Analysis
-
max time kernel
147s -
max time network
124s -
platform
windows7_x64 -
resource
win7-20240704-en -
resource tags
arch:x64arch:x86image:win7-20240704-enlocale:en-usos:windows7-x64system -
submitted
29/08/2024, 04:19
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
e4614e9e9ef94bfd5c2612fbb22ec04ff39265f28746fe173eb3621de6e01251.exe
Resource
win7-20240704-en
windows7-x64
6 signatures
150 seconds
Behavioral task
behavioral2
Sample
e4614e9e9ef94bfd5c2612fbb22ec04ff39265f28746fe173eb3621de6e01251.exe
Resource
win10v2004-20240802-en
windows10-2004-x64
5 signatures
150 seconds
General
-
Target
e4614e9e9ef94bfd5c2612fbb22ec04ff39265f28746fe173eb3621de6e01251.exe
-
Size
7KB
-
MD5
a8bd8dfde3efe6d57c15560b62e939ae
-
SHA1
88e90237d11c74f36b87fd4dcd04d3fb7b0d7497
-
SHA256
e4614e9e9ef94bfd5c2612fbb22ec04ff39265f28746fe173eb3621de6e01251
-
SHA512
cbc0913ff0461f1890374be6aaadf63563d3e175316b626d7edae9a64860fa5358a11aa287bd6b700eaf6620655ac55b788ea78895137307c614e0409dcb61dc
-
SSDEEP
96:wr5N2tdaQIBrKcIWwH1coKdxz8baaQiQC1+a9c5gF:wodnereWwV3KItQiQkXXF
Score
7/10
Malware Config
Signatures
-
Executes dropped EXE 64 IoCs
pid Process 2520 PurpleMood.scr 1652 PurpleMood.scr 400 PurpleMood.scr 2888 PurpleMood.scr 2988 PurpleMood.scr 3048 PurpleMood.scr 1588 PurpleMood.scr 3036 PurpleMood.scr 3024 PurpleMood.scr 2568 PurpleMood.scr 2732 PurpleMood.scr 2588 PurpleMood.scr 2712 PurpleMood.scr 2632 PurpleMood.scr 2464 PurpleMood.scr 2636 PurpleMood.scr 2436 PurpleMood.scr 2704 PurpleMood.scr 596 PurpleMood.scr 1736 PurpleMood.scr 108 PurpleMood.scr 748 PurpleMood.scr 1624 PurpleMood.scr 1740 PurpleMood.scr 1784 PurpleMood.scr 1644 PurpleMood.scr 2508 PurpleMood.scr 2428 PurpleMood.scr 1004 PurpleMood.scr 1668 PurpleMood.scr 1684 PurpleMood.scr 2824 PurpleMood.scr 2700 PurpleMood.scr 2696 PurpleMood.scr 2780 PurpleMood.scr 2944 PurpleMood.scr 2916 PurpleMood.scr 2812 PurpleMood.scr 2480 PurpleMood.scr 2960 PurpleMood.scr 2672 PurpleMood.scr 2792 PurpleMood.scr 2332 PurpleMood.scr 2540 PurpleMood.scr 2064 PurpleMood.scr 1924 PurpleMood.scr 636 PurpleMood.scr 572 PurpleMood.scr 1100 PurpleMood.scr 352 PurpleMood.scr 2104 PurpleMood.scr 1596 PurpleMood.scr 948 PurpleMood.scr 1520 PurpleMood.scr 1136 PurpleMood.scr 2340 PurpleMood.scr 1680 PurpleMood.scr 784 PurpleMood.scr 2816 PurpleMood.scr 2272 PurpleMood.scr 1976 PurpleMood.scr 1204 PurpleMood.scr 1968 PurpleMood.scr 900 PurpleMood.scr -
Loads dropped DLL 64 IoCs
pid Process 2240 e4614e9e9ef94bfd5c2612fbb22ec04ff39265f28746fe173eb3621de6e01251.exe 2240 e4614e9e9ef94bfd5c2612fbb22ec04ff39265f28746fe173eb3621de6e01251.exe 2520 PurpleMood.scr 2520 PurpleMood.scr 1652 PurpleMood.scr 1652 PurpleMood.scr 400 PurpleMood.scr 400 PurpleMood.scr 2888 PurpleMood.scr 2888 PurpleMood.scr 2988 PurpleMood.scr 2988 PurpleMood.scr 3048 PurpleMood.scr 3048 PurpleMood.scr 1588 PurpleMood.scr 1588 PurpleMood.scr 3036 PurpleMood.scr 3036 PurpleMood.scr 3024 PurpleMood.scr 3024 PurpleMood.scr 2568 PurpleMood.scr 2568 PurpleMood.scr 2732 PurpleMood.scr 2732 PurpleMood.scr 2588 PurpleMood.scr 2588 PurpleMood.scr 2712 PurpleMood.scr 2712 PurpleMood.scr 2632 PurpleMood.scr 2632 PurpleMood.scr 2464 PurpleMood.scr 2464 PurpleMood.scr 2636 PurpleMood.scr 2636 PurpleMood.scr 2436 PurpleMood.scr 2436 PurpleMood.scr 2704 PurpleMood.scr 2704 PurpleMood.scr 596 PurpleMood.scr 596 PurpleMood.scr 1736 PurpleMood.scr 1736 PurpleMood.scr 108 PurpleMood.scr 108 PurpleMood.scr 748 PurpleMood.scr 748 PurpleMood.scr 1624 PurpleMood.scr 1624 PurpleMood.scr 1740 PurpleMood.scr 1740 PurpleMood.scr 1784 PurpleMood.scr 1784 PurpleMood.scr 1644 PurpleMood.scr 1644 PurpleMood.scr 2508 PurpleMood.scr 2508 PurpleMood.scr 2428 PurpleMood.scr 2428 PurpleMood.scr 1004 PurpleMood.scr 1004 PurpleMood.scr 1668 PurpleMood.scr 1668 PurpleMood.scr 1684 PurpleMood.scr 1684 PurpleMood.scr -
