData\Local\Temp\Unicorn-53383.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-53383.exe
        5⤵
        
        PID:4516
    - - C:\Users\Admin\AppData\Local\Temp\Unicorn-40702.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-40702.exe
        5⤵
        
        PID:5356
    - - C:\Users\Admin\AppData\Local\Temp\Unicorn-43904.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-43904.exe
        5⤵
        
        PID:6772
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2736 -s 228
        5⤵
        
        PID:7328
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 2456 -s 244
      4⤵
      Program crash
      PID:3640
- - C:\Users\Admin\AppData\Local\Temp\Unicorn-43786.exe
    C:\Users\Admin\AppData\Local\Temp\Unicorn-43786.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    PID:580
  - - C:\Users\Admin\AppData\Local\Temp\Unicorn-21769.exe
      C:\Users\Admin\AppData\Local\Temp\Unicorn-21769.exe
      4⤵
      Executes dropped EXE
      Suspicious use of SetWindowsHookEx
      PID:2504
    - - C:\Users\Admin\AppData\Local\Temp\Unicorn-34343.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-34343.exe
        5⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2324
      - C:\Users\Admin\AppData\Local\Temp\Unicorn-17104.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-17104.exe
        6⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:3040
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-15817.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-15817.exe
        7⤵
        
        PID:2828
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-62978.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-62978.exe
        8⤵
        System Location Discovery: System Language Discovery
        
        PID:3476
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-20195.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-20195.exe
        9⤵
        
        PID:5748
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3476 -s 228
        9⤵
        
        PID:6512
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-65251.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-65251.exe
        8⤵
        
        PID:5112
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-47313.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-47313.exe
        8⤵
        
        PID:6140
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-58596.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-58596.exe
        8⤵
        
        PID:6676
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-50497.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-50497.exe
        8⤵
        
        PID:7692
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-27319.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-27319.exe
        8⤵
        
        PID:8700
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-13429.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-13429.exe
        7⤵
        System Location Discovery: System Language Discovery
        
        PID:4064
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-28213.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-28213.exe
        8⤵
        
        PID:7932
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-22509.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-22509.exe
        8⤵
        
        PID:8620
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-45555.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-45555.exe
        8⤵
        
        PID:8344
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-13257.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-13257.exe
        7⤵
        
        PID:4544
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3040 -s 228
        7⤵
        
        PID:5448
      - C:\Users\Admin\AppData\Local\Temp\Unicorn-9547.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-9547.exe
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:1244
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-36471.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-36471.exe
        7⤵
        
        PID:4660
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-58104.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-58104.exe
        8⤵
        
        PID:9052
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1244 -s 248
        7⤵
        Program crash
        
        PID:5420
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2324 -s 244
        6⤵
        Program crash
        
        PID:3680
    - - C:\Users\Admin\AppData\Local\Temp\Unicorn-21550.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-21550.exe
        5⤵
        Executes dropped EXE
        
        PID:2008
      - C:\Users\Admin\AppData\Local\Temp\Unicorn-7280.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-7280.exe
        6⤵
        
        PID:1924
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-14517.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-14517.exe
        7⤵
        
        PID:4504
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-12166.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-12166.exe
        7⤵
        System Location Discovery: System Language Discovery
        
        PID:6272
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1924 -s 224
        7⤵
        
        PID:7724
      - C:\Users\Admin\AppData\Local\Temp\Unicorn-27150.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-27150.exe
        6⤵
        
        PID:4820
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2008 -s 224
        6⤵
        
        PID:5704
    - - C:\Users\Admin\AppData\Local\Temp\Unicorn-30807.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-30807.exe
        5⤵
        
        PID:2040
      - C:\Users\Admin\AppData\Local\Temp\Unicorn-40065.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-40065.exe
        6⤵
        
        PID:1320
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2040 -s 236
        6⤵
        
        PID:6620
    - - C:\Users\Admin\AppData\Local\Temp\Unicorn-35843.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-35843.exe
        5⤵
        
        PID:4896
    - - C:\Users\Admin\AppData\Local\Temp\Unicorn-27408.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-27408.exe
        5⤵
        
        PID:5900
    - - C:\Users\Admin\AppData\Local\Temp\Unicorn-4999.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-4999.exe
        5⤵
        
        PID:6440
    - - C:\Users\Admin\AppData\Local\Temp\Unicorn-26331.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-26331.exe
        5⤵
        
        PID:8132
    - - C:\Users\Admin\AppData\Local\Temp\Unicorn-42506.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-42506.exe
        5⤵
        
        PID:8488
  - - C:\Users\Admin\AppData\Local\Temp\Unicorn-2225.exe
      C:\Users\Admin\AppData\Local\Temp\Unicorn-2225.exe
      4⤵
      Executes dropped EXE
      Suspicious use of SetWindowsHookEx
      PID:2316
    - - C:\Users\Admin\AppData\Local\Temp\Unicorn-45692.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-45692.exe
        5⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1916
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1916 -s 244
        6⤵
        Program crash
        
        PID:3208
    - - C:\Users\Admin\AppData\Local\Temp\Unicorn-21156.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-21156.exe
        5⤵
        
        PID:3120
      - C:\Users\Admin\AppData\Local\Temp\Unicorn-64704.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-64704.exe
        6⤵
        
        PID:6184
      - C:\Users\Admin\AppData\Local\Temp\Unicorn-49489.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-49489.exe
        6⤵
        
        PID:7636
      - C:\Users\Admin\AppData\Local\Temp\Unicorn-18673.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-18673.exe
        6⤵
        
        PID:8352
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3120 -s 228
        6⤵
        
        PID:4800
    - - C:\Users\Admin\AppData\Local\Temp\Unicorn-25893.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-25893.exe
        5⤵
        
        PID:4940
    - - C:\Users\Admin\AppData\Local\Temp\Unicorn-36074.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-36074.exe
        5⤵
        
        PID:5888
    - - C:\Users\Admin\AppData\Local\Temp\Unicorn-21534.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-21534.exe
        5⤵
        
        PID:6408
    - - C:\Users\Admin\AppData\Local\Temp\Unicorn-9265.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-9265.exe
        5⤵
        
        PID:8160
    - - C:\Users\Admin\AppData\Local\Temp\Unicorn-64037.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-64037.exe
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:8468
  - - C:\Users\Admin\AppData\Local\Temp\Unicorn-6889.exe
      C:\Users\Admin\AppData\Local\Temp\Unicorn-6889.exe
      4⤵
      Executes dropped EXE
      Suspicious use of SetWindowsHookEx
      PID:2204
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2204 -s 240
        5⤵
        Program crash
        
        PID:2116
  - - C:\Users\Admin\AppData\Local\Temp\Unicorn-63081.exe
      C:\Users\Admin\AppData\Local\Temp\Unicorn-63081.exe
      4⤵
      PID:2364
    - - C:\Users\Admin\AppData\Local\Temp\Unicorn-11006.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-11006.exe
        5⤵
        
        PID:4200
      - C:\Users\Admin\AppData\Local\Temp\Unicorn-60927.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-60927.exe
        6⤵
        
        PID:9096
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2364 -s 228
        5⤵
        Program crash
        
        PID:5428
  - - C:\Users\Admin\AppData\Local\Temp\Unicorn-38646.exe
      C:\Users\Admin\AppData\Local\Temp\Unicorn-38646.exe
      4⤵
      PID:3628
    - - C:\Users\Admin\AppData\Local\Temp\Unicorn-42525.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-42525.exe
        5⤵
        
        PID:6984
    - - C:\Users\Admin\AppData\Local\Temp\Unicorn-36821.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-36821.exe
        5⤵
        
        PID:7944
    - - C:\Users\Admin\AppData\Local\Temp\Unicorn-30318.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-30318.exe
        5⤵
        
