Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
147s -
max time network
118s -
platform
windows7_x64 -
resource
win7-20240508-en -
resource tags
arch:x64arch:x86image:win7-20240508-enlocale:en-usos:windows7-x64system -
submitted
29/06/2024, 12:26
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
ab5ed94116402d2f52c7bc8cf089eb329ace87f180d5e2adcd617f2c183c0cf1_NeikiAnalytics.exe
Resource
win7-20240508-en
windows7-x64
6 signatures
150 seconds
Behavioral task
behavioral2
Sample
ab5ed94116402d2f52c7bc8cf089eb329ace87f180d5e2adcd617f2c183c0cf1_NeikiAnalytics.exe
Resource
win10v2004-20240611-en
windows10-2004-x64
5 signatures
150 seconds
General
-
Target
ab5ed94116402d2f52c7bc8cf089eb329ace87f180d5e2adcd617f2c183c0cf1_NeikiAnalytics.exe
-
Size
7KB
-
MD5
9f26d400835b84375c623f3a28457290
-
SHA1
e0a419d076a85f01ad756717544386896ddf8b89
-
SHA256
ab5ed94116402d2f52c7bc8cf089eb329ace87f180d5e2adcd617f2c183c0cf1
-
SHA512
717f4d212de942ffc9bd02930c05db6dbf403c56923830db9fe51240b7f1e4ce57da8f4f0724a6ec8cdfe69d4534f142f84a6771f5233c74390c99fb225f9c18
-
SSDEEP
96:G1i32tdsBxIEIW5Bf1eG6P5Ua1JIwTdJOO:G1XdsXYWLdeGyVJIwxJO
Score
7/10
Malware Config
Signatures
-
Executes dropped EXE 64 IoCs
pid Process 2224 PurpleMood.scr 2004 PurpleMood.scr 2612 PurpleMood.scr 2632 PurpleMood.scr 2708 PurpleMood.scr 2892 PurpleMood.scr 2636 PurpleMood.scr 2760 PurpleMood.scr 2728 PurpleMood.scr 2752 PurpleMood.scr 2616 PurpleMood.scr 2516 PurpleMood.scr 2968 PurpleMood.scr 1640 PurpleMood.scr 2604 PurpleMood.scr 2800 PurpleMood.scr 2848 PurpleMood.scr 300 PurpleMood.scr 1932 PurpleMood.scr 1528 PurpleMood.scr 1696 PurpleMood.scr 1992 PurpleMood.scr 1660 PurpleMood.scr 1604 PurpleMood.scr 1560 PurpleMood.scr 2056 PurpleMood.scr 2064 PurpleMood.scr 2060 PurpleMood.scr 820 PurpleMood.scr 2904 PurpleMood.scr 2484 PurpleMood.scr 552 PurpleMood.scr 668 PurpleMood.scr 480 PurpleMood.scr 984 PurpleMood.scr 2684 PurpleMood.scr 1484 PurpleMood.scr 1096 PurpleMood.scr 2972 PurpleMood.scr 1780 PurpleMood.scr 1072 PurpleMood.scr 856 PurpleMood.scr 832 PurpleMood.scr 2448 PurpleMood.scr 1832 PurpleMood.scr 2316 PurpleMood.scr 2040 PurpleMood.scr 2108 PurpleMood.scr 1652 PurpleMood.scr 1536 PurpleMood.scr 956 PurpleMood.scr 1368 PurpleMood.scr 1040 PurpleMood.scr 2888 PurpleMood.scr 1768 PurpleMood.scr 752 PurpleMood.scr 2148 PurpleMood.scr 1936 PurpleMood.scr 2176 PurpleMood.scr 2312 PurpleMood.scr 756 PurpleMood.scr 2280 PurpleMood.scr 1488 PurpleMood.scr 604 PurpleMood.scr -
Loads dropped DLL 64 IoCs
pid Process 2412 ab5ed94116402d2f52c7bc8cf089eb329ace87f180d5e2adcd617f2c183c0cf1_NeikiAnalytics.exe 2412 ab5ed94116402d2f52c7bc8cf089eb329ace87f180d5e2adcd617f2c183c0cf1_NeikiAnalytics.exe 2224 PurpleMood.scr 2224 PurpleMood.scr 2004 PurpleMood.scr 2004 PurpleMood.scr 2612 PurpleMood.scr 2612 PurpleMood.scr 2632 PurpleMood.scr 2632 PurpleMood.scr 2708 PurpleMood.scr 2708 PurpleMood.scr 2892 PurpleMood.scr 2892 PurpleMood.scr 2636 PurpleMood.scr 2636 PurpleMood.scr 2760 PurpleMood.scr 2760 PurpleMood.scr 2728 PurpleMood.scr 2728 PurpleMood.scr 2752 PurpleMood.scr 2752 PurpleMood.scr 2616 PurpleMood.scr 2616 PurpleMood.scr 2516 PurpleMood.scr 2516 PurpleMood.scr 2968 PurpleMood.scr 2968 PurpleMood.scr 1640 PurpleMood.scr 1640 PurpleMood.scr 2604 PurpleMood.scr 2604 PurpleMood.scr 2800 PurpleMood.scr 2800 PurpleMood.scr 2848 PurpleMood.scr 2848 PurpleMood.scr 300 PurpleMood.scr 300 PurpleMood.scr 1932 PurpleMood.scr 1932 PurpleMood.scr 1528 PurpleMood.scr 1528 PurpleMood.scr 1696 PurpleMood.scr 1696 PurpleMood.scr 1992 PurpleMood.scr 1992 PurpleMood.scr 1660 PurpleMood.scr 1660 PurpleMood.scr 1604 PurpleMood.scr 1604 PurpleMood.scr 1560 PurpleMood.scr 1560 PurpleMood.scr 2056 PurpleMood.scr 2056 PurpleMood.scr 2064 PurpleMood.scr 2064 PurpleMood.scr 2060 PurpleMood.scr 2060 PurpleMood.scr 820 PurpleMood.scr 820 PurpleMood.scr 2904 PurpleMood.scr 2904 PurpleMood.scr 2484 PurpleMood.scr 2484 PurpleMood.scr -
