Analysis
-
max time kernel
150s -
max time network
133s -
platform
windows7_x64 -
resource
win7-20231023-en -
resource tags
arch:x64arch:x86image:win7-20231023-enlocale:en-usos:windows7-x64system -
submitted
07-11-2023 04:52
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
NEAS.c2ec529699a3647053fbf1c22cdd02c0.exe
Resource
win7-20231023-en
windows7-x64
6 signatures
150 seconds
Behavioral task
behavioral2
Sample
NEAS.c2ec529699a3647053fbf1c22cdd02c0.exe
Resource
win10v2004-20231023-en
windows10-2004-x64
5 signatures
150 seconds
General
-
Target
NEAS.c2ec529699a3647053fbf1c22cdd02c0.exe
-
Size
7KB
-
MD5
c2ec529699a3647053fbf1c22cdd02c0
-
SHA1
d200353ee1a71d27efcbb6e4e7ec7ddf9caddf21
-
SHA256
41bd82836ecd403fa0c8961d04531112d44e233d355c34d3055fd4db7ffe6383
-
SHA512
b404fd031619f212cf17831dd140b6d4b663089213ec5054a64b6be2be21c0e74558e8e35bf2f3487401824f279e135f3bc06333c248028047beb33a6ba34888
-
SSDEEP
96:G9S32tdsBxSr+IW5g8I1eG6PVqa1JIwqdZM93/:G9HdsXSW5g9eG2zJIwiZMN/
Score
7/10
Malware Config
Signatures
-
Executes dropped EXE 64 IoCs
pid Process 2280 PurpleMood.scr 2740 PurpleMood.scr 2844 PurpleMood.scr 2632 PurpleMood.scr 2380 PurpleMood.scr 2820 PurpleMood.scr 2552 PurpleMood.scr 1720 PurpleMood.scr 2696 PurpleMood.scr 2828 PurpleMood.scr 2544 PurpleMood.scr 2604 PurpleMood.scr 1064 PurpleMood.scr 2456 PurpleMood.scr 1692 PurpleMood.scr 592 PurpleMood.scr 336 PurpleMood.scr 2940 PurpleMood.scr 2936 PurpleMood.scr 2976 PurpleMood.scr 1696 PurpleMood.scr 2808 PurpleMood.scr 2756 PurpleMood.scr 1964 PurpleMood.scr 1772 PurpleMood.scr 2788 PurpleMood.scr 648 PurpleMood.scr 2876 PurpleMood.scr 2860 PurpleMood.scr 2916 PurpleMood.scr 1764 PurpleMood.scr 1752 PurpleMood.scr 1092 PurpleMood.scr 2452 PurpleMood.scr 1848 PurpleMood.scr 1516 PurpleMood.scr 1492 PurpleMood.scr 1412 PurpleMood.scr 2624 PurpleMood.scr 2304 PurpleMood.scr 1388 PurpleMood.scr 2336 PurpleMood.scr 2628 PurpleMood.scr 1268 PurpleMood.scr 3008 PurpleMood.scr 3024 PurpleMood.scr 1724 PurpleMood.scr 2288 PurpleMood.scr 3020 PurpleMood.scr 3064 PurpleMood.scr 1888 PurpleMood.scr 1512 PurpleMood.scr 2008 PurpleMood.scr 2464 PurpleMood.scr 1380 PurpleMood.scr 400 PurpleMood.scr 1264 PurpleMood.scr 2092 PurpleMood.scr 2416 PurpleMood.scr 1808 PurpleMood.scr 1952 PurpleMood.scr 1636 PurpleMood.scr 1800 PurpleMood.scr 2168 PurpleMood.scr -
Loads dropped DLL 64 IoCs
pid Process 2712 NEAS.c2ec529699a3647053fbf1c22cdd02c0.exe 2712 NEAS.c2ec529699a3647053fbf1c22cdd02c0.exe 2280 PurpleMood.scr 2280 PurpleMood.scr 2740 PurpleMood.scr 2740 PurpleMood.scr 2844 PurpleMood.scr 2844 PurpleMood.scr 2632 PurpleMood.scr 2632 PurpleMood.scr 2380 PurpleMood.scr 2380 PurpleMood.scr 2820 PurpleMood.scr 2820 PurpleMood.scr 2552 PurpleMood.scr 2552 PurpleMood.scr 1720 PurpleMood.scr 1720 PurpleMood.scr 2696 PurpleMood.scr 2696 PurpleMood.scr 2828 PurpleMood.scr 2828 PurpleMood.scr 2544 PurpleMood.scr 2544 PurpleMood.scr 2604 PurpleMood.scr 2604 PurpleMood.scr 1064 PurpleMood.scr 1064 PurpleMood.scr 2456 PurpleMood.scr 2456 PurpleMood.scr 1692 PurpleMood.scr 1692 PurpleMood.scr 592 PurpleMood.scr 592 PurpleMood.scr 336 PurpleMood.scr 336 PurpleMood.scr 2940 PurpleMood.scr 2940 PurpleMood.scr 2936 PurpleMood.scr 2936 PurpleMood.scr 2976 PurpleMood.scr 2976 PurpleMood.scr 1696 PurpleMood.scr 1696 PurpleMood.scr 2808 PurpleMood.scr 2808 PurpleMood.scr 2756 PurpleMood.scr 2756 PurpleMood.scr 1964 PurpleMood.scr 1964 PurpleMood.scr 1772 PurpleMood.scr 1772 PurpleMood.scr 2788 PurpleMood.scr 2788 PurpleMood.scr 648 PurpleMood.scr 648 PurpleMood.scr 2876 PurpleMood.scr 2876 PurpleMood.scr 2860 PurpleMood.scr 2860 PurpleMood.scr 2916 PurpleMood.scr 2916 PurpleMood.scr 1764 PurpleMood.scr 1764 PurpleMood.scr -
Adds Run key to start application 2 TTPs 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\PurpleMood = "C:\\Windows\\system32\\PurpleMood.scr" PurpleMood.scr Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\PurpleMood = "C:\\Windows\\system32\\PurpleMood.scr" PurpleMood.scr Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\PurpleMood = "C:\\Windows\\system32\\PurpleMood.scr" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\PurpleMood = "C:\\Windows\\system32\\PurpleMood.scr" PurpleMood.scr Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\PurpleMood = "C:\\Windows\\system32\\PurpleMood.scr" PurpleMood.scr Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\PurpleMood = "C:\\Windows\\system32\\PurpleMood.scr" PurpleMood.scr Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\PurpleMood = "C:\\Windows\\system32\\PurpleMood.scr" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\PurpleMood = "C:\\Windows\\system32\\PurpleMood.scr" PurpleMood.scr Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\PurpleMood = "C:\\Windows\\system32\\PurpleMood.scr" PurpleMood.scr Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\PurpleMood = "C:\\Windows\\system32\\PurpleMood.scr" PurpleMood.scr Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\PurpleMood = "C:\\Windows\\system32\\PurpleMood.scr" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\PurpleMood = "C:\\Windows\\system32\\PurpleMood.scr" PurpleMood.scr Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\PurpleMood = "C:\\Windows\\system32\\PurpleMood.scr" PurpleMood.scr Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\PurpleMood = "C:\\Windows\\system32\\PurpleMood.scr" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\PurpleMood = "C:\\Windows\\system32\\PurpleMood.scr" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\PurpleMood = "C:\\Windows\\system32\\PurpleMood.scr" PurpleMood.scr Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\PurpleMood = "C:\\Windows\\system32\\PurpleMood.scr" PurpleMood.scr Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\PurpleMood = "C:\\Windows\\system32\\PurpleMood.scr" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\PurpleMood = "C:\\Windows\\system32\\PurpleMood.scr" PurpleMood.scr Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\PurpleMood = "C:\\Windows\\system32\\PurpleMood.scr" PurpleMood.scr Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\PurpleMood = "C:\\Windows\\system32\\PurpleMood.scr" PurpleMood.scr Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\PurpleMood = "C:\\Windows\\system32\\PurpleMood.scr" PurpleMood.scr Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\PurpleMood = "C:\\Windows\\system32\\PurpleMood.scr" PurpleMood.scr Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\PurpleMood = "C:\\Windows\\system32\\PurpleMood.scr" PurpleMood.scr Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\PurpleMood = "C:\\Windows\\system32\\PurpleMood.scr" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\PurpleMood = "C:\\Windows\\system32\\PurpleMood.scr" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\PurpleMood = "C:\\Windows\\system32\\PurpleMood.scr" PurpleMood.scr Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\PurpleMood = "C:\\Windows\\system32\\PurpleMood.scr" PurpleMood.scr Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\PurpleMood = "C:\\Windows\\system32\\PurpleMood.scr" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\PurpleMood = "C:\\Windows\\system32\\PurpleMood.scr" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\PurpleMood = "C:\\Windows\\system32\\PurpleMood.scr" PurpleMood.scr Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\PurpleMood = "C:\\Windows\\system32\\PurpleMood.scr" PurpleMood.scr Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\PurpleMood = "C:\\Windows\\system32\\PurpleMood.scr" PurpleMood.scr Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\PurpleMood = "C:\\Windows\\system32\\PurpleMood.scr" PurpleMood.scr Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\PurpleMood = "C:\\Windows\\system32\\PurpleMood.scr" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\PurpleMood = "C:\\Windows\\system32\\PurpleMood.scr" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\PurpleMood = "C:\\Windows\\system32\\PurpleMood.scr" PurpleMood.scr Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\PurpleMood = "C:\\Windows\\system32\\PurpleMood.scr" PurpleMood.scr Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\PurpleMood = "C:\\Windows\\system32\\PurpleMood.scr" PurpleMood.scr Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\PurpleMood = "C:\\Windows\\system32\\PurpleMood.scr" PurpleMood.scr Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\PurpleMood = "C:\\Windows\\system32\\PurpleMood.scr" PurpleMood.scr Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\PurpleMood = "C:\\Windows\\system32\\PurpleMood.scr" PurpleMood.scr Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\PurpleMood = "C:\\Windows\\system32\\PurpleMood.scr" PurpleMood.scr Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\PurpleMood = "C:\\Windows\\system32\\PurpleMood.scr" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\PurpleMood = "C:\\Windows\\system32\\PurpleMood.scr" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\PurpleMood = "C:\\Windows\\system32\\PurpleMood.scr" PurpleMood.scr Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\PurpleMood = "C:\\Windows\\system32\\PurpleMood.scr" PurpleMood.scr Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\PurpleMood = "C:\\Windows\\system32\\PurpleMood.scr" PurpleMood.scr Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\PurpleMood = "C:\\Windows\\system32\\PurpleMood.scr" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\PurpleMood = "C:\\Windows\\system32\\PurpleMood.scr" PurpleMood.scr Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\PurpleMood = "C:\\Windows\\system32\\PurpleMood.scr" PurpleMood.scr Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\PurpleMood = "C:\\Windows\\system32\\PurpleMood.scr" PurpleMood.scr Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\PurpleMood = "C:\\Windows\\system32\\PurpleMood.scr" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\PurpleMood = "C:\\Windows\\system32\\PurpleMood.scr" PurpleMood.scr Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\PurpleMood = "C:\\Windows\\system32\\PurpleMood.scr" PurpleMood.scr Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\PurpleMood = "C:\\Windows\\system32\\PurpleMood.scr" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\PurpleMood = "C:\\Windows\\system32\\PurpleMood.scr" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\PurpleMood = "C:\\Windows\\system32\\PurpleMood.scr" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\PurpleMood = "C:\\Windows\\system32\\PurpleMood.scr" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\PurpleMood = "C:\\Windows\\system32\\PurpleMood.scr" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\PurpleMood = "C:\\Windows\\system32\\PurpleMood.scr" PurpleMood.scr Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\PurpleMood = "C:\\Windows\\system32\\PurpleMood.scr" PurpleMood.scr Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\PurpleMood = "C:\\Windows\\system32\\PurpleMood.scr" PurpleMood.scr Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\PurpleMood = "C:\\Windows\\system32\\PurpleMood.scr" Process not Found -
Drops file in System32 directory 64 IoCs
description ioc Process File created C:\Windows\SysWOW64\PurpleMood.scr Process not Found File created C:\Windows\SysWOW64\PurpleMood.scr Process not Found File created C:\Windows\SysWOW64\PurpleMood.scr PurpleMood.scr File created C:\Windows\SysWOW64\PurpleMood.scr PurpleMood.scr File created C:\Windows\SysWOW64\PurpleMood.scr PurpleMood.scr File created C:\Windows\SysWOW64\PurpleMood.scr PurpleMood.scr File created C:\Windows\SysWOW64\PurpleMood.scr Process not Found File created C:\Windows\SysWOW64\PurpleMood.scr Process not Found File created C:\Windows\SysWOW64\PurpleMood.scr PurpleMood.scr File created C:\Windows\SysWOW64\PurpleMood.scr PurpleMood.scr File created C:\Windows\SysWOW64\PurpleMood.scr Process not Found File created C:\Windows\SysWOW64\PurpleMood.scr Process not Found File created C:\Windows\SysWOW64\PurpleMood.scr PurpleMood.scr File created C:\Windows\SysWOW64\PurpleMood.scr PurpleMood.scr File created C:\Windows\SysWOW64\PurpleMood.scr Process not Found File created C:\Windows\SysWOW64\PurpleMood.scr Process not Found File created C:\Windows\SysWOW64\PurpleMood.scr PurpleMood.scr File created C:\Windows\SysWOW64\PurpleMood.scr PurpleMood.scr File created C:\Windows\SysWOW64\PurpleMood.scr Process not Found File created C:\Windows\SysWOW64\PurpleMood.scr Process not Found File created C:\Windows\SysWOW64\PurpleMood.scr Process not Found File created C:\Windows\SysWOW64\PurpleMood.scr PurpleMood.scr File created C:\Windows\SysWOW64\PurpleMood.scr PurpleMood.scr File created C:\Windows\SysWOW64\PurpleMood.scr PurpleMood.scr File created C:\Windows\SysWOW64\PurpleMood.scr Process not Found File created C:\Windows\SysWOW64\PurpleMood.scr Process not Found File created C:\Windows\SysWOW64\PurpleMood.scr Process not Found File created C:\Windows\SysWOW64\PurpleMood.scr Process not Found File created C:\Windows\SysWOW64\PurpleMood.scr PurpleMood.scr File created C:\Windows\SysWOW64\PurpleMood.scr PurpleMood.scr File created C:\Windows\SysWOW64\PurpleMood.scr PurpleMood.scr File created C:\Windows\SysWOW64\PurpleMood.scr PurpleMood.scr File created C:\Windows\SysWOW64\PurpleMood.scr PurpleMood.scr File created C:\Windows\SysWOW64\PurpleMood.scr PurpleMood.scr File created C:\Windows\SysWOW64\PurpleMood.scr PurpleMood.scr File created C:\Windows\SysWOW64\PurpleMood.scr Process not Found File created C:\Windows\SysWOW64\PurpleMood.scr Process not Found File created C:\Windows\SysWOW64\PurpleMood.scr Process not Found File created C:\Windows\SysWOW64\PurpleMood.scr PurpleMood.scr File created C:\Windows\SysWOW64\PurpleMood.scr PurpleMood.scr File created C:\Windows\SysWOW64\PurpleMood.scr PurpleMood.scr File created C:\Windows\SysWOW64\PurpleMood.scr PurpleMood.scr File created C:\Windows\SysWOW64\PurpleMood.scr Process not Found File created C:\Windows\SysWOW64\PurpleMood.scr Process not Found File created C:\Windows\SysWOW64\PurpleMood.scr PurpleMood.scr File created C:\Windows\SysWOW64\PurpleMood.scr PurpleMood.scr File created C:\Windows\SysWOW64\PurpleMood.scr PurpleMood.scr File created C:\Windows\SysWOW64\PurpleMood.scr PurpleMood.scr File created C:\Windows\SysWOW64\PurpleMood.scr Process not Found File created C:\Windows\SysWOW64\PurpleMood.scr Process not Found File created C:\Windows\SysWOW64\PurpleMood.scr Process not Found File created C:\Windows\SysWOW64\PurpleMood.scr PurpleMood.scr File created C:\Windows\SysWOW64\PurpleMood.scr PurpleMood.scr File created C:\Windows\SysWOW64\PurpleMood.scr PurpleMood.scr File created C:\Windows\SysWOW64\PurpleMood.scr PurpleMood.scr File created C:\Windows\SysWOW64\PurpleMood.scr Process not Found File created C:\Windows\SysWOW64\PurpleMood.scr Process not Found File created C:\Windows\SysWOW64\PurpleMood.scr PurpleMood.scr File created C:\Windows\SysWOW64\PurpleMood.scr PurpleMood.scr File created C:\Windows\SysWOW64\PurpleMood.scr PurpleMood.scr File created C:\Windows\SysWOW64\PurpleMood.scr Process not Found File created C:\Windows\SysWOW64\PurpleMood.scr PurpleMood.scr File created C:\Windows\SysWOW64\PurpleMood.scr PurpleMood.scr File created C:\Windows\SysWOW64\PurpleMood.scr PurpleMood.scr -
