Overview

Tasks (score, sample, platform):
10  Static
10  virussign....b0.exe  windows7-x64
10  virussign....b0.exe  windows10-2004-x64
10  virussign....60.exe  windows7-x64
7   virussign....60.exe  windows10-2004-x64
7   virussign....40.exe  windows7-x64
7   virussign....40.exe  windows10-2004-x64
7   virussign....e0.exe  windows7-x64
7   virussign....e0.exe  windows10-2004-x64
7   virussign....00.exe  windows7-x64
10  virussign....00.exe  windows10-2004-x64
10  virussign....90.exe  windows7-x64
7   virussign....90.exe  windows10-2004-x64
7   virussign....40.exe  windows7-x64
7   virussign....40.exe  windows10-2004-x64
7   virussign....10.exe  windows7-x64
5   virussign....10.exe  windows10-2004-x64
5   virussign....60.exe  windows7-x64
7   virussign....60.exe  windows10-2004-x64
7   virussign....c0.exe  windows7-x64
10  virussign....c0.exe  windows10-2004-x64
10  virussign....d0.exe  windows7-x64
7   virussign....d0.exe  windows10-2004-x64
7   virussign....b0.exe  windows7-x64
10  virussign....b0.exe  windows10-2004-x64
10  virussign....10.exe  windows7-x64
7   virussign....10.exe  windows10-2004-x64
7   virussign....e0.exe  windows7-x64
7   virussign....e0.exe  windows10-2004-x64
7   virussign....20.exe  windows7-x64
7   virussign....20.exe  windows10-2004-x64
7   virussign....c0.exe  windows7-x64
7   virussign....c0.exe  windows10-2004-x64
Analysis (score 7)

max time kernel: 150s
max time network: 143s
platform: windows10-2004_x64
resource: win10v2004-20241007-en
resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
submitted: 17-11-2024 17:08
Behavioral tasks (task, sample, resource):
behavioral1   virussign.com_b1d2087d1d88f80870106373da2011b0.exe  win7-20241010-en
behavioral2   virussign.com_b1d2087d1d88f80870106373da2011b0.exe  win10v2004-20241007-en
behavioral3   virussign.com_b4a073dab1d51b27d63f81649310ab60.exe  win7-20240903-en
behavioral4   virussign.com_b4a073dab1d51b27d63f81649310ab60.exe  win10v2004-20241007-en
behavioral5   virussign.com_b793dc2ed636fdaee1a701e05fde1640.exe  win7-20241010-en
behavioral6   virussign.com_b793dc2ed636fdaee1a701e05fde1640.exe  win10v2004-20241007-en
behavioral7   virussign.com_ba1f70e629bc3e70fba35036be583ce0.exe  win7-20240903-en
behavioral8   virussign.com_ba1f70e629bc3e70fba35036be583ce0.exe  win10v2004-20241007-en
behavioral9   virussign.com_bcab6f30045483fd648d1924aba88b00.exe  win7-20240903-en
behavioral10  virussign.com_bcab6f30045483fd648d1924aba88b00.exe  win10v2004-20241007-en
behavioral11  virussign.com_bf4239be7de1ad8dddc78d1aff0d6090.exe  win7-20240903-en
behavioral12  virussign.com_bf4239be7de1ad8dddc78d1aff0d6090.exe  win10v2004-20241007-en
behavioral13  virussign.com_c251643a9964695966b3f7a545401440.exe  win7-20240903-en
behavioral14  virussign.com_c251643a9964695966b3f7a545401440.exe  win10v2004-20241007-en
behavioral15  virussign.com_c3fa4d199e50171575cfa553fd205a10.exe  win7-20241010-en
behavioral16  virussign.com_c3fa4d199e50171575cfa553fd205a10.exe  win10v2004-20241007-en
behavioral17  virussign.com_c527d92958bc1247a6471765e5449c60.exe  win7-20240903-en
behavioral18  virussign.com_c527d92958bc1247a6471765e5449c60.exe  win10v2004-20241007-en
behavioral19  virussign.com_c7d033cce29ec681f70bfb5f2ec867c0.exe  win7-20240903-en
behavioral20  virussign.com_c7d033cce29ec681f70bfb5f2ec867c0.exe  win10v2004-20241007-en
behavioral21  virussign.com_ca6b0e41f6273b8c6a022729b7a7efd0.exe  win7-20240903-en
behavioral22  virussign.com_ca6b0e41f6273b8c6a022729b7a7efd0.exe  win10v2004-20241007-en
behavioral23  virussign.com_ccf2dfc7e36c604f207bf823231b57b0.exe  win7-20241023-en
behavioral24  virussign.com_ccf2dfc7e36c604f207bf823231b57b0.exe  win10v2004-20241007-en
behavioral25  virussign.com_cf449b9fd99f5da93cbb91c84e64e710.exe  win7-20241010-en
behavioral26  virussign.com_cf449b9fd99f5da93cbb91c84e64e710.exe  win10v2004-20241007-en
behavioral27  virussign.com_d2157a5e0405795aa865f9264e231ee0.exe  win7-20240729-en
behavioral28  virussign.com_d2157a5e0405795aa865f9264e231ee0.exe  win10v2004-20241007-en
behavioral29  virussign.com_d4dd384ae38fed77098536c5b075c320.exe  win7-20240903-en
behavioral30  virussign.com_d4dd384ae38fed77098536c5b075c320.exe  win10v2004-20241007-en
behavioral31  virussign.com_d7c1eea17ae01e04b622ede80b6732c0.exe  win7-20241023-en
behavioral32  virussign.com_d7c1eea17ae01e04b622ede80b6732c0.exe  win10v2004-20241007-en
General

Target: virussign.com_cf449b9fd99f5da93cbb91c84e64e710.exe
Size: 7KB
MD5: cf449b9fd99f5da93cbb91c84e64e710
SHA1: 3cdef0031a939b31cb4b9a6ad1bf9ca88a155751
SHA256: 087300bc42aa885c126aa1771a2f80691399efae7543a8f493f5059548163957
SHA512: 24bbe2217b79f6e920d75ca986bce35c9daad0558205324f6470292629ac3431a2f2f0a85567bd87d022ac00625dac1d2e46e004fd2a8e9e4403e3e53073705f
SSDEEP: 96:Ge32tdsBxRlRIWb9pXc1eG6PcGma1JIwIdzwzc:GjdsXyWb9pkeG7yJIwczw
Malware Config
Signatures

Executes dropped EXE (64 IoCs)
Process is PurpleMood.scr for every entry; pids in the order listed:
4680, 3316, 4840, 3400, 2264, 2288, 2200, 2696, 2976, 2228, 2224, 1992, 4520, 388, 4424, 3180, 2280, 4992, 3908, 2504, 3464, 2916, 2624, 1868, 1580, 1448, 532, 1632, 1416, 4852, 2156, 3012, 1692, 4088, 4224, 1344, 4160, 2888, 2568, 3264, 4156, 3452, 3976, 644, 1016, 4904, 1936, 4144, 600, 4184, 1548, 5080, 2384, 2708, 2064, 4572, 4100, 3888, 5108, 2404, 3912, 3964, 4004, 4000
Drops file in System32 directory (64 IoCs)
All 64 entries are identical:
description: File created
ioc: C:\Windows\SysWOW64\PurpleMood.scr
Process: PurpleMood.scr
Program crash (64 IoCs)
Process is "Process not Found" for every row.

pid    pid_target  procid_target
27336  3316        85
27476  2264        88
27448  3400        87
27528  864         82
116    2504        103
25836  2624        106
25788  3908        102
2692   2916        105
4152   4100        140
2552   4000        148
2340   3964        145
1160   1132        159
5780   5560        204
2892   5924        221
27384  6028        226
5556   6068        228
6916   6864        279
6784   7472        324
3688   7020        308
7244   6272        296
5908   7976        349
3908   7956        348
6508   8964        411
10384  9692        493
8320   10236       492
6684   11456       568
11256  11812       586
9768   12996       663
7968   15660       833
9580   15644       832
13676  15788       841
7644   17272       934
10560  15000       792
7720   19672       1084
6980   20204       1117
15756  20896       1160
17108  22016       1230
4612   24264       1370
16212  24616       1392
19200  25212       1429
5500   25772       1464
17012  26424       1501
9072   26488       1505
4912   27084       1542
11468  26860       1531
4008   27372       1580
13928  27360       1581
11960  2976        1585
21308  27600       1586
19772  27200       1606
12868  4164        1609
10900  376         1613
11008  27548       1616
15284  1984        1627
21868  4364        1638
21880  432         1640
21932  27512       1645
19196  3612        1647
10292  4984        1683
15456  4828        1670
5128   3776        1678
22092  4636        1688
22300  464         1713
4268   4172        1717
System Location Discovery: System Language Discovery (1 TTP, 64 IoCs)
Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.

Every entry has description "Key opened" and ioc \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language. The first entry is from virussign.com_cf449b9fd99f5da93cbb91c84e64e710.exe; all remaining entries are from PurpleMood.scr.
Suspicious use of WriteProcessMemory (64 IoCs)
Each parent-to-child write below is listed three times in the original table, except the last, which appears once.

description                        pid   Process                                              procid_target
PID 864 wrote to memory of 4680    864   virussign.com_cf449b9fd99f5da93cbb91c84e64e710.exe   84
PID 4680 wrote to memory of 3316   4680  PurpleMood.scr                                       85
PID 3316 wrote to memory of 4840   3316  PurpleMood.scr                                       86
PID 4840 wrote to memory of 3400   4840  PurpleMood.scr                                       87
PID 3400 wrote to memory of 2264   3400  PurpleMood.scr                                       88
PID 2264 wrote to memory of 2288   2264  PurpleMood.scr                                       89
PID 2288 wrote to memory of 2200   2288  PurpleMood.scr                                       90
PID 2200 wrote to memory of 2696   2200  PurpleMood.scr                                       91
PID 2696 wrote to memory of 2976   2696  PurpleMood.scr                                       92
PID 2976 wrote to memory of 2228   2976  PurpleMood.scr                                       93
PID 2228 wrote to memory of 2224   2228  PurpleMood.scr                                       94
PID 2224 wrote to memory of 1992   2224  PurpleMood.scr                                       95
PID 1992 wrote to memory of 4520   1992  PurpleMood.scr                                       96
PID 4520 wrote to memory of 388    4520  PurpleMood.scr                                       97
PID 388 wrote to memory of 4424    388   PurpleMood.scr                                       98
PID 4424 wrote to memory of 3180   4424  PurpleMood.scr                                       99
PID 3180 wrote to memory of 2280   3180  PurpleMood.scr                                       100
PID 2280 wrote to memory of 4992   2280  PurpleMood.scr                                       101
PID 4992 wrote to memory of 3908   4992  PurpleMood.scr                                       102
PID 3908 wrote to memory of 2504   3908  PurpleMood.scr                                       103
PID 2504 wrote to memory of 3464   2504  PurpleMood.scr                                       104
PID 3464 wrote to memory of 2916   3464  PurpleMood.scr                                       105
Processes

Level 1: C:\Users\Admin\AppData\Local\Temp\virussign.com_cf449b9fd99f5da93cbb91c84e64e710.exe, command line "C:\Users\Admin\AppData\Local\Temp\virussign.com_cf449b9fd99f5da93cbb91c84e64e710.exe", PID 864
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory

Every entry from level 2 onwards is C:\Windows\SysWOW64\PurpleMood.scr, launched with the command line C:\Windows\system32\PurpleMood.scr; the level is the nesting depth in the spawn chain. Signature abbreviations used in the table:
- EDE: Executes dropped EXE
- DROP: Drops file in System32 directory
- SLD: System Location Discovery: System Language Discovery
- WPM: Suspicious use of WriteProcessMemory

level  PID   signatures
2      4680  EDE, SLD, WPM
3      3316  EDE, WPM
4      4840  EDE, DROP, WPM
5      3400  EDE, SLD, WPM
6      2264  EDE, WPM
7      2288  EDE, WPM
8      2200  EDE, DROP, WPM
9      2696  EDE, DROP, WPM
10     2976  EDE, SLD, WPM
11     2228  EDE, WPM
12     2224  EDE, SLD, WPM
13     1992  EDE, WPM
14     4520  EDE, WPM
15     388   EDE, WPM
16     4424  EDE, DROP, WPM
17     3180  EDE, SLD, WPM
18     2280  EDE, WPM
19     4992  EDE, WPM
20     3908  EDE, WPM
21     2504  EDE, WPM
22     3464  EDE, DROP, WPM
23     2916  EDE
24     2624  EDE
25     1868  EDE
26     1580  EDE
27     1448  EDE, DROP
28     532   EDE
29     1632  EDE
30     1416  EDE, DROP, SLD
31     4852  EDE
32     2156  EDE
33     3012  EDE
34     1692  EDE
35     4088  EDE
36     4224  EDE, SLD
37     1344  EDE
38     4160  EDE
39     2888  EDE, SLD
40     2568  EDE, SLD
41     3264  EDE, DROP
42     4156  EDE
43     3452  EDE, SLD
44     3976  EDE, DROP
45     644   EDE
46     1016  EDE, DROP
47     4904  EDE
48     1936  EDE
49     4144  EDE, DROP, SLD
50     600   EDE, SLD
51     4184  EDE
52     1548  EDE
53     5080  EDE, SLD
54     2384  EDE
55     2708  EDE, SLD
56     2064  EDE
57     4572  EDE
58     4100  EDE, DROP
59     3888  EDE, DROP, SLD
60     5108  EDE
61     2404  EDE
62     3912  EDE
63     3964  EDE
64     4004  EDE, DROP, SLD
65     4000  EDE
66     3152  DROP
67     3056  (none)
68     4952  (none)
69     1864  DROP
70     5116  SLD
71     3372  DROP
72     2620  (none)
73     4960  (none)
74     3208  DROP
75     1132  (none)
76     4948  (none)
77     2352  (none)
78     4148  (none)
79     2884  (none)
80     4220  (none)
81     1660  (none)
82     804   SLD
83     2860  SLD
84     2936  SLD
85     2144  (none)
-
C:\Windows\SysWOW64\PurpleMood.scrC:\Windows\system32\PurpleMood.scr86⤵
- System Location Discovery: System Language Discovery
PID:1156 -
C:\Windows\SysWOW64\PurpleMood.scrC:\Windows\system32\PurpleMood.scr87⤵PID:2760
-
C:\Windows\SysWOW64\PurpleMood.scrC:\Windows\system32\PurpleMood.scr88⤵
- System Location Discovery: System Language Discovery
PID:3408 -
C:\Windows\SysWOW64\PurpleMood.scrC:\Windows\system32\PurpleMood.scr89⤵PID:4624
-
C:\Windows\SysWOW64\PurpleMood.scrC:\Windows\system32\PurpleMood.scr90⤵
- Drops file in System32 directory
PID:3712 -
C:\Windows\SysWOW64\PurpleMood.scrC:\Windows\system32\PurpleMood.scr91⤵
- Drops file in System32 directory
PID:2260 -
C:\Windows\SysWOW64\PurpleMood.scrC:\Windows\system32\PurpleMood.scr92⤵PID:3896
-
C:\Windows\SysWOW64\PurpleMood.scrC:\Windows\system32\PurpleMood.scr93⤵PID:4700
-
C:\Windows\SysWOW64\PurpleMood.scrC:\Windows\system32\PurpleMood.scr94⤵PID:4668
-
C:\Windows\SysWOW64\PurpleMood.scrC:\Windows\system32\PurpleMood.scr95⤵PID:4324
-
C:\Windows\SysWOW64\PurpleMood.scrC:\Windows\system32\PurpleMood.scr96⤵
- Drops file in System32 directory
PID:3212 -
C:\Windows\SysWOW64\PurpleMood.scrC:\Windows\system32\PurpleMood.scr97⤵PID:2320
-
C:\Windows\SysWOW64\PurpleMood.scrC:\Windows\system32\PurpleMood.scr98⤵
- System Location Discovery: System Language Discovery
PID:2668 -
C:\Windows\SysWOW64\PurpleMood.scrC:\Windows\system32\PurpleMood.scr99⤵PID:3592
-
C:\Windows\SysWOW64\PurpleMood.scrC:\Windows\system32\PurpleMood.scr100⤵PID:2032
-
C:\Windows\SysWOW64\PurpleMood.scrC:\Windows\system32\PurpleMood.scr101⤵PID:2740
-
C:\Windows\SysWOW64\PurpleMood.scrC:\Windows\system32\PurpleMood.scr102⤵PID:2396
-
C:\Windows\SysWOW64\PurpleMood.scrC:\Windows\system32\PurpleMood.scr103⤵PID:3708
-
C:\Windows\SysWOW64\PurpleMood.scrC:\Windows\system32\PurpleMood.scr104⤵
- Drops file in System32 directory
PID:5144 -
C:\Windows\SysWOW64\PurpleMood.scrC:\Windows\system32\PurpleMood.scr105⤵PID:5180
-
C:\Windows\SysWOW64\PurpleMood.scrC:\Windows\system32\PurpleMood.scr106⤵PID:5228
-
C:\Windows\SysWOW64\PurpleMood.scrC:\Windows\system32\PurpleMood.scr107⤵
- Drops file in System32 directory
PID:5248 -
C:\Windows\SysWOW64\PurpleMood.scrC:\Windows\system32\PurpleMood.scr108⤵
- System Location Discovery: System Language Discovery
PID:5268 -
C:\Windows\SysWOW64\PurpleMood.scrC:\Windows\system32\PurpleMood.scr109⤵
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:5292 -
C:\Windows\SysWOW64\PurpleMood.scrC:\Windows\system32\PurpleMood.scr110⤵PID:5316
-
C:\Windows\SysWOW64\PurpleMood.scrC:\Windows\system32\PurpleMood.scr111⤵
- System Location Discovery: System Language Discovery
PID:5332 -
C:\Windows\SysWOW64\PurpleMood.scrC:\Windows\system32\PurpleMood.scr112⤵
- System Location Discovery: System Language Discovery
PID:5372 -
C:\Windows\SysWOW64\PurpleMood.scrC:\Windows\system32\PurpleMood.scr113⤵PID:5420
-
C:\Windows\SysWOW64\PurpleMood.scrC:\Windows\system32\PurpleMood.scr114⤵
- System Location Discovery: System Language Discovery
PID:5448 -
C:\Windows\SysWOW64\PurpleMood.scrC:\Windows\system32\PurpleMood.scr115⤵
- Drops file in System32 directory
PID:5488 -
C:\Windows\SysWOW64\PurpleMood.scrC:\Windows\system32\PurpleMood.scr116⤵PID:5516
-
C:\Windows\SysWOW64\PurpleMood.scrC:\Windows\system32\PurpleMood.scr117⤵PID:5536
-
C:\Windows\SysWOW64\PurpleMood.scrC:\Windows\system32\PurpleMood.scr118⤵PID:5560
-
C:\Windows\SysWOW64\PurpleMood.scrC:\Windows\system32\PurpleMood.scr119⤵PID:5576
-
C:\Windows\SysWOW64\PurpleMood.scrC:\Windows\system32\PurpleMood.scr120⤵
- Drops file in System32 directory
PID:5596 -
C:\Windows\SysWOW64\PurpleMood.scrC:\Windows\system32\PurpleMood.scr121⤵PID:5628
-
C:\Windows\SysWOW64\PurpleMood.scrC:\Windows\system32\PurpleMood.scr122⤵
- System Location Discovery: System Language Discovery
PID:5648