79651e8616f701122275edd7444d7f62478bc2a786d204ec2c59e9f01a5d417b

Analysis

max time kernel
148s
max time network
129s
platform
windows7_x64
resource
win7-20241010-en
resource tags

arch:x64arch:x86image:win7-20241010-enlocale:en-usos:windows7-x64system
submitted
17-11-2024 17:08

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

virussign.com_cf449b9fd99f5da93cbb91c84e64e710.exe
Size

7KB
MD5

cf449b9fd99f5da93cbb91c84e64e710
SHA1

3cdef0031a939b31cb4b9a6ad1bf9ca88a155751
SHA256

087300bc42aa885c126aa1771a2f80691399efae7543a8f493f5059548163957
SHA512

24bbe2217b79f6e920d75ca986bce35c9daad0558205324f6470292629ac3431a2f2f0a85567bd87d022ac00625dac1d2e46e004fd2a8e9e4403e3e53073705f
SSDEEP

96:Ge32tdsBxRlRIWb9pXc1eG6PcGma1JIwIdzwzc:GjdsXyWb9pkeG7yJIwczw

Score

7^/10

discovery persistence

Malware Config

Signatures

Executes dropped EXE 64 IoCs

pid	Process
1228	PurpleMood.scr
3032	PurpleMood.scr
2140	PurpleMood.scr
3068	PurpleMood.scr
2596	PurpleMood.scr
1744	PurpleMood.scr
2792	PurpleMood.scr
2828	PurpleMood.scr
2784	PurpleMood.scr
2840	PurpleMood.scr
2368	PurpleMood.scr
628	PurpleMood.scr
2516	PurpleMood.scr
2564	PurpleMood.scr
928	PurpleMood.scr
1164	PurpleMood.scr
2552	PurpleMood.scr
2600	PurpleMood.scr
2948	PurpleMood.scr
2232	PurpleMood.scr
2432	PurpleMood.scr
2128	PurpleMood.scr
2640	PurpleMood.scr
936	PurpleMood.scr
1688	PurpleMood.scr
2468	PurpleMood.scr
2336	PurpleMood.scr
2320	PurpleMood.scr
2340	PurpleMood.scr
772	PurpleMood.scr
2360	PurpleMood.scr
2080	PurpleMood.scr
2588	PurpleMood.scr
1840	PurpleMood.scr
1940	PurpleMood.scr
676	PurpleMood.scr
1020	PurpleMood.scr
840	PurpleMood.scr
1964	PurpleMood.scr
584	PurpleMood.scr
1056	PurpleMood.scr
1132	PurpleMood.scr
1960	PurpleMood.scr
908	PurpleMood.scr
2100	PurpleMood.scr
1620	PurpleMood.scr
2708	PurpleMood.scr
1564	PurpleMood.scr
2472	PurpleMood.scr
2052	PurpleMood.scr
1608	PurpleMood.scr
1444	PurpleMood.scr
1748	PurpleMood.scr
1676	PurpleMood.scr
2720	PurpleMood.scr
2992	PurpleMood.scr
432	PurpleMood.scr
1112	PurpleMood.scr
576	PurpleMood.scr
768	PurpleMood.scr
2944	PurpleMood.scr
2248	PurpleMood.scr
880	PurpleMood.scr
1936	PurpleMood.scr

Loads dropped DLL 64 IoCs

pid	Process
2152	virussign.com_cf449b9fd99f5da93cbb91c84e64e710.exe
2152	virussign.com_cf449b9fd99f5da93cbb91c84e64e710.exe
1228	PurpleMood.scr
1228	PurpleMood.scr
3032	PurpleMood.scr
3032	PurpleMood.scr
2140	PurpleMood.scr
2140	PurpleMood.scr
3068	PurpleMood.scr
3068	PurpleMood.scr
2596	PurpleMood.scr
2596	PurpleMood.scr
1744	PurpleMood.scr
1744	PurpleMood.scr
2792	PurpleMood.scr
2792	PurpleMood.scr
2828	PurpleMood.scr
2828	PurpleMood.scr
2784	PurpleMood.scr
2784	PurpleMood.scr
2840	PurpleMood.scr
2840	PurpleMood.scr
2368	PurpleMood.scr
2368	PurpleMood.scr
628	PurpleMood.scr
628	PurpleMood.scr
2516	PurpleMood.scr
2516	PurpleMood.scr
2564	PurpleMood.scr
2564	PurpleMood.scr
928	PurpleMood.scr
928	PurpleMood.scr
1164	PurpleMood.scr
1164	PurpleMood.scr
2552	PurpleMood.scr
2552	PurpleMood.scr
2600	PurpleMood.scr
2600	PurpleMood.scr
2948	PurpleMood.scr
2948	PurpleMood.scr
2232	PurpleMood.scr
2232	PurpleMood.scr
2432	PurpleMood.scr
2432	PurpleMood.scr
2128	PurpleMood.scr
2128	PurpleMood.scr
2640	PurpleMood.scr
2640	PurpleMood.scr
936	PurpleMood.scr
936	PurpleMood.scr
1688	PurpleMood.scr
1688	PurpleMood.scr
2468	PurpleMood.scr
2468	PurpleMood.scr
2336	PurpleMood.scr
2336	PurpleMood.scr
2320	PurpleMood.scr
2320	PurpleMood.scr
2340	PurpleMood.scr
2340	PurpleMood.scr
772	PurpleMood.scr
772	PurpleMood.scr
2360	PurpleMood.scr
2360	PurpleMood.scr

Adds Run key to start application 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\PurpleMood = "C:\\Windows\\system32\\PurpleMood.scr"	PurpleMood.scr
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\PurpleMood = "C:\\Windows\\system32\\PurpleMood.scr"	PurpleMood.scr
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\PurpleMood = "C:\\Windows\\system32\\PurpleMood.scr"	PurpleMood.scr
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\PurpleMood = "C:\\Windows\\system32\\PurpleMood.scr"	PurpleMood.scr
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\PurpleMood = "C:\\Windows\\system32\\PurpleMood.scr"	PurpleMood.scr
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\PurpleMood = "C:\\Windows\\system32\\PurpleMood.scr"	PurpleMood.scr
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\PurpleMood = "C:\\Windows\\system32\\PurpleMood.scr"	PurpleMood.scr
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\PurpleMood = "C:\\Windows\\system32\\PurpleMood.scr"	PurpleMood.scr
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\PurpleMood = "C:\\Windows\\system32\\PurpleMood.scr"	PurpleMood.scr
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\PurpleMood = "C:\\Windows\\system32\\PurpleMood.scr"	PurpleMood.scr
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\PurpleMood = "C:\\Windows\\system32\\PurpleMood.scr"	PurpleMood.scr
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\PurpleMood = "C:\\Windows\\system32\\PurpleMood.scr"	PurpleMood.scr
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\PurpleMood = "C:\\Windows\\system32\\PurpleMood.scr"	PurpleMood.scr
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\PurpleMood = "C:\\Windows\\system32\\PurpleMood.scr"	PurpleMood.scr
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\PurpleMood = "C:\\Windows\\system32\\PurpleMood.scr"	PurpleMood.scr
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\PurpleMood = "C:\\Windows\\system32\\PurpleMood.scr"	PurpleMood.scr
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\PurpleMood = "C:\\Windows\\system32\\PurpleMood.scr"	PurpleMood.scr
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\PurpleMood = "C:\\Windows\\system32\\PurpleMood.scr"	PurpleMood.scr
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\PurpleMood = "C:\\Windows\\system32\\PurpleMood.scr"	PurpleMood.scr
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\PurpleMood = "C:\\Windows\\system32\\PurpleMood.scr"	PurpleMood.scr
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\PurpleMood = "C:\\Windows\\system32\\PurpleMood.scr"	PurpleMood.scr
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\PurpleMood = "C:\\Windows\\system32\\PurpleMood.scr"	PurpleMood.scr
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\PurpleMood = "C:\\Windows\\system32\\PurpleMood.scr"	PurpleMood.scr
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\PurpleMood = "C:\\Windows\\system32\\PurpleMood.scr"	PurpleMood.scr
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\PurpleMood = "C:\\Windows\\system32\\PurpleMood.scr"	PurpleMood.scr
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\PurpleMood = "C:\\Windows\\system32\\PurpleMood.scr"	PurpleMood.scr
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\PurpleMood = "C:\\Windows\\system32\\PurpleMood.scr"	Process not Found
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\PurpleMood = "C:\\Windows\\system32\\PurpleMood.scr"	PurpleMood.scr
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\PurpleMood = "C:\\Windows\\system32\\PurpleMood.scr"	PurpleMood.scr
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\PurpleMood = "C:\\Windows\\system32\\PurpleMood.scr"	PurpleMood.scr
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\PurpleMood = "C:\\Windows\\system32\\PurpleMood.scr"	Process not Found
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\PurpleMood = "C:\\Windows\\system32\\PurpleMood.scr"	PurpleMood.scr
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\PurpleMood = "C:\\Windows\\system32\\PurpleMood.scr"	PurpleMood.scr
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\PurpleMood = "C:\\Windows\\system32\\PurpleMood.scr"	PurpleMood.scr
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\PurpleMood = "C:\\Windows\\system32\\PurpleMood.scr"	PurpleMood.scr
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\PurpleMood = "C:\\Windows\\system32\\PurpleMood.scr"	PurpleMood.scr
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\PurpleMood = "C:\\Windows\\system32\\PurpleMood.scr"	PurpleMood.scr
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\PurpleMood = "C:\\Windows\\system32\\PurpleMood.scr"	PurpleMood.scr
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\PurpleMood = "C:\\Windows\\system32\\PurpleMood.scr"	PurpleMood.scr
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\PurpleMood = "C:\\Windows\\system32\\PurpleMood.scr"	PurpleMood.scr
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\PurpleMood = "C:\\Windows\\system32\\PurpleMood.scr"	PurpleMood.scr
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\PurpleMood = "C:\\Windows\\system32\\PurpleMood.scr"	PurpleMood.scr
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\PurpleMood = "C:\\Windows\\system32\\PurpleMood.scr"	PurpleMood.scr
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\PurpleMood = "C:\\Windows\\system32\\PurpleMood.scr"	PurpleMood.scr
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\PurpleMood = "C:\\Windows\\system32\\PurpleMood.scr"	PurpleMood.scr
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\PurpleMood = "C:\\Windows\\system32\\PurpleMood.scr"	PurpleMood.scr
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\PurpleMood = "C:\\Windows\\system32\\PurpleMood.scr"	PurpleMood.scr
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\PurpleMood = "C:\\Windows\\system32\\PurpleMood.scr"	PurpleMood.scr
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\PurpleMood = "C:\\Windows\\system32\\PurpleMood.scr"	PurpleMood.scr
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\PurpleMood = "C:\\Windows\\system32\\PurpleMood.scr"	PurpleMood.scr
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\PurpleMood = "C:\\Windows\\system32\\PurpleMood.scr"	PurpleMood.scr
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\PurpleMood = "C:\\Windows\\system32\\PurpleMood.scr"	PurpleMood.scr
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\PurpleMood = "C:\\Windows\\system32\\PurpleMood.scr"	PurpleMood.scr
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\PurpleMood = "C:\\Windows\\system32\\PurpleMood.scr"	PurpleMood.scr
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\PurpleMood = "C:\\Windows\\system32\\PurpleMood.scr"	PurpleMood.scr
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\PurpleMood = "C:\\Windows\\system32\\PurpleMood.scr"	PurpleMood.scr
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\PurpleMood = "C:\\Windows\\system32\\PurpleMood.scr"	PurpleMood.scr
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\PurpleMood = "C:\\Windows\\system32\\PurpleMood.scr"	PurpleMood.scr
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\PurpleMood = "C:\\Windows\\system32\\PurpleMood.scr"	PurpleMood.scr
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\PurpleMood = "C:\\Windows\\system32\\PurpleMood.scr"	PurpleMood.scr
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\PurpleMood = "C:\\Windows\\system32\\PurpleMood.scr"	PurpleMood.scr
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\PurpleMood = "C:\\Windows\\system32\\PurpleMood.scr"	PurpleMood.scr
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\PurpleMood = "C:\\Windows\\system32\\PurpleMood.scr"	PurpleMood.scr
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\PurpleMood = "C:\\Windows\\system32\\PurpleMood.scr"	PurpleMood.scr

