Analysis
-
max time kernel
31s -
max time network
97s -
platform
windows10-2004_x64 -
resource
win10v2004-20240709-en -
resource tags
arch:x64arch:x86image:win10v2004-20240709-enlocale:en-usos:windows10-2004-x64system -
submitted
26/07/2024, 19:39
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
49e0fff28913bfe59cb84adab4044a20N.exe
Resource
win7-20240708-en
windows7-x64
7 signatures
120 seconds
Behavioral task
behavioral2
Sample
49e0fff28913bfe59cb84adab4044a20N.exe
Resource
win10v2004-20240709-en
windows10-2004-x64
6 signatures
120 seconds
General
-
Target
49e0fff28913bfe59cb84adab4044a20N.exe
-
Size
7KB
-
MD5
49e0fff28913bfe59cb84adab4044a20
-
SHA1
7d22460b870868a9ca73ae515c319105e706a00c
-
SHA256
bb1ae302abdd89a1d90832e3fcf869e6f8ef21688860fae1ae4607d5d55a51c1
-
SHA512
cf550e90d58111b3d04b7eca8eb98300d13e956c1fdd2ecc397d9de7ecb0d827e424ba87a6284ff588cefa818254b5aabcf8226917e4ef197a26d0db77e592ca
-
SSDEEP
96:Gk32tdsBxJFIWI9NVc1eG6PWna1JIwmidimcXOhg:GJdsXwWENSeG12JIwmKimuO6
Score
7/10
Malware Config
Signatures
-
Executes dropped EXE 64 IoCs
pid Process 1440 PurpleMood.scr 4948 PurpleMood.scr 4268 PurpleMood.scr 2908 PurpleMood.scr 3040 PurpleMood.scr 3616 PurpleMood.scr 3560 PurpleMood.scr 4412 PurpleMood.scr 2652 PurpleMood.scr 3144 PurpleMood.scr 3712 PurpleMood.scr 2332 PurpleMood.scr 4208 PurpleMood.scr 548 PurpleMood.scr 5096 PurpleMood.scr 3240 PurpleMood.scr 800 PurpleMood.scr 1508 PurpleMood.scr 3368 PurpleMood.scr 2428 PurpleMood.scr 4628 PurpleMood.scr 964 PurpleMood.scr 1772 PurpleMood.scr 2692 PurpleMood.scr 1544 PurpleMood.scr 1968 PurpleMood.scr 2644 PurpleMood.scr 3520 PurpleMood.scr 2320 PurpleMood.scr 3808 PurpleMood.scr 3284 PurpleMood.scr 3736 PurpleMood.scr 2604 PurpleMood.scr 1624 PurpleMood.scr 3048 PurpleMood.scr 2244 PurpleMood.scr 736 PurpleMood.scr 2568 PurpleMood.scr 4692 PurpleMood.scr 2396 PurpleMood.scr 2400 PurpleMood.scr 3584 PurpleMood.scr 4196 PurpleMood.scr 1048 PurpleMood.scr 2356 PurpleMood.scr 1648 PurpleMood.scr 1044 PurpleMood.scr 1088 PurpleMood.scr 2148 PurpleMood.scr 2304 PurpleMood.scr 1748 PurpleMood.scr 3572 PurpleMood.scr 4496 PurpleMood.scr 4456 PurpleMood.scr 4304 PurpleMood.scr 1068 PurpleMood.scr 4448 PurpleMood.scr 1028 PurpleMood.scr 1016 PurpleMood.scr 720 PurpleMood.scr 2760 PurpleMood.scr 4156 PurpleMood.scr 4256 PurpleMood.scr 4324 PurpleMood.scr -
Adds Run key to start application 2 TTPs 24 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\PurpleMood = "C:\\Windows\\system32\\PurpleMood.scr" PurpleMood.scr Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\PurpleMood = "C:\\Windows\\system32\\PurpleMood.scr" PurpleMood.scr Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\PurpleMood = "C:\\Windows\\system32\\PurpleMood.scr" PurpleMood.scr Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\PurpleMood = "C:\\Windows\\system32\\PurpleMood.scr" PurpleMood.scr Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\PurpleMood = "C:\\Windows\\system32\\PurpleMood.scr" PurpleMood.scr Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\PurpleMood = "C:\\Windows\\system32\\PurpleMood.scr" PurpleMood.scr Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\PurpleMood = "C:\\Windows\\system32\\PurpleMood.scr" PurpleMood.scr Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\PurpleMood = "C:\\Windows\\system32\\PurpleMood.scr" PurpleMood.scr Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\PurpleMood = "C:\\Windows\\system32\\PurpleMood.scr" 49e0fff28913bfe59cb84adab4044a20N.