ce44a2f879b46c185ee8ccd9396a7e31c2ef10e03b4099c4a2f9484fcb1809fa

Analysis

max time kernel
151s
max time network
136s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
29-11-2022 13:08

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ce44a2f879b46c185ee8ccd9396a7e31c2ef10e03b4099c4a2f9484fcb1809fa.exe
Size

7KB
MD5

8fd3d334cdcaf7645235287d02e6a5a1
SHA1

3ed768bcf12c5788395d751bf7261e7a8526a3b6
SHA256

ce44a2f879b46c185ee8ccd9396a7e31c2ef10e03b4099c4a2f9484fcb1809fa
SHA512

abd8fc5d9c75aa0ae6674b6c47159f7f780301f3b4b3471f63807e82eae9f17f989ff83ef8b5f990193ad22bc6fad6c0f7ac9f3dbec4dada7efefea6124cc042
SSDEEP

96:G/l32tdsBxZXIWtez1eG6P48a1JIwljdph1fdHp:G/mdsXCWteReGfdJIwrpDfdJ

Score

8^/10

persistence

Malware Config

Signatures

Executes dropped EXE 64 IoCs

pid	Process
1260	PurpleMood.scr
1724	PurpleMood.scr
1616	PurpleMood.scr
3504	PurpleMood.scr
4188	PurpleMood.scr
4928	PurpleMood.scr
4844	PurpleMood.scr
4912	PurpleMood.scr
4808	PurpleMood.scr
5032	PurpleMood.scr
644	PurpleMood.scr
996	PurpleMood.scr
2140	PurpleMood.scr
1284	PurpleMood.scr
1744	PurpleMood.scr
2332	PurpleMood.scr
2228	PurpleMood.scr
1572	PurpleMood.scr
1496	PurpleMood.scr
2752	PurpleMood.scr
204	PurpleMood.scr
4008	PurpleMood.scr
912	PurpleMood.scr
3812	PurpleMood.scr
3736	PurpleMood.scr
4956	PurpleMood.scr
1560	PurpleMood.scr
2588	PurpleMood.scr
3684	PurpleMood.scr
3868	PurpleMood.scr
2244	PurpleMood.scr
3672	PurpleMood.scr
2160	PurpleMood.scr
2308	PurpleMood.scr
1500	PurpleMood.scr
1300	PurpleMood.scr
1840	PurpleMood.scr
4388	PurpleMood.scr
4484	PurpleMood.scr
3460	PurpleMood.scr
3380	PurpleMood.scr
4860	PurpleMood.scr
4784	PurpleMood.scr
3688	PurpleMood.scr
1028	PurpleMood.scr
3388	PurpleMood.scr
4076	PurpleMood.scr
2460	PurpleMood.scr
4800	PurpleMood.scr
3568	PurpleMood.scr
1516	PurpleMood.scr
2272	PurpleMood.scr
336	PurpleMood.scr
3088	PurpleMood.scr
4888	PurpleMood.scr
2164	PurpleMood.scr
744	PurpleMood.scr
1896	PurpleMood.scr
2200	PurpleMood.scr
3932	PurpleMood.scr
2052	PurpleMood.scr
1928	PurpleMood.scr
4836	PurpleMood.scr
5044	PurpleMood.scr

Adds Run key to start application 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\PurpleMood = "C:\\Windows\\system32\\PurpleMood.scr"	PurpleMood.scr
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\PurpleMood = "C:\\Windows\\system32\\PurpleMood.scr"	PurpleMood.scr
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Run	PurpleMood.scr
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\PurpleMood = "C:\\Windows\\system32\\PurpleMood.scr"	PurpleMood.scr
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\PurpleMood = "C:\\Windows\\system32\\PurpleMood.scr"	PurpleMood.scr
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Run	PurpleMood.scr
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\PurpleMood = "C:\\Windows\\system32\\PurpleMood.scr"	PurpleMood.scr
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Run	PurpleMood.scr
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\PurpleMood = "C:\\Windows\\system32\\PurpleMood.scr"	PurpleMood.scr
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Run	Process not Found
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Run	PurpleMood.scr
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Run	Process not Found
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Run	PurpleMood.scr
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Run	Process not Found
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Run	Process not Found
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Run	PurpleMood.scr
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Run	Process not Found
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\PurpleMood = "C:\\Windows\\system32\\PurpleMood.scr"	Process not Found
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\PurpleMood = "C:\\Windows\\system32\\PurpleMood.scr"	PurpleMood.scr
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\PurpleMood = "C:\\Windows\\system32\\PurpleMood.scr"	PurpleMood.scr
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\PurpleMood = "C:\\Windows\\system32\\PurpleMood.scr"	PurpleMood.scr
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\PurpleMood = "C:\\Windows\\system32\\PurpleMood.scr"	PurpleMood.scr
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Run	PurpleMood.scr
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Run	Process not Found
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\PurpleMood = "C:\\Windows\\system32\\PurpleMood.scr"	Process not Found
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Run	Process not Found
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\PurpleMood = "C:\\Windows\\system32\\PurpleMood.scr"	Process not Found
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\PurpleMood = "C:\\Windows\\system32\\PurpleMood.scr"	Process not Found
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Run	PurpleMood.scr
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\PurpleMood = "C:\\Windows\\system32\\PurpleMood.scr"	PurpleMood.scr
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Run	Process not Found
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Run	Process not Found
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\PurpleMood = "C:\\Windows\\system32\\PurpleMood.scr"	Process not Found
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Run	PurpleMood.scr
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\PurpleMood = "C:\\Windows\\system32\\PurpleMood.scr"	PurpleMood.scr
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Run	PurpleMood.scr
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Run	Process not Found
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\PurpleMood = "C:\\Windows\\system32\\PurpleMood.scr"	PurpleMood.scr
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Run	PurpleMood.scr
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Run	Process not Found
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Run	PurpleMood.scr
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\PurpleMood = "C:\\Windows\\system32\\PurpleMood.scr"	Process not Found
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Run	Process not Found
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\PurpleMood = "C:\\Windows\\system32\\PurpleMood.scr"	Process not Found
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\PurpleMood = "C:\\Windows\\system32\\PurpleMood.scr"	PurpleMood.scr
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\PurpleMood = "C:\\Windows\\system32\\PurpleMood.scr"	Process not Found
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\PurpleMood = "C:\\Windows\\system32\\PurpleMood.scr"	PurpleMood.scr
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Run	Process not Found
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Run	PurpleMood.scr
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\PurpleMood = "C:\\Windows\\system32\\PurpleMood.scr"	PurpleMood.scr
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Run	PurpleMood.scr
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\PurpleMood = "C:\\Windows\\system32\\PurpleMood.scr"	Process not Found
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Run	Process not Found
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Run	Process not Found
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\PurpleMood = "C:\\Windows\\system32\\PurpleMood.scr"	PurpleMood.scr
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Run	PurpleMood.scr
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\PurpleMood = "C:\\Windows\\system32\\PurpleMood.scr"	Process not Found
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\PurpleMood = "C:\\Windows\\system32\\PurpleMood.scr"	PurpleMood.scr
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Run	PurpleMood.scr
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Run	PurpleMood.scr
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Run	PurpleMood.scr
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\PurpleMood = "C:\\Windows\\system32\\PurpleMood.scr"	PurpleMood.scr
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\PurpleMood = "C:\\Windows\\system32\\PurpleMood.scr"	Process not Found
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\PurpleMood = "C:\\Windows\\system32\\PurpleMood.scr"	Process not Found

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\PurpleMood.scr	Process not Found
File created	C:\Windows\SysWOW64\PurpleMood.scr	Process not Found
File created	C:\Windows\SysWOW64\PurpleMood.scr	Process not Found
File created	C:\Windows\SysWOW64\PurpleMood.scr	PurpleMood.scr
File created	C:\Windows\SysWOW64\PurpleMood.scr	PurpleMood.scr
File created	C:\Windows\SysWOW64\PurpleMood.scr	Process not Found
File created	C:\Windows\SysWOW64\PurpleMood.scr	Process not Found
File created	C:\Windows\SysWOW64\PurpleMood.scr	PurpleMood.scr
File created	C:\Windows\SysWOW64\PurpleMood.scr	Process not Found
File created	C:\Windows\SysWOW64\PurpleMood.scr	Process not Found
File created	C:\Windows\SysWOW64\PurpleMood.scr	Process not Found
File created	C:\Windows\SysWOW64\PurpleMood.scr	Process not Found
File created	C:\Windows\SysWOW64\PurpleMood.scr	PurpleMood.scr
File created	C:\Windows\SysWOW64\PurpleMood.scr	Process not Found
File created	C:\Windows\SysWOW64\PurpleMood.scr	Process not Found
File created	C:\Windows\SysWOW64\PurpleMood.scr	PurpleMood.scr
File created	C:\Windows\SysWOW64\PurpleMood.scr	PurpleMood.scr
File created	C:\Windows\SysWOW64\PurpleMood.scr	PurpleMood.scr
File created	C:\Windows\SysWOW64\PurpleMood.scr	PurpleMood.scr
File created	C:\Windows\SysWOW64\PurpleMood.scr	PurpleMood.scr
File created	C:\Windows\SysWOW64\PurpleMood.scr	PurpleMood.scr
File created	C:\Windows\SysWOW64\PurpleMood.scr	PurpleMood.scr
File created	C:\Windows\SysWOW64\PurpleMood.scr	PurpleMood.scr
File created	C:\Windows\SysWOW64\PurpleMood.scr	Process not Found
File created	C:\Windows\SysWOW64\PurpleMood.scr	PurpleMood.scr
File created	C:\Windows\SysWOW64\PurpleMood.scr	PurpleMood.scr
File created	C:\Windows\SysWOW64\PurpleMood.scr	PurpleMood.scr
File created	C:\Windows\SysWOW64\PurpleMood.scr	PurpleMood.scr
File created	C:\Windows\SysWOW64\PurpleMood.scr	Process not Found
File created	C:\Windows\SysWOW64\PurpleMood.scr	Process not Found
File created	C:\Windows\SysWOW64\PurpleMood.scr	PurpleMood.scr
File created	C:\Windows\SysWOW64\PurpleMood.scr	PurpleMood.scr
File created	C:\Windows\SysWOW64\PurpleMood.scr	PurpleMood.scr
File created	C:\Windows\SysWOW64\PurpleMood.scr	PurpleMood.scr
File created	C:\Windows\SysWOW64\PurpleMood.scr	PurpleMood.scr
File created	C:\Windows\SysWOW64\PurpleMood.scr	PurpleMood.scr
File created	C:\Windows\SysWOW64\PurpleMood.scr	PurpleMood.scr
File created	C:\Windows\SysWOW64\PurpleMood.scr	PurpleMood.scr
File created	C:\Windows\SysWOW64\PurpleMood.scr	PurpleMood.scr
File created	C:\Windows\SysWOW64\PurpleMood.scr	PurpleMood.scr
File created	C:\Windows\SysWOW64\PurpleMood.scr	Process not Found
File created	C:\Windows\SysWOW64\PurpleMood.scr	Process not Found
File created	C:\Windows\SysWOW64\PurpleMood.scr	Process not Found
File created	C:\Windows\SysWOW64\PurpleMood.scr	PurpleMood.scr
File created	C:\Windows\SysWOW64\PurpleMood.scr	Process not Found
File created	C:\Windows\SysWOW64\PurpleMood.scr	Process not Found
File created	C:\Windows\SysWOW64\PurpleMood.scr	Process not Found
File created	C:\Windows\SysWOW64\PurpleMood.scr	Process not Found
File created	C:\Windows\SysWOW64\PurpleMood.scr	PurpleMood.scr
File created	C:\Windows\SysWOW64\PurpleMood.scr	PurpleMood.scr
File created	C:\Windows\SysWOW64\PurpleMood.scr	PurpleMood.scr
File created	C:\Windows\SysWOW64\PurpleMood.scr	Process not Found
File created	C:\Windows\SysWOW64\PurpleMood.scr	Process not Found
File created	C:\Windows\SysWOW64\PurpleMood.scr	Process not Found
File created	C:\Windows\SysWOW64\PurpleMood.scr	Process not Found
File created	C:\Windows\SysWOW64\PurpleMood.scr	PurpleMood.scr
File created	C:\Windows\SysWOW64\PurpleMood.scr	PurpleMood.scr
File created	C:\Windows\SysWOW64\PurpleMood.scr	Process not Found
File created	C:\Windows\SysWOW64\PurpleMood.scr	PurpleMood.scr
File created	C:\Windows\SysWOW64\PurpleMood.scr	PurpleMood.scr
File created	C:\Windows\SysWOW64\PurpleMood.scr	PurpleMood.scr
File created	C:\Windows\SysWOW64\PurpleMood.scr	PurpleMood.scr
File created	C:\Windows\SysWOW64\PurpleMood.scr	Process not Found
File created	C:\Windows\SysWOW64\PurpleMood.scr	PurpleMood.scr

Program crash 64 IoCs

pid	pid_target	Process	procid_target
24600	1896	Process not Found	136
25116	4928	Process not Found	84
25356	1496	Process not Found	97
25540	204	Process not Found	98
5404	10568	Process not Found	578
5428	10488	Process not Found	577
5752	12612	Process not Found	660
7648	12992	Process not Found	678
6548	14980	Process not Found	796
8668	14896	Process not Found	792
12756	16508	Process not Found	897
13684	16608	Process not Found	942
11856	17660	Process not Found	969
12292	18984	Process not Found	1049
3452	21492	Process not Found	1196
7976	21876	Process not Found	1224
11696	22280	Process not Found	1246
6464	25268	Process not Found	1428
18676	25756	Process not Found	1456
4356	24924	Process not Found	1515
19508	1500	Process not Found	1542
16780	5896	Process not Found	1633
18532	25728	Process not Found	1687
13524	5392	Process not Found	1688
13916	6452	Process not Found	1698
20624	3592	Process not Found	1695
20504	6832	Process not Found	1689
21012	5848	Process not Found	1713
6188	324	Process not Found	1748
20968	7504	Process not Found	1769
19608	5684	Process not Found	1777
2508	7984	Process not Found	1793
20200	5160	Process not Found	1854
9060	3348	Process not Found	1860
22292	25492	Process not Found	1862
20580	2588	Process not Found	1908
22628	10060	Process not Found	1920
14936	1308	Process not Found	1913
22744	3748	Process not Found	1939
15588	10436	Process not Found	1953
19500	10808	Process not Found	1973
3028	11060	Process not Found	1982
21512	11220	Process not Found	1997
15816	7812	Process not Found	2022
11320	8812	Process not Found	2052
21916	7232	Process not Found	2067
23716	25780	Process not Found	2059
24004	11804	Process not Found	2093
24288	5268	Process not Found	2101
22544	12764	Process not Found	2109
15796	13104	Process not Found	2133
16268	13348	Process not Found	2156
24376	11876	Process not Found	2228
23912	11900	Process not Found	2223
25800	14496	Process not Found	2234
11872	8612	Process not Found	2243
23720	10360	Process not Found	2304
11292	10448	Process not Found	2321
24024	11012	Process not Found	2324
2388	15264	Process not Found	2352
19396	3668	Process not Found	2447
17792	18084	Process not Found	2477
26316	8264	Process not Found	2548
25680	17688	Process not Found	2463

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3592 wrote to memory of 1260	3592	ce44a2f879b46c185ee8ccd9396a7e31c2ef10e03b4099c4a2f9484fcb1809fa.exe	79
PID 3592 wrote to memory of 1260	3592	ce44a2f879b46c185ee8ccd9396a7e31c2ef10e03b4099c4a2f9484fcb1809fa.exe	79
PID 3592 wrote to memory of 1260	3592	ce44a2f879b46c185ee8ccd9396a7e31c2ef10e03b4099c4a2f9484fcb1809fa.exe	79
PID 1260 wrote to memory of 1724	1260	PurpleMood.scr	80
PID 1260 wrote to memory of 1724	1260	PurpleMood.scr	80
PID 1260 wrote to memory of 1724	1260	PurpleMood.scr	80
PID 1724 wrote to memory of 1616	1724	PurpleMood.scr	81
PID 1724 wrote to memory of 1616	1724	PurpleMood.scr	81
PID 1724 wrote to memory of 1616	1724	PurpleMood.scr	81
PID 1616 wrote to memory of 3504	1616	PurpleMood.scr	82
PID 1616 wrote to memory of 3504	1616	PurpleMood.scr	82
PID 1616 wrote to memory of 3504	1616	PurpleMood.scr	82
PID 3504 wrote to memory of 4188	3504	PurpleMood.scr	83
PID 3504 wrote to memory of 4188	3504	PurpleMood.scr	83
PID 3504 wrote to memory of 4188	3504	PurpleMood.scr	83
PID 4188 wrote to memory of 4928	4188	PurpleMood.scr	84
PID 4188 wrote to memory of 4928	4188	PurpleMood.scr	84
PID 4188 wrote to memory of 4928	4188	PurpleMood.scr	84
PID 4928 wrote to memory of 4844	4928	PurpleMood.scr	85
PID 4928 wrote to memory of 4844	4928	PurpleMood.scr	85
PID 4928 wrote to memory of 4844	4928	PurpleMood.scr	85
PID 4844 wrote to memory of 4912	4844	PurpleMood.scr	86
PID 4844 wrote to memory of 4912	4844	PurpleMood.scr	86
PID 4844 wrote to memory of 4912	4844	PurpleMood.scr	86
PID 4912 wrote to memory of 4808	4912	PurpleMood.scr	87
PID 4912 wrote to memory of 4808	4912	PurpleMood.scr	87
PID 4912 wrote to memory of 4808	4912	PurpleMood.scr	87
PID 4808 wrote to memory of 5032	4808	PurpleMood.scr	88
PID 4808 wrote to memory of 5032	4808	PurpleMood.scr	88
PID 4808 wrote to memory of 5032	4808	PurpleMood.scr	88
PID 5032 wrote to memory of 644	5032	PurpleMood.scr	89
PID 5032 wrote to memory of 644	5032	PurpleMood.scr	89
PID 5032 wrote to memory of 644	5032	PurpleMood.scr	89
PID 644 wrote to memory of 996	644	PurpleMood.scr	90
PID 644 wrote to memory of 996	644	PurpleMood.scr	90
PID 644 wrote to memory of 996	644	PurpleMood.scr	90
PID 996 wrote to memory of 2140	996	PurpleMood.scr	91
PID 996 wrote to memory of 2140	996	PurpleMood.scr	91
PID 996 wrote to memory of 2140	996	PurpleMood.scr	91
PID 2140 wrote to memory of 1284	2140	PurpleMood.scr	92
PID 2140 wrote to memory of 1284	2140	PurpleMood.scr	92
PID 2140 wrote to memory of 1284	2140	PurpleMood.scr	92
PID 1284 wrote to memory of 1744	1284	PurpleMood.scr	93
PID 1284 wrote to memory of 1744	1284	PurpleMood.scr	93
PID 1284 wrote to memory of 1744	1284	PurpleMood.scr	93
PID 1744 wrote to memory of 2332	1744	PurpleMood.scr	94
PID 1744 wrote to memory of 2332	1744	PurpleMood.scr	94
PID 1744 wrote to memory of 2332	1744	PurpleMood.scr	94
PID 2332 wrote to memory of 2228	2332	PurpleMood.scr	95
PID 2332 wrote to memory of 2228	2332	PurpleMood.scr	95
PID 2332 wrote to memory of 2228	2332	PurpleMood.scr	95
PID 2228 wrote to memory of 1572	2228	PurpleMood.scr	96
PID 2228 wrote to memory of 1572	2228	PurpleMood.scr	96
PID 2228 wrote to memory of 1572	2228	PurpleMood.scr	96
PID 1572 wrote to memory of 1496	1572	PurpleMood.scr	97
PID 1572 wrote to memory of 1496	1572	PurpleMood.scr	97
PID 1572 wrote to memory of 1496	1572	PurpleMood.scr	97
PID 1496 wrote to memory of 2752	1496	PurpleMood.scr	99
PID 1496 wrote to memory of 2752	1496	PurpleMood.scr	99
PID 1496 wrote to memory of 2752	1496	PurpleMood.scr	99
PID 2752 wrote to memory of 204	2752	PurpleMood.scr	98
PID 2752 wrote to memory of 204	2752	PurpleMood.scr	98
PID 2752 wrote to memory of 204	2752	PurpleMood.scr	98
PID 204 wrote to memory of 4008	204	PurpleMood.scr	100

C:\Users\Admin\AppData\Local\Temp\ce44a2f879b46c185ee8ccd9396a7e31c2ef10e03b4099c4a2f9484fcb1809fa.exe
"C:\Users\Admin\AppData\Local\Temp\ce44a2f879b46c185ee8ccd9396a7e31c2ef10e03b4099c4a2f9484fcb1809fa.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:3592
- C:\Windows\SysWOW64\PurpleMood.scr
  C:\Windows\system32\PurpleMood.scr
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:1260
- - C:\Windows\SysWOW64\PurpleMood.scr
    C:\Windows\system32\PurpleMood.scr
    3⤵
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:1724
  - - C:\Windows\SysWOW64\PurpleMood.scr
      C:\Windows\system32\PurpleMood.scr
      4⤵
      Executes dropped EXE
      Suspicious use of WriteProcessMemory
      PID:1616
    - - C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        5⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3504
      - C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        6⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4188
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        7⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4928
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        8⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4844
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        9⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4912
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        10⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4808
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        11⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:5032
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        12⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:644
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        13⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:996
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        14⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2140
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        15⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:1284
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        16⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:1744
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        17⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2332
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        18⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2228
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        19⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:1572
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        20⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:1496
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        21⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2752

C:\Windows\SysWOW64\PurpleMood.scr
C:\Windows\system32\PurpleMood.scr
1⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:204
- C:\Windows\SysWOW64\PurpleMood.scr
  C:\Windows\system32\PurpleMood.scr
  2⤵
  - Executes dropped EXE
  PID:4008
- - C:\Windows\SysWOW64\PurpleMood.scr
    C:\Windows\system32\PurpleMood.scr
    3⤵
    - Executes dropped EXE
    PID:912
  - - C:\Windows\SysWOW64\PurpleMood.scr
      C:\Windows\system32\PurpleMood.scr
      4⤵
      Executes dropped EXE
      PID:3812
    - - C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        5⤵
        Executes dropped EXE
        
        PID:3736
      - C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        6⤵
        Executes dropped EXE
        
        PID:4956
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        7⤵
        Executes dropped EXE
        
        PID:1560
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        8⤵
        Executes dropped EXE
        
        PID:2588
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        9⤵
        Executes dropped EXE
        
        PID:3684
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        10⤵
        Executes dropped EXE
        
        PID:3868
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        11⤵
        Executes dropped EXE
        
        PID:2244
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        12⤵
        Executes dropped EXE
        
        PID:3672
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        13⤵
        Executes dropped EXE
        
        PID:2160
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        14⤵
        Executes dropped EXE
        
        PID:2308

C:\Windows\SysWOW64\PurpleMood.scr
C:\Windows\system32\PurpleMood.scr
1⤵
- Executes dropped EXE
- Adds Run key to start application
PID:1500
- C:\Windows\SysWOW64\PurpleMood.scr
  C:\Windows\system32\PurpleMood.scr
  2⤵
  - Executes dropped EXE
  PID:1300
- - C:\Windows\SysWOW64\PurpleMood.scr
    C:\Windows\system32\PurpleMood.scr
    3⤵
    - Executes dropped EXE
    PID:1840
  - - C:\Windows\SysWOW64\PurpleMood.scr
      C:\Windows\system32\PurpleMood.scr
      4⤵
      Executes dropped EXE
      PID:4388
    - - C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        5⤵
        Executes dropped EXE
        
        PID:4484
      - C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        6⤵
        Executes dropped EXE
        
        PID:3460
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        7⤵
        Executes dropped EXE
        
        PID:3380
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        8⤵
        Executes dropped EXE
        
        PID:4860
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        9⤵
        Executes dropped EXE
        
        PID:4784
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        10⤵
        Executes dropped EXE
        
        PID:3688
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        11⤵
        Executes dropped EXE
        
        PID:1028
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        12⤵
        Executes dropped EXE
        
        PID:3388
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        13⤵
        Executes dropped EXE
        
        PID:4076
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        14⤵
        Executes dropped EXE
        
        PID:2460
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        15⤵
        Executes dropped EXE
        
        PID:4800
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        16⤵
        Executes dropped EXE
        
        PID:3568
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        17⤵
        Executes dropped EXE
        
        PID:1516
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        18⤵
        Executes dropped EXE
        
        PID:2272
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        19⤵
        Executes dropped EXE
        
        PID:336
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        20⤵
        Executes dropped EXE
        Adds Run key to start application
        
        PID:3088
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        21⤵
        Executes dropped EXE
        
        PID:4888
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        22⤵
        Executes dropped EXE
        
        PID:2164
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        23⤵
        Executes dropped EXE
        
        PID:744
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        24⤵
        Executes dropped EXE
        
        PID:1896
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        25⤵
        Executes dropped EXE
        
        PID:2200
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        26⤵
        Executes dropped EXE
        
        PID:3932
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        27⤵
        Executes dropped EXE
        
        PID:2052
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        28⤵
        Executes dropped EXE
        
        PID:1928
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        29⤵
        Executes dropped EXE
        
        PID:4836
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        30⤵
        Executes dropped EXE
        
        PID:5044
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        31⤵
        
        PID:3012
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        32⤵
        
        PID:3108
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        33⤵
        
        PID:1908
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        34⤵
        
        PID:2600
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        35⤵
        
        PID:1316
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        36⤵
        
        PID:1132
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        37⤵
        
        PID:4788
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        38⤵
        
        PID:2680
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        39⤵
        
        PID:3040
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        40⤵
        
        PID:3340
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        41⤵
        
        PID:2084
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        42⤵
        
        PID:1636
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        43⤵
        
        PID:5088
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        44⤵
        Adds Run key to start application
        
        PID:4744
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        45⤵
        
        PID:4204
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        46⤵
        
        PID:3944
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        47⤵
        
        PID:3940
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        48⤵
        
        PID:1852
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        49⤵
        
        PID:1276
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        50⤵
        
        PID:2884
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        51⤵
        
        PID:1796
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        52⤵
        
        PID:4952
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        53⤵
        
        PID:4816
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        54⤵
        
        PID:808
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        55⤵
        
        PID:1972
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        56⤵
        
        PID:3436
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        57⤵
        
        PID:1812
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        58⤵
        Drops file in System32 directory
        
        PID:1480
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        59⤵
        
        PID:1400
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        60⤵
        
        PID:324
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        61⤵
        
        PID:4588
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        62⤵
        
        PID:812
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        63⤵
        
        PID:2408
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        64⤵
        
        PID:2828
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        65⤵
        
        PID:2420
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        66⤵
        
        PID:2996
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        67⤵
        
        PID:1900
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        68⤵
        
        PID:4228
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        69⤵
        
        PID:1192
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        70⤵
        
        PID:1044
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        71⤵
        
        PID:1936
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        72⤵
        
        PID:1264
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        73⤵
        
        PID:4548
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        74⤵
        
        PID:860
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        75⤵
        Adds Run key to start application
        
        PID:4244
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        76⤵
        
        PID:1344
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        77⤵
        
        PID:1312
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        78⤵
        
        PID:4316
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        79⤵
        
        PID:3356
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        80⤵
        
        PID:5100
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        81⤵
        
        PID:5004
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        82⤵
        
        PID:3836
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        83⤵
        
        PID:1624
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        84⤵
        
        PID:1372
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        85⤵
        
        PID:2492
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        86⤵
        
        PID:4904
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        87⤵
        
        PID:4144
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        88⤵
        
        PID:2064
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        89⤵
        
        PID:5140
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        90⤵
        
        PID:5160
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        91⤵
        
        PID:5180
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        92⤵
        
        PID:5200
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        93⤵
        
        PID:5220
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        94⤵
        
        PID:5240

C:\Windows\SysWOW64\PurpleMood.scr
C:\Windows\system32\PurpleMood.scr
1⤵
PID:5260
- C:\Windows\SysWOW64\PurpleMood.scr
  C:\Windows\system32\PurpleMood.scr
  2⤵
  PID:5280
- - C:\Windows\SysWOW64\PurpleMood.scr
    C:\Windows\system32\PurpleMood.scr
    3⤵
    PID:5300
  - - C:\Windows\SysWOW64\PurpleMood.scr
      C:\Windows\system32\PurpleMood.scr
      4⤵
      PID:5320
    - - C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        5⤵
        