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\PurpleMood.scr	PurpleMood.scr
File created	C:\Windows\SysWOW64\PurpleMood.scr	PurpleMood.scr
File created	C:\Windows\SysWOW64\PurpleMood.scr	PurpleMood.scr
File created	C:\Windows\SysWOW64\PurpleMood.scr	PurpleMood.scr
File created	C:\Windows\SysWOW64\PurpleMood.scr	PurpleMood.scr
File created	C:\Windows\SysWOW64\PurpleMood.scr	PurpleMood.scr
File created	C:\Windows\SysWOW64\PurpleMood.scr	PurpleMood.scr
File created	C:\Windows\SysWOW64\PurpleMood.scr	PurpleMood.scr
File created	C:\Windows\SysWOW64\PurpleMood.scr	PurpleMood.scr
File created	C:\Windows\SysWOW64\PurpleMood.scr	PurpleMood.scr
File created	C:\Windows\SysWOW64\PurpleMood.scr	PurpleMood.scr
File created	C:\Windows\SysWOW64\PurpleMood.scr	PurpleMood.scr
File created	C:\Windows\SysWOW64\PurpleMood.scr	PurpleMood.scr
File created	C:\Windows\SysWOW64\PurpleMood.scr	PurpleMood.scr
File created	C:\Windows\SysWOW64\PurpleMood.scr	PurpleMood.scr
File created	C:\Windows\SysWOW64\PurpleMood.scr	PurpleMood.scr
File created	C:\Windows\SysWOW64\PurpleMood.scr	PurpleMood.scr
File created	C:\Windows\SysWOW64\PurpleMood.scr	PurpleMood.scr
File created	C:\Windows\SysWOW64\PurpleMood.scr	PurpleMood.scr
File created	C:\Windows\SysWOW64\PurpleMood.scr	PurpleMood.scr
File created	C:\Windows\SysWOW64\PurpleMood.scr	PurpleMood.scr
File created	C:\Windows\SysWOW64\PurpleMood.scr	PurpleMood.scr
File created	C:\Windows\SysWOW64\PurpleMood.scr	PurpleMood.scr
File created	C:\Windows\SysWOW64\PurpleMood.scr	PurpleMood.scr
File created	C:\Windows\SysWOW64\PurpleMood.scr	Process not Found
File created	C:\Windows\SysWOW64\PurpleMood.scr	PurpleMood.scr
File created	C:\Windows\SysWOW64\PurpleMood.scr	PurpleMood.scr
File created	C:\Windows\SysWOW64\PurpleMood.scr	PurpleMood.scr
File created	C:\Windows\SysWOW64\PurpleMood.scr	PurpleMood.scr
File created	C:\Windows\SysWOW64\PurpleMood.scr	PurpleMood.scr
File created	C:\Windows\SysWOW64\PurpleMood.scr	PurpleMood.scr
File created	C:\Windows\SysWOW64\PurpleMood.scr	PurpleMood.scr
File created	C:\Windows\SysWOW64\PurpleMood.scr	PurpleMood.scr
File created	C:\Windows\SysWOW64\PurpleMood.scr	PurpleMood.scr
File created	C:\Windows\SysWOW64\PurpleMood.scr	PurpleMood.scr
File created	C:\Windows\SysWOW64\PurpleMood.scr	PurpleMood.scr
File created	C:\Windows\SysWOW64\PurpleMood.scr	PurpleMood.scr
File created	C:\Windows\SysWOW64\PurpleMood.scr	PurpleMood.scr
File created	C:\Windows\SysWOW64\PurpleMood.scr	PurpleMood.scr
File created	C:\Windows\SysWOW64\PurpleMood.scr	PurpleMood.scr
File created	C:\Windows\SysWOW64\PurpleMood.scr	PurpleMood.scr
File created	C:\Windows\SysWOW64\PurpleMood.scr	PurpleMood.scr
File created	C:\Windows\SysWOW64\PurpleMood.scr	PurpleMood.scr
File created	C:\Windows\SysWOW64\PurpleMood.scr	PurpleMood.scr
File created	C:\Windows\SysWOW64\PurpleMood.scr	PurpleMood.scr
File created	C:\Windows\SysWOW64\PurpleMood.scr	PurpleMood.scr
File created	C:\Windows\SysWOW64\PurpleMood.scr	PurpleMood.scr
File created	C:\Windows\SysWOW64\PurpleMood.scr	PurpleMood.scr
File created	C:\Windows\SysWOW64\PurpleMood.scr	PurpleMood.scr
File created	C:\Windows\SysWOW64\PurpleMood.scr	PurpleMood.scr
File created	C:\Windows\SysWOW64\PurpleMood.scr	PurpleMood.scr
File created	C:\Windows\SysWOW64\PurpleMood.scr	PurpleMood.scr
File created	C:\Windows\SysWOW64\PurpleMood.scr	PurpleMood.scr
File created	C:\Windows\SysWOW64\PurpleMood.scr	PurpleMood.scr
File created	C:\Windows\SysWOW64\PurpleMood.scr	PurpleMood.scr
File created	C:\Windows\SysWOW64\PurpleMood.scr	PurpleMood.scr
File created	C:\Windows\SysWOW64\PurpleMood.scr	PurpleMood.scr
File created	C:\Windows\SysWOW64\PurpleMood.scr	PurpleMood.scr
File created	C:\Windows\SysWOW64\PurpleMood.scr	PurpleMood.scr
File created	C:\Windows\SysWOW64\PurpleMood.scr	PurpleMood.scr
File created	C:\Windows\SysWOW64\PurpleMood.scr	PurpleMood.scr
File created	C:\Windows\SysWOW64\PurpleMood.scr	PurpleMood.scr
File created	C:\Windows\SysWOW64\PurpleMood.scr	PurpleMood.scr
File created	C:\Windows\SysWOW64\PurpleMood.scr	PurpleMood.scr

Program crash 64 IoCs

pid	pid_target	Process	procid_target
9092	2152	WerFault.exe	29
9108	1228	WerFault.exe	30
9140	3032	WerFault.exe	31
9172	2140	WerFault.exe	32
9200	3068	WerFault.exe	33
9208	2596	WerFault.exe	34
9236	1744	WerFault.exe	35
9308	2828	WerFault.exe	37
9324	2840	WerFault.exe	39
9332	2784	WerFault.exe	38
9292	2792	WerFault.exe	36
9428	2368	WerFault.exe	40
9436	628	WerFault.exe	41
9468	2564	WerFault.exe	43
9496	2516	WerFault.exe	42
9528	928	WerFault.exe	44
9552	1164	WerFault.exe	45
9580	2552	WerFault.exe	46
9620	2232	WerFault.exe	49
9684	2948	WerFault.exe	48
9716	2432	WerFault.exe	50
9724	2640	WerFault.exe	52
9764	2468	WerFault.exe	55
9756	936	WerFault.exe	53
9748	2600	WerFault.exe	47
9732	2128	WerFault.exe	51
9784	1688	WerFault.exe	54
9856	2336	WerFault.exe	56
9824	2320	WerFault.exe	57
9928	2340	WerFault.exe	58
9920	772	WerFault.exe	59
9992	2360	WerFault.exe	60
9984	2080	WerFault.exe	61
10008	2588	WerFault.exe	62
10044	840	WerFault.exe	67
10036	676	WerFault.exe	65
10028	1840	WerFault.exe	63
10052	1940	WerFault.exe	64
10100	1132	WerFault.exe	71
10108	1964	WerFault.exe	68
10092	584	WerFault.exe	69
10072	1020	WerFault.exe	66
10120	908	WerFault.exe	73
10136	1056	WerFault.exe	70
10168	1620	WerFault.exe	75
10216	1960	WerFault.exe	72
10224	1564	WerFault.exe	77
10232	2708	WerFault.exe	76
9156	2100	WerFault.exe	74
9224	2472	WerFault.exe	78
9360	1444	WerFault.exe	81
9512	2052	WerFault.exe	79
9612	1608	WerFault.exe	80
9776	2720	WerFault.exe	84
9052	1748	WerFault.exe	82
10176	1676	WerFault.exe	83
10192	2992	WerFault.exe	85
10256	432	WerFault.exe	86
10336	576	Process not Found	88
10360	1112	Process not Found	87
10400	2248	Process not Found	91
10412	2944	Process not Found	90
10444	1508	Process not Found	94
10428	880	Process not Found	92

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PurpleMood.scr
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PurpleMood.scr
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PurpleMood.scr
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PurpleMood.scr
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PurpleMood.scr
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PurpleMood.scr
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PurpleMood.scr
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PurpleMood.scr
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PurpleMood.scr
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PurpleMood.scr
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PurpleMood.scr
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PurpleMood.scr
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PurpleMood.scr
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PurpleMood.scr
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PurpleMood.scr
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PurpleMood.scr
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PurpleMood.scr
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PurpleMood.scr
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PurpleMood.scr
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PurpleMood.scr
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PurpleMood.scr
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PurpleMood.scr
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PurpleMood.scr
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PurpleMood.scr
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PurpleMood.scr
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PurpleMood.scr
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PurpleMood.scr
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PurpleMood.scr
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PurpleMood.scr
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PurpleMood.scr
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PurpleMood.scr
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PurpleMood.scr
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PurpleMood.scr
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PurpleMood.scr
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PurpleMood.scr
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PurpleMood.scr
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PurpleMood.scr
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PurpleMood.scr
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PurpleMood.scr
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PurpleMood.scr
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PurpleMood.scr
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PurpleMood.scr
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PurpleMood.scr
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PurpleMood.scr
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PurpleMood.scr
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PurpleMood.scr
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PurpleMood.scr
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PurpleMood.scr
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PurpleMood.scr
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PurpleMood.scr
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PurpleMood.scr
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PurpleMood.scr
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PurpleMood.scr
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PurpleMood.scr
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PurpleMood.scr
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PurpleMood.scr
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PurpleMood.scr
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PurpleMood.scr
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PurpleMood.scr
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PurpleMood.scr
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PurpleMood.scr
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PurpleMood.scr
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PurpleMood.scr