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\PurpleMood = "C:\\Windows\\system32\\PurpleMood.scr" PurpleMood.scr Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\PurpleMood = "C:\\Windows\\system32\\PurpleMood.scr" PurpleMood.scr Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\PurpleMood = "C:\\Windows\\system32\\PurpleMood.scr" PurpleMood.scr Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\PurpleMood = "C:\\Windows\\system32\\PurpleMood.scr" PurpleMood.scr Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\PurpleMood = "C:\\Windows\\system32\\PurpleMood.scr" PurpleMood.scr Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\PurpleMood = "C:\\Windows\\system32\\PurpleMood.scr" PurpleMood.scr Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\PurpleMood = "C:\\Windows\\system32\\PurpleMood.scr" PurpleMood.scr Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\PurpleMood = "C:\\Windows\\system32\\PurpleMood.scr" PurpleMood.scr Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\PurpleMood = "C:\\Windows\\system32\\PurpleMood.scr" PurpleMood.scr Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\PurpleMood = "C:\\Windows\\system32\\PurpleMood.scr" PurpleMood.scr Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\PurpleMood = "C:\\Windows\\system32\\PurpleMood.scr" PurpleMood.scr Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\PurpleMood = "C:\\Windows\\system32\\PurpleMood.scr" PurpleMood.scr Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\PurpleMood = "C:\\Windows\\system32\\PurpleMood.scr" PurpleMood.scr Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\PurpleMood = "C:\\Windows\\system32\\PurpleMood.scr" PurpleMood.scr Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\PurpleMood = "C:\\Windows\\system32\\PurpleMood.scr" PurpleMood.scr -
Drops file in System32 directory 64 IoCs
description ioc Process File created C:\Windows\SysWOW64\PurpleMood.scr PurpleMood.scr File created C:\Windows\SysWOW64\PurpleMood.scr PurpleMood.scr File created C:\Windows\SysWOW64\PurpleMood.scr Process not Found File created C:\Windows\SysWOW64\PurpleMood.scr PurpleMood.scr File created C:\Windows\SysWOW64\PurpleMood.scr PurpleMood.scr File created C:\Windows\SysWOW64\PurpleMood.scr PurpleMood.scr File created C:\Windows\SysWOW64\PurpleMood.scr PurpleMood.scr File created C:\Windows\SysWOW64\PurpleMood.scr PurpleMood.scr File created C:\Windows\SysWOW64\PurpleMood.scr PurpleMood.scr File created C:\Windows\SysWOW64\PurpleMood.scr Process not Found File created C:\Windows\SysWOW64\PurpleMood.scr PurpleMood.scr File created C:\Windows\SysWOW64\PurpleMood.scr PurpleMood.scr File created C:\Windows\SysWOW64\PurpleMood.scr PurpleMood.scr File created C:\Windows\SysWOW64\PurpleMood.scr PurpleMood.scr File created C:\Windows\SysWOW64\PurpleMood.scr PurpleMood.scr File created C:\Windows\SysWOW64\PurpleMood.scr PurpleMood.scr File created C:\Windows\SysWOW64\PurpleMood.scr PurpleMood.scr File created C:\Windows\SysWOW64\PurpleMood.scr PurpleMood.scr File created C:\Windows\SysWOW64\PurpleMood.scr PurpleMood.scr File created C:\Windows\SysWOW64\PurpleMood.scr PurpleMood.scr File created C:\Windows\SysWOW64\PurpleMood.scr PurpleMood.scr File created C:\Windows\SysWOW64\PurpleMood.scr Process not Found File created C:\Windows\SysWOW64\PurpleMood.scr PurpleMood.scr File created C:\Windows\SysWOW64\PurpleMood.scr PurpleMood.scr File created C:\Windows\SysWOW64\PurpleMood.scr PurpleMood.scr File created C:\Windows\SysWOW64\PurpleMood.scr PurpleMood.scr File created C:\Windows\SysWOW64\PurpleMood.scr PurpleMood.scr File created C:\Windows\SysWOW64\PurpleMood.scr PurpleMood.scr File created C:\Windows\SysWOW64\PurpleMood.scr PurpleMood.scr File created C:\Windows\SysWOW64\PurpleMood.scr PurpleMood.scr File created C:\Windows\SysWOW64\PurpleMood.scr PurpleMood.scr File created C:\Windows\SysWOW64\PurpleMood.scr PurpleMood.scr File created C:\Windows\SysWOW64\PurpleMood.scr PurpleMood.scr File created C:\Windows\SysWOW64\PurpleMood.scr PurpleMood.scr File created C:\Windows\SysWOW64\PurpleMood.scr Process not Found File created C:\Windows\SysWOW64\PurpleMood.scr PurpleMood.scr File created C:\Windows\SysWOW64\PurpleMood.scr PurpleMood.scr File created C:\Windows\SysWOW64\PurpleMood.scr PurpleMood.scr File created C:\Windows\SysWOW64\PurpleMood.scr PurpleMood.scr File created C:\Windows\SysWOW64\PurpleMood.scr Process not Found File created C:\Windows\SysWOW64\PurpleMood.scr PurpleMood.scr File created C:\Windows\SysWOW64\PurpleMood.scr PurpleMood.scr File created C:\Windows\SysWOW64\PurpleMood.scr PurpleMood.scr File created