6dd19a0a7bd0dbd4e225ceb88db05df0fa3b408074ca55dda8cbe78d8575a062

Analysis

max time kernel
151s
max time network
153s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
01/10/2022, 23:26

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

6dd19a0a7bd0dbd4e225ceb88db05df0fa3b408074ca55dda8cbe78d8575a062.exe
Size

7KB
MD5

61583aa3d30ee95e15acee5ddf778ba7
SHA1

18988b167117d3410384a0b2b541cc2494794dd1
SHA256

6dd19a0a7bd0dbd4e225ceb88db05df0fa3b408074ca55dda8cbe78d8575a062
SHA512

9ef3e5c601911b20a44785ea0a4b5725e01c081d60d49142c1d2bee6c95104843eeed8c558af43d86463960cd07afa541a58351b263fc1f4d68b13edfd7dfff6
SSDEEP

96:G632tdsBx3wIWTR1eG6PuXa1JIwj7deiDOK:GPdsXTWTPeGhmJIwtei

Score

8^/10

persistence

Malware Config

Signatures

Executes dropped EXE 64 IoCs

pid	Process
5040	PurpleMood.scr
2620	PurpleMood.scr
2380	PurpleMood.scr
2312	PurpleMood.scr
968	PurpleMood.scr
1536	PurpleMood.scr
332	PurpleMood.scr
4892	PurpleMood.scr
2672	PurpleMood.scr
4860	PurpleMood.scr
5024	PurpleMood.scr
2736	PurpleMood.scr
2220	PurpleMood.scr
3064	PurpleMood.scr
2892	PurpleMood.scr
2724	PurpleMood.scr
3604	PurpleMood.scr
3540	PurpleMood.scr
2488	PurpleMood.scr
2344	PurpleMood.scr
2364	PurpleMood.scr
3544	PurpleMood.scr
3016	PurpleMood.scr
5116	PurpleMood.scr
2116	PurpleMood.scr
4260	PurpleMood.scr
3176	PurpleMood.scr
4680	PurpleMood.scr
2636	PurpleMood.scr
220	PurpleMood.scr
4328	PurpleMood.scr
5108	PurpleMood.scr
2700	PurpleMood.scr
2244	PurpleMood.scr
4356	PurpleMood.scr
4848	PurpleMood.scr
4648	PurpleMood.scr
2008	PurpleMood.scr
4152	PurpleMood.scr
4204	PurpleMood.scr
3968	PurpleMood.scr
1868	PurpleMood.scr
3052	PurpleMood.scr
3716	PurpleMood.scr
2472	PurpleMood.scr
4696	PurpleMood.scr
2256	PurpleMood.scr
4288	PurpleMood.scr
3272	PurpleMood.scr
4284	PurpleMood.scr
1960	PurpleMood.scr
4984	PurpleMood.scr
2676	PurpleMood.scr
4856	PurpleMood.scr
3892	PurpleMood.scr
932	PurpleMood.scr
4492	PurpleMood.scr
4172	PurpleMood.scr
1612	PurpleMood.scr
4336	PurpleMood.scr
4664	PurpleMood.scr
2996	PurpleMood.scr
3768	PurpleMood.scr
4028	PurpleMood.scr

Adds Run key to start application 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Run	PurpleMood.scr
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\PurpleMood = "C:\\Windows\\system32\\PurpleMood.scr"	PurpleMood.scr
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Run	Process not Found
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Run	Process not Found
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Run	Process not Found
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\PurpleMood = "C:\\Windows\\system32\\PurpleMood.scr"	Process not Found
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\PurpleMood = "C:\\Windows\\system32\\PurpleMood.scr"	Process not Found
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\PurpleMood = "C:\\Windows\\system32\\PurpleMood.scr"	Process not Found
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Run	Process not Found
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Run	PurpleMood.scr
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\PurpleMood = "C:\\Windows\\system32\\PurpleMood.scr"	PurpleMood.scr
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\PurpleMood = "C:\\Windows\\system32\\PurpleMood.scr"	Process not Found
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Run	PurpleMood.scr
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\PurpleMood = "C:\\Windows\\system32\\PurpleMood.scr"	PurpleMood.scr
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Run	Process not Found
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Run	Process not Found
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\PurpleMood = "C:\\Windows\\system32\\PurpleMood.scr"	Process not Found
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Run	Process not Found
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\PurpleMood = "C:\\Windows\\system32\\PurpleMood.scr"	PurpleMood.scr
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\PurpleMood = "C:\\Windows\\system32\\PurpleMood.scr"	Process not Found
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\PurpleMood = "C:\\Windows\\system32\\PurpleMood.scr"	Process not Found
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Run	Process not Found
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Run	Process not Found
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Run	Process not Found
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\PurpleMood = "C:\\Windows\\system32\\PurpleMood.scr"	PurpleMood.scr
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\PurpleMood = "C:\\Windows\\system32\\PurpleMood.scr"	Process not Found
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\PurpleMood = "C:\\Windows\\system32\\PurpleMood.scr"	Process not Found
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Run	Process not Found
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\PurpleMood = "C:\\Windows\\system32\\PurpleMood.scr"	Process not Found
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Run	Process not Found
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Run	PurpleMood.scr
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Run	Process not Found
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Run	Process not Found
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Run	Process not Found
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\PurpleMood = "C:\\Windows\\system32\\PurpleMood.scr"	Process not Found
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\PurpleMood = "C:\\Windows\\system32\\PurpleMood.scr"	Process not Found
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\PurpleMood = "C:\\Windows\\system32\\PurpleMood.scr"	Process not Found
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Run	PurpleMood.scr
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\PurpleMood = "C:\\Windows\\system32\\PurpleMood.scr"	Process not Found
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Run	Process not Found
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\PurpleMood = "C:\\Windows\\system32\\PurpleMood.scr"	PurpleMood.scr
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Run	Process not Found
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\PurpleMood = "C:\\Windows\\system32\\PurpleMood.scr"	Process not Found
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\PurpleMood = "C:\\Windows\\system32\\PurpleMood.scr"	PurpleMood.scr
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\PurpleMood = "C:\\Windows\\system32\\PurpleMood.scr"	PurpleMood.scr
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\PurpleMood = "C:\\Windows\\system32\\PurpleMood.scr"	Process not Found
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\PurpleMood = "C:\\Windows\\system32\\PurpleMood.scr"	Process not Found
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Run	PurpleMood.scr
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\PurpleMood = "C:\\Windows\\system32\\PurpleMood.scr"	PurpleMood.scr
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Run	PurpleMood.scr
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Run	Process not Found
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Run	Process not Found
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Run	Process not Found
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\PurpleMood = "C:\\Windows\\system32\\PurpleMood.scr"	PurpleMood.scr
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Run	PurpleMood.scr
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\PurpleMood = "C:\\Windows\\system32\\PurpleMood.scr"	PurpleMood.scr
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Run	PurpleMood.scr
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Run	Process not Found
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Run	Process not Found
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\PurpleMood = "C:\\Windows\\system32\\PurpleMood.scr"	PurpleMood.scr
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\PurpleMood = "C:\\Windows\\system32\\PurpleMood.scr"	PurpleMood.scr
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\PurpleMood = "C:\\Windows\\system32\\PurpleMood.scr"	PurpleMood.scr
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Run	PurpleMood.scr
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\PurpleMood = "C:\\Windows\\system32\\PurpleMood.scr"	PurpleMood.scr

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\PurpleMood.scr	PurpleMood.scr
File created	C:\Windows\SysWOW64\PurpleMood.scr	PurpleMood.scr
File created	C:\Windows\SysWOW64\PurpleMood.scr	Process not Found
File created	C:\Windows\SysWOW64\PurpleMood.scr	Process not Found
File created	C:\Windows\SysWOW64\PurpleMood.scr	Process not Found
File created	C:\Windows\SysWOW64\PurpleMood.scr	Process not Found
File created	C:\Windows\SysWOW64\PurpleMood.scr	Process not Found
File created	C:\Windows\SysWOW64\PurpleMood.scr	Process not Found
File created	C:\Windows\SysWOW64\PurpleMood.scr	Process not Found
File created	C:\Windows\SysWOW64\PurpleMood.scr	Process not Found
File created	C:\Windows\SysWOW64\PurpleMood.scr	Process not Found
File created	C:\Windows\SysWOW64\PurpleMood.scr	Process not Found
File created	C:\Windows\SysWOW64\PurpleMood.scr	PurpleMood.scr
File created	C:\Windows\SysWOW64\PurpleMood.scr	PurpleMood.scr
File created	C:\Windows\SysWOW64\PurpleMood.scr	PurpleMood.scr
File created	C:\Windows\SysWOW64\PurpleMood.scr	Process not Found
File created	C:\Windows\SysWOW64\PurpleMood.scr	Process not Found
File created	C:\Windows\SysWOW64\PurpleMood.scr	Process not Found
File created	C:\Windows\SysWOW64\PurpleMood.scr	Process not Found
File created	C:\Windows\SysWOW64\PurpleMood.scr	Process not Found
File created	C:\Windows\SysWOW64\PurpleMood.scr	Process not Found
File created	C:\Windows\SysWOW64\PurpleMood.scr	PurpleMood.scr
File created	C:\Windows\SysWOW64\PurpleMood.scr	PurpleMood.scr
File created	C:\Windows\SysWOW64\PurpleMood.scr	Process not Found
File created	C:\Windows\SysWOW64\PurpleMood.scr	PurpleMood.scr
File created	C:\Windows\SysWOW64\PurpleMood.scr	PurpleMood.scr
File created	C:\Windows\SysWOW64\PurpleMood.scr	Process not Found
File created	C:\Windows\SysWOW64\PurpleMood.scr	Process not Found
File created	C:\Windows\SysWOW64\PurpleMood.scr	Process not Found
File created	C:\Windows\SysWOW64\PurpleMood.scr	PurpleMood.scr
File created	C:\Windows\SysWOW64\PurpleMood.scr	Process not Found
File created	C:\Windows\SysWOW64\PurpleMood.scr	Process not Found
File created	C:\Windows\SysWOW64\PurpleMood.scr	PurpleMood.scr
File created	C:\Windows\SysWOW64\PurpleMood.scr	PurpleMood.scr
File created	C:\Windows\SysWOW64\PurpleMood.scr	Process not Found
File created	C:\Windows\SysWOW64\PurpleMood.scr	Process not Found
File created	C:\Windows\SysWOW64\PurpleMood.scr	Process not Found
File created	C:\Windows\SysWOW64\PurpleMood.scr	PurpleMood.scr
File created	C:\Windows\SysWOW64\PurpleMood.scr	PurpleMood.scr
File created	C:\Windows\SysWOW64\PurpleMood.scr	PurpleMood.scr
File created	C:\Windows\SysWOW64\PurpleMood.scr	PurpleMood.scr
File created	C:\Windows\SysWOW64\PurpleMood.scr	Process not Found
File created	C:\Windows\SysWOW64\PurpleMood.scr	Process not Found
File created	C:\Windows\SysWOW64\PurpleMood.scr	Process not Found
File created	C:\Windows\SysWOW64\PurpleMood.scr	Process not Found
File created	C:\Windows\SysWOW64\PurpleMood.scr	Process not Found
File created	C:\Windows\SysWOW64\PurpleMood.scr	PurpleMood.scr
File created	C:\Windows\SysWOW64\PurpleMood.scr	PurpleMood.scr
File created	C:\Windows\SysWOW64\PurpleMood.scr	PurpleMood.scr
File created	C:\Windows\SysWOW64\PurpleMood.scr	PurpleMood.scr
File created	C:\Windows\SysWOW64\PurpleMood.scr	Process not Found
File created	C:\Windows\SysWOW64\PurpleMood.scr	Process not Found
File created	C:\Windows\SysWOW64\PurpleMood.scr	Process not Found
File created	C:\Windows\SysWOW64\PurpleMood.scr	Process not Found
File created	C:\Windows\SysWOW64\PurpleMood.scr	PurpleMood.scr
File created	C:\Windows\SysWOW64\PurpleMood.scr	PurpleMood.scr
File created	C:\Windows\SysWOW64\PurpleMood.scr	PurpleMood.scr
File created	C:\Windows\SysWOW64\PurpleMood.scr	Process not Found
File created	C:\Windows\SysWOW64\PurpleMood.scr	Process not Found
File created	C:\Windows\SysWOW64\PurpleMood.scr	Process not Found
File created	C:\Windows\SysWOW64\PurpleMood.scr	Process not Found
File created	C:\Windows\SysWOW64\PurpleMood.scr	PurpleMood.scr
File created	C:\Windows\SysWOW64\PurpleMood.scr	Process not Found
File created	C:\Windows\SysWOW64\PurpleMood.scr	Process not Found

Program crash 63 IoCs

pid	pid_target	Process	procid_target
5052	5088	WerFault.exe	81
3024	5040	WerFault.exe	82
14720	332	WerFault.exe	186
4388	2380	WerFault.exe	190
2404	3892	WerFault.exe	93
2240	3768	WerFault.exe	143
4152	1376	WerFault.exe	96
2776	4664	WerFault.exe	144
27328	5928	Process not Found	223
27128	5356	Process not Found	192
27068	5392	Process not Found	194
27048	1456	Process not Found	114
15392	11928	Process not Found	614
15544	10508	Process not Found	532
17176	5032	Process not Found	1106
20088	20416	Process not Found	1361
16128	20504	Process not Found	1364
20148	20600	Process not Found	1370
21624	22100	Process not Found	1462
21928	22624	Process not Found	1496
21112	23312	Process not Found	1537
19988	23296	Process not Found	1536
22424	24588	Process not Found	1623
24852	6204	Process not Found	2043
21236	27104	Process not Found	2022
4712	6812	Process not Found	2023
15632	10308	Process not Found	2724
15488	16576	Process not Found	3084
27408	18224	Process not Found	3087
15412	18260	Process not Found	3117
4784	18272	Process not Found	3200
2236	18940	Process not Found	3258
9716	11852	Process not Found	3256
15400	5024	Process not Found	3283
13780	1940	Process not Found	3295
12856	19032	Process not Found	3313
6820	19740	Process not Found	3321
17880	17192	Process not Found	3328
17540	21092	Process not Found	3343
7220	20240	Process not Found	3411
6980	19524	Process not Found	3357
18868	21944	Process not Found	3425
12392	19880	Process not Found	3436
26600	22484	Process not Found	3452
6656	22696	Process not Found	3465
19104	20848	Process not Found	3478
2196	16476	Process not Found	3512
13948	3900	Process not Found	3531
10424	16468	Process not Found	3603
17720	21920	Process not Found	3542
19996	21524	Process not Found	3563
4332	18752	Process not Found	3671
3892	22816	Process not Found	3749
20140	16684	Process not Found	3732
11152	20384	Process not Found	3745
20196	24688	Process not Found	3905
9688	23808	Process not Found	3930
19096	16628	Process not Found	3989
5896	20128	Process not Found	4691
5380	13308	Process not Found	5204
19156	18300	Process not Found	5207
14756	4508	Process not Found	5783
16208	27456	Process not Found	5788