        PID:8888
  - - C:\Users\Admin\AppData\Local\Temp\Unicorn-40164.exe
      C:\Users\Admin\AppData\Local\Temp\Unicorn-40164.exe
      4⤵
      PID:5092
  - - C:\Users\Admin\AppData\Local\Temp\Unicorn-18120.exe
      C:\Users\Admin\AppData\Local\Temp\Unicorn-18120.exe
      4⤵
      PID:5860
  - - C:\Users\Admin\AppData\Local\Temp\Unicorn-50632.exe
      C:\Users\Admin\AppData\Local\Temp\Unicorn-50632.exe
      4⤵
      PID:7204
  - - C:\Users\Admin\AppData\Local\Temp\Unicorn-25251.exe
      C:\Users\Admin\AppData\Local\Temp\Unicorn-25251.exe
      4⤵
      PID:7400
  - - C:\Users\Admin\AppData\Local\Temp\Unicorn-35289.exe
      C:\Users\Admin\AppData\Local\Temp\Unicorn-35289.exe
      4⤵
      PID:8260
- - C:\Users\Admin\AppData\Local\Temp\Unicorn-46200.exe
    C:\Users\Admin\AppData\Local\Temp\Unicorn-46200.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:2856
  - - C:\Users\Admin\AppData\Local\Temp\Unicorn-46403.exe
      C:\Users\Admin\AppData\Local\Temp\Unicorn-46403.exe
      4⤵
      Executes dropped EXE
      Suspicious use of SetWindowsHookEx
      PID:2692
    - - C:\Users\Admin\AppData\Local\Temp\Unicorn-64441.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-64441.exe
        5⤵
        
        PID:1648
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1648 -s 240
        6⤵
        Program crash
        
        PID:1108
    - - C:\Users\Admin\AppData\Local\Temp\Unicorn-52952.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-52952.exe
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:1972
      - C:\Users\Admin\AppData\Local\Temp\Unicorn-53490.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-53490.exe
        6⤵
        
        PID:5680
      - C:\Users\Admin\AppData\Local\Temp\Unicorn-38995.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-38995.exe
        6⤵
        
        PID:6876
      - C:\Users\Admin\AppData\Local\Temp\Unicorn-53297.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-53297.exe
        6⤵
        
        PID:7680
      - C:\Users\Admin\AppData\Local\Temp\Unicorn-52520.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-52520.exe
        6⤵
        
        PID:8784
    - - C:\Users\Admin\AppData\Local\Temp\Unicorn-59505.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-59505.exe
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:4452
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4452 -s 212
        6⤵
        
        PID:8120
    - - C:\Users\Admin\AppData\Local\Temp\Unicorn-60303.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-60303.exe
        5⤵
        
        PID:5396
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2692 -s 244
        5⤵
        
        PID:6836
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 2856 -s 236
      4⤵
      Program crash
      PID:2916
- - C:\Users\Admin\AppData\Local\Temp\Unicorn-29304.exe
    C:\Users\Admin\AppData\Local\Temp\Unicorn-29304.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:2072
  - - C:\Users\Admin\AppData\Local\Temp\Unicorn-31001.exe
      C:\Users\Admin\AppData\Local\Temp\Unicorn-31001.exe
      4⤵
      PID:2604
    - - C:\Users\Admin\AppData\Local\Temp\Unicorn-52589.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-52589.exe
        5⤵
        
        PID:2244
      - C:\Users\Admin\AppData\Local\Temp\Unicorn-15945.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-15945.exe
        6⤵
        
        PID:5224
      - C:\Users\Admin\AppData\Local\Temp\Unicorn-57413.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-57413.exe
        6⤵
        
        PID:6668
      - C:\Users\Admin\AppData\Local\Temp\Unicorn-32025.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-32025.exe
        6⤵
        
        PID:8152
      - C:\Users\Admin\AppData\Local\Temp\Unicorn-6697.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-6697.exe
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:8872
    - - C:\Users\Admin\AppData\Local\Temp\Unicorn-36257.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-36257.exe
        5⤵
        
        PID:4316
    - - C:\Users\Admin\AppData\Local\Temp\Unicorn-54438.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-54438.exe
        5⤵
        
        PID:5412
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2604 -s 248
        5⤵
        
        PID:6844
  - - C:\Users\Admin\AppData\Local\Temp\Unicorn-32723.exe
      C:\Users\Admin\AppData\Local\Temp\Unicorn-32723.exe
      4⤵
      PID:1976
    - - C:\Users\Admin\AppData\Local\Temp\Unicorn-30605.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-30605.exe
        5⤵
        
        PID:6136
    - - C:\Users\Admin\AppData\Local\Temp\Unicorn-4756.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-4756.exe
        5⤵
        
        PID:7548
    - - C:\Users\Admin\AppData\Local\Temp\Unicorn-56006.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-56006.exe
        5⤵
        
        PID:8184
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1976 -s 228
        5⤵
        
        PID:4804
  - - C:\Users\Admin\AppData\Local\Temp\Unicorn-49993.exe
      C:\Users\Admin\AppData\Local\Temp\Unicorn-49993.exe
      4⤵
      PID:4324
    - - C:\Users\Admin\AppData\Local\Temp\Unicorn-11892.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-11892.exe
        5⤵
        
        PID:7756
    - - C:\Users\Admin\AppData\Local\Temp\Unicorn-9266.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-9266.exe
        5⤵
        
        PID:8936
  - - C:\Users\Admin\AppData\Local\Temp\Unicorn-60303.exe
      C:\Users\Admin\AppData\Local\Temp\Unicorn-60303.exe
      4⤵
      PID:5388
  - - C:\Users\Admin\AppData\Local\Temp\Unicorn-41104.exe
      C:\Users\Admin\AppData\Local\Temp\Unicorn-41104.exe
      4⤵
      PID:6804
  - - C:\Users\Admin\AppData\Local\Temp\Unicorn-29026.exe
      C:\Users\Admin\AppData\Local\Temp\Unicorn-29026.exe
      4⤵
      PID:7444
  - - C:\Users\Admin\AppData\Local\Temp\Unicorn-50394.exe
      C:\Users\Admin\AppData\Local\Temp\Unicorn-50394.exe
      4⤵
      System Location Discovery: System Language Discovery
      PID:9044
- - C:\Users\Admin\AppData\Local\Temp\Unicorn-58436.exe
    C:\Users\Admin\AppData\Local\Temp\Unicorn-58436.exe
    3⤵
    PID:2984
  - - C:\Users\Admin\AppData\Local\Temp\Unicorn-13585.exe
      C:\Users\Admin\AppData\Local\Temp\Unicorn-13585.exe
      4⤵
      PID:3200
    - - C:\Users\Admin\AppData\Local\Temp\Unicorn-45192.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-45192.exe
        5⤵
        
        PID:5524
    - - C:\Users\Admin\AppData\Local\Temp\Unicorn-1196.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-1196.exe
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:6944
    - - C:\Users\Admin\AppData\Local\Temp\Unicorn-48362.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-48362.exe
        5⤵
        
        PID:7312
    - - C:\Users\Admin\AppData\Local\Temp\Unicorn-58529.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-58529.exe
        5⤵
        