Drops file in System32 directory 64 IoCs
description ioc Process File created C:\Windows\SysWOW64\PurpleMood.scr PurpleMood.scr File created C:\Windows\SysWOW64\PurpleMood.scr PurpleMood.scr File created C:\Windows\SysWOW64\PurpleMood.scr PurpleMood.scr File created C:\Windows\SysWOW64\PurpleMood.scr PurpleMood.scr File created C:\Windows\SysWOW64\PurpleMood.scr PurpleMood.scr File created C:\Windows\SysWOW64\PurpleMood.scr PurpleMood.scr File created C:\Windows\SysWOW64\PurpleMood.scr PurpleMood.scr File created C:\Windows\SysWOW64\PurpleMood.scr Process not Found File created C:\Windows\SysWOW64\PurpleMood.scr PurpleMood.scr File created C:\Windows\SysWOW64\PurpleMood.scr Process not Found File created C:\Windows\SysWOW64\PurpleMood.scr Process not Found File created C:\Windows\SysWOW64\PurpleMood.scr PurpleMood.scr File created C:\Windows\SysWOW64\PurpleMood.scr PurpleMood.scr File created C:\Windows\SysWOW64\PurpleMood.scr PurpleMood.scr File created C:\Windows\SysWOW64\PurpleMood.scr PurpleMood.scr File created C:\Windows\SysWOW64\PurpleMood.scr PurpleMood.scr File created C:\Windows\SysWOW64\PurpleMood.scr PurpleMood.scr File created C:\Windows\SysWOW64\PurpleMood.scr PurpleMood.scr File created C:\Windows\SysWOW64\PurpleMood.scr Process not Found File created C:\Windows\SysWOW64\PurpleMood.scr Process not Found File created C:\Windows\SysWOW64\PurpleMood.scr Process not Found File created C:\Windows\SysWOW64\PurpleMood.scr Process not Found File created C:\Windows\SysWOW64\PurpleMood.scr Process not Found File created C:\Windows\SysWOW64\PurpleMood.scr PurpleMood.scr File created C:\Windows\SysWOW64\PurpleMood.scr PurpleMood.scr File created C:\Windows\SysWOW64\PurpleMood.scr PurpleMood.scr File created C:\Windows\SysWOW64\PurpleMood.scr PurpleMood.scr File created C:\Windows\SysWOW64\PurpleMood.scr PurpleMood.scr File created C:\Windows\SysWOW64\PurpleMood.scr PurpleMood.scr File created C:\Windows\SysWOW64\PurpleMood.scr PurpleMood.scr File created C:\Windows\SysWOW64\PurpleMood.scr Process not Found File created C:\Windows\SysWOW64\PurpleMood.scr PurpleMood.scr File created C:\Windows\SysWOW64\PurpleMood.scr PurpleMood.scr File created C:\Windows\SysWOW64\PurpleMood.scr PurpleMood.scr File created C:\Windows\SysWOW64\PurpleMood.scr PurpleMood.scr File created C:\Windows\SysWOW64\PurpleMood.scr PurpleMood.scr File created C:\Windows\SysWOW64\PurpleMood.scr Process not Found File created C:\Windows\SysWOW64\PurpleMood.scr Process not Found File created C:\Windows\SysWOW64\PurpleMood.scr Process not Found File created C:\Windows\SysWOW64\PurpleMood.scr Process not Found File created C:\Windows\SysWOW64\PurpleMood.scr PurpleMood.scr File created C:\Windows\SysWOW64\PurpleMood.scr PurpleMood.scr File created C:\Windows\SysWOW64\PurpleMood.scr PurpleMood.scr File created C:\Windows\SysWOW64\PurpleMood.scr Process not Found File created C:\Windows\SysWOW64\PurpleMood.scr PurpleMood.scr File created C:\Windows\SysWOW64\PurpleMood.scr PurpleMood.scr File created C:\Windows\SysWOW64\PurpleMood.scr PurpleMood.scr File created C:\Windows\SysWOW64\PurpleMood.scr PurpleMood.scr File created C:\Windows\SysWOW64\PurpleMood.scr PurpleMood.scr File created C:\Windows\SysWOW64\PurpleMood.scr PurpleMood.scr File created C:\Windows\SysWOW64\PurpleMood.scr Process not Found File created C:\Windows\SysWOW64\PurpleMood.scr Process not Found File created C:\Windows\SysWOW64\PurpleMood.scr Process not Found File created C:\Windows\SysWOW64\PurpleMood.scr Process not Found File created C:\Windows\SysWOW64\PurpleMood.scr Process not Found File created C:\Windows\SysWOW64\PurpleMood.scr PurpleMood.scr File created C:\Windows\SysWOW64\PurpleMood.scr PurpleMood.scr File created C:\Windows\SysWOW64\PurpleMood.scr PurpleMood.scr File created C:\Windows\SysWOW64\PurpleMood.scr Process not Found File created C:\Windows\SysWOW64\PurpleMood.scr Process not Found File created C:\Windows\SysWOW64\PurpleMood.scr Process not Found File created C:\Windows\SysWOW64\PurpleMood.scr PurpleMood.scr File created C:\Windows\SysWOW64\PurpleMood.scr PurpleMood.scr File created C:\Windows\SysWOW64\PurpleMood.scr PurpleMood.scr -