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2152 wrote to memory of 1228	2152	virussign.com_cf449b9fd99f5da93cbb91c84e64e710.exe	30
PID 2152 wrote to memory of 1228	2152	virussign.com_cf449b9fd99f5da93cbb91c84e64e710.exe	30
PID 2152 wrote to memory of 1228	2152	virussign.com_cf449b9fd99f5da93cbb91c84e64e710.exe	30
PID 2152 wrote to memory of 1228	2152	virussign.com_cf449b9fd99f5da93cbb91c84e64e710.exe	30
PID 1228 wrote to memory of 3032	1228	PurpleMood.scr	31
PID 1228 wrote to memory of 3032	1228	PurpleMood.scr	31
PID 1228 wrote to memory of 3032	1228	PurpleMood.scr	31
PID 1228 wrote to memory of 3032	1228	PurpleMood.scr	31
PID 3032 wrote to memory of 2140	3032	PurpleMood.scr	32
PID 3032 wrote to memory of 2140	3032	PurpleMood.scr	32
PID 3032 wrote to memory of 2140	3032	PurpleMood.scr	32
PID 3032 wrote to memory of 2140	3032	PurpleMood.scr	32
PID 2140 wrote to memory of 3068	2140	PurpleMood.scr	33
PID 2140 wrote to memory of 3068	2140	PurpleMood.scr	33
PID 2140 wrote to memory of 3068	2140	PurpleMood.scr	33
PID 2140 wrote to memory of 3068	2140	PurpleMood.scr	33
PID 3068 wrote to memory of 2596	3068	PurpleMood.scr	34
PID 3068 wrote to memory of 2596	3068	PurpleMood.scr	34
PID 3068 wrote to memory of 2596	3068	PurpleMood.scr	34
PID 3068 wrote to memory of 2596	3068	PurpleMood.scr	34
PID 2596 wrote to memory of 1744	2596	PurpleMood.scr	35
PID 2596 wrote to memory of 1744	2596	PurpleMood.scr	35
PID 2596 wrote to memory of 1744	2596	PurpleMood.scr	35
PID 2596 wrote to memory of 1744	2596	PurpleMood.scr	35
PID 1744 wrote to memory of 2792	1744	PurpleMood.scr	36
PID 1744 wrote to memory of 2792	1744	PurpleMood.scr	36
PID 1744 wrote to memory of 2792	1744	PurpleMood.scr	36
PID 1744 wrote to memory of 2792	1744	PurpleMood.scr	36
PID 2792 wrote to memory of 2828	2792	PurpleMood.scr	37
PID 2792 wrote to memory of 2828	2792	PurpleMood.scr	37
PID 2792 wrote to memory of 2828	2792	PurpleMood.scr	37
PID 2792 wrote to memory of 2828	2792	PurpleMood.scr	37
PID 2828 wrote to memory of 2784	2828	PurpleMood.scr	38
PID 2828 wrote to memory of 2784	2828	PurpleMood.scr	38
PID 2828 wrote to memory of 2784	2828	PurpleMood.scr	38
PID 2828 wrote to memory of 2784	2828	PurpleMood.scr	38
PID 2784 wrote to memory of 2840	2784	PurpleMood.scr	39
PID 2784 wrote to memory of 2840	2784	PurpleMood.scr	39
PID 2784 wrote to memory of 2840	2784	PurpleMood.scr	39
PID 2784 wrote to memory of 2840	2784	PurpleMood.scr	39
PID 2840 wrote to memory of 2368	2840	PurpleMood.scr	40
PID 2840 wrote to memory of 2368	2840	PurpleMood.scr	40
PID 2840 wrote to memory of 2368	2840	PurpleMood.scr	40
PID 2840 wrote to memory of 2368	2840	PurpleMood.scr	40
PID 2368 wrote to memory of 628	2368	PurpleMood.scr	41
PID 2368 wrote to memory of 628	2368	PurpleMood.scr	41
PID 2368 wrote to memory of 628	2368	PurpleMood.scr	41
PID 2368 wrote to memory of 628	2368	PurpleMood.scr	41
PID 628 wrote to memory of 2516	628	PurpleMood.scr	42
PID 628 wrote to memory of 2516	628	PurpleMood.scr	42
PID 628 wrote to memory of 2516	628	PurpleMood.scr	42
PID 628 wrote to memory of 2516	628	PurpleMood.scr	42
PID 2516 wrote to memory of 2564	2516	PurpleMood.scr	43
PID 2516 wrote to memory of 2564	2516	PurpleMood.scr	43
PID 2516 wrote to memory of 2564	2516	PurpleMood.scr	43
PID 2516 wrote to memory of 2564	2516	PurpleMood.scr	43
PID 2564 wrote to memory of 928	2564	PurpleMood.scr	44
PID 2564 wrote to memory of 928	2564	PurpleMood.scr	44
PID 2564 wrote to memory of 928	2564	PurpleMood.scr	44
PID 2564 wrote to memory of 928	2564	PurpleMood.scr	44
PID 928 wrote to memory of 1164	928	PurpleMood.scr	45
PID 928 wrote to memory of 1164	928	PurpleMood.scr	45
PID 928 wrote to memory of 1164	928	PurpleMood.scr	45
PID 928 wrote to memory of 1164	928	PurpleMood.scr	45

C:\Users\Admin\AppData\Local\Temp\virussign.com_cf449b9fd99f5da93cbb91c84e64e710.exe
"C:\Users\Admin\AppData\Local\Temp\virussign.com_cf449b9fd99f5da93cbb91c84e64e710.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2152
- C:\Windows\SysWOW64\PurpleMood.scr
  C:\Windows\system32\PurpleMood.scr
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:1228
- - C:\Windows\SysWOW64\PurpleMood.scr
    C:\Windows\system32\PurpleMood.scr
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:3032
  - - C:\Windows\SysWOW64\PurpleMood.scr
      C:\Windows\system32\PurpleMood.scr
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Suspicious use of WriteProcessMemory
      PID:2140
    - - C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of WriteProcessMemory
        
        PID:3068
      - C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of WriteProcessMemory
        
        PID:2596
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        7⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of WriteProcessMemory
        
        PID:1744
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        8⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of WriteProcessMemory
        
        PID:2792
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        9⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2828
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        10⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of WriteProcessMemory
        
        PID:2784
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        11⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of WriteProcessMemory
        
        PID:2840
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        12⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of WriteProcessMemory
        
        PID:2368
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        13⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of WriteProcessMemory
        
        PID:628
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        14⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of WriteProcessMemory
        
        PID:2516
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        15⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of WriteProcessMemory
        
        PID:2564
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        16⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of WriteProcessMemory
        
        PID:928
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        17⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:1164
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        18⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:2552
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        19⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:2600
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        20⤵
        Executes dropped EXE
        Loads dropped DLL
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:2948
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        21⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:2232
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        22⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        
        PID:2432
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        23⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:2128
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        24⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:2640
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        25⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:936
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        26⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:1688
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        27⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:2468
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        28⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:2336
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        29⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:2320
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        30⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:2340
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        31⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:772
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        32⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:2360
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        33⤵
        Executes dropped EXE
        
        PID:2080
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        34⤵
        Executes dropped EXE
        
        PID:2588
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        35⤵
        Executes dropped EXE
        
        PID:1840
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        36⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1940
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        37⤵
        Executes dropped EXE
        
        PID:676
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        38⤵
        Executes dropped EXE
        
        PID:1020
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        39⤵
        Executes dropped EXE
        
        PID:840
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        40⤵
        Executes dropped EXE
        
        PID:1964
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        41⤵
        Executes dropped EXE
        
        PID:584
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        42⤵
        Executes dropped EXE
        
        PID:1056
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        43⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1132
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        44⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1960
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        45⤵
        Executes dropped EXE
        
        PID:908
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        46⤵
        Executes dropped EXE
        
        PID:2100
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        47⤵
        Executes dropped EXE
        
        PID:1620
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        48⤵
        Executes dropped EXE
        
        PID:2708
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        49⤵
        Executes dropped EXE
        
        PID:1564
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        50⤵
        Executes dropped EXE
        
        PID:2472
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        51⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2052
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        52⤵
        Executes dropped EXE
        
        PID:1608
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        53⤵
        Executes dropped EXE
        
        PID:1444
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        54⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1748
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        55⤵
        Executes dropped EXE
        
        PID:1676
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        56⤵
        Executes dropped EXE
        
        PID:2720
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        57⤵
        Executes dropped EXE
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:2992
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        58⤵
        Executes dropped EXE
        
        PID:432
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        59⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1112
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        60⤵
        Executes dropped EXE
        
        PID:576
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        61⤵
        Executes dropped EXE
        
        PID:768
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        62⤵
        Executes dropped EXE
        
        PID:2944
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        63⤵
        Executes dropped EXE
        
        PID:2248
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        64⤵
        Executes dropped EXE
        
        PID:880
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        65⤵
        Executes dropped EXE
        
        PID:1936
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        66⤵
        
        PID:1508
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        67⤵
        Drops file in System32 directory
        
        PID:2980
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        68⤵
        
        PID:1684
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        69⤵
        
        PID:2860
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        70⤵
        
        PID:1048
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        71⤵
        Adds Run key to start application
        
        PID:2892
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        72⤵
        
        PID:3056
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        73⤵
        
        PID:2920
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        74⤵
        Drops file in System32 directory
        
        PID:2904
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        75⤵
        
        PID:2880
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        76⤵
        
        PID:1600
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        77⤵
        Drops file in System32 directory
        
        PID:1724
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        78⤵
        
        PID:1636
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        79⤵
        
        PID:2776
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        80⤵
        Drops file in System32 directory
        
        PID:2964
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        81⤵
        
        PID:2016
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        82⤵
        
        PID:2252
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        83⤵
        
        PID:2900
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        84⤵
        
        PID:2228
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        85⤵
        
        PID:3048
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        86⤵
        
        PID:2780
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        87⤵
        
        PID:2832
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        88⤵
        
        PID:2364
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        89⤵
        
        PID:2064
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        90⤵
        
        PID:3052
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        91⤵
        
        PID:1816
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        92⤵
        
        PID:1680
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        93⤵
        
        PID:1732
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        94⤵
        
        PID:2328
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        95⤵
        
        PID:1804
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        96⤵
        
        PID:2040
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        97⤵
        
        PID:2984
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        98⤵
        
        PID:1548
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        99⤵
        
        PID:1904
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        100⤵
        
        PID:2476
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        101⤵
        
        PID:2420
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        102⤵
        Adds Run key to start application
        