        PID:9008
  - - C:\Users\Admin\AppData\Local\Temp\Unicorn-53191.exe
      C:\Users\Admin\AppData\Local\Temp\Unicorn-53191.exe
      4⤵
      PID:4996
  - - C:\Users\Admin\AppData\Local\Temp\Unicorn-58989.exe
      C:\Users\Admin\AppData\Local\Temp\Unicorn-58989.exe
      4⤵
      PID:5980
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 2984 -s 248
      4⤵
      PID:6612
- - C:\Users\Admin\AppData\Local\Temp\Unicorn-9077.exe
    C:\Users\Admin\AppData\Local\Temp\Unicorn-9077.exe
    3⤵
    PID:3288
  - - C:\Users\Admin\AppData\Local\Temp\Unicorn-10482.exe
      C:\Users\Admin\AppData\Local\Temp\Unicorn-10482.exe
      4⤵
      PID:4536
  - - C:\Users\Admin\AppData\Local\Temp\Unicorn-52239.exe
      C:\Users\Admin\AppData\Local\Temp\Unicorn-52239.exe
      4⤵
      PID:5504
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 3288 -s 244
      4⤵
      PID:7480
- - C:\Users\Admin\AppData\Local\Temp\Unicorn-55185.exe
    C:\Users\Admin\AppData\Local\Temp\Unicorn-55185.exe
    3⤵
    PID:4152
- - C:\Users\Admin\AppData\Local\Temp\Unicorn-18177.exe
    C:\Users\Admin\AppData\Local\Temp\Unicorn-18177.exe
    3⤵
    PID:6104
- - C:\Users\Admin\AppData\Local\Temp\Unicorn-27795.exe
    C:\Users\Admin\AppData\Local\Temp\Unicorn-27795.exe
    3⤵
    PID:6792
- - C:\Users\Admin\AppData\Local\Temp\Unicorn-625.exe
    C:\Users\Admin\AppData\Local\Temp\Unicorn-625.exe
    3⤵
    PID:7644
- - C:\Users\Admin\AppData\Local\Temp\Unicorn-41320.exe
    C:\Users\Admin\AppData\Local\Temp\Unicorn-41320.exe
    3⤵
    PID:8656
- C:\Users\Admin\AppData\Local\Temp\Unicorn-51436.exe
  C:\Users\Admin\AppData\Local\Temp\Unicorn-51436.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:1808
- - C:\Users\Admin\AppData\Local\Temp\Unicorn-63107.exe
    C:\Users\Admin\AppData\Local\Temp\Unicorn-63107.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:2748
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 2748 -s 240
      4⤵
      Loads dropped DLL
      Program crash
      PID:1984
- - C:\Users\Admin\AppData\Local\Temp\Unicorn-1462.exe
    C:\Users\Admin\AppData\Local\Temp\Unicorn-1462.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of SetWindowsHookEx
    PID:1016
  - - C:\Users\Admin\AppData\Local\Temp\Unicorn-33829.exe
      C:\Users\Admin\AppData\Local\Temp\Unicorn-33829.exe
      4⤵
      Executes dropped EXE
      Suspicious use of SetWindowsHookEx
      PID:2212
    - - C:\Users\Admin\AppData\Local\Temp\Unicorn-51447.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-51447.exe
        5⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2020
      - C:\Users\Admin\AppData\Local\Temp\Unicorn-50160.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-50160.exe
        6⤵
        
        PID:1988
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1988 -s 240
        7⤵
        Program crash
        
        PID:1196
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2020 -s 216
        6⤵
        Program crash
        
        PID:2404
    - - C:\Users\Admin\AppData\Local\Temp\Unicorn-36791.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-36791.exe
        5⤵
        
        PID:2876
      - C:\Users\Admin\AppData\Local\Temp\Unicorn-61504.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-61504.exe
        6⤵
        
        PID:3004
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-26051.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-26051.exe
        7⤵
        
        PID:4812
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3004 -s 248
        7⤵
        
        PID:2252
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2876 -s 248
        6⤵
        Program crash
        
        PID:4172
    - - C:\Users\Admin\AppData\Local\Temp\Unicorn-6173.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-6173.exe
        5⤵
        
        PID:1772
      - C:\Users\Admin\AppData\Local\Temp\Unicorn-2698.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-2698.exe
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:4948
      - C:\Users\Admin\AppData\Local\Temp\Unicorn-39986.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-39986.exe
        6⤵
        
        PID:5760
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1772 -s 244
        6⤵
        
        PID:7528
    - - C:\Users\Admin\AppData\Local\Temp\Unicorn-10741.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-10741.exe
        5⤵
        
        PID:4144
      - C:\Users\Admin\AppData\Local\Temp\Unicorn-61285.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-61285.exe
        6⤵
        
        PID:7376
      - C:\Users\Admin\AppData\Local\Temp\Unicorn-26609.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-26609.exe
        6⤵
        
        PID:8956
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2212 -s 240
        5⤵
        Program crash
        
        PID:5300
  - - C:\Users\Admin\AppData\Local\Temp\Unicorn-44026.exe
      C:\Users\Admin\AppData\Local\Temp\Unicorn-44026.exe
      4⤵
      Executes dropped EXE
      Suspicious use of SetWindowsHookEx
      PID:2872
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2872 -s 244
        5⤵
        Program crash
        
        PID:2756
  - - C:\Users\Admin\AppData\Local\Temp\Unicorn-38659.exe
      C:\Users\Admin\AppData\Local\Temp\Unicorn-38659.exe
      4⤵
      PID:1036
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1036 -s 244
        5⤵
        Program crash
        
        PID:3556
  - - C:\Users\Admin\AppData\Local\Temp\Unicorn-62713.exe
      C:\Users\Admin\AppData\Local\Temp\Unicorn-62713.exe
      4⤵
      PID:3396
    - - C:\Users\Admin\AppData\Local\Temp\Unicorn-64151.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-64151.exe
        5⤵
        
        PID:4880
    - - C:\Users\Admin\AppData\Local\Temp\Unicorn-52239.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-52239.exe
        5⤵
        
        PID:844
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3396 -s 244
        5⤵
        
        PID:7488
  - - C:\Users\Admin\AppData\Local\Temp\Unicorn-10649.exe
      C:\Users\Admin\AppData\Local\Temp\Unicorn-10649.exe
      4⤵
      PID:4272
  - - C:\Users\Admin\AppData\Local\Temp\Unicorn-27977.exe
      C:\Users\Admin\AppData\Local\Temp\Unicorn-27977.exe
      4⤵
      PID:6096
  - - C:\Users\Admin\AppData\Local\Temp\Unicorn-50461.exe
      C:\Users\Admin\AppData\Local\Temp\Unicorn-50461.exe
      4⤵
      PID:6608
  - - C:\Users\Admin\AppData\Local\Temp\Unicorn-29496.exe
      C:\Users\Admin\AppData\Local\Temp\Unicorn-29496.exe
      4⤵
      System Location Discovery: System Language Discovery
      PID:7620
  - - C:\Users\Admin\AppData\Local\Temp\Unicorn-17519.exe
      C:\Users\Admin\AppData\Local\Temp\Unicorn-17519.exe
      4⤵
      PID:8676
- - C:\Users\Admin\AppData\Local\Temp\Unicorn-60563.exe
    C:\Users\Admin\AppData\Local\Temp\Unicorn-60563.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:1728
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 1728 -s 244
      4⤵
      Program crash
      PID:1028
- - C:\Users\Admin\AppData\Local\Temp\Unicorn-51182.exe
    C:\Users\Admin\AppData\Local\Temp\Unicorn-51182.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:1684
  - - C:\Users\Admin\AppData\Local\Temp\Unicorn-51229.exe
      C:\Users\Admin\AppData\Local\Temp\Unicorn-51229.exe
      4⤵
      PID:1816
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1816 -s 224
        5⤵
        Program crash
        
        PID:3500
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 1684 -s 248
      4⤵
      Program crash
      PID:3440
- - C:\Users\Admin\AppData\Local\Temp\Unicorn-31390.exe
    C:\Users\Admin\AppData\Local\Temp\Unicorn-31390.exe
    3⤵
    PID:1956
  - - C:\Users\Admin\AppData\Local\Temp\Unicorn-64301.exe
      C:\Users\Admin\AppData\Local\Temp\Unicorn-64301.exe
      4⤵
      PID:1964
    - - C:\Users\Admin\AppData\Local\Temp\Unicorn-59525.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-59525.exe
        5⤵
        
        PID:5020
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1964 -s 236
        5⤵
        