        PID:5340

C:\Windows\SysWOW64\PurpleMood.scr
C:\Windows\system32\PurpleMood.scr
1⤵
PID:5360
- C:\Windows\SysWOW64\PurpleMood.scr
  C:\Windows\system32\PurpleMood.scr
  2⤵
  PID:5380
- - C:\Windows\SysWOW64\PurpleMood.scr
    C:\Windows\system32\PurpleMood.scr
    3⤵
    PID:5404
  - - C:\Windows\SysWOW64\PurpleMood.scr
      C:\Windows\system32\PurpleMood.scr
      4⤵
      PID:5428
    - - C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        5⤵
        
        PID:5456
      - C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        6⤵
        
        PID:5476
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        7⤵
        
        PID:5496
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        8⤵
        
        PID:5516
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        9⤵
        
        PID:5536
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        10⤵
        
        PID:5556
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        11⤵
        
        PID:5576
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        12⤵
        
        PID:5596
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        13⤵
        
        PID:5616
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        14⤵
        
        PID:5636
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        15⤵
        
        PID:5660
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        16⤵
        
        PID:5688
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        17⤵
        
        PID:5712
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        18⤵
        
        PID:5732
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        19⤵
        
        PID:5756
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        20⤵
        
        PID:5776
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        21⤵
        
        PID:5796
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        22⤵
        
        PID:5816
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        23⤵
        
        PID:5836
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        24⤵
        
        PID:5860
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        25⤵
        
        PID:5880
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        26⤵
        
        PID:5900
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        27⤵
        
        PID:5928
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        28⤵
        
        PID:5944
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        29⤵
        
        PID:5968
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        30⤵
        
        PID:5988
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        31⤵
        Drops file in System32 directory
        
        PID:6008
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        32⤵
        
        PID:6032
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        33⤵
        
        PID:6052
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        34⤵
        Adds Run key to start application
        
        PID:6076
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        35⤵
        
        PID:6096
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        36⤵
        Adds Run key to start application
        
        PID:6116
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        37⤵
        
        PID:6140
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        38⤵
        
        PID:3344
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        39⤵
        
        PID:5212
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        40⤵
        
        PID:5312
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        41⤵
        Drops file in System32 directory
        
        PID:5372
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        42⤵
        
        PID:5484
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        43⤵
        
        PID:5568
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        44⤵
        
        PID:5652
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        45⤵
        
        PID:5708
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        46⤵
        
        PID:5768
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        47⤵
        
        PID:5844
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        48⤵
        
        PID:5924
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        49⤵
        Drops file in System32 directory
        
        PID:5960
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        50⤵
        
        PID:6024
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        51⤵
        
        PID:6084
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        52⤵
        
        PID:5132
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        53⤵
        
        PID:6148
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        54⤵
        
        PID:6164
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        55⤵
        
        PID:6176
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        56⤵
        
        PID:6196
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        57⤵
        
        PID:6208
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        58⤵
        
        PID:6228
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        59⤵
        
        PID:6240
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        60⤵
        
        PID:6256
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        61⤵
        
        PID:6272
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        62⤵
        
        PID:6288
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        63⤵
        
        PID:6304
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        64⤵
        
        PID:6320
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        65⤵
        
        PID:6340
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        66⤵
        
        PID:6352
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        67⤵
        Adds Run key to start application
        
        PID:6368
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        68⤵
        
        PID:6384
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        69⤵
        
        PID:6400
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        70⤵
        
        PID:6420
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        71⤵
        
        PID:6436
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        72⤵
        
        PID:6452
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        73⤵
        
        PID:6464
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        74⤵
        
        PID:6484
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        75⤵
        
        PID:6496
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        76⤵
        
        PID:6516
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        77⤵
        
        PID:6536
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        78⤵
        
        PID:6556
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        79⤵
        
        PID:6572
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        80⤵
        
        PID:6588
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        81⤵
        
        PID:6604
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        82⤵
        
        PID:6620
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        83⤵
        
        PID:6644
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        84⤵
        
        PID:6664
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        85⤵
        
        PID:6680
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        86⤵
        
        PID:6696
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        87⤵
        
        PID:6716
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        88⤵
        
        PID:6736
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        89⤵
        
        PID:6756
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        90⤵
        
        PID:6776
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        91⤵
        
        PID:6796
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        92⤵
        
        PID:6816
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        93⤵
        
        PID:6836
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        94⤵
        
        PID:6860
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        95⤵
        
        PID:6884
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        96⤵
        
        PID:6904
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        97⤵
        
        PID:6928
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        98⤵
        
        PID:6948
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        99⤵
        
        PID:6968
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        100⤵
        
        PID:6996
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        101⤵
        
        PID:7016
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        102⤵
        
        PID:7036
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        103⤵
        
        PID:7056
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        104⤵
        
        PID:7076
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        105⤵
        
        PID:7096
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        106⤵
        
        PID:7116
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        107⤵
        
        PID:7136
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        108⤵
        
        PID:7156
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        109⤵
        
        PID:4356
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        110⤵
        
        PID:6752
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        111⤵
        
        PID:6824
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        112⤵
        
        PID:6876
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        113⤵
        
        PID:6976
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        114⤵
        
        PID:7088
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        115⤵
        
        PID:6628
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        116⤵
        
        PID:7024
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        117⤵
        
        PID:7192
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        118⤵
        
        PID:7212
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        119⤵
        
        PID:7232
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        120⤵
        
        PID:7256
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        121⤵
        
        PID:7276
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        122⤵
        
        PID:7300
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        123⤵
        Adds Run key to start application
        
        PID:7320
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        124⤵
        
        PID:7344
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        125⤵
        
        PID:7364
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        126⤵
        
        PID:7388
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        127⤵
        
        PID:7408
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        128⤵
        
        PID:7428
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        129⤵
        
        PID:7448
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        130⤵
        
        PID:7468
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        131⤵
        
        PID:7488
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        132⤵
        Adds Run key to start application
        
        PID:7516
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        133⤵
        
        PID:7532
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        134⤵
        Drops file in System32 directory
        
        PID:7552
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        135⤵
        
        PID:7576
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        136⤵
        Drops file in System32 directory
        
        PID:7596
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        137⤵
        
        PID:7616
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        138⤵
        
        PID:7636
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        139⤵
        
        PID:7660
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        140⤵
        
        PID:7680
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        141⤵
        
        PID:7708
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        142⤵
        Drops file in System32 directory
        
        PID:7728
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        143⤵
        
        PID:7748
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        144⤵
        
        PID:7768
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        145⤵
        
        PID:7788
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        146⤵
        
        PID:7808
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        147⤵
        
        PID:7828
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        148⤵
        
        PID:7848
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        149⤵
        
        PID:7868
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        150⤵
        
        PID:7888
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        151⤵
        
        PID:7908
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        152⤵
        
        PID:7928
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        153⤵
        
        PID:7948
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        154⤵
        
        PID:7968
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        155⤵
        
        PID:7992
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        156⤵
        
        PID:8012
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        157⤵
        
        PID:8040
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        158⤵
        
        PID:8060
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        159⤵
        
        PID:8080
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        160⤵
        
        PID:8100
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        161⤵
        
        PID:8120
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        162⤵
        
        PID:8140
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        163⤵
        
        PID:8160
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        164⤵
        
        PID:8180
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        165⤵
        
        PID:6868
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        166⤵
        Adds Run key to start application
        
        PID:7240
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        167⤵
        
        PID:7292
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        168⤵
        
        PID:7380
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        169⤵
        
        PID:7476
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        170⤵
        
        PID:7572
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        171⤵
        
        PID:7672
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        172⤵
        
        PID:7756
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        173⤵
        
        PID:7860
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        174⤵
        
        PID:7976
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        175⤵
        
        PID:8036
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        176⤵
        
        PID:8132
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        177⤵
        
        PID:7204
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        178⤵
        
        PID:7512
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        179⤵
        
        PID:7656
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        180⤵
        
        PID:8024
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        181⤵
        Drops file in System32 directory
        
        PID:8208
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        182⤵
        
        PID:8224
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        183⤵
        
        PID:8240
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        184⤵
        
        PID:8256
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        185⤵
        
        PID:8272
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        186⤵
        
        PID:8288
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        187⤵
        
        PID:8304
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        188⤵
        
        PID:8320
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        189⤵
        
        PID:8336
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        190⤵
        
        PID:8352
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        191⤵
        
        PID:8368
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        192⤵
        
        PID:8384
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        193⤵
        
        PID:8400
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        194⤵
        
        PID:8412
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        195⤵
        
        PID:8432
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        196⤵
        
        PID:8448
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        197⤵
        
        PID:8464
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        198⤵
        
        PID:8480
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        199⤵
        
        PID:8496
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        200⤵
        
        PID:8512
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        201⤵
        
        PID:8528
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        202⤵
        
        PID:8544
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        203⤵
        
        PID:8560
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        204⤵
        Adds Run key to start application
        
        PID:8576
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        205⤵
        
        PID:8592
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        206⤵
        
        PID:8608
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        207⤵
        
        PID:8624
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        208⤵
        
        PID:8640
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        209⤵
        
        PID:8656
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        210⤵
        
        PID:8672
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        211⤵
        Drops file in System32 directory
        
        PID:8688
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        212⤵
        
        PID:8704
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        213⤵
        
        PID:8720
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        214⤵
        
        PID:8736
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        215⤵
        
        PID:8752
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        216⤵
        
        PID:8768
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        217⤵
        Drops file in System32 directory
        
        PID:8784
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        218⤵
        
        PID:8800
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        219⤵
        
        PID:8816
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        220⤵
        
        PID:8832
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        221⤵
        Adds Run key to start application
        
        PID:8848
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        222⤵
        
        PID:8864
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        223⤵
        
        PID:8884
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        224⤵
        
        PID:8900
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        225⤵
        
        PID:8920
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        226⤵
        
        PID:8940
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        227⤵
        
        PID:8960
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        228⤵
        
        PID:8980
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        229⤵
        
        PID:9000
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        230⤵
        
        PID:9020
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        231⤵
        
        PID:9040
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        232⤵
        
        PID:9064
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        233⤵
        
        PID:9084
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        234⤵
        
        PID:9108
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        235⤵
        
        PID:9128
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        236⤵
        
        PID:9148
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        237⤵
        
        PID:9168
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        238⤵
        
        PID:9192
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        239⤵
        
        PID:8880
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        240⤵
        
        PID:8972
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        241⤵
        
        PID:9056
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        242⤵
        
        PID:9140
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        243⤵
        
        PID:8932
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        244⤵
        
        PID:9232
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        245⤵
        
        PID:9260
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        246⤵
        
        PID:9280
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        247⤵
        
        PID:9308
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        248⤵
        
        PID:9328
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        249⤵
        
        PID:9352
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        250⤵
        
        PID:9372
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        251⤵
        
        PID:9396
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        252⤵
        
        PID:9416
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        253⤵
        
        PID:9436
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        254⤵
        
        PID:9460
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        255⤵
        
        PID:9480
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        256⤵
        
        PID:9500
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        257⤵
        
        PID:9520
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        258⤵
        
        PID:9544
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        259⤵
        Adds Run key to start application
        
        PID:9564
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        260⤵
        
        PID:9588
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        261⤵
        
        PID:9608
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        262⤵
        
        PID:9632
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        263⤵
        
        PID:9652
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        264⤵
        
        PID:9676
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        265⤵
        
        PID:9696
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        266⤵
        
        PID:9716
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        267⤵
        
        PID:9736
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        268⤵
        
        PID:9756
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        269⤵
        
        PID:9776
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        270⤵
        
        PID:9796
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        271⤵
        
        PID:9816
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        272⤵
        
        PID:9836
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        273⤵
        
        PID:9856
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        274⤵
        
        PID:9876
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        275⤵
        
        PID:9896
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        276⤵
        
        PID:9920
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        277⤵
        
        PID:9940
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        278⤵
        
        PID:9960
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        279⤵
        
        PID:9984
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        280⤵
        
        PID:10008
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        281⤵
        
        PID:10028
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        282⤵
        
        PID:10052
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        283⤵
        Adds Run key to start application
        
        PID:10072
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        284⤵
        
        PID:10092
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        285⤵
        
        PID:10112
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        286⤵
        
        PID:10132
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        287⤵
        
        PID:10156
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        288⤵
        
        PID:10176
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        289⤵
        Drops file in System32 directory
        
        PID:10196
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        290⤵
        
        PID:10220
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        291⤵
        
        PID:9180
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        292⤵
        
        PID:9220
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        293⤵
        Drops file in System32 directory
        
        PID:9340
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        294⤵
        
        PID:9404
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        295⤵
        
        PID:9492
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        296⤵
        
        PID:9580
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        297⤵
        
        PID:9672
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        298⤵
        
        PID:9768
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        299⤵
        
        PID:9888
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        300⤵
        
        PID:9976
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        301⤵
        
        PID:10044
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        302⤵
        
        PID:10152
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        303⤵
        
        PID:10232
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        304⤵
        
        PID:9508
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        305⤵
        
        PID:9824
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        306⤵
        
        PID:10020
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        307⤵
        
        PID:9388
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        308⤵
        
        PID:10260
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        309⤵
        Drops file in System32 directory
        
        PID:10280
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        310⤵
        
        PID:10300
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        311⤵
        Drops file in System32 directory
        