        PID:2616
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        103⤵
        
        PID:2424
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        104⤵
        System Location Discovery: System Language Discovery
        
        PID:2104
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        105⤵
        Adds Run key to start application
        Drops file in System32 directory
        
        PID:2276
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        106⤵
        
        PID:884
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        107⤵
        
        PID:3008
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        108⤵
        
        PID:2400
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        109⤵
        
        PID:1424
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        110⤵
        
        PID:2168
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        111⤵
        
        PID:1956
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        112⤵
        
        PID:2300
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        113⤵
        
        PID:2568
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        114⤵
        
        PID:956
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        115⤵
        
        PID:1128
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        116⤵
        
        PID:1560
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        117⤵
        
        PID:1580
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        118⤵
        
        PID:2676
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        119⤵
        
        PID:1268
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        120⤵
        
        PID:1064
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        121⤵
        
        PID:1476
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        122⤵
        
        PID:236
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        123⤵
        
        PID:532
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        124⤵
        
        PID:1796
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        125⤵
        
        PID:2624
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        126⤵
        
        PID:692
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        127⤵
        Adds Run key to start application
        
        PID:1820
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        128⤵
        
        PID:872
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        129⤵
        
        PID:1260
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        130⤵
        
        PID:2192
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        131⤵
        
        PID:3028
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        132⤵
        
        PID:2868
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        133⤵
        
        PID:2536
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        134⤵
        
        PID:2488
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        135⤵
        
        PID:2096
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        136⤵
        
        PID:2940
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        137⤵
        
        PID:2932
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        138⤵
        
        PID:2800
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        139⤵
        
        PID:2120
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        140⤵
        
        PID:2748
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        141⤵
        
        PID:1828
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        142⤵
        
        PID:324
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        143⤵
        
        PID:2500
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        144⤵
        Drops file in System32 directory
        
        PID:2316
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        145⤵
        
        PID:2512
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        146⤵
        
        PID:1124
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        147⤵
        
        PID:2056
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        148⤵
        
        PID:2044
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        149⤵
        
        PID:2312
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        150⤵
        
        PID:472
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        151⤵
        
        PID:2188
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        152⤵
        Adds Run key to start application
        
        PID:1984
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        153⤵
        
        PID:1256
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        154⤵
        
        PID:3000
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        155⤵
        
        PID:2072
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        156⤵
        
        PID:1668
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        157⤵
        System Location Discovery: System Language Discovery
        
        PID:832
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        158⤵
        
        PID:2744
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        159⤵
        
        PID:2728
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        160⤵
        
        PID:588
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        161⤵
        
        PID:3036
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        162⤵
        Drops file in System32 directory
        
        PID:2908
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        163⤵
        
        PID:1716
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        164⤵
        Drops file in System32 directory
        
        PID:1468
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        165⤵
        
        PID:1920
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        166⤵
        Adds Run key to start application
        
        PID:1472
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        167⤵
        
        PID:2344
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        168⤵
        
        PID:1740
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        169⤵
        
        PID:2084
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        170⤵
        
        PID:1760
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        171⤵
        System Location Discovery: System Language Discovery
        
        PID:1504
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        172⤵
        
        PID:1452
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        173⤵
        
        PID:2580
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        174⤵
        
        PID:1764
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        175⤵
        
        PID:2092
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        176⤵
        
        PID:1080
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        177⤵
        
        PID:2224
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        178⤵
        
        PID:2280
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        179⤵
        
        PID:3080
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        180⤵
        
        PID:3088
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        181⤵
        
        PID:3096
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        182⤵
        
        PID:3104
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        183⤵
        
        PID:3112
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        184⤵
        
        PID:3120
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        185⤵
        
        PID:3128
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        186⤵
        
        PID:3136
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        187⤵
        Adds Run key to start application
        
        PID:3144
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        188⤵
        
        PID:3152
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        189⤵
        
        PID:3160
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        190⤵
        Drops file in System32 directory
        
        PID:3168
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        191⤵
        
        PID:3176
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        192⤵
        
        PID:3184
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        193⤵
        
        PID:3192
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        194⤵
        
        PID:3200
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        195⤵
        
        PID:3208
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        196⤵
        Adds Run key to start application
        
        PID:3216
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        197⤵
        
        PID:3224
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        198⤵
        
        PID:3232
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        199⤵
        
        PID:3240
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        200⤵
        Drops file in System32 directory
        
        PID:3248
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        201⤵
        
        PID:3256
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        202⤵
        
        PID:3264
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        203⤵
        
        PID:3272
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        204⤵
        
        PID:3280
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        205⤵
        
        PID:3288
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        206⤵
        
        PID:3296
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        207⤵
        
        PID:3304
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        208⤵
        System Location Discovery: System Language Discovery
        
        PID:3312
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        209⤵
        Adds Run key to start application
        
        PID:3320
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        210⤵
        System Location Discovery: System Language Discovery
        
        PID:3328
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        211⤵
        System Location Discovery: System Language Discovery
        
        PID:3336
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        212⤵
        
        PID:3348
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        213⤵
        
        PID:3356
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        214⤵
        
        PID:3364
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        215⤵
        
        PID:3372
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        216⤵
        
        PID:3380
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        217⤵
        Drops file in System32 directory
        
        PID:3388
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        218⤵
        
        PID:3396
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        219⤵
        
        PID:3404
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        220⤵
        
        PID:3412
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        221⤵
        System Location Discovery: System Language Discovery
        
        PID:3420
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        222⤵
        
        PID:3428
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        223⤵
        Adds Run key to start application
        
        PID:3436
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        224⤵
        
        PID:3444
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        225⤵
        
        PID:3452
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        226⤵
        
        PID:3460
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        227⤵
        
        PID:3468
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        228⤵
        
        PID:3476
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        229⤵
        
        PID:3484
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        230⤵
        
        PID:3492
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        231⤵
        
        PID:3500
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        232⤵
        
        PID:3508
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        233⤵
        
        PID:3516
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        234⤵
        
        PID:3524
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        235⤵
        System Location Discovery: System Language Discovery
        
        PID:3532
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        236⤵
        
        PID:3540
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        237⤵
        
        PID:3548
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        238⤵
        
        PID:3556
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        239⤵
        
        PID:3564
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        240⤵
        
        PID:3572
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        241⤵
        
        PID:3580
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        242⤵
        
        PID:3588
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        243⤵
        Adds Run key to start application
        
        PID:3596
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        244⤵
        
        PID:3604
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        245⤵
        
        PID:3612
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        246⤵
        Drops file in System32 directory
        
        PID:3620
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        247⤵
        
        PID:3628
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        248⤵
        
        PID:3636
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        249⤵
        
        PID:3644
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        250⤵
        
        PID:3652
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        251⤵
        
        PID:3660
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        252⤵
        
        PID:3668
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        253⤵
        
        PID:3676
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        254⤵
        
        PID:3684
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        255⤵
        
        PID:3692
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        256⤵
        
        PID:3700
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        257⤵
        
        PID:3708
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        258⤵
        
        PID:3716
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        259⤵
        
        PID:3724
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        260⤵
        Drops file in System32 directory
        
        PID:3732
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        261⤵
        
        PID:3740
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        262⤵
        
        PID:3752
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        263⤵
        Adds Run key to start application
        
        PID:3760
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        264⤵
        
        PID:3768
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        265⤵
        
        PID:3776
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        266⤵
        
        PID:3784
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        267⤵
        
        PID:3792
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        268⤵
        
        PID:3804
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        269⤵
        Adds Run key to start application
        
        PID:3812
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        270⤵
        
        PID:3820
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        271⤵
        
        PID:3828
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        272⤵
        
        PID:3836
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        273⤵
        
        PID:3844
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        274⤵
        Drops file in System32 directory
        
        PID:3852
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        275⤵
        
        PID:3860
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        276⤵
        System Location Discovery: System Language Discovery
        
        PID:3868
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        277⤵
        
        PID:3876
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        278⤵
        
        PID:3884
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        279⤵
        
        PID:3892
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        280⤵
        
        PID:3900
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        281⤵
        
        PID:3908
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        282⤵
        
        PID:3916
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        283⤵
        
        PID:3924
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        284⤵
        
        PID:3932
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        285⤵
        
        PID:3940
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        286⤵
        
        PID:3948
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        287⤵
        
        PID:3956
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        288⤵
        Adds Run key to start application
        
        PID:3964
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        289⤵
        
        PID:3972
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        290⤵
        
        PID:3980
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        291⤵
        
        PID:3988
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        292⤵
        
        PID:3996
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        293⤵
        
        PID:4004
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        294⤵
        Drops file in System32 directory
        
        PID:4012
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        295⤵
        
        PID:4020
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        296⤵
        Adds Run key to start application
        
        PID:4028
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        297⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4036
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        298⤵
        
        PID:4044
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        299⤵
        
        PID:4052
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        300⤵
        
        PID:4060
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        301⤵
        
        PID:4068
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        302⤵
        Drops file in System32 directory
        
        PID:4076
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        303⤵
        
        PID:4084
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        304⤵
        
        PID:4092
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        305⤵
        Drops file in System32 directory
        
        PID:2132
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        306⤵
        
        PID:3344
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        307⤵
        
        PID:4100
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        308⤵
        
        PID:4108
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        309⤵
        Drops file in System32 directory
        
        PID:4120
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        310⤵
        
        PID:4132
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        311⤵
        
        PID:4140
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        312⤵
        
        PID:4148
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        313⤵
        
        PID:4156
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        314⤵
        
        PID:4164
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        315⤵
        Drops file in System32 directory
        
        PID:4172
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        316⤵
        
        PID:4180
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        317⤵
        
        PID:4188
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        318⤵
        
        PID:4196
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        319⤵
        
        PID:4204
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        320⤵
        
        PID:4212
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        321⤵
        Drops file in System32 directory
        
        PID:4220
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        322⤵
        System Location Discovery: System Language Discovery
        
        PID:4228
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        323⤵
        
        PID:4236
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        324⤵
        System Location Discovery: System Language Discovery
        
        PID:4244
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        325⤵
        
        PID:4256
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        326⤵
        
        PID:4264
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        327⤵
        
        PID:4272
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        328⤵
        
        PID:4280
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        329⤵
        
        PID:4288
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        330⤵
        
        PID:4296
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        331⤵
        
        PID:4304
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        332⤵
        
        PID:4312
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        333⤵
        System Location Discovery: System Language Discovery
        
        PID:4320
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        334⤵
        
        PID:4328
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        335⤵
        System Location Discovery: System Language Discovery
        
        PID:4336
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        336⤵
        
        PID:4344
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        337⤵
        System Location Discovery: System Language Discovery
        
        PID:4352
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        338⤵
        
        PID:4360
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        339⤵
        
        PID:4368
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        340⤵
        Adds Run key to start application
        