        PID:6588
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 1956 -s 228
      4⤵
      Program crash
      PID:4188
- - C:\Users\Admin\AppData\Local\Temp\Unicorn-26583.exe
    C:\Users\Admin\AppData\Local\Temp\Unicorn-26583.exe
    3⤵
    PID:2448
  - - C:\Users\Admin\AppData\Local\Temp\Unicorn-14517.exe
      C:\Users\Admin\AppData\Local\Temp\Unicorn-14517.exe
      4⤵
      PID:4696
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 2448 -s 216
      4⤵
      PID:6628
- - C:\Users\Admin\AppData\Local\Temp\Unicorn-2606.exe
    C:\Users\Admin\AppData\Local\Temp\Unicorn-2606.exe
    3⤵
    - System Location Discovery: System Language Discovery
    PID:4112
  - - C:\Users\Admin\AppData\Local\Temp\Unicorn-44326.exe
      C:\Users\Admin\AppData\Local\Temp\Unicorn-44326.exe
      4⤵
      PID:7820
  - - C:\Users\Admin\AppData\Local\Temp\Unicorn-13542.exe
      C:\Users\Admin\AppData\Local\Temp\Unicorn-13542.exe
      4⤵
      PID:8848
- - C:\Users\Admin\AppData\Local\Temp\Unicorn-30637.exe
    C:\Users\Admin\AppData\Local\Temp\Unicorn-30637.exe
    3⤵
    PID:5364
- - C:\Users\Admin\AppData\Local\Temp\Unicorn-14768.exe
    C:\Users\Admin\AppData\Local\Temp\Unicorn-14768.exe
    3⤵
    PID:6764
- - C:\Users\Admin\AppData\Local\Temp\Unicorn-23426.exe
    C:\Users\Admin\AppData\Local\Temp\Unicorn-23426.exe
    3⤵
    PID:7352
- - C:\Users\Admin\AppData\Local\Temp\Unicorn-65529.exe
    C:\Users\Admin\AppData\Local\Temp\Unicorn-65529.exe
    3⤵
    PID:8972
- C:\Users\Admin\AppData\Local\Temp\Unicorn-61061.exe
  C:\Users\Admin\AppData\Local\Temp\Unicorn-61061.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2768
- - C:\Users\Admin\AppData\Local\Temp\Unicorn-58084.exe
    C:\Users\Admin\AppData\Local\Temp\Unicorn-58084.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    PID:792
  - - C:\Users\Admin\AppData\Local\Temp\Unicorn-55510.exe
      C:\Users\Admin\AppData\Local\Temp\Unicorn-55510.exe
      4⤵
      Executes dropped EXE
      Suspicious use of SetWindowsHookEx
      PID:2412
    - - C:\Users\Admin\AppData\Local\Temp\Unicorn-63891.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-63891.exe
        5⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1712
      - C:\Users\Admin\AppData\Local\Temp\Unicorn-18365.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-18365.exe
        6⤵
        
        PID:496
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-28251.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-28251.exe
        7⤵
        
        PID:3792
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-1035.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-1035.exe
        8⤵
        
        PID:5608
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3792 -s 228
        8⤵
        
        PID:6504
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-48915.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-48915.exe
        7⤵
        
        PID:4380
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-55481.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-55481.exe
        7⤵
        
        PID:5264
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 496 -s 248
        7⤵
        
        PID:6656
      - C:\Users\Admin\AppData\Local\Temp\Unicorn-39028.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-39028.exe
        6⤵
        
        PID:3388
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-41108.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-41108.exe
        7⤵
        
        PID:5540
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3388 -s 228
        7⤵
        
        PID:6956
      - C:\Users\Admin\AppData\Local\Temp\Unicorn-13449.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-13449.exe
        6⤵
        
        PID:4108
      - C:\Users\Admin\AppData\Local\Temp\Unicorn-53178.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-53178.exe
        6⤵
        
        PID:6128
      - C:\Users\Admin\AppData\Local\Temp\Unicorn-49931.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-49931.exe
        6⤵
        
        PID:6796
      - C:\Users\Admin\AppData\Local\Temp\Unicorn-31221.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-31221.exe
        6⤵
        
        PID:2880
      - C:\Users\Admin\AppData\Local\Temp\Unicorn-28049.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-28049.exe
        6⤵
        
        PID:8900
    - - C:\Users\Admin\AppData\Local\Temp\Unicorn-32707.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-32707.exe
        5⤵
        
        PID:2036
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2036 -s 220
        6⤵
        Program crash
        
        PID:2104
    - - C:\Users\Admin\AppData\Local\Temp\Unicorn-46459.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-46459.exe
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:320
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 320 -s 224
        6⤵
        
        PID:5552
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2412 -s 248
        5⤵
        Program crash
        
        PID:4308
  - - C:\Users\Admin\AppData\Local\Temp\Unicorn-35473.exe
      C:\Users\Admin\AppData\Local\Temp\Unicorn-35473.exe
      4⤵
      Executes dropped EXE
      Suspicious use of SetWindowsHookEx
      PID:2196
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2196 -s 240
        5⤵
        Program crash
        
        PID:1488
  - - C:\Users\Admin\AppData\Local\Temp\Unicorn-579.exe
      C:\Users\Admin\AppData\Local\Temp\Unicorn-579.exe
      4⤵
      PID:2016
    - - C:\Users\Admin\AppData\Local\Temp\Unicorn-10124.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-10124.exe
        5⤵
        
        PID:3784
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2016 -s 216
        5⤵
        
        PID:5152
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 792 -s 248
      4⤵
      Program crash
      PID:3464
- - C:\Users\Admin\AppData\Local\Temp\Unicorn-47897.exe
    C:\Users\Admin\AppData\Local\Temp\Unicorn-47897.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:2156
  - - C:\Users\Admin\AppData\Local\Temp\Unicorn-46019.exe
      C:\Users\Admin\AppData\Local\Temp\Unicorn-46019.exe
      4⤵
      Executes dropped EXE
      Suspicious use of SetWindowsHookEx
      PID:1540
    - - C:\Users\Admin\AppData\Local\Temp\Unicorn-64441.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-64441.exe
        5⤵
        
        PID:572
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 572 -s 244
        6⤵
        Program crash
        
        PID:3568
    - - C:\Users\Admin\AppData\Local\Temp\Unicorn-13429.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-13429.exe
        5⤵
        
        PID:4072
      - C:\Users\Admin\AppData\Local\Temp\Unicorn-65311.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-65311.exe
        6⤵
        
        PID:5852
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4072 -s 228
        6⤵
        
        PID:6480
    - - C:\Users\Admin\AppData\Local\Temp\Unicorn-25509.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-25509.exe
        5⤵
        
        PID:4584
    - - C:\Users\Admin\AppData\Local\Temp\Unicorn-36842.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-36842.exe
        5⤵
        
        PID:5440
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1540 -s 220
        5⤵
        
        PID:6556
  - - C:\Users\Admin\AppData\Local\Temp\Unicorn-32131.exe
      C:\Users\Admin\AppData\Local\Temp\Unicorn-32131.exe
      4⤵
      PID:876
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 876 -s 240
        5⤵
        Program crash
        
        PID:2820
  - - C:\Users\Admin\AppData\Local\Temp\Unicorn-46459.exe
      C:\Users\Admin\AppData\Local\Temp\Unicorn-46459.exe
      4⤵
      System Location Discovery: System Language Discovery
      PID:1692
    - - C:\Users\Admin\AppData\Local\Temp\Unicorn-30247.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-30247.exe
        5⤵
        
        PID:5548
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1692 -s 228
        5⤵
        
        PID:6884
  - - C:\Users\Admin\AppData\Local\Temp\Unicorn-55858.exe
      C:\Users\Admin\AppData\Local\Temp\Unicorn-55858.exe
      4⤵
      PID:4296
  - - C:\Users\Admin\AppData\Local\Temp\Unicorn-51638.exe
      C:\Users\Admin\AppData\Local\Temp\Unicorn-51638.exe
      4⤵
      PID:5376
  - - C:\Users\Admin\AppData\Local\Temp\Unicorn-24568.exe
      C:\Users\Admin\AppData\Local\Temp\Unicorn-24568.exe
      4⤵
      PID:6812
  - - C:\Users\Admin\AppData\Local\Temp\Unicorn-46092.exe
      C:\Users\Admin\AppData\Local\Temp\Unicorn-46092.exe
      4⤵
      PID:7384
  - - C:\Users\Admin\AppData\Local\Temp\Unicorn-28863.exe
      C:\Users\Admin\AppData\Local\Temp\Unicorn-28863.exe
      4⤵
      PID:8984
- - C:\Users\Admin\AppData\Local\Temp\Unicorn-7216.exe
    C:\Users\Admin\AppData\Local\Temp\Unicorn-7216.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:872
  - - C:\Users\Admin\AppData\Local\Temp\Unicorn-3180.exe
      C:\Users\Admin\AppData\Local\Temp\Unicorn-3180.exe
      4⤵
      System Location Discovery: System Language Discovery
      PID:1168
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1168 -s 224
        5⤵
        Program crash
        
        PID:1464
  - - C:\Users\Admin\AppData\Local\Temp\Unicorn-59257.exe
      C:\Users\Admin\AppData\Local\Temp\Unicorn-59257.exe
      4⤵
      PID:3188
    - - C:\Users\Admin\AppData\Local\Temp\Unicorn-63277.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-63277.exe
        5⤵
        