Program crash 64 IoCs
pid pid_target Process procid_target 13208 2280 Process not Found 28 13216 2844 Process not Found 29 13232 2712 Process not Found 25 13224 2740 Process not Found 30 13264 2380 Process not Found 32 13272 2632 Process not Found 31 13280 2820 Process not Found 33 13320 1720 Process not Found 35 13304 2552 Process not Found 34 13380 2544 Process not Found 38 13372 2696 Process not Found 36 13388 2828 Process not Found 37 13436 1064 Process not Found 41 13428 2456 Process not Found 40 13404 2604 Process not Found 39 13492 1964 Process not Found 50 13552 2916 Process not Found 57 13544 2876 Process not Found 54 13528 1696 Process not Found 48 13652 1516 Process not Found 63 13644 2452 Process not Found 61 13636 2860 Process not Found 56 13628 1764 Process not Found 59 13620 648 Process not Found 55 13612 1752 Process not Found 58 13596 1772 Process not Found 52 13584 2936 Process not Found 46 13736 1848 Process not Found 62 13728 1092 Process not Found 60 13700 1412 Process not Found 65 13684 2756 Process not Found 49 13536 2788 Process not Found 53 13520 2808 Process not Found 51 13504 336 Process not Found 44 13484 2976 Process not Found 47 13476 2940 Process not Found 45 13460 592 Process not Found 43 13444 1692 Process not Found 42 13796 2336 Process not Found 69 13844 2624 Process not Found 67 13836 1388 Process not Found 68 13820 1492 Process not Found 64 13764 2304 Process not Found 66 13884 3024 Process not Found 73 13876 3020 Process not Found 76 13868 3008 Process not Found 72 13860 1268 Process not Found 71 13900 2288 Process not Found 75 13908 3064 Process not Found 77 14016 1808 Process not Found 87 13984 2092 Process not Found 85 14040 2168 Process not Found 91 14032 1636 Process not Found 89 14024 1952 Process not Found 88 13976 400 Process not Found 83 14008 2416 Process not Found 86 14000 1264 Process not Found 84 13968 2008 Process not Found 80 13960 1380 Process not Found 82 13952 1888 Process not Found 78 13944 2464 Process not Found 81 13936 1512 Process not Found 79 13924 1724 Process not Found 74 13916 2628 Process not Found 70 -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 2712 wrote to memory of 2280 2712 NEAS.c2ec529699a3647053fbf1c22cdd02c0.exe 28 PID 2712 wrote to memory of 2280 2712 NEAS.c2ec529699a3647053fbf1c22cdd02c0.exe 28 PID 2712 wrote to memory of 2280 2712 NEAS.c2ec529699a3647053fbf1c22cdd02c0.exe 28 PID 2712 wrote to memory of 2280 2712 NEAS.c2ec529699a3647053fbf1c22cdd02c0.exe 28 PID 2280 wrote to memory of 2740 2280 PurpleMood.scr 30 PID 2280 wrote to memory of 2740 2280 PurpleMood.scr 30 PID 2280 wrote to memory of 2740 2280 PurpleMood.scr 30 PID 2280 wrote to memory of 2740 2280 PurpleMood.scr 30 PID 2740 wrote to memory of 2844 2740 PurpleMood.scr 29 PID 2740 wrote to memory of 2844 2740 PurpleMood.scr 29 PID 2740 wrote to memory of 2844 2740 PurpleMood.scr 29 PID 2740 wrote to memory of 2844 2740 PurpleMood.scr 29 PID 2844 wrote to memory of 2632 2844 PurpleMood.scr 31 PID 2844 wrote to memory of 2632 2844 PurpleMood.scr 31 PID 2844 wrote to memory of 2632 2844 PurpleMood.scr 31 PID 2844 wrote to memory of 2632 2844 PurpleMood.scr 31 PID 2632 wrote to memory of 2380 2632 PurpleMood.scr 32 PID 2632 wrote to memory of 2380 2632 PurpleMood.scr 32 PID 2632 wrote to memory of 2380 2632 PurpleMood.scr 32 PID 2632 wrote to memory of 2380 2632 PurpleMood.scr 32 PID 2380 wrote to memory of 2820 2380 PurpleMood.scr 33 PID 2380 wrote to memory of 2820 2380 PurpleMood.scr 33 PID 2380 wrote to memory of 2820 2380 PurpleMood.scr 33 PID 2380 wrote to memory of 2820 2380 PurpleMood.scr 33 PID 2820 wrote to memory of 2552 2820 PurpleMood.scr 34 PID 2820 wrote to memory of 2552 2820 PurpleMood.scr 34 PID 2820 wrote to memory of 2552 2820 PurpleMood.scr 34 PID 2820 wrote to memory of 2552 2820 PurpleMood.scr 34 PID 2552 wrote to memory of 1720 2552 PurpleMood.scr 35 PID 2552 wrote to memory of 1720 2552 PurpleMood.scr 35 PID 2552 wrote to memory of 1720 2552 PurpleMood.scr 35 PID 2552 wrote to memory of 1720 2552 PurpleMood.scr 35 PID 1720 wrote to memory of 2696 1720 PurpleMood.scr 36 PID 1720 wrote to memory of 2696 1720 PurpleMood.scr 36 PID 1720 wrote to memory of 2696 1720 PurpleMood.scr 36 PID 1720 wrote to memory of 2696 1720 PurpleMood.scr 36 PID 2696 wrote to memory of 2828 2696 PurpleMood.scr 37 PID 2696 wrote to memory of 2828 2696 PurpleMood.scr 37 PID 2696 wrote to memory of 2828 2696 PurpleMood.scr 37 PID 2696 wrote to memory of 2828 2696 PurpleMood.scr 37 PID 2828 wrote to memory of 2544 2828 PurpleMood.scr 38 PID 2828 wrote to memory of 2544 2828 PurpleMood.scr 38 PID 2828 wrote to memory of 2544 2828 PurpleMood.scr 38 PID 2828 wrote to memory of 2544 2828 PurpleMood.scr 38 PID 2544 wrote to memory of 2604 2544 PurpleMood.scr 39 PID 2544 wrote to memory of 2604 2544 PurpleMood.scr 39 PID 2544 wrote to memory of 2604 2544 PurpleMood.scr 39 PID 2544 wrote to memory of 2604 2544 PurpleMood.scr 39 PID 2604 wrote to memory of 1064 2604 PurpleMood.scr 41 PID 2604 