ce0498d08d3e186231338bb162a7b5d288c3a84f3040ae68224123806c647f8a

Analysis

max time kernel
148s
max time network
46s
platform
windows7_x64
resource
win7-20220901-en
resource tags

arch:x64arch:x86image:win7-20220901-enlocale:en-usos:windows7-x64system
submitted
05/12/2022, 05:28

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ce0498d08d3e186231338bb162a7b5d288c3a84f3040ae68224123806c647f8a.exe
Size

7KB
MD5

0faf8335d2f2ef587760373913f8d2a0
SHA1

f6359f487487d03071b55ebaa02c14114b8cac67
SHA256

ce0498d08d3e186231338bb162a7b5d288c3a84f3040ae68224123806c647f8a
SHA512

632008d20d3e1fd7fc255c7c8fcdbbe2127d5ee154596dbbb95367a36f22c2cbe3f550a3a6aa350c56c2bce907cb4f6ca62485a56a9163d370d51007dbe23411
SSDEEP

96:G/l32tdsBxINXIWtez1eG6P48a1JIwljdph1fdHp:G/mdsX/WteReGfdJIwrpDfdJ

Score

8^/10

persistence

Malware Config

Signatures

Executes dropped EXE 64 IoCs

pid	Process
1260	PurpleMood.scr
1728	PurpleMood.scr
2028	PurpleMood.scr
560	PurpleMood.scr
1100	PurpleMood.scr
520	PurpleMood.scr
1540	PurpleMood.scr
1652	PurpleMood.scr
1788	PurpleMood.scr
680	PurpleMood.scr
1552	PurpleMood.scr
1772	PurpleMood.scr
796	PurpleMood.scr
1512	PurpleMood.scr
552	PurpleMood.scr
1960	PurpleMood.scr
1820	PurpleMood.scr
1624	PurpleMood.scr
976	PurpleMood.scr
960	PurpleMood.scr
1716	PurpleMood.scr
428	PurpleMood.scr
1712	PurpleMood.scr
1496	PurpleMood.scr
1872	PurpleMood.scr
1572	PurpleMood.scr
1324	PurpleMood.scr
1240	PurpleMood.scr
1256	PurpleMood.scr
2040	PurpleMood.scr
1972	PurpleMood.scr
1072	PurpleMood.scr
452	PurpleMood.scr
1284	PurpleMood.scr
724	PurpleMood.scr
1528	PurpleMood.scr
1628	PurpleMood.scr
888	PurpleMood.scr
1612	PurpleMood.scr
1692	PurpleMood.scr
1456	PurpleMood.scr
1000	PurpleMood.scr
392	PurpleMood.scr
1952	PurpleMood.scr
1736	PurpleMood.scr
624	PurpleMood.scr
1364	PurpleMood.scr
1344	PurpleMood.scr
1868	PurpleMood.scr
1708	PurpleMood.scr
1176	PurpleMood.scr
1316	PurpleMood.scr
1856	PurpleMood.scr
1588	PurpleMood.scr
920	PurpleMood.scr
948	PurpleMood.scr
1640	PurpleMood.scr
1752	PurpleMood.scr
1044	PurpleMood.scr
2008	PurpleMood.scr
1568	PurpleMood.scr
1168	PurpleMood.scr
1380	PurpleMood.scr
1592	PurpleMood.scr

Loads dropped DLL 64 IoCs

pid	Process
1632	ce0498d08d3e186231338bb162a7b5d288c3a84f3040ae68224123806c647f8a.exe
1632	ce0498d08d3e186231338bb162a7b5d288c3a84f3040ae68224123806c647f8a.exe
1260	PurpleMood.scr
1260	PurpleMood.scr
1728	PurpleMood.scr
1728	PurpleMood.scr
2028	PurpleMood.scr
2028	PurpleMood.scr
560	PurpleMood.scr
560	PurpleMood.scr
1100	PurpleMood.scr
1100	PurpleMood.scr
520	PurpleMood.scr
520	PurpleMood.scr
1540	PurpleMood.scr
1540	PurpleMood.scr
1652	PurpleMood.scr
1652	PurpleMood.scr
1788	PurpleMood.scr
1788	PurpleMood.scr
680	PurpleMood.scr
680	PurpleMood.scr
1552	PurpleMood.scr
1552	PurpleMood.scr
1772	PurpleMood.scr
1772	PurpleMood.scr
796	PurpleMood.scr
796	PurpleMood.scr
1512	PurpleMood.scr
1512	PurpleMood.scr
552	PurpleMood.scr
552	PurpleMood.scr
1960	PurpleMood.scr
1960	PurpleMood.scr
1820	PurpleMood.scr
1820	PurpleMood.scr
1624	PurpleMood.scr
1624	PurpleMood.scr
976	PurpleMood.scr
976	PurpleMood.scr
960	PurpleMood.scr
960	PurpleMood.scr
1716	PurpleMood.scr
1716	PurpleMood.scr
428	PurpleMood.scr
428	PurpleMood.scr
1712	PurpleMood.scr
1712	PurpleMood.scr
1496	PurpleMood.scr
1496	PurpleMood.scr
1872	PurpleMood.scr
1872	PurpleMood.scr
1572	PurpleMood.scr
1572	PurpleMood.scr
1324	PurpleMood.scr
1324	PurpleMood.scr
1240	PurpleMood.scr
1240	PurpleMood.scr
1256	PurpleMood.scr
1256	PurpleMood.scr
2040	PurpleMood.scr
2040	PurpleMood.scr
1972	PurpleMood.scr
1972	PurpleMood.scr

Adds Run key to start application 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run	PurpleMood.scr
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run	PurpleMood.scr
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run	PurpleMood.scr
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\PurpleMood = "C:\\Windows\\system32\\PurpleMood.scr"	Process not Found
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\PurpleMood = "C:\\Windows\\system32\\PurpleMood.scr"	Process not Found
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\PurpleMood = "C:\\Windows\\system32\\PurpleMood.scr"	PurpleMood.scr
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\PurpleMood = "C:\\Windows\\system32\\PurpleMood.scr"	PurpleMood.scr
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\PurpleMood = "C:\\Windows\\system32\\PurpleMood.scr"	PurpleMood.scr
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run	PurpleMood.scr
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run	PurpleMood.scr
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run	PurpleMood.scr
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run	PurpleMood.scr
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\PurpleMood = "C:\\Windows\\system32\\PurpleMood.scr"	PurpleMood.scr
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run	PurpleMood.scr
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\PurpleMood = "C:\\Windows\\system32\\PurpleMood.scr"	Process not Found
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\PurpleMood = "C:\\Windows\\system32\\PurpleMood.scr"	Process not Found
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\PurpleMood = "C:\\Windows\\system32\\PurpleMood.scr"	Process not Found
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\PurpleMood = "C:\\Windows\\system32\\PurpleMood.scr"	PurpleMood.scr
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\PurpleMood = "C:\\Windows\\system32\\PurpleMood.scr"	PurpleMood.scr
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\PurpleMood = "C:\\Windows\\system32\\PurpleMood.scr"	Process not Found
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\PurpleMood = "C:\\Windows\\system32\\PurpleMood.scr"	Process not Found
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run	Process not Found
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run	PurpleMood.scr
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run	Process not Found
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\PurpleMood = "C:\\Windows\\system32\\PurpleMood.scr"	PurpleMood.scr
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\PurpleMood = "C:\\Windows\\system32\\PurpleMood.scr"	PurpleMood.scr
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\PurpleMood = "C:\\Windows\\system32\\PurpleMood.scr"	PurpleMood.scr
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\PurpleMood = "C:\\Windows\\system32\\PurpleMood.scr"	PurpleMood.scr
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run	PurpleMood.scr
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\PurpleMood = "C:\\Windows\\system32\\PurpleMood.scr"	PurpleMood.scr
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\PurpleMood = "C:\\Windows\\system32\\PurpleMood.scr"	PurpleMood.scr
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run	Process not Found
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run	PurpleMood.scr
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\PurpleMood = "C:\\Windows\\system32\\PurpleMood.scr"	PurpleMood.scr
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\PurpleMood = "C:\\Windows\\system32\\PurpleMood.scr"	PurpleMood.scr
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run	PurpleMood.scr
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\PurpleMood = "C:\\Windows\\system32\\PurpleMood.scr"	PurpleMood.scr
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\PurpleMood = "C:\\Windows\\system32\\PurpleMood.scr"	Process not Found
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run	Process not Found
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run	Process not Found
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run	Process not Found
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run	PurpleMood.scr
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run	PurpleMood.scr
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\PurpleMood = "C:\\Windows\\system32\\PurpleMood.scr"	PurpleMood.scr
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run	PurpleMood.scr
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\PurpleMood = "C:\\Windows\\system32\\PurpleMood.scr"	Process not Found
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\PurpleMood = "C:\\Windows\\system32\\PurpleMood.scr"	PurpleMood.scr
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\PurpleMood = "C:\\Windows\\system32\\PurpleMood.scr"	PurpleMood.scr
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\PurpleMood = "C:\\Windows\\system32\\PurpleMood.scr"	Process not Found
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\PurpleMood = "C:\\Windows\\system32\\PurpleMood.scr"	Process not Found
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\PurpleMood = "C:\\Windows\\system32\\PurpleMood.scr"	PurpleMood.scr
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\PurpleMood = "C:\\Windows\\system32\\PurpleMood.scr"	PurpleMood.scr
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run	PurpleMood.scr
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run	PurpleMood.scr
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run	PurpleMood.scr
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\PurpleMood = "C:\\Windows\\system32\\PurpleMood.scr"	Process not Found
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\PurpleMood = "C:\\Windows\\system32\\PurpleMood.scr"	PurpleMood.scr
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\PurpleMood = "C:\\Windows\\system32\\PurpleMood.scr"	Process not Found
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\PurpleMood = "C:\\Windows\\system32\\PurpleMood.scr"	PurpleMood.scr
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run	PurpleMood.scr
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run	PurpleMood.scr
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\PurpleMood = "C:\\Windows\\system32\\PurpleMood.scr"	PurpleMood.scr
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\PurpleMood = "C:\\Windows\\system32\\PurpleMood.scr"	PurpleMood.scr
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\PurpleMood = "C:\\Windows\\system32\\PurpleMood.scr"	Process not Found

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\PurpleMood.scr	PurpleMood.scr
File created	C:\Windows\SysWOW64\PurpleMood.scr	Process not Found
File created	C:\Windows\SysWOW64\PurpleMood.scr	Process not Found
File created	C:\Windows\SysWOW64\PurpleMood.scr	PurpleMood.scr
File created	C:\Windows\SysWOW64\PurpleMood.scr	Process not Found
File created	C:\Windows\SysWOW64\PurpleMood.scr	PurpleMood.scr
File created	C:\Windows\SysWOW64\PurpleMood.scr	PurpleMood.scr
File created	C:\Windows\SysWOW64\PurpleMood.scr	Process not Found
File created	C:\Windows\SysWOW64\PurpleMood.scr	Process not Found
File created	C:\Windows\SysWOW64\PurpleMood.scr	Process not Found
File created	C:\Windows\SysWOW64\PurpleMood.scr	Process not Found
File created	C:\Windows\SysWOW64\PurpleMood.scr	PurpleMood.scr
File created	C:\Windows\SysWOW64\PurpleMood.scr	PurpleMood.scr
File created	C:\Windows\SysWOW64\PurpleMood.scr	PurpleMood.scr
File created	C:\Windows\SysWOW64\PurpleMood.scr	PurpleMood.scr
File created	C:\Windows\SysWOW64\PurpleMood.scr	Process not Found
File created	C:\Windows\SysWOW64\PurpleMood.scr	PurpleMood.scr
File created	C:\Windows\SysWOW64\PurpleMood.scr	PurpleMood.scr
File created	C:\Windows\SysWOW64\PurpleMood.scr	PurpleMood.scr
File created	C:\Windows\SysWOW64\PurpleMood.scr	PurpleMood.scr
File created	C:\Windows\SysWOW64\PurpleMood.scr	PurpleMood.scr
File created	C:\Windows\SysWOW64\PurpleMood.scr	PurpleMood.scr
File created	C:\Windows\SysWOW64\PurpleMood.scr	PurpleMood.scr
File created	C:\Windows\SysWOW64\PurpleMood.scr	PurpleMood.scr
File created	C:\Windows\SysWOW64\PurpleMood.scr	PurpleMood.scr
File created	C:\Windows\SysWOW64\PurpleMood.scr	Process not Found
File created	C:\Windows\SysWOW64\PurpleMood.scr	Process not Found
File created	C:\Windows\SysWOW64\PurpleMood.scr	PurpleMood.scr
File created	C:\Windows\SysWOW64\PurpleMood.scr	Process not Found
File created	C:\Windows\SysWOW64\PurpleMood.scr	PurpleMood.scr
File created	C:\Windows\SysWOW64\PurpleMood.scr	PurpleMood.scr
File created	C:\Windows\SysWOW64\PurpleMood.scr	PurpleMood.scr
File created	C:\Windows\SysWOW64\PurpleMood.scr	PurpleMood.scr
File created	C:\Windows\SysWOW64\PurpleMood.scr	Process not Found
File created	C:\Windows\SysWOW64\PurpleMood.scr	Process not Found
File created	C:\Windows\SysWOW64\PurpleMood.scr	Process not Found
File created	C:\Windows\SysWOW64\PurpleMood.scr	Process not Found
File created	C:\Windows\SysWOW64\PurpleMood.scr	PurpleMood.scr
File created	C:\Windows\SysWOW64\PurpleMood.scr	Process not Found
File created	C:\Windows\SysWOW64\PurpleMood.scr	Process not Found
File created	C:\Windows\SysWOW64\PurpleMood.scr	PurpleMood.scr
File created	C:\Windows\SysWOW64\PurpleMood.scr	PurpleMood.scr
File created	C:\Windows\SysWOW64\PurpleMood.scr	Process not Found
File created	C:\Windows\SysWOW64\PurpleMood.scr	PurpleMood.scr
File created	C:\Windows\SysWOW64\PurpleMood.scr	PurpleMood.scr
File created	C:\Windows\SysWOW64\PurpleMood.scr	PurpleMood.scr
File created	C:\Windows\SysWOW64\PurpleMood.scr	PurpleMood.scr
File created	C:\Windows\SysWOW64\PurpleMood.scr	Process not Found
File created	C:\Windows\SysWOW64\PurpleMood.scr	Process not Found
File created	C:\Windows\SysWOW64\PurpleMood.scr	PurpleMood.scr
File created	C:\Windows\SysWOW64\PurpleMood.scr	PurpleMood.scr
File created	C:\Windows\SysWOW64\PurpleMood.scr	PurpleMood.scr
File created	C:\Windows\SysWOW64\PurpleMood.scr	Process not Found
File created	C:\Windows\SysWOW64\PurpleMood.scr	Process not Found
File created	C:\Windows\SysWOW64\PurpleMood.scr	PurpleMood.scr
File created	C:\Windows\SysWOW64\PurpleMood.scr	PurpleMood.scr
File created	C:\Windows\SysWOW64\PurpleMood.scr	PurpleMood.scr
File created	C:\Windows\SysWOW64\PurpleMood.scr	PurpleMood.scr
File created	C:\Windows\SysWOW64\PurpleMood.scr	PurpleMood.scr
File created	C:\Windows\SysWOW64\PurpleMood.scr	Process not Found
File created	C:\Windows\SysWOW64\PurpleMood.scr	PurpleMood.scr
File created	C:\Windows\SysWOW64\PurpleMood.scr	PurpleMood.scr
File created	C:\Windows\SysWOW64\PurpleMood.scr	PurpleMood.scr
File created	C:\Windows\SysWOW64\PurpleMood.scr	PurpleMood.scr