        PID:5632
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3188 -s 228
        5⤵
        
        PID:7000
  - - C:\Users\Admin\AppData\Local\Temp\Unicorn-1389.exe
      C:\Users\Admin\AppData\Local\Temp\Unicorn-1389.exe
      4⤵
      PID:4984
  - - C:\Users\Admin\AppData\Local\Temp\Unicorn-64854.exe
      C:\Users\Admin\AppData\Local\Temp\Unicorn-64854.exe
      4⤵
      PID:5968
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 872 -s 244
      4⤵
      PID:6900
- - C:\Users\Admin\AppData\Local\Temp\Unicorn-64176.exe
    C:\Users\Admin\AppData\Local\Temp\Unicorn-64176.exe
    3⤵
    PID:620
  - - C:\Users\Admin\AppData\Local\Temp\Unicorn-36938.exe
      C:\Users\Admin\AppData\Local\Temp\Unicorn-36938.exe
      4⤵
      PID:348
    - - C:\Users\Admin\AppData\Local\Temp\Unicorn-2374.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-2374.exe
        5⤵
        
        PID:6384
    - - C:\Users\Admin\AppData\Local\Temp\Unicorn-34304.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-34304.exe
        5⤵
        
        PID:7808
    - - C:\Users\Admin\AppData\Local\Temp\Unicorn-31885.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-31885.exe
        5⤵
        
        PID:8544
    - - C:\Users\Admin\AppData\Local\Temp\Unicorn-58628.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-58628.exe
        5⤵
        
        PID:9076
  - - C:\Users\Admin\AppData\Local\Temp\Unicorn-16242.exe
      C:\Users\Admin\AppData\Local\Temp\Unicorn-16242.exe
      4⤵
      PID:4888
  - - C:\Users\Admin\AppData\Local\Temp\Unicorn-30208.exe
      C:\Users\Admin\AppData\Local\Temp\Unicorn-30208.exe
      4⤵
      PID:5908
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 620 -s 248
      4⤵
      PID:6488
- - C:\Users\Admin\AppData\Local\Temp\Unicorn-29351.exe
    C:\Users\Admin\AppData\Local\Temp\Unicorn-29351.exe
    3⤵
    PID:3252
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 3252 -s 244
      4⤵
      PID:5616
- - C:\Users\Admin\AppData\Local\Temp\Unicorn-10450.exe
    C:\Users\Admin\AppData\Local\Temp\Unicorn-10450.exe
    3⤵
    PID:5072
- - C:\Users\Admin\AppData\Local\Temp\Unicorn-45043.exe
    C:\Users\Admin\AppData\Local\Temp\Unicorn-45043.exe
    3⤵
    PID:5188
- - C:\Users\Admin\AppData\Local\Temp\Unicorn-28930.exe
    C:\Users\Admin\AppData\Local\Temp\Unicorn-28930.exe
    3⤵
    PID:6860
- - C:\Users\Admin\AppData\Local\Temp\Unicorn-24161.exe
    C:\Users\Admin\AppData\Local\Temp\Unicorn-24161.exe
    3⤵
    PID:7656
- - C:\Users\Admin\AppData\Local\Temp\Unicorn-21719.exe
    C:\Users\Admin\AppData\Local\Temp\Unicorn-21719.exe
    3⤵
    PID:8768
- C:\Users\Admin\AppData\Local\Temp\Unicorn-21062.exe
  C:\Users\Admin\AppData\Local\Temp\Unicorn-21062.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of SetWindowsHookEx
  PID:1088
- - C:\Users\Admin\AppData\Local\Temp\Unicorn-47150.exe
    C:\Users\Admin\AppData\Local\Temp\Unicorn-47150.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:1900
  - - C:\Users\Admin\AppData\Local\Temp\Unicorn-50295.exe
      C:\Users\Admin\AppData\Local\Temp\Unicorn-50295.exe
      4⤵
      Executes dropped EXE
      Suspicious use of SetWindowsHookEx
      PID:2800
    - - C:\Users\Admin\AppData\Local\Temp\Unicorn-21930.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-21930.exe
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:2416
      - C:\Users\Admin\AppData\Local\Temp\Unicorn-10264.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-10264.exe
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:3852
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-38026.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-38026.exe
        7⤵
        
        PID:7780
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-34870.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-34870.exe
        7⤵
        
        PID:8512
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-52763.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-52763.exe
        7⤵
        
        PID:8556
      - C:\Users\Admin\AppData\Local\Temp\Unicorn-36117.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-36117.exe
        6⤵
        
        PID:4972
      - C:\Users\Admin\AppData\Local\Temp\Unicorn-437.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-437.exe
        6⤵
        
        PID:6040
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2416 -s 248
        6⤵
        
        PID:7540
    - - C:\Users\Admin\AppData\Local\Temp\Unicorn-27710.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-27710.exe
        5⤵
        
        PID:3652
      - C:\Users\Admin\AppData\Local\Temp\Unicorn-34980.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-34980.exe
        6⤵
        
        PID:6164
      - C:\Users\Admin\AppData\Local\Temp\Unicorn-53625.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-53625.exe
        6⤵
        
        PID:7368
      - C:\Users\Admin\AppData\Local\Temp\Unicorn-63650.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-63650.exe
        6⤵
        
        PID:8176
    - - C:\Users\Admin\AppData\Local\Temp\Unicorn-59500.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-59500.exe
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:5068
    - - C:\Users\Admin\AppData\Local\Temp\Unicorn-26256.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-26256.exe
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:5772
    - - C:\Users\Admin\AppData\Local\Temp\Unicorn-6096.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-6096.exe
        5⤵
        
        PID:7212
    - - C:\Users\Admin\AppData\Local\Temp\Unicorn-35051.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-35051.exe
        5⤵
        
        PID:7964
    - - C:\Users\Admin\AppData\Local\Temp\Unicorn-57955.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-57955.exe
        5⤵
        
        PID:9212
  - - C:\Users\Admin\AppData\Local\Temp\Unicorn-52381.exe
      C:\Users\Admin\AppData\Local\Temp\Unicorn-52381.exe
      4⤵
      PID:1932
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1932 -s 240
        5⤵
        Program crash
        
        PID:2868
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 1900 -s 240
      4⤵
      Program crash
      PID:2516
- - C:\Users\Admin\AppData\Local\Temp\Unicorn-1841.exe
    C:\Users\Admin\AppData\Local\Temp\Unicorn-1841.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    PID:2772
  - - C:\Users\Admin\AppData\Local\Temp\Unicorn-50736.exe
      C:\Users\Admin\AppData\Local\Temp\Unicorn-50736.exe
      4⤵
      PID:2108
    - - C:\Users\Admin\AppData\Local\Temp\Unicorn-46071.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-46071.exe
        5⤵
        
        PID:2552
      - C:\Users\Admin\AppData\Local\Temp\Unicorn-47576.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-47576.exe
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:3760
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-40242.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-40242.exe
        7⤵
        
        PID:7360
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-21902.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-21902.exe
        7⤵
        System Location Discovery: System Language Discovery
        
        PID:8808
      - C:\Users\Admin\AppData\Local\Temp\Unicorn-45765.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-45765.exe
        6⤵
        
        PID:5052
      - C:\Users\Admin\AppData\Local\Temp\Unicorn-49830.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-49830.exe
        6⤵
        
        PID:5284
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2552 -s 228
        6⤵
        
        PID:7456
    - - C:\Users\Admin\AppData\Local\Temp\Unicorn-36646.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-36646.exe
        5⤵
        
        PID:3788
      - C:\Users\Admin\AppData\Local\Temp\Unicorn-57969.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-57969.exe
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:8088
      - C:\Users\Admin\AppData\Local\Temp\Unicorn-64793.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-64793.exe
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:9100
    - - C:\Users\Admin\AppData\Local\Temp\Unicorn-27595.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-27595.exe
        5⤵
        
        PID:4672
    - - C:\Users\Admin\AppData\Local\Temp\Unicorn-59587.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-59587.exe
        5⤵
        
        PID:5172
    - - C:\Users\Admin\AppData\Local\Temp\Unicorn-15691.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-15691.exe
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:7512
    - - C:\Users\Admin\AppData\Local\Temp\Unicorn-36670.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-36670.exe
        5⤵
        
        PID:7960
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2108 -s 244
        5⤵
        
        PID:8636
  - - C:\Users\Admin\AppData\Local\Temp\Unicorn-17845.exe
      C:\Users\Admin\AppData\Local\Temp\Unicorn-17845.exe
      4⤵
      PID:2360
    - - C:\Users\Admin\AppData\Local\Temp\Unicorn-42413.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-42413.exe
        5⤵
        
        PID:4460
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2360 -s 216
        5⤵
        
        PID:6088
  - - C:\Users\Admin\AppData\Local\Temp\Unicorn-40699.exe
      C:\Users\Admin\AppData\Local\Temp\Unicorn-40699.exe
      4⤵
      PID:3116
    - - C:\Users\Admin\AppData\Local\Temp\Unicorn-24560.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-24560.exe
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:8104
    - - C:\Users\Admin\AppData\Local\Temp\Unicorn-3433.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-3433.exe
        5⤵
        
        PID:8820
  - - C:\Users\Admin\AppData\Local\Temp\Unicorn-59802.exe
      C:\Users\Admin\AppData\Local\Temp\Unicorn-59802.exe
      4⤵
      PID:4656
  - - C:\Users\Admin\AppData\Local\Temp\Unicorn-50922.exe
      C:\Users\Admin\AppData\Local\Temp\Unicorn-50922.exe
      4⤵
      PID:5840
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 2772 -s 248
      4⤵
      PID:7504
- - C:\Users\Admin\AppData\Local\Temp\Unicorn-20101.exe
    C:\Users\Admin\AppData\Local\Temp\Unicorn-20101.exe
    3⤵
    PID:2912
  - - C:\Users\Admin\AppData\Local\Temp\Unicorn-23809.exe
      C:\Users\Admin\AppData\Local\Temp\Unicorn-23809.exe
      4⤵
      System Location Discovery: System Language Discovery
      PID:280
    - - C:\Users\Admin\AppData\Local\Temp\Unicorn-34606.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-34606.exe
        5⤵
        
        PID:5468
    - - C:\Users\Admin\AppData\Local\Temp\Unicorn-11881.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-11881.exe
        5⤵
        
        PID:6952
    - - C:\Users\Admin\AppData\Local\Temp\Unicorn-38196.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-38196.exe
        5⤵
        
        PID:7984
    - - C:\Users\Admin\AppData\Local\Temp\Unicorn-45971.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-45971.exe
        5⤵
        
        PID:8648
  - - C:\Users\Admin\AppData\Local\Temp\Unicorn-64099.exe
      C:\Users\Admin\AppData\Local\Temp\Unicorn-64099.exe
      4⤵
      System Location Discovery: System Language Discovery
      PID:4848
  - - C:\Users\Admin\AppData\Local\Temp\Unicorn-2004.exe
      C:\Users\Admin\AppData\Local\Temp\Unicorn-2004.exe
      4⤵
      PID:5696
  - - C:\Users\Admin\AppData\Local\Temp\Unicorn-30200.exe
      C:\Users\Admin\AppData\Local\Temp\Unicorn-30200.exe
      4⤵
      PID:6428
  - - C:\Users\Admin\AppData\Local\Temp\Unicorn-25800.exe
      C:\Users\Admin\AppData\Local\Temp\Unicorn-25800.exe
      4⤵
      PID:8168
  - - C:\Users\Admin\AppData\Local\Temp\Unicorn-46971.exe
      C:\Users\Admin\AppData\Local\Temp\Unicorn-46971.exe
      4⤵
      PID:8480
- - C:\Users\Admin\AppData\Local\Temp\Unicorn-9236.exe
    C:\Users\Admin\AppData\Local\Temp\Unicorn-9236.exe
    3⤵
    - System Location Discovery: System Language Discovery
    PID:3148
  - - C:\Users\Admin\AppData\Local\Temp\Unicorn-14517.exe
      C:\Users\Admin\AppData\Local\Temp\Unicorn-14517.exe
      4⤵
      PID:4700
  - - C:\Users\Admin\AppData\Local\Temp\Unicorn-7013.exe
      C:\Users\Admin\AppData\Local\Temp\Unicorn-7013.exe
      4⤵
      PID:6212
  - - C:\Users\Admin\AppData\Local\Temp\Unicorn-46888.exe
      C:\Users\Admin\AppData\Local\Temp\Unicorn-46888.exe
      4⤵
      PID:7708
  - - C:\Users\Admin\AppData\Local\Temp\Unicorn-5462.exe
      C:\Users\Admin\AppData\Local\Temp\Unicorn-5462.exe
      4⤵
      PID:8440
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 3148 -s 244
      4⤵
      PID:8560
- - C:\Users\Admin\AppData\Local\Temp\Unicorn-6757.exe
    C:\Users\Admin\AppData\Local\Temp\Unicorn-6757.exe
    3⤵
    PID:5040
- - C:\Users\Admin\AppData\Local\Temp\Unicorn-51906.exe
    C:\Users\Admin\AppData\Local\Temp\Unicorn-51906.exe
    3⤵
    - System Location Discovery: System Language Discovery
    PID:6012
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 1088 -s 244
    3⤵
    PID:6748
- C:\Users\Admin\AppData\Local\Temp\Unicorn-45511.exe
  C:\Users\Admin\AppData\Local\Temp\Unicorn-45511.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:940
- - C:\Users\Admin\AppData\Local\Temp\Unicorn-21707.exe
    C:\Users\Admin\AppData\Local\Temp\Unicorn-21707.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:2560
  - - C:\Users\Admin\AppData\Local\Temp\Unicorn-12635.exe
      C:\Users\Admin\AppData\Local\Temp\Unicorn-12635.exe
      4⤵
      PID:2660
    - - C:\Users\Admin\AppData\Local\Temp\Unicorn-48868.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-48868.exe
        5⤵
        
        PID:2148
      - C:\Users\Admin\AppData\Local\Temp\Unicorn-33726.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-33726.exe
        6⤵
        
        PID:4748
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2148 -s 236
        6⤵
        
        PID:5660
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2660 -s 248
        5⤵
        Program crash
        
        PID:4180
  - - C:\Users\Admin\AppData\Local\Temp\Unicorn-6335.exe
      C:\Users\Admin\AppData\Local\Temp\Unicorn-6335.exe
      4⤵
      PID:2780
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2780 -s 224
        5⤵
        
        PID:5684
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 2560 -s 244
      4⤵
      Program crash
      PID:4208
- - C:\Users\Admin\AppData\Local\Temp\Unicorn-30870.exe
    C:\Users\Admin\AppData\Local\Temp\Unicorn-30870.exe
    3⤵
    PID:2784
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 2784 -s 224
      4⤵
      Program crash
      PID:3520
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 940 -s 244
    3⤵
    - Program crash
    PID:3420
- C:\Users\Admin\AppData\Local\Temp\Unicorn-45441.exe
  C:\Users\Admin\AppData\Local\Temp\Unicorn-45441.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  PID:2628
- - C:\Users\Admin\AppData\Local\Temp\Unicorn-55697.exe
    C:\Users\Admin\AppData\Local\Temp\Unicorn-55697.exe
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2732
  - - C:\Users\Admin\AppData\Local\Temp\Unicorn-46071.exe
      C:\Users\Admin\AppData\Local\Temp\Unicorn-46071.exe
      4⤵
      PID:2664
    - - C:\Users\Admin\AppData\Local\Temp\Unicorn-55817.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-55817.exe
        5⤵
        
        PID:4528
    - - C:\Users\Admin\AppData\Local\Temp\Unicorn-50537.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-50537.exe
        5⤵
        
        PID:484
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2664 -s 220
        5⤵
        
        PID:2276
  - - C:\Users\Admin\AppData\Local\Temp\Unicorn-43683.exe
      C:\Users\Admin\AppData\Local\Temp\Unicorn-43683.exe
      4⤵
      PID:1660
    - - C:\Users\Admin\AppData\Local\Temp\Unicorn-32447.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-32447.exe
        5⤵
        