wrote to memory of 1064 2604 PurpleMood.scr 41 PID 2604 wrote to memory of 1064 2604 PurpleMood.scr 41 PID 2604 wrote to memory of 1064 2604 PurpleMood.scr 41 PID 1064 wrote to memory of 2456 1064 PurpleMood.scr 40 PID 1064 wrote to memory of 2456 1064 PurpleMood.scr 40 PID 1064 wrote to memory of 2456 1064 PurpleMood.scr 40 PID 1064 wrote to memory of 2456 1064 PurpleMood.scr 40 PID 2456 wrote to memory of 1692 2456 PurpleMood.scr 42 PID 2456 wrote to memory of 1692 2456 PurpleMood.scr 42 PID 2456 wrote to memory of 1692 2456 PurpleMood.scr 42 PID 2456 wrote to memory of 1692 2456 PurpleMood.scr 42 PID 1692 wrote to memory of 592 1692 PurpleMood.scr 43 PID 1692 wrote to memory of 592 1692 PurpleMood.scr 43 PID 1692 wrote to memory of 592 1692 PurpleMood.scr 43 PID 1692 wrote to memory of 592 1692 PurpleMood.scr 43
Processes
-
C:\Users\Admin\AppData\Local\Temp\NEAS.c2ec529699a3647053fbf1c22cdd02c0.exe"C:\Users\Admin\AppData\Local\Temp\NEAS.c2ec529699a3647053fbf1c22cdd02c0.exe"1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2712 -
C:\Windows\SysWOW64\PurpleMood.scrC:\Windows\system32\PurpleMood.scr2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2280 -
C:\Windows\SysWOW64\PurpleMood.scrC:\Windows\system32\PurpleMood.scr3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2740
-
-
-
C:\Windows\SysWOW64\PurpleMood.scrC:\Windows\system32\PurpleMood.scr1⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2844 -
C:\Windows\SysWOW64\PurpleMood.scrC:\Windows\system32\PurpleMood.scr2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2632 -
C:\Windows\SysWOW64\PurpleMood.scrC:\Windows\system32\PurpleMood.scr3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2380 -
C:\Windows\SysWOW64\PurpleMood.scrC:\Windows\system32\PurpleMood.scr4⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2820 -
C:\Windows\SysWOW64\PurpleMood.scrC:\Windows\system32\PurpleMood.scr5⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2552 -
C:\Windows\SysWOW64\PurpleMood.scrC:\Windows\system32\PurpleMood.scr6⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1720 -
C:\Windows\SysWOW64\PurpleMood.scrC:\Windows\system32\PurpleMood.scr7⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2696 -
C:\Windows\SysWOW64\PurpleMood.scrC:\Windows\system32\PurpleMood.scr8⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2828 -
C:\Windows\SysWOW64\PurpleMood.scrC:\Windows\system32\PurpleMood.scr9⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2544 -
C:\Windows\SysWOW64\PurpleMood.scrC:\Windows\system32\PurpleMood.scr10⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2604 -
C:\Windows\SysWOW64\PurpleMood.scrC:\Windows\system32\PurpleMood.scr11⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1064
-
-
-
-
-
-
-
-
-
-
-
C:\Windows\SysWOW64\PurpleMood.scrC:\Windows\system32\PurpleMood.scr1⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2456 -
C:\Windows\SysWOW64\PurpleMood.scrC:\Windows\system32\PurpleMood.scr2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1692 -
C:\Windows\SysWOW64\PurpleMood.scrC:\Windows\system32\PurpleMood.scr3⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:592 -
C:\Windows\SysWOW64\PurpleMood.scrC:\Windows\system32\PurpleMood.scr4⤵
- Executes dropped EXE
- Loads dropped DLL
PID:336 -
C:\Windows\SysWOW64\PurpleMood.scrC:\Windows\system32\PurpleMood.scr5⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2940 -
C:\Windows\SysWOW64\PurpleMood.scrC:\Windows\system32\PurpleMood.scr6⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2936 -
C:\Windows\SysWOW64\PurpleMood.scrC:\Windows\system32\PurpleMood.scr7⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:2976 -
C:\Windows\SysWOW64\PurpleMood.scrC:\Windows\system32\PurpleMood.scr8⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1696 -
C:\Windows\SysWOW64\PurpleMood.scrC:\Windows\system32\PurpleMood.scr9⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2808
-
-
-
-
-
-
-
-
-
C:\Windows\SysWOW64\PurpleMood.scrC:\Windows\system32\PurpleMood.scr1⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2756 -
C:\Windows\SysWOW64\PurpleMood.scrC:\Windows\system32\PurpleMood.scr2⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1964 -
C:\Windows\SysWOW64\PurpleMood.scrC:\Windows\system32\PurpleMood.scr3⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1772 -
C:\Windows\SysWOW64\PurpleMood.scrC:\Windows\system32\PurpleMood.scr4⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2788 -
C:\Windows\SysWOW64\PurpleMood.scrC:\Windows\system32\PurpleMood.scr5⤵
- Executes dropped EXE
- Loads dropped DLL
PID:648
-
-
-
-
-
C:\Windows\SysWOW64\PurpleMood.scrC:\Windows\system32\PurpleMood.scr1⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2876 -
C:\Windows\SysWOW64\PurpleMood.scrC:\Windows\system32\PurpleMood.scr2⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2860 -
C:\Windows\SysWOW64\PurpleMood.scrC:\Windows\system32\PurpleMood.scr3⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2916 -
C:\Windows\SysWOW64\PurpleMood.scrC:\Windows\system32\PurpleMood.scr4⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1764