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 5088 wrote to memory of 5040	5088	6dd19a0a7bd0dbd4e225ceb88db05df0fa3b408074ca55dda8cbe78d8575a062.exe	82
PID 5088 wrote to memory of 5040	5088	6dd19a0a7bd0dbd4e225ceb88db05df0fa3b408074ca55dda8cbe78d8575a062.exe	82
PID 5088 wrote to memory of 5040	5088	6dd19a0a7bd0dbd4e225ceb88db05df0fa3b408074ca55dda8cbe78d8575a062.exe	82
PID 5040 wrote to memory of 2620	5040	PurpleMood.scr	191
PID 5040 wrote to memory of 2620	5040	PurpleMood.scr	191
PID 5040 wrote to memory of 2620	5040	PurpleMood.scr	191
PID 2620 wrote to memory of 2380	2620	PurpleMood.scr	190
PID 2620 wrote to memory of 2380	2620	PurpleMood.scr	190
PID 2620 wrote to memory of 2380	2620	PurpleMood.scr	190
PID 2380 wrote to memory of 2312	2380	PurpleMood.scr	189
PID 2380 wrote to memory of 2312	2380	PurpleMood.scr	189
PID 2380 wrote to memory of 2312	2380	PurpleMood.scr	189
PID 2312 wrote to memory of 968	2312	PurpleMood.scr	188
PID 2312 wrote to memory of 968	2312	PurpleMood.scr	188
PID 2312 wrote to memory of 968	2312	PurpleMood.scr	188
PID 968 wrote to memory of 1536	968	PurpleMood.scr	187
PID 968 wrote to memory of 1536	968	PurpleMood.scr	187
PID 968 wrote to memory of 1536	968	PurpleMood.scr	187
PID 1536 wrote to memory of 332	1536	PurpleMood.scr	186
PID 1536 wrote to memory of 332	1536	PurpleMood.scr	186
PID 1536 wrote to memory of 332	1536	PurpleMood.scr	186
PID 332 wrote to memory of 4892	332	PurpleMood.scr	185
PID 332 wrote to memory of 4892	332	PurpleMood.scr	185
PID 332 wrote to memory of 4892	332	PurpleMood.scr	185
PID 4892 wrote to memory of 2672	4892	PurpleMood.scr	83
PID 4892 wrote to memory of 2672	4892	PurpleMood.scr	83
PID 4892 wrote to memory of 2672	4892	PurpleMood.scr	83
PID 2672 wrote to memory of 4860	2672	PurpleMood.scr	184
PID 2672 wrote to memory of 4860	2672	PurpleMood.scr	184
PID 2672 wrote to memory of 4860	2672	PurpleMood.scr	184
PID 4860 wrote to memory of 5024	4860	PurpleMood.scr	183
PID 4860 wrote to memory of 5024	4860	PurpleMood.scr	183
PID 4860 wrote to memory of 5024	4860	PurpleMood.scr	183
PID 5024 wrote to memory of 2736	5024	PurpleMood.scr	182
PID 5024 wrote to memory of 2736	5024	PurpleMood.scr	182
PID 5024 wrote to memory of 2736	5024	PurpleMood.scr	182
PID 2736 wrote to memory of 2220	2736	PurpleMood.scr	181
PID 2736 wrote to memory of 2220	2736	PurpleMood.scr	181
PID 2736 wrote to memory of 2220	2736	PurpleMood.scr	181
PID 2220 wrote to memory of 3064	2220	PurpleMood.scr	180
PID 2220 wrote to memory of 3064	2220	PurpleMood.scr	180
PID 2220 wrote to memory of 3064	2220	PurpleMood.scr	180
PID 3064 wrote to memory of 2892	3064	PurpleMood.scr	179
PID 3064 wrote to memory of 2892	3064	PurpleMood.scr	179
PID 3064 wrote to memory of 2892	3064	PurpleMood.scr	179
PID 2892 wrote to memory of 2724	2892	PurpleMood.scr	178
PID 2892 wrote to memory of 2724	2892	PurpleMood.scr	178
PID 2892 wrote to memory of 2724	2892	PurpleMood.scr	178
PID 2724 wrote to memory of 3604	2724	PurpleMood.scr	177
PID 2724 wrote to memory of 3604	2724	PurpleMood.scr	177
PID 2724 wrote to memory of 3604	2724	PurpleMood.scr	177
PID 3604 wrote to memory of 3540	3604	PurpleMood.scr	84
PID 3604 wrote to memory of 3540	3604	PurpleMood.scr	84
PID 3604 wrote to memory of 3540	3604	PurpleMood.scr	84
PID 3540 wrote to memory of 2488	3540	PurpleMood.scr	176
PID 3540 wrote to memory of 2488	3540	PurpleMood.scr	176
PID 3540 wrote to memory of 2488	3540	PurpleMood.scr	176
PID 2488 wrote to memory of 2344	2488	PurpleMood.scr	85
PID 2488 wrote to memory of 2344	2488	PurpleMood.scr	85
PID 2488 wrote to memory of 2344	2488	PurpleMood.scr	85
PID 2344 wrote to memory of 2364	2344	PurpleMood.scr	175
PID 2344 wrote to memory of 2364	2344	PurpleMood.scr	175
PID 2344 wrote to memory of 2364	2344	PurpleMood.scr	175
PID 2364 wrote to memory of 3544	2364	PurpleMood.scr	174

C:\Users\Admin\AppData\Local\Temp\6dd19a0a7bd0dbd4e225ceb88db05df0fa3b408074ca55dda8cbe78d8575a062.exe
"C:\Users\Admin\AppData\Local\Temp\6dd19a0a7bd0dbd4e225ceb88db05df0fa3b408074ca55dda8cbe78d8575a062.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:5088
- C:\Windows\SysWOW64\PurpleMood.scr
  C:\Windows\system32\PurpleMood.scr
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:5040
- - C:\Windows\SysWOW64\PurpleMood.scr
    C:\Windows\system32\PurpleMood.scr
    3⤵
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:2620
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 5040 -s 444
    3⤵
    - Program crash
    PID:3024
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 5088 -s 444
  2⤵
  - Program crash
  PID:5052

C:\Windows\SysWOW64\PurpleMood.scr
C:\Windows\system32\PurpleMood.scr
1⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2672
- C:\Windows\SysWOW64\PurpleMood.scr
  C:\Windows\system32\PurpleMood.scr
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:4860

C:\Windows\SysWOW64\PurpleMood.scr
C:\Windows\system32\PurpleMood.scr
1⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3540
- C:\Windows\SysWOW64\PurpleMood.scr
  C:\Windows\system32\PurpleMood.scr
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:2488

C:\Windows\SysWOW64\PurpleMood.scr
C:\Windows\system32\PurpleMood.scr
1⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2344
- C:\Windows\SysWOW64\PurpleMood.scr
  C:\Windows\system32\PurpleMood.scr
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:2364

C:\Windows\SysWOW64\PurpleMood.scr
C:\Windows\system32\PurpleMood.scr
1⤵
- Executes dropped EXE
PID:2700
- C:\Windows\SysWOW64\PurpleMood.scr
  C:\Windows\system32\PurpleMood.scr
  2⤵
  - Executes dropped EXE
  PID:2244
- - C:\Windows\SysWOW64\PurpleMood.scr
    C:\Windows\system32\PurpleMood.scr
    3⤵
    PID:15984

C:\Windows\SysWOW64\PurpleMood.scr
C:\Windows\system32\PurpleMood.scr
1⤵
- Executes dropped EXE
PID:3968
- C:\Windows\SysWOW64\PurpleMood.scr
  C:\Windows\system32\PurpleMood.scr
  2⤵
  - Executes dropped EXE
  PID:1868
- - C:\Windows\SysWOW64\PurpleMood.scr
    C:\Windows\system32\PurpleMood.scr
    3⤵
    - Executes dropped EXE
    PID:3052

C:\Windows\SysWOW64\PurpleMood.scr
C:\Windows\system32\PurpleMood.scr
1⤵
- Executes dropped EXE
PID:2256
- C:\Windows\SysWOW64\PurpleMood.scr
  C:\Windows\system32\PurpleMood.scr
  2⤵
  - Executes dropped EXE
  PID:4288

C:\Windows\SysWOW64\PurpleMood.scr
C:\Windows\system32\PurpleMood.scr
1⤵
- Executes dropped EXE
PID:3272
- C:\Windows\SysWOW64\PurpleMood.scr
  C:\Windows\system32\PurpleMood.scr
  2⤵
  - Executes dropped EXE
  PID:4284

C:\Windows\SysWOW64\PurpleMood.scr
C:\Windows\system32\PurpleMood.scr
1⤵
- Executes dropped EXE
PID:1960
- C:\Windows\SysWOW64\PurpleMood.scr
  C:\Windows\system32\PurpleMood.scr
  2⤵
  - Executes dropped EXE
  PID:4984

C:\Windows\SysWOW64\PurpleMood.scr
C:\Windows\system32\PurpleMood.scr
1⤵
- Executes dropped EXE
PID:4856
- C:\Windows\SysWOW64\PurpleMood.scr
  C:\Windows\system32\PurpleMood.scr
  2⤵
  - Executes dropped EXE
  PID:3892
- - C:\Windows\SysWOW64\PurpleMood.scr
    C:\Windows\system32\PurpleMood.scr
    3⤵
    - Executes dropped EXE
    PID:932
  - - C:\Windows\SysWOW64\PurpleMood.scr
      C:\Windows\system32\PurpleMood.scr
      4⤵
      Executes dropped EXE
      PID:4492
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 3892 -s 416
    3⤵
    - Program crash
    PID:2404

C:\Windows\SysWOW64\PurpleMood.scr
C:\Windows\system32\PurpleMood.scr
1⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2996
- C:\Windows\SysWOW64\PurpleMood.scr
  C:\Windows\system32\PurpleMood.scr
  2⤵
  - Executes dropped EXE
  PID:3768
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 3768 -s 416
    3⤵
    - Program crash
    PID:2240

C:\Windows\SysWOW64\PurpleMood.scr
C:\Windows\system32\PurpleMood.scr
1⤵
PID:1376
- C:\Windows\SysWOW64\PurpleMood.scr
  C:\Windows\system32\PurpleMood.scr
  2⤵
  PID:4060
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 1376 -s 420
  2⤵
  - Program crash
  PID:4152

C:\Windows\SysWOW64\PurpleMood.scr
C:\Windows\system32\PurpleMood.scr
1⤵
PID:4044
- C:\Windows\SysWOW64\PurpleMood.scr
  C:\Windows\system32\PurpleMood.scr
  2⤵
  PID:3620

C:\Windows\SysWOW64\PurpleMood.scr
C:\Windows\system32\PurpleMood.scr
1⤵
PID:4004
- C:\Windows\SysWOW64\PurpleMood.scr
  C:\Windows\system32\PurpleMood.scr
  2⤵
  PID:2476

C:\Windows\SysWOW64\PurpleMood.scr
C:\Windows\system32\PurpleMood.scr
1⤵
PID:4516
- C:\Windows\SysWOW64\PurpleMood.scr
  C:\Windows\system32\PurpleMood.scr
  2⤵
  PID:4880

C:\Windows\SysWOW64\PurpleMood.scr
C:\Windows\system32\PurpleMood.scr
1⤵
PID:4784
- C:\Windows\SysWOW64\PurpleMood.scr
  C:\Windows\system32\PurpleMood.scr
  2⤵
  PID:3352

C:\Windows\SysWOW64\PurpleMood.scr
C:\Windows\system32\PurpleMood.scr
1⤵
PID:2560
- C:\Windows\SysWOW64\PurpleMood.scr
  C:\Windows\system32\PurpleMood.scr
  2⤵
  PID:2388

C:\Windows\SysWOW64\PurpleMood.scr
C:\Windows\system32\PurpleMood.scr
1⤵
- Adds Run key to start application
PID:2544
- C:\Windows\SysWOW64\PurpleMood.scr
  C:\Windows\system32\PurpleMood.scr
  2⤵
  PID:1156

C:\Windows\SysWOW64\PurpleMood.scr
C:\Windows\system32\PurpleMood.scr
1⤵
PID:4244
- C:\Windows\SysWOW64\PurpleMood.scr
  C:\Windows\system32\PurpleMood.scr
  2⤵
  PID:3376

C:\Windows\SysWOW64\PurpleMood.scr
C:\Windows\system32\PurpleMood.scr
1⤵
PID:3320
- C:\Windows\SysWOW64\PurpleMood.scr
  C:\Windows\system32\PurpleMood.scr
  2⤵
  PID:3868

C:\Windows\SysWOW64\PurpleMood.scr
C:\Windows\system32\PurpleMood.scr
1⤵
PID:2012
- C:\Windows\SysWOW64\PurpleMood.scr
  C:\Windows\system32\PurpleMood.scr
  2⤵
  PID:4428

C:\Windows\SysWOW64\PurpleMood.scr
C:\Windows\system32\PurpleMood.scr
1⤵
- Adds Run key to start application
PID:3336
- C:\Windows\SysWOW64\PurpleMood.scr
  C:\Windows\system32\PurpleMood.scr
  2⤵
  PID:3564

C:\Windows\SysWOW64\PurpleMood.scr
C:\Windows\system32\PurpleMood.scr
1⤵
PID:1844
- C:\Windows\SysWOW64\PurpleMood.scr
  C:\Windows\system32\PurpleMood.scr
  2⤵
  PID:3520

C:\Windows\SysWOW64\PurpleMood.scr
C:\Windows\system32\PurpleMood.scr
1⤵
PID:2416
- C:\Windows\SysWOW64\PurpleMood.scr
  C:\Windows\system32\PurpleMood.scr
  2⤵
  PID:2320

C:\Windows\SysWOW64\PurpleMood.scr
C:\Windows\system32\PurpleMood.scr
1⤵
PID:3608
- C:\Windows\SysWOW64\PurpleMood.scr
  C:\Windows\system32\PurpleMood.scr
  2⤵
  PID:4360

C:\Windows\SysWOW64\PurpleMood.scr
C:\Windows\system32\PurpleMood.scr
1⤵
PID:4224
- C:\Windows\SysWOW64\PurpleMood.scr
  C:\Windows\system32\PurpleMood.scr
  2⤵
  PID:4540

C:\Windows\SysWOW64\PurpleMood.scr
C:\Windows\system32\PurpleMood.scr
1⤵
- Adds Run key to start application
PID:4660
- C:\Windows\SysWOW64\PurpleMood.scr
  C:\Windows\system32\PurpleMood.scr
  2⤵
  PID:3396

C:\Windows\SysWOW64\PurpleMood.scr
C:\Windows\system32\PurpleMood.scr
1⤵
- Drops file in System32 directory
PID:1096
- C:\Windows\SysWOW64\PurpleMood.scr
  C:\Windows\system32\PurpleMood.scr
  2⤵
  PID:3236

C:\Windows\SysWOW64\PurpleMood.scr
C:\Windows\system32\PurpleMood.scr
1⤵
PID:1452
- C:\Windows\SysWOW64\PurpleMood.scr
  C:\Windows\system32\PurpleMood.scr
  2⤵
  PID:816

C:\Windows\SysWOW64\PurpleMood.scr
C:\Windows\system32\PurpleMood.scr
1⤵
PID:1456
- C:\Windows\SysWOW64\PurpleMood.scr
  C:\Windows\system32\PurpleMood.scr
  2⤵
  PID:2016
- - C:\Windows\SysWOW64\PurpleMood.scr
    C:\Windows\system32\PurpleMood.scr
    3⤵
    PID:5356
  - - C:\Windows\SysWOW64\PurpleMood.scr
      C:\Windows\system32\PurpleMood.scr
      4⤵
      PID:5376
    - - C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        5⤵
        
        PID:5392
      - C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        6⤵
        
        PID:5408
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        7⤵
        
        PID:5424
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        8⤵
        Adds Run key to start application
        Drops file in System32 directory
        
        PID:5440
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        9⤵
        
        PID:5456
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        10⤵
        
        PID:5472
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        11⤵
        Drops file in System32 directory
        
        PID:5488
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        12⤵
        
        PID:5504
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        13⤵
        
        PID:5520
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        14⤵
        
        PID:5536
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        15⤵
        
        PID:5552
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        16⤵
        
        PID:5568
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        17⤵
        
        PID:5584
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        18⤵
        
        PID:5600
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        19⤵
        Drops file in System32 directory
        
        PID:5616
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        20⤵
        
        PID:5636
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        21⤵
        
        PID:5652
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        22⤵
        
        PID:5672
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        23⤵
        
        PID:5696
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        24⤵
        
        PID:5716
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        25⤵
        Adds Run key to start application
        
        PID:5736
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        26⤵
        Adds Run key to start application
        
        PID:5760
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        27⤵
        
        PID:5780
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        28⤵
        
        PID:5800
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        29⤵
        Drops file in System32 directory
        