Program crash 64 IoCs

pid	pid_target	Process	procid_target
12492	1632	Process not Found	27
12500	1260	Process not Found	28
12516	2028	Process not Found	30
12544	1100	Process not Found	32
12568	1728	Process not Found	29
12560	560	Process not Found	31
12584	1652	Process not Found	35
12604	1788	Process not Found	36
12640	1540	Process not Found	34
12664	520	Process not Found	33
12688	680	Process not Found	37
12740	552	Process not Found	42
12720	1772	Process not Found	39
12792	796	Process not Found	40
12732	1552	Process not Found	38
12712	1512	Process not Found	41
12812	1624	Process not Found	45
12892	2040	Process not Found	57
13004	452	Process not Found	60
12996	1692	Process not Found	66
12988	888	Process not Found	65
12924	1496	Process not Found	51
13108	1000	Process not Found	69
13100	1952	Process not Found	71
13216	624	Process not Found	73
13276	1364	Process not Found	74
13208	1344	Process not Found	75
13184	1736	Process not Found	72
12916	976	Process not Found	46
12908	1820	Process not Found	44
12900	1716	Process not Found	48
13084	392	Process not Found	70
13076	1456	Process not Found	68
13068	1612	Process not Found	67
13060	1712	Process not Found	50
13052	1872	Process not Found	52
13044	1324	Process not Found	54
13036	1256	Process not Found	56
13028	1972	Process not Found	58
13020	724	Process not Found	62
13012	1628	Process not Found	64
12932	1960	Process not Found	43
12980	1284	Process not Found	61
12972	1072	Process not Found	59
12964	1528	Process not Found	63
12956	1240	Process not Found	55
12948	1572	Process not Found	53
12824	428	Process not Found	49
12940	960	Process not Found	47
13336	1588	Process not Found	81
13432	1316	Process not Found	79
13464	1980	Process not Found	103
13472	2060	Process not Found	105
13480	2124	Process not Found	113
13488	2108	Process not Found	111
13496	2236	Process not Found	127
13688	2076	Process not Found	107
13504	1792	Process not Found	99
13360	1012	Process not Found	95
13368	1780	Process not Found	97
13376	1016	Process not Found	92
13384	1592	Process not Found	91
13400	2008	Process not Found	87
13408	1752	Process not Found	85

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1632 wrote to memory of 1260	1632	ce0498d08d3e186231338bb162a7b5d288c3a84f3040ae68224123806c647f8a.exe	28
PID 1632 wrote to memory of 1260	1632	ce0498d08d3e186231338bb162a7b5d288c3a84f3040ae68224123806c647f8a.exe	28
PID 1632 wrote to memory of 1260	1632	ce0498d08d3e186231338bb162a7b5d288c3a84f3040ae68224123806c647f8a.exe	28
PID 1632 wrote to memory of 1260	1632	ce0498d08d3e186231338bb162a7b5d288c3a84f3040ae68224123806c647f8a.exe	28
PID 1260 wrote to memory of 1728	1260	PurpleMood.scr	29
PID 1260 wrote to memory of 1728	1260	PurpleMood.scr	29
PID 1260 wrote to memory of 1728	1260	PurpleMood.scr	29
PID 1260 wrote to memory of 1728	1260	PurpleMood.scr	29
PID 1728 wrote to memory of 2028	1728	PurpleMood.scr	30
PID 1728 wrote to memory of 2028	1728	PurpleMood.scr	30
PID 1728 wrote to memory of 2028	1728	PurpleMood.scr	30
PID 1728 wrote to memory of 2028	1728	PurpleMood.scr	30
PID 2028 wrote to memory of 560	2028	PurpleMood.scr	31
PID 2028 wrote to memory of 560	2028	PurpleMood.scr	31
PID 2028 wrote to memory of 560	2028	PurpleMood.scr	31
PID 2028 wrote to memory of 560	2028	PurpleMood.scr	31
PID 560 wrote to memory of 1100	560	PurpleMood.scr	32
PID 560 wrote to memory of 1100	560	PurpleMood.scr	32
PID 560 wrote to memory of 1100	560	PurpleMood.scr	32
PID 560 wrote to memory of 1100	560	PurpleMood.scr	32
PID 1100 wrote to memory of 520	1100	PurpleMood.scr	33
PID 1100 wrote to memory of 520	1100	PurpleMood.scr	33
PID 1100 wrote to memory of 520	1100	PurpleMood.scr	33
PID 1100 wrote to memory of 520	1100	PurpleMood.scr	33
PID 520 wrote to memory of 1540	520	PurpleMood.scr	34
PID 520 wrote to memory of 1540	520	PurpleMood.scr	34
PID 520 wrote to memory of 1540	520	PurpleMood.scr	34
PID 520 wrote to memory of 1540	520	PurpleMood.scr	34
PID 1540 wrote to memory of 1652	1540	PurpleMood.scr	35
PID 1540 wrote to memory of 1652	1540	PurpleMood.scr	35
PID 1540 wrote to memory of 1652	1540	PurpleMood.scr	35
PID 1540 wrote to memory of 1652	1540	PurpleMood.scr	35
PID 1652 wrote to memory of 1788	1652	PurpleMood.scr	36
PID 1652 wrote to memory of 1788	1652	PurpleMood.scr	36
PID 1652 wrote to memory of 1788	1652	PurpleMood.scr	36
PID 1652 wrote to memory of 1788	1652	PurpleMood.scr	36
PID 1788 wrote to memory of 680	1788	PurpleMood.scr	37
PID 1788 wrote to memory of 680	1788	PurpleMood.scr	37
PID 1788 wrote to memory of 680	1788	PurpleMood.scr	37
PID 1788 wrote to memory of 680	1788	PurpleMood.scr	37
PID 680 wrote to memory of 1552	680	PurpleMood.scr	38
PID 680 wrote to memory of 1552	680	PurpleMood.scr	38
PID 680 wrote to memory of 1552	680	PurpleMood.scr	38
PID 680 wrote to memory of 1552	680	PurpleMood.scr	38
PID 1552 wrote to memory of 1772	1552	PurpleMood.scr	39
PID 1552 wrote to memory of 1772	1552	PurpleMood.scr	39
PID 1552 wrote to memory of 1772	1552	PurpleMood.scr	39
PID 1552 wrote to memory of 1772	1552	PurpleMood.scr	39
PID 1772 wrote to memory of 796	1772	PurpleMood.scr	40
PID 1772 wrote to memory of 796	1772	PurpleMood.scr	40
PID 1772 wrote to memory of 796	1772	PurpleMood.scr	40
PID 1772 wrote to memory of 796	1772	PurpleMood.scr	40
PID 796 wrote to memory of 1512	796	PurpleMood.scr	41
PID 796 wrote to memory of 1512	796	PurpleMood.scr	41
PID 796 wrote to memory of 1512	796	PurpleMood.scr	41
PID 796 wrote to memory of 1512	796	PurpleMood.scr	41
PID 1512 wrote to memory of 552	1512	PurpleMood.scr	42
PID 1512 wrote to memory of 552	1512	PurpleMood.scr	42
PID 1512 wrote to memory of 552	1512	PurpleMood.scr	42
PID 1512 wrote to memory of 552	1512	PurpleMood.scr	42
PID 552 wrote to memory of 1960	552	PurpleMood.scr	43
PID 552 wrote to memory of 1960	552	PurpleMood.scr	43
PID 552 wrote to memory of 1960	552	PurpleMood.scr	43
PID 552 wrote to memory of 1960	552	PurpleMood.scr	43

C:\Users\Admin\AppData\Local\Temp\ce0498d08d3e186231338bb162a7b5d288c3a84f3040ae68224123806c647f8a.exe
"C:\Users\Admin\AppData\Local\Temp\ce0498d08d3e186231338bb162a7b5d288c3a84f3040ae68224123806c647f8a.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1632
- C:\Windows\SysWOW64\PurpleMood.scr
  C:\Windows\system32\PurpleMood.scr
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:1260
- - C:\Windows\SysWOW64\PurpleMood.scr
    C:\Windows\system32\PurpleMood.scr
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:1728
  - - C:\Windows\SysWOW64\PurpleMood.scr
      C:\Windows\system32\PurpleMood.scr
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Suspicious use of WriteProcessMemory
      PID:2028
    - - C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of WriteProcessMemory
        
        PID:560
      - C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of WriteProcessMemory
        
        PID:1100
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        7⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of WriteProcessMemory
        
        PID:520
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        8⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of WriteProcessMemory
        
        PID:1540
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        9⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of WriteProcessMemory
        
        PID:1652
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        10⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of WriteProcessMemory
        
        PID:1788
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        11⤵
        Executes dropped EXE
        Loads dropped DLL
        Adds Run key to start application
        Suspicious use of WriteProcessMemory
        
        PID:680
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        12⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of WriteProcessMemory
        
        PID:1552
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        13⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of WriteProcessMemory
        
        PID:1772
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        14⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of WriteProcessMemory
        
        PID:796
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        15⤵
        Executes dropped EXE
        Loads dropped DLL
        Adds Run key to start application
        Suspicious use of WriteProcessMemory
        
        PID:1512
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        16⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of WriteProcessMemory
        
        PID:552
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        17⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:1960
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        18⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:1820
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        19⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:1624
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        20⤵
        Executes dropped EXE
        Loads dropped DLL
        Adds Run key to start application
        
        PID:976
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        21⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:960
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        22⤵
        Executes dropped EXE
        Loads dropped DLL
        Adds Run key to start application
        
        PID:1716
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        23⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:428
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        24⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:1712
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        25⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:1496
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        26⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:1872
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        27⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:1572
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        28⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:1324
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        29⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:1240
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        30⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:1256
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        31⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:2040
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        32⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:1972
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        33⤵
        Executes dropped EXE
        
        PID:1072
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        34⤵
        Executes dropped EXE
        
        PID:452
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        35⤵
        Executes dropped EXE
        
        PID:1284
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        36⤵
        Executes dropped EXE
        
        PID:724
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        37⤵
        Executes dropped EXE
        
        PID:1528
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        38⤵
        Executes dropped EXE
        
        PID:1628
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        39⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:888
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        40⤵
        Executes dropped EXE
        
        PID:1612

C:\Windows\SysWOW64\PurpleMood.scr
C:\Windows\system32\PurpleMood.scr
1⤵
- Executes dropped EXE
- Adds Run key to start application
PID:1692
- C:\Windows\SysWOW64\PurpleMood.scr
  C:\Windows\system32\PurpleMood.scr
  2⤵
  - Executes dropped EXE
  PID:1456
- - C:\Windows\SysWOW64\PurpleMood.scr
    C:\Windows\system32\PurpleMood.scr
    3⤵
    - Executes dropped EXE
    PID:1000
  - - C:\Windows\SysWOW64\PurpleMood.scr
      C:\Windows\system32\PurpleMood.scr
      4⤵
      Executes dropped EXE
      Drops file in System32 directory
      PID:392
    - - C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        5⤵
        Executes dropped EXE
        
        PID:1952
      - C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        6⤵
        Executes dropped EXE
        
        PID:1736
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        7⤵
        Executes dropped EXE
        
        PID:624
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        8⤵
        Executes dropped EXE
        
        PID:1364
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        9⤵
        Executes dropped EXE
        
        PID:1344
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        10⤵
        Executes dropped EXE
        
        PID:1868
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        11⤵
        Executes dropped EXE
        
        PID:1708
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        12⤵
        Executes dropped EXE
        
        PID:1176
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        13⤵
        Executes dropped EXE
        
        PID:1316
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        14⤵
        Executes dropped EXE
        
        PID:1856
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        15⤵
        Executes dropped EXE
        
        PID:1588
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        16⤵
        Executes dropped EXE
        
        PID:920
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        17⤵
        Executes dropped EXE
        
        PID:948
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        18⤵
        Executes dropped EXE
        
        PID:1640
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        19⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1752
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        20⤵
        Executes dropped EXE
        
        PID:1044
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        21⤵
        Executes dropped EXE
        
        PID:2008
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        22⤵
        Executes dropped EXE
        
        PID:1568
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        23⤵
        Executes dropped EXE
        
        PID:1168
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        24⤵
        Executes dropped EXE
        
        PID:1380
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        25⤵
        Executes dropped EXE
        
        PID:1592
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        26⤵
        
        PID:1064

C:\Windows\SysWOW64\PurpleMood.scr
C:\Windows\system32\PurpleMood.scr
1⤵
PID:1016
- C:\Windows\SysWOW64\PurpleMood.scr
  C:\Windows\system32\PurpleMood.scr
  2⤵
  PID:2044
- - C:\Windows\SysWOW64\PurpleMood.scr
    C:\Windows\system32\PurpleMood.scr
    3⤵
    PID:1012
  - - C:\Windows\SysWOW64\PurpleMood.scr
      C:\Windows\system32\PurpleMood.scr
      4⤵
      PID:1132
    - - C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        5⤵
        
        PID:1780
      - C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        6⤵
        