Adds Run key to start application 2 TTPs 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\PurpleMood = "C:\\Windows\\system32\\PurpleMood.scr" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\PurpleMood = "C:\\Windows\\system32\\PurpleMood.scr" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\PurpleMood = "C:\\Windows\\system32\\PurpleMood.scr" PurpleMood.scr Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\PurpleMood = "C:\\Windows\\system32\\PurpleMood.scr" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\PurpleMood = "C:\\Windows\\system32\\PurpleMood.scr" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\PurpleMood = "C:\\Windows\\system32\\PurpleMood.scr" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\PurpleMood = "C:\\Windows\\system32\\PurpleMood.scr" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\PurpleMood = "C:\\Windows\\system32\\PurpleMood.scr" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\PurpleMood = "C:\\Windows\\system32\\PurpleMood.scr" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\PurpleMood = "C:\\Windows\\system32\\PurpleMood.scr" PurpleMood.scr Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\PurpleMood = "C:\\Windows\\system32\\PurpleMood.scr" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\PurpleMood = "C:\\Windows\\system32\\PurpleMood.scr" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\PurpleMood = "C:\\Windows\\system32\\PurpleMood.scr" PurpleMood.scr Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\PurpleMood = "C:\\Windows\\system32\\PurpleMood.scr" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\PurpleMood = "C:\\Windows\\system32\\PurpleMood.scr" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\PurpleMood = "C:\\Windows\\system32\\PurpleMood.scr" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\PurpleMood = "C:\\Windows\\system32\\PurpleMood.scr" PurpleMood.scr Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\PurpleMood = "C:\\Windows\\system32\\PurpleMood.scr" PurpleMood.scr Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\PurpleMood = "C:\\Windows\\system32\\PurpleMood.scr" PurpleMood.scr Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\PurpleMood = "C:\\Windows\\system32\\PurpleMood.scr" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\PurpleMood = "C:\\Windows\\system32\\PurpleMood.scr" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\PurpleMood = "C:\\Windows\\system32\\PurpleMood.scr" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\PurpleMood = "C:\\Windows\\system32\\PurpleMood.scr" PurpleMood.scr Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\PurpleMood = "C:\\Windows\\system32\\PurpleMood.scr" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\PurpleMood = "C:\\Windows\\system32\\PurpleMood.scr" PurpleMood.scr Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\PurpleMood = "C:\\Windows\\system32\\PurpleMood.scr" PurpleMood.scr Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\PurpleMood = "C:\\Windows\\system32\\PurpleMood.scr" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\PurpleMood = "C:\\Windows\\system32\\PurpleMood.scr" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\PurpleMood = "C:\\Windows\\system32\\PurpleMood.scr" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\PurpleMood = "C:\\Windows\\system32\\PurpleMood.scr" PurpleMood.scr Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\PurpleMood = "C:\\Windows\\system32\\PurpleMood.scr" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\PurpleMood = "C:\\Windows\\system32\\PurpleMood.scr" PurpleMood.scr Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\PurpleMood = "C:\\Windows\\system32\\PurpleMood.scr" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\PurpleMood = "C:\\Windows\\system32\\PurpleMood.scr" PurpleMood.scr Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\PurpleMood = "C:\\Windows\\system32\\PurpleMood.scr" PurpleMood.scr Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\PurpleMood = "C:\\Windows\\system32\\PurpleMood.scr" PurpleMood.scr Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\PurpleMood = "C:\\Windows\\system32\\PurpleMood.scr" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\PurpleMood = "C:\\Windows\\system32\\PurpleMood.scr" PurpleMood.scr Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\PurpleMood = "C:\\Windows\\system32\\PurpleMood.scr" PurpleMood.scr Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\PurpleMood = "C:\\Windows\\system32\\PurpleMood.scr" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\PurpleMood = "C:\\Windows\\system32\\PurpleMood.scr" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\PurpleMood = "C:\\Windows\\system32\\PurpleMood.scr" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\PurpleMood = "C:\\Windows\\system32\\PurpleMood.scr" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\PurpleMood = "C:\\Windows\\system32\\PurpleMood.scr" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\PurpleMood = "C:\\Windows\\system32\\PurpleMood.scr" PurpleMood.scr Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\PurpleMood = "C:\\Windows\\system32\\PurpleMood.scr" PurpleMood.scr Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\PurpleMood = "C:\\Windows\\system32\\PurpleMood.scr" PurpleMood.scr Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\PurpleMood = "C:\\Windows\\system32\\PurpleMood.scr" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\PurpleMood = "C:\\Windows\\system32\\PurpleMood.scr" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\PurpleMood = "C:\\Windows\\system32\\PurpleMood.scr" PurpleMood.scr Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\PurpleMood = "C:\\Windows\\system32\\PurpleMood.scr" PurpleMood.scr Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\PurpleMood = "C:\\Windows\\system32\\PurpleMood.scr" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\PurpleMood = "C:\\Windows\\system32\\PurpleMood.scr" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\PurpleMood = "C:\\Windows\\system32\\PurpleMood.scr" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\PurpleMood = "C:\\Windows\\system32\\PurpleMood.scr" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\PurpleMood = "C:\\Windows\\system32\\PurpleMood.scr" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\PurpleMood = "C:\\Windows\\system32\\PurpleMood.scr" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\PurpleMood = "C:\\Windows\\system32\\PurpleMood.scr" PurpleMood.scr Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\PurpleMood = "C:\\Windows\\system32\\PurpleMood.scr" PurpleMood.scr Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\PurpleMood = "C:\\Windows\\system32\\PurpleMood.scr" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\PurpleMood = "C:\\Windows\\system32\\PurpleMood.scr" PurpleMood.scr Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\PurpleMood = "C:\\Windows\\system32\\PurpleMood.scr" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\PurpleMood = "C:\\Windows\\system32\\PurpleMood.scr" PurpleMood.scr Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\PurpleMood = "C:\\Windows\\system32\\PurpleMood.scr" Process not Found -
Drops file in System32 directory 64 IoCs
description ioc Process File created C:\Windows\SysWOW64\PurpleMood.scr PurpleMood.scr File created C:\Windows\SysWOW64\PurpleMood.scr Process not Found File created C:\Windows\SysWOW64\PurpleMood.scr PurpleMood.scr File created C:\Windows\SysWOW64\PurpleMood.scr PurpleMood.scr File created C:\Windows\SysWOW64\PurpleMood.scr Process not Found File created C:\Windows\SysWOW64\PurpleMood.scr PurpleMood.scr File created C:\Windows\SysWOW64\PurpleMood.scr PurpleMood.scr File created C:\Windows\SysWOW64\PurpleMood.scr PurpleMood.scr File created C:\Windows\SysWOW64\PurpleMood.scr PurpleMood.scr File created C:\Windows\SysWOW64\PurpleMood.scr PurpleMood.scr File created C:\Windows\SysWOW64\PurpleMood.scr PurpleMood.scr File created C:\Windows\SysWOW64\PurpleMood.scr PurpleMood.scr File created C:\Windows\SysWOW64\PurpleMood.scr PurpleMood.scr File created C:\Windows\SysWOW64\PurpleMood.scr Process not Found File created C:\Windows\SysWOW64\PurpleMood.scr Process not Found File created C:\Windows\SysWOW64\PurpleMood.scr Process not Found File created C:\Windows\SysWOW64\PurpleMood.scr PurpleMood.scr File created C:\Windows\SysWOW64\PurpleMood.scr Process not Found File created C:\Windows\SysWOW64\PurpleMood.scr Process not Found File created C:\Windows\SysWOW64\PurpleMood.scr Process not Found File created C:\Windows\SysWOW64\PurpleMood.scr Process not Found File created C:\Windows\SysWOW64\PurpleMood.scr Process not Found File created C:\Windows\SysWOW64\PurpleMood.scr Process not Found File created C:\Windows\SysWOW64\PurpleMood.scr