Malware Analysis Report

2025-08-05 09:09

Sample ID 240325-bzjqpafc81
Target 3de482d7dcd58f07bb3fc5a5081a0b84.bin
SHA256 f1fb2f1c3879f533b100bc0a665854d80fe69bdf408b57f5885813c518a0aad5
Tags
socks5systemz botnet discovery
score
10/10

Analysis Overview

Threat Level: Known bad

The file 3de482d7dcd58f07bb3fc5a5081a0b84.bin was found to be: Known bad.

Malicious Activity Summary

socks5systemz botnet discovery

Detect Socks5Systemz Payload

Socks5Systemz

Loads dropped DLL

Unexpected DNS network traffic destination

Executes dropped EXE

Checks installed software on the system

Unsigned PE

Enumerates physical storage devices

Suspicious use of WriteProcessMemory

Analysis: static1

Detonation Overview

Reported

2024-03-25 01:34

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-03-25 01:34

Reported

2024-03-25 01:37

Platform

win7-20240221-en

Max time kernel

146s

Max time network

137s

Command Line

"C:\Users\Admin\AppData\Local\Temp\6d91c3bdc4c0d1a6001d34a62ad14fc497b44189aff21f5b63b4bb3d9dc360cd.exe"

Signatures

Detect Socks5Systemz Payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Socks5Systemz

botnet socks5systemz

Unexpected DNS network traffic destination

Description Indicator Process Target
Destination IP 141.98.234.31 N/A N/A

Checks installed software on the system

discovery

Enumerates physical storage devices

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1712 wrote to memory of 2668 N/A C:\Users\Admin\AppData\Local\Temp\6d91c3bdc4c0d1a6001d34a62ad14fc497b44189aff21f5b63b4bb3d9dc360cd.exe C:\Users\Admin\AppData\Local\Temp\is-TRE7J.tmp\6d91c3bdc4c0d1a6001d34a62ad14fc497b44189aff21f5b63b4bb3d9dc360cd.tmp
PID 1712 wrote to memory of 2668 N/A C:\Users\Admin\AppData\Local\Temp\6d91c3bdc4c0d1a6001d34a62ad14fc497b44189aff21f5b63b4bb3d9dc360cd.exe C:\Users\Admin\AppData\Local\Temp\is-TRE7J.tmp\6d91c3bdc4c0d1a6001d34a62ad14fc497b44189aff21f5b63b4bb3d9dc360cd.tmp
PID 1712 wrote to memory of 2668 N/A C:\Users\Admin\AppData\Local\Temp\6d91c3bdc4c0d1a6001d34a62ad14fc497b44189aff21f5b63b4bb3d9dc360cd.exe C:\Users\Admin\AppData\Local\Temp\is-TRE7J.tmp\6d91c3bdc4c0d1a6001d34a62ad14fc497b44189aff21f5b63b4bb3d9dc360cd.tmp
PID 1712 wrote to memory of 2668 N/A C:\Users\Admin\AppData\Local\Temp\6d91c3bdc4c0d1a6001d34a62ad14fc497b44189aff21f5b63b4bb3d9dc360cd.exe C:\Users\Admin\AppData\Local\Temp\is-TRE7J.tmp\6d91c3bdc4c0d1a6001d34a62ad14fc497b44189aff21f5b63b4bb3d9dc360cd.tmp
PID 1712 wrote to memory of 2668 N/A C:\Users\Admin\AppData\Local\Temp\6d91c3bdc4c0d1a6001d34a62ad14fc497b44189aff21f5b63b4bb3d9dc360cd.exe C:\Users\Admin\AppData\Local\Temp\is-TRE7J.tmp\6d91c3bdc4c0d1a6001d34a62ad14fc497b44189aff21f5b63b4bb3d9dc360cd.tmp
PID 1712 wrote to memory of 2668 N/A C:\Users\Admin\AppData\Local\Temp\6d91c3bdc4c0d1a6001d34a62ad14fc497b44189aff21f5b63b4bb3d9dc360cd.exe C:\Users\Admin\AppData\Local\Temp\is-TRE7J.tmp\6d91c3bdc4c0d1a6001d34a62ad14fc497b44189aff21f5b63b4bb3d9dc360cd.tmp
PID 1712 wrote to memory of 2668 N/A C:\Users\Admin\AppData\Local\Temp\6d91c3bdc4c0d1a6001d34a62ad14fc497b44189aff21f5b63b4bb3d9dc360cd.exe C:\Users\Admin\AppData\Local\Temp\is-TRE7J.tmp\6d91c3bdc4c0d1a6001d34a62ad14fc497b44189aff21f5b63b4bb3d9dc360cd.tmp
PID 2668 wrote to memory of 2584 N/A C:\Users\Admin\AppData\Local\Temp\is-TRE7J.tmp\6d91c3bdc4c0d1a6001d34a62ad14fc497b44189aff21f5b63b4bb3d9dc360cd.tmp C:\Users\Admin\AppData\Local\Color Picker\colorpicker32.exe
PID 2668 wrote to memory of 2584 N/A C:\Users\Admin\AppData\Local\Temp\is-TRE7J.tmp\6d91c3bdc4c0d1a6001d34a62ad14fc497b44189aff21f5b63b4bb3d9dc360cd.tmp C:\Users\Admin\AppData\Local\Color Picker\colorpicker32.exe
PID 2668 wrote to memory of 2584 N/A C:\Users\Admin\AppData\Local\Temp\is-TRE7J.tmp\6d91c3bdc4c0d1a6001d34a62ad14fc497b44189aff21f5b63b4bb3d9dc360cd.tmp C:\Users\Admin\AppData\Local\Color Picker\colorpicker32.exe
PID 2668 wrote to memory of 2584 N/A C:\Users\Admin\AppData\Local\Temp\is-TRE7J.tmp\6d91c3bdc4c0d1a6001d34a62ad14fc497b44189aff21f5b63b4bb3d9dc360cd.tmp C:\Users\Admin\AppData\Local\Color Picker\colorpicker32.exe
PID 2668 wrote to memory of 2588 N/A C:\Users\Admin\AppData\Local\Temp\is-TRE7J.tmp\6d91c3bdc4c0d1a6001d34a62ad14fc497b44189aff21f5b63b4bb3d9dc360cd.tmp C:\Users\Admin\AppData\Local\Color Picker\colorpicker32.exe
PID 2668 wrote to memory of 2588 N/A C:\Users\Admin\AppData\Local\Temp\is-TRE7J.tmp\6d91c3bdc4c0d1a6001d34a62ad14fc497b44189aff21f5b63b4bb3d9dc360cd.tmp C:\Users\Admin\AppData\Local\Color Picker\colorpicker32.exe
PID 2668 wrote to memory of 2588 N/A C:\Users\Admin\AppData\Local\Temp\is-TRE7J.tmp\6d91c3bdc4c0d1a6001d34a62ad14fc497b44189aff21f5b63b4bb3d9dc360cd.tmp C:\Users\Admin\AppData\Local\Color Picker\colorpicker32.exe
PID 2668 wrote to memory of 2588 N/A C:\Users\Admin\AppData\Local\Temp\is-TRE7J.tmp\6d91c3bdc4c0d1a6001d34a62ad14fc497b44189aff21f5b63b4bb3d9dc360cd.tmp C:\Users\Admin\AppData\Local\Color Picker\colorpicker32.exe

