Malware Analysis Report

2025-01-22 20:47

Sample ID 241202-26h1vaxpew
Target Conti Builder.rar
SHA256 44eaa6185d082fd3273b6b8c267935e2253bbe9acd345a7ef492d98112042743
Tags
conti discovery execution ransomware upx
score
10/10

Analysis Overview

score
10/10

SHA256

44eaa6185d082fd3273b6b8c267935e2253bbe9acd345a7ef492d98112042743

Threat Level: Known bad

The file Conti Builder.rar was found to be: Known bad.

Malicious Activity Summary

conti discovery execution ransomware upx

Conti Ransomware

Conti family

Command and Scripting Interpreter: PowerShell

Loads dropped DLL

Executes dropped EXE

Checks computer location settings

UPX packed file

Suspicious use of SetThreadContext

Enumerates physical storage devices

System Location Discovery: System Language Discovery

Suspicious use of AdjustPrivilegeToken

Suspicious use of SetWindowsHookEx

Suspicious behavior: EnumeratesProcesses

Suspicious behavior: GetForegroundWindowSpam

Suspicious use of WriteProcessMemory

Suspicious use of FindShellTrayWindow

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-12-02 23:11

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-12-02 23:11

Reported

2024-12-02 23:14

Platform

win7-20240903-en

Max time kernel

119s

Max time network

120s

Command Line

"C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\AppData\Local\Temp\Conti Builder.rar"

Signatures

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Program Files\7-Zip\7zFM.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeRestorePrivilege N/A C:\Program Files\7-Zip\7zFM.exe N/A
Token: 35 N/A C:\Program Files\7-Zip\7zFM.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Program Files\7-Zip\7zFM.exe N/A

Processes

C:\Program Files\7-Zip\7zFM.exe

"C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\AppData\Local\Temp\Conti Builder.rar"

Network

N/A

Files

N/A

Analysis: behavioral2

Detonation Overview

Submitted

2024-12-02 23:11

Reported

2024-12-02 23:28

Platform

win10v2004-20241007-en

Max time kernel

423s

Max time network

424s

Command Line

"C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\AppData\Local\Temp\Conti Builder.rar"