-
-
-
-
C:\Windows\SysWOW64\PurpleMood.scrC:\Windows\system32\PurpleMood.scr1⤵
- Executes dropped EXE
PID:1752 -
C:\Windows\SysWOW64\PurpleMood.scrC:\Windows\system32\PurpleMood.scr2⤵
- Executes dropped EXE
PID:1092 -
C:\Windows\SysWOW64\PurpleMood.scrC:\Windows\system32\PurpleMood.scr3⤵
- Executes dropped EXE
PID:2452 -
C:\Windows\SysWOW64\PurpleMood.scrC:\Windows\system32\PurpleMood.scr4⤵
- Executes dropped EXE
PID:1848 -
C:\Windows\SysWOW64\PurpleMood.scrC:\Windows\system32\PurpleMood.scr5⤵
- Executes dropped EXE
PID:1516 -
C:\Windows\SysWOW64\PurpleMood.scrC:\Windows\system32\PurpleMood.scr6⤵
- Executes dropped EXE
PID:1492 -
C:\Windows\SysWOW64\PurpleMood.scrC:\Windows\system32\PurpleMood.scr7⤵
- Executes dropped EXE
PID:1412 -
C:\Windows\SysWOW64\PurpleMood.scrC:\Windows\system32\PurpleMood.scr8⤵
- Executes dropped EXE
PID:2624
-
-
-
-
-
-
-
-
C:\Windows\SysWOW64\PurpleMood.scrC:\Windows\system32\PurpleMood.scr1⤵
- Executes dropped EXE
PID:2304 -
C:\Windows\SysWOW64\PurpleMood.scrC:\Windows\system32\PurpleMood.scr2⤵
- Executes dropped EXE
PID:1388 -
C:\Windows\SysWOW64\PurpleMood.scrC:\Windows\system32\PurpleMood.scr3⤵
- Executes dropped EXE
PID:2336 -
C:\Windows\SysWOW64\PurpleMood.scrC:\Windows\system32\PurpleMood.scr4⤵
- Executes dropped EXE
PID:2628 -
C:\Windows\SysWOW64\PurpleMood.scrC:\Windows\system32\PurpleMood.scr5⤵
- Executes dropped EXE
PID:1268 -
C:\Windows\SysWOW64\PurpleMood.scrC:\Windows\system32\PurpleMood.scr6⤵
- Executes dropped EXE
PID:3008 -
C:\Windows\SysWOW64\PurpleMood.scrC:\Windows\system32\PurpleMood.scr7⤵
- Executes dropped EXE
PID:3024 -
C:\Windows\SysWOW64\PurpleMood.scrC:\Windows\system32\PurpleMood.scr8⤵
- Executes dropped EXE
PID:1724 -
C:\Windows\SysWOW64\PurpleMood.scrC:\Windows\system32\PurpleMood.scr9⤵
- Executes dropped EXE
PID:2288 -
C:\Windows\SysWOW64\PurpleMood.scrC:\Windows\system32\PurpleMood.scr10⤵
- Executes dropped EXE
PID:3020 -
C:\Windows\SysWOW64\PurpleMood.scrC:\Windows\system32\PurpleMood.scr11⤵
- Executes dropped EXE
PID:3064 -
C:\Windows\SysWOW64\PurpleMood.scrC:\Windows\system32\PurpleMood.scr12⤵
- Executes dropped EXE
PID:1888 -
C:\Windows\SysWOW64\PurpleMood.scrC:\Windows\system32\PurpleMood.scr13⤵
- Executes dropped EXE
PID:1512 -
C:\Windows\SysWOW64\PurpleMood.scrC:\Windows\system32\PurpleMood.scr14⤵
- Executes dropped EXE
PID:2008 -
C:\Windows\SysWOW64\PurpleMood.scrC:\Windows\system32\PurpleMood.scr15⤵
- Executes dropped EXE
PID:2464 -
C:\Windows\SysWOW64\PurpleMood.scrC:\Windows\system32\PurpleMood.scr16⤵
- Executes dropped EXE
- Adds Run key to start application
PID:1380 -
C:\Windows\SysWOW64\PurpleMood.scrC:\Windows\system32\PurpleMood.scr17⤵
- Executes dropped EXE
PID:400 -
C:\Windows\SysWOW64\PurpleMood.scrC:\Windows\system32\PurpleMood.scr18⤵
- Executes dropped EXE
PID:1264 -
C:\Windows\SysWOW64\PurpleMood.scrC:\Windows\system32\PurpleMood.scr19⤵
- Executes dropped EXE
PID:2092 -
C:\Windows\SysWOW64\PurpleMood.scrC:\Windows\system32\PurpleMood.scr20⤵
- Executes dropped EXE
PID:2416 -
C:\Windows\SysWOW64\PurpleMood.scrC:\Windows\system32\PurpleMood.scr21⤵
- Executes dropped EXE
- Adds Run key to start application
PID:1808 -
C:\Windows\SysWOW64\PurpleMood.scrC:\Windows\system32\PurpleMood.scr22⤵
- Executes dropped EXE
PID:1952 -
C:\Windows\SysWOW64\PurpleMood.scrC:\Windows\system32\PurpleMood.scr23⤵
- Executes dropped EXE
PID:1636 -
C:\Windows\SysWOW64\PurpleMood.scrC:\Windows\system32\PurpleMood.scr24⤵
- Executes dropped EXE
- Adds Run key to start application
PID:1800 -
C:\Windows\SysWOW64\PurpleMood.scrC:\Windows\system32\PurpleMood.scr25⤵
- Executes dropped EXE
PID:2168 -
C:\Windows\SysWOW64\PurpleMood.scrC:\Windows\system32\PurpleMood.scr26⤵PID:1616
-
C:\Windows\SysWOW64\PurpleMood.scrC:\Windows\system32\PurpleMood.scr27⤵PID:1340
-
C:\Windows\SysWOW64\PurpleMood.scrC:\Windows\system32\PurpleMood.scr28⤵PID:964
-
C:\Windows\SysWOW64\PurpleMood.scrC:\Windows\system32\PurpleMood.scr29⤵PID:1624
-
C:\Windows\SysWOW64\PurpleMood.scrC:\Windows\system32\PurpleMood.scr30⤵PID:2376
-
C:\Windows\SysWOW64\PurpleMood.scrC:\Windows\system32\PurpleMood.scr31⤵PID:1640
-
C:\Windows\SysWOW64\PurpleMood.scrC:\Windows\system32\PurpleMood.scr32⤵PID:1044
-
C:\Windows\SysWOW64\PurpleMood.scrC:\Windows\system32\PurpleMood.scr33⤵PID:616
-
C:\Windows\SysWOW64\PurpleMood.scrC:\Windows\system32\PurpleMood.scr34⤵PID:1856
-
C:\Windows\SysWOW64\PurpleMood.scrC:\Windows\system32\PurpleMood.scr35⤵PID:1536
-
C:\Windows\SysWOW64\PurpleMood.scrC:\Windows\system32\PurpleMood.scr36⤵PID:1656
-
C:\Windows\SysWOW64\PurpleMood.scrC:\Windows\system32\PurpleMood.scr37⤵PID:2236
-
C:\Windows\SysWOW64\PurpleMood.scrC:\Windows\system32\PurpleMood.scr38⤵PID:2088
-
C:\Windows\SysWOW64\PurpleMood.scrC:\Windows\system32\PurpleMood.scr39⤵PID:1436
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
C:\Windows\SysWOW64\PurpleMood.scrC:\Windows\system32\PurpleMood.scr1⤵
- Adds Run key to start application
PID:2988 -
C:\Windows\SysWOW64\PurpleMood.scrC:\Windows\system32\PurpleMood.scr2⤵PID:2228
-
C:\Windows\SysWOW64\PurpleMood.scrC:\Windows\system32\PurpleMood.scr3⤵PID:868