Processes

C:\Users\Admin\AppData\Local\Temp\6d91c3bdc4c0d1a6001d34a62ad14fc497b44189aff21f5b63b4bb3d9dc360cd.exe

"C:\Users\Admin\AppData\Local\Temp\6d91c3bdc4c0d1a6001d34a62ad14fc497b44189aff21f5b63b4bb3d9dc360cd.exe"

C:\Users\Admin\AppData\Local\Temp\is-TRE7J.tmp\6d91c3bdc4c0d1a6001d34a62ad14fc497b44189aff21f5b63b4bb3d9dc360cd.tmp

"C:\Users\Admin\AppData\Local\Temp\is-TRE7J.tmp\6d91c3bdc4c0d1a6001d34a62ad14fc497b44189aff21f5b63b4bb3d9dc360cd.tmp" /SL5="$70120,1781274,54272,C:\Users\Admin\AppData\Local\Temp\6d91c3bdc4c0d1a6001d34a62ad14fc497b44189aff21f5b63b4bb3d9dc360cd.exe"

C:\Users\Admin\AppData\Local\Color Picker\colorpicker32.exe

"C:\Users\Admin\AppData\Local\Color Picker\colorpicker32.exe" -i

C:\Users\Admin\AppData\Local\Color Picker\colorpicker32.exe

"C:\Users\Admin\AppData\Local\Color Picker\colorpicker32.exe" -s

Network

Country Destination Domain Proto
HK 141.98.234.31:53 bwesuwu.com udp
MD 45.142.214.240:80 bwesuwu.com tcp