Signatures

Conti Ransomware

ransomware conti

Conti family

conti

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Control Panel\International\Geo\Nation C:\Users\Admin\Desktop\Conti Builder\builder.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Control Panel\International\Geo\Nation C:\Users\Admin\Desktop\Conti Builder\builder.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\Desktop\Conti Builder\builder.exe N/A
N/A N/A C:\Users\Admin\Desktop\Conti Builder\builder.exe N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language \??\c:\Users\Admin\AppData\Local\Temp\593.builder.tmp N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language \??\c:\Users\Admin\AppData\Local\Temp\0C9.builder.tmp N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Program Files\7-Zip\7zFM.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeRestorePrivilege N/A C:\Program Files\7-Zip\7zFM.exe N/A
Token: 35 N/A C:\Program Files\7-Zip\7zFM.exe N/A
Token: SeSecurityPrivilege N/A C:\Program Files\7-Zip\7zFM.exe N/A
Token: SeSecurityPrivilege N/A C:\Program Files\7-Zip\7zFM.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Program Files\7-Zip\7zFM.exe N/A
N/A N/A C:\Program Files\7-Zip\7zFM.exe N/A
N/A N/A C:\Program Files\7-Zip\7zFM.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Users\Admin\Desktop\Conti Builder\builder.exe N/A
N/A N/A C:\Users\Admin\Desktop\Conti Builder\builder.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4164 wrote to memory of 2016 N/A C:\Users\Admin\Desktop\Conti Builder\builder.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 4164 wrote to memory of 2016 N/A C:\Users\Admin\Desktop\Conti Builder\builder.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 4164 wrote to memory of 4956 N/A C:\Users\Admin\Desktop\Conti Builder\builder.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 4164 wrote to memory of 4956 N/A C:\Users\Admin\Desktop\Conti Builder\builder.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 4164 wrote to memory of 4076 N/A C:\Users\Admin\Desktop\Conti Builder\builder.exe \??\c:\Users\Admin\AppData\Local\Temp\E9A.builder.tmp
PID 4164 wrote to memory of 4076 N/A C:\Users\Admin\Desktop\Conti Builder\builder.exe \??\c:\Users\Admin\AppData\Local\Temp\E9A.builder.tmp
PID 4164 wrote to memory of 4076 N/A C:\Users\Admin\Desktop\Conti Builder\builder.exe \??\c:\Users\Admin\AppData\Local\Temp\E9A.builder.tmp
PID 4164 wrote to memory of 4076 N/A C:\Users\Admin\Desktop\Conti Builder\builder.exe \??\c:\Users\Admin\AppData\Local\Temp\E9A.builder.tmp
PID 4164 wrote to memory of 4076 N/A C:\Users\Admin\Desktop\Conti Builder\builder.exe \??\c:\Users\Admin\AppData\Local\Temp\E9A.builder.tmp
PID 4164 wrote to memory of 4076 N/A C:\Users\Admin\Desktop\Conti Builder\builder.exe \??\c:\Users\Admin\AppData\Local\Temp\E9A.builder.tmp
PID 4164 wrote to memory of 4076 N/A C:\Users\Admin\Desktop\Conti Builder\builder.exe \??\c:\Users\Admin\AppData\Local\Temp\E9A.builder.tmp
PID 4164 wrote to memory of 4076 N/A C:\Users\Admin\Desktop\Conti Builder\builder.exe \??\c:\Users\Admin\AppData\Local\Temp\E9A.builder.tmp
PID 4164 wrote to memory of 4076 N/A C:\Users\Admin\Desktop\Conti Builder\builder.exe \??\c:\Users\Admin\AppData\Local\Temp\E9A.builder.tmp
PID 4164 wrote to memory of 4076 N/A C:\Users\Admin\Desktop\Conti Builder\builder.exe \??\c:\Users\Admin\AppData\Local\Temp\E9A.builder.tmp
PID 4164 wrote to memory of 4076 N/A C:\Users\Admin\Desktop\Conti Builder\builder.exe \??\c:\Users\Admin\AppData\Local\Temp\E9A.builder.tmp
PID 4164 wrote to memory of 4076 N/A C:\Users\Admin\Desktop\Conti Builder\builder.exe \??\c:\Users\Admin\AppData\Local\Temp\E9A.builder.tmp
PID 4164 wrote to memory of 4076 N/A C:\Users\Admin\Desktop\Conti Builder\builder.exe \??\c:\Users\Admin\AppData\Local\Temp\E9A.builder.tmp
PID 4164 wrote to memory of 4076 N/A C:\Users\Admin\Desktop\Conti Builder\builder.exe \??\c:\Users\Admin\AppData\Local\Temp\E9A.builder.tmp
PID 4164 wrote to memory of 4076 N/A C:\Users\Admin\Desktop\Conti Builder\builder.exe \??\c:\Users\Admin\AppData\Local\Temp\E9A.builder.tmp
PID 4164 wrote to memory of 4076 N/A C:\Users\Admin\Desktop\Conti Builder\builder.exe \??\c:\Users\Admin\AppData\Local\Temp\E9A.builder.tmp
PID 4164 wrote to memory of 4076 N/A C:\Users\Admin\Desktop\Conti Builder\builder.exe \??\c:\Users\Admin\AppData\Local\Temp\E9A.builder.tmp
PID 4164 wrote to memory of 2992 N/A C:\Users\Admin\Desktop\Conti Builder\builder.exe \??\c:\Users\Admin\AppData\Local\Temp\593.builder.tmp
PID 4164 wrote to memory of 2992 N/A C:\Users\Admin\Desktop\Conti Builder\builder.exe \??\c:\Users\Admin\AppData\Local\Temp\593.builder.tmp
PID 4164 wrote to memory of 2992 N/A C:\Users\Admin\Desktop\Conti Builder\builder.exe \??\c:\Users\Admin\AppData\Local\Temp\593.builder.tmp
PID 4164 wrote to memory of 2992 N/A C:\Users\Admin\Desktop\Conti Builder\builder.exe \??\c:\Users\Admin\AppData\Local\Temp\593.builder.tmp
PID 4164 wrote to memory of 2992 N/A C:\Users\Admin\Desktop\Conti Builder\builder.exe \??\c:\Users\Admin\AppData\Local\Temp\593.builder.tmp
PID 4164 wrote to memory of 2992 N/A C:\Users\Admin\Desktop\Conti Builder\builder.exe \??\c:\Users\Admin\AppData\Local\Temp\593.builder.tmp
PID 4164 wrote to memory of 2992 N/A C:\Users\Admin\Desktop\Conti Builder\builder.exe \??\c:\Users\Admin\AppData\Local\Temp\593.builder.tmp
PID 4164 wrote to memory of 2992 N/A C:\Users\Admin\Desktop\Conti Builder\builder.exe \??\c:\Users\Admin\AppData\Local\Temp\593.builder.tmp
PID 4164 wrote to memory of 2992 N/A C:\Users\Admin\Desktop\Conti Builder\builder.exe \??\c:\Users\Admin\AppData\Local\Temp\593.builder.tmp
PID 4164 wrote to memory of 2992 N/A C:\Users\Admin\Desktop\Conti Builder\builder.exe \??\c:\Users\Admin\AppData\Local\Temp\593.builder.tmp
PID 372 wrote to memory of 1380 N/A C:\Users\Admin\Desktop\Conti Builder\builder.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 372 wrote to memory of 1380 N/A C:\Users\Admin\Desktop\Conti Builder\builder.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 372 wrote to memory of 1960 N/A C:\Users\Admin\Desktop\Conti Builder\builder.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 372 wrote to memory of 1960 N/A C:\Users\Admin\Desktop\Conti Builder\builder.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 372 wrote to memory of 1772 N/A C:\Users\Admin\Desktop\Conti Builder\builder.exe \??\c:\Users\Admin\AppData\Local\Temp\70B.builder.tmp
PID 372 wrote to memory of 1772 N/A C:\Users\Admin\Desktop\Conti Builder\builder.exe \??\c:\Users\Admin\AppData\Local\Temp\70B.builder.tmp
PID 372 wrote to memory of 1772 N/A C:\Users\Admin\Desktop\Conti Builder\builder.exe \??\c:\Users\Admin\AppData\Local\Temp\70B.builder.tmp
PID 372 wrote to memory of 1772 N/A C:\Users\Admin\Desktop\Conti Builder\builder.exe \??\c:\Users\Admin\AppData\Local\Temp\70B.builder.tmp
PID 372 wrote to memory of 1772 N/A C:\Users\Admin\Desktop\Conti Builder\builder.exe \??\c:\Users\Admin\AppData\Local\Temp\70B.builder.tmp
PID 372 wrote to memory of 1772 N/A C:\Users\Admin\Desktop\Conti Builder\builder.exe \??\c:\Users\Admin\AppData\Local\Temp\70B.builder.tmp
PID 372 wrote to memory of 1772 N/A C:\Users\Admin\Desktop\Conti Builder\builder.exe \??\c:\Users\Admin\AppData\Local\Temp\70B.builder.tmp
PID 372 wrote to memory of 1772 N/A C:\Users\Admin\Desktop\Conti Builder\builder.exe \??\c:\Users\Admin\AppData\Local\Temp\70B.builder.tmp
PID 372 wrote to memory of 1772 N/A C:\Users\Admin\Desktop\Conti Builder\builder.exe \??\c:\Users\Admin\AppData\Local\Temp\70B.builder.tmp
PID 372 wrote to memory of 1772 N/A C:\Users\Admin\Desktop\Conti Builder\builder.exe \??\c:\Users\Admin\AppData\Local\Temp\70B.builder.tmp
PID 372 wrote to memory of 1772 N/A C:\Users\Admin\Desktop\Conti Builder\builder.exe \??\c:\Users\Admin\AppData\Local\Temp\70B.builder.tmp
PID 372 wrote to memory of 1772 N/A C:\Users\Admin\Desktop\Conti Builder\builder.exe \??\c:\Users\Admin\AppData\Local\Temp\70B.builder.tmp
PID 372 wrote to memory of 1772 N/A C:\Users\Admin\Desktop\Conti Builder\builder.exe \??\c:\Users\Admin\AppData\Local\Temp\70B.builder.tmp
PID 372 wrote to memory of 1772 N/A C:\Users\Admin\Desktop\Conti Builder\builder.exe \??\c:\Users\Admin\AppData\Local\Temp\70B.builder.tmp
PID 372 wrote to memory of 1772 N/A C:\Users\Admin\Desktop\Conti Builder\builder.exe \??\c:\Users\Admin\AppData\Local\Temp\70B.builder.tmp
PID 372 wrote to memory of 1772 N/A C:\Users\Admin\Desktop\Conti Builder\builder.exe \??\c:\Users\Admin\AppData\Local\Temp\70B.builder.tmp
PID 372 wrote to memory of 1772 N/A C:\Users\Admin\Desktop\Conti Builder\builder.exe \??\c:\Users\Admin\AppData\Local\Temp\70B.builder.tmp
PID 372 wrote to memory of 1824 N/A C:\Users\Admin\Desktop\Conti Builder\builder.exe \??\c:\Users\Admin\AppData\Local\Temp\0C9.builder.tmp
PID 372 wrote to memory of 1824 N/A C:\Users\Admin\Desktop\Conti Builder\builder.exe \??\c:\Users\Admin\AppData\Local\Temp\0C9.builder.tmp
PID 372 wrote to memory of 1824 N/A C:\Users\Admin\Desktop\Conti Builder\builder.exe \??\c:\Users\Admin\AppData\Local\Temp\0C9.builder.tmp
PID 372 wrote to memory of 1824 N/A C:\Users\Admin\Desktop\Conti Builder\builder.exe \??\c:\Users\Admin\AppData\Local\Temp\0C9.builder.tmp
PID 372 wrote to memory of 1824 N/A C:\Users\Admin\Desktop\Conti Builder\builder.exe \??\c:\Users\Admin\AppData\Local\Temp\0C9.builder.tmp
PID 372 wrote to memory of 1824 N/A C:\Users\Admin\Desktop\Conti Builder\builder.exe \??\c:\Users\Admin\AppData\Local\Temp\0C9.builder.tmp
PID 372 wrote to memory of 1824 N/A C:\Users\Admin\Desktop\Conti Builder\builder.exe \??\c:\Users\Admin\AppData\Local\Temp\0C9.builder.tmp
PID 372 wrote to memory of 1824 N/A C:\Users\Admin\Desktop\Conti Builder\builder.exe \??\c:\Users\Admin\AppData\Local\Temp\0C9.builder.tmp
PID 372 wrote to memory of 1824 N/A C:\Users\Admin\Desktop\Conti Builder\builder.exe \??\c:\Users\Admin\AppData\Local\Temp\0C9.builder.tmp
PID 372 wrote to memory of 1824 N/A C:\Users\Admin\Desktop\Conti Builder\builder.exe \??\c:\Users\Admin\AppData\Local\Temp\0C9.builder.tmp
PID 1824 wrote to memory of 2128 N/A \??\c:\Users\Admin\AppData\Local\Temp\0C9.builder.tmp C:\Windows\SysWOW64\cmd.exe
PID 1824 wrote to memory of 2128 N/A \??\c:\Users\Admin\AppData\Local\Temp\0C9.builder.tmp C:\Windows\SysWOW64\cmd.exe

Processes

C:\Program Files\7-Zip\7zFM.exe

"C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\AppData\Local\Temp\Conti Builder.rar"

C:\Windows\System32\rundll32.exe

C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding

C:\Users\Admin\Desktop\Conti Builder\builder.exe

"C:\Users\Admin\Desktop\Conti Builder\builder.exe"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell Add-MpPreference -ExclusionPath "C:\Users\Admin\Desktop\Conti Builder\builder.exe" -Force

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionExtension ".tmp" -Force

\??\c:\Users\Admin\AppData\Local\Temp\E9A.builder.tmp

"C:\Users\Admin\Desktop\Conti Builder\builder_conti_aes.exe"

\??\c:\Users\Admin\AppData\Local\Temp\593.builder.tmp

"C:\Users\Admin\Desktop\Conti Builder\builder.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c pause

C:\Windows\system32\NOTEPAD.EXE

"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\Conti Builder\HOW_TO_USE.txt

C:\Windows\system32\NOTEPAD.EXE

"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\Conti Builder\readme.txt

C:\Users\Admin\Desktop\Conti Builder\builder.exe

"C:\Users\Admin\Desktop\Conti Builder\builder.exe"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell Add-MpPreference -ExclusionPath "C:\Users\Admin\Desktop\Conti Builder\builder.exe" -Force

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionExtension ".tmp" -Force

\??\c:\Users\Admin\AppData\Local\Temp\70B.builder.tmp

"C:\Users\Admin\Desktop\Conti Builder\builder_conti_aes.exe"

\??\c:\Users\Admin\AppData\Local\Temp\0C9.builder.tmp

"C:\Users\Admin\Desktop\Conti Builder\builder.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c pause

C:\Windows\system32\NOTEPAD.EXE

"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\Conti Builder\HOW_TO_USE.txt

Network


Files

memory/4164-14-0x0000000140000000-0x00000001400D0000-memory.dmp

C:\Users\Admin\Desktop\Conti Builder\builder.exe

MD5 6756f218846f5c89a04906c06220d990
SHA1 e7d78f8eca9152b319bc58a3b030613046951792
SHA256 024278719c6a8ed270e5c2ee6813dcfbc9ae76fffc18a9a5ef17e9549fa5d402
SHA512 1d2cf61fde9fed4b73dac51bd08b3b612d66b0fc7504cb31cc3a8a163075d13744461260b11c3929527aa3844d8220278351bb6f220d376d0ab0d8c9e00d5750

memory/4164-17-0x00007FFFCC090000-0x00007FFFCC285000-memory.dmp

memory/4164-16-0x00007FFFCC090000-0x00007FFFCC285000-memory.dmp

memory/4164-18-0x00007FFFCC090000-0x00007FFFCC285000-memory.dmp

memory/4164-20-0x00007FFFCC090000-0x00007FFFCC285000-memory.dmp

memory/4164-19-0x00007FFFCC090000-0x00007FFFCC285000-memory.dmp

memory/4164-15-0x00007FFFCC12D000-0x00007FFFCC12E000-memory.dmp

memory/2016-30-0x0000029548C70000-0x0000029548C92000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_wjtfs1ee.jv0.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 77d622bb1a5b250869a3238b9bc1402b
SHA1 d47f4003c2554b9dfc4c16f22460b331886b191b
SHA256 f97ff12a8abf4bf88bb6497bd2ac2da12628c8847a8ba5a9026bdbb76507cdfb
SHA512 d6789b5499f23c9035375a102271e17a8a82e57d6f5312fa24242e08a83efdeb8becb7622f55c4cf1b89c7d864b445df11f4d994cf7e2f87a900535bcca12fd9

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

MD5 d85ba6ff808d9e5444a4b369f5bc2730
SHA1 31aa9d96590fff6981b315e0b391b575e4c0804a
SHA256 84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f
SHA512 8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

C:\Users\Admin\AppData\Local\Temp\0AE.builder.tmp

MD5 8fd1d495b09695f4fb95638213559464
SHA1 8525bec9fcc14bfb53145f339b5498c7d5948563
SHA256 21e178a283f66f767540ca84c2f2fe46bfe18add60a41f49a65ac4bdaae1f7a2
SHA512 80239f149715fccd6e0d615ace999b483315ec9451664352aea5953a321435964757721e5694e4dfbb3b8aab001621112332617b99eb95994d616160838a82a4

memory/4164-55-0x0000000004870000-0x0000000004EB1000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\E9A.builder.tmp

MD5 86d23632843c402a3a34828bb99317c9
SHA1 ee7082dcee56cb61d0cae037078efb2a4b32eaae
SHA256 eef04cd51ee4cffc01ea5b13e1bf7a174cc4f093aef143471a31d16e20f9e280
SHA512 9a5fcf3158c96be1a48dff04d58ec15471d69f44a6a06ea5f2fcd2c858bd974bbfbfe31028cc85a321ae55f5d621038c5234dcf01757682c399b91dc007cb223

memory/4076-57-0x0000000000110000-0x0000000000111000-memory.dmp

memory/4076-64-0x0000000140000000-0x0000000140641000-memory.dmp

\??\c:\Users\Admin\AppData\Local\Temp\593.builder.tmp

MD5 30a8ae6901329419008872edd298542a
SHA1 803a4c0d96ff6e5bcf5d0880f02c6df6bf0e03e6
SHA256 f8afd0ba8f7cee077edf6dde24443b1e5cc27ea2864c3b9604a1d37380095ebf
SHA512 ca3bdc79a788db16be04f3dbbb33b14c51e8c8bbda7a93341b9361284ba91ceb7103b60fe1eb7b0cb14d8ded2f212653d55ceb580bd8fe4e709d583b184bd353

memory/2992-69-0x0000000000400000-0x00000000004AE000-memory.dmp

memory/4164-72-0x00007FFFCC090000-0x00007FFFCC285000-memory.dmp

memory/4076-74-0x0000000140000000-0x0000000140641000-memory.dmp

memory/4164-71-0x0000000140000000-0x00000001400D0000-memory.dmp

memory/2992-67-0x0000000000100000-0x0000000000101000-memory.dmp

memory/2992-75-0x0000000000400000-0x00000000004AE000-memory.dmp

memory/2992-76-0x0000000000400000-0x00000000004AE000-memory.dmp

C:\Users\Admin\Desktop\Conti Builder\HOW_TO_USE.txt

MD5 13513f2770bfe38e800fae2f01abb7e8
SHA1 46e0f70b51245c2a2c47a419c446e6334f41aefb
SHA256 9c49ca9c51126f4edc977bc045f69c8aada0afc7aeed9a910733f828f117240c
SHA512 9e9e810e01b392e1c861ac9871a23c2272c0ea4178f1e8f032632ba3a4103b274d56d22a7ffd2bd53298b47f6c7a7b22aea30fa5208917ae5e184729357ad43d

C:\Users\Admin\Desktop\Conti Builder\readme.txt

MD5 0e774d58848a5231d720857a6fd0720e
SHA1 cdd80f37cdf50706c587ff58ad852fda95356565
SHA256 6116cf3598e6ca1ad167ed370d05f2f08f05bc04f0a5d64e2f19c0b488a3359b
SHA512 587441347f950cc709cd1ed169e27c04e383bb905a01185f87853cf5a2a41ba8ae7af6a3fcb3a673e0af718707c9705a16ba9b7b0678d27300ae74b6259dbc96

memory/372-80-0x0000000140000000-0x00000001400D0000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 dbb22d95851b93abf2afe8fb96a8e544
SHA1 920ec5fdb323537bcf78f7e29a4fc274e657f7a4
SHA256 e1ee9af6b9e3bfd41b7d2c980580bb7427883f1169ed3df4be11293ce7895465
SHA512 16031134458bf312509044a3028be46034c544163c4ca956aee74d2075fbeb5873754d2254dc1d0b573ce1a644336ac4c8bd7147aba100bfdac8c504900ef3fc

memory/372-113-0x0000000004890000-0x0000000004ED1000-memory.dmp

memory/372-127-0x0000000140000000-0x00000001400D0000-memory.dmp

memory/1772-134-0x0000000140000000-0x0000000140641000-memory.dmp

memory/1824-135-0x0000000000400000-0x00000000004AE000-memory.dmp