-
C:\Windows\SysWOW64\PurpleMood.scrC:\Windows\system32\PurpleMood.scr4⤵PID:2132
-
C:\Windows\SysWOW64\PurpleMood.scrC:\Windows\system32\PurpleMood.scr5⤵PID:1160
-
C:\Windows\SysWOW64\PurpleMood.scrC:\Windows\system32\PurpleMood.scr6⤵PID:896
-
C:\Windows\SysWOW64\PurpleMood.scrC:\Windows\system32\PurpleMood.scr7⤵PID:1780
-
C:\Windows\SysWOW64\PurpleMood.scrC:\Windows\system32\PurpleMood.scr8⤵
- Adds Run key to start application
PID:952 -
C:\Windows\SysWOW64\PurpleMood.scrC:\Windows\system32\PurpleMood.scr9⤵PID:2140
-
C:\Windows\SysWOW64\PurpleMood.scrC:\Windows\system32\PurpleMood.scr10⤵PID:2272
-
C:\Windows\SysWOW64\PurpleMood.scrC:\Windows\system32\PurpleMood.scr11⤵PID:2892
-
C:\Windows\SysWOW64\PurpleMood.scrC:\Windows\system32\PurpleMood.scr12⤵PID:2656
-
C:\Windows\SysWOW64\PurpleMood.scrC:\Windows\system32\PurpleMood.scr13⤵PID:1580
-
C:\Windows\SysWOW64\PurpleMood.scrC:\Windows\system32\PurpleMood.scr14⤵PID:2360
-
C:\Windows\SysWOW64\PurpleMood.scrC:\Windows\system32\PurpleMood.scr15⤵PID:1684
-
C:\Windows\SysWOW64\PurpleMood.scrC:\Windows\system32\PurpleMood.scr16⤵PID:2676
-
C:\Windows\SysWOW64\PurpleMood.scrC:\Windows\system32\PurpleMood.scr17⤵PID:2680
-
C:\Windows\SysWOW64\PurpleMood.scrC:\Windows\system32\PurpleMood.scr18⤵PID:2732
-
C:\Windows\SysWOW64\PurpleMood.scrC:\Windows\system32\PurpleMood.scr19⤵PID:2688
-
C:\Windows\SysWOW64\PurpleMood.scrC:\Windows\system32\PurpleMood.scr20⤵PID:2956
-
C:\Windows\SysWOW64\PurpleMood.scrC:\Windows\system32\PurpleMood.scr21⤵PID:2548
-
C:\Windows\SysWOW64\PurpleMood.scrC:\Windows\system32\PurpleMood.scr22⤵
- Adds Run key to start application
PID:2836 -
C:\Windows\SysWOW64\PurpleMood.scrC:\Windows\system32\PurpleMood.scr23⤵PID:2528
-
C:\Windows\SysWOW64\PurpleMood.scrC:\Windows\system32\PurpleMood.scr24⤵PID:876
-
C:\Windows\SysWOW64\PurpleMood.scrC:\Windows\system32\PurpleMood.scr25⤵PID:2832
-
C:\Windows\SysWOW64\PurpleMood.scrC:\Windows\system32\PurpleMood.scr26⤵PID:2692
-
C:\Windows\SysWOW64\PurpleMood.scrC:\Windows\system32\PurpleMood.scr27⤵PID:2568
-
C:\Windows\SysWOW64\PurpleMood.scrC:\Windows\system32\PurpleMood.scr28⤵PID:2600
-
C:\Windows\SysWOW64\PurpleMood.scrC:\Windows\system32\PurpleMood.scr29⤵PID:2584
-
C:\Windows\SysWOW64\PurpleMood.scrC:\Windows\system32\PurpleMood.scr30⤵
- Adds Run key to start application
PID:2284 -
C:\Windows\SysWOW64\PurpleMood.scrC:\Windows\system32\PurpleMood.scr31⤵PID:528
-
C:\Windows\SysWOW64\PurpleMood.scrC:\Windows\system32\PurpleMood.scr32⤵PID:2108
-
C:\Windows\SysWOW64\PurpleMood.scrC:\Windows\system32\PurpleMood.scr33⤵PID:804
-
C:\Windows\SysWOW64\PurpleMood.scrC:\Windows\system32\PurpleMood.scr34⤵PID:948
-
C:\Windows\SysWOW64\PurpleMood.scrC:\Windows\system32\PurpleMood.scr35⤵PID:2952
-
C:\Windows\SysWOW64\PurpleMood.scrC:\Windows\system32\PurpleMood.scr36⤵PID:700
-
C:\Windows\SysWOW64\PurpleMood.scrC:\Windows\system32\PurpleMood.scr37⤵PID:2900
-
C:\Windows\SysWOW64\PurpleMood.scrC:\Windows\system32\PurpleMood.scr38⤵PID:2716
-
C:\Windows\SysWOW64\PurpleMood.scrC:\Windows\system32\PurpleMood.scr39⤵PID:1948
-
C:\Windows\SysWOW64\PurpleMood.scrC:\Windows\system32\PurpleMood.scr40⤵
- Drops file in System32 directory
PID:2056 -
C:\Windows\SysWOW64\PurpleMood.scrC:\Windows\system32\PurpleMood.scr41⤵PID:1364
-
C:\Windows\SysWOW64\PurpleMood.scrC:\Windows\system32\PurpleMood.scr42⤵PID:2872
-
C:\Windows\SysWOW64\PurpleMood.scrC:\Windows\system32\PurpleMood.scr43⤵PID:1972
-
C:\Windows\SysWOW64\PurpleMood.scrC:\Windows\system32\PurpleMood.scr44⤵PID:1168
-
C:\Windows\SysWOW64\PurpleMood.scrC:\Windows\system32\PurpleMood.scr45⤵PID:2908
-
C:\Windows\SysWOW64\PurpleMood.scrC:\Windows\system32\PurpleMood.scr46⤵PID:2880
-
C:\Windows\SysWOW64\PurpleMood.scrC:\Windows\system32\PurpleMood.scr47⤵
- Drops file in System32 directory
PID:1740 -
C:\Windows\SysWOW64\PurpleMood.scrC:\Windows\system32\PurpleMood.scr48⤵PID:1880
-
C:\Windows\SysWOW64\PurpleMood.scrC:\Windows\system32\PurpleMood.scr49⤵PID:1472
-
C:\Windows\SysWOW64\PurpleMood.scrC:\Windows\system32\PurpleMood.scr50⤵PID:2224
-
C:\Windows\SysWOW64\PurpleMood.scrC:\Windows\system32\PurpleMood.scr51⤵PID:2480
-
C:\Windows\SysWOW64\PurpleMood.scrC:\Windows\system32\PurpleMood.scr52⤵PID:2212
-
C:\Windows\SysWOW64\PurpleMood.scrC:\Windows\system32\PurpleMood.scr53⤵PID:1132
-
C:\Windows\SysWOW64\PurpleMood.scrC:\Windows\system32\PurpleMood.scr54⤵PID:2384
-
C:\Windows\SysWOW64\PurpleMood.scrC:\Windows\system32\PurpleMood.scr55⤵PID:2012
-
C:\Windows\SysWOW64\PurpleMood.scrC:\Windows\system32\PurpleMood.scr56⤵PID:852
-
C:\Windows\SysWOW64\PurpleMood.scrC:\Windows\system32\PurpleMood.scr57⤵PID:1652
-
C:\Windows\SysWOW64\PurpleMood.scrC:\Windows\system32\PurpleMood.scr58⤵PID:2312
-
C:\Windows\SysWOW64\PurpleMood.scrC:\Windows\system32\PurpleMood.scr59⤵PID:2404
-
C:\Windows\SysWOW64\PurpleMood.scrC:\Windows\system32\PurpleMood.scr60⤵PID:1224
-
C:\Windows\SysWOW64\PurpleMood.scrC:\Windows\system32\PurpleMood.scr61⤵PID:1648
-
C:\Windows\SysWOW64\PurpleMood.scrC:\Windows\system32\PurpleMood.scr62⤵PID:980
-
C:\Windows\SysWOW64\PurpleMood.scrC:\Windows\system32\PurpleMood.scr63⤵PID:1812