        PID:5820
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        30⤵
        
        PID:5840
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        31⤵
        
        PID:5864
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        32⤵
        
        PID:5888
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        33⤵
        
        PID:5908
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        34⤵
        
        PID:5928
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        35⤵
        
        PID:5948
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        36⤵
        
        PID:5964
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        37⤵
        
        PID:5980
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        38⤵
        
        PID:5996
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        39⤵
        
        PID:6012
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        40⤵
        
        PID:6028
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        41⤵
        
        PID:6044
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        42⤵
        
        PID:6060
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        43⤵
        
        PID:6076
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        44⤵
        
        PID:6092
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        45⤵
        
        PID:6108
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        46⤵
        
        PID:6124
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        47⤵
        
        PID:6140
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        48⤵
        
        PID:5168
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        49⤵
        
        PID:4180
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        50⤵
        
        PID:5188
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        51⤵
        
        PID:5204
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        52⤵
        
        PID:5224
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        53⤵
        
        PID:5236
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        54⤵
        
        PID:5248
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        55⤵
        
        PID:5272
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        56⤵
        
        PID:2480
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        57⤵
        
        PID:5276
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        58⤵
        
        PID:5300
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        59⤵
        
        PID:5312
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        60⤵
        
        PID:1892
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        61⤵
        
        PID:1852
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        62⤵
        
        PID:1936
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        63⤵
        
        PID:5144
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        64⤵
        
        PID:5136
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        65⤵
        
        PID:5164
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        66⤵
        
        PID:4656
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        67⤵
        
        PID:4992
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        68⤵
        
        PID:2900
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        69⤵
        
        PID:3948
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        70⤵
        
        PID:3588
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        71⤵
        Drops file in System32 directory
        
        PID:3084
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        72⤵
        
        PID:4144
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        73⤵
        
        PID:5044
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        74⤵
        
        PID:2976
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        75⤵
        
        PID:5680
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        76⤵
        
        PID:5744
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        77⤵
        
        PID:5812
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        78⤵
        
        PID:5872
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        79⤵
        
        PID:2688
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        80⤵
        
        PID:6148
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        81⤵
        
        PID:6168
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        82⤵
        
        PID:6184
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        83⤵
        
        PID:6200
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        84⤵
        
        PID:6216
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        85⤵
        
        PID:6236
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        86⤵
        
        PID:6260
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        87⤵
        
        PID:6280
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        88⤵
        
        PID:6304
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        89⤵
        
        PID:6324
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        90⤵
        
        PID:6352
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        91⤵
        
        PID:6368
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        92⤵
        
        PID:6388
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        93⤵
        
        PID:6412
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        94⤵
        
        PID:6440
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        95⤵
        
        PID:6460
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        96⤵
        
        PID:6480
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        97⤵
        
        PID:6508
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        98⤵
        
        PID:6520
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        99⤵
        
        PID:6548
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        100⤵
        
        PID:6564
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        101⤵
        
        PID:6584
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        102⤵
        
        PID:6604
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        103⤵
        Adds Run key to start application
        
        PID:6624
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        104⤵
        
        PID:6652
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        105⤵
        
        PID:6668
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        106⤵
        
        PID:6688
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        107⤵
        
        PID:6708
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        108⤵
        
        PID:6728
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        109⤵
        
        PID:6748
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        110⤵
        
        PID:6768
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        111⤵
        
        PID:6788
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        112⤵
        
        PID:6816
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        113⤵
        
        PID:6832
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        114⤵
        
        PID:6852
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        115⤵
        
        PID:6872
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        116⤵
        
        PID:6892
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        117⤵
        
        PID:6912
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        118⤵
        
        PID:6932
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        119⤵
        
        PID:6952
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        120⤵
        
        PID:6972
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        121⤵
        
        PID:6992
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        122⤵
        
        PID:7012
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        123⤵
        
        PID:7036
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        124⤵
        
        PID:7060
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        125⤵
        
        PID:7080
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        126⤵
        Adds Run key to start application
        
        PID:7100
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        127⤵
        
        PID:7120
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        128⤵
        
        PID:7140
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        129⤵
        
        PID:7160
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        130⤵
        
        PID:6252
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        131⤵
        
        PID:6336
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        132⤵
        
        PID:6420
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        133⤵
        
        PID:1020
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        134⤵
        
        PID:6612
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        135⤵
        
        PID:6720
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        136⤵
        
        PID:6812
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        137⤵
        
        PID:6860
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        138⤵
        
        PID:6944
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        139⤵
        
        PID:7028
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        140⤵
        
        PID:7108
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        141⤵
        
        PID:6228
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        142⤵
        
        PID:6648
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        143⤵
        
        PID:7192
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        144⤵
        
        PID:7212
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        145⤵
        
        PID:7228
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        146⤵
        
        PID:7244
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        147⤵
        
        PID:7268
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        148⤵
        
        PID:7284
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        149⤵
        
        PID:7300
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        150⤵
        
        PID:7316
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        151⤵
        
        PID:7332
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        152⤵
        
        PID:7352
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        153⤵
        
        PID:7368
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        154⤵
        
        PID:7384
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        155⤵
        
        PID:7400
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        156⤵
        
        PID:7420
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        157⤵
        Drops file in System32 directory
        
        PID:7436
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        158⤵
        
        PID:7452
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        159⤵
        Drops file in System32 directory
        
        PID:7468
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        160⤵
        
        PID:7484
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        161⤵
        
        PID:7500
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        162⤵
        
        PID:7516
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        163⤵
        
        PID:7532
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        164⤵
        
        PID:7548
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        165⤵
        
        PID:7564
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        166⤵
        
        PID:7580
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        167⤵
        Adds Run key to start application
        
        PID:7596
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        168⤵
        
        PID:7612
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        169⤵
        
        PID:7628
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        170⤵
        
        PID:7644
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        171⤵
        
        PID:7660
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        172⤵
        
        PID:7676
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        173⤵
        
        PID:7688
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        174⤵
        
        PID:7708
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        175⤵
        
        PID:7728
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        176⤵
        
        PID:7748
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        177⤵
        
        PID:7768
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        178⤵
        
        PID:7788
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        179⤵
        
        PID:7808
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        180⤵
        
        PID:7832
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        181⤵
        
        PID:7852
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        182⤵
        
        PID:7872
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        183⤵
        
        PID:7892
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        184⤵
        
        PID:7912
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        185⤵
        
        PID:7932
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        186⤵
        
        PID:7952
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        187⤵
        
        PID:7980
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        188⤵
        
        PID:8000
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        189⤵
        
        PID:8024
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        190⤵
        
        PID:8044
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        191⤵
        
        PID:8064
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        192⤵
        
        PID:8084
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        193⤵
        
        PID:8104
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        194⤵
        
        PID:8124
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        195⤵
        Drops file in System32 directory
        
        PID:8148
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        196⤵
        
        PID:8168
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        197⤵
        
        PID:8188
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        198⤵
        
        PID:7760
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        199⤵
        
        PID:7824
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        200⤵
        Drops file in System32 directory
        
        PID:7944
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        201⤵
        
        PID:8020
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        202⤵
        
        PID:8096
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        203⤵
        
        PID:7904
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        204⤵
        
        PID:8200
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        205⤵
        
        PID:8220
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        206⤵
        
        PID:8244
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        207⤵
        
        PID:8264
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        208⤵
        
        PID:8284
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        209⤵
        
        PID:8304
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        210⤵
        
        PID:8324
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        211⤵
        
        PID:8344
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        212⤵
        
        PID:8368
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        213⤵
        
        PID:8388
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        214⤵
        
        PID:8408
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        215⤵
        
        PID:8432
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        216⤵
        
        PID:8452
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        217⤵
        
        PID:8472
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        218⤵
        
        PID:8496
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        219⤵
        
        PID:8516
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        220⤵
        
        PID:8536
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        221⤵
        
        PID:8556
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        222⤵
        
        PID:8576
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        223⤵
        
        PID:8600
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        224⤵
        
        PID:8620
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        225⤵
        
        PID:8640
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        226⤵
        
        PID:8664
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        227⤵
        
        PID:8684
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        228⤵
        
        PID:8704
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        229⤵
        
        PID:8724
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        230⤵
        
        PID:8744
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        231⤵
        
        PID:8764
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        232⤵
        
        PID:8788
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        233⤵
        
        PID:8808
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        234⤵
        
        PID:8828
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        235⤵
        
        PID:8848
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        236⤵
        
        PID:8868
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        237⤵
        
        PID:8888
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        238⤵
        
        PID:8912
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        239⤵
        
        PID:8932
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        240⤵
        
        PID:8952
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        241⤵
        
        PID:8972
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        242⤵
        
        PID:8992
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        243⤵
        
        PID:9012
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        244⤵
        
        PID:9032
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        245⤵
        
        PID:9056
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        246⤵
        
        PID:9076
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        247⤵
        
        PID:9096
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        248⤵
        
        PID:9116
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        249⤵
        
        PID:9132
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        250⤵
        
        PID:9148
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        251⤵
        
        PID:9160
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        252⤵
        
        PID:9180
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        253⤵
        
        PID:9196
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        254⤵
        
        PID:9212
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        255⤵
        
        PID:8228
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        256⤵
        
        PID:8296
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        257⤵
        
        PID:8376
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        258⤵
        
        PID:8424
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        259⤵
        
        PID:8488
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        260⤵
        
        PID:8544
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        261⤵
        
        PID:8628
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        262⤵
        
        PID:8696
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        263⤵
        
        PID:8776
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        264⤵
        
        PID:8856
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        265⤵
        
        PID:8940
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        266⤵
        
        PID:9024
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        267⤵
        
        PID:9084
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        268⤵
        
        PID:9232
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        269⤵
        
        PID:9248
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        270⤵
        
        PID:9280
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        271⤵
        
        PID:9304
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        272⤵
        
        PID:9336
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        273⤵
        
        PID:9356
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        274⤵
        
        PID:9372
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        275⤵
        
        PID:9388
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        276⤵
        
        PID:9404
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        277⤵
        
        PID:9420
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        278⤵
        
        PID:9440
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        279⤵
        
        PID:9456
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        280⤵
        
        PID:9468
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        281⤵
        
        PID:9488
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        282⤵
        
        PID:9504
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        283⤵
        
        PID:9520
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        284⤵
        
        PID:9536
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        285⤵
        
        PID:9556
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        286⤵
        
        PID:9576
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        287⤵
        
        PID:9596
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        288⤵
        
        PID:9616
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        289⤵
        
        PID:9636
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        290⤵
        
        PID:9656
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        291⤵
        
        PID:9676
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        292⤵
        
        PID:9696
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        293⤵
        
        PID:9720
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        294⤵
        
        PID:9740
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        295⤵
        
        PID:9760
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        296⤵
        
        PID:9780
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        297⤵
        
        PID:9800
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        298⤵
        
        PID:9820
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        299⤵
        
        PID:9840
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        300⤵
        
        PID:9864
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        301⤵
        
        PID:9884
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        302⤵
        
        PID:9908
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        303⤵
        
        PID:9928
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        304⤵
        
        PID:9948
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        305⤵
        
        PID:9972
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        306⤵
        
        PID:9992
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        307⤵
        
        PID:10016
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        308⤵
        
        PID:10036
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        309⤵
        
        PID:10056
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        310⤵
        Adds Run key to start application
        
        PID:10076
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        311⤵
        
        PID:10096
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        312⤵
        
        PID:10120
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        313⤵
        
        PID:10140
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        314⤵
        
        PID:10168
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        315⤵
        
        PID:10184
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        316⤵
        
        PID:10208
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        317⤵
        
        PID:10232
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        318⤵
        
        PID:9564
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        319⤵
        
        PID:9668
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        320⤵
        
        PID:9788
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        321⤵
        
        PID:9856
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        322⤵
        Adds Run key to start application
        
        PID:9936
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        323⤵
        
        PID:10000
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        324⤵
        
        PID:10084
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        325⤵
        
        PID:10164
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        326⤵
        
        PID:9268
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        327⤵
        
        PID:9904
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        328⤵
        
        PID:10192
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        329⤵
        
        PID:10260
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        330⤵
        
        PID:10284
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        331⤵
        
        PID:10304
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        332⤵
        
        PID:10324
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        333⤵
        
        PID:10348
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        334⤵
        Drops file in System32 directory
        
        PID:10368
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        335⤵
        
        PID:10388
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        336⤵
        
        PID:10408
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        337⤵
        
        PID:10428
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        338⤵
        
        PID:10448
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        339⤵
        
        PID:10468
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        340⤵
        
        PID:10488
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        341⤵
        
        PID:10508
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        342⤵
        
        PID:10528
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        343⤵
        
        PID:10552
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        344⤵
        
        PID:10572
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        345⤵
        
        PID:10592
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        346⤵
        
        PID:10612
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        347⤵
        
        PID:10632
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        348⤵
        
        PID:10652
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        349⤵
        
        PID:10672
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        350⤵
        
        PID:10692
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        351⤵
        
        PID:10712
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        352⤵
        
        PID:10732
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        353⤵
        
        PID:10760
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        354⤵
        
        PID:10776
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        355⤵
        
        PID:10800
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        356⤵
        
        PID:10820
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        357⤵
        
        PID:10840
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        358⤵
        
        PID:10860
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        359⤵
        
        PID:10880
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        360⤵
        
        PID:10900
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        361⤵
        
        PID:10920
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        362⤵
        
        PID:10940
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        363⤵
        
        PID:10960
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        364⤵
        
        PID:10980
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        365⤵
        
        PID:11004
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        366⤵
        
        PID:11024
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        367⤵
        
        PID:11044
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        368⤵
        
        PID:11076
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        369⤵
        
        PID:11096
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        370⤵
        
        PID:11112
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        371⤵
        Adds Run key to start application
        
        PID:11128
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        372⤵
        
        PID:11152
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        373⤵
        Drops file in System32 directory
        
        PID:11172
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        374⤵
        
        PID:11184
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        375⤵
        
        PID:11212
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        376⤵
        
        PID:11240
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        377⤵
        
        PID:9716
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        378⤵
        
        PID:10252
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        379⤵
        
        PID:10340
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        380⤵
        
        PID:10480
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        381⤵
        
        PID:10544
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        382⤵
        
        PID:10640
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        383⤵
        
        PID:10724
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        384⤵
        
        PID:10812
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        385⤵
        
        PID:10852
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        386⤵
        
        PID:10992
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        387⤵
        
        PID:11280
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        388⤵
        
        PID:11296
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        389⤵
        
        PID:11312
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        390⤵
        
        PID:11336
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        391⤵
        
        PID:11356
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        392⤵
        
        PID:11376
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        393⤵
        Drops file in System32 directory
        
        PID:11396
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        394⤵
        
        PID:11416
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        395⤵
        
        PID:11428
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        396⤵
        
        PID:11444
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        397⤵
        
        PID:11460
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        398⤵
        
        PID:11476
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        399⤵
        
        PID:11492
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        400⤵
        
        PID:11508
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        401⤵
        Adds Run key to start application
        
        PID:11524
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        402⤵
        
        PID:11540
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        403⤵
        
        PID:11572
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        404⤵
        
        PID:11588
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        405⤵
        
        PID:11608
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        406⤵
        
        PID:11624
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        407⤵
        
        PID:11640

C:\Windows\SysWOW64\PurpleMood.scr
C:\Windows\system32\PurpleMood.scr
1⤵
PID:4720

C:\Windows\SysWOW64\PurpleMood.scr
C:\Windows\system32\PurpleMood.scr
1⤵
PID:4508

C:\Windows\SysWOW64\PurpleMood.scr
C:\Windows\system32\PurpleMood.scr
1⤵
PID:4480

C:\Windows\SysWOW64\PurpleMood.scr
C:\Windows\system32\PurpleMood.scr
1⤵
PID:3424

C:\Windows\SysWOW64\PurpleMood.scr
C:\Windows\system32\PurpleMood.scr
1⤵
PID:100

C:\Windows\SysWOW64\PurpleMood.scr
C:\Windows\system32\PurpleMood.scr
1⤵
PID:2608

C:\Windows\SysWOW64\PurpleMood.scr
C:\Windows\system32\PurpleMood.scr
1⤵
PID:3008

C:\Windows\SysWOW64\PurpleMood.scr
C:\Windows\system32\PurpleMood.scr
1⤵
PID:3596

C:\Windows\SysWOW64\PurpleMood.scr
C:\Windows\system32\PurpleMood.scr
1⤵
- Executes dropped EXE
PID:4028

C:\Windows\SysWOW64\PurpleMood.scr
C:\Windows\system32\PurpleMood.scr
1⤵
- Executes dropped EXE
PID:4664
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 4664 -s 416
  2⤵
  - Program crash
  PID:2776

C:\Windows\SysWOW64\PurpleMood.scr
C:\Windows\system32\PurpleMood.scr
1⤵
- Executes dropped EXE
PID:4336

C:\Windows\SysWOW64\PurpleMood.scr
C:\Windows\system32\PurpleMood.scr
1⤵
- Executes dropped EXE
PID:1612

C:\Windows\SysWOW64\PurpleMood.scr
C:\Windows\system32\PurpleMood.scr
1⤵
- Executes dropped EXE
PID:4172

C:\Windows\SysWOW64\PurpleMood.scr
C:\Windows\system32\PurpleMood.scr
1⤵
- Executes dropped EXE
PID:2676

C:\Windows\SysWOW64\PurpleMood.scr
C:\Windows\system32\PurpleMood.scr
1⤵
- Executes dropped EXE
PID:4696

C:\Windows\SysWOW64\PurpleMood.scr
C:\Windows\system32\PurpleMood.scr
1⤵
- Executes dropped EXE
PID:2472

C:\Windows\SysWOW64\PurpleMood.scr
C:\Windows\system32\PurpleMood.scr
1⤵
- Executes dropped EXE
- Adds Run key to start application
PID:3716

C:\Windows\SysWOW64\PurpleMood.scr
C:\Windows\system32\PurpleMood.scr
1⤵
- Executes dropped EXE
PID:4204

C:\Windows\SysWOW64\PurpleMood.scr
C:\Windows\system32\PurpleMood.scr
1⤵
- Executes dropped EXE
PID:4152

C:\Windows\SysWOW64\PurpleMood.scr
C:\Windows\system32\PurpleMood.scr
1⤵
- Executes dropped EXE
PID:2008

C:\Windows\SysWOW64\PurpleMood.scr
C:\Windows\system32\PurpleMood.scr
1⤵
- Executes dropped EXE
PID:4648

C:\Windows\SysWOW64\PurpleMood.scr
C:\Windows\system32\PurpleMood.scr
1⤵
- Executes dropped EXE
PID:4848

C:\Windows\SysWOW64\PurpleMood.scr
C:\Windows\system32\PurpleMood.scr
1⤵
- Executes dropped EXE
PID:4356

C:\Windows\SysWOW64\PurpleMood.scr
C:\Windows\system32\PurpleMood.scr
1⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:5108

C:\Windows\SysWOW64\PurpleMood.scr
C:\Windows\system32\PurpleMood.scr
1⤵
- Executes dropped EXE
PID:4328

C:\Windows\SysWOW64\PurpleMood.scr
C:\Windows\system32\PurpleMood.scr
1⤵
- Executes dropped EXE
PID:220

C:\Windows\SysWOW64\PurpleMood.scr
C:\Windows\system32\PurpleMood.scr
1⤵
- Executes dropped EXE
PID:2636

C:\Windows\SysWOW64\PurpleMood.scr
C:\Windows\system32\PurpleMood.scr
1⤵
- Executes dropped EXE
PID:4680

C:\Windows\SysWOW64\PurpleMood.scr
C:\Windows\system32\PurpleMood.scr
1⤵
- Executes dropped EXE
PID:3176

C:\Windows\SysWOW64\PurpleMood.scr
C:\Windows\system32\PurpleMood.scr
1⤵
- Executes dropped EXE
PID:4260

C:\Windows\SysWOW64\PurpleMood.scr
C:\Windows\system32\PurpleMood.scr
1⤵
- Executes dropped EXE
PID:2116

C:\Windows\SysWOW64\PurpleMood.scr
C:\Windows\system32\PurpleMood.scr
1⤵
- Executes dropped EXE
PID:5116

C:\Windows\SysWOW64\PurpleMood.scr
C:\Windows\system32\PurpleMood.scr
1⤵
- Executes dropped EXE
PID:3016

C:\Windows\SysWOW64\PurpleMood.scr
C:\Windows\system32\PurpleMood.scr
1⤵
- Executes dropped EXE
PID:3544

C:\Windows\SysWOW64\PurpleMood.scr
C:\Windows\system32\PurpleMood.scr
1⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3604

C:\Windows\SysWOW64\PurpleMood.scr
C:\Windows\system32\PurpleMood.scr
1⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2724

C:\Windows\SysWOW64\PurpleMood.scr
C:\Windows\system32\PurpleMood.scr
1⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2892

C:\Windows\SysWOW64\PurpleMood.scr
C:\Windows\system32\PurpleMood.scr
1⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3064

C:\Windows\SysWOW64\PurpleMood.scr
C:\Windows\system32\PurpleMood.scr
1⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2220

C:\Windows\SysWOW64\PurpleMood.scr
C:\Windows\system32\PurpleMood.scr
1⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2736

C:\Windows\SysWOW64\PurpleMood.scr
C:\Windows\system32\PurpleMood.scr
1⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5024
- C:\Windows\SysWOW64\PurpleMood.scr
  C:\Windows\system32\PurpleMood.scr
  2⤵
  PID:2184
- - C:\Windows\SysWOW64\PurpleMood.scr
    C:\Windows\system32\PurpleMood.scr
    3⤵
    PID:14456
  - - C:\Windows\SysWOW64\PurpleMood.scr
      C:\Windows\system32\PurpleMood.scr
      4⤵
      PID:2036

C:\Windows\SysWOW64\PurpleMood.scr
C:\Windows\system32\PurpleMood.scr
1⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4892

C:\Windows\SysWOW64\PurpleMood.scr
C:\Windows\system32\PurpleMood.scr
1⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:332
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 332 -s 416
  2⤵
  - Program crash
  PID:14720

C:\Windows\SysWOW64\PurpleMood.scr
C:\Windows\system32\PurpleMood.scr
1⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1536

C:\Windows\SysWOW64\PurpleMood.scr
C:\Windows\system32\PurpleMood.scr
1⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:968

C:\Windows\SysWOW64\PurpleMood.scr
C:\Windows\system32\PurpleMood.scr
1⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2312

C:\Windows\SysWOW64\PurpleMood.scr
C:\Windows\system32\PurpleMood.scr
1⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2380
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 2380 -s 416
  2⤵
  - Program crash
  PID:4388

C:\Windows\SysWOW64\PurpleMood.scr
C:\Windows\system32\PurpleMood.scr
1⤵
PID:11660
- C:\Windows\SysWOW64\PurpleMood.scr
  C:\Windows\system32\PurpleMood.scr
  2⤵
  PID:11672
- - C:\Windows\SysWOW64\PurpleMood.scr
    C:\Windows\system32\PurpleMood.scr
    3⤵
    PID:11692
  - - C:\Windows\SysWOW64\PurpleMood.scr
      C:\Windows\system32\PurpleMood.scr
      4⤵
      PID:11716
    - - C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        5⤵
        
        PID:11736
      - C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        6⤵
        
        PID:11752
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        7⤵
        
        PID:11768
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        8⤵
        
        PID:11788
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        9⤵
        
        PID:11808
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        10⤵
        
        PID:11828
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        11⤵
        
        PID:11848
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        12⤵
        
        PID:11868
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        13⤵
        
        PID:11888
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        14⤵
        
        PID:11908
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        15⤵
        
        PID:11928
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        16⤵
        
        PID:11948
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        17⤵
        
        PID:11968
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        18⤵
        
        PID:11988
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        19⤵
        
        PID:12008
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        20⤵
        
        PID:12028
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        21⤵
        
        PID:12048
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        22⤵
        
        PID:12068
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        23⤵
        
        PID:12088
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        24⤵
        Adds Run key to start application
        
        PID:12108
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        25⤵
        
        PID:12132
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        26⤵
        
        PID:12152
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        27⤵
        
        PID:12176
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        28⤵
        
        PID:12196
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        29⤵
        
        PID:12220
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        30⤵
        
        PID:12240
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        31⤵
        
        PID:12260
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        32⤵
        
        PID:12284
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        33⤵
        Adds Run key to start application
        
        PID:11840
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        34⤵
        
        PID:11916
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        35⤵
        
        PID:12016
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        36⤵
        
        PID:12120
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        37⤵
        
        PID:12188

C:\Windows\SysWOW64\PurpleMood.scr
C:\Windows\system32\PurpleMood.scr
1⤵
PID:12276
- C:\Windows\SysWOW64\PurpleMood.scr
  C:\Windows\system32\PurpleMood.scr
  2⤵
  PID:12080
- - C:\Windows\SysWOW64\PurpleMood.scr
    C:\Windows\system32\PurpleMood.scr
    3⤵
    PID:12300
  - - C:\Windows\SysWOW64\PurpleMood.scr
      C:\Windows\system32\PurpleMood.scr
      4⤵
      PID:12320
    - - C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        5⤵
        
        PID:12340
      - C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        6⤵
        Adds Run key to start application
        
        PID:12360
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        7⤵
        
        PID:12380
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        8⤵
        
        PID:12400
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        9⤵
        Drops file in System32 directory
        
        PID:12420
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        10⤵
        
        PID:12440
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        11⤵
        
        PID:12460
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        12⤵
        Adds Run key to start application
        
        PID:12480
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        13⤵
        
        PID:12500
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        14⤵
        
        PID:12520
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        15⤵
        
        PID:12540
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        16⤵
        
        PID:12560
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        17⤵
        
        PID:12580
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        18⤵
        
        PID:12600
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        19⤵
        
        PID:12620
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        20⤵
        
        PID:12640
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        21⤵
        
        PID:12660
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        22⤵
        
        PID:12680
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        23⤵
        
        PID:12700
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        24⤵
        
        PID:12720
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        25⤵
        
        PID:12740
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        26⤵
        
        PID:12760
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        27⤵
        
        PID:12784
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        28⤵
        
        PID:12804
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        29⤵
        
        PID:12824
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        30⤵
        
        PID:12848
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        31⤵
        
        PID:12868
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        32⤵
        
        PID:12888
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        33⤵
        
        PID:12908
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        34⤵
        
        PID:12928
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        35⤵
        
        PID:12948
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        36⤵
        
        PID:12968
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        37⤵
        
        PID:12988

C:\Windows\SysWOW64\PurpleMood.scr
C:\Windows\system32\PurpleMood.scr
1⤵
PID:13008
- C:\Windows\SysWOW64\PurpleMood.scr
  C:\Windows\system32\PurpleMood.scr
  2⤵
  - Drops file in System32 directory
  PID:13028
- - C:\Windows\SysWOW64\PurpleMood.scr
    C:\Windows\system32\PurpleMood.scr
    3⤵
    PID:13052
  - - C:\Windows\SysWOW64\PurpleMood.scr
      C:\Windows\system32\PurpleMood.scr
      4⤵
      PID:13072
    - - C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        5⤵
        
        PID:13092
      - C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        6⤵
        
        PID:13116
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        7⤵
        
        PID:13136
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        8⤵
        
        PID:13156
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        9⤵
        
        PID:13180
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        10⤵
        
        PID:13200
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        11⤵
        
        PID:13220
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        12⤵
        
        PID:13244
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        13⤵
        
        PID:13264
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        14⤵
        
        PID:13284
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        15⤵
        
        PID:13304
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        16⤵
        
        PID:12332
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        17⤵
        
        PID:12428
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        18⤵
        
        PID:12532
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        19⤵
        
        PID:12632
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        20⤵
        
        PID:12728
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        21⤵
        
        PID:12792
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        22⤵
        
        PID:12836
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        23⤵
        
        PID:12916
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        24⤵
        
        PID:13048
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        25⤵
        
        PID:13144
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        26⤵
        
        PID:13212
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        27⤵
        Adds Run key to start application
        
        PID:12312
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        28⤵
        Drops file in System32 directory
        
        PID:2540
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        29⤵
        
        PID:1636
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        30⤵
        
        PID:13332
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        31⤵
        Adds Run key to start application
        
        PID:13348
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        32⤵
        
        PID:13364
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        33⤵
        
        PID:13380
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        34⤵
        
        PID:13396
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        35⤵
        
        PID:13412
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        36⤵
        
        PID:13428
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        37⤵
        
        PID:13444
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        38⤵
        Drops file in System32 directory
        
        PID:13460
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        39⤵
        
        PID:13476
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        40⤵
        
        PID:13496
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        41⤵
        
        PID:13512
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        42⤵
        
        PID:13528
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        43⤵
        
        PID:13544
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        44⤵
        
        PID:13560
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        45⤵
        
        PID:13580
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        46⤵
        
        PID:13596
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        47⤵
        
        PID:13612
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        48⤵
        
        PID:13632
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        49⤵
        
        PID:13648
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        50⤵
        
        PID:13664
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        51⤵
        
        PID:13680
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        52⤵
        
        PID:13696
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        53⤵
        
        PID:13712
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        54⤵
        
        PID:13728
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        55⤵
        
        PID:13744
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        56⤵
        
        PID:13756
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        57⤵
        
        PID:13776
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        58⤵
        
        PID:13792
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        59⤵
        
        PID:13808
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        60⤵
        
        PID:13828
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        61⤵
        
        PID:13844
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        62⤵
        
        PID:13860
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        63⤵
        
        PID:13876
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        64⤵
        
        PID:13892
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        65⤵
        
        PID:13908
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        66⤵
        
        PID:13936
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        67⤵
        
        PID:13952
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        68⤵
        
        PID:13984
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        69⤵
        
        PID:14016
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        70⤵
        
        PID:14036
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        71⤵
        
        PID:14060
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        72⤵
        
        PID:14080
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        73⤵
        
        PID:14100
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        74⤵
        
        PID:14120
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        75⤵
        
        PID:14148
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        76⤵
        
        PID:14168
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        77⤵
        
        PID:14188
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        78⤵
        
        PID:14208
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        79⤵
        
        PID:14228
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        80⤵
        
        PID:14248
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        81⤵
        
        PID:14276
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        82⤵
        Adds Run key to start application
        
        PID:14292
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        83⤵
        
        PID:14320
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        84⤵
        
        PID:13932
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        85⤵
        
        PID:14024
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        86⤵
        
        PID:14112
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        87⤵
        
        PID:14204
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        88⤵
        
        PID:14304
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        89⤵
        
        PID:14160
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        90⤵
        
        PID:14356
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        91⤵
        
        PID:14380
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        92⤵
        
        PID:14400
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        93⤵
        
        PID:14420
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        94⤵
        
        PID:14444
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        95⤵
        
        PID:14464
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        96⤵
        
        PID:14484
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        97⤵
        
        PID:14504
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        98⤵
        
        PID:14524
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        99⤵
        
        PID:14544
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        100⤵
        
        PID:14564
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        101⤵
        
        PID:14584
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        102⤵
        
        PID:14604
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        103⤵
        
        PID:14624
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        104⤵
        
        PID:14648
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        105⤵
        
        PID:14668
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        106⤵
        
        PID:14688
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        107⤵
        
        PID:14708
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        108⤵
        
        PID:14728
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        109⤵
        
        PID:14748
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        110⤵
        
        PID:14772
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        111⤵
        
        PID:14792
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        112⤵
        
        PID:14816
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        113⤵
        
        PID:14836
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        114⤵
        
        PID:14856
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        115⤵
        
        PID:14880
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        116⤵
        
        PID:14900
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        117⤵
        Drops file in System32 directory
        
        PID:14920
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        118⤵
        Drops file in System32 directory
        
        PID:14944
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        119⤵
        
        PID:14964
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        120⤵
        
        PID:14984
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        121⤵
        
        PID:15000
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        122⤵
        
        PID:15016
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        123⤵
        
        PID:15056
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        124⤵
        
        PID:15092
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        125⤵
        
        PID:15112
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        126⤵
        
        PID:15156
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        127⤵
        
        PID:15204

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 468 -p 5040 -ip 5040
1⤵
PID:15148

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 456 -p 2620 -ip 2620
1⤵
PID:15140

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 2380 -ip 2380
1⤵
PID:15168

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 440 -p 5088 -ip 5088
1⤵
PID:15232

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 520 -p 2312 -ip 2312
1⤵
PID:15280

C:\Windows\SysWOW64\PurpleMood.scr
C:\Windows\system32\PurpleMood.scr
1⤵
PID:15272
- C:\Windows\SysWOW64\PurpleMood.scr
  C:\Windows\system32\PurpleMood.scr
  2⤵
  PID:15312
- - C:\Windows\SysWOW64\PurpleMood.scr
    C:\Windows\system32\PurpleMood.scr
    3⤵
    PID:15352
  - - C:\Windows\SysWOW64\PurpleMood.scr
      C:\Windows\system32\PurpleMood.scr
      4⤵
      PID:14532
    - - C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        5⤵
        
        PID:3168
      - C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        6⤵
        
        PID:3728

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 516 -p 332 -ip 332
1⤵
PID:13992

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 532 -p 968 -ip 968
1⤵
PID:14368

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 564 -p 1536 -ip 1536
1⤵
PID:14516

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 460 -p 4892 -ip 4892
1⤵
PID:1280

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 456 -p 2672 -ip 2672
1⤵
PID:4736

C:\Windows\SysWOW64\PurpleMood.scr
C:\Windows\system32\PurpleMood.scr
1⤵
PID:14872
- C:\Windows\SysWOW64\PurpleMood.scr
  C:\Windows\system32\PurpleMood.scr
  2⤵
  PID:14956
- - C:\Windows\SysWOW64\PurpleMood.scr
    C:\Windows\system32\PurpleMood.scr
    3⤵
    PID:3636

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 584 -p 5024 -ip 5024
1⤵
PID:4256

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 540 -p 4860 -ip 4860
1⤵
PID:14828

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 672 -p 2892 -ip 2892
1⤵
PID:2552

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 628 -p 3064 -ip 3064
1⤵
PID:15300

C:\Windows\SysWOW64\PurpleMood.scr
C:\Windows\system32\PurpleMood.scr
1⤵
PID:15172
- C:\Windows\SysWOW64\PurpleMood.scr
  C:\Windows\system32\PurpleMood.scr
  2⤵
  PID:1448
- - C:\Windows\SysWOW64\PurpleMood.scr
    C:\Windows\system32\PurpleMood.scr
    3⤵
    PID:14428
  - - C:\Windows\SysWOW64\PurpleMood.scr
      C:\Windows\system32\PurpleMood.scr
      4⤵
      PID:14828
    - - C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        5⤵
        
        PID:1468

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 520 -p 2220 -ip 2220
1⤵
PID:15244

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 468 -p 2736 -ip 2736
1⤵
PID:228

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 488 -p 3604 -ip 3604
1⤵
PID:15036

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 416 -p 2724 -ip 2724
1⤵
PID:15144

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 436 -p 3540 -ip 3540
1⤵
PID:14516

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 2344 -ip 2344
1⤵
PID:1280

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 580 -p 2488 -ip 2488
1⤵
PID:15220

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 524 -p 2116 -ip 2116
1⤵
PID:15388

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 2364 -ip 2364
1⤵
PID:15380

C:\Windows\SysWOW64\PurpleMood.scr
C:\Windows\system32\PurpleMood.scr
1⤵
PID:15408
- C:\Windows\SysWOW64\PurpleMood.scr
  C:\Windows\system32\PurpleMood.scr
  2⤵
  PID:15452

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 520 -p 3544 -ip 3544
1⤵
PID:15372

C:\Windows\SysWOW64\PurpleMood.scr
C:\Windows\system32\PurpleMood.scr
1⤵
PID:15200

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 720 -p 3016 -ip 3016
1⤵
PID:15468

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 436 -p 5116 -ip 5116
1⤵
PID:15496

C:\Windows\SysWOW64\PurpleMood.scr
C:\Windows\system32\PurpleMood.scr
1⤵
PID:15536
- C:\Windows\SysWOW64\PurpleMood.scr
  C:\Windows\system32\PurpleMood.scr
  2⤵
  PID:15584
- - C:\Windows\SysWOW64\PurpleMood.scr
    C:\Windows\system32\PurpleMood.scr
    3⤵
    PID:15640

C:\Windows\SysWOW64\PurpleMood.scr
C:\Windows\system32\PurpleMood.scr
1⤵
PID:15720
- C:\Windows\SysWOW64\PurpleMood.scr
  C:\Windows\system32\PurpleMood.scr
  2⤵
  PID:15748
- - C:\Windows\SysWOW64\PurpleMood.scr
    C:\Windows\system32\PurpleMood.scr
    3⤵
    PID:15780
  - - C:\Windows\SysWOW64\PurpleMood.scr
      C:\Windows\system32\PurpleMood.scr
      4⤵
      PID:15824
    - - C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        5⤵
        
        PID:15872

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 744 -p 4328 -ip 4328
1⤵
PID:15684

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 468 -p 2636 -ip 2636
1⤵
PID:15624

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 528 -p 220 -ip 220
1⤵
PID:15560

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 688 -p 4680 -ip 4680
1⤵
PID:15520

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 776 -p 3176 -ip 3176
1⤵
PID:15512

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 448 -p 4260 -ip 4260
1⤵
PID:15436

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 2700 -ip 2700
1⤵
PID:15764

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 760 -p 2244 -ip 2244
1⤵
PID:15796

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 584 -p 4356 -ip 4356
1⤵
PID:15836

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 360 -p 4848 -ip 4848
1⤵
PID:15848

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 540 -p 4648 -ip 4648
1⤵
PID:15880

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 804 -p 4152 -ip 4152
1⤵
PID:15912

C:\Windows\SysWOW64\PurpleMood.scr
C:\Windows\system32\PurpleMood.scr
1⤵
PID:15936
- C:\Windows\SysWOW64\PurpleMood.scr
  C:\Windows\system32\PurpleMood.scr
  2⤵
  PID:15968
- - C:\Windows\SysWOW64\PurpleMood.scr
    C:\Windows\system32\PurpleMood.scr
    3⤵
    PID:16012
  - - C:\Windows\SysWOW64\PurpleMood.scr
      C:\Windows\system32\PurpleMood.scr
      4⤵
      PID:16056
    - - C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        5⤵
        
        PID:16080

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 788 -p 2008 -ip 2008
1⤵
PID:15896

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 764 -p 5108 -ip 5108
1⤵
PID:15728

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 680 -p 1868 -ip 1868
1⤵
PID:15980

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 188 -p 4204 -ip 4204
1⤵
PID:15948

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 468 -p 3968 -ip 3968
1⤵
PID:16024

C:\Windows\SysWOW64\PurpleMood.scr
C:\Windows\system32\PurpleMood.scr
1⤵
PID:16104
- C:\Windows\SysWOW64\PurpleMood.scr
  C:\Windows\system32\PurpleMood.scr
  2⤵
  PID:16124
- - C:\Windows\SysWOW64\PurpleMood.scr
    C:\Windows\system32\PurpleMood.scr
    3⤵
    PID:16152
  - - C:\Windows\SysWOW64\PurpleMood.scr
      C:\Windows\system32\PurpleMood.scr
      4⤵
      PID:16184
    - - C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        5⤵
        
        PID:16228

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 480 -p 3052 -ip 3052
1⤵
PID:16132

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 740 -p 3716 -ip 3716
1⤵
PID:16160

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 188 -p 2472 -ip 2472
1⤵
PID:16192

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 556 -p 4696 -ip 4696
1⤵
PID:16236

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 800 -p 2256 -ip 2256
1⤵
PID:16280

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 684 -p 4288 -ip 4288
1⤵
PID:16308

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 664 -p 3272 -ip 3272
1⤵
PID:16356

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 464 -p 4284 -ip 4284
1⤵
PID:16380

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 524 -p 4984 -ip 4984
1⤵
PID:4876

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 540 -p 1960 -ip 1960
1⤵
PID:4760

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 780 -p 4856 -ip 4856
1⤵
PID:3628

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 704 -p 2676 -ip 2676
1⤵
PID:15244

C:\Windows\SysWOW64\PurpleMood.scr
C:\Windows\system32\PurpleMood.scr
1⤵
PID:5024

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 416 -p 3892 -ip 3892
1⤵
PID:15492

C:\Windows\SysWOW64\PurpleMood.scr
C:\Windows\system32\PurpleMood.scr
1⤵
PID:15220
- C:\Windows\SysWOW64\PurpleMood.scr
  C:\Windows\system32\PurpleMood.scr
  2⤵
  PID:4844

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 528 -p 4492 -ip 4492
1⤵
PID:14812

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 800 -p 4172 -ip 4172
1⤵
PID:15036

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 564 -p 4336 -ip 4336
1⤵
PID:15500

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 684 -p 2996 -ip 2996
1⤵
PID:5004

C:\Windows\SysWOW64\PurpleMood.scr
C:\Windows\system32\PurpleMood.scr
1⤵
PID:15552
- C:\Windows\SysWOW64\PurpleMood.scr
  C:\Windows\system32\PurpleMood.scr
  2⤵
  PID:15628

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 512 -p 4028 -ip 4028
1⤵
PID:15232

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 836 -p 4004 -ip 4004
1⤵
PID:15768

C:\Windows\SysWOW64\PurpleMood.scr
C:\Windows\system32\PurpleMood.scr
1⤵
PID:15804
- C:\Windows\SysWOW64\PurpleMood.scr
  C:\Windows\system32\PurpleMood.scr
  2⤵
  PID:4064

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 500 -p 2476 -ip 2476
1⤵
PID:220

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 588 -p 3620 -ip 3620
1⤵
PID:1588

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 784 -p 4044 -ip 4044
1⤵
PID:15564

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 520 -p 4060 -ip 4060
1⤵
PID:216

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 572 -p 3768 -ip 3768
1⤵
PID:4692

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 360 -p 1376 -ip 1376
1⤵
PID:15736

C:\Windows\SysWOW64\PurpleMood.scr
C:\Windows\system32\PurpleMood.scr
1⤵
PID:1848

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 468 -p 4664 -ip 4664
1⤵
PID:3604

C:\Windows\SysWOW64\PurpleMood.scr
C:\Windows\system32\PurpleMood.scr
1⤵
PID:15660

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 496 -p 1612 -ip 1612
1⤵
PID:15440

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 588 -p 932 -ip 932
1⤵
PID:4240

C:\Windows\SysWOW64\PurpleMood.scr
C:\Windows\system32\PurpleMood.scr
1⤵
- Adds Run key to start application
PID:4972

C:\Windows\SysWOW64\PurpleMood.scr
C:\Windows\system32\PurpleMood.scr
1⤵
PID:16324

C:\Windows\SysWOW64\PurpleMood.scr
C:\Windows\system32\PurpleMood.scr
1⤵
PID:16272

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 840 -p 3596 -ip 3596
1⤵
PID:15892

C:\Windows\SysWOW64\PurpleMood.scr
C:\Windows\system32\PurpleMood.scr
1⤵
PID:16036
- C:\Windows\SysWOW64\PurpleMood.scr
  C:\Windows\system32\PurpleMood.scr
  2⤵
  PID:996

C:\Windows\SysWOW64\PurpleMood.scr
C:\Windows\system32\PurpleMood.scr
1⤵
PID:16132
- C:\Windows\SysWOW64\PurpleMood.scr
  C:\Windows\system32\PurpleMood.scr
  2⤵
  PID:13020
- - C:\Windows\SysWOW64\PurpleMood.scr
    C:\Windows\system32\PurpleMood.scr
    3⤵
    PID:16264
  - - C:\Windows\SysWOW64\PurpleMood.scr
      C:\Windows\system32\PurpleMood.scr
      4⤵
      PID:16212
    - - C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        5⤵
        
        PID:2472
      - C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        6⤵
        
        PID:4756

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 796 -p 2388 -ip 2388
1⤵
PID:3676

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 780 -p 1156 -ip 1156
1⤵
PID:4088

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 488 -p 2544 -ip 2544
1⤵
PID:3388

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 676 -p 3352 -ip 3352
1⤵
PID:1592

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 784 -p 100 -ip 100
1⤵
PID:3212

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 684 -p 2560 -ip 2560
1⤵
PID:1304

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 856 -p 3376 -ip 3376
1⤵
PID:3612

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 720 -p 2608 -ip 2608
1⤵
PID:16320

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 868 -p 3008 -ip 3008
1⤵
PID:2040

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 760 -p 4880 -ip 4880
1⤵
PID:15944

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 852 -p 4516 -ip 4516
1⤵
PID:4432

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 840 -p 4244 -ip 4244
1⤵
PID:16280

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 680 -p 4784 -ip 4784
1⤵
PID:3904

C:\Windows\SysWOW64\PurpleMood.scr
C:\Windows\system32\PurpleMood.scr
1⤵
PID:2244

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 832 -p 3868 -ip 3868
1⤵
PID:4316

C:\Windows\SysWOW64\PurpleMood.scr
C:\Windows\system32\PurpleMood.scr
1⤵
PID:2268
- C:\Windows\SysWOW64\PurpleMood.scr
  C:\Windows\system32\PurpleMood.scr
  2⤵
  PID:16356
- - C:\Windows\SysWOW64\PurpleMood.scr
    C:\Windows\system32\PurpleMood.scr
    3⤵
    PID:3772
  - - C:\Windows\SysWOW64\PurpleMood.scr
      C:\Windows\system32\PurpleMood.scr
      4⤵
      PID:3012

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 776 -p 3336 -ip 3336
1⤵
PID:4348

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 488 -p 4480 -ip 4480
1⤵
PID:572

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 796 -p 3608 -ip 3608
1⤵
PID:3540

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 436 -p 2320 -ip 2320
1⤵
PID:4984

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 744 -p 2416 -ip 2416
1⤵
PID:5056

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 536 -p 3520 -ip 3520
1⤵
PID:4364

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 728 -p 3564 -ip 3564
1⤵
PID:2752

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 604 -p 1844 -ip 1844
1⤵
PID:3856

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 688 -p 4428 -ip 4428
1⤵
PID:15424

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 784 -p 2012 -ip 2012
1⤵
PID:1480

C:\Windows\SysWOW64\PurpleMood.scr
C:\Windows\system32\PurpleMood.scr
1⤵
PID:2916

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 680 -p 3424 -ip 3424
1⤵
PID:3624

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 772 -p 3320 -ip 3320
1⤵
PID:2256

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 732 -p 4508 -ip 4508
1⤵
PID:2492

C:\Windows\SysWOW64\PurpleMood.scr
C:\Windows\system32\PurpleMood.scr
1⤵
PID:14476
- C:\Windows\SysWOW64\PurpleMood.scr
  C:\Windows\system32\PurpleMood.scr
  2⤵
  PID:15440
- - C:\Windows\SysWOW64\PurpleMood.scr
    C:\Windows\system32\PurpleMood.scr
    3⤵
    PID:15036
  - - C:\Windows\SysWOW64\PurpleMood.scr
      C:\Windows\system32\PurpleMood.scr
      4⤵
      PID:3176
    - - C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        5⤵
        
        PID:704

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 776 -p 4540 -ip 4540
1⤵
PID:15648

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 800 -p 4720 -ip 4720
1⤵
PID:2620

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 816 -p 4224 -ip 4224
1⤵
PID:2980

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 672 -p 4360 -ip 4360
1⤵
PID:3628

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 684 -p 4660 -ip 4660
1⤵
PID:3064

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 416 -p 3396 -ip 3396
1⤵
PID:15680

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 892 -p 1096 -ip 1096
1⤵
PID:1200

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 860 -p 1452 -ip 1452
1⤵
PID:3764

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 684 -p 816 -ip 816
1⤵
PID:15040

C:\Windows\SysWOW64\PurpleMood.scr
C:\Windows\system32\PurpleMood.scr
1⤵
PID:15232
- C:\Windows\SysWOW64\PurpleMood.scr
  C:\Windows\system32\PurpleMood.scr
  2⤵
  PID:4388
- - C:\Windows\SysWOW64\PurpleMood.scr
    C:\Windows\system32\PurpleMood.scr
    3⤵
    PID:3544
  - - C:\Windows\SysWOW64\PurpleMood.scr
      C:\Windows\system32\PurpleMood.scr
      4⤵
      PID:4680
    - - C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        5⤵
        Drops file in System32 directory
        
        PID:5088
      - C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        6⤵
        
        PID:15836
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        7⤵
        
        PID:2996
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        8⤵
        
        PID:16244
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        9⤵
        
        PID:15212
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        10⤵
        
        PID:15756
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        11⤵
        
        PID:3524
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        12⤵
        
        PID:2844
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        13⤵
        
        PID:16064
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        14⤵
        
        PID:1588
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        15⤵
        
        PID:4648
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        16⤵
        
        PID:15708
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        17⤵
        
        PID:15380
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        18⤵
        
        PID:1304
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        19⤵
        
        PID:1940
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        20⤵
        
        PID:3136
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        21⤵
        
        PID:3804
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        22⤵
        
        PID:4848
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        23⤵
        
        PID:3792
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        24⤵
        
        PID:2560
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        25⤵
        
        PID:15904
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        26⤵
        
        PID:3284
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        27⤵
        
        PID:4548
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        28⤵
        
        PID:1704
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        29⤵
        
        PID:3352
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        30⤵
        
        PID:15916
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        31⤵
        
        PID:15416
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        32⤵
        
        PID:3596
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        33⤵
        
        PID:4032
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        34⤵
        
        PID:4880
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        35⤵
        
        PID:3676
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        36⤵
        
        PID:16072
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        37⤵
        
        PID:4796
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        38⤵
        
        PID:15616
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        39⤵
        
        PID:4512
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        40⤵
        
        PID:3204
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        41⤵
        Drops file in System32 directory
        
        PID:4840
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        42⤵
        
        PID:3212
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        43⤵
        
        PID:16300
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        44⤵
        
        PID:14368
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        45⤵
        
        PID:1520
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        46⤵
        
        PID:4936
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        47⤵
        
        PID:3376
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        48⤵
        
        PID:684
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        49⤵
        
        PID:3668
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        50⤵
        
        PID:3280
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        51⤵
        
        PID:1280
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        52⤵
        
        PID:2972
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        53⤵
        
        PID:3320
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        54⤵
        
        PID:16236
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        55⤵
        
        PID:5108
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        56⤵
        
        PID:4428
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        57⤵
        
        PID:3272
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        58⤵
        
        PID:15808
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        59⤵
        
        PID:2752
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        60⤵
        
        PID:4364
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        61⤵
        
        PID:572
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        62⤵
        
        PID:4480
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        63⤵
        
        PID:4716
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        64⤵
        
        PID:3492
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        65⤵
        
        PID:4156
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        66⤵
        
        PID:3856
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        67⤵
        
        PID:4772
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        68⤵
        
        PID:15848
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        69⤵
        
        PID:15884
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        70⤵
        
        PID:1784
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        71⤵
        
        PID:2728
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        72⤵
        
        PID:2120
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        73⤵
        
        PID:4940
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        74⤵
        Drops file in System32 directory
        
        PID:4492
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        75⤵
        
        PID:1844
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        76⤵
        
        PID:16252
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        77⤵
        
        PID:4068
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        78⤵
        
        PID:15648
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        79⤵
        
        PID:16000
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        80⤵
        
        PID:392
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        81⤵
        
        PID:3396
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        82⤵
        
        PID:1200
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        83⤵
        
        PID:932
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        84⤵
        
        PID:1532
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        85⤵
        
        PID:1988

C:\Windows\SysWOW64\PurpleMood.scr
C:\Windows\system32\PurpleMood.scr
1⤵
PID:15504

C:\Windows\SysWOW64\PurpleMood.scr
C:\Windows\system32\PurpleMood.scr
1⤵
PID:4372

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 596 -p 3236 -ip 3236
1⤵
PID:15184

C:\Windows\SysWOW64\PurpleMood.scr
C:\Windows\system32\PurpleMood.scr
1⤵
PID:1452
- C:\Windows\SysWOW64\PurpleMood.scr
  C:\Windows\system32\PurpleMood.scr
  2⤵
  PID:14720
- - C:\Windows\SysWOW64\PurpleMood.scr
    C:\Windows\system32\PurpleMood.scr
    3⤵
    PID:15840
  - - C:\Windows\SysWOW64\PurpleMood.scr
      C:\Windows\system32\PurpleMood.scr
      4⤵
      PID:16172
    - - C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        5⤵
        
        PID:15736
      - C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        6⤵
        
        PID:2720
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        7⤵
        
        PID:916
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        8⤵
        
        PID:4564
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        9⤵
        
        PID:16368
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        10⤵
        
        PID:16380
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        11⤵
        
        PID:4152
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        12⤵
        
        PID:3968
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        13⤵
        
        PID:15596
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        14⤵
        
        PID:15152
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        15⤵
        
        PID:16240
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        16⤵
        
        PID:2256
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        17⤵
        
        PID:2312
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        18⤵
        
        PID:15796
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        19⤵
        
        PID:15880
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        20⤵
        
        PID:5056
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        21⤵
        
        PID:3628
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        22⤵
        
        PID:4764
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        23⤵
        
        PID:15428
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        24⤵
        
        PID:14596
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        25⤵
        
        PID:2704
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        26⤵
        
        PID:3088
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        27⤵
        
        PID:5032
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        28⤵
        
        PID:2776
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        29⤵
        
        PID:3932
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        30⤵
        
        PID:15508
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        31⤵
        
        PID:16392
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        32⤵
        Adds Run key to start application
        
        PID:16404
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        33⤵
        
        PID:16424

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\PurpleMood.scr

Filesize
7KB

MD5
aea3a6a26dedaea5e221f1c7d24f9a11

SHA1
731b4bffa95eb2a0b10885bd74fa9a92d757ae14

SHA256
685d2836846bc10e7339609f120fc57e7935a8ce9964a7afaf5668428d286ccb

SHA512
84e37373c5be4bff99323077bb887e2e15aed1d5adde9b42ece96ae6e84c8e901bc3d4cce3f3a77e82986e0347c03a9360dda8d8d2ffa30b677d9889b443822c

Download Submit
C:\Windows\SysWOW64\PurpleMood.scr

Filesize
7KB

MD5
aea3a6a26dedaea5e221f1c7d24f9a11

SHA1
731b4bffa95eb2a0b10885bd74fa9a92d757ae14

SHA256
685d2836846bc10e7339609f120fc57e7935a8ce9964a7afaf5668428d286ccb

SHA512
84e37373c5be4bff99323077bb887e2e15aed1d5adde9b42ece96ae6e84c8e901bc3d4cce3f3a77e82986e0347c03a9360dda8d8d2ffa30b677d9889b443822c

Download Submit
C:\Windows\SysWOW64\PurpleMood.scr

Filesize
7KB

MD5
aea3a6a26dedaea5e221f1c7d24f9a11

SHA1
731b4bffa95eb2a0b10885bd74fa9a92d757ae14

SHA256
685d2836846bc10e7339609f120fc57e7935a8ce9964a7afaf5668428d286ccb

SHA512
84e37373c5be4bff99323077bb887e2e15aed1d5adde9b42ece96ae6e84c8e901bc3d4cce3f3a77e82986e0347c03a9360dda8d8d2ffa30b677d9889b443822c

Download Submit
C:\Windows\SysWOW64\PurpleMood.scr

Filesize
7KB

MD5
aea3a6a26dedaea5e221f1c7d24f9a11

SHA1
731b4bffa95eb2a0b10885bd74fa9a92d757ae14

SHA256
685d2836846bc10e7339609f120fc57e7935a8ce9964a7afaf5668428d286ccb

SHA512
84e37373c5be4bff99323077bb887e2e15aed1d5adde9b42ece96ae6e84c8e901bc3d4cce3f3a77e82986e0347c03a9360dda8d8d2ffa30b677d9889b443822c

Download Submit
C:\Windows\SysWOW64\PurpleMood.scr

Filesize
7KB

MD5
aea3a6a26dedaea5e221f1c7d24f9a11

SHA1
731b4bffa95eb2a0b10885bd74fa9a92d757ae14

SHA256
685d2836846bc10e7339609f120fc57e7935a8ce9964a7afaf5668428d286ccb

SHA512
84e37373c5be4bff99323077bb887e2e15aed1d5adde9b42ece96ae6e84c8e901bc3d4cce3f3a77e82986e0347c03a9360dda8d8d2ffa30b677d9889b443822c

Download Submit
C:\Windows\SysWOW64\PurpleMood.scr

Filesize
7KB

MD5
aea3a6a26dedaea5e221f1c7d24f9a11

SHA1
731b4bffa95eb2a0b10885bd74fa9a92d757ae14

SHA256
685d2836846bc10e7339609f120fc57e7935a8ce9964a7afaf5668428d286ccb

SHA512
84e37373c5be4bff99323077bb887e2e15aed1d5adde9b42ece96ae6e84c8e901bc3d4cce3f3a77e82986e0347c03a9360dda8d8d2ffa30b677d9889b443822c

Download Submit
C:\Windows\SysWOW64\PurpleMood.scr

Filesize
7KB

MD5
aea3a6a26dedaea5e221f1c7d24f9a11

SHA1
731b4bffa95eb2a0b10885bd74fa9a92d757ae14

SHA256
685d2836846bc10e7339609f120fc57e7935a8ce9964a7afaf5668428d286ccb

SHA512
84e37373c5be4bff99323077bb887e2e15aed1d5adde9b42ece96ae6e84c8e901bc3d4cce3f3a77e82986e0347c03a9360dda8d8d2ffa30b677d9889b443822c

Download Submit
C:\Windows\SysWOW64\PurpleMood.scr

Filesize
7KB

MD5
aea3a6a26dedaea5e221f1c7d24f9a11

SHA1
731b4bffa95eb2a0b10885bd74fa9a92d757ae14

SHA256
685d2836846bc10e7339609f120fc57e7935a8ce9964a7afaf5668428d286ccb

SHA512
84e37373c5be4bff99323077bb887e2e15aed1d5adde9b42ece96ae6e84c8e901bc3d4cce3f3a77e82986e0347c03a9360dda8d8d2ffa30b677d9889b443822c

Download Submit
C:\Windows\SysWOW64\PurpleMood.scr

Filesize
7KB

MD5
aea3a6a26dedaea5e221f1c7d24f9a11

SHA1
731b4bffa95eb2a0b10885bd74fa9a92d757ae14

SHA256
685d2836846bc10e7339609f120fc57e7935a8ce9964a7afaf5668428d286ccb

SHA512
84e37373c5be4bff99323077bb887e2e15aed1d5adde9b42ece96ae6e84c8e901bc3d4cce3f3a77e82986e0347c03a9360dda8d8d2ffa30b677d9889b443822c

Download Submit
C:\Windows\SysWOW64\PurpleMood.scr

Filesize
7KB

MD5
aea3a6a26dedaea5e221f1c7d24f9a11

SHA1
731b4bffa95eb2a0b10885bd74fa9a92d757ae14

SHA256
685d2836846bc10e7339609f120fc57e7935a8ce9964a7afaf5668428d286ccb

SHA512
84e37373c5be4bff99323077bb887e2e15aed1d5adde9b42ece96ae6e84c8e901bc3d4cce3f3a77e82986e0347c03a9360dda8d8d2ffa30b677d9889b443822c

Download Submit
C:\Windows\SysWOW64\PurpleMood.scr

Filesize
7KB

MD5
aea3a6a26dedaea5e221f1c7d24f9a11

SHA1
731b4bffa95eb2a0b10885bd74fa9a92d757ae14

SHA256
685d2836846bc10e7339609f120fc57e7935a8ce9964a7afaf5668428d286ccb

SHA512
84e37373c5be4bff99323077bb887e2e15aed1d5adde9b42ece96ae6e84c8e901bc3d4cce3f3a77e82986e0347c03a9360dda8d8d2ffa30b677d9889b443822c

Download Submit
C:\Windows\SysWOW64\PurpleMood.scr

Filesize
7KB

MD5
aea3a6a26dedaea5e221f1c7d24f9a11

SHA1
731b4bffa95eb2a0b10885bd74fa9a92d757ae14

SHA256
685d2836846bc10e7339609f120fc57e7935a8ce9964a7afaf5668428d286ccb

SHA512
84e37373c5be4bff99323077bb887e2e15aed1d5adde9b42ece96ae6e84c8e901bc3d4cce3f3a77e82986e0347c03a9360dda8d8d2ffa30b677d9889b443822c

Download Submit
C:\Windows\SysWOW64\PurpleMood.scr

Filesize
7KB

MD5
aea3a6a26dedaea5e221f1c7d24f9a11

SHA1
731b4bffa95eb2a0b10885bd74fa9a92d757ae14

SHA256
685d2836846bc10e7339609f120fc57e7935a8ce9964a7afaf5668428d286ccb

SHA512
84e37373c5be4bff99323077bb887e2e15aed1d5adde9b42ece96ae6e84c8e901bc3d4cce3f3a77e82986e0347c03a9360dda8d8d2ffa30b677d9889b443822c

Download Submit
C:\Windows\SysWOW64\PurpleMood.scr

Filesize
7KB

MD5
aea3a6a26dedaea5e221f1c7d24f9a11

SHA1
731b4bffa95eb2a0b10885bd74fa9a92d757ae14

SHA256
685d2836846bc10e7339609f120fc57e7935a8ce9964a7afaf5668428d286ccb

SHA512
84e37373c5be4bff99323077bb887e2e15aed1d5adde9b42ece96ae6e84c8e901bc3d4cce3f3a77e82986e0347c03a9360dda8d8d2ffa30b677d9889b443822c

Download Submit
C:\Windows\SysWOW64\PurpleMood.scr

Filesize
7KB

MD5
aea3a6a26dedaea5e221f1c7d24f9a11

SHA1
731b4bffa95eb2a0b10885bd74fa9a92d757ae14

SHA256
685d2836846bc10e7339609f120fc57e7935a8ce9964a7afaf5668428d286ccb

SHA512
84e37373c5be4bff99323077bb887e2e15aed1d5adde9b42ece96ae6e84c8e901bc3d4cce3f3a77e82986e0347c03a9360dda8d8d2ffa30b677d9889b443822c

Download Submit
C:\Windows\SysWOW64\PurpleMood.scr

Filesize
7KB

MD5
aea3a6a26dedaea5e221f1c7d24f9a11

SHA1
731b4bffa95eb2a0b10885bd74fa9a92d757ae14

SHA256
685d2836846bc10e7339609f120fc57e7935a8ce9964a7afaf5668428d286ccb

SHA512
84e37373c5be4bff99323077bb887e2e15aed1d5adde9b42ece96ae6e84c8e901bc3d4cce3f3a77e82986e0347c03a9360dda8d8d2ffa30b677d9889b443822c

Download Submit
C:\Windows\SysWOW64\PurpleMood.scr

Filesize
7KB

MD5
aea3a6a26dedaea5e221f1c7d24f9a11

SHA1
731b4bffa95eb2a0b10885bd74fa9a92d757ae14

SHA256
685d2836846bc10e7339609f120fc57e7935a8ce9964a7afaf5668428d286ccb

SHA512
84e37373c5be4bff99323077bb887e2e15aed1d5adde9b42ece96ae6e84c8e901bc3d4cce3f3a77e82986e0347c03a9360dda8d8d2ffa30b677d9889b443822c

Download Submit
C:\Windows\SysWOW64\PurpleMood.scr

Filesize
7KB

MD5
aea3a6a26dedaea5e221f1c7d24f9a11

SHA1
731b4bffa95eb2a0b10885bd74fa9a92d757ae14

SHA256
685d2836846bc10e7339609f120fc57e7935a8ce9964a7afaf5668428d286ccb

SHA512
84e37373c5be4bff99323077bb887e2e15aed1d5adde9b42ece96ae6e84c8e901bc3d4cce3f3a77e82986e0347c03a9360dda8d8d2ffa30b677d9889b443822c

Download Submit
C:\Windows\SysWOW64\PurpleMood.scr

Filesize
7KB

MD5
aea3a6a26dedaea5e221f1c7d24f9a11

SHA1
731b4bffa95eb2a0b10885bd74fa9a92d757ae14

SHA256
685d2836846bc10e7339609f120fc57e7935a8ce9964a7afaf5668428d286ccb

SHA512
84e37373c5be4bff99323077bb887e2e15aed1d5adde9b42ece96ae6e84c8e901bc3d4cce3f3a77e82986e0347c03a9360dda8d8d2ffa30b677d9889b443822c

Download Submit
C:\Windows\SysWOW64\PurpleMood.scr

Filesize
7KB

MD5
aea3a6a26dedaea5e221f1c7d24f9a11

SHA1
731b4bffa95eb2a0b10885bd74fa9a92d757ae14

SHA256
685d2836846bc10e7339609f120fc57e7935a8ce9964a7afaf5668428d286ccb

SHA512
84e37373c5be4bff99323077bb887e2e15aed1d5adde9b42ece96ae6e84c8e901bc3d4cce3f3a77e82986e0347c03a9360dda8d8d2ffa30b677d9889b443822c