        PID:5736
    - - C:\Users\Admin\AppData\Local\Temp\Unicorn-10599.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-10599.exe
        5⤵
        
        PID:6464
    - - C:\Users\Admin\AppData\Local\Temp\Unicorn-28600.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-28600.exe
        5⤵
        
        PID:7272
    - - C:\Users\Admin\AppData\Local\Temp\Unicorn-55452.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-55452.exe
        5⤵
        
        PID:8596
  - - C:\Users\Admin\AppData\Local\Temp\Unicorn-40533.exe
      C:\Users\Admin\AppData\Local\Temp\Unicorn-40533.exe
      4⤵
      PID:4264
  - - C:\Users\Admin\AppData\Local\Temp\Unicorn-6302.exe
      C:\Users\Admin\AppData\Local\Temp\Unicorn-6302.exe
      4⤵
      PID:5168
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 2732 -s 224
      4⤵
      PID:7520
- - C:\Users\Admin\AppData\Local\Temp\Unicorn-21929.exe
    C:\Users\Admin\AppData\Local\Temp\Unicorn-21929.exe
    3⤵
    PID:808
  - - C:\Users\Admin\AppData\Local\Temp\Unicorn-63985.exe
      C:\Users\Admin\AppData\Local\Temp\Unicorn-63985.exe
      4⤵
      PID:3144
  - - C:\Users\Admin\AppData\Local\Temp\Unicorn-50537.exe
      C:\Users\Admin\AppData\Local\Temp\Unicorn-50537.exe
      4⤵
      PID:5244
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 808 -s 224
      4⤵
      PID:6476
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2628 -s 240
    3⤵
    - Program crash
    PID:3112
- C:\Users\Admin\AppData\Local\Temp\Unicorn-22600.exe
  C:\Users\Admin\AppData\Local\Temp\Unicorn-22600.exe
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2720
- - C:\Users\Admin\AppData\Local\Temp\Unicorn-10824.exe
    C:\Users\Admin\AppData\Local\Temp\Unicorn-10824.exe
    3⤵
    PID:2236
  - - C:\Users\Admin\AppData\Local\Temp\Unicorn-51165.exe
      C:\Users\Admin\AppData\Local\Temp\Unicorn-51165.exe
      4⤵
      PID:4420
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 2236 -s 236
      4⤵
      PID:6648
- - C:\Users\Admin\AppData\Local\Temp\Unicorn-56678.exe
    C:\Users\Admin\AppData\Local\Temp\Unicorn-56678.exe
    3⤵
    PID:4128
  - - C:\Users\Admin\AppData\Local\Temp\Unicorn-36397.exe
      C:\Users\Admin\AppData\Local\Temp\Unicorn-36397.exe
      4⤵
      PID:7592
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 4128 -s 216
      4⤵
      PID:8832
- - C:\Users\Admin\AppData\Local\Temp\Unicorn-54438.exe
    C:\Users\Admin\AppData\Local\Temp\Unicorn-54438.exe
    3⤵
    - System Location Discovery: System Language Discovery
    PID:5404
- - C:\Users\Admin\AppData\Local\Temp\Unicorn-49769.exe
    C:\Users\Admin\AppData\Local\Temp\Unicorn-49769.exe
    3⤵
    PID:6820
- - C:\Users\Admin\AppData\Local\Temp\Unicorn-45562.exe
    C:\Users\Admin\AppData\Local\Temp\Unicorn-45562.exe
    3⤵
    PID:7408
- - C:\Users\Admin\AppData\Local\Temp\Unicorn-33328.exe
    C:\Users\Admin\AppData\Local\Temp\Unicorn-33328.exe
    3⤵
    PID:9016
- C:\Users\Admin\AppData\Local\Temp\Unicorn-22658.exe
  C:\Users\Admin\AppData\Local\Temp\Unicorn-22658.exe
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2192
- - C:\Users\Admin\AppData\Local\Temp\Unicorn-51741.exe
    C:\Users\Admin\AppData\Local\Temp\Unicorn-51741.exe
    3⤵
    PID:5136
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2192 -s 216
    3⤵
    PID:6640
- C:\Users\Admin\AppData\Local\Temp\Unicorn-20857.exe
  C:\Users\Admin\AppData\Local\Temp\Unicorn-20857.exe
  2⤵
  PID:4340
- C:\Users\Admin\AppData\Local\Temp\Unicorn-29502.exe
  C:\Users\Admin\AppData\Local\Temp\Unicorn-29502.exe
  2⤵
  PID:5348
- C:\Users\Admin\AppData\Local\Temp\Unicorn-56769.exe
  C:\Users\Admin\AppData\Local\Temp\Unicorn-56769.exe
  2⤵
  PID:6852
- C:\Users\Admin\AppData\Local\Temp\Unicorn-43027.exe
  C:\Users\Admin\AppData\Local\Temp\Unicorn-43027.exe
  2⤵
  PID:7440
- C:\Users\Admin\AppData\Local\Temp\Unicorn-62729.exe
  C:\Users\Admin\AppData\Local\Temp\Unicorn-62729.exe
  2⤵
  PID:9068

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\Unicorn-1654.exe

Filesize
468KB

MD5
38a91991cc081dbb96d66497dd490699

SHA1
c3aadeb1a865618ee4f41c2ec5447906142526c0

SHA256
2ac0a0d969bcd9c4f95beb10351e3cafcb7922f6f43062a5d30e1406da49c7fa

SHA512
7827f513f02e01d07827e9ce109d6cc4428972f2eae70e5ff22fba5f54a86b1e2bd4bd13804c78a597945b8e708469bfad59f1d2ebb45dd8dab484a0f1d0e147

Download Submit
C:\Users\Admin\AppData\Local\Temp\Unicorn-22854.exe

Filesize
468KB

MD5
d335c90de01ed9fbb7a6d813686eeb1d

SHA1
4ab8f54cc409ee8c8052e6649d7e5d68ed73f474

SHA256
e52a227ffc98bef06d61f58630f84f7ea93f071479eea80a018de725158c4186

SHA512
faf99017b3bc0f8eb7d0197be7f1a9370e014f7f021e3fe976e5655fd1d5dbef6fecbf0f93334ae962a1419a93503b5ca01a951828c07d2abef10886ab875e3e

Download Submit
C:\Users\Admin\AppData\Local\Temp\Unicorn-55452.exe

Filesize
468KB

MD5
7a7072d79bb2c19b13bf9ac33581bc82

SHA1
00c9a7ae45363f411f5bb165ba7d6394154964a5

SHA256
52444cd883ca9126c4b10b53ab4891a80b5a793567e68acf22eda15ff6ca5f83

SHA512
02dbe93f1abb61f419cc634d1aa376389f3b24cc8be2d3d7afd52d6796b4c553bfa801b05d336b59b545e091c0513b6ef50d82ed6bf441337eef6fe4368644cd

Download Submit
C:\Users\Admin\AppData\Local\Temp\Unicorn-58084.exe

Filesize
468KB

MD5
bc77e316def912e1bea3f5aa5a395c9c

SHA1
551fc4b02ac18c680fc0f0a7e894881dca1a4b60

SHA256
e33900986fa87dfa618e149d0b2aeab3388cbc4d4e38132efd7a3a46441b6162

SHA512
85129fa2235d8b45e35be665061d9d26ac8c60cc29c4ab630ec9301337d2f5ce04f4713a0712a49ad9a7e14d834386549cec088e531bb9a41329c331d6d12b3e

Download Submit
\Users\Admin\AppData\Local\Temp\Unicorn-1462.exe

Filesize
468KB

MD5
92540cdf1087bf07ce366cbd09abe502

SHA1
7bee8c9e1eaf39e430519175a55cdb6c206ec56a

SHA256
9dc8c0b2a8dad83ec9f9cc0bcd862df84c1c5a6586b1b007beee7cc00e2ee892

SHA512
eb9e485721f31e403435c4aa3927befdb8e9229e96a33be9358f45e5ee1bb148e133e00ddd29cef686f308b586abee55ce06d87b6b5bc4e254e3e3f4260aef2b

