conti | 44eaa6185d082fd3273b6b8c267935e2253bbe9acd345a7ef492d98112042743

Analysis

max time kernel
445s
max time network
449s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
06-12-2024 15:46

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Conti Builder.rar
Size

2.4MB
MD5

476b3969ddbb75be5174b64bdc2cdb07
SHA1

87ac2b436f1ea207b5f35aa84d4fc348df8c77e3
SHA256

44eaa6185d082fd3273b6b8c267935e2253bbe9acd345a7ef492d98112042743
SHA512

cf4eeeeaee09d2fcedc998fbcf96dc316eef5eef55f2e122af3f17caf6cf90ead465b08051ec7460a39761da5fb6a042b1bc4ef717c0c555aedcf10f06df0b7f
SSDEEP

49152:Jo+Oa8B53MBcRX9WOQ9csYYEyHsdzEB7qGzkMj8zgoKSGWzgbanPNkIAm:QB5UeAr9cIEyHsdAkGX3S0w1kRm

Score

10^/10

conti discovery execution ransomware upx

Malware Config

Extracted

Path

C:\Users\Admin\AppData\Local\Temp\7zO082F98E7\HOW_TO_USE.txt

Ransom Note

-------- OVERVIEW -------- Known for its speed of delivery, remote operation, Conti ransomware is an encryption tool designed to block access to a computer system or data until a ransom is paid. It typically works by encrypting the victim's files or locking the operating system, rendering the data or system unusable. The attackers then demand a ransom, usually in cryptocurrency like Bitcoin, to provide a decryption key or unlock the system. Once the data is encrypted, the ransomware displays a message informing the victim of the attack and instructing them on how to pay the ransom to regain access to their files. ------------ INSTRUCTIONS ------------ Open "readme.txt" and input your tor details, providing instructions for victims on how to contact you to recover their encrypted files. Finally run "builder builder_output" then navigate to the "builder_output" folder and you will see "_locker.ex_" rename it, crypt file then send to victim

Extracted

Path

C:\Users\Admin\Desktop\Conti Builder\readme.txt

Family

conti

Ransom Note

All of your files are currently encrypted by CONTI strain. As you know (if you don't - just "google it"), all of the data that has been encrypted by our software cannot be recovered by any means without contacting our team directly. If you try to use any additional recovery software - the files might be damaged, so if you are willing to try - try it on the data of the lowest value. To make sure that we REALLY CAN get your data back - we offer you to decrypt #__FILE_COUNT__# random files completely free of charge. You can contact our team directly for further instructions through our website : TOR VERSION : (you should download and install TOR browser first https://torproject.org) http://#__TOR_URL__# HTTPS VERSION : https://#__HTTPS_URL__# YOU SHOULD BE AWARE! Just in case, if you try to ignore us. We've downloaded a pack of your internal data and are ready to publish it on out news website if you do not respond. So it will be better for both sides if you contact us as soon as possible. ---BEGIN ID--- #__BASE64_ENCODED_STRING__# ---END ID---

URLs

http://#__TOR_URL__#

https://#__HTTPS_URL__#

Signatures

Conti Ransomware
Ransomware generally thought to be a successor to Ryuk.
ransomware conti
Conti family
conti

Command and Scripting Interpreter: PowerShell 1 TTPs 6 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
2928	powershell.exe
3744	powershell.exe
3904	powershell.exe
2492	powershell.exe
4748	powershell.exe
1396	powershell.exe

Checks computer location settings 2 TTPs 3 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation	builder.exe
Key value queried	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation	builder.exe
Key value queried	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation	builder.exe

Executes dropped EXE 9 IoCs

pid	Process
4328	builder.exe
4372	3FA.builder.tmp
4792	8FA.builder.tmp
4052	builder.exe
3776	2EA.builder.tmp
2680	4D7.builder.tmp
5080	builder.exe
2168	4CC.builder.tmp
1972	B4C.builder.tmp

Loads dropped DLL 3 IoCs

pid	Process
4328	builder.exe
4052	builder.exe
5080	builder.exe

Suspicious use of SetThreadContext 6 IoCs

description	pid	Process	procid_target
PID 4328 set thread context of 4372	4328	builder.exe	106
PID 4328 set thread context of 4792	4328	builder.exe	107
PID 4052 set thread context of 3776	4052	builder.exe	122
PID 4052 set thread context of 2680	4052	builder.exe	123
PID 5080 set thread context of 2168	5080	builder.exe	131
PID 5080 set thread context of 1972	5080	builder.exe	132