Download Submit
C:\Windows\SysWOW64\PurpleMood.scr

Filesize
7KB

MD5
aea3a6a26dedaea5e221f1c7d24f9a11

SHA1
731b4bffa95eb2a0b10885bd74fa9a92d757ae14

SHA256
685d2836846bc10e7339609f120fc57e7935a8ce9964a7afaf5668428d286ccb

SHA512
84e37373c5be4bff99323077bb887e2e15aed1d5adde9b42ece96ae6e84c8e901bc3d4cce3f3a77e82986e0347c03a9360dda8d8d2ffa30b677d9889b443822c

Download Submit
C:\Windows\SysWOW64\PurpleMood.scr

Filesize
7KB

MD5
aea3a6a26dedaea5e221f1c7d24f9a11

SHA1
731b4bffa95eb2a0b10885bd74fa9a92d757ae14

SHA256
685d2836846bc10e7339609f120fc57e7935a8ce9964a7afaf5668428d286ccb

SHA512
84e37373c5be4bff99323077bb887e2e15aed1d5adde9b42ece96ae6e84c8e901bc3d4cce3f3a77e82986e0347c03a9360dda8d8d2ffa30b677d9889b443822c

Download Submit
C:\Windows\SysWOW64\PurpleMood.scr

Filesize
7KB

MD5
aea3a6a26dedaea5e221f1c7d24f9a11

SHA1
731b4bffa95eb2a0b10885bd74fa9a92d757ae14

SHA256
685d2836846bc10e7339609f120fc57e7935a8ce9964a7afaf5668428d286ccb

SHA512
84e37373c5be4bff99323077bb887e2e15aed1d5adde9b42ece96ae6e84c8e901bc3d4cce3f3a77e82986e0347c03a9360dda8d8d2ffa30b677d9889b443822c

Download Submit
C:\Windows\SysWOW64\PurpleMood.scr

Filesize
7KB

MD5
aea3a6a26dedaea5e221f1c7d24f9a11

SHA1
731b4bffa95eb2a0b10885bd74fa9a92d757ae14

SHA256
685d2836846bc10e7339609f120fc57e7935a8ce9964a7afaf5668428d286ccb

SHA512
84e37373c5be4bff99323077bb887e2e15aed1d5adde9b42ece96ae6e84c8e901bc3d4cce3f3a77e82986e0347c03a9360dda8d8d2ffa30b677d9889b443822c

Download Submit
C:\Windows\SysWOW64\PurpleMood.scr

Filesize
7KB

MD5
aea3a6a26dedaea5e221f1c7d24f9a11

SHA1
731b4bffa95eb2a0b10885bd74fa9a92d757ae14

SHA256
685d2836846bc10e7339609f120fc57e7935a8ce9964a7afaf5668428d286ccb

SHA512
84e37373c5be4bff99323077bb887e2e15aed1d5adde9b42ece96ae6e84c8e901bc3d4cce3f3a77e82986e0347c03a9360dda8d8d2ffa30b677d9889b443822c

Download Submit
C:\Windows\SysWOW64\PurpleMood.scr

Filesize
7KB

MD5
aea3a6a26dedaea5e221f1c7d24f9a11

SHA1
731b4bffa95eb2a0b10885bd74fa9a92d757ae14

SHA256
685d2836846bc10e7339609f120fc57e7935a8ce9964a7afaf5668428d286ccb

SHA512
84e37373c5be4bff99323077bb887e2e15aed1d5adde9b42ece96ae6e84c8e901bc3d4cce3f3a77e82986e0347c03a9360dda8d8d2ffa30b677d9889b443822c

Download Submit
C:\Windows\SysWOW64\PurpleMood.scr

Filesize
7KB

MD5
aea3a6a26dedaea5e221f1c7d24f9a11

SHA1
731b4bffa95eb2a0b10885bd74fa9a92d757ae14

SHA256
685d2836846bc10e7339609f120fc57e7935a8ce9964a7afaf5668428d286ccb

SHA512
84e37373c5be4bff99323077bb887e2e15aed1d5adde9b42ece96ae6e84c8e901bc3d4cce3f3a77e82986e0347c03a9360dda8d8d2ffa30b677d9889b443822c

Download Submit
C:\Windows\SysWOW64\PurpleMood.scr

Filesize
7KB

MD5
aea3a6a26dedaea5e221f1c7d24f9a11

SHA1
731b4bffa95eb2a0b10885bd74fa9a92d757ae14

SHA256
685d2836846bc10e7339609f120fc57e7935a8ce9964a7afaf5668428d286ccb

SHA512
84e37373c5be4bff99323077bb887e2e15aed1d5adde9b42ece96ae6e84c8e901bc3d4cce3f3a77e82986e0347c03a9360dda8d8d2ffa30b677d9889b443822c

Download Submit
C:\Windows\SysWOW64\PurpleMood.scr

Filesize
7KB

MD5
aea3a6a26dedaea5e221f1c7d24f9a11

SHA1
731b4bffa95eb2a0b10885bd74fa9a92d757ae14

SHA256
685d2836846bc10e7339609f120fc57e7935a8ce9964a7afaf5668428d286ccb

SHA512
84e37373c5be4bff99323077bb887e2e15aed1d5adde9b42ece96ae6e84c8e901bc3d4cce3f3a77e82986e0347c03a9360dda8d8d2ffa30b677d9889b443822c

Download Submit
C:\Windows\SysWOW64\PurpleMood.scr

Filesize
7KB

MD5
aea3a6a26dedaea5e221f1c7d24f9a11

SHA1
731b4bffa95eb2a0b10885bd74fa9a92d757ae14

SHA256
685d2836846bc10e7339609f120fc57e7935a8ce9964a7afaf5668428d286ccb

SHA512
84e37373c5be4bff99323077bb887e2e15aed1d5adde9b42ece96ae6e84c8e901bc3d4cce3f3a77e82986e0347c03a9360dda8d8d2ffa30b677d9889b443822c

Download Submit
C:\Windows\SysWOW64\PurpleMood.scr

Filesize
7KB

MD5
aea3a6a26dedaea5e221f1c7d24f9a11

SHA1
731b4bffa95eb2a0b10885bd74fa9a92d757ae14

SHA256
685d2836846bc10e7339609f120fc57e7935a8ce9964a7afaf5668428d286ccb

SHA512
84e37373c5be4bff99323077bb887e2e15aed1d5adde9b42ece96ae6e84c8e901bc3d4cce3f3a77e82986e0347c03a9360dda8d8d2ffa30b677d9889b443822c

Download Submit
C:\Windows\SysWOW64\PurpleMood.scr

Filesize
7KB

MD5
aea3a6a26dedaea5e221f1c7d24f9a11

SHA1
731b4bffa95eb2a0b10885bd74fa9a92d757ae14

SHA256
685d2836846bc10e7339609f120fc57e7935a8ce9964a7afaf5668428d286ccb

SHA512
84e37373c5be4bff99323077bb887e2e15aed1d5adde9b42ece96ae6e84c8e901bc3d4cce3f3a77e82986e0347c03a9360dda8d8d2ffa30b677d9889b443822c

Download Submit
C:\Windows\SysWOW64\PurpleMood.scr

Filesize
7KB

MD5
aea3a6a26dedaea5e221f1c7d24f9a11

SHA1
731b4bffa95eb2a0b10885bd74fa9a92d757ae14

SHA256
685d2836846bc10e7339609f120fc57e7935a8ce9964a7afaf5668428d286ccb

SHA512
84e37373c5be4bff99323077bb887e2e15aed1d5adde9b42ece96ae6e84c8e901bc3d4cce3f3a77e82986e0347c03a9360dda8d8d2ffa30b677d9889b443822c

Download Submit
C:\Windows\SysWOW64\PurpleMood.scr

Filesize
7KB

MD5
aea3a6a26dedaea5e221f1c7d24f9a11

SHA1
731b4bffa95eb2a0b10885bd74fa9a92d757ae14

SHA256
685d2836846bc10e7339609f120fc57e7935a8ce9964a7afaf5668428d286ccb

SHA512
84e37373c5be4bff99323077bb887e2e15aed1d5adde9b42ece96ae6e84c8e901bc3d4cce3f3a77e82986e0347c03a9360dda8d8d2ffa30b677d9889b443822c

Download Submit
C:\Windows\SysWOW64\PurpleMood.scr

Filesize
7KB

MD5
aea3a6a26dedaea5e221f1c7d24f9a11

SHA1
731b4bffa95eb2a0b10885bd74fa9a92d757ae14

SHA256
685d2836846bc10e7339609f120fc57e7935a8ce9964a7afaf5668428d286ccb

SHA512
84e37373c5be4bff99323077bb887e2e15aed1d5adde9b42ece96ae6e84c8e901bc3d4cce3f3a77e82986e0347c03a9360dda8d8d2ffa30b677d9889b443822c

Download Submit
C:\Windows\SysWOW64\PurpleMood.scr

Filesize
7KB

MD5
aea3a6a26dedaea5e221f1c7d24f9a11

SHA1
731b4bffa95eb2a0b10885bd74fa9a92d757ae14

SHA256
685d2836846bc10e7339609f120fc57e7935a8ce9964a7afaf5668428d286ccb

SHA512
84e37373c5be4bff99323077bb887e2e15aed1d5adde9b42ece96ae6e84c8e901bc3d4cce3f3a77e82986e0347c03a9360dda8d8d2ffa30b677d9889b443822c

Download Submit
C:\Windows\SysWOW64\PurpleMood.scr

Filesize
7KB

MD5
aea3a6a26dedaea5e221f1c7d24f9a11

SHA1
731b4bffa95eb2a0b10885bd74fa9a92d757ae14

SHA256
685d2836846bc10e7339609f120fc57e7935a8ce9964a7afaf5668428d286ccb

SHA512
84e37373c5be4bff99323077bb887e2e15aed1d5adde9b42ece96ae6e84c8e901bc3d4cce3f3a77e82986e0347c03a9360dda8d8d2ffa30b677d9889b443822c

Download Submit
C:\Windows\SysWOW64\PurpleMood.scr

Filesize
7KB

MD5
aea3a6a26dedaea5e221f1c7d24f9a11

SHA1
731b4bffa95eb2a0b10885bd74fa9a92d757ae14

SHA256
685d2836846bc10e7339609f120fc57e7935a8ce9964a7afaf5668428d286ccb

SHA512
84e37373c5be4bff99323077bb887e2e15aed1d5adde9b42ece96ae6e84c8e901bc3d4cce3f3a77e82986e0347c03a9360dda8d8d2ffa30b677d9889b443822c

Download Submit
C:\Windows\SysWOW64\PurpleMood.scr

Filesize
7KB

MD5
aea3a6a26dedaea5e221f1c7d24f9a11

SHA1
731b4bffa95eb2a0b10885bd74fa9a92d757ae14

SHA256
685d2836846bc10e7339609f120fc57e7935a8ce9964a7afaf5668428d286ccb

SHA512
84e37373c5be4bff99323077bb887e2e15aed1d5adde9b42ece96ae6e84c8e901bc3d4cce3f3a77e82986e0347c03a9360dda8d8d2ffa30b677d9889b443822c

Download Submit
C:\Windows\SysWOW64\PurpleMood.scr

Filesize
7KB

MD5
aea3a6a26dedaea5e221f1c7d24f9a11

SHA1
731b4bffa95eb2a0b10885bd74fa9a92d757ae14

SHA256
685d2836846bc10e7339609f120fc57e7935a8ce9964a7afaf5668428d286ccb

SHA512
84e37373c5be4bff99323077bb887e2e15aed1d5adde9b42ece96ae6e84c8e901bc3d4cce3f3a77e82986e0347c03a9360dda8d8d2ffa30b677d9889b443822c

Download Submit
C:\Windows\SysWOW64\PurpleMood.scr

Filesize
7KB

MD5
aea3a6a26dedaea5e221f1c7d24f9a11

SHA1
731b4bffa95eb2a0b10885bd74fa9a92d757ae14

SHA256
685d2836846bc10e7339609f120fc57e7935a8ce9964a7afaf5668428d286ccb

SHA512
84e37373c5be4bff99323077bb887e2e15aed1d5adde9b42ece96ae6e84c8e901bc3d4cce3f3a77e82986e0347c03a9360dda8d8d2ffa30b677d9889b443822c

Download Submit
C:\Windows\SysWOW64\PurpleMood.scr

Filesize
7KB

MD5
aea3a6a26dedaea5e221f1c7d24f9a11

SHA1
731b4bffa95eb2a0b10885bd74fa9a92d757ae14

SHA256
685d2836846bc10e7339609f120fc57e7935a8ce9964a7afaf5668428d286ccb

SHA512
84e37373c5be4bff99323077bb887e2e15aed1d5adde9b42ece96ae6e84c8e901bc3d4cce3f3a77e82986e0347c03a9360dda8d8d2ffa30b677d9889b443822c

Download Submit
C:\Windows\SysWOW64\PurpleMood.scr

Filesize
7KB

MD5
aea3a6a26dedaea5e221f1c7d24f9a11

SHA1
731b4bffa95eb2a0b10885bd74fa9a92d757ae14

SHA256
685d2836846bc10e7339609f120fc57e7935a8ce9964a7afaf5668428d286ccb

SHA512
84e37373c5be4bff99323077bb887e2e15aed1d5adde9b42ece96ae6e84c8e901bc3d4cce3f3a77e82986e0347c03a9360dda8d8d2ffa30b677d9889b443822c

Download Submit
C:\Windows\SysWOW64\PurpleMood.scr

Filesize
7KB

MD5
aea3a6a26dedaea5e221f1c7d24f9a11

SHA1
731b4bffa95eb2a0b10885bd74fa9a92d757ae14

SHA256
685d2836846bc10e7339609f120fc57e7935a8ce9964a7afaf5668428d286ccb

SHA512
84e37373c5be4bff99323077bb887e2e15aed1d5adde9b42ece96ae6e84c8e901bc3d4cce3f3a77e82986e0347c03a9360dda8d8d2ffa30b677d9889b443822c

Download Submit
C:\Windows\SysWOW64\PurpleMood.scr

Filesize
7KB

MD5
aea3a6a26dedaea5e221f1c7d24f9a11

SHA1
731b4bffa95eb2a0b10885bd74fa9a92d757ae14

SHA256
685d2836846bc10e7339609f120fc57e7935a8ce9964a7afaf5668428d286ccb

SHA512
84e37373c5be4bff99323077bb887e2e15aed1d5adde9b42ece96ae6e84c8e901bc3d4cce3f3a77e82986e0347c03a9360dda8d8d2ffa30b677d9889b443822c

Download Submit
C:\Windows\SysWOW64\PurpleMood.scr

Filesize
7KB

MD5
aea3a6a26dedaea5e221f1c7d24f9a11

SHA1
731b4bffa95eb2a0b10885bd74fa9a92d757ae14

SHA256
685d2836846bc10e7339609f120fc57e7935a8ce9964a7afaf5668428d286ccb

SHA512
84e37373c5be4bff99323077bb887e2e15aed1d5adde9b42ece96ae6e84c8e901bc3d4cce3f3a77e82986e0347c03a9360dda8d8d2ffa30b677d9889b443822c

Download Submit
C:\Windows\SysWOW64\PurpleMood.scr

Filesize
7KB

MD5
aea3a6a26dedaea5e221f1c7d24f9a11

SHA1
731b4bffa95eb2a0b10885bd74fa9a92d757ae14

SHA256
685d2836846bc10e7339609f120fc57e7935a8ce9964a7afaf5668428d286ccb

SHA512
84e37373c5be4bff99323077bb887e2e15aed1d5adde9b42ece96ae6e84c8e901bc3d4cce3f3a77e82986e0347c03a9360dda8d8d2ffa30b677d9889b443822c

Download Submit
C:\Windows\SysWOW64\PurpleMood.scr

Filesize
7KB

MD5
aea3a6a26dedaea5e221f1c7d24f9a11

SHA1
731b4bffa95eb2a0b10885bd74fa9a92d757ae14

SHA256
685d2836846bc10e7339609f120fc57e7935a8ce9964a7afaf5668428d286ccb

SHA512
84e37373c5be4bff99323077bb887e2e15aed1d5adde9b42ece96ae6e84c8e901bc3d4cce3f3a77e82986e0347c03a9360dda8d8d2ffa30b677d9889b443822c

Download Submit
C:\Windows\SysWOW64\PurpleMood.scr

Filesize
7KB

MD5
aea3a6a26dedaea5e221f1c7d24f9a11

SHA1
731b4bffa95eb2a0b10885bd74fa9a92d757ae14

SHA256
685d2836846bc10e7339609f120fc57e7935a8ce9964a7afaf5668428d286ccb

SHA512
84e37373c5be4bff99323077bb887e2e15aed1d5adde9b42ece96ae6e84c8e901bc3d4cce3f3a77e82986e0347c03a9360dda8d8d2ffa30b677d9889b443822c

Download Submit
C:\Windows\SysWOW64\PurpleMood.scr

Filesize
7KB

MD5
aea3a6a26dedaea5e221f1c7d24f9a11

SHA1
731b4bffa95eb2a0b10885bd74fa9a92d757ae14

SHA256
685d2836846bc10e7339609f120fc57e7935a8ce9964a7afaf5668428d286ccb

SHA512
84e37373c5be4bff99323077bb887e2e15aed1d5adde9b42ece96ae6e84c8e901bc3d4cce3f3a77e82986e0347c03a9360dda8d8d2ffa30b677d9889b443822c

Download Submit
C:\Windows\SysWOW64\PurpleMood.scr

Filesize
7KB

MD5
aea3a6a26dedaea5e221f1c7d24f9a11

SHA1
731b4bffa95eb2a0b10885bd74fa9a92d757ae14

SHA256
685d2836846bc10e7339609f120fc57e7935a8ce9964a7afaf5668428d286ccb

SHA512
84e37373c5be4bff99323077bb887e2e15aed1d5adde9b42ece96ae6e84c8e901bc3d4cce3f3a77e82986e0347c03a9360dda8d8d2ffa30b677d9889b443822c

Download Submit
C:\Windows\SysWOW64\PurpleMood.scr

Filesize
7KB

MD5
aea3a6a26dedaea5e221f1c7d24f9a11

SHA1
731b4bffa95eb2a0b10885bd74fa9a92d757ae14

SHA256
685d2836846bc10e7339609f120fc57e7935a8ce9964a7afaf5668428d286ccb

SHA512
84e37373c5be4bff99323077bb887e2e15aed1d5adde9b42ece96ae6e84c8e901bc3d4cce3f3a77e82986e0347c03a9360dda8d8d2ffa30b677d9889b443822c

Download Submit
C:\Windows\SysWOW64\PurpleMood.scr

Filesize
7KB

MD5
aea3a6a26dedaea5e221f1c7d24f9a11

SHA1
731b4bffa95eb2a0b10885bd74fa9a92d757ae14

SHA256
685d2836846bc10e7339609f120fc57e7935a8ce9964a7afaf5668428d286ccb

SHA512
84e37373c5be4bff99323077bb887e2e15aed1d5adde9b42ece96ae6e84c8e901bc3d4cce3f3a77e82986e0347c03a9360dda8d8d2ffa30b677d9889b443822c

Download Submit
C:\Windows\SysWOW64\PurpleMood.scr

Filesize
7KB

MD5
aea3a6a26dedaea5e221f1c7d24f9a11

SHA1
731b4bffa95eb2a0b10885bd74fa9a92d757ae14

SHA256
685d2836846bc10e7339609f120fc57e7935a8ce9964a7afaf5668428d286ccb

SHA512
84e37373c5be4bff99323077bb887e2e15aed1d5adde9b42ece96ae6e84c8e901bc3d4cce3f3a77e82986e0347c03a9360dda8d8d2ffa30b677d9889b443822c

Download Submit
C:\Windows\SysWOW64\PurpleMood.scr

Filesize
7KB

MD5
aea3a6a26dedaea5e221f1c7d24f9a11

SHA1
731b4bffa95eb2a0b10885bd74fa9a92d757ae14

SHA256
685d2836846bc10e7339609f120fc57e7935a8ce9964a7afaf5668428d286ccb

SHA512
84e37373c5be4bff99323077bb887e2e15aed1d5adde9b42ece96ae6e84c8e901bc3d4cce3f3a77e82986e0347c03a9360dda8d8d2ffa30b677d9889b443822c

Download Submit
C:\Windows\SysWOW64\PurpleMood.scr

Filesize
7KB

MD5
aea3a6a26dedaea5e221f1c7d24f9a11

SHA1
731b4bffa95eb2a0b10885bd74fa9a92d757ae14

SHA256
685d2836846bc10e7339609f120fc57e7935a8ce9964a7afaf5668428d286ccb

SHA512
84e37373c5be4bff99323077bb887e2e15aed1d5adde9b42ece96ae6e84c8e901bc3d4cce3f3a77e82986e0347c03a9360dda8d8d2ffa30b677d9889b443822c

Download Submit
C:\Windows\SysWOW64\PurpleMood.scr

Filesize
7KB

MD5
aea3a6a26dedaea5e221f1c7d24f9a11

SHA1
731b4bffa95eb2a0b10885bd74fa9a92d757ae14

SHA256
685d2836846bc10e7339609f120fc57e7935a8ce9964a7afaf5668428d286ccb

SHA512
84e37373c5be4bff99323077bb887e2e15aed1d5adde9b42ece96ae6e84c8e901bc3d4cce3f3a77e82986e0347c03a9360dda8d8d2ffa30b677d9889b443822c

Download Submit
C:\Windows\SysWOW64\PurpleMood.scr

Filesize
7KB

MD5
aea3a6a26dedaea5e221f1c7d24f9a11

SHA1
731b4bffa95eb2a0b10885bd74fa9a92d757ae14

SHA256
685d2836846bc10e7339609f120fc57e7935a8ce9964a7afaf5668428d286ccb

SHA512
84e37373c5be4bff99323077bb887e2e15aed1d5adde9b42ece96ae6e84c8e901bc3d4cce3f3a77e82986e0347c03a9360dda8d8d2ffa30b677d9889b443822c

Download Submit
C:\Windows\SysWOW64\PurpleMood.scr

Filesize
7KB

MD5
aea3a6a26dedaea5e221f1c7d24f9a11

SHA1
731b4bffa95eb2a0b10885bd74fa9a92d757ae14

SHA256
685d2836846bc10e7339609f120fc57e7935a8ce9964a7afaf5668428d286ccb

SHA512
84e37373c5be4bff99323077bb887e2e15aed1d5adde9b42ece96ae6e84c8e901bc3d4cce3f3a77e82986e0347c03a9360dda8d8d2ffa30b677d9889b443822c

Download Submit
C:\Windows\SysWOW64\PurpleMood.scr

Filesize
7KB

MD5
aea3a6a26dedaea5e221f1c7d24f9a11

SHA1
731b4bffa95eb2a0b10885bd74fa9a92d757ae14

SHA256
685d2836846bc10e7339609f120fc57e7935a8ce9964a7afaf5668428d286ccb

SHA512
84e37373c5be4bff99323077bb887e2e15aed1d5adde9b42ece96ae6e84c8e901bc3d4cce3f3a77e82986e0347c03a9360dda8d8d2ffa30b677d9889b443822c

Download Submit
C:\Windows\SysWOW64\PurpleMood.scr

Filesize
7KB

MD5
aea3a6a26dedaea5e221f1c7d24f9a11

SHA1
731b4bffa95eb2a0b10885bd74fa9a92d757ae14

SHA256
685d2836846bc10e7339609f120fc57e7935a8ce9964a7afaf5668428d286ccb

SHA512
84e37373c5be4bff99323077bb887e2e15aed1d5adde9b42ece96ae6e84c8e901bc3d4cce3f3a77e82986e0347c03a9360dda8d8d2ffa30b677d9889b443822c

Download Submit
C:\Windows\SysWOW64\PurpleMood.scr

Filesize
7KB

MD5
aea3a6a26dedaea5e221f1c7d24f9a11

SHA1
731b4bffa95eb2a0b10885bd74fa9a92d757ae14

SHA256
685d2836846bc10e7339609f120fc57e7935a8ce9964a7afaf5668428d286ccb

SHA512
84e37373c5be4bff99323077bb887e2e15aed1d5adde9b42ece96ae6e84c8e901bc3d4cce3f3a77e82986e0347c03a9360dda8d8d2ffa30b677d9889b443822c

Download Submit
C:\Windows\SysWOW64\PurpleMood.scr

Filesize
7KB

MD5
aea3a6a26dedaea5e221f1c7d24f9a11

SHA1
731b4bffa95eb2a0b10885bd74fa9a92d757ae14

SHA256
685d2836846bc10e7339609f120fc57e7935a8ce9964a7afaf5668428d286ccb

SHA512
84e37373c5be4bff99323077bb887e2e15aed1d5adde9b42ece96ae6e84c8e901bc3d4cce3f3a77e82986e0347c03a9360dda8d8d2ffa30b677d9889b443822c

Download Submit
C:\Windows\SysWOW64\PurpleMood.scr

Filesize
7KB

MD5
aea3a6a26dedaea5e221f1c7d24f9a11

SHA1
731b4bffa95eb2a0b10885bd74fa9a92d757ae14

SHA256
685d2836846bc10e7339609f120fc57e7935a8ce9964a7afaf5668428d286ccb

SHA512
84e37373c5be4bff99323077bb887e2e15aed1d5adde9b42ece96ae6e84c8e901bc3d4cce3f3a77e82986e0347c03a9360dda8d8d2ffa30b677d9889b443822c

Download Submit
memory/220-272-0x0000000000400000-0x0000000000403000-memory.dmp

Filesize
12KB

Download
memory/332-217-0x0000000000400000-0x0000000000403000-memory.dmp

Filesize
12KB

Download
memory/932-313-0x0000000000400000-0x0000000000403000-memory.dmp

Filesize
12KB

Download
memory/968-211-0x0000000000400000-0x0000000000403000-memory.dmp

Filesize
12KB

Download
memory/1376-322-0x0000000000400000-0x0000000000403000-memory.dmp

Filesize
12KB

Download
memory/1536-214-0x0000000000400000-0x0000000000403000-memory.dmp

Filesize
12KB

Download
memory/1612-316-0x0000000000400000-0x0000000000403000-memory.dmp

Filesize
12KB

Download
memory/1868-300-0x0000000000400000-0x0000000000403000-memory.dmp

Filesize
12KB

Download
memory/1960-308-0x0000000000400000-0x0000000000403000-memory.dmp

Filesize
12KB

Download
memory/2008-296-0x0000000000400000-0x0000000000403000-memory.dmp

Filesize
12KB

Download
memory/2116-260-0x0000000000400000-0x0000000000403000-memory.dmp

Filesize
12KB

Download
memory/2220-230-0x0000000000400000-0x0000000000403000-memory.dmp

Filesize
12KB

Download
memory/2244-292-0x0000000000400000-0x0000000000403000-memory.dmp

Filesize
12KB

Download
memory/2256-304-0x0000000000400000-0x0000000000403000-memory.dmp

Filesize
12KB

Download
memory/2312-208-0x0000000000400000-0x0000000000403000-memory.dmp

Filesize
12KB

Download
memory/2344-249-0x0000000000400000-0x0000000000403000-memory.dmp

Filesize
12KB

Download
memory/2364-250-0x0000000000400000-0x0000000000403000-memory.dmp

Filesize
12KB

Download
memory/2380-205-0x0000000000400000-0x0000000000403000-memory.dmp

Filesize
12KB

Download
memory/2472-303-0x0000000000400000-0x0000000000403000-memory.dmp

Filesize
12KB

Download
memory/2488-246-0x0000000000400000-0x0000000000403000-memory.dmp

Filesize
12KB

Download
memory/2620-202-0x0000000000400000-0x0000000000403000-memory.dmp

Filesize
12KB

Download
memory/2636-269-0x0000000000400000-0x0000000000403000-memory.dmp

Filesize
12KB

Download
memory/2672-224-0x0000000000400000-0x0000000000403000-memory.dmp

Filesize
12KB

Download
memory/2676-310-0x0000000000400000-0x0000000000403000-memory.dmp

Filesize
12KB

Download
memory/2700-291-0x0000000000400000-0x0000000000403000-memory.dmp

Filesize
12KB

Download
memory/2724-240-0x0000000000400000-0x0000000000403000-memory.dmp

Filesize
12KB

Download
memory/2736-227-0x0000000000400000-0x0000000000403000-memory.dmp

Filesize
12KB

Download
memory/2892-236-0x0000000000400000-0x0000000000403000-memory.dmp

Filesize
12KB

Download
memory/2996-319-0x0000000000400000-0x0000000000403000-memory.dmp

Filesize
12KB

Download
memory/3016-256-0x0000000000400000-0x0000000000403000-memory.dmp

Filesize
12KB

Download
memory/3052-301-0x0000000000400000-0x0000000000403000-memory.dmp

Filesize
12KB

Download
memory/3064-233-0x0000000000400000-0x0000000000403000-memory.dmp

Filesize
12KB

Download
memory/3176-263-0x0000000000400000-0x0000000000403000-memory.dmp

Filesize
12KB

Download
memory/3272-306-0x0000000000400000-0x0000000000403000-memory.dmp

Filesize
12KB

Download
memory/3540-243-0x0000000000400000-0x0000000000403000-memory.dmp

Filesize
12KB

Download
memory/3544-254-0x0000000000400000-0x0000000000403000-memory.dmp

Filesize
12KB

Download
memory/3604-242-0x0000000000400000-0x0000000000403000-memory.dmp

Filesize
12KB

Download
memory/3716-302-0x0000000000400000-0x0000000000403000-memory.dmp

Filesize
12KB

Download
memory/3768-320-0x0000000000400000-0x0000000000403000-memory.dmp

Filesize
12KB

Download
memory/3892-312-0x0000000000400000-0x0000000000403000-memory.dmp

Filesize
12KB

Download
memory/3968-299-0x0000000000400000-0x0000000000403000-memory.dmp

Filesize
12KB

Download
memory/4028-321-0x0000000000400000-0x0000000000403000-memory.dmp

Filesize
12KB

Download
memory/4060-323-0x0000000000400000-0x0000000000403000-memory.dmp

Filesize
12KB

Download
memory/4152-297-0x0000000000400000-0x0000000000403000-memory.dmp

Filesize
12KB

Download
memory/4172-315-0x0000000000400000-0x0000000000403000-memory.dmp

Filesize
12KB

Download
memory/4204-298-0x0000000000400000-0x0000000000403000-memory.dmp

Filesize
12KB

Download
memory/4284-307-0x0000000000400000-0x0000000000403000-memory.dmp

Filesize
12KB

Download
memory/4288-305-0x0000000000400000-0x0000000000403000-memory.dmp

Filesize
12KB

Download
memory/4328-275-0x0000000000400000-0x0000000000403000-memory.dmp

Filesize
12KB

Download
memory/4336-317-0x0000000000400000-0x0000000000403000-memory.dmp

Filesize
12KB

Download
memory/4356-293-0x0000000000400000-0x0000000000403000-memory.dmp

Filesize
12KB

Download
memory/4492-314-0x0000000000400000-0x0000000000403000-memory.dmp

Filesize
12KB

Download
memory/4648-295-0x0000000000400000-0x0000000000403000-memory.dmp

Filesize
12KB

Download
memory/4664-318-0x0000000000400000-0x0000000000403000-memory.dmp

Filesize
12KB

Download
memory/4680-266-0x0000000000400000-0x0000000000403000-memory.dmp

Filesize
12KB

Download
memory/4696-279-0x0000000000400000-0x0000000000403000-memory.dmp

Filesize
12KB

Download
memory/4848-294-0x0000000000400000-0x0000000000403000-memory.dmp

Filesize
12KB

Download
memory/4856-311-0x0000000000400000-0x0000000000403000-memory.dmp

Filesize
12KB

Download
memory/4860-226-0x0000000000400000-0x0000000000403000-memory.dmp

Filesize
12KB

Download
memory/4892-220-0x0000000000400000-0x0000000000403000-memory.dmp

Filesize
12KB

Download
memory/4984-309-0x0000000000400000-0x0000000000403000-memory.dmp

Filesize
12KB

Download
memory/5040-200-0x0000000000400000-0x0000000000403000-memory.dmp

Filesize
12KB

Download
memory/5088-197-0x0000000000400000-0x0000000000403000-memory.dmp

Filesize
12KB

Download
memory/5116-257-0x0000000000400000-0x0000000000403000-memory.dmp

Filesize
12KB

Download