        PID:1580
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        7⤵
        
        PID:1792
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        8⤵
        
        PID:572
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        9⤵
        
        PID:284
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        10⤵
        
        PID:820
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        11⤵
        
        PID:1980
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        12⤵
        
        PID:2052
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        13⤵
        
        PID:2060
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        14⤵
        
        PID:2068
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        15⤵
        
        PID:2076
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        16⤵
        
        PID:2084
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        17⤵
        
        PID:2092
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        18⤵
        
        PID:2100
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        19⤵
        
        PID:2108
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        20⤵
        
        PID:2116
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        21⤵
        
        PID:2124
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        22⤵
        
        PID:2132
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        23⤵
        
        PID:2140
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        24⤵
        
        PID:2148
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        25⤵
        
        PID:2156
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        26⤵
        
        PID:2164
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        27⤵
        
        PID:2172
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        28⤵
        
        PID:2180
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        29⤵
        
        PID:2188
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        30⤵
        
        PID:2196
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        31⤵
        
        PID:2204
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        32⤵
        
        PID:2212
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        33⤵
        
        PID:2220
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        34⤵
        
        PID:2228
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        35⤵
        
        PID:2236
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        36⤵
        
        PID:2244
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        37⤵
        
        PID:2252
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        38⤵
        
        PID:2260
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        39⤵
        
        PID:2268
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        40⤵
        
        PID:2276
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        41⤵
        
        PID:2284
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        42⤵
        
        PID:2292
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        43⤵
        
        PID:2300
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        44⤵
        
        PID:2308
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        45⤵
        
        PID:2316
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        46⤵
        
        PID:2324
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        47⤵
        
        PID:2332
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        48⤵
        
        PID:2340
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        49⤵
        
        PID:2348
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        50⤵
        
        PID:2356
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        51⤵
        
        PID:2364
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        52⤵
        
        PID:2372
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        53⤵
        
        PID:2380
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        54⤵
        
        PID:2388
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        55⤵
        
        PID:2396
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        56⤵
        
        PID:2404
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        57⤵
        
        PID:2412
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        58⤵
        
        PID:2420
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        59⤵
        Drops file in System32 directory
        
        PID:2428
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        60⤵
        
        PID:2436
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        61⤵
        
        PID:2444
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        62⤵
        
        PID:2452
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        63⤵
        
        PID:2460
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        64⤵
        
        PID:2468

C:\Windows\SysWOW64\PurpleMood.scr
C:\Windows\system32\PurpleMood.scr
1⤵
PID:2476
- C:\Windows\SysWOW64\PurpleMood.scr
  C:\Windows\system32\PurpleMood.scr
  2⤵
  PID:2484
- - C:\Windows\SysWOW64\PurpleMood.scr
    C:\Windows\system32\PurpleMood.scr
    3⤵
    PID:2492
  - - C:\Windows\SysWOW64\PurpleMood.scr
      C:\Windows\system32\PurpleMood.scr
      4⤵
      PID:2500
    - - C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        5⤵
        
        PID:2508
      - C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        6⤵
        
        PID:2516
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        7⤵
        
        PID:2524
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        8⤵
        
        PID:2532
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        9⤵
        
        PID:2540
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        10⤵
        
        PID:2560

C:\Windows\SysWOW64\PurpleMood.scr
C:\Windows\system32\PurpleMood.scr
1⤵
PID:2576
- C:\Windows\SysWOW64\PurpleMood.scr
  C:\Windows\system32\PurpleMood.scr
  2⤵
  PID:2588
- - C:\Windows\SysWOW64\PurpleMood.scr
    C:\Windows\system32\PurpleMood.scr
    3⤵
    PID:2600
  - - C:\Windows\SysWOW64\PurpleMood.scr
      C:\Windows\system32\PurpleMood.scr
      4⤵
      PID:2612

C:\Windows\SysWOW64\PurpleMood.scr
C:\Windows\system32\PurpleMood.scr
1⤵
PID:2624
- C:\Windows\SysWOW64\PurpleMood.scr
  C:\Windows\system32\PurpleMood.scr
  2⤵
  PID:2636
- - C:\Windows\SysWOW64\PurpleMood.scr
    C:\Windows\system32\PurpleMood.scr
    3⤵
    PID:2652
  - - C:\Windows\SysWOW64\PurpleMood.scr
      C:\Windows\system32\PurpleMood.scr
      4⤵
      PID:2668
    - - C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        5⤵
        
        PID:2680
      - C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        6⤵
        
        PID:2692
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        7⤵
        
        PID:2712
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        8⤵
        
        PID:2724
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        9⤵
        
        PID:2736
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        10⤵
        
        PID:2752
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        11⤵
        
        PID:2764
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        12⤵
        
        PID:2780
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        13⤵
        Drops file in System32 directory
        
        PID:2796
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        14⤵
        
        PID:2808
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        15⤵
        
        PID:2824
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        16⤵
        
        PID:2840
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        17⤵
        
        PID:2852
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        18⤵
        
        PID:2864
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        19⤵
        
        PID:2880
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        20⤵
        
        PID:2896
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        21⤵
        
        PID:2908
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        22⤵
        
        PID:2924
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        23⤵
        
        PID:2940
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        24⤵
        
        PID:2948
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        25⤵
        
        PID:2964
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        26⤵
        
        PID:2976
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        27⤵
        Adds Run key to start application
        
        PID:2988
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        28⤵
        
        PID:3008
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        29⤵
        
        PID:3020
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        30⤵
        
        PID:3036
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        31⤵
        
        PID:3052
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        32⤵
        Adds Run key to start application
        
        PID:3068
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        33⤵
        
        PID:2552
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        34⤵
        
        PID:2596
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        35⤵
        
        PID:2660
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        36⤵
        
        PID:2664
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        37⤵
        
        PID:2700
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        38⤵
        
        PID:2732
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        39⤵
        
        PID:2760
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        40⤵
        
        PID:2792
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        41⤵
        
        PID:2836
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        42⤵
        
        PID:2872
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        43⤵
        
        PID:2892
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        44⤵
        
        PID:2920
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        45⤵
        
        PID:2960
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        46⤵
        
        PID:3000
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        47⤵
        
        PID:3032
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        48⤵
        
        PID:3064
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        49⤵
        
        PID:2644
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        50⤵
        
        PID:1936
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        51⤵
        
        PID:2748
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        52⤵
        
        PID:2776
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        53⤵
        
        PID:2888
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        54⤵
        
        PID:2936
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        55⤵
        Drops file in System32 directory
        
        PID:3016
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        56⤵
        
        PID:3060
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        57⤵
        
        PID:2620
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        58⤵
        
        PID:2804
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        59⤵
        
        PID:2956
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        60⤵
        
        PID:2568
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        61⤵
        
        PID:2984
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        62⤵
        
        PID:2860
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        63⤵
        
        PID:3076
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        64⤵
        
        PID:3084
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        65⤵
        
        PID:3092
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        66⤵
        
        PID:3100
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        67⤵
        
        PID:3108
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        68⤵
        Adds Run key to start application
        
        PID:3116
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        69⤵
        
        PID:3124
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        70⤵
        
        PID:3132
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        71⤵
        
        PID:3140
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        72⤵
        
        PID:3148
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        73⤵
        
        PID:3156
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        74⤵
        
        PID:3164
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        75⤵
        
        PID:3172
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        76⤵
        Adds Run key to start application
        
        PID:3180
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        77⤵
        Drops file in System32 directory
        
        PID:3188
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        78⤵
        
        PID:3196
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        79⤵
        
        PID:3204
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        80⤵
        
        PID:3212
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        81⤵
        
        PID:3220
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        82⤵
        
        PID:3228
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        83⤵
        
        PID:3236
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        84⤵
        
        PID:3244
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        85⤵
        
        PID:3252
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        86⤵
        
        PID:3260
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        87⤵
        
        PID:3268
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        88⤵
        
        PID:3276
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        89⤵
        
        PID:3284
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        90⤵
        
        PID:3292
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        91⤵
        
        PID:3300
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        92⤵
        Drops file in System32 directory
        
        PID:3308
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        93⤵
        
        PID:3316
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        94⤵
        
        PID:3324
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        95⤵
        Adds Run key to start application
        
        PID:3332
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        96⤵
        
        PID:3340
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        97⤵
        
        PID:3348
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        98⤵
        
        PID:3356
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        99⤵
        
        PID:3364
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        100⤵
        
        PID:3372
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        101⤵
        
        PID:3380
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        102⤵
        
        PID:3388
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        103⤵
        
        PID:3396
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        104⤵
        
        PID:3404
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        105⤵
        
        PID:3412
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        106⤵
        
        PID:3420
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        107⤵
        Adds Run key to start application
        
        PID:3428
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        108⤵
        
        PID:3436
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        109⤵
        
        PID:3444
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        110⤵
        Drops file in System32 directory
        
        PID:3452
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        111⤵
        
        PID:3460
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        112⤵
        
        PID:3468
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        113⤵
        
        PID:3476
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        114⤵
        
        PID:3484
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        115⤵
        
        PID:3492
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        116⤵
        
        PID:3500
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        117⤵
        
        PID:3508
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        118⤵
        
        PID:3516
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        119⤵
        
        PID:3524
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        120⤵
        
        PID:3532
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        121⤵
        
        PID:3540
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        122⤵
        
        PID:3548
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        123⤵
        
        PID:3556
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        124⤵
        
        PID:3564
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        125⤵
        Adds Run key to start application
        
        PID:3572
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        126⤵
        
        PID:3588
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        127⤵
        
        PID:3600
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        128⤵
        
        PID:3616
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        129⤵
        
        PID:3632
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        130⤵
        
        PID:3644
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        131⤵
        
        PID:3660
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        132⤵
        
        PID:3676
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        133⤵
        
        PID:3688
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        134⤵
        
        PID:3704
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        135⤵
        
        PID:3716
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        136⤵
        Adds Run key to start application
        
        PID:3732
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        137⤵
        
        PID:3748
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        138⤵
        
        PID:3760
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        139⤵
        
        PID:3776
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        140⤵
        
        PID:3792
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        141⤵
        
        PID:3804
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        142⤵
        
        PID:3820
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        143⤵
        
        PID:3836
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        144⤵
        
        PID:3852
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        145⤵
        
        PID:3864
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        146⤵
        
        PID:3880
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        147⤵
        
        PID:3896
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        148⤵
        
        PID:3912
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        149⤵
        
        PID:3924
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        150⤵
        
        PID:3936
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        151⤵
        
        PID:3956
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        152⤵
        
        PID:3968
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        153⤵
        
        PID:3980
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        154⤵
        
        PID:4000
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        155⤵
        
        PID:4016
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        156⤵
        
        PID:4032
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        157⤵
        
        PID:4048
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        158⤵
        
        PID:4060
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        159⤵
        
        PID:4068
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        160⤵
        
        PID:4076
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        161⤵
        Adds Run key to start application
        
        PID:4084
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        162⤵
        
        PID:4092
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        163⤵
        
        PID:3584
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        164⤵
        
        PID:3608
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        165⤵
        
        PID:3628
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        166⤵
        
        PID:3640
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        167⤵
        
        PID:3668
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        168⤵
        
        PID:3684
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        169⤵
        
        PID:3700
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        170⤵
        
        PID:3724
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        171⤵
        
        PID:3740
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        172⤵
        
        PID:3756
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        173⤵
        
        PID:3772
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        174⤵
        
        PID:3788
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        175⤵
        
        PID:3812
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        176⤵
        
        PID:3828
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        177⤵
        
        PID:3844
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        178⤵
        
        PID:3860
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        179⤵
        
        PID:3876
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        180⤵
        
        PID:3888
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        181⤵
        
        PID:3908
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        182⤵
        
        PID:3932
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        183⤵
        Adds Run key to start application
        
        PID:3952
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        184⤵
        Drops file in System32 directory
        
        PID:3964
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        185⤵
        
        PID:3992
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        186⤵
        
        PID:4008
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        187⤵
        
        PID:4040
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        188⤵
        
        PID:4024
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        189⤵
        
        PID:4056
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        190⤵
        
        PID:4104
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        191⤵
        
        PID:4112
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        192⤵
        
        PID:4120
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        193⤵
        
        PID:4128
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        194⤵
        
        PID:4136
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        195⤵
        
        PID:4144
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        196⤵
        
        PID:4152
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        197⤵
        Adds Run key to start application
        
        PID:4160
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        198⤵
        
        PID:4168
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        199⤵
        
        PID:4176
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        200⤵
        
        PID:4184
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        201⤵
        
        PID:4192
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        202⤵
        
        PID:4200
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        203⤵
        
        PID:4208
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        204⤵
        
        PID:4216
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        205⤵
        
        PID:4224
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        206⤵
        
        PID:4232
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        207⤵
        
        PID:4240
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        208⤵
        
        PID:4248
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        209⤵
        
        PID:4256
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        210⤵
        
        PID:4264
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        211⤵
        
        PID:4272

C:\Windows\SysWOW64\PurpleMood.scr
C:\Windows\system32\PurpleMood.scr
1⤵
PID:4280
- C:\Windows\SysWOW64\PurpleMood.scr
  C:\Windows\system32\PurpleMood.scr
  2⤵
  - Adds Run key to start application
  PID:4288
- - C:\Windows\SysWOW64\PurpleMood.scr
    C:\Windows\system32\PurpleMood.scr
    3⤵
    PID:4296
  - - C:\Windows\SysWOW64\PurpleMood.scr
      C:\Windows\system32\PurpleMood.scr
      4⤵
      PID:4304
    - - C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        5⤵
        
        PID:4312
      - C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        6⤵
        
        PID:4320
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        7⤵
        
        PID:4328
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        8⤵
        
        PID:4336
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        9⤵
        
        PID:4344
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        10⤵
        
        PID:4352
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        11⤵
        
        PID:4360
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        12⤵
        
        PID:4368
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        13⤵
        
        PID:4376
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        14⤵
        
        PID:4384

C:\Windows\SysWOW64\PurpleMood.scr
C:\Windows\system32\PurpleMood.scr
1⤵
PID:4392
- C:\Windows\SysWOW64\PurpleMood.scr
  C:\Windows\system32\PurpleMood.scr
  2⤵
  PID:4400
- - C:\Windows\SysWOW64\PurpleMood.scr
    C:\Windows\system32\PurpleMood.scr
    3⤵
    PID:4408
  - - C:\Windows\SysWOW64\PurpleMood.scr
      C:\Windows\system32\PurpleMood.scr
      4⤵
      PID:4416
    - - C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        5⤵
        
        PID:4424

C:\Windows\SysWOW64\PurpleMood.scr
C:\Windows\system32\PurpleMood.scr
1⤵
PID:4432
- C:\Windows\SysWOW64\PurpleMood.scr
  C:\Windows\system32\PurpleMood.scr
  2⤵
  PID:4440
- - C:\Windows\SysWOW64\PurpleMood.scr
    C:\Windows\system32\PurpleMood.scr
    3⤵
    PID:4448
  - - C:\Windows\SysWOW64\PurpleMood.scr
      C:\Windows\system32\PurpleMood.scr
      4⤵
      PID:4456

C:\Windows\SysWOW64\PurpleMood.scr
C:\Windows\system32\PurpleMood.scr
1⤵
PID:4472
- C:\Windows\SysWOW64\PurpleMood.scr
  C:\Windows\system32\PurpleMood.scr
  2⤵
  - Adds Run key to start application
  PID:4496
- - C:\Windows\SysWOW64\PurpleMood.scr
    C:\Windows\system32\PurpleMood.scr
    3⤵
    PID:4508
  - - C:\Windows\SysWOW64\PurpleMood.scr
      C:\Windows\system32\PurpleMood.scr
      4⤵
      PID:4520