        PID:10320
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        312⤵
        
        PID:10344
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        313⤵
        
        PID:10364
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        314⤵
        
        PID:10384
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        315⤵
        
        PID:10408
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        316⤵
        
        PID:10428
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        317⤵
        
        PID:10452
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        318⤵
        
        PID:10472
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        319⤵
        
        PID:10496
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        320⤵
        
        PID:10516
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        321⤵
        
        PID:10540
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        322⤵
        
        PID:10560
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        323⤵
        
        PID:10584
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        324⤵
        
        PID:10604
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        325⤵
        
        PID:10632
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        326⤵
        
        PID:10648
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        327⤵
        
        PID:10672
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        328⤵
        
        PID:10692
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        329⤵
        
        PID:10712
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        330⤵
        
        PID:10732
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        331⤵
        
        PID:10752
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        332⤵
        
        PID:10772
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        333⤵
        
        PID:10792
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        334⤵
        
        PID:10812
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        335⤵
        
        PID:10832
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        336⤵
        
        PID:10852
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        337⤵
        
        PID:10872
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        338⤵
        
        PID:10888
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        339⤵
        
        PID:10904
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        340⤵
        
        PID:10920
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        341⤵
        
        PID:10936
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        342⤵
        
        PID:10952
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        343⤵
        
        PID:10968
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        344⤵
        
        PID:10984
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        345⤵
        
        PID:11000
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        346⤵
        
        PID:11016
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        347⤵
        
        PID:11032
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        348⤵
        
        PID:11048
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        349⤵
        
        PID:11064
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        350⤵
        
        PID:11080
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        351⤵
        
        PID:11096
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        352⤵
        
        PID:11112
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        353⤵
        
        PID:11128
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        354⤵
        
        PID:11144
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        355⤵
        
        PID:11164
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        356⤵
        
        PID:11180
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        357⤵
        Drops file in System32 directory
        
        PID:11196
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        358⤵
        
        PID:11212
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        359⤵
        
        PID:11228
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        360⤵
        
        PID:11240
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        361⤵
        
        PID:11256
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        362⤵
        
        PID:10188
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        363⤵
        
        PID:10308
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        364⤵
        
        PID:10372
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        365⤵
        
        PID:10440
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        366⤵
        Drops file in System32 directory
        
        PID:10488
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        367⤵
        
        PID:10568
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        368⤵
        
        PID:10628
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        369⤵
        
        PID:10680
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        370⤵
        Drops file in System32 directory
        
        PID:10760
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        371⤵
        
        PID:10840
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        372⤵
        
        PID:11284
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        373⤵
        
        PID:11300
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        374⤵
        
        PID:11316
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        375⤵
        
        PID:11332
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        376⤵
        
        PID:11348
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        377⤵
        
        PID:11364
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        378⤵
        
        PID:11380
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        379⤵
        
        PID:11396
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        380⤵
        
        PID:11420
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        381⤵
        
        PID:11452
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        382⤵
        
        PID:11488
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        383⤵
        
        PID:11504
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        384⤵
        
        PID:11520
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        385⤵
        
        PID:11536
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        386⤵
        
        PID:11552
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        387⤵
        
        PID:11572
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        388⤵
        
        PID:11592
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        389⤵
        Adds Run key to start application
        
        PID:11612
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        390⤵
        
        PID:11632
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        391⤵
        
        PID:11656
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        392⤵
        
        PID:11680
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        393⤵
        
        PID:11700
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        394⤵
        
        PID:11724
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        395⤵
        
        PID:11752
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        396⤵
        
        PID:11768
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        397⤵
        
        PID:11788
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        398⤵
        
        PID:11812
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        399⤵
        
        PID:11836
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        400⤵
        
        PID:11856
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        401⤵
        
        PID:11876
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        402⤵
        
        PID:11896
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        403⤵
        
        PID:11920
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        404⤵
        
        PID:11944
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        405⤵
        
        PID:11964
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        406⤵
        
        PID:11984
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        407⤵
        
        PID:12004
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        408⤵
        
        PID:12028
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        409⤵
        
        PID:12048
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        410⤵
        
        PID:12072
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        411⤵
        
        PID:12092
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        412⤵
        Adds Run key to start application
        
        PID:12112
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        413⤵
        
        PID:12132
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        414⤵
        
        PID:12152
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        415⤵
        
        PID:12172
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        416⤵
        
        PID:12192
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        417⤵
        
        PID:12212
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        418⤵
        
        PID:12232
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        419⤵
        
        PID:12252
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        420⤵
        
        PID:12272
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        421⤵
        
        PID:11432
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        422⤵
        
        PID:11644
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        423⤵
        Drops file in System32 directory
        
        PID:11712
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        424⤵
        
        PID:11776
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        425⤵
        
        PID:11868
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        426⤵
        
        PID:11956
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        427⤵
        
        PID:12020
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        428⤵
        
        PID:12104
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        429⤵
        
        PID:12224
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        430⤵
        
        PID:11584
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        431⤵
        
        PID:11828
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        432⤵
        
        PID:12292
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        433⤵
        
        PID:12312
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        434⤵
        
        PID:12332
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        435⤵
        
        PID:12356
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        436⤵
        
        PID:12376
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        437⤵
        
        PID:12400
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        438⤵
        
        PID:12420
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        439⤵
        
        PID:12440
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        440⤵
        
        PID:12464
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        441⤵
        
        PID:12484
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        442⤵
        
        PID:12508
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        443⤵
        
        PID:12528
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        444⤵
        
        PID:12548
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        445⤵
        
        PID:12572
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        446⤵
        
        PID:12592
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        447⤵
        
        PID:12612
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        448⤵
        
        PID:12632
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        449⤵
        
        PID:12652
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        450⤵
        
        PID:12672
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        451⤵
        Drops file in System32 directory
        
        PID:12692
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        452⤵
        
        PID:12712
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        453⤵
        
        PID:12732
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        454⤵
        
        PID:12752
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        455⤵
        
        PID:12776
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        456⤵
        
        PID:12796
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        457⤵
        
        PID:12816
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        458⤵
        
        PID:12836
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        459⤵
        
        PID:12860
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        460⤵
        
        PID:12880
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        461⤵
        
        PID:12900
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        462⤵
        
        PID:12924
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        463⤵
        
        PID:12944
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        464⤵
        
        PID:12964
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        465⤵
        
        PID:12992
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        466⤵
        
        PID:13008
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        467⤵
        
        PID:13028
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        468⤵
        
        PID:13052
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        469⤵
        
        PID:13072
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        470⤵
        
        PID:13092
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        471⤵
        
        PID:13112
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        472⤵
        
        PID:13132
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        473⤵
        
        PID:13152
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        474⤵
        
        PID:13172
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        475⤵
        
        PID:13192
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        476⤵
        
        PID:13216
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        477⤵
        
        PID:13240
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        478⤵
        
        PID:13260
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        479⤵
        Adds Run key to start application
        
        PID:13284
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        480⤵
        
        PID:13304
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        481⤵
        
        PID:12320
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        482⤵
        
        PID:12392
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        483⤵
        Adds Run key to start application
        
        PID:12492
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        484⤵
        
        PID:12584
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        485⤵
        
        PID:12684
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        486⤵
        
        PID:12784
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        487⤵
        
        PID:12868
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        488⤵
        
        PID:12932
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        489⤵
        
        PID:13036
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        490⤵
        
        PID:13100
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        491⤵
        
        PID:13224
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        492⤵
        
        PID:11664
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        493⤵
        
        PID:12520
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        494⤵
        Adds Run key to start application
        
        PID:13020
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        495⤵
        
        PID:13208
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        496⤵
        
        PID:13320
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        497⤵
        
        PID:13340
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        498⤵
        
        PID:13356
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        499⤵
        
        PID:13372
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        500⤵
        
        PID:13388
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        501⤵
        
        PID:13400
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        502⤵
        
        PID:13428
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        503⤵
        
        PID:13448
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        504⤵
        
        PID:13464
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        505⤵
        Drops file in System32 directory
        
        PID:13484
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        506⤵
        
        PID:13500
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        507⤵
        
        PID:13516
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        508⤵
        
        PID:13532
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        509⤵
        
        PID:13548
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        510⤵
        
        PID:13564
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        511⤵
        
        PID:13580
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        512⤵
        
        PID:13608
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        513⤵
        
        PID:13624
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        514⤵
        
        PID:13640
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        515⤵
        
        PID:13668
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        516⤵
        
        PID:13696
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        517⤵
        
        PID:13712
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        518⤵
        Adds Run key to start application
        
        PID:13728
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        519⤵
        
        PID:13748
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        520⤵
        
        PID:13764
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        521⤵
        
        PID:13800
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        522⤵
        
        PID:13836
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        523⤵
        Adds Run key to start application
        
        PID:13872
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        524⤵
        
        PID:13900
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        525⤵
        
        PID:13920
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        526⤵
        
        PID:13936
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        527⤵
        
        PID:13948
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        528⤵
        
        PID:13972
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        529⤵
        
        PID:13988
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        530⤵
        
        PID:14000
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        531⤵
        
        PID:14020
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        532⤵
        
        PID:14040
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        533⤵
        
        PID:14052
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        534⤵
        
        PID:14068
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        535⤵
        Adds Run key to start application
        
        PID:14084
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        536⤵
        
        PID:14104
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        537⤵
        
        PID:14116
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        538⤵
        
        PID:14132
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        539⤵
        
        PID:14148
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        540⤵
        Adds Run key to start application
        
        PID:14164
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        541⤵
        
        PID:14180
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        542⤵
        
        PID:14200
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        543⤵
        
        PID:14232
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        544⤵
        Drops file in System32 directory
        
        PID:14252
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        545⤵
        
        PID:14272
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        546⤵
        
        PID:14292
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        547⤵
        
        PID:14316
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        548⤵
        
        PID:14188
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        549⤵
        
        PID:14284
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        550⤵
        
        PID:14340
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        551⤵
        
        PID:14360
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        552⤵
        
        PID:14380
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        553⤵
        Adds Run key to start application
        
        PID:14400
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        554⤵
        
        PID:14420
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        555⤵
        
        PID:14440
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        556⤵
        
        PID:14464
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        557⤵
        
        PID:14484
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        558⤵
        
        PID:14504
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        559⤵
        
        PID:14524
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        560⤵
        
        PID:14548
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        561⤵
        
        PID:14568
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        562⤵
        
        PID:14588
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        563⤵
        
        PID:14608
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        564⤵
        Adds Run key to start application
        
        PID:14628
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        565⤵
        
        PID:14648
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        566⤵
        
        PID:14672
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        567⤵
        
        PID:14688
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        568⤵
        
        PID:14708
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        569⤵
        
        PID:14728
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        570⤵
        
        PID:14748
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        571⤵
        
        PID:14768
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        572⤵
        
        PID:14788
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        573⤵
        Drops file in System32 directory
        
        PID:14808
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        574⤵
        
        PID:14832
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        575⤵
        
        PID:14852
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        576⤵
        
        PID:14872
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        577⤵
        Drops file in System32 directory
        
        PID:14896
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        578⤵
        
        PID:14916
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        579⤵
        
        PID:14940
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        580⤵
        
        PID:14960
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        581⤵
        Drops file in System32 directory
        
        PID:14980
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        582⤵
        
        PID:15000
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        583⤵
        
        PID:15024

C:\Windows\SysWOW64\PurpleMood.scr
C:\Windows\system32\PurpleMood.scr
1⤵
PID:15044
- C:\Windows\SysWOW64\PurpleMood.scr
  C:\Windows\system32\PurpleMood.scr
  2⤵
  PID:15068
- - C:\Windows\SysWOW64\PurpleMood.scr
    C:\Windows\system32\PurpleMood.scr
    3⤵
    PID:15088
  - - C:\Windows\SysWOW64\PurpleMood.scr
      C:\Windows\system32\PurpleMood.scr
      4⤵
      PID:15108
    - - C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        5⤵
        
        PID:15136
      - C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        6⤵
        
        PID:15156
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        7⤵
        
        PID:15180
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        8⤵
        
        PID:15204
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        9⤵
        
        PID:15224
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        10⤵
        
        PID:15244
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        11⤵
        
        PID:15264
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        12⤵
        
        PID:15284
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        13⤵
        
        PID:15308
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        14⤵
        
        PID:15328
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        15⤵
        
        PID:15348
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        16⤵
        
        PID:14348
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        17⤵
        
        PID:14456
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        18⤵
        
        PID:14536
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        19⤵
        
        PID:14636
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        20⤵
        
        PID:14756
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        21⤵
        
        PID:14880
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        22⤵
        Drops file in System32 directory
        
        PID:14952
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        23⤵
        
        PID:15036
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        24⤵
        
        PID:15120
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        25⤵
        
        PID:15196
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        26⤵
        
        PID:15296
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        27⤵
        
        PID:14408
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        28⤵
        
        PID:14816
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        29⤵
        
        PID:15256
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        30⤵
        
        PID:15368
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        31⤵
        
        PID:15392
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        32⤵
        
        PID:15412
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        33⤵
        
        PID:15436
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        34⤵
        
        PID:15456
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        35⤵
        Drops file in System32 directory
        
        PID:15476
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        36⤵
        
        PID:15496
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        37⤵
        
        PID:15516
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        38⤵
        
        PID:15536
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        39⤵
        
        PID:15564
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        40⤵
        
        PID:15580
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        41⤵
        
        PID:15596
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        42⤵
        
        PID:15612
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        43⤵
        
        PID:15628
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        44⤵
        
        PID:15644
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        45⤵
        
        PID:15660
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        46⤵
        
        PID:15676
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        47⤵
        
        PID:15692
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        48⤵
        
        PID:15708
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        49⤵
        
        PID:15724
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        50⤵
        
        PID:15740
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        51⤵
        
        PID:15756
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        52⤵
        
        PID:15772
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        53⤵
        
        PID:15788
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        54⤵
        
        PID:15804
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        55⤵
        
        PID:15820
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        56⤵
        
        PID:15836
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        57⤵
        
        PID:15852
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        58⤵
        
        PID:15868
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        59⤵
        
        PID:15892
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        60⤵
        
        PID:15908
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        61⤵
        
        PID:15924
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        62⤵
        
        PID:15940
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        63⤵
        Adds Run key to start application
        
        PID:15956
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        64⤵
        
        PID:15972
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        65⤵
        
        PID:15988
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        66⤵
        
        PID:16004
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        67⤵
        
        PID:16020
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        68⤵
        
        PID:16036
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        69⤵
        
        PID:16052
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        70⤵
        
        PID:16068
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        71⤵
        
        PID:16084
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        72⤵
        
        PID:16100
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        73⤵
        
        PID:16116
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        74⤵
        
        PID:16132
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        75⤵
        Drops file in System32 directory
        