Program crash 64 IoCs
pid pid_target Process procid_target 13392 2240 Process not Found 27 13416 2520 Process not Found 28 13440 1652 Process not Found 29 13448 400 Process not Found 30 13512 2888 Process not Found 31 13548 1588 Process not Found 34 13540 2988 Process not Found 32 13528 3048 Process not Found 33 13584 3036 Process not Found 35 13592 3024 Process not Found 36 13696 2588 Process not Found 39 13736 2732 Process not Found 38 13728 2712 Process not Found 40 13756 2464 Process not Found 42 13688 2568 Process not Found 37 13784 2632 Process not Found 41 13824 2636 Process not Found 43 13832 2704 Process not Found 45 13880 2436 Process not Found 44 13928 1736 Process not Found 47 13920 748 Process not Found 49 13896 596 Process not Found 46 13888 108 Process not Found 48 13976 1784 Process not Found 52 13968 1624 Process not Found 50 13936 1740 Process not Found 51 14036 1668 Process not Found 57 14020 2508 Process not Found 54 14068 2428 Process not Found 55 14060 1644 Process not Found 53 14052 2824 Process not Found 59 14044 1004 Process not Found 56 14120 2696 Process not Found 61 14128 2700 Process not Found 60 14136 1684 Process not Found 58 14144 2780 Process not Found 62 14152 2944 Process not Found 63 14216 2672 Process not Found 68 14208 2480 Process not Found 66 14200 2916 Process not Found 64 14232 2332 Process not Found 70 14268 2960 Process not Found 67 14260 2812 Process not Found 65 14304 636 Process not Found 74 14296 2064 Process not Found 72 14320 2540 Process not Found 71 14312 2792 Process not Found 69 13024 572 Process not Found 75 13476 1924 Process not Found 73 13580 1100 Process not Found 76 13568 352 Process not Found 77 13480 2104 Process not Found 78 14348 948 Process not Found 80 14400 1680 Process not Found 84 14432 1968 Process not Found 90 14424 1136 Process not Found 82 14416 1976 Process not Found 88 14408 2816 Process not Found 86 14444 1596 Process not Found 79 14492 1204 Process not Found 89 14480 2272 Process not Found 87 14468 1520 Process not Found 81 14460 784 Process not Found 85 14452 2340 Process not Found 83 -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language PurpleMood.scr Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language PurpleMood.scr Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language PurpleMood.scr Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language PurpleMood.scr Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language PurpleMood.scr Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language PurpleMood.scr Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language PurpleMood.scr Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language PurpleMood.scr Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language PurpleMood.scr Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language PurpleMood.scr Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language PurpleMood.scr Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language PurpleMood.scr Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language PurpleMood.scr Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language