C:\Windows\SysWOW64\PurpleMood.scr
C:\Windows\system32\PurpleMood.scr
1⤵
PID:4540
- C:\Windows\SysWOW64\PurpleMood.scr
  C:\Windows\system32\PurpleMood.scr
  2⤵
  PID:4552
- - C:\Windows\SysWOW64\PurpleMood.scr
    C:\Windows\system32\PurpleMood.scr
    3⤵
    PID:4564
  - - C:\Windows\SysWOW64\PurpleMood.scr
      C:\Windows\system32\PurpleMood.scr
      4⤵
      PID:4580
    - - C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        5⤵
        
        PID:4592
      - C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        6⤵
        
        PID:4608
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        7⤵
        
        PID:4624
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        8⤵
        
        PID:4636
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        9⤵
        
        PID:4648

C:\Windows\SysWOW64\PurpleMood.scr
C:\Windows\system32\PurpleMood.scr
1⤵
PID:4660
- C:\Windows\SysWOW64\PurpleMood.scr
  C:\Windows\system32\PurpleMood.scr
  2⤵
  PID:4676
- - C:\Windows\SysWOW64\PurpleMood.scr
    C:\Windows\system32\PurpleMood.scr
    3⤵
    PID:4688

C:\Windows\SysWOW64\PurpleMood.scr
C:\Windows\system32\PurpleMood.scr
1⤵
PID:4700
- C:\Windows\SysWOW64\PurpleMood.scr
  C:\Windows\system32\PurpleMood.scr
  2⤵
  PID:4716
- - C:\Windows\SysWOW64\PurpleMood.scr
    C:\Windows\system32\PurpleMood.scr
    3⤵
    PID:4732
  - - C:\Windows\SysWOW64\PurpleMood.scr
      C:\Windows\system32\PurpleMood.scr
      4⤵
      PID:4740
    - - C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        5⤵
        
        PID:4748

C:\Windows\SysWOW64\PurpleMood.scr
C:\Windows\system32\PurpleMood.scr
1⤵
PID:4764
- C:\Windows\SysWOW64\PurpleMood.scr
  C:\Windows\system32\PurpleMood.scr
  2⤵
  - Drops file in System32 directory
  PID:4772
- - C:\Windows\SysWOW64\PurpleMood.scr
    C:\Windows\system32\PurpleMood.scr
    3⤵
    PID:4780
  - - C:\Windows\SysWOW64\PurpleMood.scr
      C:\Windows\system32\PurpleMood.scr
      4⤵
      PID:4788
    - - C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        5⤵
        
        PID:4796

C:\Windows\SysWOW64\PurpleMood.scr
C:\Windows\system32\PurpleMood.scr
1⤵
PID:4756

C:\Windows\SysWOW64\PurpleMood.scr
C:\Windows\system32\PurpleMood.scr
1⤵
PID:4804
- C:\Windows\SysWOW64\PurpleMood.scr
  C:\Windows\system32\PurpleMood.scr
  2⤵
  PID:4812
- - C:\Windows\SysWOW64\PurpleMood.scr
    C:\Windows\system32\PurpleMood.scr
    3⤵
    PID:4820
  - - C:\Windows\SysWOW64\PurpleMood.scr
      C:\Windows\system32\PurpleMood.scr
      4⤵
      PID:4828
    - - C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        5⤵
        
        PID:4836
      - C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        6⤵
        
        PID:4844
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        7⤵
        
        PID:4852

C:\Windows\SysWOW64\PurpleMood.scr
C:\Windows\system32\PurpleMood.scr
1⤵
- Drops file in System32 directory
PID:4868
- C:\Windows\SysWOW64\PurpleMood.scr
  C:\Windows\system32\PurpleMood.scr
  2⤵
  - Adds Run key to start application
  PID:4876
- - C:\Windows\SysWOW64\PurpleMood.scr
    C:\Windows\system32\PurpleMood.scr
    3⤵
    PID:4884
  - - C:\Windows\SysWOW64\PurpleMood.scr
      C:\Windows\system32\PurpleMood.scr
      4⤵
      PID:4892
    - - C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        5⤵
        
        PID:4900
      - C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        6⤵
        
        PID:4908
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        7⤵
        
        PID:4916
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        8⤵
        
        PID:4924
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        9⤵
        Drops file in System32 directory
        
        PID:4932
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        10⤵
        
        PID:4940
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        11⤵
        
        PID:4948
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        12⤵
        
        PID:4956
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        13⤵
        
        PID:4964
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        14⤵
        
        PID:4972
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        15⤵
        
        PID:4980
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        16⤵
        
        PID:4988
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        17⤵
        
        PID:4996
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        18⤵
        
        PID:5004
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        19⤵
        
        PID:5012
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        20⤵
        
        PID:5020
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        21⤵
        
        PID:5028
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        22⤵
        
        PID:5036
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        23⤵
        
        PID:5044
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        24⤵
        
        PID:5052
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        25⤵
        
        PID:5060
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        26⤵
        
        PID:5068
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        27⤵
        
        PID:5076
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        28⤵
        
        PID:5084
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        29⤵
        
        PID:5092
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        30⤵
        
        PID:5100
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        31⤵
        Adds Run key to start application
        
        PID:5108
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        32⤵
        
        PID:5116
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        33⤵
        Adds Run key to start application
        
        PID:4468
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        34⤵
        
        PID:4484
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        35⤵
        
        PID:4492
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        36⤵
        
        PID:4516
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        37⤵
        
        PID:4532
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        38⤵
        
        PID:4560
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        39⤵
        
        PID:4588
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        40⤵
        
        PID:4572
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        41⤵
        
        PID:4616
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        42⤵
        
        PID:4620
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        43⤵
        
        PID:4644
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        44⤵
        
        PID:4668
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        45⤵
        Drops file in System32 directory
        
        PID:4684
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        46⤵
        
        PID:4708
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        47⤵
        
        PID:4724
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        48⤵
        
        PID:5124
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        49⤵
        
        PID:5132
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        50⤵
        
        PID:5140
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        51⤵
        
        PID:5148
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        52⤵
        
        PID:5156
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        53⤵
        
        PID:5164
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        54⤵
        
        PID:5172
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        55⤵
        
        PID:5180
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        56⤵
        
        PID:5188
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        57⤵
        
        PID:5196
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        58⤵
        
        PID:5204
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        59⤵
        
        PID:5212
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        60⤵
        
        PID:5220
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        61⤵
        
        PID:5228
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        62⤵
        
        PID:5236
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        63⤵
        
        PID:5244
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        64⤵
        
        PID:5252
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        65⤵
        
        PID:5260
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        66⤵
        
        PID:5268

C:\Windows\SysWOW64\PurpleMood.scr
C:\Windows\system32\PurpleMood.scr
1⤵
PID:4860

C:\Windows\SysWOW64\PurpleMood.scr
C:\Windows\system32\PurpleMood.scr
1⤵
- Drops file in System32 directory
PID:5276
- C:\Windows\SysWOW64\PurpleMood.scr
  C:\Windows\system32\PurpleMood.scr
  2⤵
  PID:5284
- - C:\Windows\SysWOW64\PurpleMood.scr
    C:\Windows\system32\PurpleMood.scr
    3⤵
    PID:5292
  - - C:\Windows\SysWOW64\PurpleMood.scr
      C:\Windows\system32\PurpleMood.scr
      4⤵
      PID:5300
    - - C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        5⤵
        
        PID:5308
      - C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        6⤵
        
        PID:5324
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        7⤵
        
        PID:5336

C:\Windows\SysWOW64\PurpleMood.scr
C:\Windows\system32\PurpleMood.scr
1⤵
PID:5352
- C:\Windows\SysWOW64\PurpleMood.scr
  C:\Windows\system32\PurpleMood.scr
  2⤵
  PID:5372
- - C:\Windows\SysWOW64\PurpleMood.scr
    C:\Windows\system32\PurpleMood.scr
    3⤵
    - Drops file in System32 directory
    PID:5384
  - - C:\Windows\SysWOW64\PurpleMood.scr
      C:\Windows\system32\PurpleMood.scr
      4⤵
      PID:5400
    - - C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        5⤵
        
        PID:5416
      - C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        6⤵
        
        PID:5428
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        7⤵
        
        PID:5440
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        8⤵
        
        PID:5460
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        9⤵
        
        PID:5472
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        10⤵
        
        PID:5480
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        11⤵
        
        PID:5488
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        12⤵
        
        PID:5496
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        13⤵
        
        PID:5508
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        14⤵
        
        PID:5516
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        15⤵
        Adds Run key to start application
        
        PID:5524
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        16⤵
        
        PID:5532
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        17⤵
        
        PID:5540
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        18⤵
        Adds Run key to start application
        
        PID:5548
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        19⤵
        
        PID:5556
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        20⤵
        
        PID:5564
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        21⤵
        
        PID:5572
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        22⤵
        
        PID:5580
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        23⤵
        
        PID:5588
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        24⤵
        
        PID:5596
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        25⤵
        
        PID:5604
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        26⤵
        
        PID:5612
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        27⤵
        
        PID:5620
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        28⤵
        
        PID:5628
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        29⤵
        
        PID:5636
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        30⤵
        
        PID:5644
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        31⤵
        
        PID:5652
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        32⤵
        
        PID:5660
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        33⤵
        
        PID:5668
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        34⤵
        
        PID:5676
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        35⤵
        
        PID:5684
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        36⤵
        Drops file in System32 directory
        
        PID:5692
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        37⤵
        
        PID:5700
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        38⤵
        
        PID:5708
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        39⤵
        
        PID:5716
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        40⤵
        
        PID:5724
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        41⤵
        Adds Run key to start application
        
        PID:5732
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        42⤵
        
        PID:5740
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        43⤵
        
        PID:5748
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        44⤵
        
        PID:5756
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        45⤵
        
        PID:5764
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        46⤵
        
        PID:5772
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        47⤵
        
        PID:5780
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        48⤵
        
        PID:5788
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        49⤵
        
        PID:5796
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        50⤵
        
        PID:5804
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        51⤵
        
        PID:5812
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        52⤵
        
        PID:5820
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        53⤵
        
        PID:5828
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        54⤵
        
        PID:5836
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        55⤵
        
        PID:5844
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        56⤵
        
        PID:5852
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        57⤵
        
        PID:5860
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        58⤵
        
        PID:5868
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        59⤵
        
        PID:5876
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        60⤵
        
        PID:5884
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        61⤵
        
        PID:5892
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        62⤵
        
        PID:5900
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        63⤵
        
        PID:5908
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        64⤵
        
        PID:5916
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        65⤵
        
        PID:5924
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        66⤵
        
        PID:5932
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        67⤵
        
        PID:5940
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        68⤵
        
        PID:5948
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        69⤵
        
        PID:5956
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        70⤵
        
        PID:5964
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        71⤵
        
        PID:5972
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        72⤵
        
        PID:5980
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        73⤵
        
        PID:5988
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        74⤵
        
        PID:5996
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        75⤵
        
        PID:6004
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        76⤵
        
        PID:6012
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        77⤵
        
        PID:6020
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        78⤵
        
        PID:6028
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        79⤵
        
        PID:6036
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        80⤵
        
        PID:6048
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        81⤵
        
        PID:6056
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        82⤵
        
        PID:6064
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        83⤵
        
        PID:6072
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        84⤵
        
        PID:6080
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        85⤵
        
        PID:6088
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        86⤵
        
        PID:6096
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        87⤵
        
        PID:6104
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        88⤵
        Drops file in System32 directory
        
        PID:6112
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        89⤵
        
        PID:6120
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        90⤵
        
        PID:6128
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        91⤵
        
        PID:6136
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        92⤵
        
        PID:5316
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        93⤵
        
        PID:5332
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        94⤵
        
        PID:5348
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        95⤵
        
        PID:5364
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        96⤵
        
        PID:5380
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        97⤵
        
        PID:5396
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        98⤵
        
        PID:5408
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        99⤵
        
        PID:5436
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        100⤵
        Drops file in System32 directory
        
        PID:5452
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        101⤵
        
        PID:1484
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        102⤵
        Adds Run key to start application
        
        PID:6152
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        103⤵
        
        PID:6160
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        104⤵
        
        PID:6168
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        105⤵
        
        PID:6176
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        106⤵
        
        PID:6184
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        107⤵
        
        PID:6192
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        108⤵
        
        PID:6200
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        109⤵
        
        PID:6212
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        110⤵
        
        PID:6220
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        111⤵
        Drops file in System32 directory
        
        PID:6228
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        112⤵
        
        PID:6236
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        113⤵
        
        PID:6244
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        114⤵
        
        PID:6252
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        115⤵
        
        PID:6260
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        116⤵
        
        PID:6268
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        117⤵
        
        PID:6276
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        118⤵
        
        PID:6284
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        119⤵
        
        PID:6292
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        120⤵
        
        PID:6300
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        121⤵
        
        PID:6308
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        122⤵
        
        PID:6316
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        123⤵
        
        PID:6324
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        124⤵
        
        PID:6332
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        125⤵
        
        PID:6340
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        126⤵
        Adds Run key to start application
        
        PID:6348
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        127⤵
        
        PID:6356
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        128⤵
        
        PID:6364
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        129⤵
        
        PID:6372
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        130⤵
        
        PID:6380
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        131⤵
        
        PID:6388
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        132⤵
        
        PID:6396
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        133⤵
        
        PID:6404
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        134⤵
        
        PID:6412
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        135⤵
        
        PID:6420
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        136⤵
        
        PID:6428
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        137⤵
        
        PID:6436
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        138⤵
        
        PID:6444
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        139⤵
        
        PID:6452
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        140⤵
        
        PID:6460
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        141⤵
        
        PID:6468
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        142⤵
        
        PID:6476
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        143⤵
        
        PID:6484
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        144⤵
        
        PID:6492
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        145⤵
        Adds Run key to start application
        Drops file in System32 directory
        
        PID:6500
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        146⤵
        Drops file in System32 directory
        
        PID:6508
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        147⤵
        
        PID:6516
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        148⤵
        
        PID:6524
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        149⤵
        
        PID:6532
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        150⤵
        
        PID:6540
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        151⤵
        
        PID:6548
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        152⤵
        
        PID:6556
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        153⤵
        
        PID:6564
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        154⤵
        
        PID:6572
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        155⤵
        
        PID:6580
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        156⤵
        
        PID:6588
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        157⤵
        
        PID:6596
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        158⤵
        
        PID:6604
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        159⤵
        
        PID:6612
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        160⤵
        
        PID:6620
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        161⤵
        
        PID:6628
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        162⤵
        
        PID:6636
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        163⤵
        
        PID:6644
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        164⤵
        
        PID:6652
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        165⤵
        
        PID:6660
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        166⤵
        
        PID:6668
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        167⤵
        
        PID:6676
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        168⤵
        
        PID:6684
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        169⤵
        
        PID:6692
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        170⤵
        
        PID:6700
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        171⤵
        
        PID:6708
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        172⤵
        Drops file in System32 directory
        