-
C:\Windows\SysWOW64\PurpleMood.scrC:\Windows\system32\PurpleMood.scr64⤵PID:1052
-
C:\Windows\SysWOW64\PurpleMood.scrC:\Windows\system32\PurpleMood.scr65⤵PID:988
-
C:\Windows\SysWOW64\PurpleMood.scrC:\Windows\system32\PurpleMood.scr66⤵PID:2488
-
C:\Windows\SysWOW64\PurpleMood.scrC:\Windows\system32\PurpleMood.scr67⤵PID:2460
-
C:\Windows\SysWOW64\PurpleMood.scrC:\Windows\system32\PurpleMood.scr68⤵PID:1760
-
C:\Windows\SysWOW64\PurpleMood.scrC:\Windows\system32\PurpleMood.scr69⤵PID:2608
-
C:\Windows\SysWOW64\PurpleMood.scrC:\Windows\system32\PurpleMood.scr70⤵PID:900
-
C:\Windows\SysWOW64\PurpleMood.scrC:\Windows\system32\PurpleMood.scr71⤵PID:1776
-
C:\Windows\SysWOW64\PurpleMood.scrC:\Windows\system32\PurpleMood.scr72⤵PID:3068
-
C:\Windows\SysWOW64\PurpleMood.scrC:\Windows\system32\PurpleMood.scr73⤵PID:2620
-
C:\Windows\SysWOW64\PurpleMood.scrC:\Windows\system32\PurpleMood.scr74⤵PID:1592
-
C:\Windows\SysWOW64\PurpleMood.scrC:\Windows\system32\PurpleMood.scr75⤵PID:2744
-
C:\Windows\SysWOW64\PurpleMood.scrC:\Windows\system32\PurpleMood.scr76⤵PID:2840
-
C:\Windows\SysWOW64\PurpleMood.scrC:\Windows\system32\PurpleMood.scr77⤵PID:2704
-
C:\Windows\SysWOW64\PurpleMood.scrC:\Windows\system32\PurpleMood.scr78⤵PID:2520
-
C:\Windows\SysWOW64\PurpleMood.scrC:\Windows\system32\PurpleMood.scr79⤵PID:2700
-
C:\Windows\SysWOW64\PurpleMood.scrC:\Windows\system32\PurpleMood.scr80⤵PID:2428
-
C:\Windows\SysWOW64\PurpleMood.scrC:\Windows\system32\PurpleMood.scr81⤵PID:788
-
C:\Windows\SysWOW64\PurpleMood.scrC:\Windows\system32\PurpleMood.scr82⤵PID:2504
-
C:\Windows\SysWOW64\PurpleMood.scrC:\Windows\system32\PurpleMood.scr83⤵PID:2764
-
C:\Windows\SysWOW64\PurpleMood.scrC:\Windows\system32\PurpleMood.scr84⤵PID:580
-
C:\Windows\SysWOW64\PurpleMood.scrC:\Windows\system32\PurpleMood.scr85⤵PID:940
-
C:\Windows\SysWOW64\PurpleMood.scrC:\Windows\system32\PurpleMood.scr86⤵PID:2448
-
C:\Windows\SysWOW64\PurpleMood.scrC:\Windows\system32\PurpleMood.scr87⤵PID:2036
-
C:\Windows\SysWOW64\PurpleMood.scrC:\Windows\system32\PurpleMood.scr88⤵PID:3012
-
C:\Windows\SysWOW64\PurpleMood.scrC:\Windows\system32\PurpleMood.scr89⤵PID:1116
-
C:\Windows\SysWOW64\PurpleMood.scrC:\Windows\system32\PurpleMood.scr90⤵PID:1700
-
C:\Windows\SysWOW64\PurpleMood.scrC:\Windows\system32\PurpleMood.scr91⤵PID:2424
-
C:\Windows\SysWOW64\PurpleMood.scrC:\Windows\system32\PurpleMood.scr92⤵PID:1532
-
C:\Windows\SysWOW64\PurpleMood.scrC:\Windows\system32\PurpleMood.scr93⤵PID:1036
-
C:\Windows\SysWOW64\PurpleMood.scrC:\Windows\system32\PurpleMood.scr94⤵
- Adds Run key to start application
PID:764 -
C:\Windows\SysWOW64\PurpleMood.scrC:\Windows\system32\PurpleMood.scr95⤵PID:820
-
C:\Windows\SysWOW64\PurpleMood.scrC:\Windows\system32\PurpleMood.scr96⤵PID:2432
-
C:\Windows\SysWOW64\PurpleMood.scrC:\Windows\system32\PurpleMood.scr97⤵PID:848
-
C:\Windows\SysWOW64\PurpleMood.scrC:\Windows\system32\PurpleMood.scr98⤵PID:2160
-
C:\Windows\SysWOW64\PurpleMood.scrC:\Windows\system32\PurpleMood.scr99⤵PID:2096
-
C:\Windows\SysWOW64\PurpleMood.scrC:\Windows\system32\PurpleMood.scr100⤵
- Adds Run key to start application
PID:696 -
C:\Windows\SysWOW64\PurpleMood.scrC:\Windows\system32\PurpleMood.scr101⤵PID:2104
-
C:\Windows\SysWOW64\PurpleMood.scrC:\Windows\system32\PurpleMood.scr102⤵PID:2672
-
C:\Windows\SysWOW64\PurpleMood.scrC:\Windows\system32\PurpleMood.scr103⤵PID:2724
-
C:\Windows\SysWOW64\PurpleMood.scrC:\Windows\system32\PurpleMood.scr104⤵PID:2848
-
C:\Windows\SysWOW64\PurpleMood.scrC:\Windows\system32\PurpleMood.scr105⤵PID:768
-
C:\Windows\SysWOW64\PurpleMood.scrC:\Windows\system32\PurpleMood.scr106⤵
- Adds Run key to start application
PID:2664 -
C:\Windows\SysWOW64\PurpleMood.scrC:\Windows\system32\PurpleMood.scr107⤵PID:2944
-
C:\Windows\SysWOW64\PurpleMood.scrC:\Windows\system32\PurpleMood.scr108⤵PID:2148
-
C:\Windows\SysWOW64\PurpleMood.scrC:\Windows\system32\PurpleMood.scr109⤵PID:1788
-
C:\Windows\SysWOW64\PurpleMood.scrC:\Windows\system32\PurpleMood.scr110⤵PID:2968
-
C:\Windows\SysWOW64\PurpleMood.scrC:\Windows\system32\PurpleMood.scr111⤵PID:1368
-
C:\Windows\SysWOW64\PurpleMood.scrC:\Windows\system32\PurpleMood.scr112⤵PID:1792
-
C:\Windows\SysWOW64\PurpleMood.scrC:\Windows\system32\PurpleMood.scr113⤵PID:3076
-
C:\Windows\SysWOW64\PurpleMood.scrC:\Windows\system32\PurpleMood.scr114⤵
- Adds Run key to start application
PID:3084 -
C:\Windows\SysWOW64\PurpleMood.scrC:\Windows\system32\PurpleMood.scr115⤵PID:3092
-
C:\Windows\SysWOW64\PurpleMood.scrC:\Windows\system32\PurpleMood.scr116⤵PID:3100
-
C:\Windows\SysWOW64\PurpleMood.scrC:\Windows\system32\PurpleMood.scr117⤵PID:3108
-
C:\Windows\SysWOW64\PurpleMood.scrC:\Windows\system32\PurpleMood.scr118⤵PID:3116
-
C:\Windows\SysWOW64\PurpleMood.scrC:\Windows\system32\PurpleMood.scr119⤵PID:3124
-
C:\Windows\SysWOW64\PurpleMood.scrC:\Windows\system32\PurpleMood.scr120⤵PID:3132
-
C:\Windows\SysWOW64\PurpleMood.scrC:\Windows\system32\PurpleMood.scr121⤵
- Adds Run key to start application
PID:3140 -
C:\Windows\SysWOW64\PurpleMood.scrC:\Windows\system32\PurpleMood.scr122⤵PID:3148
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-