Files

\Users\Admin\AppData\Local\Temp\is-TRE7J.tmp\6d91c3bdc4c0d1a6001d34a62ad14fc497b44189aff21f5b63b4bb3d9dc360cd.tmp

MD5 bb16a1aed23a42be299fa83942dc45cc
SHA1 eef3b71f03f3ea6148a08bf4ba6d3bc2239a56ba
SHA256 2fbf5d1a94ff7aa773d0abe9e2216f0347f47083bf66632e516b9e59ede819df
SHA512 bd1c5cf999c8824946906a6242309b41e6bcc926733107e87787ecb70c4e4d78ae395fcc9033606a72f08fee98103957063b3a47cd74e9e395d77c75287fd0b4

\Users\Admin\AppData\Local\Temp\is-BQVB4.tmp\_isetup\_shfoldr.dll

MD5 92dc6ef532fbb4a5c3201469a5b5eb63
SHA1 3e89ff837147c16b4e41c30d6c796374e0b8e62c
SHA256 9884e9d1b4f8a873ccbd81f8ad0ae257776d2348d027d811a56475e028360d87
SHA512 9908e573921d5dbc3454a1c0a6c969ab8a81cc2e8b5385391d46b1a738fb06a76aa3282e0e58d0d2ffa6f27c85668cd5178e1500b8a39b1bbae04366ae6a86d3

\Users\Admin\AppData\Local\Temp\is-BQVB4.tmp\_isetup\_iscrypt.dll

MD5 a69559718ab506675e907fe49deb71e9
SHA1 bc8f404ffdb1960b50c12ff9413c893b56f2e36f
SHA256 2f6294f9aa09f59a574b5dcd33be54e16b39377984f3d5658cda44950fa0f8fc
SHA512 e52e0aa7fe3f79e36330c455d944653d449ba05b2f9abee0914a0910c3452cfa679a40441f9ac696b3ccf9445cbb85095747e86153402fc362bb30ac08249a63

\Users\Admin\AppData\Local\Color Picker\colorpicker32.exe

MD5 eec81ede91125cd4bf3fadf8f711590d
SHA1 1bc274bca5452956095cbb483fc34f935ff449bb
SHA256 25b526850567d73d8180b701cef40b43fa77ee50704a17c595ace70307e40685
SHA512 c2ca359f524cdd9dfd1cf7c54743d17a6b1443077e69733de70acf0edf10f64c714d97e3dfd711d9369f8b458123332713e007abd174d6dfed7a3b1c557eaddd

C:\Users\Admin\AppData\Local\Color Picker\colorpicker32.exe

MD5 9a4ed86c8edebb91b25541a18aa33492
SHA1 3c62dd1b0c4fd2c16e5a4b4816b2dccb1520a3f6
SHA256 8129a4a3bd3c8a89febe09bb0afb325cf69cbdf9b4b9ae28b229d42aaf283036
SHA512 a79e9311ac6f66c3b6a03ec1a5336d430afd30627b5e6692dbc753e3309acf5dc764eb974e46b7fb79addcd25bdca23fc0edc3806016a6056a74e024a7a2b3ce

C:\Users\Admin\AppData\Local\Color Picker\colorpicker32.exe

MD5 15ca62e3cf98a130467961cdd316c67c
SHA1 62bd02b44699ba06d543348a049a70628e1246ce
SHA256 73b1454ddf3c36f32adba014ee4fb3ef80f758780954813b6aaf052db900ece3
SHA512 b7ee956d28fb08b7adf7454f507b760e337ef5043717be0ea9858943d6c22b583deb2eab2b31a451700737a78f54a292939c357379ff8b9a5b470aaf5bef8d3d

C:\Users\Admin\AppData\Local\Color Picker\colorpicker32.exe

MD5 43b80fd1fe3bf06b40df1910897ef9d4
SHA1 8aaf63000bfefc8148da9061648cc7ecd54c0db5
SHA256 515765e0c9a34744caf080f083b27aa46d59c9c7e367ab16cee592269f94d0a1
SHA512 9fe34d78e87f0ee4948d7af9cd976797abe6fef5d4c12dba0a8cd4ace8b9d877e6687fdabebe9fed5d32876731c3dbb618953e70b04cd1772a882cd0754b2e3c

Analysis: behavioral2

Detonation Overview

Submitted

2024-03-25 01:34

Reported

2024-03-25 01:37

Platform

win10v2004-20240319-en

Max time kernel

145s

Max time network

152s

Command Line

"C:\Users\Admin\AppData\Local\Temp\6d91c3bdc4c0d1a6001d34a62ad14fc497b44189aff21f5b63b4bb3d9dc360cd.exe"