PurpleMood.scr Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language PurpleMood.scr Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language PurpleMood.scr Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language PurpleMood.scr Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language PurpleMood.scr Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language PurpleMood.scr Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language PurpleMood.scr Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language PurpleMood.scr Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language PurpleMood.scr Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language PurpleMood.scr Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language PurpleMood.scr Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language PurpleMood.scr Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language PurpleMood.scr Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language PurpleMood.scr Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language PurpleMood.scr Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language PurpleMood.scr Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language PurpleMood.scr Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language PurpleMood.scr Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language PurpleMood.scr Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language PurpleMood.scr Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language PurpleMood.scr Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language PurpleMood.scr Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language PurpleMood.scr Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language PurpleMood.scr Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language PurpleMood.scr Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language PurpleMood.scr Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language PurpleMood.scr Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language PurpleMood.scr Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 2240 wrote to memory of 2520 2240 e4614e9e9ef94bfd5c2612fbb22ec04ff39265f28746fe173eb3621de6e01251.exe 28 PID 2240 wrote to memory of 2520 2240 e4614e9e9ef94bfd5c2612fbb22ec04ff39265f28746fe173eb3621de6e01251.exe 28 PID 2240 wrote to memory of 2520 2240 e4614e9e9ef94bfd5c2612fbb22ec04ff39265f28746fe173eb3621de6e01251.exe 28 PID 2240 wrote to memory of 2520 2240 e4614e9e9ef94bfd5c2612fbb22ec04ff39265f28746fe173eb3621de6e01251.exe 28 PID 2520 wrote to memory of 1652 2520 PurpleMood.scr 29 PID 2520 wrote to memory of 1652 2520 PurpleMood.scr 29 PID 2520 wrote to memory of 1652 2520 PurpleMood.scr 29 PID 2520 wrote to memory of 1652 2520 PurpleMood.scr 29 PID 1652 wrote to memory of 400 1652 PurpleMood.scr 30 PID 1652 wrote to memory of 400 1652 PurpleMood.scr 30 PID 1652 wrote to memory of 400 1652 PurpleMood.scr 30 PID 1652 wrote to memory of 400 1652 PurpleMood.scr 30 PID 400 wrote to memory of 2888 400 PurpleMood.scr 31 PID 400 wrote to memory of 2888 400 PurpleMood.scr 31 PID 400 wrote to memory of 2888 400 PurpleMood.scr 31 PID 400 wrote to memory of 2888 400 PurpleMood.scr 31 PID 2888 wrote to memory of 2988 2888 PurpleMood.scr 32 PID 2888 wrote to memory of 2988 2888 PurpleMood.scr 32 PID 2888 wrote to memory of 2988 2888 PurpleMood.scr 32 PID 2888 wrote to memory of 2988 2888 PurpleMood.scr 32 PID 2988 wrote to memory of 3048 2988 PurpleMood.scr 33 PID 2988 wrote to memory of 3048 2988 PurpleMood.scr 33 PID 2988 wrote to memory of 3048 2988 PurpleMood.scr 33 PID 2988 wrote to memory of 3048 2988 PurpleMood.scr 33 PID 3048 wrote to memory of 1588 3048 PurpleMood.scr 34 PID 3048 wrote to memory of 1588 3048 PurpleMood.scr 34 PID 3048 wrote to memory of 1588 3048 PurpleMood.scr 34 PID 3048 wrote to memory of 1588 3048 PurpleMood.scr 34 PID 1588 wrote to memory of 3036 1588 PurpleMood.scr 35 PID 1588 wrote to memory of 3036 1588 PurpleMood.scr 35 PID 1588 wrote to memory of 3036 1588 PurpleMood.scr 35 PID 1588 wrote to memory of 3036 1588 PurpleMood.scr 35 PID 3036 wrote to memory of 3024 3036 PurpleMood.scr 36 PID 3036 wrote to memory of 3024 3036 PurpleMood.scr 36 PID 3036 wrote to memory of 3024 3036 PurpleMood.scr 36 PID 3036 wrote to memory of 3024 3036 PurpleMood.scr 36 PID 3024 wrote to memory of 2568 3024 PurpleMood.scr 37 PID 3024 wrote to memory of 2568 3024 PurpleMood.scr 37 PID 3024 wrote to memory of 2568 3024 PurpleMood.scr 37 PID 3024 wrote to memory of 2568 3024 PurpleMood.scr 37 PID 2568 wrote to memory of 2732 2568 PurpleMood.scr 38 PID 2568 wrote to memory of 2732 2568 PurpleMood.scr 38 PID 2568 wrote to memory of 2732 2568 PurpleMood.scr 38 PID 2568 wrote to memory of 2732 2568 PurpleMood.scr 38 PID 2732 wrote to memory of 2588 2732 PurpleMood.scr 39 PID 2732 wrote to memory of 2588 2732 PurpleMood.scr 39 PID 2732 wrote to memory of 2588 2732 PurpleMood.scr 39 PID 2732 wrote to memory of 2588 2732 PurpleMood.scr 39 PID 2588 wrote to memory of 2712 2588 PurpleMood.scr 40 PID 2588 wrote to memory of 2712 2588 PurpleMood.scr 40 PID 2588 wrote to memory of 2712 2588 PurpleMood.scr 40 PID 2588 wrote to memory of 2712 2588 PurpleMood.scr 40 PID 2712 wrote to memory of 2632 2712 PurpleMood.scr 41 PID 2712 wrote to memory of 2632 2712 PurpleMood.scr 41 PID 2712 wrote to memory of 2632 2712 PurpleMood.scr 41 PID 2712 wrote to memory of 2632 2712 PurpleMood.scr 41 PID 2632 wrote to memory of 2464 2632 PurpleMood.scr 42 PID 2632 wrote to memory of 2464 2632 PurpleMood.scr 42 PID 2632 wrote to memory of 2464 2632 PurpleMood.scr 42 PID 2632 wrote to memory of 2464 2632 PurpleMood.scr 42 PID 2464 wrote to memory of 2636 2464 PurpleMood.scr 43 PID 2464 wrote to memory of 2636 2464 PurpleMood.scr 43 PID 2464 wrote to memory of 2636 2464 PurpleMood.scr 43 PID 2464 wrote to memory of 2636 2464 PurpleMood.scr 43
Processes
-
C:\Users\Admin\AppData\Local\Temp\e4614e9e9ef94bfd5c2612fbb22ec04ff39265f28746fe173eb3621de6e01251.exe"C:\Users\Admin\AppData\Local\Temp\e4614e9e9ef94bfd5c2612fbb22ec04ff39265f28746fe173eb3621de6e01251.exe"1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2240 -
C:\Windows\SysWOW64\PurpleMood.scrC:\Windows\system32\PurpleMood.scr2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2520 -
C:\Windows\SysWOW64\PurpleMood.scrC:\Windows\system32\PurpleMood.scr3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1652 -
C:\Windows\SysWOW64\PurpleMood.scrC:\Windows\system32\PurpleMood.scr4⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:400 -
C:\Windows\SysWOW64\PurpleMood.scrC:\Windows\system32\PurpleMood.scr5⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2888 -
C:\Windows\SysWOW64\PurpleMood.scrC:\Windows\system32\PurpleMood.scr6⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2988 -
C:\Windows\SysWOW64\PurpleMood.scrC:\Windows\system32\PurpleMood.scr7⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:3048 -
C:\Windows\SysWOW64\PurpleMood.scrC:\Windows\system32\PurpleMood.scr8⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1588 -
C:\Windows\SysWOW64\PurpleMood.scrC:\Windows\system32\PurpleMood.scr9⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:3036 -
C:\Windows\SysWOW64\PurpleMood.scrC:\Windows\system32\PurpleMood.scr10⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:3024 -
C:\Windows\SysWOW64\PurpleMood.scrC:\Windows\system32\PurpleMood.scr11⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2568 -
C:\Windows\SysWOW64\PurpleMood.scrC:\Windows\system32\PurpleMood.scr12⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2732 -
C:\Windows\SysWOW64\PurpleMood.scrC:\Windows\system32\PurpleMood.scr13⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2588 -
C:\Windows\SysWOW64\PurpleMood.scrC:\Windows\system32\PurpleMood.scr14⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2712 -
C:\Windows\SysWOW64\PurpleMood.scrC:\Windows\system32\PurpleMood.scr15⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2632 -
C:\Windows\SysWOW64\PurpleMood.scrC:\Windows\system32\PurpleMood.scr16⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2464 -
C:\Windows\SysWOW64\PurpleMood.scrC:\Windows\system32\PurpleMood.scr17⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2636 -
C:\Windows\SysWOW64\PurpleMood.scrC:\Windows\system32\PurpleMood.scr18⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2436 -
C:\Windows\SysWOW64\PurpleMood.scrC:\Windows\system32\PurpleMood.scr19⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2704 -
C:\Windows\SysWOW64\PurpleMood.scrC:\Windows\system32\PurpleMood.scr20⤵
- Executes dropped EXE
- Loads dropped DLL
PID:596 -
C:\Windows\SysWOW64\PurpleMood.scrC:\Windows\system32\PurpleMood.scr21⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1736 -
C:\Windows\SysWOW64\PurpleMood.scrC:\Windows\system32\PurpleMood.scr22⤵
- Executes dropped EXE
- Loads dropped DLL
PID:108 -
C:\Windows\SysWOW64\PurpleMood.scrC:\Windows\system32\PurpleMood.scr23⤵
- Executes dropped EXE
- Loads dropped DLL
PID:748 -
C:\Windows\SysWOW64\PurpleMood.scrC:\Windows\system32\PurpleMood.scr24⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1624 -
C:\Windows\SysWOW64\PurpleMood.scrC:\Windows\system32\PurpleMood.scr25⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1740 -
C:\Windows\SysWOW64\PurpleMood.scrC:\Windows\system32\PurpleMood.scr26⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1784 -
C:\Windows\SysWOW64\PurpleMood.scrC:\Windows\system32\PurpleMood.scr27⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1644 -
C:\Windows\SysWOW64\PurpleMood.scrC:\Windows\system32\PurpleMood.scr28⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2508 -
C:\Windows\SysWOW64\PurpleMood.scrC:\Windows\system32\PurpleMood.scr29⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:2428 -
C:\Windows\SysWOW64\PurpleMood.scrC:\Windows\system32\PurpleMood.scr30⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1004 -
C:\Windows\SysWOW64\PurpleMood.scrC:\Windows\system32\PurpleMood.scr31⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1668 -
C:\Windows\SysWOW64\PurpleMood.scrC:\Windows\system32\PurpleMood.scr32⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1684 -
C:\Windows\SysWOW64\PurpleMood.scrC:\Windows\system32\PurpleMood.scr33⤵
- Executes dropped EXE
PID:2824 -
C:\Windows\SysWOW64\PurpleMood.scrC:\Windows\system32\PurpleMood.scr34⤵
- Executes dropped EXE
PID:2700 -
C:\Windows\SysWOW64\PurpleMood.scrC:\Windows\system32\PurpleMood.scr35⤵
- Executes dropped EXE
PID:2696 -
C:\Windows\SysWOW64\PurpleMood.scrC:\Windows\system32\PurpleMood.scr36⤵
- Executes dropped EXE
PID:2780 -
C:\Windows\SysWOW64\PurpleMood.scrC:\Windows\system32\PurpleMood.scr37⤵
- Executes dropped EXE
PID:2944 -
C:\Windows\SysWOW64\PurpleMood.scrC:\Windows\system32\PurpleMood.scr38⤵
- Executes dropped EXE
PID:2916 -
C:\Windows\SysWOW64\PurpleMood.scrC:\Windows\system32\PurpleMood.scr39⤵
- Executes dropped EXE
PID:2812 -
C:\Windows\SysWOW64\PurpleMood.scrC:\Windows\system32\PurpleMood.scr40⤵
- Executes dropped EXE
PID:2480 -
C:\Windows\SysWOW64\PurpleMood.scrC:\Windows\system32\PurpleMood.scr41⤵
- Executes dropped EXE
PID:2960 -
C:\Windows\SysWOW64\PurpleMood.scrC:\Windows\system32\PurpleMood.scr42⤵
- Executes dropped EXE
PID:2672 -
C:\Windows\SysWOW64\PurpleMood.scrC:\Windows\system32\PurpleMood.scr43⤵
- Executes dropped EXE
PID:2792 -
C:\Windows\SysWOW64\PurpleMood.scrC:\Windows\system32\PurpleMood.scr44⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2332 -
C:\Windows\SysWOW64\PurpleMood.scrC:\Windows\system32\PurpleMood.scr45⤵
- Executes dropped EXE
PID:2540 -
C:\Windows\SysWOW64\PurpleMood.scrC:\Windows\system32\PurpleMood.scr46⤵
- Executes dropped EXE
PID:2064 -
C:\Windows\SysWOW64\PurpleMood.scrC:\Windows\system32\PurpleMood.scr47⤵
- Executes dropped EXE
PID:1924 -
C:\Windows\SysWOW64\PurpleMood.scrC:\Windows\system32\PurpleMood.scr48⤵
- Executes dropped EXE
PID:636 -
C:\Windows\SysWOW64\PurpleMood.scrC:\Windows\system32\PurpleMood.scr49⤵
- Executes dropped EXE
PID:572 -
C:\Windows\SysWOW64\PurpleMood.scrC:\Windows\system32\PurpleMood.scr50⤵
- Executes dropped EXE
PID:1100 -
C:\Windows\SysWOW64\PurpleMood.scrC:\Windows\system32\PurpleMood.scr51⤵
- Executes dropped EXE
PID:352 -
C:\Windows\SysWOW64\PurpleMood.scrC:\Windows\system32\PurpleMood.scr52⤵
- Executes dropped EXE
PID:2104 -
C:\Windows\SysWOW64\PurpleMood.scrC:\Windows\system32\PurpleMood.scr53⤵
- Executes dropped EXE
PID:1596 -
C:\Windows\SysWOW64\PurpleMood.scrC:\Windows\system32\PurpleMood.scr54⤵
- Executes dropped EXE
PID:948 -
C:\Windows\SysWOW64\PurpleMood.scrC:\Windows\system32\PurpleMood.scr55⤵
- Executes dropped EXE
PID:1520 -
C:\Windows\SysWOW64\PurpleMood.scrC:\Windows\system32\PurpleMood.scr56⤵
- Executes dropped EXE
PID:1136 -
C:\Windows\SysWOW64\PurpleMood.scrC:\Windows\system32\PurpleMood.scr57⤵
- Executes dropped EXE
PID:2340 -
C:\Windows\SysWOW64\PurpleMood.scrC:\Windows\system32\PurpleMood.scr58⤵
- Executes dropped EXE
PID:1680 -
C:\Windows\SysWOW64\PurpleMood.scrC:\Windows\system32\PurpleMood.scr59⤵
- Executes dropped EXE
PID:784 -
C:\Windows\SysWOW64\PurpleMood.scrC:\Windows\system32\PurpleMood.scr60⤵
- Executes dropped EXE
PID:2816 -
C:\Windows\SysWOW64\PurpleMood.scrC:\Windows\system32\PurpleMood.scr61⤵
- Executes dropped EXE
PID:2272 -
C:\Windows\SysWOW64\PurpleMood.scrC:\Windows\system32\PurpleMood.scr62⤵
- Executes dropped EXE
PID:1976 -
C:\Windows\SysWOW64\PurpleMood.scrC:\Windows\system32\PurpleMood.scr63⤵
- Executes dropped EXE
PID:1204 -
C:\Windows\SysWOW64\PurpleMood.scrC:\Windows\system32\PurpleMood.scr64⤵
- Executes dropped EXE
PID:1968 -
C:\Windows\SysWOW64\PurpleMood.scrC:\Windows\system32\PurpleMood.scr65⤵
- Executes dropped EXE
PID:900 -
C:\Windows\SysWOW64\PurpleMood.scrC:\Windows\system32\PurpleMood.scr66⤵PID:1268
-
C:\Windows\SysWOW64\PurpleMood.scrC:\Windows\system32\PurpleMood.scr67⤵PID:2304
-
C:\Windows\SysWOW64\PurpleMood.scrC:\Windows\system32\PurpleMood.scr68⤵PID:556
-
C:\Windows\SysWOW64\PurpleMood.scrC:\Windows\system32\PurpleMood.scr69⤵PID:1932
-
C:\Windows\SysWOW64\PurpleMood.scrC:\Windows\system32\PurpleMood.scr70⤵PID:612
-
C:\Windows\SysWOW64\PurpleMood.scrC:\Windows\system32\PurpleMood.scr71⤵PID:2092
-
C:\Windows\SysWOW64\PurpleMood.scrC:\Windows\system32\PurpleMood.scr72⤵PID:2220
-
C:\Windows\SysWOW64\PurpleMood.scrC:\Windows\system32\PurpleMood.scr73⤵PID:2372
-
C:\Windows\SysWOW64\PurpleMood.scrC:\Windows\system32\PurpleMood.scr74⤵PID:2188
-
C:\Windows\SysWOW64\PurpleMood.scrC:\Windows\system32\PurpleMood.scr75⤵PID:1864
-
C:\Windows\SysWOW64\PurpleMood.scrC:\Windows\system32\PurpleMood.scr76⤵PID:2172
-
C:\Windows\SysWOW64\PurpleMood.scrC:\Windows\system32\PurpleMood.scr77⤵
- Drops file in System32 directory
PID:2500 -
C:\Windows\SysWOW64\PurpleMood.scrC:\Windows\system32\PurpleMood.scr78⤵
- System Location Discovery: System Language Discovery
PID:2308 -
C:\Windows\SysWOW64\PurpleMood.scrC:\Windows\system32\PurpleMood.scr79⤵PID:320
-
C:\Windows\SysWOW64\PurpleMood.scrC:\Windows\system32\PurpleMood.scr80⤵PID:1672
-
C:\Windows\SysWOW64\PurpleMood.scrC:\Windows\system32\PurpleMood.scr81⤵PID:2852
-
C:\Windows\SysWOW64\PurpleMood.scrC:\Windows\system32\PurpleMood.scr82⤵PID:756
-
C:\Windows\SysWOW64\PurpleMood.scrC:\Windows\system32\PurpleMood.scr83⤵PID:328
-
C:\Windows\SysWOW64\PurpleMood.scrC:\Windows\system32\PurpleMood.scr84⤵PID:2244
-
C:\Windows\SysWOW64\PurpleMood.scrC:\Windows\system32\PurpleMood.scr85⤵PID:1936
-
C:\Windows\SysWOW64\PurpleMood.scrC:\Windows\system32\PurpleMood.scr86⤵PID:1492
-
C:\Windows\SysWOW64\PurpleMood.scrC:\Windows\system32\PurpleMood.scr87⤵PID:1504
-
C:\Windows\SysWOW64\PurpleMood.scrC:\Windows\system32\PurpleMood.scr88⤵PID:2256
-
C:\Windows\SysWOW64\PurpleMood.scrC:\Windows\system32\PurpleMood.scr89⤵PID:1512
-
C:\Windows\SysWOW64\PurpleMood.scrC:\Windows\system32\PurpleMood.scr90⤵PID:2840
-
C:\Windows\SysWOW64\PurpleMood.scrC:\Windows\system32\PurpleMood.scr91⤵PID:1920
-
C:\Windows\SysWOW64\PurpleMood.scrC:\Windows\system32\PurpleMood.scr92⤵PID:3040
-
C:\Windows\SysWOW64\PurpleMood.scrC:\Windows\system32\PurpleMood.scr93⤵PID:2908
-
C:\Windows\SysWOW64\PurpleMood.scrC:\Windows\system32\PurpleMood.scr94⤵PID:2912
-
C:\Windows\SysWOW64\PurpleMood.scrC:\Windows\system32\PurpleMood.scr95⤵PID:772
-
C:\Windows\SysWOW64\PurpleMood.scrC:\Windows\system32\PurpleMood.scr96⤵PID:2992
-
C:\Windows\SysWOW64\PurpleMood.scrC:\Windows\system32\PurpleMood.scr97⤵PID:3068
-
C:\Windows\SysWOW64\PurpleMood.scrC:\Windows\system32\PurpleMood.scr98⤵PID:1532
-
C:\Windows\SysWOW64\PurpleMood.scrC:\Windows\system32\PurpleMood.scr99⤵PID:2836
-
C:\Windows\SysWOW64\PurpleMood.scrC:\Windows\system32\PurpleMood.scr100⤵PID:2744
-
C:\Windows\SysWOW64\PurpleMood.scrC:\Windows\system32\PurpleMood.scr101⤵PID:2292
-
C:\Windows\SysWOW64\PurpleMood.scrC:\Windows\system32\PurpleMood.scr102⤵PID:2132
-
C:\Windows\SysWOW64\PurpleMood.scrC:\Windows\system32\PurpleMood.scr103⤵
- System Location Discovery: System Language Discovery
PID:2648 -
C:\Windows\SysWOW64\PurpleMood.scrC:\Windows\system32\PurpleMood.scr104⤵
- System Location Discovery: System Language Discovery
PID:2664 -
C:\Windows\SysWOW64\PurpleMood.scrC:\Windows\system32\PurpleMood.scr105⤵PID:2668
-
C:\Windows\SysWOW64\PurpleMood.scrC:\Windows\system32\PurpleMood.scr106⤵PID:2548
-
C:\Windows\SysWOW64\PurpleMood.scrC:\Windows\system32\PurpleMood.scr107⤵PID:2296
-
C:\Windows\SysWOW64\PurpleMood.scrC:\Windows\system32\PurpleMood.scr108⤵PID:2448
-
C:\Windows\SysWOW64\PurpleMood.scrC:\Windows\system32\PurpleMood.scr109⤵PID:2716
-
C:\Windows\SysWOW64\PurpleMood.scrC:\Windows\system32\PurpleMood.scr110⤵PID:2736
-
C:\Windows\SysWOW64\PurpleMood.scrC:\Windows\system32\PurpleMood.scr111⤵
- System Location Discovery: System Language Discovery
PID:2720 -
C:\Windows\SysWOW64\PurpleMood.scrC:\Windows\system32\PurpleMood.scr112⤵PID:2468
-
C:\Windows\SysWOW64\PurpleMood.scrC:\Windows\system32\PurpleMood.scr113⤵PID:2576
-
C:\Windows\SysWOW64\PurpleMood.scrC:\Windows\system32\PurpleMood.scr114⤵PID:2496
-
C:\Windows\SysWOW64\PurpleMood.scrC:\Windows\system32\PurpleMood.scr115⤵PID:2708
-
C:\Windows\SysWOW64\PurpleMood.scrC:\Windows\system32\PurpleMood.scr116⤵PID:2456
-
C:\Windows\SysWOW64\PurpleMood.scrC:\Windows\system32\PurpleMood.scr117⤵PID:2516
-
C:\Windows\SysWOW64\PurpleMood.scrC:\Windows\system32\PurpleMood.scr118⤵PID:2560
-
C:\Windows\SysWOW64\PurpleMood.scrC:\Windows\system32\PurpleMood.scr119⤵PID:860
-
C:\Windows\SysWOW64\PurpleMood.scrC:\Windows\system32\PurpleMood.scr120⤵PID:852
-
C:\Windows\SysWOW64\PurpleMood.scrC:\Windows\system32\PurpleMood.scr121⤵PID:2608
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-