Download Submit
\Users\Admin\AppData\Local\Temp\Unicorn-19086.exe

Filesize
468KB

MD5
9f2f0197237146b59ff6a2f383100174

SHA1
ebf60112f88ec374d89bf7f3b66dd7396a673831

SHA256
e269ce572144bb8a2c4feb1462984a617696240ce515bf001272baa4315fd6b9

SHA512
6b84cdd1e2b4f884f70cddea0fb2de247c6615f60ba39a7fe8fa8e907f1ba57a0eec8ebfe3317e95b4b877dd49aba3d273707f0953647c87aed1ad143d7667a2

Download Submit
\Users\Admin\AppData\Local\Temp\Unicorn-21062.exe

Filesize
468KB

MD5
797820ba85eb07af7418ae12f073f9e3

SHA1
2b8f7b495228227a48a37449862968b0d3e1214d

SHA256
87b4c21491e50bc36dcfcbe410d8cba629267edf03b1b023f64d1acae4a38bce

SHA512
f10e4192a1b2ba12c9df7066c5859030106acbcd23e12f7ca32079a8bfb4fc50521e6e7653b06d36149efd5168a03fd872a96ef3e2590d398e5b754d4d73596d

Download Submit
\Users\Admin\AppData\Local\Temp\Unicorn-21769.exe

Filesize
468KB

MD5
697cbb8844e379adedc9e041cc31228c

SHA1
2209d5bbe0be6060b121f5347cdbe106d3ee0dd1

SHA256
89f0c5edc3cf1045c405358251945b9ec427bf1bea213da51dd1f1b39499d137

SHA512
c16fadaca8ed7cc4544d428f472ecebb59efd3b8c92691878083ba2e59a17b56e2426b957908a7f51e5082767054435b05becf5d2a61135dd04d5781bfc1159e

Download Submit
\Users\Admin\AppData\Local\Temp\Unicorn-22074.exe

Filesize
468KB

MD5
4b1809b387bf90a97d1baa3dcf052dfd

SHA1
68d331ac8242b298c08c3d2e8fd6eba089b09abd

SHA256
55a0257902ddb3c54b4821152899a411d6ba2cf31c5ecf38df79d87ebc7f9dfa

SHA512
8ec68e361d55d7dd0c79cb62f7220c03aed53b040d163e880837a28225f65c0e2e7a11dadd94dd5e5f7d9118b341f4b3dc2160885a9b11ba48bedf05bc3053d4

Download Submit
\Users\Admin\AppData\Local\Temp\Unicorn-33423.exe

Filesize
468KB

MD5
5a3132275a2eb15b90199f9f756e7c8e

SHA1
60e0c917ce74dac5832d99df390360bef64fa009

SHA256
0260b96cc42c75852b9c4cf073dbf357f380f747f1c9d5945cdcf4878be76062

SHA512
212826a9f22560ef78f55549ef111eee102c40510a95b30dfaa1e8a82855b4cf03bb8a50674994876e9d857e81a338c791cc3c9226411908d367e1875a4c0eab

Download Submit
\Users\Admin\AppData\Local\Temp\Unicorn-41229.exe

Filesize
468KB

MD5
02ea90f2a3faf65053f62d3fc6d45643

SHA1
824f13ba431c130a920d54c90769e561c42c494a

SHA256
d1f73f5a757fc98a3a4cde4d025bc19c98a9d60b7c7442dbc6ce6a8bc0cefdb0

SHA512
bbc9f2db567832ee1fc29e48055fe2c2f2efec199d45825d9dc926aa2e87a3e7f4bc3ddad732048425c69090b13805a2809834e3efa17f9ce865a533fdebe1eb

Download Submit
\Users\Admin\AppData\Local\Temp\Unicorn-43786.exe

Filesize
468KB

MD5
8def0bfa31c48682527f708ec9578bfe

SHA1
6588f6931eff017cca208c8caa5359ed37a6569c

SHA256
95bb935d71c7e593321db60428312c374b4e1dd7a59ce928888adcd6f8da840d

SHA512
f363f90d6aff250db6c79136b78b7740f5dbc5c7868fdea5349419235e6efd4bc926418add68735bb3adac19327b8f1b52a262939f7e6ea09aa77ea9efa1aa7d

Download Submit
\Users\Admin\AppData\Local\Temp\Unicorn-51410.exe

Filesize
468KB

MD5
aac1721dab4a9683a8d1077234185013

SHA1
02c6440dce6a1782d8464cffba741bcabe4d4146

SHA256
5078c2bde814ff4dfab158bf33265430a13192a9af3ceb6afe2efddee90486e8

SHA512
9e5528110fe4f21322e0a728f7847b3232c81554022ea705c7ad23a31629d37629ea91122b24268d62879faed1c482ea522fc2ef4a5a637f7808a458d06a66e7

Download Submit
\Users\Admin\AppData\Local\Temp\Unicorn-51436.exe

Filesize
468KB

MD5
ebf6d9712247e6ea1a4e12de645af4ee

SHA1
bfefadd0eab7332323b72efc5a88b39185a48506

SHA256
1a5444020c92ae28cf9088bcd0306f5a2583e2019b053d0de913b4b0d9e456d3

SHA512
e6c4d9a9052ef787c0074aef937023445a41b026264f15a2f613fea9e36855a2c026439383e7ac64a5994ef3dc728c7bef3f02dd39dc2ef2f710d0a6f2130c27

Download Submit
\Users\Admin\AppData\Local\Temp\Unicorn-55676.exe

Filesize
468KB

MD5
6ee736f4e83a16faa337a4fbf4ee3fa6

SHA1
3f6732476e0cae96474cb329f23ad80810f9a1ff

SHA256
bf2886116a2fae45498f30d815e0b8264af4c5e703552c44523c0e6137fefddb

SHA512
4123d1439884541d310232a81e24ae73bca023a02411bd02279d81e97c4410d3c7f4b917a802ec84beeb478cd043c217f4070b2b9b77a3b89998a053c2a5c1af

Download Submit
\Users\Admin\AppData\Local\Temp\Unicorn-61061.exe

Filesize
468KB

MD5
c4a7aeb9db0e9f4cd636c59cbca0d1ec

SHA1
36b0c0745023ceedb17de5ae8621af66ac257ed9

SHA256
e378b19b42d219198ad91422caad01ae7cb55c8bcd4cf53fe3971b934a25544d

SHA512
a6210bfc769b201af2f7b3bae90ad8bf2a5cb3e14e7a01a229367ff82c5b22f39355092385b652b0e3ad68a7d9375bedf7ff31e2d4583a4fbd06c38df5ec6668

Download Submit
\Users\Admin\AppData\Local\Temp\Unicorn-62360.exe

Filesize
468KB

MD5
06bfaf33c08eac7d8a4f4edcf047d335

SHA1
bb5e7fb9d03737482df46169fb544a0e9d706d43

SHA256
8e47eeeed4d8db79af825849d16758ba4f5faa3eedc05f2ec17ddb4292cfba70

SHA512
be1ba7ab749e035eae1519cd374b89b783637393a1316d1f7b3a91462c0f4232ff985941a30526b86da2a6a5da261cfd0889a985db8e4cabef8e6ca867bea2af

Download Submit
\Users\Admin\AppData\Local\Temp\Unicorn-63107.exe

Filesize
468KB

MD5
bade60993427d15f0540b52180e5945b

SHA1
6257eb736ff928fd4248f1cad433b0e43cdf9561

SHA256
7ccbe207789d3679182410692d72173237db5da61cf68fb448f32e4888215010

SHA512
5f548d16536ead20900c8b508703d46c929ab5058c9d8d399b24c10e6fb1dbcc6360a6046fc01fa134dcc007afa2cc95f1d906760a5c6fd2f263048facb96830

Download Submit
\Users\Admin\AppData\Local\Temp\Unicorn-715.exe

Filesize
468KB

MD5
0e56cedb01440e137391b583678ebf26

SHA1
7064456cebb19f532c81335fe900065242451154

SHA256
3d2ccda6e65e5e8b5a8d4e4aa452a1e3cb0418cba357a49a3f66a4d93dbecfa2

SHA512
525fe6e8c958154c41b7c2cd8eab695a34b5c05a32a2c7b051f14b787494d4558da7790eb3e0b0e86012bb31fe441ce25ea96cb014ebabcdb2afc83d53c511a8

Download Submit