        PID:4376
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        341⤵
        Drops file in System32 directory
        
        PID:4384
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        342⤵
        
        PID:4392
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        343⤵
        Drops file in System32 directory
        
        PID:4400
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        344⤵
        
        PID:4408
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        345⤵
        Adds Run key to start application
        
        PID:4416
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        346⤵
        
        PID:4424
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        347⤵
        
        PID:4432
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        348⤵
        
        PID:4440
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        349⤵
        
        PID:4448
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        350⤵
        
        PID:4456
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        351⤵
        
        PID:4464
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        352⤵
        
        PID:4472
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        353⤵
        
        PID:4480
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        354⤵
        
        PID:4488
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        355⤵
        
        PID:4496
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        356⤵
        System Location Discovery: System Language Discovery
        
        PID:4504
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        357⤵
        
        PID:4512
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        358⤵
        
        PID:4520
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        359⤵
        
        PID:4528
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        360⤵
        
        PID:4536
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        361⤵
        
        PID:4544
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        362⤵
        
        PID:4552
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        363⤵
        
        PID:4560
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        364⤵
        
        PID:4568
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        365⤵
        
        PID:4576
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        366⤵
        
        PID:4584
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        367⤵
        
        PID:4592
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        368⤵
        
        PID:4600
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        369⤵
        Drops file in System32 directory
        
        PID:4608
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        370⤵
        System Location Discovery: System Language Discovery
        
        PID:4616
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        371⤵
        
        PID:4624
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        372⤵
        
        PID:4632
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        373⤵
        
        PID:4640
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        374⤵
        
        PID:4648
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        375⤵
        
        PID:4656
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        376⤵
        
        PID:4664
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        377⤵
        Drops file in System32 directory
        
        PID:4672
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        378⤵
        Drops file in System32 directory
        
        PID:4680
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        379⤵
        
        PID:4688
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        380⤵
        
        PID:4696
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        381⤵
        
        PID:4704
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        382⤵
        
        PID:4712
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        383⤵
        
        PID:4720
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        384⤵
        System Location Discovery: System Language Discovery
        
        PID:4728
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        385⤵
        
        PID:4736
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        386⤵
        
        PID:4744
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        387⤵
        
        PID:4756
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        388⤵
        
        PID:4764
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        389⤵
        
        PID:4772
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        390⤵
        
        PID:4780
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        391⤵
        
        PID:4788
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        392⤵
        
        PID:4796
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        393⤵
        
        PID:4804
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        394⤵
        
        PID:4812
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        395⤵
        
        PID:4820
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        396⤵
        Drops file in System32 directory
        
        PID:4828
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        397⤵
        
        PID:4836
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        398⤵
        
        PID:4844
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        399⤵
        
        PID:4852
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        400⤵
        
        PID:4860
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        401⤵
        Adds Run key to start application
        
        PID:4868
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        402⤵
        
        PID:4876
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        403⤵
        Adds Run key to start application
        
        PID:4884
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        404⤵
        
        PID:4892
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        405⤵
        
        PID:4900
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        406⤵
        
        PID:4908
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        407⤵
        
        PID:4916
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        408⤵
        
        PID:4924
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        409⤵
        
        PID:4936
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        410⤵
        
        PID:4944
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        411⤵
        
        PID:4952
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        412⤵
        
        PID:4960
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        413⤵
        
        PID:4968
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        414⤵
        
        PID:4976
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        415⤵
        
        PID:4984
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        416⤵
        
        PID:4992
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        417⤵
        
        PID:5000
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        418⤵
        
        PID:5008
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        419⤵
        
        PID:5016
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        420⤵
        
        PID:5024
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        421⤵
        
        PID:5032
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        422⤵
        
        PID:5040
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        423⤵
        
        PID:5048
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        424⤵
        
        PID:5056
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        425⤵
        
        PID:5064
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        426⤵
        
        PID:5072
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        427⤵
        
        PID:5080
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        428⤵
        
        PID:5088
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        429⤵
        
        PID:5096
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        430⤵
        
        PID:5104
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        431⤵
        
        PID:5112
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        432⤵
        
        PID:4128
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        433⤵
        
        PID:3800
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        434⤵
        
        PID:4932
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        435⤵
        System Location Discovery: System Language Discovery
        
        PID:5124
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        436⤵
        
        PID:5132
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        437⤵
        
        PID:5140
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        438⤵
        
        PID:5148
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        439⤵
        
        PID:5156
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        440⤵
        Adds Run key to start application
        
        PID:5164
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        441⤵
        
        PID:5172
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        442⤵
        
        PID:5180
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        443⤵
        
        PID:5188
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        444⤵
        
        PID:5196
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        445⤵
        
        PID:5204
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        446⤵
        
        PID:5216
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        447⤵
        
        PID:5224
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        448⤵
        
        PID:5232
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        449⤵
        Adds Run key to start application
        
        PID:5240
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        450⤵
        
        PID:5248
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        451⤵
        
        PID:5256
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        452⤵
        
        PID:5264
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        453⤵
        System Location Discovery: System Language Discovery
        
        PID:5272
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        454⤵
        
        PID:5280
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        455⤵
        
        PID:5288
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        456⤵
        
        PID:5296
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        457⤵
        Adds Run key to start application
        
        PID:5308
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        458⤵
        
        PID:5316
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        459⤵
        
        PID:5324
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        460⤵
        
        PID:5332
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        461⤵
        
        PID:5340
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        462⤵
        Drops file in System32 directory
        
        PID:5348
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        463⤵
        
        PID:5356
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        464⤵
        System Location Discovery: System Language Discovery
        
        PID:5364
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        465⤵
        
        PID:5372
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        466⤵
        
        PID:5380
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        467⤵
        
        PID:5388
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        468⤵
        
        PID:5400
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        469⤵
        
        PID:5412
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        470⤵
        
        PID:5424
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        471⤵
        
        PID:5432
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        472⤵
        
        PID:5440
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        473⤵
        
        PID:5448
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        474⤵
        
        PID:5456
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        475⤵
        
        PID:5464
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        476⤵
        
        PID:5472
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        477⤵
        
        PID:5480
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        478⤵
        Adds Run key to start application
        
        PID:5488
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        479⤵
        
        PID:5496
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        480⤵
        
        PID:5504
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        481⤵
        
        PID:5512
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        482⤵
        
        PID:5520
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        483⤵
        
        PID:5528
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        484⤵
        
        PID:5536
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        485⤵
        
        PID:5544
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        486⤵
        
        PID:5552
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        487⤵
        
        PID:5560
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        488⤵
        
        PID:5568
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        489⤵
        
        PID:5576
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        490⤵
        
        PID:5584
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        491⤵
        Drops file in System32 directory
        
        PID:5592
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        492⤵
        
        PID:5600
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        493⤵
        
        PID:5608
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        494⤵
        
        PID:5616
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        495⤵
        
        PID:5624
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        496⤵
        Adds Run key to start application
        Drops file in System32 directory
        
        PID:5632
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        497⤵
        
        PID:5640
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        498⤵
        
        PID:5648
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        499⤵
        Adds Run key to start application
        
        PID:5656
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        500⤵
        
        PID:5664
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        501⤵
        
        PID:5672
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        502⤵
        
        PID:5680
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        503⤵
        
        PID:5688
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        504⤵
        Adds Run key to start application
        
        PID:5696
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        505⤵
        
        PID:5704
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        506⤵
        Adds Run key to start application
        
        PID:5712
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        507⤵
        
        PID:5724
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        508⤵
        
        PID:5732
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        509⤵
        
        PID:5740
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        510⤵
        
        PID:5748
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        511⤵
        
        PID:5756
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        512⤵
        
        PID:5764
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        513⤵
        
        PID:5772
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        514⤵
        Drops file in System32 directory
        
        PID:5780
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        515⤵
        Adds Run key to start application
        
        PID:5788
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        516⤵
        
        PID:5796
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        517⤵
        
        PID:5804
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        518⤵
        
        PID:5812
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        519⤵
        
        PID:5820
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        520⤵
        Drops file in System32 directory
        
        PID:5828
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        521⤵
        
        PID:5836
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        522⤵
        
        PID:5844
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        523⤵
        System Location Discovery: System Language Discovery
        
        PID:5852
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        524⤵
        Adds Run key to start application
        
        PID:5860
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        525⤵
        
        PID:5868
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        526⤵
        
        PID:5876
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        527⤵
        
        PID:5884
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        528⤵
        
        PID:5892
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        529⤵
        Adds Run key to start application
        
        PID:5900
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        530⤵
        
        PID:5908
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        531⤵
        
        PID:5916
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        532⤵
        
        PID:5924
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        533⤵
        
        PID:5932
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        534⤵
        Drops file in System32 directory
        
        PID:5940
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        535⤵
        
        PID:5948
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        536⤵
        
        PID:5956
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        537⤵
        System Location Discovery: System Language Discovery
        
        PID:5964
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        538⤵
        
        PID:5972
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        539⤵
        
        PID:5980
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        540⤵
        
        PID:5988
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        541⤵
        
        PID:5996
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        542⤵
        
        PID:6004
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        543⤵
        
        PID:6012
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        544⤵
        
        PID:6020
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        545⤵
        
        PID:6028
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        546⤵
        Drops file in System32 directory
        
        PID:6036
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        547⤵
        
        PID:6044
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        548⤵
        Adds Run key to start application
        
        PID:6052
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        549⤵
        Adds Run key to start application
        
        PID:6060
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        550⤵
        
        PID:6068
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        551⤵
        
        PID:6076
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        552⤵
        
        PID:6084
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        553⤵
        
        PID:6092
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        554⤵
        Drops file in System32 directory
        
        PID:6100
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        555⤵
        
        PID:6108
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        556⤵
        
        PID:6116
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        557⤵
        
        PID:6128
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        558⤵
        
        PID:6136
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        559⤵
        
        PID:5304
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        560⤵
        
        PID:2644
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        561⤵
        
        PID:2212
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        562⤵
        
        PID:920
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        563⤵
        Adds Run key to start application
        
        PID:5720
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        564⤵
        
        PID:6148
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        565⤵
        Drops file in System32 directory
        
        PID:6156
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        566⤵
        
        PID:6164
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        567⤵
        System Location Discovery: System Language Discovery
        
        PID:6172
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        568⤵
        
        PID:6180
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        569⤵
        
        PID:6192
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        570⤵
        
        PID:6200
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        571⤵
        
        PID:6208
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        572⤵
        
        PID:6216
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        573⤵
        
        PID:6224
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        574⤵
        
        PID:6232
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        575⤵
        
        PID:6240
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        576⤵
        
        PID:6248
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        577⤵
        
        PID:6256
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        578⤵
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:6264
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        579⤵
        Drops file in System32 directory
        
        PID:6272
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        580⤵
        
        PID:6280
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        581⤵
        
        PID:6288
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        582⤵
        Drops file in System32 directory
        