C:\Windows\SysWOW64\PurpleMood.scr Process not Found File created C:\Windows\SysWOW64\PurpleMood.scr PurpleMood.scr File created C:\Windows\SysWOW64\PurpleMood.scr PurpleMood.scr File created C:\Windows\SysWOW64\PurpleMood.scr PurpleMood.scr File created C:\Windows\SysWOW64\PurpleMood.scr PurpleMood.scr File created C:\Windows\SysWOW64\PurpleMood.scr PurpleMood.scr File created C:\Windows\SysWOW64\PurpleMood.scr PurpleMood.scr File created C:\Windows\SysWOW64\PurpleMood.scr PurpleMood.scr File created C:\Windows\SysWOW64\PurpleMood.scr PurpleMood.scr File created C:\Windows\SysWOW64\PurpleMood.scr Process not Found File created C:\Windows\SysWOW64\PurpleMood.scr Process not Found File created C:\Windows\SysWOW64\PurpleMood.scr PurpleMood.scr File created C:\Windows\SysWOW64\PurpleMood.scr PurpleMood.scr File created C:\Windows\SysWOW64\PurpleMood.scr Process not Found File created C:\Windows\SysWOW64\PurpleMood.scr PurpleMood.scr File created C:\Windows\SysWOW64\PurpleMood.scr PurpleMood.scr File created C:\Windows\SysWOW64\PurpleMood.scr PurpleMood.scr File created C:\Windows\SysWOW64\PurpleMood.scr PurpleMood.scr File created C:\Windows\SysWOW64\PurpleMood.scr PurpleMood.scr File created C:\Windows\SysWOW64\PurpleMood.scr PurpleMood.scr File created C:\Windows\SysWOW64\PurpleMood.scr PurpleMood.scr -
Program crash 64 IoCs
pid pid_target Process procid_target 3996 4268 Process not Found 86 23528 3616 Process not Found 89 2168 4948 Process not Found 85 3960 3280 Process not Found 83 4028 5236 Process not Found 194 4828 5964 Process not Found 229 5896 5856 Process not Found 245 7164 5980 Process not Found 230 992 6276 Process not Found 301 3308 8348 Process not Found 372 8656 8496 Process not Found 379 7368 8932 Process not Found 422 7996 10032 Process not Found 467 8844 10540 Process not Found 504 9000 10796 Process not Found 516 5524 11204 Process not Found 536 6424 10828 Process not Found 550 7060 11584 Process not Found 574 10996 11520 Process not Found 571 8704 12360 Process not Found 621 9564 12520 Process not Found 631 10696 12616 Process not Found 637 6464 12824 Process not Found 650 11228 13248 Process not Found 676 11328 13488 Process not Found 691 5412 13440 Process not Found 688 12304 13804 Process not Found 710 7900 14484 Process not Found 757 11136 14808 Process not Found 777 13164 14792 Process not Found 776 3508 15212 Process not Found 801 14368 16248 Process not Found 865 13740 16464 Process not Found 880 8124 16560 Process not Found 886 9768 16744 Process not Found 897 8368 17308 Process not Found 931 5784 17340 Process not Found 933 10236 17404 Process not Found 937 15476 17532 Process not Found 946 15904 17888 Process not Found 968 14872 17988 Process not Found 974 15004 18052 Process not Found 978 9584 18308 Process not Found 994 13528 18496 Process not Found 1006 6956 18692 Process not Found 1018 10884 18724 Process not Found 1020 13364 19124 Process not Found 1045 16360 19588 Process not Found 1074 10252 19796 Process not Found 1087 22796 19472 Process not Found 1067 16668 20004 Process not Found 1100 16956 20232 Process not Found 1114 17016 20360 Process not Found 1122 15136 20648 Process not Found 1140 17996 20860 Process not Found 1153 18204 21180 Process not Found 1173 17660 21132 Process not Found 1170 12720 21420 Process not Found 1188 15868 21660 Process not Found 1203 18844 21980 Process not Found 1223 10076 22012 Process not Found 1225 18436 22192 Process not Found 1236 7520 22176 Process not Found 1235 19360 22464 Process not Found 1253 -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language PurpleMood.scr Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language PurpleMood.scr Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language PurpleMood.scr Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language PurpleMood.scr Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language PurpleMood.scr Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language PurpleMood.scr Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language