        PID:6716
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        173⤵
        
        PID:6724
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        174⤵
        Drops file in System32 directory
        
        PID:6732
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        175⤵
        Adds Run key to start application
        
        PID:6740
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        176⤵
        
        PID:6748
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        177⤵
        
        PID:6756
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        178⤵
        
        PID:6764
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        179⤵
        
        PID:6772
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        180⤵
        
        PID:6780
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        181⤵
        
        PID:6788
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        182⤵
        
        PID:6796
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        183⤵
        
        PID:6804
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        184⤵
        
        PID:6812
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        185⤵
        
        PID:6820
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        186⤵
        
        PID:6828
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        187⤵
        
        PID:6836
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        188⤵
        
        PID:6844
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        189⤵
        
        PID:6852
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        190⤵
        
        PID:6860
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        191⤵
        
        PID:6868
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        192⤵
        
        PID:6876
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        193⤵
        
        PID:6884
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        194⤵
        
        PID:6892
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        195⤵
        
        PID:6900
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        196⤵
        
        PID:6908
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        197⤵
        
        PID:6916
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        198⤵
        
        PID:6924
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        199⤵
        
        PID:6932
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        200⤵
        Drops file in System32 directory
        
        PID:6940
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        201⤵
        
        PID:6948
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        202⤵
        
        PID:6956
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        203⤵
        
        PID:6964
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        204⤵
        
        PID:6972
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        205⤵
        
        PID:6980
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        206⤵
        
        PID:6988
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        207⤵
        
        PID:6996
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        208⤵
        
        PID:7004
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        209⤵
        
        PID:7012
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        210⤵
        
        PID:7020
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        211⤵
        
        PID:7028
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        212⤵
        
        PID:7036
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        213⤵
        
        PID:7044
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        214⤵
        
        PID:7052
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        215⤵
        
        PID:7060
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        216⤵
        
        PID:7068
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        217⤵
        
        PID:7076
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        218⤵
        
        PID:7084
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        219⤵
        Drops file in System32 directory
        
        PID:7092
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        220⤵
        
        PID:7100
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        221⤵
        Adds Run key to start application
        
        PID:7108
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        222⤵
        
        PID:7116
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        223⤵
        
        PID:7124
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        224⤵
        
        PID:7132
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        225⤵
        
        PID:7140
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        226⤵
        
        PID:7148
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        227⤵
        
        PID:7156
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        228⤵
        
        PID:7164
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        229⤵
        
        PID:7172
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        230⤵
        
        PID:7180
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        231⤵
        
        PID:7188
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        232⤵
        
        PID:7196
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        233⤵
        
        PID:7204
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        234⤵
        
        PID:7212
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        235⤵
        
        PID:7220
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        236⤵
        
        PID:7228
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        237⤵
        
        PID:7236
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        238⤵
        
        PID:7244
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        239⤵
        
        PID:7252
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        240⤵
        
        PID:7260
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        241⤵
        
        PID:7268
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        242⤵
        
        PID:7276
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        243⤵
        
        PID:7284
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        244⤵
        
        PID:7292
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        245⤵
        
        PID:7300
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        246⤵
        
        PID:7308
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        247⤵
        
        PID:7316
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        248⤵
        
        PID:7324
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        249⤵
        
        PID:7332
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        250⤵
        
        PID:7340
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        251⤵
        
        PID:7348
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        252⤵
        
        PID:7356
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        253⤵
        
        PID:7364
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        254⤵
        
        PID:7372
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        255⤵
        
        PID:7380
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        256⤵
        
        PID:7388
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        257⤵
        
        PID:7396
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        258⤵
        
        PID:7404
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        259⤵
        
        PID:7412
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        260⤵
        
        PID:7420
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        261⤵
        
        PID:7428
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        262⤵
        
        PID:7436
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        263⤵
        Adds Run key to start application
        
        PID:7444
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        264⤵
        
        PID:7452
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        265⤵
        Adds Run key to start application
        
        PID:7460
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        266⤵
        
        PID:7468
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        267⤵
        
        PID:7476
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        268⤵
        
        PID:7484
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        269⤵
        
        PID:7492
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        270⤵
        
        PID:7500
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        271⤵
        
        PID:7508
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        272⤵
        
        PID:7516
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        273⤵
        
        PID:7524
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        274⤵
        
        PID:7532
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        275⤵
        Adds Run key to start application
        
        PID:7540
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        276⤵
        
        PID:7548
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        277⤵
        
        PID:7556
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        278⤵
        
        PID:7564
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        279⤵
        Drops file in System32 directory
        
        PID:7572
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        280⤵
        
        PID:7580
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        281⤵
        
        PID:7588
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        282⤵
        
        PID:7596
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        283⤵
        
        PID:7604
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        284⤵
        
        PID:7612
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        285⤵
        
        PID:7620
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        286⤵
        
        PID:7628
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        287⤵
        
        PID:7636
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        288⤵
        
        PID:7644
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        289⤵
        
        PID:7652
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        290⤵
        Drops file in System32 directory
        
        PID:7660
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        291⤵
        
        PID:7668
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        292⤵
        Drops file in System32 directory
        
        PID:7676
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        293⤵
        
        PID:7684
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        294⤵
        
        PID:7692
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        295⤵
        
        PID:7700
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        296⤵
        
        PID:7708
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        297⤵
        
        PID:7716
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        298⤵
        
        PID:7724
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        299⤵
        
        PID:7732
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        300⤵
        
        PID:7740
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        301⤵
        Drops file in System32 directory
        
        PID:7748
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        302⤵
        
        PID:7756
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        303⤵
        
        PID:7764
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        304⤵
        Adds Run key to start application
        
        PID:7772
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        305⤵
        
        PID:7780
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        306⤵
        
        PID:7788
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        307⤵
        
        PID:7796
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        308⤵
        
        PID:7804
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        309⤵
        
        PID:7812
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        310⤵
        
        PID:7820
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        311⤵
        Drops file in System32 directory
        
        PID:7828
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        312⤵
        
        PID:7836
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        313⤵
        
        PID:7844
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        314⤵
        
        PID:7852
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        315⤵
        
        PID:7860
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        316⤵
        
        PID:7868
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        317⤵
        
        PID:7876
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        318⤵
        
        PID:7884
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        319⤵
        
        PID:7892
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        320⤵
        
        PID:7900
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        321⤵
        
        PID:7908
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        322⤵
        
        PID:7916
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        323⤵
        
        PID:7924
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        324⤵
        
        PID:7932
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        325⤵
        
        PID:7940
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        326⤵
        Drops file in System32 directory
        
        PID:7948
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        327⤵
        
        PID:7956
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        328⤵
        
        PID:7964
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        329⤵
        
        PID:7972
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        330⤵
        
        PID:7980
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        331⤵
        
        PID:7988
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        332⤵
        
        PID:7996
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        333⤵
        
        PID:8004
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        334⤵
        
        PID:8012
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        335⤵
        
        PID:8020
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        336⤵
        Adds Run key to start application
        
        PID:8028
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        337⤵
        
        PID:8036
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        338⤵
        
        PID:8044
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        339⤵
        
        PID:8052
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        340⤵
        
        PID:8060
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        341⤵
        Drops file in System32 directory
        
        PID:8068
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        342⤵
        
        PID:8076
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        343⤵
        
        PID:8084
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        344⤵
        
        PID:8092
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        345⤵
        
        PID:8100
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        346⤵
        
        PID:8108
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        347⤵
        
        PID:8116
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        348⤵
        
        PID:8124
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        349⤵
        
        PID:8132
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        350⤵
        
        PID:8140
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        351⤵
        
        PID:8148
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        352⤵
        
        PID:8156
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        353⤵
        
        PID:8164
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        354⤵
        
        PID:8172
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        355⤵
        
        PID:8180
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        356⤵
        
        PID:8188
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        357⤵
        
        PID:8200
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        358⤵
        
        PID:8208
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        359⤵
        
        PID:8216
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        360⤵
        
        PID:8224
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        361⤵
        
        PID:8232
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        362⤵
        
        PID:8240
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        363⤵
        
        PID:8248
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        364⤵
        Adds Run key to start application
        
        PID:8256
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        365⤵
        
        PID:8264
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        366⤵
        
        PID:8272
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        367⤵
        
        PID:8280
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        368⤵
        
        PID:8288
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        369⤵
        
        PID:8296
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        370⤵
        
        PID:8304
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        371⤵
        
        PID:8312
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        372⤵
        
        PID:8320
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        373⤵
        
        PID:8328
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        374⤵
        
        PID:8336
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        375⤵
        
        PID:8344
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        376⤵
        
        PID:8352
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        377⤵
        
        PID:8360
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        378⤵
        
        PID:8368
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        379⤵
        
        PID:8376
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        380⤵
        
        PID:8384
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        381⤵
        
        PID:8392
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        382⤵
        
        PID:8400
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        383⤵
        
        PID:8408
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        384⤵
        
        PID:8416
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        385⤵
        
        PID:8424
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        386⤵
        
        PID:8432
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        387⤵
        
        PID:8440
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        388⤵
        
        PID:8448
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        389⤵
        
        PID:8456
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        390⤵
        
        PID:8464
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        391⤵
        Adds Run key to start application
        
        PID:8472
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        392⤵
        
        PID:8480
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        393⤵
        
        PID:8488
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        394⤵
        
        PID:8496
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        395⤵
        
        PID:8504
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        396⤵
        Drops file in System32 directory
        
        PID:8512
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        397⤵
        
        PID:8520
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        398⤵
        
        PID:8528
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        399⤵
        
        PID:8536
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        400⤵
        
        PID:8544
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        401⤵
        
        PID:8552
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        402⤵
        
        PID:8560
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        403⤵
        
        PID:8568
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        404⤵
        
        PID:8576
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        405⤵
        Adds Run key to start application
        
        PID:8584
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        406⤵
        
        PID:8592
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        407⤵
        
        PID:8600
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        408⤵
        
        PID:8608
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        409⤵
        
        PID:8616
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        410⤵
        
        PID:8624
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        411⤵
        
        PID:8632
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        412⤵
        
        PID:8640
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        413⤵
        
        PID:8648
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        414⤵
        
        PID:8656
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        415⤵
        
        PID:8664
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        416⤵
        Adds Run key to start application
        
        PID:8672
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        417⤵
        
        PID:8680
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        418⤵
        
        PID:8688
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        419⤵
        
        PID:8696
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        420⤵
        
        PID:8704
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        421⤵
        
        PID:8712
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        422⤵
        
        PID:8720
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        423⤵
        
        PID:8728
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        424⤵
        
        PID:8736
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        425⤵
        
        PID:8744
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        426⤵
        
        PID:8752
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        427⤵
        
        PID:8760
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        428⤵
        
        PID:8768
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        429⤵
        
        PID:8776
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        430⤵
        Adds Run key to start application
        
        PID:8784
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        431⤵
        
        PID:8792
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        432⤵
        
        PID:8800
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        433⤵
        
        PID:8808
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        434⤵
        
        PID:8816
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        435⤵
        
        PID:8824
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        436⤵
        
        PID:8832
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        437⤵
        Drops file in System32 directory
        
        PID:8840
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        438⤵
        
        PID:8848
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        439⤵
        Drops file in System32 directory
        
        PID:8856
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        440⤵
        
        PID:8864
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        441⤵
        
        PID:8872
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        442⤵
        
        PID:8880
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        443⤵
        Adds Run key to start application
        
        PID:8888
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        444⤵
        
        PID:8896
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        445⤵
        
        PID:8904
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        446⤵
        
        PID:8912
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        447⤵
        
        PID:8920
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        448⤵
        
        PID:8928
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        449⤵
        
        PID:8936
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        450⤵
        
        PID:8944
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        451⤵
        
        PID:8952
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        452⤵
        
        PID:8960
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        453⤵
        
        PID:8968
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        454⤵
        
        PID:8976
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        455⤵
        
        PID:8984
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        456⤵
        
        PID:8992
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        457⤵
        
        PID:9000
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        458⤵
        
        PID:9008
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        459⤵
        
        PID:9016
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        460⤵
        
        PID:9024
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        461⤵
        
        PID:9032
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        462⤵
        Drops file in System32 directory
        
        PID:9040
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        463⤵
        
        PID:9048
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        464⤵
        
        PID:9056
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        465⤵
        
        PID:9064
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        466⤵
        
        PID:9072
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        467⤵
        
        PID:9080
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        468⤵
        
        PID:9088
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        469⤵
        
        PID:9096
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        470⤵
        
        PID:9104
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        471⤵
        Adds Run key to start application
        
        PID:9112
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        472⤵
        
        PID:9120
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        473⤵
        
        PID:9128
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        474⤵
        Adds Run key to start application
        
        PID:9136
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        475⤵
        
        PID:9144
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        476⤵
        
        PID:9152
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        477⤵
        
        PID:9160
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        478⤵
        
        PID:9168
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        479⤵
        
        PID:9176
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        480⤵
        
        PID:9184
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        481⤵
        
        PID:9192
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        482⤵
        
        PID:9200
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        483⤵
        
        PID:9208
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        484⤵
        
        PID:1816
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        485⤵
        
        PID:9220
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        486⤵
        
        PID:9228

C:\Windows\SysWOW64\PurpleMood.scr
C:\Windows\system32\PurpleMood.scr
1⤵
- Drops file in System32 directory
PID:9236
- C:\Windows\SysWOW64\PurpleMood.scr
  C:\Windows\system32\PurpleMood.scr
  2⤵
  PID:9244
- - C:\Windows\SysWOW64\PurpleMood.scr
    C:\Windows\system32\PurpleMood.scr
    3⤵
    PID:9252
  - - C:\Windows\SysWOW64\PurpleMood.scr
      C:\Windows\system32\PurpleMood.scr
      4⤵
      PID:9260
    - - C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        5⤵
        
        PID:9268
      - C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        6⤵
        
        PID:9276
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        7⤵
        
        PID:9284
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        8⤵
        
        PID:9292
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        9⤵
        
        PID:9300
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        10⤵
        
        PID:9308
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        11⤵
        
        PID:9316
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        12⤵
        
        PID:9324
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        13⤵
        
        PID:9332
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        14⤵
        Adds Run key to start application
        
        PID:9340
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        15⤵
        Drops file in System32 directory
        
        PID:9348
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        16⤵
        
        PID:9356
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        17⤵
        
        PID:9364
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        18⤵
        
        PID:9372
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        19⤵
        
        PID:9380
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        20⤵
        
        PID:9388
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        21⤵
        
        PID:9396
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        22⤵
        
        PID:9404
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        23⤵
        
        PID:9412
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        24⤵
        
        PID:9420
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        25⤵
        
        PID:9428
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        26⤵
        Drops file in System32 directory
        