        PID:6296
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        583⤵
        
        PID:6304
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        584⤵
        
        PID:6312
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        585⤵
        
        PID:6320
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        586⤵
        
        PID:6328
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        587⤵
        
        PID:6336
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        588⤵
        
        PID:6344
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        589⤵
        
        PID:6352
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        590⤵
        System Location Discovery: System Language Discovery
        
        PID:6360
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        591⤵
        
        PID:6368
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        592⤵
        
        PID:6376
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        593⤵
        
        PID:6384
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        594⤵
        
        PID:6392
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        595⤵
        
        PID:6400
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        596⤵
        
        PID:6408
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        597⤵
        
        PID:6416
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        598⤵
        
        PID:6424
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        599⤵
        System Location Discovery: System Language Discovery
        
        PID:6432
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        600⤵
        
        PID:6440
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        601⤵
        System Location Discovery: System Language Discovery
        
        PID:6448
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        602⤵
        
        PID:6456
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        603⤵
        
        PID:6464
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        604⤵
        
        PID:6472
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        605⤵
        
        PID:6480
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        606⤵
        
        PID:6488
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        607⤵
        
        PID:6500
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        608⤵
        
        PID:6508
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        609⤵
        
        PID:6516
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        610⤵
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:6524
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        611⤵
        
        PID:6532
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        612⤵
        
        PID:6540
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        613⤵
        
        PID:6548
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        614⤵
        Drops file in System32 directory
        
        PID:6556
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        615⤵
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:6564
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        616⤵
        
        PID:6572
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        617⤵
        
        PID:6580
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        618⤵
        
        PID:6588
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        619⤵
        
        PID:6596
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        620⤵
        
        PID:6604
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        621⤵
        Adds Run key to start application
        
        PID:6612
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        622⤵
        
        PID:6620
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        623⤵
        
        PID:6628
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        624⤵
        
        PID:6636
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        625⤵
        
        PID:6644
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        626⤵
        
        PID:6652
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        627⤵
        
        PID:6660
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        628⤵
        System Location Discovery: System Language Discovery
        
        PID:6668
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        629⤵
        
        PID:6676
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        630⤵
        
        PID:6684
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        631⤵
        
        PID:6696
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        632⤵
        
        PID:6704
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        633⤵
        Drops file in System32 directory
        
        PID:6712
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        634⤵
        Adds Run key to start application
        
        PID:6720
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        635⤵
        Drops file in System32 directory
        
        PID:6728
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        636⤵
        
        PID:6736
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        637⤵
        
        PID:6744
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        638⤵
        
        PID:6752
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        639⤵
        
        PID:6760
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        640⤵
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:6768
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        641⤵
        
        PID:6776
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        642⤵
        Drops file in System32 directory
        
        PID:6784
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        643⤵
        
        PID:6792
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        644⤵
        System Location Discovery: System Language Discovery
        
        PID:6800
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        645⤵
        
        PID:6808
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        646⤵
        
        PID:6816
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        647⤵
        
        PID:6824
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        648⤵
        
        PID:6832
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        649⤵
        System Location Discovery: System Language Discovery
        
        PID:6840
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        650⤵
        Drops file in System32 directory
        
        PID:6848
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        651⤵
        
        PID:6856
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        652⤵
        
        PID:6864
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        653⤵
        
        PID:6872
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        654⤵
        Adds Run key to start application
        
        PID:6880
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        655⤵
        
        PID:6888
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        656⤵
        
        PID:6896
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        657⤵
        System Location Discovery: System Language Discovery
        
        PID:6904
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        658⤵
        
        PID:6912
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        659⤵
        Drops file in System32 directory
        
        PID:6920
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        660⤵
        Drops file in System32 directory
        
        PID:6928
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        661⤵
        Drops file in System32 directory
        
        PID:6936
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        662⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:6944
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        663⤵
        
        PID:6952
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        664⤵
        
        PID:6960
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        665⤵
        
        PID:6968
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        666⤵
        System Location Discovery: System Language Discovery
        
        PID:6976
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        667⤵
        
        PID:6984
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        668⤵
        Adds Run key to start application
        
        PID:6992
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        669⤵
        
        PID:7004
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        670⤵
        System Location Discovery: System Language Discovery
        
        PID:7012
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        671⤵
        
        PID:7020
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        672⤵
        
        PID:7028
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        673⤵
        
        PID:7036
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        674⤵
        
        PID:7044
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        675⤵
        
        PID:7052
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        676⤵
        
        PID:7060
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        677⤵
        
        PID:7068
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        678⤵
        
        PID:7076
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        679⤵
        
        PID:7084
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        680⤵
        
        PID:7092
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        681⤵
        Drops file in System32 directory
        
        PID:7100
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        682⤵
        System Location Discovery: System Language Discovery
        
        PID:7108
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        683⤵
        
        PID:7116
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        684⤵
        
        PID:7124
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        685⤵
        
        PID:7132
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        686⤵
        System Location Discovery: System Language Discovery
        
        PID:7140
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        687⤵
        Adds Run key to start application
        
        PID:7148
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        688⤵
        
        PID:7156
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        689⤵
        
        PID:7164
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        690⤵
        
        PID:6188
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        691⤵
        
        PID:7172
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        692⤵
        
        PID:7180
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        693⤵
        
        PID:7188
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        694⤵
        
        PID:7196
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        695⤵
        
        PID:7204
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        696⤵
        
        PID:7212
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        697⤵
        
        PID:7220
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        698⤵
        
        PID:7228
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        699⤵
        
        PID:7236
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        700⤵
        
        PID:7244
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        701⤵
        
        PID:7252
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        702⤵
        
        PID:7260
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        703⤵
        Drops file in System32 directory
        
        PID:7268
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        704⤵
        System Location Discovery: System Language Discovery
        
        PID:7276
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        705⤵
        
        PID:7284
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        706⤵
        
        PID:7292
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        707⤵
        
        PID:7300
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        708⤵
        
        PID:7308
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        709⤵
        
        PID:7316
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        710⤵
        
        PID:7324
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        711⤵
        
        PID:7336
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        712⤵
        
        PID:7344
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        713⤵
        Adds Run key to start application
        
        PID:7352
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        714⤵
        
        PID:7364
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        715⤵
        
        PID:7372
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        716⤵
        
        PID:7380
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        717⤵
        
        PID:7388
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        718⤵
        
        PID:7396
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        719⤵
        
        PID:7404
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        720⤵
        
        PID:7412
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        721⤵
        
        PID:7420
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        722⤵
        Adds Run key to start application
        
        PID:7428
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        723⤵
        
        PID:7436
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        724⤵
        Adds Run key to start application
        
        PID:7444
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        725⤵
        
        PID:7452
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        726⤵
        
        PID:7460
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        727⤵
        
        PID:7468
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        728⤵
        
        PID:7476
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        729⤵
        
        PID:7484
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        730⤵
        
        PID:7492
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        731⤵
        
        PID:7500
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        732⤵
        System Location Discovery: System Language Discovery
        
        PID:7508
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        733⤵
        
        PID:7516
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        734⤵
        
        PID:7524
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        735⤵
        
        PID:7532
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        736⤵
        
        PID:7540
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        737⤵
        
        PID:7548
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        738⤵
        
        PID:7560
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        739⤵
        
        PID:7568
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        740⤵
        
        PID:7576
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        741⤵
        
        PID:7584
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        742⤵
        
        PID:7592
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        743⤵
        
        PID:7600
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        744⤵
        
        PID:7608
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        745⤵
        
        PID:7616
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        746⤵
        
        PID:7624
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        747⤵
        
        PID:7632
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        748⤵
        
        PID:7640
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        749⤵
        
        PID:7648
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        750⤵
        Drops file in System32 directory
        
        PID:7656
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        751⤵
        
        PID:7664
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        752⤵
        
        PID:7672
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        753⤵
        
        PID:7680
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        754⤵
        Adds Run key to start application
        
        PID:7688
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        755⤵
        
        PID:7696
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        756⤵
        
        PID:7704
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        757⤵
        
        PID:7712
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        758⤵
        
        PID:7720
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        759⤵
        
        PID:7728
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        760⤵
        
        PID:7736
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        761⤵
        
        PID:7744
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        762⤵
        
        PID:7752
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        763⤵
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:7760
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        764⤵
        
        PID:7768
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        765⤵
        
        PID:7780
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        766⤵
        
        PID:7788
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        767⤵
        
        PID:7796
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        768⤵
        
        PID:7804
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        769⤵
        Drops file in System32 directory
        
        PID:7812
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        770⤵
        
        PID:7820
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        771⤵
        
        PID:7828
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        772⤵
        
        PID:7836
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        773⤵
        
        PID:7844
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        774⤵
        
        PID:7852
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        775⤵
        System Location Discovery: System Language Discovery
        
        PID:7860
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        776⤵
        Drops file in System32 directory
        
        PID:7868
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        777⤵
        
        PID:7876
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        778⤵
        
        PID:7884
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        779⤵
        
        PID:7892
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        780⤵
        Drops file in System32 directory
        
        PID:7900
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        781⤵
        
        PID:7908
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        782⤵
        
        PID:7916
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        783⤵
        
        PID:7924
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        784⤵
        
        PID:7932
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        785⤵
        Adds Run key to start application
        
        PID:7940
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        786⤵
        
        PID:7948
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        787⤵
        Drops file in System32 directory
        
        PID:7956
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        788⤵
        
        PID:7964
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        789⤵
        Drops file in System32 directory
        
        PID:7972
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        790⤵
        
        PID:7984
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        791⤵
        
        PID:7992
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        792⤵
        Adds Run key to start application
        
        PID:8000
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        793⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:8008
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        794⤵
        
        PID:8016
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        795⤵
        
        PID:8024
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        796⤵
        
        PID:8032
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        797⤵
        
        PID:8040
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        798⤵
        
        PID:8048
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        799⤵
        
        PID:8056
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        800⤵
        
        PID:8064
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        801⤵
        
        PID:8072
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        802⤵
        
        PID:8080
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        803⤵
        System Location Discovery: System Language Discovery
        
        PID:8088
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        804⤵
        
        PID:8096
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        805⤵
        
        PID:8104
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        806⤵
        
        PID:8112
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        807⤵
        
        PID:8120
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        808⤵
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:8128
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        809⤵
        Adds Run key to start application
        
        PID:8136
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        810⤵
        
        PID:8144
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        811⤵
        
        PID:8152
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        812⤵
        
        PID:8160
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        813⤵
        
        PID:8168
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        814⤵
        
        PID:8176
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        815⤵
        
        PID:8184
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        816⤵
        
        PID:1596
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        817⤵
        
        PID:7332
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        818⤵
        
        PID:7556
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        819⤵
        
        PID:8196
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        820⤵
        
        PID:8204
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        821⤵
        
        PID:8212
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        822⤵
        Adds Run key to start application
        