PurpleMood.scr Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language PurpleMood.scr Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language PurpleMood.scr Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language PurpleMood.scr Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language PurpleMood.scr Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language PurpleMood.scr Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language PurpleMood.scr Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language PurpleMood.scr Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language PurpleMood.scr Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language PurpleMood.scr Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language PurpleMood.scr Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language PurpleMood.scr Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language PurpleMood.scr Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language PurpleMood.scr Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language PurpleMood.scr Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language PurpleMood.scr Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language PurpleMood.scr Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language PurpleMood.scr Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language PurpleMood.scr Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language PurpleMood.scr Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language PurpleMood.scr Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language PurpleMood.scr Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language PurpleMood.scr Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language PurpleMood.scr Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language PurpleMood.scr Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language PurpleMood.scr Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language PurpleMood.scr Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language PurpleMood.scr Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language PurpleMood.scr Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language PurpleMood.scr Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language PurpleMood.scr Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language PurpleMood.scr Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language PurpleMood.scr Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language PurpleMood.scr Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language PurpleMood.scr Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language PurpleMood.scr Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language PurpleMood.scr Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language PurpleMood.scr Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language PurpleMood.scr Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language PurpleMood.scr Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language PurpleMood.scr Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language PurpleMood.scr Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language PurpleMood.scr Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language PurpleMood.scr Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language PurpleMood.scr Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language PurpleMood.scr Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language PurpleMood.scr Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language PurpleMood.scr Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language PurpleMood.scr Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language PurpleMood.scr Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language PurpleMood.scr Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language PurpleMood.scr -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 3280 wrote to memory of 1440 3280 49e0fff28913bfe59cb84adab4044a20N.exe 84 PID 3280 wrote to memory of 1440 3280 49e0fff28913bfe59cb84adab4044a20N.exe 