        PID:9436
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        27⤵
        
        PID:9444
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        28⤵
        
        PID:9452
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        29⤵
        
        PID:9460
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        30⤵
        
        PID:9468
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        31⤵
        
        PID:9476
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        32⤵
        
        PID:9484
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        33⤵
        
        PID:9492
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        34⤵
        
        PID:9500
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        35⤵
        
        PID:9508
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        36⤵
        
        PID:9516
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        37⤵
        
        PID:9524
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        38⤵
        
        PID:9532
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        39⤵
        
        PID:9540
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        40⤵
        
        PID:9548
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        41⤵
        
        PID:9556
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        42⤵
        
        PID:9564
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        43⤵
        
        PID:9572
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        44⤵
        
        PID:9580
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        45⤵
        Drops file in System32 directory
        
        PID:9588
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        46⤵
        
        PID:9596
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        47⤵
        
        PID:9604
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        48⤵
        
        PID:9612
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        49⤵
        Adds Run key to start application
        
        PID:9620
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        50⤵
        
        PID:9628
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        51⤵
        
        PID:9636
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        52⤵
        
        PID:9644

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\PurpleMood.scr

Filesize
7KB

MD5
e6f96131c2febd74e049d41b70a4a4ed

SHA1
c37d29ab2f0ff5c251a60efde85618ed2d6c58ff

SHA256
b1ffdbdfb98db7a0ddd75fd5701c9bf925add00cc9061c9917abf0197001442c

SHA512
8e64a71f4178056330dc1d43f535db64d93c2d783a66d9c3b84e223ab281047c411def080344af8f6e966b8080ec71dce1a3fa76c24e58141d41a441163ce84c

Download Submit
C:\Windows\SysWOW64\PurpleMood.scr

Filesize
7KB

MD5
e6f96131c2febd74e049d41b70a4a4ed

SHA1
c37d29ab2f0ff5c251a60efde85618ed2d6c58ff

SHA256
b1ffdbdfb98db7a0ddd75fd5701c9bf925add00cc9061c9917abf0197001442c

SHA512
8e64a71f4178056330dc1d43f535db64d93c2d783a66d9c3b84e223ab281047c411def080344af8f6e966b8080ec71dce1a3fa76c24e58141d41a441163ce84c

Download Submit
C:\Windows\SysWOW64\PurpleMood.scr

Filesize
7KB

MD5
e6f96131c2febd74e049d41b70a4a4ed

SHA1
c37d29ab2f0ff5c251a60efde85618ed2d6c58ff

SHA256
b1ffdbdfb98db7a0ddd75fd5701c9bf925add00cc9061c9917abf0197001442c

SHA512
8e64a71f4178056330dc1d43f535db64d93c2d783a66d9c3b84e223ab281047c411def080344af8f6e966b8080ec71dce1a3fa76c24e58141d41a441163ce84c

Download Submit
C:\Windows\SysWOW64\PurpleMood.scr

Filesize
7KB

MD5
e6f96131c2febd74e049d41b70a4a4ed

SHA1
c37d29ab2f0ff5c251a60efde85618ed2d6c58ff

SHA256
b1ffdbdfb98db7a0ddd75fd5701c9bf925add00cc9061c9917abf0197001442c

SHA512
8e64a71f4178056330dc1d43f535db64d93c2d783a66d9c3b84e223ab281047c411def080344af8f6e966b8080ec71dce1a3fa76c24e58141d41a441163ce84c

Download Submit
C:\Windows\SysWOW64\PurpleMood.scr

Filesize
7KB

MD5
e6f96131c2febd74e049d41b70a4a4ed

SHA1
c37d29ab2f0ff5c251a60efde85618ed2d6c58ff

SHA256
b1ffdbdfb98db7a0ddd75fd5701c9bf925add00cc9061c9917abf0197001442c

SHA512
8e64a71f4178056330dc1d43f535db64d93c2d783a66d9c3b84e223ab281047c411def080344af8f6e966b8080ec71dce1a3fa76c24e58141d41a441163ce84c

Download Submit
C:\Windows\SysWOW64\PurpleMood.scr

Filesize
7KB

MD5
e6f96131c2febd74e049d41b70a4a4ed

SHA1
c37d29ab2f0ff5c251a60efde85618ed2d6c58ff

SHA256
b1ffdbdfb98db7a0ddd75fd5701c9bf925add00cc9061c9917abf0197001442c

SHA512
8e64a71f4178056330dc1d43f535db64d93c2d783a66d9c3b84e223ab281047c411def080344af8f6e966b8080ec71dce1a3fa76c24e58141d41a441163ce84c

Download Submit
C:\Windows\SysWOW64\PurpleMood.scr

Filesize
7KB

MD5
e6f96131c2febd74e049d41b70a4a4ed

SHA1
c37d29ab2f0ff5c251a60efde85618ed2d6c58ff

SHA256
b1ffdbdfb98db7a0ddd75fd5701c9bf925add00cc9061c9917abf0197001442c

SHA512
8e64a71f4178056330dc1d43f535db64d93c2d783a66d9c3b84e223ab281047c411def080344af8f6e966b8080ec71dce1a3fa76c24e58141d41a441163ce84c

Download Submit
C:\Windows\SysWOW64\PurpleMood.scr

Filesize
7KB

MD5
e6f96131c2febd74e049d41b70a4a4ed

SHA1
c37d29ab2f0ff5c251a60efde85618ed2d6c58ff

SHA256
b1ffdbdfb98db7a0ddd75fd5701c9bf925add00cc9061c9917abf0197001442c

SHA512
8e64a71f4178056330dc1d43f535db64d93c2d783a66d9c3b84e223ab281047c411def080344af8f6e966b8080ec71dce1a3fa76c24e58141d41a441163ce84c

Download Submit
C:\Windows\SysWOW64\PurpleMood.scr

Filesize
7KB

MD5
e6f96131c2febd74e049d41b70a4a4ed

SHA1
c37d29ab2f0ff5c251a60efde85618ed2d6c58ff

SHA256
b1ffdbdfb98db7a0ddd75fd5701c9bf925add00cc9061c9917abf0197001442c

SHA512
8e64a71f4178056330dc1d43f535db64d93c2d783a66d9c3b84e223ab281047c411def080344af8f6e966b8080ec71dce1a3fa76c24e58141d41a441163ce84c

Download Submit
C:\Windows\SysWOW64\PurpleMood.scr

Filesize
7KB

MD5
e6f96131c2febd74e049d41b70a4a4ed

SHA1
c37d29ab2f0ff5c251a60efde85618ed2d6c58ff

SHA256
b1ffdbdfb98db7a0ddd75fd5701c9bf925add00cc9061c9917abf0197001442c

SHA512
8e64a71f4178056330dc1d43f535db64d93c2d783a66d9c3b84e223ab281047c411def080344af8f6e966b8080ec71dce1a3fa76c24e58141d41a441163ce84c

Download Submit
C:\Windows\SysWOW64\PurpleMood.scr

Filesize
7KB

MD5
e6f96131c2febd74e049d41b70a4a4ed

SHA1
c37d29ab2f0ff5c251a60efde85618ed2d6c58ff

SHA256
b1ffdbdfb98db7a0ddd75fd5701c9bf925add00cc9061c9917abf0197001442c

SHA512
8e64a71f4178056330dc1d43f535db64d93c2d783a66d9c3b84e223ab281047c411def080344af8f6e966b8080ec71dce1a3fa76c24e58141d41a441163ce84c

Download Submit
C:\Windows\SysWOW64\PurpleMood.scr

Filesize
7KB

MD5
e6f96131c2febd74e049d41b70a4a4ed

SHA1
c37d29ab2f0ff5c251a60efde85618ed2d6c58ff

SHA256
b1ffdbdfb98db7a0ddd75fd5701c9bf925add00cc9061c9917abf0197001442c

SHA512
8e64a71f4178056330dc1d43f535db64d93c2d783a66d9c3b84e223ab281047c411def080344af8f6e966b8080ec71dce1a3fa76c24e58141d41a441163ce84c

Download Submit
C:\Windows\SysWOW64\PurpleMood.scr

Filesize
7KB

MD5
e6f96131c2febd74e049d41b70a4a4ed

SHA1
c37d29ab2f0ff5c251a60efde85618ed2d6c58ff

SHA256
b1ffdbdfb98db7a0ddd75fd5701c9bf925add00cc9061c9917abf0197001442c

SHA512
8e64a71f4178056330dc1d43f535db64d93c2d783a66d9c3b84e223ab281047c411def080344af8f6e966b8080ec71dce1a3fa76c24e58141d41a441163ce84c

Download Submit
C:\Windows\SysWOW64\PurpleMood.scr

Filesize
7KB

MD5
e6f96131c2febd74e049d41b70a4a4ed

SHA1
c37d29ab2f0ff5c251a60efde85618ed2d6c58ff

SHA256
b1ffdbdfb98db7a0ddd75fd5701c9bf925add00cc9061c9917abf0197001442c

SHA512
8e64a71f4178056330dc1d43f535db64d93c2d783a66d9c3b84e223ab281047c411def080344af8f6e966b8080ec71dce1a3fa76c24e58141d41a441163ce84c

Download Submit
C:\Windows\SysWOW64\PurpleMood.scr

Filesize
7KB

MD5
e6f96131c2febd74e049d41b70a4a4ed

SHA1
c37d29ab2f0ff5c251a60efde85618ed2d6c58ff

SHA256
b1ffdbdfb98db7a0ddd75fd5701c9bf925add00cc9061c9917abf0197001442c

SHA512
8e64a71f4178056330dc1d43f535db64d93c2d783a66d9c3b84e223ab281047c411def080344af8f6e966b8080ec71dce1a3fa76c24e58141d41a441163ce84c

Download Submit
C:\Windows\SysWOW64\PurpleMood.scr

Filesize
7KB

MD5
e6f96131c2febd74e049d41b70a4a4ed

SHA1
c37d29ab2f0ff5c251a60efde85618ed2d6c58ff

SHA256
b1ffdbdfb98db7a0ddd75fd5701c9bf925add00cc9061c9917abf0197001442c

SHA512
8e64a71f4178056330dc1d43f535db64d93c2d783a66d9c3b84e223ab281047c411def080344af8f6e966b8080ec71dce1a3fa76c24e58141d41a441163ce84c

Download Submit
C:\Windows\SysWOW64\PurpleMood.scr

Filesize
7KB

MD5
e6f96131c2febd74e049d41b70a4a4ed

SHA1
c37d29ab2f0ff5c251a60efde85618ed2d6c58ff

SHA256
b1ffdbdfb98db7a0ddd75fd5701c9bf925add00cc9061c9917abf0197001442c

SHA512
8e64a71f4178056330dc1d43f535db64d93c2d783a66d9c3b84e223ab281047c411def080344af8f6e966b8080ec71dce1a3fa76c24e58141d41a441163ce84c

Download Submit
C:\Windows\SysWOW64\PurpleMood.scr

Filesize
7KB

MD5
e6f96131c2febd74e049d41b70a4a4ed

SHA1
c37d29ab2f0ff5c251a60efde85618ed2d6c58ff

SHA256
b1ffdbdfb98db7a0ddd75fd5701c9bf925add00cc9061c9917abf0197001442c

SHA512
8e64a71f4178056330dc1d43f535db64d93c2d783a66d9c3b84e223ab281047c411def080344af8f6e966b8080ec71dce1a3fa76c24e58141d41a441163ce84c

Download Submit
C:\Windows\SysWOW64\PurpleMood.scr

Filesize
7KB

MD5
e6f96131c2febd74e049d41b70a4a4ed

SHA1
c37d29ab2f0ff5c251a60efde85618ed2d6c58ff

SHA256
b1ffdbdfb98db7a0ddd75fd5701c9bf925add00cc9061c9917abf0197001442c

SHA512
8e64a71f4178056330dc1d43f535db64d93c2d783a66d9c3b84e223ab281047c411def080344af8f6e966b8080ec71dce1a3fa76c24e58141d41a441163ce84c

Download Submit
C:\Windows\SysWOW64\PurpleMood.scr

Filesize
7KB

MD5
e6f96131c2febd74e049d41b70a4a4ed

SHA1
c37d29ab2f0ff5c251a60efde85618ed2d6c58ff

SHA256
b1ffdbdfb98db7a0ddd75fd5701c9bf925add00cc9061c9917abf0197001442c

SHA512
8e64a71f4178056330dc1d43f535db64d93c2d783a66d9c3b84e223ab281047c411def080344af8f6e966b8080ec71dce1a3fa76c24e58141d41a441163ce84c

Download Submit
C:\Windows\SysWOW64\PurpleMood.scr

Filesize
7KB

MD5
e6f96131c2febd74e049d41b70a4a4ed

SHA1
c37d29ab2f0ff5c251a60efde85618ed2d6c58ff

SHA256
b1ffdbdfb98db7a0ddd75fd5701c9bf925add00cc9061c9917abf0197001442c

SHA512
8e64a71f4178056330dc1d43f535db64d93c2d783a66d9c3b84e223ab281047c411def080344af8f6e966b8080ec71dce1a3fa76c24e58141d41a441163ce84c

Download Submit
C:\Windows\SysWOW64\PurpleMood.scr

Filesize
7KB

MD5
e6f96131c2febd74e049d41b70a4a4ed

SHA1
c37d29ab2f0ff5c251a60efde85618ed2d6c58ff

SHA256
b1ffdbdfb98db7a0ddd75fd5701c9bf925add00cc9061c9917abf0197001442c

SHA512
8e64a71f4178056330dc1d43f535db64d93c2d783a66d9c3b84e223ab281047c411def080344af8f6e966b8080ec71dce1a3fa76c24e58141d41a441163ce84c

Download Submit
\Windows\SysWOW64\PurpleMood.scr

Filesize
7KB

MD5
e6f96131c2febd74e049d41b70a4a4ed

SHA1
c37d29ab2f0ff5c251a60efde85618ed2d6c58ff

SHA256
b1ffdbdfb98db7a0ddd75fd5701c9bf925add00cc9061c9917abf0197001442c

SHA512
8e64a71f4178056330dc1d43f535db64d93c2d783a66d9c3b84e223ab281047c411def080344af8f6e966b8080ec71dce1a3fa76c24e58141d41a441163ce84c

Download Submit
\Windows\SysWOW64\PurpleMood.scr

Filesize
7KB

MD5
e6f96131c2febd74e049d41b70a4a4ed

SHA1
c37d29ab2f0ff5c251a60efde85618ed2d6c58ff

SHA256
b1ffdbdfb98db7a0ddd75fd5701c9bf925add00cc9061c9917abf0197001442c

SHA512
8e64a71f4178056330dc1d43f535db64d93c2d783a66d9c3b84e223ab281047c411def080344af8f6e966b8080ec71dce1a3fa76c24e58141d41a441163ce84c