        PID:8220
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        823⤵
        
        PID:8228
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        824⤵
        
        PID:8236
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        825⤵
        
        PID:8244
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        826⤵
        
        PID:8256
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        827⤵
        
        PID:8264
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        828⤵
        Adds Run key to start application
        
        PID:8272
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        829⤵
        Drops file in System32 directory
        
        PID:8280
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        830⤵
        
        PID:8288
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        831⤵
        
        PID:8296
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        832⤵
        
        PID:8304
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        833⤵
        
        PID:8312
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        834⤵
        
        PID:8320
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        835⤵
        
        PID:8328
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        836⤵
        
        PID:8336
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        837⤵
        
        PID:8344
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        838⤵
        
        PID:8352
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        839⤵
        
        PID:8360
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        840⤵
        
        PID:8368
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        841⤵
        
        PID:8376
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        842⤵
        
        PID:8384
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        843⤵
        
        PID:8392
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        844⤵
        
        PID:8400
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        845⤵
        
        PID:8408
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        846⤵
        
        PID:8416
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        847⤵
        
        PID:8424
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        848⤵
        
        PID:8432
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        849⤵
        Adds Run key to start application
        
        PID:8440
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        850⤵
        
        PID:8452
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        851⤵
        
        PID:8460
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        852⤵
        
        PID:8468
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        853⤵
        
        PID:8476
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        854⤵
        
        PID:8484
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        855⤵
        
        PID:8492
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        856⤵
        
        PID:8500
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        857⤵
        
        PID:8508
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        858⤵
        Drops file in System32 directory
        
        PID:8516
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        859⤵
        
        PID:8524
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        860⤵
        
        PID:8532
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        861⤵
        
        PID:8540
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        862⤵
        
        PID:8548
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        863⤵
        Adds Run key to start application
        
        PID:8556
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        864⤵
        
        PID:8564
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        865⤵
        
        PID:8572
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        866⤵
        
        PID:8580
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        867⤵
        
        PID:8588
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        868⤵
        
        PID:8596
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        869⤵
        
        PID:8604
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        870⤵
        Adds Run key to start application
        
        PID:8612
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        871⤵
        
        PID:8620
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        872⤵
        
        PID:8628
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        873⤵
        System Location Discovery: System Language Discovery
        
        PID:8636
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        874⤵
        System Location Discovery: System Language Discovery
        
        PID:8644
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        875⤵
        
        PID:8652
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        876⤵
        
        PID:8660
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        877⤵
        
        PID:8672
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        878⤵
        
        PID:8680
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        879⤵
        
        PID:8688
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        880⤵
        
        PID:8696
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        881⤵
        
        PID:8704
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        882⤵
        
        PID:8712
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        883⤵
        
        PID:8720
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        884⤵
        
        PID:8728
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        885⤵
        
        PID:8736
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        886⤵
        
        PID:8744
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        887⤵
        System Location Discovery: System Language Discovery
        
        PID:8752
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        888⤵
        
        PID:8760
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        889⤵
        
        PID:8768
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        890⤵
        Adds Run key to start application
        
        PID:8776
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        891⤵
        
        PID:8784
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        892⤵
        
        PID:8792
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        893⤵
        
        PID:8800
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        894⤵
        
        PID:8808
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        895⤵
        
        PID:8816
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        896⤵
        
        PID:8824
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        897⤵
        
        PID:8832
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        898⤵
        
        PID:8844
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        899⤵
        
        PID:8852
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        900⤵
        
        PID:8860
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        901⤵
        Adds Run key to start application
        
        PID:8868
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        902⤵
        
        PID:8876
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        903⤵
        
        PID:8884
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        904⤵
        
        PID:8892
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        905⤵
        
        PID:8900
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        906⤵
        
        PID:8908
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        907⤵
        
        PID:8916
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        908⤵
        
        PID:8924
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        909⤵
        
        PID:8932
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        910⤵
        
        PID:8940
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        911⤵
        
        PID:8948
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        912⤵
        Adds Run key to start application
        
        PID:8956
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        913⤵
        
        PID:8964
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        914⤵
        
        PID:8972
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        915⤵
        
        PID:8980
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        916⤵
        
        PID:8988
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        917⤵
        
        PID:8996
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        918⤵
        
        PID:9004
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        919⤵
        
        PID:9012
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        920⤵
        
        PID:9020
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        921⤵
        
        PID:9028
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        922⤵
        System Location Discovery: System Language Discovery
        
        PID:9036
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        923⤵
        System Location Discovery: System Language Discovery
        
        PID:9044
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        924⤵
        
        PID:9056
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        925⤵
        
        PID:9068
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        926⤵
        
        PID:9076
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        927⤵
        
        PID:9084
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        928⤵
        
        PID:9100
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        929⤵
        
        PID:9116
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        930⤵
        
        PID:9128
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        931⤵
        
        PID:9148
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        932⤵
        
        PID:9164
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        933⤵
        
        PID:9184
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        934⤵
        
        PID:9192
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        935⤵
        
        PID:8448
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        936⤵
        
        PID:9228
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        937⤵
        
        PID:9264
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        938⤵
        
        PID:9276
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        939⤵
        
        PID:9284
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        940⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:9300
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        941⤵
        
        PID:9316
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        942⤵
        
        PID:9340
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        943⤵
        System Location Discovery: System Language Discovery
        
        PID:9364
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        944⤵
        
        PID:9372
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        945⤵
        
        PID:9388
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        946⤵
        
        PID:9456
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        947⤵
        Drops file in System32 directory
        
        PID:9516
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        948⤵
        
        PID:9540
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        949⤵
        
        PID:9560
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        950⤵
        
        PID:9568
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        951⤵
        
        PID:9600
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        952⤵
        Adds Run key to start application
        
        PID:9628
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        953⤵
        
        PID:9636
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        954⤵
        
        PID:9696
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        955⤵
        
        PID:9708
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        956⤵
        
        PID:9740
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        957⤵
        
        PID:9808
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        958⤵
        
        PID:9832
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        959⤵
        
        PID:9908
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        960⤵
        
        PID:10000
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        961⤵
        
        PID:10016
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        962⤵
        
        PID:10064
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        963⤵
        
        PID:10152
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        964⤵
        
        PID:9244
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        965⤵
        System Location Discovery: System Language Discovery
        
        PID:9820
        
        C:\Windows\SysWOW64\PurpleMood.scr
        
        C:\Windows\system32\PurpleMood.scr
        966⤵
        
        PID:10144
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 432 -s 116
        59⤵
        Program crash
        
        PID:10256
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2992 -s 116
        58⤵
        Program crash
        
        PID:10192
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2720 -s 116
        57⤵
        Program crash
        
        PID:9776
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1676 -s 116
        56⤵
        Program crash
        
        PID:10176
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1748 -s 116
        55⤵
        Program crash
        
        PID:9052
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1444 -s 116
        54⤵
        Program crash
        
        PID:9360
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1608 -s 116
        53⤵
        Program crash
        
        PID:9612
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2052 -s 116
        52⤵
        Program crash
        
        PID:9512
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2472 -s 116
        51⤵
        Program crash
        
        PID:9224
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1564 -s 116
        50⤵
        Program crash
        
        PID:10224
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2708 -s 116
        49⤵
        Program crash
        
        PID:10232
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1620 -s 116
        48⤵
        Program crash
        
        PID:10168
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2100 -s 116
        47⤵
        Program crash
        
        PID:9156
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 908 -s 116
        46⤵
        Program crash
        
        PID:10120
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1960 -s 116
        45⤵
        Program crash
        
        PID:10216
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1132 -s 116
        44⤵
        Program crash
        
        PID:10100
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1056 -s 116
        43⤵
        Program crash
        
        PID:10136
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 584 -s 116
        42⤵
        Program crash
        
        PID:10092
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1964 -s 116
        41⤵
        Program crash
        
        PID:10108
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 840 -s 116
        40⤵
        Program crash
        
        PID:10044
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1020 -s 116
        39⤵
        Program crash
        
        PID:10072
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 676 -s 116
        38⤵
        Program crash
        
        PID:10036
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1940 -s 116
        37⤵
        Program crash
        
        PID:10052
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1840 -s 116
        36⤵
        Program crash
        
        PID:10028
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2588 -s 116
        35⤵
        Program crash
        
        PID:10008
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2080 -s 116
        34⤵
        Program crash
        
        PID:9984
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2360 -s 116
        33⤵
        Program crash
        
        PID:9992
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 772 -s 116
        32⤵
        Program crash
        
        PID:9920
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2340 -s 116
        31⤵
        Program crash
        
        PID:9928
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2320 -s 116
        30⤵
        Program crash
        
        PID:9824
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2336 -s 116
        29⤵
        Program crash
        
        PID:9856
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2468 -s 116
        28⤵
        Program crash
        
        PID:9764
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1688 -s 116
        27⤵
        Program crash
        
        PID:9784
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 936 -s 116
        26⤵
        Program crash
        
        PID:9756
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2640 -s 116
        25⤵
        Program crash
        
        PID:9724
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2128 -s 116
        24⤵
        Program crash
        
        PID:9732
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2432 -s 116
        23⤵
        Program crash
        
        PID:9716
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2232 -s 116
        22⤵
        Program crash
        
        PID:9620
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2948 -s 116
        21⤵
        Program crash
        
        PID:9684
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2600 -s 116
        20⤵
        Program crash
        
        PID:9748
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2552 -s 116
        19⤵
        Program crash
        
        PID:9580
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1164 -s 116
        18⤵
        Program crash
        
        PID:9552
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 928 -s 116
        17⤵
        Program crash
        
        PID:9528
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2564 -s 116
        16⤵
        Program crash
        
        PID:9468
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2516 -s 116
        15⤵
        Program crash
        
        PID:9496
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 628 -s 116
        14⤵
        Program crash
        
        PID:9436
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2368 -s 116
        13⤵
        Program crash
        
        PID:9428
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2840 -s 116
        12⤵
        Program crash
        
        PID:9324
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2784 -s 116
        11⤵
        Program crash
        
        PID:9332
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2828 -s 116
        10⤵
        Program crash
        
        PID:9308
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2792 -s 116
        9⤵
        Program crash
        
        PID:9292
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1744 -s 116
        8⤵
        Program crash
        
        PID:9236
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2596 -s 116
        7⤵
        Program crash
        
        PID:9208
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3068 -s 116
        6⤵
        Program crash
        
        PID:9200
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2140 -s 116
        5⤵
        Program crash
        
        PID:9172
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 3032 -s 116
      4⤵
      Program crash
      PID:9140
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 1228 -s 116
    3⤵
    - Program crash
    PID:9108
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 2152 -s 116
  2⤵
  - Program crash
  PID:9092

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\PurpleMood.scr

Filesize
7KB

MD5
3e1b556e439abe05031cdd28ed57f39c

SHA1
740d5258af5467bf0649c27a2943ba6891ec65d6

SHA256
2af9c0e47ffc22302c73d528fe2d9f13cc12a206ccb2b55999accea521f997b7

SHA512
f80df7f380439aeebdb2d83bae3c9ec579dffb974486e9f6c13b0f315ac4030ffe46da4b5c6073172da1d4d7aefa2cbfcef61012875c793025730bb907aebcb9