84 PID 3280 wrote to memory of 1440 3280 49e0fff28913bfe59cb84adab4044a20N.exe 84 PID 1440 wrote to memory of 4948 1440 PurpleMood.scr 85 PID 1440 wrote to memory of 4948 1440 PurpleMood.scr 85 PID 1440 wrote to memory of 4948 1440 PurpleMood.scr 85 PID 4948 wrote to memory of 4268 4948 PurpleMood.scr 86 PID 4948 wrote to memory of 4268 4948 PurpleMood.scr 86 PID 4948 wrote to memory of 4268 4948 PurpleMood.scr 86 PID 4268 wrote to memory of 2908 4268 PurpleMood.scr 87 PID 4268 wrote to memory of 2908 4268 PurpleMood.scr 87 PID 4268 wrote to memory of 2908 4268 PurpleMood.scr 87 PID 2908 wrote to memory of 3040 2908 PurpleMood.scr 88 PID 2908 wrote to memory of 3040 2908 PurpleMood.scr 88 PID 2908 wrote to memory of 3040 2908 PurpleMood.scr 88 PID 3040 wrote to memory of 3616 3040 PurpleMood.scr 89 PID 3040 wrote to memory of 3616 3040 PurpleMood.scr 89 PID 3040 wrote to memory of 3616 3040 PurpleMood.scr 89 PID 3616 wrote to memory of 3560 3616 PurpleMood.scr 90 PID 3616 wrote to memory of 3560 3616 PurpleMood.scr 90 PID 3616 wrote to memory of 3560 3616 PurpleMood.scr 90 PID 3560 wrote to memory of 4412 3560 PurpleMood.scr 91 PID 3560 wrote to memory of 4412 3560 PurpleMood.scr 91 PID 3560 wrote to memory of 4412 3560 PurpleMood.scr 91 PID 4412 wrote to memory of 2652 4412 PurpleMood.scr 92 PID 4412 wrote to memory of 2652 4412 PurpleMood.scr 92 PID 4412 wrote to memory of 2652 4412 PurpleMood.scr 92 PID 2652 wrote to memory of 3144 2652 PurpleMood.scr 93 PID 2652 wrote to memory of 3144 2652 PurpleMood.scr 93 PID 2652 wrote to memory of 3144 2652 PurpleMood.scr 93 PID 3144 wrote to memory of 3712 3144 PurpleMood.scr 94 PID 3144 wrote to memory of 3712 3144 PurpleMood.scr 94 PID 3144 wrote to memory of 3712 3144 PurpleMood.scr 94 PID 3712 wrote to memory of 2332 3712 PurpleMood.scr 95 PID 3712 wrote to memory of 2332 3712 PurpleMood.scr 95 PID 3712 wrote to memory of 2332 3712 PurpleMood.scr 95 PID 2332 wrote to memory of 4208 2332 PurpleMood.scr 96 PID 2332 wrote to memory of 4208 2332 PurpleMood.scr 96 PID 2332 wrote to memory of 4208 2332 PurpleMood.scr 96 PID 4208 wrote to memory of 548 4208 PurpleMood.scr 97 PID 4208 wrote to memory of 548 4208 PurpleMood.scr 97 PID 4208 wrote to memory of 548 4208 PurpleMood.scr 97 PID 548 wrote to memory of 5096 548 PurpleMood.scr 98 PID 548 wrote to memory of 5096 548 PurpleMood.scr 98 PID 548 wrote to memory of 5096 548 PurpleMood.scr 98 PID 5096 wrote to memory of 3240 5096 PurpleMood.scr 99 PID 5096 wrote to memory of 3240 5096 PurpleMood.scr 99 PID 5096 wrote to memory of 3240 5096 PurpleMood.scr 99 PID 3240 wrote to memory of 800 3240 PurpleMood.scr 100 PID 3240 wrote to memory of 800 3240 PurpleMood.scr 100 PID 3240 wrote to memory of 800 3240 PurpleMood.scr 100 PID 800 wrote to memory of 1508 800 PurpleMood.scr 101 PID 800 wrote to memory of 1508 800 PurpleMood.scr 101 PID 800 wrote to memory of 1508 800 PurpleMood.scr 101 PID 1508 wrote to memory of 3368 1508 PurpleMood.scr 102 PID 1508 wrote to memory of 3368 1508 PurpleMood.scr 102 PID 1508 wrote to memory of 3368 1508 PurpleMood.scr 102 PID 3368 wrote to memory of 2428 3368 PurpleMood.scr 103 PID 3368 wrote to memory of 2428 3368 PurpleMood.scr 103 PID 3368 wrote to memory of 2428 3368 PurpleMood.scr 103 PID 2428 wrote to memory of 4628 2428 PurpleMood.scr 104 PID 2428 wrote to memory of 4628 2428 PurpleMood.scr 104 PID 2428 wrote to memory of 4628 2428 PurpleMood.scr 104 PID 4628 wrote to memory of 964 4628 PurpleMood.scr 105
Processes
-
C:\Users\Admin\AppData\Local\Temp\49e0fff28913bfe59cb84adab4044a20N.exe"C:\Users\Admin\AppData\Local\Temp\49e0fff28913bfe59cb84adab4044a20N.exe"1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:3280 -
C:\Windows\SysWOW64\PurpleMood.scrC:\Windows\system32\PurpleMood.scr2⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1440 -
C:\Windows\SysWOW64\PurpleMood.scrC:\Windows\system32\PurpleMood.scr3⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:4948 -
C:\Windows\SysWOW64\PurpleMood.scrC:\Windows\system32\PurpleMood.scr4⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:4268 -
C:\Windows\SysWOW64\PurpleMood.scrC:\Windows\system32\PurpleMood.scr5⤵
- Executes dropped EXE
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2908 -
C:\Windows\SysWOW64\PurpleMood.scrC:\Windows\system32\PurpleMood.scr6⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:3040 -
C:\Windows\SysWOW64\PurpleMood.scrC:\Windows\system32\PurpleMood.scr7⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:3616 -
C:\Windows\SysWOW64\PurpleMood.scrC:\Windows\system32\PurpleMood.scr8⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:3560 -
C:\Windows\SysWOW64\PurpleMood.scrC:\Windows\system32\PurpleMood.scr9⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:4412 -
C:\Windows\SysWOW64\PurpleMood.scrC:\Windows\system32\PurpleMood.scr10⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:2652 -
C:\Windows\SysWOW64\PurpleMood.scrC:\Windows\system32\PurpleMood.scr11⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:3144 -
C:\Windows\SysWOW64\PurpleMood.scrC:\Windows\system32\PurpleMood.scr12⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:3712 -
C:\Windows\SysWOW64\PurpleMood.scrC:\Windows\system32\PurpleMood.scr13⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:2332 -
C:\Windows\SysWOW64\PurpleMood.scrC:\Windows\system32\PurpleMood.scr14⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:4208 -
C:\Windows\SysWOW64\PurpleMood.scrC:\Windows\system32\PurpleMood.scr15⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:548 -
C:\Windows\SysWOW64\PurpleMood.scrC:\Windows\system32\PurpleMood.scr16⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:5096 -
C:\Windows\SysWOW64\PurpleMood.scrC:\Windows\system32\PurpleMood.scr17⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:3240 -
C:\Windows\SysWOW64\PurpleMood.scrC:\Windows\system32\PurpleMood.scr18⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:800 -
C:\Windows\SysWOW64\PurpleMood.scrC:\Windows\system32\PurpleMood.scr19⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1508 -
C:\Windows\SysWOW64\PurpleMood.scrC:\Windows\system32\PurpleMood.scr20⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:3368 -
C:\Windows\SysWOW64\PurpleMood.scrC:\Windows\system32\PurpleMood.scr21⤵
- Executes dropped EXE
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2428 -
C:\Windows\SysWOW64\PurpleMood.scrC:\Windows\system32\PurpleMood.scr22⤵
- Executes dropped EXE
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4628 -
C:\Windows\SysWOW64\PurpleMood.scrC:\Windows\system32\PurpleMood.scr23⤵
- Executes dropped EXE
- Adds Run key to start application
PID:964 -
C:\Windows\SysWOW64\PurpleMood.scrC:\Windows\system32\PurpleMood.scr24⤵
- Executes dropped EXE
PID:1772 -
C:\Windows\SysWOW64\PurpleMood.scrC:\Windows\system32\PurpleMood.scr25⤵
- Executes dropped EXE
PID:2692 -
C:\Windows\SysWOW64\PurpleMood.scrC:\Windows\system32\PurpleMood.scr26⤵
- Executes dropped EXE
- Adds Run key to start application
PID:1544 -
C:\Windows\SysWOW64\PurpleMood.scrC:\Windows\system32\PurpleMood.scr27⤵
- Executes dropped EXE
PID:1968 -
C:\Windows\SysWOW64\PurpleMood.scrC:\Windows\system32\PurpleMood.scr28⤵
- Executes dropped EXE
PID:2644 -
C:\Windows\SysWOW64\PurpleMood.scrC:\Windows\system32\PurpleMood.scr29⤵
- Executes dropped EXE
PID:3520 -
C:\Windows\SysWOW64\PurpleMood.scrC:\Windows\system32\PurpleMood.scr30⤵
- Executes dropped EXE
PID:2320 -
C:\Windows\SysWOW64\PurpleMood.scrC:\Windows\system32\PurpleMood.scr31⤵
- Executes dropped EXE
PID:3808 -
C:\Windows\SysWOW64\PurpleMood.scrC:\Windows\system32\PurpleMood.scr32⤵
- Executes dropped EXE
PID:3284 -
C:\Windows\SysWOW64\PurpleMood.scrC:\Windows\system32\PurpleMood.scr33⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:3736 -
C:\Windows\SysWOW64\PurpleMood.scrC:\Windows\system32\PurpleMood.scr34⤵
- Executes dropped EXE
PID:2604 -
C:\Windows\SysWOW64\PurpleMood.scrC:\Windows\system32\PurpleMood.scr35⤵
- Executes dropped EXE
PID:1624 -
C:\Windows\SysWOW64\PurpleMood.scrC:\Windows\system32\PurpleMood.scr36⤵
- Executes dropped EXE
PID:3048 -
C:\Windows\SysWOW64\PurpleMood.scrC:\Windows\system32\PurpleMood.scr37⤵
- Executes dropped EXE
PID:2244 -
C:\Windows\SysWOW64\PurpleMood.scrC:\Windows\system32\PurpleMood.scr38⤵
- Executes dropped EXE
PID:736 -
C:\Windows\SysWOW64\PurpleMood.scrC:\Windows\system32\PurpleMood.scr39⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2568 -
C:\Windows\SysWOW64\PurpleMood.scrC:\Windows\system32\PurpleMood.scr40⤵
- Executes dropped EXE
PID:4692 -
C:\Windows\SysWOW64\PurpleMood.scrC:\Windows\system32\PurpleMood.scr41⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2396 -
C:\Windows\SysWOW64\PurpleMood.scrC:\Windows\system32\PurpleMood.scr42⤵
- Executes dropped EXE
PID:2400 -
C:\Windows\SysWOW64\PurpleMood.scrC:\Windows\system32\PurpleMood.scr43⤵
- Executes dropped EXE
PID:3584 -
C:\Windows\SysWOW64\PurpleMood.scrC:\Windows\system32\PurpleMood.scr44⤵
- Executes dropped EXE
PID:4196 -
C:\Windows\SysWOW64\PurpleMood.scrC:\Windows\system32\PurpleMood.scr45⤵
- Executes dropped EXE
PID:1048 -
C:\Windows\SysWOW64\PurpleMood.scrC:\Windows\system32\PurpleMood.scr46⤵
- Executes dropped EXE
PID:2356 -
C:\Windows\SysWOW64\PurpleMood.scrC:\Windows\system32\PurpleMood.scr47⤵
- Executes dropped EXE
PID:1648 -
C:\Windows\SysWOW64\PurpleMood.scrC:\Windows\system32\PurpleMood.scr48⤵
- Executes dropped EXE
PID:1044 -
C:\Windows\SysWOW64\PurpleMood.scrC:\Windows\system32\PurpleMood.scr49⤵
- Executes dropped EXE
PID:1088 -
C:\Windows\SysWOW64\PurpleMood.scrC:\Windows\system32\PurpleMood.scr50⤵
- Executes dropped EXE
PID:2148 -
C:\Windows\SysWOW64\PurpleMood.scrC:\Windows\system32\PurpleMood.scr51⤵
- Executes dropped EXE
PID:2304 -
C:\Windows\SysWOW64\PurpleMood.scrC:\Windows\system32\PurpleMood.scr52⤵
- Executes dropped EXE
PID:1748 -
C:\Windows\SysWOW64\PurpleMood.scrC:\Windows\system32\PurpleMood.scr53⤵
- Executes dropped EXE
PID:3572 -
C:\Windows\SysWOW64\PurpleMood.scrC:\Windows\system32\PurpleMood.scr54⤵
- Executes dropped EXE
PID:4496 -
C:\Windows\SysWOW64\PurpleMood.scrC:\Windows\system32\PurpleMood.scr55⤵
- Executes dropped EXE
PID:4456 -
C:\Windows\SysWOW64\PurpleMood.scrC:\Windows\system32\PurpleMood.scr56⤵
- Executes dropped EXE
PID:4304 -
C:\Windows\SysWOW64\PurpleMood.scrC:\Windows\system32\PurpleMood.scr57⤵
- Executes dropped EXE
PID:1068 -
C:\Windows\SysWOW64\PurpleMood.scrC:\Windows\system32\PurpleMood.scr58⤵
- Executes dropped EXE
PID:4448 -
C:\Windows\SysWOW64\PurpleMood.scrC:\Windows\system32\PurpleMood.scr59⤵
- Executes dropped EXE
PID:1028 -
C:\Windows\SysWOW64\PurpleMood.scrC:\Windows\system32\PurpleMood.scr60⤵
- Executes dropped EXE
PID:1016 -
C:\Windows\SysWOW64\PurpleMood.scrC:\Windows\system32\PurpleMood.scr61⤵
- Executes dropped EXE
PID:720 -
C:\Windows\SysWOW64\PurpleMood.scrC:\Windows\system32\PurpleMood.scr62⤵
- Executes dropped EXE
PID:2760 -
C:\Windows\SysWOW64\PurpleMood.scrC:\Windows\system32\PurpleMood.scr63⤵
- Executes dropped EXE
PID:4156 -
C:\Windows\SysWOW64\PurpleMood.scrC:\Windows\system32\PurpleMood.scr64⤵
- Executes dropped EXE
PID:4256 -
C:\Windows\SysWOW64\PurpleMood.scrC:\Windows\system32\PurpleMood.scr65⤵
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:4324 -
C:\Windows\SysWOW64\PurpleMood.scrC:\Windows\system32\PurpleMood.scr66⤵PID:4492
-
C:\Windows\SysWOW64\PurpleMood.scrC:\Windows\system32\PurpleMood.scr67⤵PID:1572
-
C:\Windows\SysWOW64\PurpleMood.scrC:\Windows\system32\PurpleMood.scr68⤵PID:2632
-
C:\Windows\SysWOW64\PurpleMood.scrC:\Windows\system32\PurpleMood.scr69⤵PID:3784
-
C:\Windows\SysWOW64\PurpleMood.scrC:\Windows\system32\PurpleMood.scr70⤵
- System Location Discovery: System Language Discovery
PID:1376 -
C:\Windows\SysWOW64\PurpleMood.scrC:\Windows\system32\PurpleMood.scr71⤵PID:4024
-
C:\Windows\SysWOW64\PurpleMood.scrC:\Windows\system32\PurpleMood.scr72⤵PID:4648
-
C:\Windows\SysWOW64\PurpleMood.scrC:\Windows\system32\PurpleMood.scr73⤵PID:1436
-
C:\Windows\SysWOW64\PurpleMood.scrC:\Windows\system32\PurpleMood.scr74⤵PID:1056
-
C:\Windows\SysWOW64\PurpleMood.scrC:\Windows\system32\PurpleMood.scr75⤵
- Drops file in System32 directory
PID:1372 -
C:\Windows\SysWOW64\PurpleMood.scrC:\Windows\system32\PurpleMood.scr76⤵PID:4272
-
C:\Windows\SysWOW64\PurpleMood.scrC:\Windows\system32\PurpleMood.scr77⤵PID:4984
-
C:\Windows\SysWOW64\PurpleMood.scrC:\Windows\system32\PurpleMood.scr78⤵PID:4916
-
C:\Windows\SysWOW64\PurpleMood.scrC:\Windows\system32\PurpleMood.scr79⤵
- Drops file in System32 directory
PID:4060 -
C:\Windows\SysWOW64\PurpleMood.scrC:\Windows\system32\PurpleMood.scr80⤵PID:4696
-
C:\Windows\SysWOW64\PurpleMood.scrC:\Windows\system32\PurpleMood.scr81⤵
- Drops file in System32 directory
PID:3920 -
C:\Windows\SysWOW64\PurpleMood.scrC:\Windows\system32\PurpleMood.scr82⤵PID:4764
-
C:\Windows\SysWOW64\PurpleMood.scrC:\Windows\system32\PurpleMood.scr83⤵PID:2836
-
C:\Windows\SysWOW64\PurpleMood.scrC:\Windows\system32\PurpleMood.scr84⤵PID:5116
-
C:\Windows\SysWOW64\PurpleMood.scrC:\Windows\system32\PurpleMood.scr85⤵PID:5080
-
C:\Windows\SysWOW64\PurpleMood.scrC:\Windows\system32\PurpleMood.scr86⤵PID:4548
-
C:\Windows\SysWOW64\PurpleMood.scrC:\Windows\system32\PurpleMood.scr87⤵
- Drops file in System32 directory
PID:2188 -
C:\Windows\SysWOW64\PurpleMood.scrC:\Windows\system32\PurpleMood.scr88⤵PID:4380
-
C:\Windows\SysWOW64\PurpleMood.scrC:\Windows\system32\PurpleMood.scr89⤵PID:4408
-
C:\Windows\SysWOW64\PurpleMood.scrC:\Windows\system32\PurpleMood.scr90⤵PID:3944
-
C:\Windows\SysWOW64\PurpleMood.scrC:\Windows\system32\PurpleMood.scr91⤵PID:3952
-
C:\Windows\SysWOW64\PurpleMood.scrC:\Windows\system32\PurpleMood.scr92⤵PID:3112
-
C:\Windows\SysWOW64\PurpleMood.scrC:\Windows\system32\PurpleMood.scr93⤵PID:4420
-
C:\Windows\SysWOW64\PurpleMood.scrC:\Windows\system32\PurpleMood.scr94⤵
- Drops file in System32 directory
PID:4896 -
C:\Windows\SysWOW64\PurpleMood.scrC:\Windows\system32\PurpleMood.scr95⤵PID:2064
-
C:\Windows\SysWOW64\PurpleMood.scrC:\Windows\system32\PurpleMood.scr96⤵PID:4740
-
C:\Windows\SysWOW64\PurpleMood.scrC:\Windows\system32\PurpleMood.scr97⤵PID:3124
-
C:\Windows\SysWOW64\PurpleMood.scrC:\Windows\system32\PurpleMood.scr98⤵PID:4424
-
C:\Windows\SysWOW64\PurpleMood.scrC:\Windows\system32\PurpleMood.scr99⤵PID:4468
-
C:\Windows\SysWOW64\PurpleMood.scrC:\Windows\system32\PurpleMood.scr100⤵PID:1724
-
C:\Windows\SysWOW64\PurpleMood.scrC:\Windows\system32\PurpleMood.scr101⤵PID:1640
-
C:\Windows\SysWOW64\PurpleMood.scrC:\Windows\system32\PurpleMood.scr102⤵PID:2104
-
C:\Windows\SysWOW64\PurpleMood.scrC:\Windows\system32\PurpleMood.scr103⤵PID:4828
-
C:\Windows\SysWOW64\PurpleMood.scrC:\Windows\system32\PurpleMood.scr104⤵PID:5128
-
C:\Windows\SysWOW64\PurpleMood.scrC:\Windows\system32\PurpleMood.scr105⤵PID:5148
-
C:\Windows\SysWOW64\PurpleMood.scrC:\Windows\system32\PurpleMood.scr106⤵
- Drops file in System32 directory
PID:5172 -
C:\Windows\SysWOW64\PurpleMood.scrC:\Windows\system32\PurpleMood.scr107⤵PID:5192
-
C:\Windows\SysWOW64\PurpleMood.scrC:\Windows\system32\PurpleMood.scr108⤵PID:5212
-
C:\Windows\SysWOW64\PurpleMood.scrC:\Windows\system32\PurpleMood.scr109⤵PID:5236
-
C:\Windows\SysWOW64\PurpleMood.scrC:\Windows\system32\PurpleMood.scr110⤵PID:5252
-
C:\Windows\SysWOW64\PurpleMood.scrC:\Windows\system32\PurpleMood.scr111⤵PID:5280
-
C:\Windows\SysWOW64\PurpleMood.scrC:\Windows\system32\PurpleMood.scr112⤵PID:5300
-
C:\Windows\SysWOW64\PurpleMood.scrC:\Windows\system32\PurpleMood.scr113⤵PID:5324
-
C:\Windows\SysWOW64\PurpleMood.scrC:\Windows\system32\PurpleMood.scr114⤵PID:5344
-
C:\Windows\SysWOW64\PurpleMood.scrC:\Windows\system32\PurpleMood.scr115⤵PID:5364
-
C:\Windows\SysWOW64\PurpleMood.scrC:\Windows\system32\PurpleMood.scr116⤵PID:5376
-
C:\Windows\SysWOW64\PurpleMood.scrC:\Windows\system32\PurpleMood.scr117⤵PID:5404
-
C:\Windows\SysWOW64\PurpleMood.scrC:\Windows\system32\PurpleMood.scr118⤵PID:5432
-
C:\Windows\SysWOW64\PurpleMood.scrC:\Windows\system32\PurpleMood.scr119⤵PID:5448
-
C:\Windows\SysWOW64\PurpleMood.scrC:\Windows\system32\PurpleMood.scr120⤵PID:5468
-
C:\Windows\SysWOW64\PurpleMood.scrC:\Windows\system32\PurpleMood.scr121⤵
- System Location Discovery: System Language Discovery
PID:5488
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-