Process not Found File created C:\Windows\SysWOW64\PurpleMood.scr Process not Found File created C:\Windows\SysWOW64\PurpleMood.scr PurpleMood.scr File created C:\Windows\SysWOW64\PurpleMood.scr PurpleMood.scr File created C:\Windows\SysWOW64\PurpleMood.scr PurpleMood.scr File created C:\Windows\SysWOW64\PurpleMood.scr Process not Found File created C:\Windows\SysWOW64\PurpleMood.scr Process not Found File created C:\Windows\SysWOW64\PurpleMood.scr Process not Found File created C:\Windows\SysWOW64\PurpleMood.scr PurpleMood.scr File created C:\Windows\SysWOW64\PurpleMood.scr PurpleMood.scr File created C:\Windows\SysWOW64\PurpleMood.scr PurpleMood.scr File created C:\Windows\SysWOW64\PurpleMood.scr Process not Found File created C:\Windows\SysWOW64\PurpleMood.scr Process not Found File created C:\Windows\SysWOW64\PurpleMood.scr Process not Found File created C:\Windows\SysWOW64\PurpleMood.scr Process not Found File created C:\Windows\SysWOW64\PurpleMood.scr Process not Found File created C:\Windows\SysWOW64\PurpleMood.scr PurpleMood.scr File created C:\Windows\SysWOW64\PurpleMood.scr PurpleMood.scr File created C:\Windows\SysWOW64\PurpleMood.scr Process not Found File created C:\Windows\SysWOW64\PurpleMood.scr PurpleMood.scr File created C:\Windows\SysWOW64\PurpleMood.scr Process not Found File created C:\Windows\SysWOW64\PurpleMood.scr PurpleMood.scr File created C:\Windows\SysWOW64\PurpleMood.scr Process not Found File created C:\Windows\SysWOW64\PurpleMood.scr Process not Found File created C:\Windows\SysWOW64\PurpleMood.scr PurpleMood.scr File created C:\Windows\SysWOW64\PurpleMood.scr PurpleMood.scr File created C:\Windows\SysWOW64\PurpleMood.scr PurpleMood.scr File created C:\Windows\SysWOW64\PurpleMood.scr Process not Found File created C:\Windows\SysWOW64\PurpleMood.scr PurpleMood.scr File created C:\Windows\SysWOW64\PurpleMood.scr PurpleMood.scr File created C:\Windows\SysWOW64\PurpleMood.scr PurpleMood.scr File created C:\Windows\SysWOW64\PurpleMood.scr PurpleMood.scr File created C:\Windows\SysWOW64\PurpleMood.scr PurpleMood.scr File created C:\Windows\SysWOW64\PurpleMood.scr Process not Found File created C:\Windows\SysWOW64\PurpleMood.scr Process not Found File created C:\Windows\SysWOW64\PurpleMood.scr PurpleMood.scr File created C:\Windows\SysWOW64\PurpleMood.scr PurpleMood.scr File created C:\Windows\SysWOW64\PurpleMood.scr PurpleMood.scr File created C:\Windows\SysWOW64\PurpleMood.scr PurpleMood.scr File created C:\Windows\SysWOW64\PurpleMood.scr PurpleMood.scr File created C:\Windows\SysWOW64\PurpleMood.scr PurpleMood.scr -
Program crash 64 IoCs
pid pid_target Process procid_target 16564 2224 Process not Found 28 16556 2412 Process not Found 27 16584 2004 Process not Found 29 16600 16576 Process not Found 1901 16608 2612 Process not Found 30 16616 2632 Process not Found 31 16624 2708 Process not Found 32 16640 2892 Process not Found 33 16632 2636 Process not Found 34 16648 2760 Process not Found 35 16656 2728 Process not Found 36 16672 2616 Process not Found 38 16684 2752 Process not Found 37 16736 2516 Process not Found 39 16744 2968 Process not Found 40 16756 1640 Process not Found 41 16780 2604 Process not Found 42 16860 2848 Process not Found 44 16800 2800 Process not Found 43 16884 300 Process not Found 45 16892 1932 Process not Found 46 16940 2904 Process not Found 57 16932 2056 Process not Found 53 16924 1604 Process not Found 51 16916 2060 Process not Found 55 16908 1992 Process not Found 49 16900 1528 Process not Found 47 16948 1696 Process not Found 48 16980 856 Process not Found 69 17012 2108 Process not Found 75 17028 2888 Process not Found 81 17036 1368 Process not Found 79 17020 1936 Process not Found 85 17140 820 Process not Found 56 17156 2484 Process not Found 58 17108 1660 Process not Found 50 17100 832 Process not Found 70 17084 2868 Process not Found 97 17160 2276 Process not Found 105 17068 1052 Process not Found 95 17076 604 Process not Found 91 17148 2884 Process not Found 107 17116 2796 Process not Found 101 17092 1584 Process not Found 99 17060 1644 Process not Found 93 17052 2280 Process not Found 89 17316 756 Process not Found 88 17044 2312 Process not Found 87 17324 984 Process not Found 62 17236 2040 Process not Found 