Signatures

Detect Socks5Systemz Payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Socks5Systemz

botnet socks5systemz

Unexpected DNS network traffic destination

Description Indicator Process Target
Destination IP 91.211.247.248 N/A N/A

Checks installed software on the system

discovery

Enumerates physical storage devices

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3236 wrote to memory of 1312 N/A C:\Users\Admin\AppData\Local\Temp\6d91c3bdc4c0d1a6001d34a62ad14fc497b44189aff21f5b63b4bb3d9dc360cd.exe C:\Users\Admin\AppData\Local\Temp\is-OO1ME.tmp\6d91c3bdc4c0d1a6001d34a62ad14fc497b44189aff21f5b63b4bb3d9dc360cd.tmp
PID 3236 wrote to memory of 1312 N/A C:\Users\Admin\AppData\Local\Temp\6d91c3bdc4c0d1a6001d34a62ad14fc497b44189aff21f5b63b4bb3d9dc360cd.exe C:\Users\Admin\AppData\Local\Temp\is-OO1ME.tmp\6d91c3bdc4c0d1a6001d34a62ad14fc497b44189aff21f5b63b4bb3d9dc360cd.tmp
PID 3236 wrote to memory of 1312 N/A C:\Users\Admin\AppData\Local\Temp\6d91c3bdc4c0d1a6001d34a62ad14fc497b44189aff21f5b63b4bb3d9dc360cd.exe C:\Users\Admin\AppData\Local\Temp\is-OO1ME.tmp\6d91c3bdc4c0d1a6001d34a62ad14fc497b44189aff21f5b63b4bb3d9dc360cd.tmp
PID 1312 wrote to memory of 2272 N/A C:\Users\Admin\AppData\Local\Temp\is-OO1ME.tmp\6d91c3bdc4c0d1a6001d34a62ad14fc497b44189aff21f5b63b4bb3d9dc360cd.tmp C:\Users\Admin\AppData\Local\Color Picker\colorpicker32.exe
PID 1312 wrote to memory of 2272 N/A C:\Users\Admin\AppData\Local\Temp\is-OO1ME.tmp\6d91c3bdc4c0d1a6001d34a62ad14fc497b44189aff21f5b63b4bb3d9dc360cd.tmp C:\Users\Admin\AppData\Local\Color Picker\colorpicker32.exe
PID 1312 wrote to memory of 2272 N/A C:\Users\Admin\AppData\Local\Temp\is-OO1ME.tmp\6d91c3bdc4c0d1a6001d34a62ad14fc497b44189aff21f5b63b4bb3d9dc360cd.tmp C:\Users\Admin\AppData\Local\Color Picker\colorpicker32.exe
PID 1312 wrote to memory of 3288 N/A C:\Users\Admin\AppData\Local\Temp\is-OO1ME.tmp\6d91c3bdc4c0d1a6001d34a62ad14fc497b44189aff21f5b63b4bb3d9dc360cd.tmp C:\Users\Admin\AppData\Local\Color Picker\colorpicker32.exe
PID 1312 wrote to memory of 3288 N/A C:\Users\Admin\AppData\Local\Temp\is-OO1ME.tmp\6d91c3bdc4c0d1a6001d34a62ad14fc497b44189aff21f5b63b4bb3d9dc360cd.tmp C:\Users\Admin\AppData\Local\Color Picker\colorpicker32.exe
PID 1312 wrote to memory of 3288 N/A C:\Users\Admin\AppData\Local\Temp\is-OO1ME.tmp\6d91c3bdc4c0d1a6001d34a62ad14fc497b44189aff21f5b63b4bb3d9dc360cd.tmp C:\Users\Admin\AppData\Local\Color Picker\colorpicker32.exe

Processes

C:\Users\Admin\AppData\Local\Temp\6d91c3bdc4c0d1a6001d34a62ad14fc497b44189aff21f5b63b4bb3d9dc360cd.exe

"C:\Users\Admin\AppData\Local\Temp\6d91c3bdc4c0d1a6001d34a62ad14fc497b44189aff21f5b63b4bb3d9dc360cd.exe"

C:\Users\Admin\AppData\Local\Temp\is-OO1ME.tmp\6d91c3bdc4c0d1a6001d34a62ad14fc497b44189aff21f5b63b4bb3d9dc360cd.tmp

"C:\Users\Admin\AppData\Local\Temp\is-OO1ME.tmp\6d91c3bdc4c0d1a6001d34a62ad14fc497b44189aff21f5b63b4bb3d9dc360cd.tmp" /SL5="$601EC,1781274,54272,C:\Users\Admin\AppData\Local\Temp\6d91c3bdc4c0d1a6001d34a62ad14fc497b44189aff21f5b63b4bb3d9dc360cd.exe"

C:\Users\Admin\AppData\Local\Color Picker\colorpicker32.exe

"C:\Users\Admin\AppData\Local\Color Picker\colorpicker32.exe" -i

C:\Users\Admin\AppData\Local\Color Picker\colorpicker32.exe

"C:\Users\Admin\AppData\Local\Color Picker\colorpicker32.exe" -s

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=3412 --field-trial-handle=2276,i,5672504106535478802,17394903851940863593,262144 --variations-seed-version /prefetch:8

Network

Country Destination Domain Proto
US 8.8.8.8:53 134.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp
US 8.8.8.8:53 26.35.223.20.in-addr.arpa udp
US 8.8.8.8:53 241.154.82.20.in-addr.arpa udp
US 8.8.8.8:53 41.110.16.96.in-addr.arpa udp
US 8.8.8.8:53 9.228.82.20.in-addr.arpa udp
US 8.8.8.8:53 86.23.85.13.in-addr.arpa udp
US 13.107.246.64:443 tcp
US 8.8.8.8:53 171.39.242.20.in-addr.arpa udp
US 8.8.8.8:53 18.134.221.88.in-addr.arpa udp
US 8.8.8.8:53 11.227.111.52.in-addr.arpa udp
LT 91.211.247.248:53 csacpcy.net udp
MD 45.142.214.240:80 csacpcy.net tcp
US 8.8.8.8:53 248.247.211.91.in-addr.arpa udp
US 8.8.8.8:53 240.214.142.45.in-addr.arpa udp
US 8.8.8.8:53 91.65.42.20.in-addr.arpa udp

Files

C:\Users\Admin\AppData\Local\Temp\is-OO1ME.tmp\6d91c3bdc4c0d1a6001d34a62ad14fc497b44189aff21f5b63b4bb3d9dc360cd.tmp

MD5 bb16a1aed23a42be299fa83942dc45cc
SHA1 eef3b71f03f3ea6148a08bf4ba6d3bc2239a56ba
SHA256 2fbf5d1a94ff7aa773d0abe9e2216f0347f47083bf66632e516b9e59ede819df
SHA512 bd1c5cf999c8824946906a6242309b41e6bcc926733107e87787ecb70c4e4d78ae395fcc9033606a72f08fee98103957063b3a47cd74e9e395d77c75287fd0b4

C:\Users\Admin\AppData\Local\Temp\is-1C2GM.tmp\_isetup\_iscrypt.dll

MD5 a69559718ab506675e907fe49deb71e9
SHA1 bc8f404ffdb1960b50c12ff9413c893b56f2e36f
SHA256 2f6294f9aa09f59a574b5dcd33be54e16b39377984f3d5658cda44950fa0f8fc
SHA512 e52e0aa7fe3f79e36330c455d944653d449ba05b2f9abee0914a0910c3452cfa679a40441f9ac696b3ccf9445cbb85095747e86153402fc362bb30ac08249a63

C:\Users\Admin\AppData\Local\Color Picker\colorpicker32.exe

MD5 79af2edc7eea75db289d6375a8b62803
SHA1 60d8c8ab0a2c0f8a9c5652807aee07509d05ea4c
SHA256 e62dc8f2f795a665d5a247f20c15ff6d19637dc403dea506e54f1ad9e53522a7
SHA512 a3cb2e10cc806249a83991056cad643b7bef4e110333a69e3ab1ea7b5390f751b15f0a0ce7b71ed9533f0853b9eee253abbb198ea18c815bfc6322ff12684d8b

C:\Users\Admin\AppData\Local\Color Picker\colorpicker32.exe

MD5 0b20792abe21048cd21360dd176336b9
SHA1 7600286a1fb40729ec7f87161e9afc0d420d5f37
SHA256 f94ff415ed24572403c145bb89c31abb74d9aef2299da29c3534ffb229a31c10
SHA512 67c3817c39b73c9071b198b781f62e60758a54c6945108335db8873db621f681fbf231ec2408806cdb1e682c3024b343cea3d205e74902b17ba5e508388b72ca