Download Submit
memory/584-160-0x00000000001B0000-0x00000000001B3000-memory.dmp

Filesize
12KB

Download
memory/584-164-0x0000000000400000-0x0000000000403000-memory.dmp

Filesize
12KB

Download
memory/584-161-0x00000000001B0000-0x00000000001B3000-memory.dmp

Filesize
12KB

Download
memory/628-86-0x0000000000400000-0x0000000000403000-memory.dmp

Filesize
12KB

Download
memory/676-157-0x0000000000400000-0x0000000000403000-memory.dmp

Filesize
12KB

Download
memory/772-143-0x0000000000220000-0x0000000000223000-memory.dmp

Filesize
12KB

Download
memory/772-148-0x0000000000400000-0x0000000000403000-memory.dmp

Filesize
12KB

Download
memory/772-149-0x0000000000220000-0x0000000000223000-memory.dmp

Filesize
12KB

Download
memory/840-162-0x0000000000400000-0x0000000000403000-memory.dmp

Filesize
12KB

Download
memory/928-101-0x0000000000400000-0x0000000000403000-memory.dmp

Filesize
12KB

Download
memory/936-135-0x0000000000400000-0x0000000000403000-memory.dmp

Filesize
12KB

Download
memory/936-127-0x0000000000220000-0x0000000000223000-memory.dmp

Filesize
12KB

Download
memory/1020-159-0x0000000000400000-0x0000000000403000-memory.dmp

Filesize
12KB

Download
memory/1164-107-0x0000000000220000-0x0000000000223000-memory.dmp

Filesize
12KB

Download
memory/1164-104-0x0000000000400000-0x0000000000403000-memory.dmp

Filesize
12KB

Download
memory/1228-38-0x0000000000220000-0x0000000000223000-memory.dmp

Filesize
12KB

Download
memory/1228-31-0x0000000000400000-0x0000000000403000-memory.dmp

Filesize
12KB

Download
memory/1228-40-0x0000000000220000-0x0000000000223000-memory.dmp

Filesize
12KB

Download
memory/1228-18-0x0000000000220000-0x0000000000223000-memory.dmp

Filesize
12KB

Download
memory/1228-10-0x0000000000400000-0x0000000000403000-memory.dmp

Filesize
12KB

Download
memory/1228-13-0x0000000000220000-0x0000000000223000-memory.dmp

Filesize
12KB

Download
memory/1688-138-0x0000000000220000-0x0000000000223000-memory.dmp

Filesize
12KB

Download
memory/1688-139-0x0000000000220000-0x0000000000223000-memory.dmp

Filesize
12KB

Download
memory/1688-137-0x0000000000400000-0x0000000000403000-memory.dmp

Filesize
12KB

Download
memory/1688-130-0x0000000000220000-0x0000000000223000-memory.dmp

Filesize
12KB

Download
memory/1744-58-0x0000000000400000-0x0000000000403000-memory.dmp

Filesize
12KB

Download
memory/1744-43-0x0000000000220000-0x0000000000223000-memory.dmp

Filesize
12KB

Download
memory/1840-154-0x0000000000400000-0x0000000000403000-memory.dmp

Filesize
12KB

Download
memory/1940-152-0x0000000000230000-0x0000000000233000-memory.dmp

Filesize
12KB

Download
memory/1940-155-0x0000000000400000-0x0000000000403000-memory.dmp

Filesize
12KB

Download
memory/1940-156-0x0000000000230000-0x0000000000233000-memory.dmp

Filesize
12KB

Download
memory/1964-163-0x0000000000400000-0x0000000000403000-memory.dmp

Filesize
12KB

Download
memory/1964-158-0x00000000002A0000-0x00000000002A3000-memory.dmp

Filesize
12KB

Download
memory/2080-151-0x0000000000400000-0x0000000000403000-memory.dmp

Filesize
12KB

Download
memory/2128-129-0x0000000000400000-0x0000000000403000-memory.dmp

Filesize
12KB

Download
memory/2128-121-0x0000000000220000-0x0000000000223000-memory.dmp

Filesize
12KB

Download
memory/2128-131-0x0000000000220000-0x0000000000223000-memory.dmp

Filesize
12KB

Download
memory/2140-48-0x0000000000220000-0x0000000000223000-memory.dmp

Filesize
12KB

Download
memory/2140-45-0x0000000000400000-0x0000000000403000-memory.dmp

Filesize
12KB

Download
memory/2152-9-0x0000000000220000-0x0000000000223000-memory.dmp

Filesize
12KB

Download
memory/2152-27-0x0000000000400000-0x0000000000403000-memory.dmp

Filesize
12KB

Download
memory/2152-30-0x0000000000220000-0x0000000000223000-memory.dmp

Filesize
12KB

Download
memory/2152-29-0x0000000000220000-0x0000000000223000-memory.dmp

Filesize
12KB

Download
memory/2152-0-0x0000000000400000-0x0000000000403000-memory.dmp

Filesize
12KB

Download
memory/2232-113-0x0000000000220000-0x0000000000223000-memory.dmp

Filesize
12KB

Download
memory/2232-125-0x0000000000220000-0x0000000000223000-memory.dmp

Filesize
12KB

Download
memory/2232-123-0x0000000000400000-0x0000000000403000-memory.dmp

Filesize
12KB

Download
memory/2232-124-0x0000000000220000-0x0000000000223000-memory.dmp

Filesize
12KB

Download
memory/2320-144-0x0000000000400000-0x0000000000403000-memory.dmp

Filesize
12KB

Download
memory/2320-145-0x0000000000220000-0x0000000000223000-memory.dmp

Filesize
12KB

Download
memory/2320-140-0x0000000000220000-0x0000000000223000-memory.dmp

Filesize
12KB

Download
memory/2336-142-0x0000000000400000-0x0000000000403000-memory.dmp

Filesize
12KB

Download
memory/2336-136-0x0000000000220000-0x0000000000223000-memory.dmp

Filesize
12KB

Download
memory/2340-146-0x0000000000400000-0x0000000000403000-memory.dmp

Filesize
12KB

Download
memory/2340-147-0x0000000000220000-0x0000000000223000-memory.dmp

Filesize
12KB

Download
memory/2360-150-0x0000000000400000-0x0000000000403000-memory.dmp

Filesize
12KB

Download
memory/2368-81-0x0000000000400000-0x0000000000403000-memory.dmp

Filesize
12KB

Download
memory/2368-84-0x00000000001B0000-0x00000000001B3000-memory.dmp

Filesize
12KB

Download
memory/2432-128-0x0000000000220000-0x0000000000223000-memory.dmp

Filesize
12KB

Download
memory/2432-116-0x0000000000400000-0x0000000000403000-memory.dmp

Filesize
12KB

Download
memory/2432-118-0x0000000000220000-0x0000000000223000-memory.dmp

Filesize
12KB

Download
memory/2468-141-0x0000000000400000-0x0000000000403000-memory.dmp

Filesize
12KB

Download
memory/2468-133-0x0000000000220000-0x0000000000223000-memory.dmp

Filesize
12KB

Download
memory/2516-90-0x0000000000400000-0x0000000000403000-memory.dmp

Filesize
12KB

Download
memory/2516-79-0x00000000003A0000-0x00000000003A3000-memory.dmp

Filesize
12KB

Download
memory/2516-93-0x00000000003A0000-0x00000000003A3000-memory.dmp

Filesize
12KB

Download
memory/2552-115-0x0000000000220000-0x0000000000223000-memory.dmp

Filesize
12KB

Download
memory/2552-97-0x0000000000220000-0x0000000000223000-memory.dmp

Filesize
12KB

Download
memory/2552-112-0x0000000000400000-0x0000000000403000-memory.dmp

Filesize
12KB

Download
memory/2564-99-0x0000000000220000-0x0000000000223000-memory.dmp

Filesize
12KB

Download
memory/2564-94-0x0000000000400000-0x0000000000403000-memory.dmp

Filesize
12KB

Download
memory/2588-153-0x0000000000400000-0x0000000000403000-memory.dmp

Filesize
12KB

Download
memory/2596-37-0x0000000000220000-0x0000000000223000-memory.dmp

Filesize
12KB

Download
memory/2596-36-0x0000000000400000-0x0000000000403000-memory.dmp

Filesize
12KB

Download
memory/2596-57-0x0000000000220000-0x0000000000223000-memory.dmp

Filesize
12KB

Download
memory/2596-56-0x0000000000220000-0x0000000000223000-memory.dmp

Filesize
12KB

Download
memory/2600-119-0x00000000002A0000-0x00000000002A3000-memory.dmp

Filesize
12KB

Download
memory/2600-117-0x0000000000400000-0x0000000000403000-memory.dmp

Filesize
12KB

Download
memory/2640-126-0x0000000000220000-0x0000000000223000-memory.dmp

Filesize
12KB

Download
memory/2640-132-0x0000000000400000-0x0000000000403000-memory.dmp

Filesize
12KB

Download
memory/2640-134-0x0000000000220000-0x0000000000223000-memory.dmp

Filesize
12KB

Download
memory/2784-71-0x0000000000400000-0x0000000000403000-memory.dmp

Filesize
12KB

Download
memory/2784-61-0x00000000001B0000-0x00000000001B3000-memory.dmp

Filesize
12KB

Download
memory/2792-64-0x0000000000400000-0x0000000000403000-memory.dmp

Filesize
12KB

Download
memory/2828-69-0x0000000000400000-0x0000000000403000-memory.dmp

Filesize
12KB

Download
memory/2840-65-0x0000000000220000-0x0000000000223000-memory.dmp

Filesize
12KB

Download
memory/2840-75-0x0000000000400000-0x0000000000403000-memory.dmp

Filesize
12KB

Download
memory/2948-120-0x0000000000400000-0x0000000000403000-memory.dmp

Filesize
12KB

Download
memory/2948-108-0x0000000000220000-0x0000000000223000-memory.dmp

Filesize
12KB

Download
memory/2948-122-0x0000000000220000-0x0000000000223000-memory.dmp

Filesize
12KB

Download
memory/3032-41-0x00000000001B0000-0x00000000001B3000-memory.dmp

Filesize
12KB

Download
memory/3032-20-0x00000000001B0000-0x00000000001B3000-memory.dmp

Filesize
12KB

Download
memory/3032-21-0x00000000001B0000-0x00000000001B3000-memory.dmp

Filesize
12KB

Download
memory/3032-19-0x0000000000400000-0x0000000000403000-memory.dmp

Filesize
12KB

Download
memory/3068-54-0x00000000001B0000-0x00000000001B3000-memory.dmp

Filesize
12KB

Download
memory/3068-49-0x0000000000400000-0x0000000000403000-memory.dmp

Filesize
12KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads