Analysis
- max time kernel: 120s
- max time network: 19s
- platform: windows7_x64
- resource: win7-20240903-en
- resource tags: arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
- submitted: 08-09-2024 16:10
Static task: static1
Behavioral task: behavioral1
- Sample: b745d538cbc341804374d106e581d7a0N.exe
- Resource: win7-20240903-en
Behavioral task: behavioral2
- Sample: b745d538cbc341804374d106e581d7a0N.exe
- Resource: win10v2004-20240802-en
The signatures and process tree below are from the behavioral1 run (win7-20240903-en, the resource named in the Analysis header).
General
- Target: b745d538cbc341804374d106e581d7a0N.exe
- Size: 7KB
- MD5: b745d538cbc341804374d106e581d7a0
- SHA1: 63434b936f437a70444e3f23131a618b9343d5a3
- SHA256: 905d1e0162c2e67cff1b46b72b401575155afbafd96d900ac8fc15c24764d51f
- SHA512: 6d4153cdc3887af588d67ba92b92c9d8e95f933e4b96636f347c3d8042196ad8aa8e2624926337e3f72ebdb0450d3d6eb715057db61a14a878b3612c353c5a06
- SSDEEP: 96:wr5N2tdaQIBUKcIWwH1coKdxz8baaQiQC1+a9c8:wodneUeWwV3KItQiQkXJ
The file name is the sample's MD5 with an "N" suffix, so it carries no information about the original name; the name the sample gives itself on disk is PurpleMood.scr (see the signatures below).
Malware Config
Signatures
Executes dropped EXE (64 IoCs)
pid / Process: every row has Process = PurpleMood.scr; the pids, in the order listed, are
2924, 2276, 2116, 2392, 2280, 2820, 2844, 2736, 2936, 2832,
2112, 2756, 2644, 2600, 2760, 2412, 3028, 1516, 2196, 1352,
2088, 1984, 2528, 3032, 2020, 1172, 2388, 2408, 2096, 1300,
2028, 1764, 2960, 2956, 1640, 2548, 2220, 1012, 2260, 2240,
2272, 1192, 2948, 2104, 968, 1136, 2496, 1448, 2460, 1520,
944, 1696, 2440, 1596, 1976, 1724, 2920, 1536, 584, 2400,
2972, 1008, 1760, 2052
Loads dropped DLL (64 IoCs)
pid / Process: each process is listed twice. First 1088 b745d538cbc341804374d106e581d7a0N.exe, then PurpleMood.scr with pids
2924, 2276, 2116, 2392, 2280, 2820, 2844, 2736, 2936, 2832,
2112, 2756, 2644, 2600, 2760, 2412, 3028, 1516, 2196, 1352,
2088, 1984, 2528, 3032, 2020, 1172, 2388, 2408, 2096, 1300,
2028
Drops file in System32 directory (64 IoCs)
description / ioc / Process: all 64 rows are "File created C:\Windows\SysWOW64\PurpleMood.scr". The writing process is PurpleMood.scr in 61 rows and "Process not Found" in 3 (rows the sandbox could not attribute to a process in the tree). Each copy re-creates the very file it was started from.
Program crash (64 IoCs)
pid   pid_target  Process       procid_target
6800  1088        WerFault.exe  28
6816  2924        WerFault.exe  29
6872  2276        WerFault.exe  30
6908  2116        WerFault.exe  31
6952  2392        WerFault.exe  32
6984  2280        WerFault.exe  33
7024  2820        WerFault.exe  34
7072  2844        WerFault.exe  35
7080  2736        WerFault.exe  36
7128  2936        WerFault.exe  37
7216  2644        WerFault.exe  41
7200  2112        WerFault.exe  39
7172  2756        WerFault.exe  40
2536  2832        WerFault.exe  38
7240  2600        WerFault.exe  42
7280  2760        WerFault.exe  43
7392  1516        WerFault.exe  46
7360  3028        WerFault.exe  45
7304  2412        WerFault.exe  44
7452  2196        WerFault.exe  47
7504  2088        WerFault.exe  49
7460  1984        WerFault.exe  50
7424  1352        WerFault.exe  48
7516  3032        WerFault.exe  52
7564  2528        WerFault.exe  51
7596  2020        WerFault.exe  53
7644  1172        WerFault.exe  54
7652  2388        WerFault.exe  55
7660  2408        WerFault.exe  56
7676  2096        WerFault.exe  57
7700  1300        WerFault.exe  58
7736  2028        WerFault.exe  59
7716  1764        WerFault.exe  60
7768  2956        WerFault.exe  62
7760  2960        WerFault.exe  61
7792  1640        WerFault.exe  63
7824  2548        WerFault.exe  64
7852  2220        WerFault.exe  65
7892  1012        WerFault.exe  66
7904  2260        WerFault.exe  67
7928  2240        WerFault.exe  68
7912  2272        WerFault.exe  69
7936  1192        WerFault.exe  70
7944  2948        WerFault.exe  71
7952  968         WerFault.exe  73
7964  2104        WerFault.exe  72
7976  1136        WerFault.exe  74
8008  2496        WerFault.exe  75
8084  1448        WerFault.exe  76
8100  2460        WerFault.exe  77
8108  1520        WerFault.exe  78
8124  944         WerFault.exe  79
8180  1696        WerFault.exe  80
8188  1596        WerFault.exe  82
7188  2440        WerFault.exe  81
7296  1976        WerFault.exe  83
7356  2920        WerFault.exe  85
7512  1724        WerFault.exe  84
7724  1536        WerFault.exe  86
8000  584         WerFault.exe  87
7876  2972        WerFault.exe  89
7524  2400        WerFault.exe  88
8024  1008        WerFault.exe  90
8200  1760        WerFault.exe  91
pid is the WerFault.exe instance, pid_target the process that crashed, and procid_target the sandbox's own index for that process (1088 is 28, 2924 is 29, and so on; the same numbering is used in the WriteProcessMemory table below). Every process in the chain, the dropper included, crashes after it has started its child, so on a real host the chain leaves a matching trail of Windows Error Reporting events.
System Location Discovery: System Language Discovery (1 TTP, MITRE ATT&CK T1614.001; 64 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description / ioc / Process: all 64 rows are "Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language". The reading process is PurpleMood.scr in 62 rows and "Process not Found" in 2. Plenty of legitimate software reads this key, so on its own it is context for the rest of the chain rather than a detection.
Suspicious use of WriteProcessMemory (64 IoCs)
Each row below appears four times in the report (four writes per child), giving 16 parent-to-child pairs:
pid   wrote to  Process (writer)                        procid_target
1088  2924      b745d538cbc341804374d106e581d7a0N.exe   29
2924  2276      PurpleMood.scr                          30
2276  2116      PurpleMood.scr                          31
2116  2392      PurpleMood.scr                          32
2392  2280      PurpleMood.scr                          33
2280  2820      PurpleMood.scr                          34
2820  2844      PurpleMood.scr                          35
2844  2736      PurpleMood.scr                          36
2736  2936      PurpleMood.scr                          37
2936  2832      PurpleMood.scr                          38
2832  2112      PurpleMood.scr                          39
2112  2756      PurpleMood.scr                          40
2756  2644      PurpleMood.scr                          41
2644  2600      PurpleMood.scr                          42
2600  2760      PurpleMood.scr                          43
2760  2412      PurpleMood.scr                          44
Each writer only touches the child it has just created, and every child gets the same four writes. That pattern is consistent with ordinary process start-up (CreateProcess writes the new process's parameters into it) rather than with code injection, so read this tag as confirmation of the parent-child chain, not as evidence of injection into foreign processes.
Processes
Each entry is the depth in the tree (1⤵ is the submitted sample; every later entry is a child of the one before it), the image path, the command line, the PID, and the signatures the sandbox attached to that process.

1⤵ C:\Users\Admin\AppData\Local\Temp\b745d538cbc341804374d106e581d7a0N.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\b745d538cbc341804374d106e581d7a0N.exe"
    PID: 1088
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory

Entries 2⤵ to 122⤵ all have the image C:\Windows\SysWOW64\PurpleMood.scr and the command line C:\Windows\system32\PurpleMood.scr. The two paths name the same file: the sample is 32-bit (arch:x86), so WoW64 file-system redirection turns its reference to system32 into SysWOW64. Each copy is started by the previous one, so the dropped file re-launches itself 121 times in the run. Signature tags thin out further down (Loads dropped DLL stops after 32⤵, Executes dropped EXE after 65⤵) because every signature table above holds at most 64 rows, not because the later copies behave differently.

Signature key: E = Executes dropped EXE, L = Loads dropped DLL, D = Drops file in System32 directory, S = System Location Discovery: System Language Discovery, W = Suspicious use of WriteProcessMemory.

depth  PID   signatures
2⤵     2924  E L W
3⤵     2276  E L W
4⤵     2116  E L W
5⤵     2392  E L W
6⤵     2280  E L W
7⤵     2820  E L S W
8⤵     2844  E L W
9⤵     2736  E L W
10⤵    2936  E L D W
11⤵    2832  E L W
12⤵    2112  E L W
13⤵    2756  E L W
14⤵    2644  E L W
15⤵    2600  E L W
16⤵    2760  E L W
17⤵    2412  E L
18⤵    3028  E L S
19⤵    1516  E L
20⤵    2196  E L
21⤵    1352  E L
22⤵    2088  E L
23⤵    1984  E L
24⤵    2528  E L
25⤵    3032  E L
26⤵    2020  E L
27⤵    1172  E L
28⤵    2388  E L
29⤵    2408  E L
30⤵    2096  E L
31⤵    1300  E L D
32⤵    2028  E L
33⤵    1764  E
34⤵    2960  E
35⤵    2956  E S
36⤵    1640  E
37⤵    2548  E
38⤵    2220  E
39⤵    1012  E
40⤵    2260  E
41⤵    2240  E
42⤵    2272  E
43⤵    1192  E
44⤵    2948  E
45⤵    2104  E
46⤵    968   E
47⤵    1136  E
48⤵    2496  E
49⤵    1448  E
50⤵    2460  E
51⤵    1520  E S
52⤵    944   E
53⤵    1696  E
54⤵    2440  E
55⤵    1596  E
56⤵    1976  E
57⤵    1724  E
58⤵    2920  E
59⤵    1536  E
60⤵    584   E S
61⤵    2400  E
62⤵    2972  E
63⤵    1008  E S
64⤵    1760  E D
65⤵    2052  E
66⤵    2532  (none)
67⤵    2564  (none)
68⤵    2348  (none)
69⤵    2512  (none)
70⤵    1368  (none)
71⤵    2324  (none)
72⤵    880   D
73⤵    1576  (none)
74⤵    1944  (none)
75⤵    1708  (none)
76⤵    2928  (none)
77⤵    1744  (none)
78⤵    1748  (none)
79⤵    1820  D
80⤵    1584  (none)
81⤵    1720  (none)
82⤵    2176  S
83⤵    2204  (none)
84⤵    2236  (none)
85⤵    3060  (none)
86⤵    1668  (none)
87⤵    1628  (none)
88⤵    2696  (none)
89⤵    2808  (none)
90⤵    2868  (none)
91⤵    2744  (none)
92⤵    2724  (none)
93⤵    2884  (none)
94⤵    2624  (none)
95⤵    2896  (none)
96⤵    2864  (none)
97⤵    1704  (none)
98⤵    2764  (none)
99⤵    2852  (none)
100⤵   2592  (none)
101⤵   2648  (none)
102⤵   1204  (none)
103⤵   3020  (none)
104⤵   3016  (none)
105⤵   3024  (none)
106⤵   2572  (none)
107⤵   2840  (none)
108⤵   2312  (none)
109⤵   2056  (none)
110⤵   1096  (none)
111⤵   2188  (none)
112⤵   2652  D
113⤵   1740  (none)
114⤵   1816  (none)
115⤵   2184  S
116⤵   976   (none)
117⤵   1840  (none)
118⤵   1296  D
119⤵   2968  (none)
120⤵   1320  (none)
121⤵   2420  (none)
122⤵   2140  S
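The signature tables and the process tree together describe one behaviour: a process copies itself into SysWOW64 under a fixed name, starts the copy, and the copy repeats the cycle. The following is an added example, not part of the original report and not any sandbox or EDR product's code, showing how that behaviour can be detected from host telemetry rather than from file hashes. The event schema (ProcessCreate, FileCreate, RegistryOpen) is a hypothetical, Sysmon-like flattening of the report's tables; EVENTS is constructed test data in which the PIDs, paths and registry key are taken from the report and the last four rows are benign controls. The chain detector walks each process's parents while the image name stays the same, so it generalises to any self-spawning binary, not only PurpleMood.scr.

```python
"""Detection logic for the behaviour in the Signatures and Processes sections.

Added example; not part of the original report and not any sandbox or EDR
product's code. The event schema is hypothetical (a Sysmon-like flattening of
the report's tables); EVENTS is constructed test data whose PIDs, paths and
registry key are copied from the report.
"""
import ntpath
from typing import Dict, List, Tuple

WINDOWS_DIR = "c:\\windows\\"
SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")
NLS_LANGUAGE_KEY = "\\control\\nls\\language"
SCR = r"C:\Windows\SysWOW64\PurpleMood.scr"
NLS_KEY = r"\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language"

# Constructed events (hypothetical schema). Rows for pids 700 and 800 are
# benign controls: a service host reading the language key, an installer
# writing under System32.
EVENTS: List[dict] = [
    {"type": "ProcessCreate", "pid": 1088, "ppid": 600,
     "image": r"C:\Users\Admin\AppData\Local\Temp\b745d538cbc341804374d106e581d7a0N.exe"},
    {"type": "FileCreate", "pid": 1088, "target": SCR},
    {"type": "ProcessCreate", "pid": 2924, "ppid": 1088, "image": SCR,
     "cmdline": r"C:\Windows\system32\PurpleMood.scr"},
    {"type": "ProcessCreate", "pid": 2276, "ppid": 2924, "image": SCR},
    {"type": "ProcessCreate", "pid": 2116, "ppid": 2276, "image": SCR},
    {"type": "FileCreate", "pid": 2116, "target": SCR},
    {"type": "RegistryOpen", "pid": 2116, "key": NLS_KEY},
    {"type": "ProcessCreate", "pid": 700, "ppid": 600, "image": r"C:\Windows\System32\svchost.exe"},
    {"type": "RegistryOpen", "pid": 700, "key": NLS_KEY},
    {"type": "ProcessCreate", "pid": 800, "ppid": 600, "image": r"C:\Windows\System32\msiexec.exe"},
    {"type": "FileCreate", "pid": 800, "target": r"C:\Windows\System32\drivers\example.sys"},
]


def build_process_table(events: List[dict]) -> Dict[int, dict]:
    """pid -> {ppid, image, cmdline}; the command line defaults to the image path."""
    procs: Dict[int, dict] = {}
    for e in events:
        if e["type"] == "ProcessCreate":
            procs[e["pid"]] = {"ppid": e["ppid"], "image": e["image"],
                               "cmdline": e.get("cmdline", e["image"])}
    return procs


def wow64_redirected(cmdline_path: str, image_path: str) -> bool:
    """True when the paths differ only by WoW64 redirecting system32 to SysWOW64,
    as they do for every PurpleMood.scr entry in the report's process tree."""
    a, b = cmdline_path.lower(), image_path.lower()
    return a != b and (a.replace("\\system32\\", "\\syswow64\\")
                       == b.replace("\\system32\\", "\\syswow64\\"))


def same_image_chain_depth(pid: int, procs: Dict[int, dict]) -> Tuple[int, int]:
    """Walk up the parents while the image name stays the same.

    Returns (depth, origin): depth counts pid plus its same-named ancestors,
    origin is the first ancestor with a different image (the dropper) or an
    unknown pid once the recorded tree runs out."""
    name = ntpath.basename(procs[pid]["image"]).lower()
    depth, cur, seen = 0, pid, set()
    while (cur in procs and cur not in seen
           and ntpath.basename(procs[cur]["image"]).lower() == name):
        seen.add(cur)
        depth += 1
        cur = procs[cur]["ppid"]
    return depth, cur


def detect_self_replication(procs: Dict[int, dict], min_depth: int = 3) -> List[dict]:
    """Flag a process whose same-named ancestry is at least min_depth deep."""
    alerts = []
    for pid, p in procs.items():
        depth, origin = same_image_chain_depth(pid, procs)
        if depth >= min_depth:
            alerts.append({"rule": "self_spawning_chain", "pid": pid, "depth": depth,
                           "origin_pid": origin, "image": p["image"],
                           "wow64_redirect": wow64_redirected(p["cmdline"], p["image"])})
    return alerts


def detect_system_dir_drops(events: List[dict], procs: Dict[int, dict]) -> List[dict]:
    """File creation under System32/SysWOW64 by a writer outside the Windows
    directory, or by a writer dropping a file with its own name (a self-copy)."""
    alerts = []
    for e in events:
        if e["type"] != "FileCreate" or not e["target"].lower().startswith(SYSTEM_DIRS):
            continue
        image = procs.get(e["pid"], {}).get("image", "")
        self_copy = ntpath.basename(image).lower() == ntpath.basename(e["target"]).lower()
        if self_copy or not image.lower().startswith(WINDOWS_DIR):
            alerts.append({"rule": "system_dir_drop", "pid": e["pid"],
                           "target": e["target"], "self_copy": self_copy})
    return alerts


def detect_language_discovery(events: List[dict], chain_alerts: List[dict]) -> List[dict]:
    """NLS\\Language reads are routine; escalate only for a process already in a flagged chain."""
    flagged = {a["pid"] for a in chain_alerts}
    return [{"rule": "language_discovery_in_chain", "pid": e["pid"], "key": e["key"]}
            for e in events
            if e["type"] == "RegistryOpen" and e["pid"] in flagged
            and e["key"].lower().endswith(NLS_LANGUAGE_KEY)]


def run_all(events: List[dict]) -> List[dict]:
    procs = build_process_table(events)
    chain = detect_self_replication(procs)
    return chain + detect_system_dir_drops(events, procs) + detect_language_discovery(events, chain)


if __name__ == "__main__":
    for alert in run_all(EVENTS):
        print(alert)
```

With min_depth=3 the chain rule fires on the third PurpleMood.scr (pid 2116) and names the dropper (pid 1088) as the origin; the svchost.exe read of the language key and the installer's write under System32 produce no alerts. On the real report the same walk would fire on every entry from 4⤵ down, so in practice the alert is deduplicated per origin pid.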