Download Submit
\Windows\SysWOW64\PurpleMood.scr

Filesize
7KB

MD5
e6f96131c2febd74e049d41b70a4a4ed

SHA1
c37d29ab2f0ff5c251a60efde85618ed2d6c58ff

SHA256
b1ffdbdfb98db7a0ddd75fd5701c9bf925add00cc9061c9917abf0197001442c

SHA512
8e64a71f4178056330dc1d43f535db64d93c2d783a66d9c3b84e223ab281047c411def080344af8f6e966b8080ec71dce1a3fa76c24e58141d41a441163ce84c

Download Submit
\Windows\SysWOW64\PurpleMood.scr

Filesize
7KB

MD5
e6f96131c2febd74e049d41b70a4a4ed

SHA1
c37d29ab2f0ff5c251a60efde85618ed2d6c58ff

SHA256
b1ffdbdfb98db7a0ddd75fd5701c9bf925add00cc9061c9917abf0197001442c

SHA512
8e64a71f4178056330dc1d43f535db64d93c2d783a66d9c3b84e223ab281047c411def080344af8f6e966b8080ec71dce1a3fa76c24e58141d41a441163ce84c

Download Submit
\Windows\SysWOW64\PurpleMood.scr

Filesize
7KB

MD5
e6f96131c2febd74e049d41b70a4a4ed

SHA1
c37d29ab2f0ff5c251a60efde85618ed2d6c58ff

SHA256
b1ffdbdfb98db7a0ddd75fd5701c9bf925add00cc9061c9917abf0197001442c

SHA512
8e64a71f4178056330dc1d43f535db64d93c2d783a66d9c3b84e223ab281047c411def080344af8f6e966b8080ec71dce1a3fa76c24e58141d41a441163ce84c

Download Submit
\Windows\SysWOW64\PurpleMood.scr

Filesize
7KB

MD5
e6f96131c2febd74e049d41b70a4a4ed

SHA1
c37d29ab2f0ff5c251a60efde85618ed2d6c58ff

SHA256
b1ffdbdfb98db7a0ddd75fd5701c9bf925add00cc9061c9917abf0197001442c

SHA512
8e64a71f4178056330dc1d43f535db64d93c2d783a66d9c3b84e223ab281047c411def080344af8f6e966b8080ec71dce1a3fa76c24e58141d41a441163ce84c

Download Submit
\Windows\SysWOW64\PurpleMood.scr

Filesize
7KB

MD5
e6f96131c2febd74e049d41b70a4a4ed

SHA1
c37d29ab2f0ff5c251a60efde85618ed2d6c58ff

SHA256
b1ffdbdfb98db7a0ddd75fd5701c9bf925add00cc9061c9917abf0197001442c

SHA512
8e64a71f4178056330dc1d43f535db64d93c2d783a66d9c3b84e223ab281047c411def080344af8f6e966b8080ec71dce1a3fa76c24e58141d41a441163ce84c

Download Submit
\Windows\SysWOW64\PurpleMood.scr

Filesize
7KB

MD5
e6f96131c2febd74e049d41b70a4a4ed

SHA1
c37d29ab2f0ff5c251a60efde85618ed2d6c58ff

SHA256
b1ffdbdfb98db7a0ddd75fd5701c9bf925add00cc9061c9917abf0197001442c

SHA512
8e64a71f4178056330dc1d43f535db64d93c2d783a66d9c3b84e223ab281047c411def080344af8f6e966b8080ec71dce1a3fa76c24e58141d41a441163ce84c

Download Submit
\Windows\SysWOW64\PurpleMood.scr

Filesize
7KB

MD5
e6f96131c2febd74e049d41b70a4a4ed

SHA1
c37d29ab2f0ff5c251a60efde85618ed2d6c58ff

SHA256
b1ffdbdfb98db7a0ddd75fd5701c9bf925add00cc9061c9917abf0197001442c

SHA512
8e64a71f4178056330dc1d43f535db64d93c2d783a66d9c3b84e223ab281047c411def080344af8f6e966b8080ec71dce1a3fa76c24e58141d41a441163ce84c

Download Submit
\Windows\SysWOW64\PurpleMood.scr

Filesize
7KB

MD5
e6f96131c2febd74e049d41b70a4a4ed

SHA1
c37d29ab2f0ff5c251a60efde85618ed2d6c58ff

SHA256
b1ffdbdfb98db7a0ddd75fd5701c9bf925add00cc9061c9917abf0197001442c

SHA512
8e64a71f4178056330dc1d43f535db64d93c2d783a66d9c3b84e223ab281047c411def080344af8f6e966b8080ec71dce1a3fa76c24e58141d41a441163ce84c

Download Submit
\Windows\SysWOW64\PurpleMood.scr

Filesize
7KB

MD5
e6f96131c2febd74e049d41b70a4a4ed

SHA1
c37d29ab2f0ff5c251a60efde85618ed2d6c58ff

SHA256
b1ffdbdfb98db7a0ddd75fd5701c9bf925add00cc9061c9917abf0197001442c

SHA512
8e64a71f4178056330dc1d43f535db64d93c2d783a66d9c3b84e223ab281047c411def080344af8f6e966b8080ec71dce1a3fa76c24e58141d41a441163ce84c

Download Submit
\Windows\SysWOW64\PurpleMood.scr

Filesize
7KB

MD5
e6f96131c2febd74e049d41b70a4a4ed

SHA1
c37d29ab2f0ff5c251a60efde85618ed2d6c58ff

SHA256
b1ffdbdfb98db7a0ddd75fd5701c9bf925add00cc9061c9917abf0197001442c

SHA512
8e64a71f4178056330dc1d43f535db64d93c2d783a66d9c3b84e223ab281047c411def080344af8f6e966b8080ec71dce1a3fa76c24e58141d41a441163ce84c

Download Submit
\Windows\SysWOW64\PurpleMood.scr

Filesize
7KB

MD5
e6f96131c2febd74e049d41b70a4a4ed

SHA1
c37d29ab2f0ff5c251a60efde85618ed2d6c58ff

SHA256
b1ffdbdfb98db7a0ddd75fd5701c9bf925add00cc9061c9917abf0197001442c

SHA512
8e64a71f4178056330dc1d43f535db64d93c2d783a66d9c3b84e223ab281047c411def080344af8f6e966b8080ec71dce1a3fa76c24e58141d41a441163ce84c

Download Submit
\Windows\SysWOW64\PurpleMood.scr

Filesize
7KB

MD5
e6f96131c2febd74e049d41b70a4a4ed

SHA1
c37d29ab2f0ff5c251a60efde85618ed2d6c58ff

SHA256
b1ffdbdfb98db7a0ddd75fd5701c9bf925add00cc9061c9917abf0197001442c

SHA512
8e64a71f4178056330dc1d43f535db64d93c2d783a66d9c3b84e223ab281047c411def080344af8f6e966b8080ec71dce1a3fa76c24e58141d41a441163ce84c

Download Submit
\Windows\SysWOW64\PurpleMood.scr

Filesize
7KB

MD5
e6f96131c2febd74e049d41b70a4a4ed

SHA1
c37d29ab2f0ff5c251a60efde85618ed2d6c58ff

SHA256
b1ffdbdfb98db7a0ddd75fd5701c9bf925add00cc9061c9917abf0197001442c

SHA512
8e64a71f4178056330dc1d43f535db64d93c2d783a66d9c3b84e223ab281047c411def080344af8f6e966b8080ec71dce1a3fa76c24e58141d41a441163ce84c

Download Submit
\Windows\SysWOW64\PurpleMood.scr

Filesize
7KB

MD5
e6f96131c2febd74e049d41b70a4a4ed

SHA1
c37d29ab2f0ff5c251a60efde85618ed2d6c58ff

SHA256
b1ffdbdfb98db7a0ddd75fd5701c9bf925add00cc9061c9917abf0197001442c

SHA512
8e64a71f4178056330dc1d43f535db64d93c2d783a66d9c3b84e223ab281047c411def080344af8f6e966b8080ec71dce1a3fa76c24e58141d41a441163ce84c

Download Submit
\Windows\SysWOW64\PurpleMood.scr

Filesize
7KB

MD5
e6f96131c2febd74e049d41b70a4a4ed

SHA1
c37d29ab2f0ff5c251a60efde85618ed2d6c58ff

SHA256
b1ffdbdfb98db7a0ddd75fd5701c9bf925add00cc9061c9917abf0197001442c

SHA512
8e64a71f4178056330dc1d43f535db64d93c2d783a66d9c3b84e223ab281047c411def080344af8f6e966b8080ec71dce1a3fa76c24e58141d41a441163ce84c

Download Submit
\Windows\SysWOW64\PurpleMood.scr

Filesize
7KB

MD5
e6f96131c2febd74e049d41b70a4a4ed

SHA1
c37d29ab2f0ff5c251a60efde85618ed2d6c58ff

SHA256
b1ffdbdfb98db7a0ddd75fd5701c9bf925add00cc9061c9917abf0197001442c

SHA512
8e64a71f4178056330dc1d43f535db64d93c2d783a66d9c3b84e223ab281047c411def080344af8f6e966b8080ec71dce1a3fa76c24e58141d41a441163ce84c

Download Submit
\Windows\SysWOW64\PurpleMood.scr

Filesize
7KB

MD5
e6f96131c2febd74e049d41b70a4a4ed

SHA1
c37d29ab2f0ff5c251a60efde85618ed2d6c58ff

SHA256
b1ffdbdfb98db7a0ddd75fd5701c9bf925add00cc9061c9917abf0197001442c

SHA512
8e64a71f4178056330dc1d43f535db64d93c2d783a66d9c3b84e223ab281047c411def080344af8f6e966b8080ec71dce1a3fa76c24e58141d41a441163ce84c

Download Submit
\Windows\SysWOW64\PurpleMood.scr

Filesize
7KB

MD5
e6f96131c2febd74e049d41b70a4a4ed

SHA1
c37d29ab2f0ff5c251a60efde85618ed2d6c58ff

SHA256
b1ffdbdfb98db7a0ddd75fd5701c9bf925add00cc9061c9917abf0197001442c

SHA512
8e64a71f4178056330dc1d43f535db64d93c2d783a66d9c3b84e223ab281047c411def080344af8f6e966b8080ec71dce1a3fa76c24e58141d41a441163ce84c

Download Submit
\Windows\SysWOW64\PurpleMood.scr

Filesize
7KB

MD5
e6f96131c2febd74e049d41b70a4a4ed

SHA1
c37d29ab2f0ff5c251a60efde85618ed2d6c58ff

SHA256
b1ffdbdfb98db7a0ddd75fd5701c9bf925add00cc9061c9917abf0197001442c

SHA512
8e64a71f4178056330dc1d43f535db64d93c2d783a66d9c3b84e223ab281047c411def080344af8f6e966b8080ec71dce1a3fa76c24e58141d41a441163ce84c

Download Submit
\Windows\SysWOW64\PurpleMood.scr

Filesize
7KB

MD5
e6f96131c2febd74e049d41b70a4a4ed

SHA1
c37d29ab2f0ff5c251a60efde85618ed2d6c58ff

SHA256
b1ffdbdfb98db7a0ddd75fd5701c9bf925add00cc9061c9917abf0197001442c

SHA512
8e64a71f4178056330dc1d43f535db64d93c2d783a66d9c3b84e223ab281047c411def080344af8f6e966b8080ec71dce1a3fa76c24e58141d41a441163ce84c

Download Submit
\Windows\SysWOW64\PurpleMood.scr

Filesize
7KB

MD5
e6f96131c2febd74e049d41b70a4a4ed

SHA1
c37d29ab2f0ff5c251a60efde85618ed2d6c58ff

SHA256
b1ffdbdfb98db7a0ddd75fd5701c9bf925add00cc9061c9917abf0197001442c

SHA512
8e64a71f4178056330dc1d43f535db64d93c2d783a66d9c3b84e223ab281047c411def080344af8f6e966b8080ec71dce1a3fa76c24e58141d41a441163ce84c

Download Submit
\Windows\SysWOW64\PurpleMood.scr

Filesize
7KB

MD5
e6f96131c2febd74e049d41b70a4a4ed

SHA1
c37d29ab2f0ff5c251a60efde85618ed2d6c58ff

SHA256
b1ffdbdfb98db7a0ddd75fd5701c9bf925add00cc9061c9917abf0197001442c

SHA512
8e64a71f4178056330dc1d43f535db64d93c2d783a66d9c3b84e223ab281047c411def080344af8f6e966b8080ec71dce1a3fa76c24e58141d41a441163ce84c

Download Submit
\Windows\SysWOW64\PurpleMood.scr

Filesize
7KB

MD5
e6f96131c2febd74e049d41b70a4a4ed

SHA1
c37d29ab2f0ff5c251a60efde85618ed2d6c58ff

SHA256
b1ffdbdfb98db7a0ddd75fd5701c9bf925add00cc9061c9917abf0197001442c

SHA512
8e64a71f4178056330dc1d43f535db64d93c2d783a66d9c3b84e223ab281047c411def080344af8f6e966b8080ec71dce1a3fa76c24e58141d41a441163ce84c

Download Submit
\Windows\SysWOW64\PurpleMood.scr

Filesize
7KB

MD5
e6f96131c2febd74e049d41b70a4a4ed

SHA1
c37d29ab2f0ff5c251a60efde85618ed2d6c58ff

SHA256
b1ffdbdfb98db7a0ddd75fd5701c9bf925add00cc9061c9917abf0197001442c

SHA512
8e64a71f4178056330dc1d43f535db64d93c2d783a66d9c3b84e223ab281047c411def080344af8f6e966b8080ec71dce1a3fa76c24e58141d41a441163ce84c

Download Submit
\Windows\SysWOW64\PurpleMood.scr

Filesize
7KB

MD5
e6f96131c2febd74e049d41b70a4a4ed

SHA1
c37d29ab2f0ff5c251a60efde85618ed2d6c58ff

SHA256
b1ffdbdfb98db7a0ddd75fd5701c9bf925add00cc9061c9917abf0197001442c

SHA512
8e64a71f4178056330dc1d43f535db64d93c2d783a66d9c3b84e223ab281047c411def080344af8f6e966b8080ec71dce1a3fa76c24e58141d41a441163ce84c

Download Submit
\Windows\SysWOW64\PurpleMood.scr

Filesize
7KB

MD5
e6f96131c2febd74e049d41b70a4a4ed

SHA1
c37d29ab2f0ff5c251a60efde85618ed2d6c58ff

SHA256
b1ffdbdfb98db7a0ddd75fd5701c9bf925add00cc9061c9917abf0197001442c

SHA512
8e64a71f4178056330dc1d43f535db64d93c2d783a66d9c3b84e223ab281047c411def080344af8f6e966b8080ec71dce1a3fa76c24e58141d41a441163ce84c

Download Submit
\Windows\SysWOW64\PurpleMood.scr

Filesize
7KB

MD5
e6f96131c2febd74e049d41b70a4a4ed

SHA1
c37d29ab2f0ff5c251a60efde85618ed2d6c58ff

SHA256
b1ffdbdfb98db7a0ddd75fd5701c9bf925add00cc9061c9917abf0197001442c

SHA512
8e64a71f4178056330dc1d43f535db64d93c2d783a66d9c3b84e223ab281047c411def080344af8f6e966b8080ec71dce1a3fa76c24e58141d41a441163ce84c

Download Submit
\Windows\SysWOW64\PurpleMood.scr

Filesize
7KB

MD5
e6f96131c2febd74e049d41b70a4a4ed

SHA1
c37d29ab2f0ff5c251a60efde85618ed2d6c58ff

SHA256
b1ffdbdfb98db7a0ddd75fd5701c9bf925add00cc9061c9917abf0197001442c

SHA512
8e64a71f4178056330dc1d43f535db64d93c2d783a66d9c3b84e223ab281047c411def080344af8f6e966b8080ec71dce1a3fa76c24e58141d41a441163ce84c

Download Submit
\Windows\SysWOW64\PurpleMood.scr

Filesize
7KB

MD5
e6f96131c2febd74e049d41b70a4a4ed

SHA1
c37d29ab2f0ff5c251a60efde85618ed2d6c58ff

SHA256
b1ffdbdfb98db7a0ddd75fd5701c9bf925add00cc9061c9917abf0197001442c

SHA512
8e64a71f4178056330dc1d43f535db64d93c2d783a66d9c3b84e223ab281047c411def080344af8f6e966b8080ec71dce1a3fa76c24e58141d41a441163ce84c

Download Submit
\Windows\SysWOW64\PurpleMood.scr

Filesize
7KB

MD5
e6f96131c2febd74e049d41b70a4a4ed

SHA1
c37d29ab2f0ff5c251a60efde85618ed2d6c58ff

SHA256
b1ffdbdfb98db7a0ddd75fd5701c9bf925add00cc9061c9917abf0197001442c

SHA512
8e64a71f4178056330dc1d43f535db64d93c2d783a66d9c3b84e223ab281047c411def080344af8f6e966b8080ec71dce1a3fa76c24e58141d41a441163ce84c

Download Submit
\Windows\SysWOW64\PurpleMood.scr

Filesize
7KB

MD5
e6f96131c2febd74e049d41b70a4a4ed

SHA1
c37d29ab2f0ff5c251a60efde85618ed2d6c58ff

SHA256
b1ffdbdfb98db7a0ddd75fd5701c9bf925add00cc9061c9917abf0197001442c

SHA512
8e64a71f4178056330dc1d43f535db64d93c2d783a66d9c3b84e223ab281047c411def080344af8f6e966b8080ec71dce1a3fa76c24e58141d41a441163ce84c

Download Submit
\Windows\SysWOW64\PurpleMood.scr

Filesize
7KB

MD5
e6f96131c2febd74e049d41b70a4a4ed

SHA1
c37d29ab2f0ff5c251a60efde85618ed2d6c58ff

SHA256
b1ffdbdfb98db7a0ddd75fd5701c9bf925add00cc9061c9917abf0197001442c

SHA512
8e64a71f4178056330dc1d43f535db64d93c2d783a66d9c3b84e223ab281047c411def080344af8f6e966b8080ec71dce1a3fa76c24e58141d41a441163ce84c

Download Submit
\Windows\SysWOW64\PurpleMood.scr

Filesize
7KB

MD5
e6f96131c2febd74e049d41b70a4a4ed

SHA1
c37d29ab2f0ff5c251a60efde85618ed2d6c58ff

SHA256
b1ffdbdfb98db7a0ddd75fd5701c9bf925add00cc9061c9917abf0197001442c

SHA512
8e64a71f4178056330dc1d43f535db64d93c2d783a66d9c3b84e223ab281047c411def080344af8f6e966b8080ec71dce1a3fa76c24e58141d41a441163ce84c

Download Submit
\Windows\SysWOW64\PurpleMood.scr

Filesize
7KB

MD5
e6f96131c2febd74e049d41b70a4a4ed

SHA1
c37d29ab2f0ff5c251a60efde85618ed2d6c58ff

SHA256
b1ffdbdfb98db7a0ddd75fd5701c9bf925add00cc9061c9917abf0197001442c

SHA512
8e64a71f4178056330dc1d43f535db64d93c2d783a66d9c3b84e223ab281047c411def080344af8f6e966b8080ec71dce1a3fa76c24e58141d41a441163ce84c

Download Submit
\Windows\SysWOW64\PurpleMood.scr

Filesize
7KB

MD5
e6f96131c2febd74e049d41b70a4a4ed

SHA1
c37d29ab2f0ff5c251a60efde85618ed2d6c58ff

SHA256
b1ffdbdfb98db7a0ddd75fd5701c9bf925add00cc9061c9917abf0197001442c

SHA512
8e64a71f4178056330dc1d43f535db64d93c2d783a66d9c3b84e223ab281047c411def080344af8f6e966b8080ec71dce1a3fa76c24e58141d41a441163ce84c

Download Submit
\Windows\SysWOW64\PurpleMood.scr

Filesize
7KB

MD5
e6f96131c2febd74e049d41b70a4a4ed

SHA1
c37d29ab2f0ff5c251a60efde85618ed2d6c58ff

SHA256
b1ffdbdfb98db7a0ddd75fd5701c9bf925add00cc9061c9917abf0197001442c

SHA512
8e64a71f4178056330dc1d43f535db64d93c2d783a66d9c3b84e223ab281047c411def080344af8f6e966b8080ec71dce1a3fa76c24e58141d41a441163ce84c

Download Submit
\Windows\SysWOW64\PurpleMood.scr

Filesize
7KB

MD5
e6f96131c2febd74e049d41b70a4a4ed

SHA1
c37d29ab2f0ff5c251a60efde85618ed2d6c58ff

SHA256
b1ffdbdfb98db7a0ddd75fd5701c9bf925add00cc9061c9917abf0197001442c

SHA512
8e64a71f4178056330dc1d43f535db64d93c2d783a66d9c3b84e223ab281047c411def080344af8f6e966b8080ec71dce1a3fa76c24e58141d41a441163ce84c

Download Submit
\Windows\SysWOW64\PurpleMood.scr

Filesize
7KB

MD5
e6f96131c2febd74e049d41b70a4a4ed

SHA1
c37d29ab2f0ff5c251a60efde85618ed2d6c58ff

SHA256
b1ffdbdfb98db7a0ddd75fd5701c9bf925add00cc9061c9917abf0197001442c

SHA512
8e64a71f4178056330dc1d43f535db64d93c2d783a66d9c3b84e223ab281047c411def080344af8f6e966b8080ec71dce1a3fa76c24e58141d41a441163ce84c

Download Submit
\Windows\SysWOW64\PurpleMood.scr

Filesize
7KB

MD5
e6f96131c2febd74e049d41b70a4a4ed

SHA1
c37d29ab2f0ff5c251a60efde85618ed2d6c58ff

SHA256
b1ffdbdfb98db7a0ddd75fd5701c9bf925add00cc9061c9917abf0197001442c

SHA512
8e64a71f4178056330dc1d43f535db64d93c2d783a66d9c3b84e223ab281047c411def080344af8f6e966b8080ec71dce1a3fa76c24e58141d41a441163ce84c

Download Submit
\Windows\SysWOW64\PurpleMood.scr

Filesize
7KB

MD5
e6f96131c2febd74e049d41b70a4a4ed

SHA1
c37d29ab2f0ff5c251a60efde85618ed2d6c58ff

SHA256
b1ffdbdfb98db7a0ddd75fd5701c9bf925add00cc9061c9917abf0197001442c

SHA512
8e64a71f4178056330dc1d43f535db64d93c2d783a66d9c3b84e223ab281047c411def080344af8f6e966b8080ec71dce1a3fa76c24e58141d41a441163ce84c

Download Submit
memory/392-240-0x0000000000400000-0x0000000000403000-memory.dmp

Filesize
12KB

Download
memory/428-202-0x0000000000400000-0x0000000000403000-memory.dmp

Filesize
12KB

Download
memory/452-224-0x0000000000400000-0x0000000000403000-memory.dmp

Filesize
12KB

Download
memory/520-172-0x0000000000400000-0x0000000000403000-memory.dmp

Filesize
12KB

Download
memory/552-190-0x0000000000400000-0x0000000000403000-memory.dmp

Filesize
12KB

Download
memory/560-167-0x0000000000400000-0x0000000000403000-memory.dmp

Filesize
12KB

Download
memory/560-168-0x00000000001B0000-0x00000000001B3000-memory.dmp

Filesize
12KB

Download
memory/624-242-0x0000000000400000-0x0000000000403000-memory.dmp

Filesize
12KB

Download
memory/680-182-0x0000000000400000-0x0000000000403000-memory.dmp

Filesize
12KB

Download
memory/724-230-0x0000000000400000-0x0000000000403000-memory.dmp

Filesize
12KB

Download
memory/796-186-0x0000000000400000-0x0000000000403000-memory.dmp

Filesize
12KB

Download
memory/888-233-0x0000000000400000-0x0000000000403000-memory.dmp

Filesize
12KB

Download
memory/960-199-0x0000000000400000-0x0000000000403000-memory.dmp

Filesize
12KB

Download
memory/976-197-0x0000000000400000-0x0000000000403000-memory.dmp

Filesize
12KB

Download
memory/1000-239-0x0000000000400000-0x0000000000403000-memory.dmp

Filesize
12KB

Download
memory/1072-222-0x0000000000400000-0x0000000000403000-memory.dmp

Filesize
12KB

Download
memory/1100-170-0x0000000000400000-0x0000000000403000-memory.dmp

Filesize
12KB

Download
memory/1240-213-0x0000000000400000-0x0000000000403000-memory.dmp

Filesize
12KB

Download
memory/1256-216-0x00000000001B0000-0x00000000001B3000-memory.dmp

Filesize
12KB

Download
memory/1256-215-0x0000000000400000-0x0000000000403000-memory.dmp

Filesize
12KB

Download
memory/1260-160-0x0000000000400000-0x0000000000403000-memory.dmp

Filesize
12KB

Download
memory/1260-161-0x0000000000220000-0x0000000000223000-memory.dmp

Filesize
12KB

Download
memory/1284-229-0x00000000001B0000-0x00000000001B3000-memory.dmp

Filesize
12KB

Download
memory/1284-225-0x0000000000400000-0x0000000000403000-memory.dmp

Filesize
12KB

Download
memory/1284-227-0x00000000001B0000-0x00000000001B3000-memory.dmp

Filesize
12KB

Download
memory/1324-211-0x0000000000400000-0x0000000000403000-memory.dmp

Filesize
12KB

Download
memory/1344-244-0x0000000000400000-0x0000000000403000-memory.dmp

Filesize
12KB

Download
memory/1364-243-0x0000000000400000-0x0000000000403000-memory.dmp

Filesize
12KB

Download
memory/1380-235-0x0000000000400000-0x0000000000403000-memory.dmp

Filesize
12KB

Download
memory/1456-238-0x0000000000400000-0x0000000000403000-memory.dmp

Filesize
12KB

Download
memory/1496-204-0x0000000000400000-0x0000000000403000-memory.dmp

Filesize
12KB

Download
memory/1512-187-0x0000000000400000-0x0000000000403000-memory.dmp

Filesize
12KB

Download
memory/1512-189-0x0000000000220000-0x0000000000223000-memory.dmp

Filesize
12KB

Download
memory/1528-231-0x0000000000400000-0x0000000000403000-memory.dmp

Filesize
12KB

Download
memory/1540-177-0x0000000000220000-0x0000000000223000-memory.dmp

Filesize
12KB

Download
memory/1540-175-0x0000000000220000-0x0000000000223000-memory.dmp

Filesize
12KB

Download
memory/1540-173-0x0000000000400000-0x0000000000403000-memory.dmp

Filesize
12KB

Download
memory/1552-183-0x0000000000400000-0x0000000000403000-memory.dmp

Filesize
12KB

Download
memory/1572-209-0x0000000000220000-0x0000000000223000-memory.dmp

Filesize
12KB

Download
memory/1572-208-0x0000000000400000-0x0000000000403000-memory.dmp

Filesize
12KB

Download
memory/1612-236-0x0000000000400000-0x0000000000403000-memory.dmp

Filesize
12KB

Download
memory/1624-195-0x0000000000400000-0x0000000000403000-memory.dmp

Filesize
12KB

Download
memory/1628-232-0x0000000000400000-0x0000000000403000-memory.dmp

Filesize
12KB

Download
memory/1632-159-0x00000000001B0000-0x00000000001B3000-memory.dmp

Filesize
12KB

Download
memory/1632-157-0x00000000001B0000-0x00000000001B3000-memory.dmp

Filesize
12KB

Download
memory/1632-156-0x0000000000400000-0x0000000000403000-memory.dmp

Filesize
12KB

Download
memory/1652-179-0x0000000000400000-0x0000000000403000-memory.dmp

Filesize
12KB

Download
memory/1692-237-0x0000000000400000-0x0000000000403000-memory.dmp

Filesize
12KB

Download
memory/1712-203-0x0000000000400000-0x0000000000403000-memory.dmp

Filesize
12KB

Download
memory/1716-200-0x0000000000400000-0x0000000000403000-memory.dmp

Filesize
12KB

Download
memory/1728-163-0x0000000000400000-0x0000000000403000-memory.dmp

Filesize
12KB

Download
memory/1728-164-0x00000000001B0000-0x00000000001B3000-memory.dmp

Filesize
12KB

Download
memory/1736-234-0x0000000000400000-0x0000000000403000-memory.dmp

Filesize
12KB

Download
memory/1772-185-0x0000000000400000-0x0000000000403000-memory.dmp

Filesize
12KB

Download
memory/1788-180-0x0000000000400000-0x0000000000403000-memory.dmp

Filesize
12KB

Download
memory/1820-193-0x0000000000400000-0x0000000000403000-memory.dmp

Filesize
12KB

Download
memory/1868-245-0x0000000000400000-0x0000000000403000-memory.dmp

Filesize
12KB

Download
memory/1872-206-0x0000000000400000-0x0000000000403000-memory.dmp

Filesize
12KB

Download
memory/1952-241-0x0000000000400000-0x0000000000403000-memory.dmp

Filesize
12KB

Download
memory/1960-192-0x0000000000400000-0x0000000000403000-memory.dmp

Filesize
12KB

Download
memory/1972-221-0x0000000000400000-0x0000000000403000-memory.dmp

Filesize
12KB

Download
memory/2028-166-0x0000000000400000-0x0000000000403000-memory.dmp

Filesize
12KB

Download
memory/2040-219-0x0000000000230000-0x0000000000233000-memory.dmp

Filesize
12KB

Download
memory/2040-217-0x0000000000400000-0x0000000000403000-memory.dmp

Filesize
12KB

Download