        PID:16148
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        76⤵
        
        PID:16164
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        77⤵
        
        PID:16180
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        78⤵
        
        PID:16196
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        79⤵
        
        PID:16212
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        80⤵
        
        PID:16228
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        81⤵
        
        PID:16244
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        82⤵
        
        PID:16260
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        83⤵
        
        PID:16276
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        84⤵
        
        PID:16292
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        85⤵
        
        PID:16308
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        86⤵
        
        PID:16324
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        87⤵
        
        PID:16344
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        88⤵
        
        PID:16364
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        89⤵
        
        PID:14992
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        90⤵
        
        PID:15420
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        91⤵
        
        PID:15528
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        92⤵
        
        PID:15388
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        93⤵
        
        PID:16404
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        94⤵
        
        PID:16428
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        95⤵
        
        PID:16448
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        96⤵
        
        PID:16468
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        97⤵
        
        PID:16488
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        98⤵
        
        PID:16508
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        99⤵
        
        PID:16528
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        100⤵
        
        PID:16552
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        101⤵
        
        PID:16572
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        102⤵
        
        PID:16596
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        103⤵
        
        PID:16616
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        104⤵
        Adds Run key to start application
        
        PID:16636
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        105⤵
        
        PID:16656
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        106⤵
        
        PID:16676
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        107⤵
        
        PID:16696
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        108⤵
        
        PID:16716
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        109⤵
        Adds Run key to start application
        
        PID:16740
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        110⤵
        Drops file in System32 directory
        
        PID:16760
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        111⤵
        
        PID:16780
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        112⤵
        
        PID:16800
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        113⤵
        
        PID:16824
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        114⤵
        
        PID:16844
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        115⤵
        
        PID:16864
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        116⤵
        
        PID:16884
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        117⤵
        Adds Run key to start application
        
        PID:16908
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        118⤵
        
        PID:16928
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        119⤵
        Adds Run key to start application
        
        PID:16948
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        120⤵
        
        PID:16968
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        121⤵
        
        PID:16988
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        122⤵
        
        PID:17008
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        123⤵
        
        PID:17032
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        124⤵
        
        PID:17056
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        125⤵
        
        PID:17076
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        126⤵
        
        PID:17100
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        127⤵
        
        PID:17120
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        128⤵
        
        PID:17144
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        129⤵
        
        PID:17164
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        130⤵
        
        PID:17188
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        131⤵
        
        PID:17212
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        132⤵
        
        PID:17232
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        133⤵
        
        PID:17260
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        134⤵
        
        PID:17288
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        135⤵
        
        PID:17316
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        136⤵
        
        PID:17336
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        137⤵
        Adds Run key to start application
        
        PID:17360
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        138⤵
        
        PID:17384
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        139⤵
        
        PID:17404
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        140⤵
        
        PID:16416
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        141⤵
        
        PID:16480
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        142⤵
        
        PID:16564
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        143⤵
        Adds Run key to start application
        
        PID:16608
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        144⤵
        
        PID:16688
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        145⤵
        
        PID:16748
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        146⤵
        
        PID:16812
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        147⤵
        
        PID:16892
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        148⤵
        Adds Run key to start application
        
        PID:16960
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        149⤵
        
        PID:17024
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        150⤵
        
        PID:17088
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        151⤵
        
        PID:17136
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        152⤵
        
        PID:17196
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        153⤵
        
        PID:17272
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        154⤵
        
        PID:17368
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        155⤵
        
        PID:17412
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        156⤵
        
        PID:17428
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        157⤵
        
        PID:17452
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        158⤵
        
        PID:17468
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        159⤵
        Drops file in System32 directory
        
        PID:17484
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        160⤵
        
        PID:17500
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        161⤵
        
        PID:17516
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        162⤵
        
        PID:17532
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        163⤵
        
        PID:17548
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        164⤵
        
        PID:17564
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        165⤵
        
        PID:17580
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        166⤵
        
        PID:17596
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        167⤵
        
        PID:17612
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        168⤵
        Adds Run key to start application
        
        PID:17628
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        169⤵
        
        PID:17644
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        170⤵
        
        PID:17660
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        171⤵
        
        PID:17676
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        172⤵
        Adds Run key to start application
        
        PID:17692
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        173⤵
        
        PID:17708
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        174⤵
        
        PID:17724
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        175⤵
        
        PID:17740
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        176⤵
        
        PID:17756
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        177⤵
        
        PID:17772
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        178⤵
        
        PID:17788
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        179⤵
        
        PID:17804
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        180⤵
        
        PID:17820
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        181⤵
        
        PID:17836
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        182⤵
        
        PID:17852
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        183⤵
        
        PID:17868
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        184⤵
        
        PID:17884
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        185⤵
        
        PID:17904
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        186⤵
        
        PID:17920
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        187⤵
        
        PID:17944
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        188⤵
        
        PID:17964
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        189⤵
        
        PID:17988
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        190⤵
        Drops file in System32 directory
        
        PID:18008
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        191⤵
        
        PID:18028
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        192⤵
        
        PID:18048
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        193⤵
        
        PID:18068
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        194⤵
        
        PID:18088
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        195⤵
        
        PID:18108
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        196⤵
        
        PID:18128
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        197⤵
        
        PID:18148
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        198⤵
        
        PID:18168
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        199⤵
        
        PID:18192
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        200⤵
        
        PID:18216
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        201⤵
        
        PID:18236
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        202⤵
        
        PID:18260
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        203⤵
        
        PID:18280
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        204⤵
        
        PID:18304
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        205⤵
        
        PID:18324
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        206⤵
        Drops file in System32 directory
        
        PID:18344
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        207⤵
        
        PID:18364
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        208⤵
        
        PID:18384
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        209⤵
        
        PID:18404
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        210⤵
        
        PID:18424
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        211⤵
        
        PID:17936
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        212⤵
        
        PID:18020
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        213⤵
        
        PID:18100
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        214⤵
        
        PID:18200
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        215⤵
        
        PID:18272
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        216⤵
        
        PID:18356
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        217⤵
        
        PID:18184
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        218⤵
        
        PID:18444
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        219⤵
        
        PID:18468
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        220⤵
        
        PID:18488
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        221⤵
        Drops file in System32 directory
        
        PID:18508
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        222⤵
        
        PID:18528
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        223⤵
        
        PID:18548
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        224⤵
        
        PID:18568
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        225⤵
        
        PID:18584
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        226⤵
        
        PID:18600
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        227⤵
        Drops file in System32 directory
        
        PID:18616
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        228⤵
        
        PID:18632
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        229⤵
        
        PID:18648
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        230⤵
        
        PID:18664
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        231⤵
        
        PID:18680
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        232⤵
        
        PID:18696
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        233⤵
        
        PID:18712
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        234⤵
        
        PID:18728
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        235⤵
        
        PID:18744
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        236⤵
        
        PID:18760
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        237⤵
        
        PID:18776
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        238⤵
        
        PID:18792
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        239⤵
        
        PID:18808
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        240⤵
        
        PID:18824
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        241⤵
        
        PID:18840
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        242⤵
        
        PID:18856
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        243⤵
        
        PID:18872
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        244⤵
        
        PID:18888
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        245⤵
        
        PID:18904
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        246⤵
        
        PID:18920
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        247⤵
        
        PID:18936
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        248⤵
        
        PID:18952
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        249⤵
        
        PID:18968
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        250⤵
        
        PID:18984
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        251⤵
        
        PID:19000
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        252⤵
        
        PID:19016
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        253⤵
        Drops file in System32 directory
        
        PID:19032
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        254⤵
        
        PID:19048
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        255⤵
        
        PID:19064
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        256⤵
        
        PID:19080
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        257⤵
        
        PID:19096
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        258⤵
        
        PID:19112
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        259⤵
        
        PID:19128
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        260⤵
        
        PID:19144
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        261⤵
        
        PID:19160
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        262⤵
        
        PID:19176
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        263⤵
        
        PID:19192
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        264⤵
        
        PID:19208
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        265⤵
        
        PID:19224
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        266⤵
        
        PID:19240
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        267⤵
        
        PID:19264
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        268⤵
        
        PID:19288
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        269⤵
        
        PID:19308
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        270⤵
        
        PID:19324
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        271⤵
        
        PID:19340
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        272⤵
        
        PID:19356
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        273⤵
        
        PID:19372
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        274⤵
        
        PID:19388
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        275⤵
        
        PID:19408
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        276⤵
        Adds Run key to start application
        
        PID:19428
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        277⤵
        
        PID:19448
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        278⤵
        
        PID:18456
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        279⤵
        
        PID:4084
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        280⤵
        
        PID:19460
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        281⤵
        
        PID:19476
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        282⤵
        
        PID:19496
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        283⤵
        Drops file in System32 directory
        
        PID:19516
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        284⤵
        Drops file in System32 directory
        
        PID:19540
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        285⤵
        
        PID:19560
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        286⤵
        
        PID:19584
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        287⤵
        
        PID:19604
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        288⤵
        
        PID:19628
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        289⤵
        
        PID:19652
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        290⤵
        
        PID:19672
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        291⤵
        
        PID:19692
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        292⤵
        
        PID:19712
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        293⤵
        
        PID:19740
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        294⤵
        
        PID:19760
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        295⤵
        
        PID:19780
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        296⤵
        Adds Run key to start application
        
        PID:19800
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        297⤵
        
        PID:19820
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        298⤵
        
        PID:19840
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        299⤵
        
        PID:19864
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        300⤵
        
        PID:19888
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        301⤵
        
        PID:19904
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        302⤵
        
        PID:19920
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        303⤵
        
        PID:19936
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        304⤵
        Drops file in System32 directory
        
        PID:19952
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        305⤵
        
        PID:19968
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        306⤵
        
        PID:19984
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        307⤵
        
        PID:20000

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\PurpleMood.scr

Filesize
7KB

MD5
e0f4f91d74956841f2af35767f7cdd33

SHA1
a052f9c108b8cce6b2c973b14fb9251a767a44d6

SHA256
4a7622085ca9338777be700563b15dfcb6d6b74c522b4fe9e8b33694c467389d

SHA512
65bad4303551d0a39fb38ff5f19023e443742c98d55d62fbf1b77711be7553ff4aac2cb56993b182f2684dd0c26aa20bc1a577c93819541132e9a3cb5a285938

Download Submit
C:\Windows\SysWOW64\PurpleMood.scr

Filesize
7KB

MD5
e0f4f91d74956841f2af35767f7cdd33

SHA1
a052f9c108b8cce6b2c973b14fb9251a767a44d6

SHA256
4a7622085ca9338777be700563b15dfcb6d6b74c522b4fe9e8b33694c467389d

SHA512
65bad4303551d0a39fb38ff5f19023e443742c98d55d62fbf1b77711be7553ff4aac2cb56993b182f2684dd0c26aa20bc1a577c93819541132e9a3cb5a285938

Download Submit
C:\Windows\SysWOW64\PurpleMood.scr

Filesize
7KB

MD5
e0f4f91d74956841f2af35767f7cdd33

SHA1
a052f9c108b8cce6b2c973b14fb9251a767a44d6

SHA256
4a7622085ca9338777be700563b15dfcb6d6b74c522b4fe9e8b33694c467389d

SHA512
65bad4303551d0a39fb38ff5f19023e443742c98d55d62fbf1b77711be7553ff4aac2cb56993b182f2684dd0c26aa20bc1a577c93819541132e9a3cb5a285938

Download Submit
C:\Windows\SysWOW64\PurpleMood.scr

Filesize
7KB

MD5
e0f4f91d74956841f2af35767f7cdd33

SHA1
a052f9c108b8cce6b2c973b14fb9251a767a44d6

SHA256
4a7622085ca9338777be700563b15dfcb6d6b74c522b4fe9e8b33694c467389d

SHA512
65bad4303551d0a39fb38ff5f19023e443742c98d55d62fbf1b77711be7553ff4aac2cb56993b182f2684dd0c26aa20bc1a577c93819541132e9a3cb5a285938

Download Submit
C:\Windows\SysWOW64\PurpleMood.scr

Filesize
7KB

MD5
e0f4f91d74956841f2af35767f7cdd33

SHA1
a052f9c108b8cce6b2c973b14fb9251a767a44d6

SHA256
4a7622085ca9338777be700563b15dfcb6d6b74c522b4fe9e8b33694c467389d

SHA512
65bad4303551d0a39fb38ff5f19023e443742c98d55d62fbf1b77711be7553ff4aac2cb56993b182f2684dd0c26aa20bc1a577c93819541132e9a3cb5a285938

Download Submit
C:\Windows\SysWOW64\PurpleMood.scr

Filesize
7KB

MD5
e0f4f91d74956841f2af35767f7cdd33

SHA1
a052f9c108b8cce6b2c973b14fb9251a767a44d6

SHA256
4a7622085ca9338777be700563b15dfcb6d6b74c522b4fe9e8b33694c467389d

SHA512
65bad4303551d0a39fb38ff5f19023e443742c98d55d62fbf1b77711be7553ff4aac2cb56993b182f2684dd0c26aa20bc1a577c93819541132e9a3cb5a285938

Download Submit
C:\Windows\SysWOW64\PurpleMood.scr

Filesize
7KB

MD5
e0f4f91d74956841f2af35767f7cdd33

SHA1
a052f9c108b8cce6b2c973b14fb9251a767a44d6

SHA256
4a7622085ca9338777be700563b15dfcb6d6b74c522b4fe9e8b33694c467389d

SHA512
65bad4303551d0a39fb38ff5f19023e443742c98d55d62fbf1b77711be7553ff4aac2cb56993b182f2684dd0c26aa20bc1a577c93819541132e9a3cb5a285938

Download Submit
C:\Windows\SysWOW64\PurpleMood.scr

Filesize
7KB

MD5
e0f4f91d74956841f2af35767f7cdd33

SHA1
a052f9c108b8cce6b2c973b14fb9251a767a44d6

SHA256
4a7622085ca9338777be700563b15dfcb6d6b74c522b4fe9e8b33694c467389d

SHA512
65bad4303551d0a39fb38ff5f19023e443742c98d55d62fbf1b77711be7553ff4aac2cb56993b182f2684dd0c26aa20bc1a577c93819541132e9a3cb5a285938

Download Submit
C:\Windows\SysWOW64\PurpleMood.scr

Filesize
7KB

MD5
e0f4f91d74956841f2af35767f7cdd33

SHA1
a052f9c108b8cce6b2c973b14fb9251a767a44d6

SHA256
4a7622085ca9338777be700563b15dfcb6d6b74c522b4fe9e8b33694c467389d

SHA512
65bad4303551d0a39fb38ff5f19023e443742c98d55d62fbf1b77711be7553ff4aac2cb56993b182f2684dd0c26aa20bc1a577c93819541132e9a3cb5a285938

Download Submit
C:\Windows\SysWOW64\PurpleMood.scr

Filesize
7KB

MD5
e0f4f91d74956841f2af35767f7cdd33

SHA1
a052f9c108b8cce6b2c973b14fb9251a767a44d6

SHA256
4a7622085ca9338777be700563b15dfcb6d6b74c522b4fe9e8b33694c467389d

SHA512
65bad4303551d0a39fb38ff5f19023e443742c98d55d62fbf1b77711be7553ff4aac2cb56993b182f2684dd0c26aa20bc1a577c93819541132e9a3cb5a285938

Download Submit
C:\Windows\SysWOW64\PurpleMood.scr

Filesize
7KB

MD5
e0f4f91d74956841f2af35767f7cdd33

SHA1
a052f9c108b8cce6b2c973b14fb9251a767a44d6

SHA256
4a7622085ca9338777be700563b15dfcb6d6b74c522b4fe9e8b33694c467389d

SHA512
65bad4303551d0a39fb38ff5f19023e443742c98d55d62fbf1b77711be7553ff4aac2cb56993b182f2684dd0c26aa20bc1a577c93819541132e9a3cb5a285938

Download Submit
C:\Windows\SysWOW64\PurpleMood.scr

Filesize
7KB

MD5
e0f4f91d74956841f2af35767f7cdd33

SHA1
a052f9c108b8cce6b2c973b14fb9251a767a44d6

SHA256
4a7622085ca9338777be700563b15dfcb6d6b74c522b4fe9e8b33694c467389d

SHA512
65bad4303551d0a39fb38ff5f19023e443742c98d55d62fbf1b77711be7553ff4aac2cb56993b182f2684dd0c26aa20bc1a577c93819541132e9a3cb5a285938

Download Submit
C:\Windows\SysWOW64\PurpleMood.scr

Filesize
7KB

MD5
e0f4f91d74956841f2af35767f7cdd33

SHA1
a052f9c108b8cce6b2c973b14fb9251a767a44d6

SHA256
4a7622085ca9338777be700563b15dfcb6d6b74c522b4fe9e8b33694c467389d

SHA512
65bad4303551d0a39fb38ff5f19023e443742c98d55d62fbf1b77711be7553ff4aac2cb56993b182f2684dd0c26aa20bc1a577c93819541132e9a3cb5a285938

Download Submit
C:\Windows\SysWOW64\PurpleMood.scr

Filesize
7KB

MD5
e0f4f91d74956841f2af35767f7cdd33

SHA1
a052f9c108b8cce6b2c973b14fb9251a767a44d6

SHA256
4a7622085ca9338777be700563b15dfcb6d6b74c522b4fe9e8b33694c467389d

SHA512
65bad4303551d0a39fb38ff5f19023e443742c98d55d62fbf1b77711be7553ff4aac2cb56993b182f2684dd0c26aa20bc1a577c93819541132e9a3cb5a285938

Download Submit
C:\Windows\SysWOW64\PurpleMood.scr

Filesize
7KB

MD5
e0f4f91d74956841f2af35767f7cdd33

SHA1
a052f9c108b8cce6b2c973b14fb9251a767a44d6

SHA256
4a7622085ca9338777be700563b15dfcb6d6b74c522b4fe9e8b33694c467389d

SHA512
65bad4303551d0a39fb38ff5f19023e443742c98d55d62fbf1b77711be7553ff4aac2cb56993b182f2684dd0c26aa20bc1a577c93819541132e9a3cb5a285938

Download Submit
C:\Windows\SysWOW64\PurpleMood.scr

Filesize
7KB

MD5
e0f4f91d74956841f2af35767f7cdd33

SHA1
a052f9c108b8cce6b2c973b14fb9251a767a44d6

SHA256
4a7622085ca9338777be700563b15dfcb6d6b74c522b4fe9e8b33694c467389d

SHA512
65bad4303551d0a39fb38ff5f19023e443742c98d55d62fbf1b77711be7553ff4aac2cb56993b182f2684dd0c26aa20bc1a577c93819541132e9a3cb5a285938

Download Submit
C:\Windows\SysWOW64\PurpleMood.scr

Filesize
7KB

MD5
e0f4f91d74956841f2af35767f7cdd33

SHA1
a052f9c108b8cce6b2c973b14fb9251a767a44d6

SHA256
4a7622085ca9338777be700563b15dfcb6d6b74c522b4fe9e8b33694c467389d

SHA512
65bad4303551d0a39fb38ff5f19023e443742c98d55d62fbf1b77711be7553ff4aac2cb56993b182f2684dd0c26aa20bc1a577c93819541132e9a3cb5a285938

Download Submit
C:\Windows\SysWOW64\PurpleMood.scr

Filesize
7KB

MD5
e0f4f91d74956841f2af35767f7cdd33

SHA1
a052f9c108b8cce6b2c973b14fb9251a767a44d6

SHA256
4a7622085ca9338777be700563b15dfcb6d6b74c522b4fe9e8b33694c467389d

SHA512
65bad4303551d0a39fb38ff5f19023e443742c98d55d62fbf1b77711be7553ff4aac2cb56993b182f2684dd0c26aa20bc1a577c93819541132e9a3cb5a285938

Download Submit
C:\Windows\SysWOW64\PurpleMood.scr

Filesize
7KB

MD5
e0f4f91d74956841f2af35767f7cdd33

SHA1
a052f9c108b8cce6b2c973b14fb9251a767a44d6

SHA256
4a7622085ca9338777be700563b15dfcb6d6b74c522b4fe9e8b33694c467389d

SHA512
65bad4303551d0a39fb38ff5f19023e443742c98d55d62fbf1b77711be7553ff4aac2cb56993b182f2684dd0c26aa20bc1a577c93819541132e9a3cb5a285938

Download Submit
C:\Windows\SysWOW64\PurpleMood.scr

Filesize
7KB

MD5
e0f4f91d74956841f2af35767f7cdd33

SHA1
a052f9c108b8cce6b2c973b14fb9251a767a44d6

SHA256
4a7622085ca9338777be700563b15dfcb6d6b74c522b4fe9e8b33694c467389d

SHA512
65bad4303551d0a39fb38ff5f19023e443742c98d55d62fbf1b77711be7553ff4aac2cb56993b182f2684dd0c26aa20bc1a577c93819541132e9a3cb5a285938

Download Submit
C:\Windows\SysWOW64\PurpleMood.scr

Filesize
7KB

MD5
e0f4f91d74956841f2af35767f7cdd33

SHA1
a052f9c108b8cce6b2c973b14fb9251a767a44d6

SHA256
4a7622085ca9338777be700563b15dfcb6d6b74c522b4fe9e8b33694c467389d

SHA512
65bad4303551d0a39fb38ff5f19023e443742c98d55d62fbf1b77711be7553ff4aac2cb56993b182f2684dd0c26aa20bc1a577c93819541132e9a3cb5a285938

Download Submit
C:\Windows\SysWOW64\PurpleMood.scr

Filesize
7KB

MD5
e0f4f91d74956841f2af35767f7cdd33

SHA1
a052f9c108b8cce6b2c973b14fb9251a767a44d6

SHA256
4a7622085ca9338777be700563b15dfcb6d6b74c522b4fe9e8b33694c467389d

SHA512
65bad4303551d0a39fb38ff5f19023e443742c98d55d62fbf1b77711be7553ff4aac2cb56993b182f2684dd0c26aa20bc1a577c93819541132e9a3cb5a285938

Download Submit
C:\Windows\SysWOW64\PurpleMood.scr

Filesize
7KB

MD5
e0f4f91d74956841f2af35767f7cdd33

SHA1
a052f9c108b8cce6b2c973b14fb9251a767a44d6

SHA256
4a7622085ca9338777be700563b15dfcb6d6b74c522b4fe9e8b33694c467389d

SHA512
65bad4303551d0a39fb38ff5f19023e443742c98d55d62fbf1b77711be7553ff4aac2cb56993b182f2684dd0c26aa20bc1a577c93819541132e9a3cb5a285938

Download Submit
C:\Windows\SysWOW64\PurpleMood.scr

Filesize
7KB

MD5
e0f4f91d74956841f2af35767f7cdd33

SHA1
a052f9c108b8cce6b2c973b14fb9251a767a44d6

SHA256
4a7622085ca9338777be700563b15dfcb6d6b74c522b4fe9e8b33694c467389d

SHA512
65bad4303551d0a39fb38ff5f19023e443742c98d55d62fbf1b77711be7553ff4aac2cb56993b182f2684dd0c26aa20bc1a577c93819541132e9a3cb5a285938

Download Submit
C:\Windows\SysWOW64\PurpleMood.scr

Filesize
7KB

MD5
e0f4f91d74956841f2af35767f7cdd33

SHA1
a052f9c108b8cce6b2c973b14fb9251a767a44d6

SHA256
4a7622085ca9338777be700563b15dfcb6d6b74c522b4fe9e8b33694c467389d

SHA512
65bad4303551d0a39fb38ff5f19023e443742c98d55d62fbf1b77711be7553ff4aac2cb56993b182f2684dd0c26aa20bc1a577c93819541132e9a3cb5a285938

Download Submit
C:\Windows\SysWOW64\PurpleMood.scr

Filesize
7KB

MD5
e0f4f91d74956841f2af35767f7cdd33

SHA1
a052f9c108b8cce6b2c973b14fb9251a767a44d6

SHA256
4a7622085ca9338777be700563b15dfcb6d6b74c522b4fe9e8b33694c467389d

SHA512
65bad4303551d0a39fb38ff5f19023e443742c98d55d62fbf1b77711be7553ff4aac2cb56993b182f2684dd0c26aa20bc1a577c93819541132e9a3cb5a285938

Download Submit
C:\Windows\SysWOW64\PurpleMood.scr

Filesize
7KB

MD5
e0f4f91d74956841f2af35767f7cdd33

SHA1
a052f9c108b8cce6b2c973b14fb9251a767a44d6

SHA256
4a7622085ca9338777be700563b15dfcb6d6b74c522b4fe9e8b33694c467389d

SHA512
65bad4303551d0a39fb38ff5f19023e443742c98d55d62fbf1b77711be7553ff4aac2cb56993b182f2684dd0c26aa20bc1a577c93819541132e9a3cb5a285938

Download Submit
C:\Windows\SysWOW64\PurpleMood.scr

Filesize
7KB

MD5
e0f4f91d74956841f2af35767f7cdd33

SHA1
a052f9c108b8cce6b2c973b14fb9251a767a44d6

SHA256
4a7622085ca9338777be700563b15dfcb6d6b74c522b4fe9e8b33694c467389d

SHA512
65bad4303551d0a39fb38ff5f19023e443742c98d55d62fbf1b77711be7553ff4aac2cb56993b182f2684dd0c26aa20bc1a577c93819541132e9a3cb5a285938

Download Submit
C:\Windows\SysWOW64\PurpleMood.scr

Filesize
7KB

MD5
e0f4f91d74956841f2af35767f7cdd33

SHA1
a052f9c108b8cce6b2c973b14fb9251a767a44d6

SHA256
4a7622085ca9338777be700563b15dfcb6d6b74c522b4fe9e8b33694c467389d

SHA512
65bad4303551d0a39fb38ff5f19023e443742c98d55d62fbf1b77711be7553ff4aac2cb56993b182f2684dd0c26aa20bc1a577c93819541132e9a3cb5a285938

Download Submit
C:\Windows\SysWOW64\PurpleMood.scr

Filesize
7KB

MD5
e0f4f91d74956841f2af35767f7cdd33

SHA1
a052f9c108b8cce6b2c973b14fb9251a767a44d6

SHA256
4a7622085ca9338777be700563b15dfcb6d6b74c522b4fe9e8b33694c467389d

SHA512
65bad4303551d0a39fb38ff5f19023e443742c98d55d62fbf1b77711be7553ff4aac2cb56993b182f2684dd0c26aa20bc1a577c93819541132e9a3cb5a285938

Download Submit
C:\Windows\SysWOW64\PurpleMood.scr

Filesize
7KB

MD5
e0f4f91d74956841f2af35767f7cdd33

SHA1
a052f9c108b8cce6b2c973b14fb9251a767a44d6

SHA256
4a7622085ca9338777be700563b15dfcb6d6b74c522b4fe9e8b33694c467389d

SHA512
65bad4303551d0a39fb38ff5f19023e443742c98d55d62fbf1b77711be7553ff4aac2cb56993b182f2684dd0c26aa20bc1a577c93819541132e9a3cb5a285938

Download Submit
C:\Windows\SysWOW64\PurpleMood.scr

Filesize
7KB

MD5
e0f4f91d74956841f2af35767f7cdd33

SHA1
a052f9c108b8cce6b2c973b14fb9251a767a44d6

SHA256
4a7622085ca9338777be700563b15dfcb6d6b74c522b4fe9e8b33694c467389d

SHA512
65bad4303551d0a39fb38ff5f19023e443742c98d55d62fbf1b77711be7553ff4aac2cb56993b182f2684dd0c26aa20bc1a577c93819541132e9a3cb5a285938

Download Submit
C:\Windows\SysWOW64\PurpleMood.scr

Filesize
7KB

MD5
e0f4f91d74956841f2af35767f7cdd33

SHA1
a052f9c108b8cce6b2c973b14fb9251a767a44d6

SHA256
4a7622085ca9338777be700563b15dfcb6d6b74c522b4fe9e8b33694c467389d

SHA512
65bad4303551d0a39fb38ff5f19023e443742c98d55d62fbf1b77711be7553ff4aac2cb56993b182f2684dd0c26aa20bc1a577c93819541132e9a3cb5a285938

Download Submit
C:\Windows\SysWOW64\PurpleMood.scr

Filesize
7KB

MD5
e0f4f91d74956841f2af35767f7cdd33

SHA1
a052f9c108b8cce6b2c973b14fb9251a767a44d6

SHA256
4a7622085ca9338777be700563b15dfcb6d6b74c522b4fe9e8b33694c467389d

SHA512
65bad4303551d0a39fb38ff5f19023e443742c98d55d62fbf1b77711be7553ff4aac2cb56993b182f2684dd0c26aa20bc1a577c93819541132e9a3cb5a285938

Download Submit
C:\Windows\SysWOW64\PurpleMood.scr

Filesize
7KB

MD5
e0f4f91d74956841f2af35767f7cdd33

SHA1
a052f9c108b8cce6b2c973b14fb9251a767a44d6

SHA256
4a7622085ca9338777be700563b15dfcb6d6b74c522b4fe9e8b33694c467389d

SHA512
65bad4303551d0a39fb38ff5f19023e443742c98d55d62fbf1b77711be7553ff4aac2cb56993b182f2684dd0c26aa20bc1a577c93819541132e9a3cb5a285938

Download Submit
C:\Windows\SysWOW64\PurpleMood.scr

Filesize
7KB

MD5
e0f4f91d74956841f2af35767f7cdd33

SHA1
a052f9c108b8cce6b2c973b14fb9251a767a44d6

SHA256
4a7622085ca9338777be700563b15dfcb6d6b74c522b4fe9e8b33694c467389d

SHA512
65bad4303551d0a39fb38ff5f19023e443742c98d55d62fbf1b77711be7553ff4aac2cb56993b182f2684dd0c26aa20bc1a577c93819541132e9a3cb5a285938

Download Submit
C:\Windows\SysWOW64\PurpleMood.scr

Filesize
7KB

MD5
e0f4f91d74956841f2af35767f7cdd33

SHA1
a052f9c108b8cce6b2c973b14fb9251a767a44d6

SHA256
4a7622085ca9338777be700563b15dfcb6d6b74c522b4fe9e8b33694c467389d

SHA512
65bad4303551d0a39fb38ff5f19023e443742c98d55d62fbf1b77711be7553ff4aac2cb56993b182f2684dd0c26aa20bc1a577c93819541132e9a3cb5a285938

Download Submit
C:\Windows\SysWOW64\PurpleMood.scr

Filesize
7KB

MD5
e0f4f91d74956841f2af35767f7cdd33

SHA1
a052f9c108b8cce6b2c973b14fb9251a767a44d6

SHA256
4a7622085ca9338777be700563b15dfcb6d6b74c522b4fe9e8b33694c467389d

SHA512
65bad4303551d0a39fb38ff5f19023e443742c98d55d62fbf1b77711be7553ff4aac2cb56993b182f2684dd0c26aa20bc1a577c93819541132e9a3cb5a285938

Download Submit
C:\Windows\SysWOW64\PurpleMood.scr

Filesize
7KB

MD5
e0f4f91d74956841f2af35767f7cdd33

SHA1
a052f9c108b8cce6b2c973b14fb9251a767a44d6

SHA256
4a7622085ca9338777be700563b15dfcb6d6b74c522b4fe9e8b33694c467389d

SHA512
65bad4303551d0a39fb38ff5f19023e443742c98d55d62fbf1b77711be7553ff4aac2cb56993b182f2684dd0c26aa20bc1a577c93819541132e9a3cb5a285938

Download Submit
C:\Windows\SysWOW64\PurpleMood.scr

Filesize
7KB

MD5
e0f4f91d74956841f2af35767f7cdd33

SHA1
a052f9c108b8cce6b2c973b14fb9251a767a44d6

SHA256
4a7622085ca9338777be700563b15dfcb6d6b74c522b4fe9e8b33694c467389d

SHA512
65bad4303551d0a39fb38ff5f19023e443742c98d55d62fbf1b77711be7553ff4aac2cb56993b182f2684dd0c26aa20bc1a577c93819541132e9a3cb5a285938

Download Submit
C:\Windows\SysWOW64\PurpleMood.scr

Filesize
7KB

MD5
e0f4f91d74956841f2af35767f7cdd33

SHA1
a052f9c108b8cce6b2c973b14fb9251a767a44d6

SHA256
4a7622085ca9338777be700563b15dfcb6d6b74c522b4fe9e8b33694c467389d

SHA512
65bad4303551d0a39fb38ff5f19023e443742c98d55d62fbf1b77711be7553ff4aac2cb56993b182f2684dd0c26aa20bc1a577c93819541132e9a3cb5a285938

Download Submit
C:\Windows\SysWOW64\PurpleMood.scr

Filesize
7KB

MD5
e0f4f91d74956841f2af35767f7cdd33

SHA1
a052f9c108b8cce6b2c973b14fb9251a767a44d6

SHA256
4a7622085ca9338777be700563b15dfcb6d6b74c522b4fe9e8b33694c467389d

SHA512
65bad4303551d0a39fb38ff5f19023e443742c98d55d62fbf1b77711be7553ff4aac2cb56993b182f2684dd0c26aa20bc1a577c93819541132e9a3cb5a285938

Download Submit
C:\Windows\SysWOW64\PurpleMood.scr

Filesize
7KB

MD5
e0f4f91d74956841f2af35767f7cdd33

SHA1
a052f9c108b8cce6b2c973b14fb9251a767a44d6

SHA256
4a7622085ca9338777be700563b15dfcb6d6b74c522b4fe9e8b33694c467389d

SHA512
65bad4303551d0a39fb38ff5f19023e443742c98d55d62fbf1b77711be7553ff4aac2cb56993b182f2684dd0c26aa20bc1a577c93819541132e9a3cb5a285938

Download Submit
C:\Windows\SysWOW64\PurpleMood.scr

Filesize
7KB

MD5
e0f4f91d74956841f2af35767f7cdd33

SHA1
a052f9c108b8cce6b2c973b14fb9251a767a44d6

SHA256
4a7622085ca9338777be700563b15dfcb6d6b74c522b4fe9e8b33694c467389d

SHA512
65bad4303551d0a39fb38ff5f19023e443742c98d55d62fbf1b77711be7553ff4aac2cb56993b182f2684dd0c26aa20bc1a577c93819541132e9a3cb5a285938

Download Submit
C:\Windows\SysWOW64\PurpleMood.scr

Filesize
7KB

MD5
e0f4f91d74956841f2af35767f7cdd33

SHA1
a052f9c108b8cce6b2c973b14fb9251a767a44d6

SHA256
4a7622085ca9338777be700563b15dfcb6d6b74c522b4fe9e8b33694c467389d

SHA512
65bad4303551d0a39fb38ff5f19023e443742c98d55d62fbf1b77711be7553ff4aac2cb56993b182f2684dd0c26aa20bc1a577c93819541132e9a3cb5a285938

Download Submit
C:\Windows\SysWOW64\PurpleMood.scr

Filesize
7KB

MD5
e0f4f91d74956841f2af35767f7cdd33

SHA1
a052f9c108b8cce6b2c973b14fb9251a767a44d6

SHA256
4a7622085ca9338777be700563b15dfcb6d6b74c522b4fe9e8b33694c467389d

SHA512
65bad4303551d0a39fb38ff5f19023e443742c98d55d62fbf1b77711be7553ff4aac2cb56993b182f2684dd0c26aa20bc1a577c93819541132e9a3cb5a285938

Download Submit
C:\Windows\SysWOW64\PurpleMood.scr

Filesize
7KB

MD5
e0f4f91d74956841f2af35767f7cdd33

SHA1
a052f9c108b8cce6b2c973b14fb9251a767a44d6

SHA256
4a7622085ca9338777be700563b15dfcb6d6b74c522b4fe9e8b33694c467389d

SHA512
65bad4303551d0a39fb38ff5f19023e443742c98d55d62fbf1b77711be7553ff4aac2cb56993b182f2684dd0c26aa20bc1a577c93819541132e9a3cb5a285938

Download Submit
C:\Windows\SysWOW64\PurpleMood.scr

Filesize
7KB

MD5
e0f4f91d74956841f2af35767f7cdd33

SHA1
a052f9c108b8cce6b2c973b14fb9251a767a44d6

SHA256
4a7622085ca9338777be700563b15dfcb6d6b74c522b4fe9e8b33694c467389d

SHA512
65bad4303551d0a39fb38ff5f19023e443742c98d55d62fbf1b77711be7553ff4aac2cb56993b182f2684dd0c26aa20bc1a577c93819541132e9a3cb5a285938

Download Submit
C:\Windows\SysWOW64\PurpleMood.scr

Filesize
7KB

MD5
e0f4f91d74956841f2af35767f7cdd33

SHA1
a052f9c108b8cce6b2c973b14fb9251a767a44d6

SHA256
4a7622085ca9338777be700563b15dfcb6d6b74c522b4fe9e8b33694c467389d

SHA512
65bad4303551d0a39fb38ff5f19023e443742c98d55d62fbf1b77711be7553ff4aac2cb56993b182f2684dd0c26aa20bc1a577c93819541132e9a3cb5a285938

Download Submit
C:\Windows\SysWOW64\PurpleMood.scr

Filesize
7KB

MD5
e0f4f91d74956841f2af35767f7cdd33

SHA1
a052f9c108b8cce6b2c973b14fb9251a767a44d6

SHA256
4a7622085ca9338777be700563b15dfcb6d6b74c522b4fe9e8b33694c467389d

SHA512
65bad4303551d0a39fb38ff5f19023e443742c98d55d62fbf1b77711be7553ff4aac2cb56993b182f2684dd0c26aa20bc1a577c93819541132e9a3cb5a285938

Download Submit
C:\Windows\SysWOW64\PurpleMood.scr

Filesize
7KB

MD5
e0f4f91d74956841f2af35767f7cdd33

SHA1
a052f9c108b8cce6b2c973b14fb9251a767a44d6

SHA256
4a7622085ca9338777be700563b15dfcb6d6b74c522b4fe9e8b33694c467389d

SHA512
65bad4303551d0a39fb38ff5f19023e443742c98d55d62fbf1b77711be7553ff4aac2cb56993b182f2684dd0c26aa20bc1a577c93819541132e9a3cb5a285938

Download Submit
C:\Windows\SysWOW64\PurpleMood.scr

Filesize
7KB

MD5
e0f4f91d74956841f2af35767f7cdd33

SHA1
a052f9c108b8cce6b2c973b14fb9251a767a44d6

SHA256
4a7622085ca9338777be700563b15dfcb6d6b74c522b4fe9e8b33694c467389d

SHA512
65bad4303551d0a39fb38ff5f19023e443742c98d55d62fbf1b77711be7553ff4aac2cb56993b182f2684dd0c26aa20bc1a577c93819541132e9a3cb5a285938

Download Submit
C:\Windows\SysWOW64\PurpleMood.scr

Filesize
7KB

MD5
e0f4f91d74956841f2af35767f7cdd33

SHA1
a052f9c108b8cce6b2c973b14fb9251a767a44d6

SHA256
4a7622085ca9338777be700563b15dfcb6d6b74c522b4fe9e8b33694c467389d

SHA512
65bad4303551d0a39fb38ff5f19023e443742c98d55d62fbf1b77711be7553ff4aac2cb56993b182f2684dd0c26aa20bc1a577c93819541132e9a3cb5a285938

Download Submit
C:\Windows\SysWOW64\PurpleMood.scr

Filesize
7KB

MD5
e0f4f91d74956841f2af35767f7cdd33

SHA1
a052f9c108b8cce6b2c973b14fb9251a767a44d6

SHA256
4a7622085ca9338777be700563b15dfcb6d6b74c522b4fe9e8b33694c467389d

SHA512
65bad4303551d0a39fb38ff5f19023e443742c98d55d62fbf1b77711be7553ff4aac2cb56993b182f2684dd0c26aa20bc1a577c93819541132e9a3cb5a285938

Download Submit
C:\Windows\SysWOW64\PurpleMood.scr

Filesize
7KB

MD5
e0f4f91d74956841f2af35767f7cdd33

SHA1
a052f9c108b8cce6b2c973b14fb9251a767a44d6

SHA256
4a7622085ca9338777be700563b15dfcb6d6b74c522b4fe9e8b33694c467389d

SHA512
65bad4303551d0a39fb38ff5f19023e443742c98d55d62fbf1b77711be7553ff4aac2cb56993b182f2684dd0c26aa20bc1a577c93819541132e9a3cb5a285938

Download Submit
C:\Windows\SysWOW64\PurpleMood.scr

Filesize
7KB

MD5
e0f4f91d74956841f2af35767f7cdd33

SHA1
a052f9c108b8cce6b2c973b14fb9251a767a44d6

SHA256
4a7622085ca9338777be700563b15dfcb6d6b74c522b4fe9e8b33694c467389d

SHA512
65bad4303551d0a39fb38ff5f19023e443742c98d55d62fbf1b77711be7553ff4aac2cb56993b182f2684dd0c26aa20bc1a577c93819541132e9a3cb5a285938

Download Submit
C:\Windows\SysWOW64\PurpleMood.scr

Filesize
7KB

MD5
e0f4f91d74956841f2af35767f7cdd33

SHA1
a052f9c108b8cce6b2c973b14fb9251a767a44d6

SHA256
4a7622085ca9338777be700563b15dfcb6d6b74c522b4fe9e8b33694c467389d

SHA512
65bad4303551d0a39fb38ff5f19023e443742c98d55d62fbf1b77711be7553ff4aac2cb56993b182f2684dd0c26aa20bc1a577c93819541132e9a3cb5a285938

Download Submit
C:\Windows\SysWOW64\PurpleMood.scr

Filesize
7KB

MD5
e0f4f91d74956841f2af35767f7cdd33

SHA1
a052f9c108b8cce6b2c973b14fb9251a767a44d6

SHA256
4a7622085ca9338777be700563b15dfcb6d6b74c522b4fe9e8b33694c467389d

SHA512
65bad4303551d0a39fb38ff5f19023e443742c98d55d62fbf1b77711be7553ff4aac2cb56993b182f2684dd0c26aa20bc1a577c93819541132e9a3cb5a285938

Download Submit
C:\Windows\SysWOW64\PurpleMood.scr

Filesize
7KB

MD5
e0f4f91d74956841f2af35767f7cdd33

SHA1
a052f9c108b8cce6b2c973b14fb9251a767a44d6

SHA256
4a7622085ca9338777be700563b15dfcb6d6b74c522b4fe9e8b33694c467389d

SHA512
65bad4303551d0a39fb38ff5f19023e443742c98d55d62fbf1b77711be7553ff4aac2cb56993b182f2684dd0c26aa20bc1a577c93819541132e9a3cb5a285938

Download Submit
C:\Windows\SysWOW64\PurpleMood.scr

Filesize
7KB

MD5
e0f4f91d74956841f2af35767f7cdd33

SHA1
a052f9c108b8cce6b2c973b14fb9251a767a44d6

SHA256
4a7622085ca9338777be700563b15dfcb6d6b74c522b4fe9e8b33694c467389d

SHA512
65bad4303551d0a39fb38ff5f19023e443742c98d55d62fbf1b77711be7553ff4aac2cb56993b182f2684dd0c26aa20bc1a577c93819541132e9a3cb5a285938

Download Submit
C:\Windows\SysWOW64\PurpleMood.scr

Filesize
7KB

MD5
e0f4f91d74956841f2af35767f7cdd33

SHA1
a052f9c108b8cce6b2c973b14fb9251a767a44d6

SHA256
4a7622085ca9338777be700563b15dfcb6d6b74c522b4fe9e8b33694c467389d

SHA512
65bad4303551d0a39fb38ff5f19023e443742c98d55d62fbf1b77711be7553ff4aac2cb56993b182f2684dd0c26aa20bc1a577c93819541132e9a3cb5a285938

Download Submit
C:\Windows\SysWOW64\PurpleMood.scr

Filesize
7KB

MD5
e0f4f91d74956841f2af35767f7cdd33

SHA1
a052f9c108b8cce6b2c973b14fb9251a767a44d6

SHA256
4a7622085ca9338777be700563b15dfcb6d6b74c522b4fe9e8b33694c467389d

SHA512
65bad4303551d0a39fb38ff5f19023e443742c98d55d62fbf1b77711be7553ff4aac2cb56993b182f2684dd0c26aa20bc1a577c93819541132e9a3cb5a285938

Download Submit
C:\Windows\SysWOW64\PurpleMood.scr

Filesize
7KB

MD5
e0f4f91d74956841f2af35767f7cdd33

SHA1
a052f9c108b8cce6b2c973b14fb9251a767a44d6

SHA256
4a7622085ca9338777be700563b15dfcb6d6b74c522b4fe9e8b33694c467389d

SHA512
65bad4303551d0a39fb38ff5f19023e443742c98d55d62fbf1b77711be7553ff4aac2cb56993b182f2684dd0c26aa20bc1a577c93819541132e9a3cb5a285938

Download Submit
C:\Windows\SysWOW64\PurpleMood.scr

Filesize
7KB

MD5
e0f4f91d74956841f2af35767f7cdd33

SHA1
a052f9c108b8cce6b2c973b14fb9251a767a44d6

SHA256
4a7622085ca9338777be700563b15dfcb6d6b74c522b4fe9e8b33694c467389d

SHA512
65bad4303551d0a39fb38ff5f19023e443742c98d55d62fbf1b77711be7553ff4aac2cb56993b182f2684dd0c26aa20bc1a577c93819541132e9a3cb5a285938

Download Submit
memory/204-253-0x0000000000400000-0x0000000000403000-memory.dmp

Filesize
12KB

Download
memory/204-175-0x0000000000000000-mapping.dmp

Download
memory/336-313-0x0000000000400000-0x0000000000403000-memory.dmp

Filesize
12KB

Download
memory/336-261-0x0000000000000000-mapping.dmp

Download
memory/644-155-0x0000000000000000-mapping.dmp

Download
memory/644-227-0x0000000000400000-0x0000000000403000-memory.dmp

Filesize
12KB

Download
memory/744-317-0x0000000000400000-0x0000000000403000-memory.dmp

Filesize
12KB

Download
memory/744-273-0x0000000000000000-mapping.dmp

Download
memory/912-179-0x0000000000000000-mapping.dmp

Download
memory/912-259-0x0000000000400000-0x0000000000403000-memory.dmp

Filesize
12KB

Download
memory/996-230-0x0000000000400000-0x0000000000403000-memory.dmp

Filesize
12KB

Download
memory/996-157-0x0000000000000000-mapping.dmp

Download
memory/1028-305-0x0000000000400000-0x0000000000403000-memory.dmp

Filesize
12KB

Download
memory/1028-237-0x0000000000000000-mapping.dmp

Download
memory/1260-136-0x0000000000400000-0x0000000000403000-memory.dmp

Filesize
12KB

Download
memory/1260-133-0x0000000000000000-mapping.dmp

Download
memory/1284-234-0x0000000000400000-0x0000000000403000-memory.dmp

Filesize
12KB

Download
memory/1284-161-0x0000000000000000-mapping.dmp

Download
memory/1300-208-0x0000000000000000-mapping.dmp

Download
memory/1300-296-0x0000000000400000-0x0000000000403000-memory.dmp

Filesize
12KB

Download
memory/1496-171-0x0000000000000000-mapping.dmp

Download
memory/1496-247-0x0000000000400000-0x0000000000403000-memory.dmp

Filesize
12KB

Download
memory/1500-205-0x0000000000000000-mapping.dmp

Download
memory/1500-295-0x0000000000400000-0x0000000000403000-memory.dmp

Filesize
12KB

Download
memory/1516-311-0x0000000000400000-0x0000000000403000-memory.dmp

Filesize
12KB

Download
memory/1516-255-0x0000000000000000-mapping.dmp

Download
memory/1560-271-0x0000000000400000-0x0000000000403000-memory.dmp

Filesize
12KB

Download
memory/1560-187-0x0000000000000000-mapping.dmp

Download
memory/1572-244-0x0000000000400000-0x0000000000403000-memory.dmp

Filesize
12KB

Download
memory/1572-169-0x0000000000000000-mapping.dmp

Download
memory/1616-139-0x0000000000000000-mapping.dmp

Download
memory/1616-203-0x0000000000400000-0x0000000000403000-memory.dmp

Filesize
12KB

Download
memory/1724-201-0x0000000000400000-0x0000000000403000-memory.dmp

Filesize
12KB

Download
memory/1724-137-0x0000000000000000-mapping.dmp

Download
memory/1744-163-0x0000000000000000-mapping.dmp

Download
memory/1744-235-0x0000000000400000-0x0000000000403000-memory.dmp

Filesize
12KB

Download
memory/1840-211-0x0000000000000000-mapping.dmp

Download
memory/1840-297-0x0000000000400000-0x0000000000403000-memory.dmp

Filesize
12KB

Download
memory/1896-277-0x0000000000000000-mapping.dmp

Download
memory/1896-318-0x0000000000400000-0x0000000000403000-memory.dmp

Filesize
12KB

Download
memory/1928-289-0x0000000000000000-mapping.dmp

Download
memory/1928-322-0x0000000000400000-0x0000000000403000-memory.dmp

Filesize
12KB

Download
memory/2052-286-0x0000000000000000-mapping.dmp

Download
memory/2052-321-0x0000000000400000-0x0000000000403000-memory.dmp

Filesize
12KB

Download
memory/2140-232-0x0000000000400000-0x0000000000403000-memory.dmp

Filesize
12KB

Download
memory/2140-159-0x0000000000000000-mapping.dmp

Download
memory/2160-199-0x0000000000000000-mapping.dmp

Download
memory/2160-287-0x0000000000400000-0x0000000000403000-memory.dmp

Filesize
12KB

Download
memory/2164-270-0x0000000000000000-mapping.dmp

Download
memory/2164-316-0x0000000000400000-0x0000000000403000-memory.dmp

Filesize
12KB

Download
memory/2200-280-0x0000000000000000-mapping.dmp

Download
memory/2200-319-0x0000000000400000-0x0000000000403000-memory.dmp

Filesize
12KB

Download
memory/2228-241-0x0000000000400000-0x0000000000403000-memory.dmp

Filesize
12KB

Download
memory/2228-167-0x0000000000000000-mapping.dmp

Download
memory/2244-281-0x0000000000400000-0x0000000000403000-memory.dmp

Filesize
12KB

Download
memory/2244-195-0x0000000000000000-mapping.dmp

Download
memory/2272-258-0x0000000000000000-mapping.dmp

Download
memory/2272-312-0x0000000000400000-0x0000000000403000-memory.dmp

Filesize
12KB

Download
memory/2308-294-0x0000000000400000-0x0000000000403000-memory.dmp

Filesize
12KB

Download
memory/2308-202-0x0000000000000000-mapping.dmp

Download
memory/2332-165-0x0000000000000000-mapping.dmp

Download
memory/2332-238-0x0000000000400000-0x0000000000403000-memory.dmp

Filesize
12KB

Download
memory/2460-308-0x0000000000400000-0x0000000000403000-memory.dmp

Filesize
12KB

Download
memory/2460-246-0x0000000000000000-mapping.dmp

Download
memory/2588-189-0x0000000000000000-mapping.dmp

Download
memory/2588-274-0x0000000000400000-0x0000000000403000-memory.dmp

Filesize
12KB

Download
memory/2752-173-0x0000000000000000-mapping.dmp

Download
memory/2752-250-0x0000000000400000-0x0000000000403000-memory.dmp

Filesize
12KB

Download
memory/3088-264-0x0000000000000000-mapping.dmp

Download
memory/3088-314-0x0000000000400000-0x0000000000403000-memory.dmp

Filesize
12KB

Download
memory/3380-301-0x0000000000400000-0x0000000000403000-memory.dmp

Filesize
12KB

Download
memory/3380-223-0x0000000000000000-mapping.dmp

Download
memory/3388-306-0x0000000000400000-0x0000000000403000-memory.dmp

Filesize
12KB

Download
memory/3388-240-0x0000000000000000-mapping.dmp

Download
memory/3460-220-0x0000000000000000-mapping.dmp

Download
memory/3460-300-0x0000000000400000-0x0000000000403000-memory.dmp

Filesize
12KB

Download
memory/3504-206-0x0000000000400000-0x0000000000403000-memory.dmp

Filesize
12KB

Download
memory/3504-141-0x0000000000000000-mapping.dmp

Download
memory/3568-310-0x0000000000400000-0x0000000000403000-memory.dmp

Filesize
12KB

Download
memory/3568-252-0x0000000000000000-mapping.dmp

Download
memory/3592-132-0x0000000000400000-0x0000000000403000-memory.dmp

Filesize
12KB

Download
memory/3672-284-0x0000000000400000-0x0000000000403000-memory.dmp

Filesize
12KB

Download
memory/3672-197-0x0000000000000000-mapping.dmp

Download
memory/3684-276-0x0000000000400000-0x0000000000403000-memory.dmp

Filesize
12KB

Download
memory/3684-191-0x0000000000000000-mapping.dmp

Download
memory/3688-233-0x0000000000000000-mapping.dmp

Download
memory/3688-304-0x0000000000400000-0x0000000000403000-memory.dmp

Filesize
12KB

Download
memory/3736-265-0x0000000000400000-0x0000000000403000-memory.dmp

Filesize
12KB

Download
memory/3736-183-0x0000000000000000-mapping.dmp

Download
memory/3812-262-0x0000000000400000-0x0000000000403000-memory.dmp

Filesize
12KB

Download
memory/3812-181-0x0000000000000000-mapping.dmp

Download
memory/3868-193-0x0000000000000000-mapping.dmp

Download
memory/3868-278-0x0000000000400000-0x0000000000403000-memory.dmp

Filesize
12KB

Download
memory/3932-320-0x0000000000400000-0x0000000000403000-memory.dmp

Filesize
12KB

Download
memory/3932-283-0x0000000000000000-mapping.dmp

Download
memory/4008-177-0x0000000000000000-mapping.dmp

Download
memory/4008-256-0x0000000000400000-0x0000000000403000-memory.dmp

Filesize
12KB

Download
memory/4076-307-0x0000000000400000-0x0000000000403000-memory.dmp

Filesize
12KB

Download
memory/4076-243-0x0000000000000000-mapping.dmp

Download
memory/4188-143-0x0000000000000000-mapping.dmp

Download
memory/4188-209-0x0000000000400000-0x0000000000403000-memory.dmp

Filesize
12KB

Download
memory/4388-298-0x0000000000400000-0x0000000000403000-memory.dmp

Filesize
12KB

Download
memory/4388-214-0x0000000000000000-mapping.dmp

Download
memory/4484-217-0x0000000000000000-mapping.dmp

Download
memory/4484-299-0x0000000000400000-0x0000000000403000-memory.dmp

Filesize
12KB

Download
memory/4784-229-0x0000000000000000-mapping.dmp

Download
memory/4784-303-0x0000000000400000-0x0000000000403000-memory.dmp

Filesize
12KB

Download
memory/4800-309-0x0000000000400000-0x0000000000403000-memory.dmp

Filesize
12KB

Download
memory/4800-249-0x0000000000000000-mapping.dmp

Download
memory/4808-221-0x0000000000400000-0x0000000000403000-memory.dmp

Filesize
12KB

Download
memory/4808-151-0x0000000000000000-mapping.dmp

Download
memory/4836-291-0x0000000000000000-mapping.dmp

Download
memory/4836-323-0x0000000000400000-0x0000000000403000-memory.dmp

Filesize
12KB

Download
memory/4844-147-0x0000000000000000-mapping.dmp

Download
memory/4844-215-0x0000000000400000-0x0000000000403000-memory.dmp

Filesize
12KB

Download
memory/4860-302-0x0000000000400000-0x0000000000403000-memory.dmp

Filesize
12KB

Download
memory/4860-226-0x0000000000000000-mapping.dmp

Download
memory/4888-267-0x0000000000000000-mapping.dmp

Download
memory/4888-315-0x0000000000400000-0x0000000000403000-memory.dmp

Filesize
12KB

Download
memory/4912-218-0x0000000000400000-0x0000000000403000-memory.dmp

Filesize
12KB

Download
memory/4912-149-0x0000000000000000-mapping.dmp

Download
memory/4928-145-0x0000000000000000-mapping.dmp

Download
memory/4928-212-0x0000000000400000-0x0000000000403000-memory.dmp

Filesize
12KB

Download
memory/4956-268-0x0000000000400000-0x0000000000403000-memory.dmp

Filesize
12KB

Download
memory/4956-185-0x0000000000000000-mapping.dmp

Download
memory/5032-153-0x0000000000000000-mapping.dmp

Download
memory/5032-224-0x0000000000400000-0x0000000000403000-memory.dmp

Filesize
12KB

Download
memory/5044-293-0x0000000000000000-mapping.dmp

Download