74 17308 2148 Process not Found 84 17244 2448 Process not Found 71 17300 1488 Process not Found 90 17268 1484 Process not Found 64 17212 1832 Process not Found 72 17188 1072 Process not Found 68 17204 956 Process not Found 78 17172 2064 Process not Found 54 17180 2972 Process not Found 66 17196 2648 Process not Found 103 17260 752 Process not Found 83 17128 668 Process not Found 60 17228 1536 Process not Found 77 17220 2764 Process not Found 109 -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 2412 wrote to memory of 2224 2412 ab5ed94116402d2f52c7bc8cf089eb329ace87f180d5e2adcd617f2c183c0cf1_NeikiAnalytics.exe 28 PID 2412 wrote to memory of 2224 2412 ab5ed94116402d2f52c7bc8cf089eb329ace87f180d5e2adcd617f2c183c0cf1_NeikiAnalytics.exe 28 PID 2412 wrote to memory of 2224 2412 ab5ed94116402d2f52c7bc8cf089eb329ace87f180d5e2adcd617f2c183c0cf1_NeikiAnalytics.exe 28 PID 2412 wrote to memory of 2224 2412 ab5ed94116402d2f52c7bc8cf089eb329ace87f180d5e2adcd617f2c183c0cf1_NeikiAnalytics.exe 28 PID 2224 wrote to memory of 2004 2224 PurpleMood.scr 29 PID 2224 wrote to memory of 2004 2224 PurpleMood.scr 29 PID 2224 wrote to memory of 2004 2224 PurpleMood.scr 29 PID 2224 wrote to memory of 2004 2224 PurpleMood.scr 29 PID 2004 wrote to memory of 2612 2004 PurpleMood.scr 30 PID 2004 wrote to memory of 2612 2004 PurpleMood.scr 30 PID 2004 wrote to memory of 2612 2004 PurpleMood.scr 30 PID 2004 wrote to memory of 2612 2004 PurpleMood.scr 30 PID 2612 wrote to memory of 2632 2612 PurpleMood.scr 31 PID 2612 wrote to memory of 2632 2612 PurpleMood.scr 31 PID 2612 wrote to memory of 2632 2612 PurpleMood.scr 31 PID 2612 wrote to memory of 2632 2612 PurpleMood.scr 31 PID 2632 wrote to memory of 2708 2632 PurpleMood.scr 32 PID 2632 wrote to memory of 2708 2632 PurpleMood.scr 32 PID 2632 wrote to memory of 2708 2632 PurpleMood.scr 32 PID 2632 wrote to memory of 2708 2632 PurpleMood.scr 32 PID 2708 wrote to memory of 2892 2708 PurpleMood.scr 33 PID 2708 wrote to memory of 2892 2708 PurpleMood.scr 33 PID 2708 wrote to memory of 2892 2708 PurpleMood.scr 33 PID 2708 wrote to memory of 2892 2708 PurpleMood.scr 33 PID 2892 wrote to memory of 2636 2892 PurpleMood.scr 34 PID 2892 wrote to memory of 2636 2892 PurpleMood.scr 34 PID 2892 wrote to memory of 2636 2892 PurpleMood.scr 34 PID 2892 wrote to memory of 2636 2892 PurpleMood.scr 34 PID 2636 wrote to memory of 2760 2636 PurpleMood.scr 35 PID 2636 wrote to memory of 2760 2636 PurpleMood.scr 35 PID 2636 wrote to memory of 2760 2636 PurpleMood.scr 35 PID 2636 wrote to memory of 2760 2636 PurpleMood.scr 35 PID 2760 wrote to memory of 2728 2760 PurpleMood.scr 36 PID 2760 wrote to memory of 2728 2760 PurpleMood.scr 36 PID 2760 wrote to memory of 2728 2760 PurpleMood.scr 36 PID 2760 wrote to memory of 2728 2760 PurpleMood.scr 36 PID 2728 wrote to memory of 2752 2728 PurpleMood.scr 37 PID 2728 wrote to memory of 2752 2728 PurpleMood.scr 37 PID 2728 wrote to memory of 2752 2728 PurpleMood.scr 37 PID 2728 wrote to memory of 2752 2728 PurpleMood.scr 37 PID 2752 wrote to memory of 2616 2752 PurpleMood.scr 38 PID 2752 wrote to memory of 2616 2752 PurpleMood.scr 38 PID 2752 wrote to memory of 2616 2752 PurpleMood.scr 38 PID 2752 wrote to memory of 2616 2752 PurpleMood.scr 38 PID 2616 wrote to memory of 2516 2616 PurpleMood.scr 39 PID 2616 wrote to memory of 2516 2616 PurpleMood.scr 39 PID 2616 wrote to memory of 2516 2616 PurpleMood.scr 39 PID 2616 wrote to memory of 2516 2616 PurpleMood.scr 39 PID 2516 wrote to memory of 2968 2516 PurpleMood.scr 40 PID 2516 wrote to memory of 2968 2516 PurpleMood.scr 40 PID 2516 wrote to memory of 2968 2516 PurpleMood.scr 40 PID 2516 wrote to memory of 2968 2516 PurpleMood.scr 40 PID 2968 wrote to memory of 1640 2968 PurpleMood.scr 41 PID 2968 wrote to memory of 1640 2968 PurpleMood.scr 41 PID 2968 wrote to memory of 1640 2968 PurpleMood.scr 41 PID 2968 wrote to memory of 1640 2968 PurpleMood.scr 41 PID 1640 wrote to memory of 2604 1640 PurpleMood.scr 42 PID 1640 wrote to memory of 2604 1640 PurpleMood.scr 42 PID 1640 wrote to memory of 2604 1640 PurpleMood.scr 42 PID 1640 wrote to memory of 2604 1640 PurpleMood.scr 42 PID 2604 wrote to memory of 2800 2604 PurpleMood.scr 43 PID 2604 wrote to memory of 2800 2604 PurpleMood.scr 43 PID 2604 wrote to memory of 2800 2604 PurpleMood.scr 43 PID 2604 wrote to memory of 2800 2604 PurpleMood.scr 43
Processes
-
C:\Users\Admin\AppData\Local\Temp\ab5ed94116402d2f52c7bc8cf089eb329ace87f180d5e2adcd617f2c183c0cf1_NeikiAnalytics.exe"C:\Users\Admin\AppData\Local\Temp\ab5ed94116402d2f52c7bc8cf089eb329ace87f180d5e2adcd617f2c183c0cf1_NeikiAnalytics.exe"1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2412 -
C:\Windows\SysWOW64\PurpleMood.scrC:\Windows\system32\PurpleMood.scr2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2224 -
C:\Windows\SysWOW64\PurpleMood.scrC:\Windows\system32\PurpleMood.scr3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2004 -
C:\Windows\SysWOW64\PurpleMood.scrC:\Windows\system32\PurpleMood.scr4⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2612 -
C:\Windows\SysWOW64\PurpleMood.scrC:\Windows\system32\PurpleMood.scr5⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2632 -
C:\Windows\SysWOW64\PurpleMood.scrC:\Windows\system32\PurpleMood.scr6⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2708 -
C:\Windows\SysWOW64\PurpleMood.scrC:\Windows\system32\PurpleMood.scr7⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2892 -
C:\Windows\SysWOW64\PurpleMood.scrC:\Windows\system32\PurpleMood.scr8⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2636 -
C:\Windows\SysWOW64\PurpleMood.scrC:\Windows\system32\PurpleMood.scr9⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2760 -
C:\Windows\SysWOW64\PurpleMood.scrC:\Windows\system32\PurpleMood.scr10⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2728 -
C:\Windows\SysWOW64\PurpleMood.scrC:\Windows\system32\PurpleMood.scr11⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2752 -
C:\Windows\SysWOW64\PurpleMood.scrC:\Windows\system32\PurpleMood.scr12⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2616 -
C:\Windows\SysWOW64\PurpleMood.scrC:\Windows\system32\PurpleMood.scr13⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2516 -
C:\Windows\SysWOW64\PurpleMood.scrC:\Windows\system32\PurpleMood.scr14⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2968 -
C:\Windows\SysWOW64\PurpleMood.scrC:\Windows\system32\PurpleMood.scr15⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1640 -
C:\Windows\SysWOW64\PurpleMood.scrC:\Windows\system32\PurpleMood.scr16⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2604 -
C:\Windows\SysWOW64\PurpleMood.scrC:\Windows\system32\PurpleMood.scr17⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2800 -
C:\Windows\SysWOW64\PurpleMood.scrC:\Windows\system32\PurpleMood.scr18⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2848 -
C:\Windows\SysWOW64\PurpleMood.scrC:\Windows\system32\PurpleMood.scr19⤵
- Executes dropped EXE
- Loads dropped DLL
PID:300 -
C:\Windows\SysWOW64\PurpleMood.scrC:\Windows\system32\PurpleMood.scr20⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1932 -
C:\Windows\SysWOW64\PurpleMood.scrC:\Windows\system32\PurpleMood.scr21⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1528 -
C:\Windows\SysWOW64\PurpleMood.scrC:\Windows\system32\PurpleMood.scr22⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1696 -
C:\Windows\SysWOW64\PurpleMood.scrC:\Windows\system32\PurpleMood.scr23⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1992 -
C:\Windows\SysWOW64\PurpleMood.scrC:\Windows\system32\PurpleMood.scr24⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1660 -
C:\Windows\SysWOW64\PurpleMood.scrC:\Windows\system32\PurpleMood.scr25⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1604 -
C:\Windows\SysWOW64\PurpleMood.scrC:\Windows\system32\PurpleMood.scr26⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1560 -
C:\Windows\SysWOW64\PurpleMood.scrC:\Windows\system32\PurpleMood.scr27⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2056 -
C:\Windows\SysWOW64\PurpleMood.scrC:\Windows\system32\PurpleMood.scr28⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2064 -
C:\Windows\SysWOW64\PurpleMood.scrC:\Windows\system32\PurpleMood.scr29⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2060 -
C:\Windows\SysWOW64\PurpleMood.scrC:\Windows\system32\PurpleMood.scr30⤵
- Executes dropped EXE
- Loads dropped DLL
PID:820 -
C:\Windows\SysWOW64\PurpleMood.scrC:\Windows\system32\PurpleMood.scr31⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2904 -
C:\Windows\SysWOW64\PurpleMood.scrC:\Windows\system32\PurpleMood.scr32⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2484 -
C:\Windows\SysWOW64\PurpleMood.scrC:\Windows\system32\PurpleMood.scr33⤵
- Executes dropped EXE
PID:552 -
C:\Windows\SysWOW64\PurpleMood.scrC:\Windows\system32\PurpleMood.scr34⤵
- Executes dropped EXE
PID:668 -
C:\Windows\SysWOW64\PurpleMood.scrC:\Windows\system32\PurpleMood.scr35⤵
- Executes dropped EXE
PID:480 -
C:\Windows\SysWOW64\PurpleMood.scrC:\Windows\system32\PurpleMood.scr36⤵
- Executes dropped EXE
PID:984 -
C:\Windows\SysWOW64\PurpleMood.scrC:\Windows\system32\PurpleMood.scr37⤵
- Executes dropped EXE
PID:2684 -
C:\Windows\SysWOW64\PurpleMood.scrC:\Windows\system32\PurpleMood.scr38⤵
- Executes dropped EXE
PID:1484 -
C:\Windows\SysWOW64\PurpleMood.scrC:\Windows\system32\PurpleMood.scr39⤵
- Executes dropped EXE
PID:1096 -
C:\Windows\SysWOW64\PurpleMood.scrC:\Windows\system32\PurpleMood.scr40⤵
- Executes dropped EXE
PID:2972 -
C:\Windows\SysWOW64\PurpleMood.scrC:\Windows\system32\PurpleMood.scr41⤵
- Executes dropped EXE
PID:1780 -
C:\Windows\SysWOW64\PurpleMood.scrC:\Windows\system32\PurpleMood.scr42⤵
- Executes dropped EXE
PID:1072 -
C:\Windows\SysWOW64\PurpleMood.scrC:\Windows\system32\PurpleMood.scr43⤵
- Executes dropped EXE
PID:856 -
C:\Windows\SysWOW64\PurpleMood.scrC:\Windows\system32\PurpleMood.scr44⤵
- Executes dropped EXE
PID:832 -
C:\Windows\SysWOW64\PurpleMood.scrC:\Windows\system32\PurpleMood.scr45⤵
- Executes dropped EXE
PID:2448 -
C:\Windows\SysWOW64\PurpleMood.scrC:\Windows\system32\PurpleMood.scr46⤵
- Executes dropped EXE
PID:1832 -
C:\Windows\SysWOW64\PurpleMood.scrC:\Windows\system32\PurpleMood.scr47⤵
- Executes dropped EXE
PID:2316 -
C:\Windows\SysWOW64\PurpleMood.scrC:\Windows\system32\PurpleMood.scr48⤵
- Executes dropped EXE
PID:2040 -
C:\Windows\SysWOW64\PurpleMood.scrC:\Windows\system32\PurpleMood.scr49⤵
- Executes dropped EXE
PID:2108 -
C:\Windows\SysWOW64\PurpleMood.scrC:\Windows\system32\PurpleMood.scr50⤵
- Executes dropped EXE
PID:1652 -
C:\Windows\SysWOW64\PurpleMood.scrC:\Windows\system32\PurpleMood.scr51⤵
- Executes dropped EXE
PID:1536 -
C:\Windows\SysWOW64\PurpleMood.scrC:\Windows\system32\PurpleMood.scr52⤵
- Executes dropped EXE
PID:956 -
C:\Windows\SysWOW64\PurpleMood.scrC:\Windows\system32\PurpleMood.scr53⤵
- Executes dropped EXE
PID:1368 -
C:\Windows\SysWOW64\PurpleMood.scrC:\Windows\system32\PurpleMood.scr54⤵
- Executes dropped EXE
- Adds Run key to start application
PID:1040 -
C:\Windows\SysWOW64\PurpleMood.scrC:\Windows\system32\PurpleMood.scr55⤵
- Executes dropped EXE
PID:2888 -
C:\Windows\SysWOW64\PurpleMood.scrC:\Windows\system32\PurpleMood.scr56⤵
- Executes dropped EXE
PID:1768 -
C:\Windows\SysWOW64\PurpleMood.scrC:\Windows\system32\PurpleMood.scr57⤵
- Executes dropped EXE
PID:752 -
C:\Windows\SysWOW64\PurpleMood.scrC:\Windows\system32\PurpleMood.scr58⤵
- Executes dropped EXE
PID:2148 -
C:\Windows\SysWOW64\PurpleMood.scrC:\Windows\system32\PurpleMood.scr59⤵
- Executes dropped EXE
PID:1936 -
C:\Windows\SysWOW64\PurpleMood.scrC:\Windows\system32\PurpleMood.scr60⤵
- Executes dropped EXE
PID:2176 -
C:\Windows\SysWOW64\PurpleMood.scrC:\Windows\system32\PurpleMood.scr61⤵
- Executes dropped EXE
PID:2312 -
C:\Windows\SysWOW64\PurpleMood.scrC:\Windows\system32\PurpleMood.scr62⤵
- Executes dropped EXE
PID:756 -
C:\Windows\SysWOW64\PurpleMood.scrC:\Windows\system32\PurpleMood.scr63⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2280 -
C:\Windows\SysWOW64\PurpleMood.scrC:\Windows\system32\PurpleMood.scr64⤵
- Executes dropped EXE
PID:1488 -
C:\Windows\SysWOW64\PurpleMood.scrC:\Windows\system32\PurpleMood.scr65⤵
- Executes dropped EXE
PID:604 -
C:\Windows\SysWOW64\PurpleMood.scrC:\Windows\system32\PurpleMood.scr66⤵PID:3004
-
C:\Windows\SysWOW64\PurpleMood.scrC:\Windows\system32\PurpleMood.scr67⤵PID:1644
-
C:\Windows\SysWOW64\PurpleMood.scrC:\Windows\system32\PurpleMood.scr68⤵PID:1304
-
C:\Windows\SysWOW64\PurpleMood.scrC:\Windows\system32\PurpleMood.scr69⤵PID:1052
-
C:\Windows\SysWOW64\PurpleMood.scrC:\Windows\system32\PurpleMood.scr70⤵
- Adds Run key to start application
PID:2420 -
C:\Windows\SysWOW64\PurpleMood.scrC:\Windows\system32\PurpleMood.scr71⤵PID:2868
-
C:\Windows\SysWOW64\PurpleMood.scrC:\Windows\system32\PurpleMood.scr72⤵PID:2012
-
C:\Windows\SysWOW64\PurpleMood.scrC:\Windows\system32\PurpleMood.scr73⤵PID:1584
-
C:\Windows\SysWOW64\PurpleMood.scrC:\Windows\system32\PurpleMood.scr74⤵PID:1704
-
C:\Windows\SysWOW64\PurpleMood.scrC:\Windows\system32\PurpleMood.scr75⤵PID:2796
-
C:\Windows\SysWOW64\PurpleMood.scrC:\Windows\system32\PurpleMood.scr76⤵PID:2360
-
C:\Windows\SysWOW64\PurpleMood.scrC:\Windows\system32\PurpleMood.scr77⤵PID:2648
-
C:\Windows\SysWOW64\PurpleMood.scrC:\Windows\system32\PurpleMood.scr78⤵PID:2744
-
C:\Windows\SysWOW64\PurpleMood.scrC:\Windows\system32\PurpleMood.scr79⤵PID:2276
-
C:\Windows\SysWOW64\PurpleMood.scrC:\Windows\system32\PurpleMood.scr80⤵PID:2628
-
C:\Windows\SysWOW64\PurpleMood.scrC:\Windows\system32\PurpleMood.scr81⤵PID:2884
-
C:\Windows\SysWOW64\PurpleMood.scrC:\Windows\system32\PurpleMood.scr82⤵PID:3056
-
C:\Windows\SysWOW64\PurpleMood.scrC:\Windows\system32\PurpleMood.scr83⤵PID:2764
-
C:\Windows\SysWOW64\PurpleMood.scrC:\Windows\system32\PurpleMood.scr84⤵PID:2664
-
C:\Windows\SysWOW64\PurpleMood.scrC:\Windows\system32\PurpleMood.scr85⤵PID:2528
-
C:\Windows\SysWOW64\PurpleMood.scrC:\Windows\system32\PurpleMood.scr86⤵PID:2196
-
C:\Windows\SysWOW64\PurpleMood.scrC:\Windows\system32\PurpleMood.scr87⤵PID:2640
-
C:\Windows\SysWOW64\PurpleMood.scrC:\Windows\system32\PurpleMood.scr88⤵PID:2500
-
C:\Windows\SysWOW64\PurpleMood.scrC:\Windows\system32\PurpleMood.scr89⤵PID:2496
-
C:\Windows\SysWOW64\PurpleMood.scrC:\Windows\system32\PurpleMood.scr90⤵PID:2572
-
C:\Windows\SysWOW64\PurpleMood.scrC:\Windows\system32\PurpleMood.scr91⤵PID:2576
-
C:\Windows\SysWOW64\PurpleMood.scrC:\Windows\system32\PurpleMood.scr92⤵PID:2188
-
C:\Windows\SysWOW64\PurpleMood.scrC:\Windows\system32\PurpleMood.scr93⤵PID:2756
-
C:\Windows\SysWOW64\PurpleMood.scrC:\Windows\system32\PurpleMood.scr94⤵PID:2352
-
C:\Windows\SysWOW64\PurpleMood.scrC:\Windows\system32\PurpleMood.scr95⤵PID:1904
-
C:\Windows\SysWOW64\PurpleMood.scrC:\Windows\system32\PurpleMood.scr96⤵PID:2716
-
C:\Windows\SysWOW64\PurpleMood.scrC:\Windows\system32\PurpleMood.scr97⤵PID:2712
-
C:\Windows\SysWOW64\PurpleMood.scrC:\Windows\system32\PurpleMood.scr98⤵PID:2780
-
C:\Windows\SysWOW64\PurpleMood.scrC:\Windows\system32\PurpleMood.scr99⤵PID:2808
-
C:\Windows\SysWOW64\PurpleMood.scrC:\Windows\system32\PurpleMood.scr100⤵
- Drops file in System32 directory
PID:2952 -
C:\Windows\SysWOW64\PurpleMood.scrC:\Windows\system32\PurpleMood.scr101⤵PID:2956
-
C:\Windows\SysWOW64\PurpleMood.scrC:\Windows\system32\PurpleMood.scr102⤵PID:1944
-
C:\Windows\SysWOW64\PurpleMood.scrC:\Windows\system32\PurpleMood.scr103⤵PID:1968
-
C:\Windows\SysWOW64\PurpleMood.scrC:\Windows\system32\PurpleMood.scr104⤵PID:1948
-
C:\Windows\SysWOW64\PurpleMood.scrC:\Windows\system32\PurpleMood.scr105⤵PID:336
-
C:\Windows\SysWOW64\PurpleMood.scrC:\Windows\system32\PurpleMood.scr106⤵PID:1648
-
C:\Windows\SysWOW64\PurpleMood.scrC:\Windows\system32\PurpleMood.scr107⤵PID:2460
-
C:\Windows\SysWOW64\PurpleMood.scrC:\Windows\system32\PurpleMood.scr108⤵PID:2568
-
C:\Windows\SysWOW64\PurpleMood.scrC:\Windows\system32\PurpleMood.scr109⤵PID:2308
-
C:\Windows\SysWOW64\PurpleMood.scrC:\Windows\system32\PurpleMood.scr110⤵PID:1272
-
C:\Windows\SysWOW64\PurpleMood.scrC:\Windows\system32\PurpleMood.scr111⤵PID:2076
-
C:\Windows\SysWOW64\PurpleMood.scrC:\Windows\system32\PurpleMood.scr112⤵PID:2120
-
C:\Windows\SysWOW64\PurpleMood.scrC:\Windows\system32\PurpleMood.scr113⤵PID:2908
-
C:\Windows\SysWOW64\PurpleMood.scrC:\Windows\system32\PurpleMood.scr114⤵PID:2052
-
C:\Windows\SysWOW64\PurpleMood.scrC:\Windows\system32\PurpleMood.scr115⤵PID:2296
-
C:\Windows\SysWOW64\PurpleMood.scrC:\Windows\system32\PurpleMood.scr116⤵PID:784
-
C:\Windows\SysWOW64\PurpleMood.scrC:\Windows\system32\PurpleMood.scr117⤵PID:1144
-
C:\Windows\SysWOW64\PurpleMood.scrC:\Windows\system32\PurpleMood.scr118⤵PID:836
-
C:\Windows\SysWOW64\PurpleMood.scrC:\Windows\system32\PurpleMood.scr119⤵PID:568
-
C:\Windows\SysWOW64\PurpleMood.scrC:\Windows\system32\PurpleMood.scr120⤵PID:1464
-
C:\Windows\SysWOW64\PurpleMood.scrC:\Windows\system32\PurpleMood.scr121⤵PID:1844
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-