UPX packed file 5 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/4792-70-0x0000000000400000-0x00000000004AE000-memory.dmp	upx
behavioral2/memory/4792-77-0x0000000000400000-0x00000000004AE000-memory.dmp	upx
behavioral2/memory/2680-199-0x0000000000400000-0x00000000004AE000-memory.dmp	upx
behavioral2/memory/1972-200-0x0000000000400000-0x00000000004AE000-memory.dmp	upx
behavioral2/memory/2680-202-0x0000000000400000-0x00000000004AE000-memory.dmp	upx

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 6 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	8FA.builder.tmp
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	4D7.builder.tmp
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	B4C.builder.tmp
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000_Classes\Local Settings	7zFM.exe

Opens file in notepad (likely ransom note) 1 IoCs

ransomware

pid	Process
3016	NOTEPAD.EXE

Suspicious behavior: EnumeratesProcesses 40 IoCs

pid	Process
2928	powershell.exe
3744	powershell.exe
3744	powershell.exe
2928	powershell.exe
4372	3FA.builder.tmp
4372	3FA.builder.tmp
4372	3FA.builder.tmp
4372	3FA.builder.tmp
4372	3FA.builder.tmp
4372	3FA.builder.tmp
4736	7zFM.exe
4736	7zFM.exe
4736	7zFM.exe
4736	7zFM.exe
4736	7zFM.exe
4736	7zFM.exe
4736	7zFM.exe
4736	7zFM.exe
4736	7zFM.exe
4736	7zFM.exe
3904	powershell.exe
3904	powershell.exe
2492	powershell.exe
2492	powershell.exe
3776	2EA.builder.tmp
3776	2EA.builder.tmp
3776	2EA.builder.tmp
3776	2EA.builder.tmp
3776	2EA.builder.tmp
3776	2EA.builder.tmp
4748	powershell.exe
4748	powershell.exe
1396	powershell.exe
1396	powershell.exe
2168	4CC.builder.tmp
2168	4CC.builder.tmp
2168	4CC.builder.tmp
2168	4CC.builder.tmp
2168	4CC.builder.tmp
2168	4CC.builder.tmp

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
4736	7zFM.exe

Suspicious use of AdjustPrivilegeToken 12 IoCs

description	pid	Process
Token: SeRestorePrivilege	4736	7zFM.exe
Token: 35	4736	7zFM.exe
Token: SeSecurityPrivilege	4736	7zFM.exe
Token: SeSecurityPrivilege	4736	7zFM.exe
Token: SeDebugPrivilege	2928	powershell.exe
Token: SeDebugPrivilege	3744	powershell.exe
Token: SeSecurityPrivilege	4736	7zFM.exe
Token: SeSecurityPrivilege	4736	7zFM.exe
Token: SeDebugPrivilege	3904	powershell.exe
Token: SeDebugPrivilege	2492	powershell.exe
Token: SeDebugPrivilege	4748	powershell.exe
Token: SeDebugPrivilege	1396	powershell.exe

Suspicious use of FindShellTrayWindow 6 IoCs

pid	Process
4736	7zFM.exe
4736	7zFM.exe
4736	7zFM.exe
4736	7zFM.exe
4736	7zFM.exe
4736	7zFM.exe

Suspicious use of SetWindowsHookEx 3 IoCs

pid	Process
4328	builder.exe
4052	builder.exe
5080	builder.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4736 wrote to memory of 4328	4736	7zFM.exe	95
PID 4736 wrote to memory of 4328	4736	7zFM.exe	95
PID 4328 wrote to memory of 2928	4328	builder.exe	98
PID 4328 wrote to memory of 2928	4328	builder.exe	98
PID 4328 wrote to memory of 3744	4328	builder.exe	100
PID 4328 wrote to memory of 3744	4328	builder.exe	100
PID 4328 wrote to memory of 4372	4328	builder.exe	106
PID 4328 wrote to memory of 4372	4328	builder.exe	106
PID 4328 wrote to memory of 4372	4328	builder.exe	106
PID 4328 wrote to memory of 4372	4328	builder.exe	106
PID 4328 wrote to memory of 4372	4328	builder.exe	106
PID 4328 wrote to memory of 4372	4328	builder.exe	106
PID 4328 wrote to memory of 4372	4328	builder.exe	106
PID 4328 wrote to memory of 4372	4328	builder.exe	106
PID 4328 wrote to memory of 4372	4328	builder.exe	106
PID 4328 wrote to memory of 4372	4328	builder.exe	106
PID 4328 wrote to memory of 4372	4328	builder.exe	106
PID 4328 wrote to memory of 4372	4328	builder.exe	106
PID 4328 wrote to memory of 4372	4328	builder.exe	106
PID 4328 wrote to memory of 4372	4328	builder.exe	106
PID 4328 wrote to memory of 4372	4328	builder.exe	106
PID 4328 wrote to memory of 4372	4328	builder.exe	106
PID 4328 wrote to memory of 4372	4328	builder.exe	106
PID 4328 wrote to memory of 4792	4328	builder.exe	107
PID 4328 wrote to memory of 4792	4328	builder.exe	107
PID 4328 wrote to memory of 4792	4328	builder.exe	107
PID 4328 wrote to memory of 4792	4328	builder.exe	107
PID 4328 wrote to memory of 4792	4328	builder.exe	107
PID 4328 wrote to memory of 4792	4328	builder.exe	107
PID 4328 wrote to memory of 4792	4328	builder.exe	107
PID 4328 wrote to memory of 4792	4328	builder.exe	107
PID 4328 wrote to memory of 4792	4328	builder.exe	107
PID 4328 wrote to memory of 4792	4328	builder.exe	107
PID 4792 wrote to memory of 1656	4792	8FA.builder.tmp	109
PID 4792 wrote to memory of 1656	4792	8FA.builder.tmp	109
PID 4792 wrote to memory of 1656	4792	8FA.builder.tmp	109
PID 4736 wrote to memory of 3016	4736	7zFM.exe	112
PID 4736 wrote to memory of 3016	4736	7zFM.exe	112
PID 4052 wrote to memory of 3904	4052	builder.exe	118
PID 4052 wrote to memory of 3904	4052	builder.exe	118
PID 4052 wrote to memory of 2492	4052	builder.exe	120
PID 4052 wrote to memory of 2492	4052	builder.exe	120
PID 4052 wrote to memory of 3776	4052	builder.exe	122
PID 4052 wrote to memory of 3776	4052	builder.exe	122
PID 4052 wrote to memory of 3776	4052	builder.exe	122
PID 4052 wrote to memory of 3776	4052	builder.exe	122
PID 4052 wrote to memory of 3776	4052	builder.exe	122
PID 4052 wrote to memory of 3776	4052	builder.exe	122
PID 4052 wrote to memory of 3776	4052	builder.exe	122
PID 4052 wrote to memory of 3776	4052	builder.exe	122
PID 4052 wrote to memory of 3776	4052	builder.exe	122
PID 4052 wrote to memory of 3776	4052	builder.exe	122
PID 4052 wrote to memory of 3776	4052	builder.exe	122
PID 4052 wrote to memory of 3776	4052	builder.exe	122
PID 4052 wrote to memory of 3776	4052	builder.exe	122
PID 4052 wrote to memory of 3776	4052	builder.exe	122
PID 4052 wrote to memory of 3776	4052	builder.exe	122
PID 4052 wrote to memory of 3776	4052	builder.exe	122
PID 4052 wrote to memory of 3776	4052	builder.exe	122
PID 4052 wrote to memory of 2680	4052	builder.exe	123
PID 4052 wrote to memory of 2680	4052	builder.exe	123
PID 4052 wrote to memory of 2680	4052	builder.exe	123
PID 4052 wrote to memory of 2680	4052	builder.exe	123
PID 4052 wrote to memory of 2680	4052	builder.exe	123

C:\Program Files\7-Zip\7zFM.exe
"C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\AppData\Local\Temp\Conti Builder.rar"
1⤵
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:4736
- C:\Users\Admin\AppData\Local\Temp\7zO08237DA7\builder.exe
  "C:\Users\Admin\AppData\Local\Temp\7zO08237DA7\builder.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of SetThreadContext
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:4328
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\7zO08237DA7\builder.exe" -Force
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2928
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionExtension ".tmp" -Force
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:3744
- - \??\c:\Users\Admin\AppData\Local\Temp\3FA.builder.tmp
    "C:\Users\Admin\AppData\Local\Temp\7zO08237DA7\builder_conti_aes.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    PID:4372
- - \??\c:\Users\Admin\AppData\Local\Temp\8FA.builder.tmp
    "C:\Users\Admin\AppData\Local\Temp\7zO08237DA7\builder.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:4792
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c pause
      4⤵
      System Location Discovery: System Language Discovery
      PID:1656
- C:\Windows\system32\NOTEPAD.EXE
  "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\AppData\Local\Temp\7zO082F98E7\HOW_TO_USE.txt
  2⤵
  - Opens file in notepad (likely ransom note)
  PID:3016

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:4348

C:\Windows\system32\NOTEPAD.EXE
"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\Conti Builder\readme.txt
1⤵
PID:1920

C:\Users\Admin\Desktop\Conti Builder\builder.exe
"C:\Users\Admin\Desktop\Conti Builder\builder.exe"
1⤵
- Checks computer location settings
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4052
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell Add-MpPreference -ExclusionPath "C:\Users\Admin\Desktop\Conti Builder\builder.exe" -Force
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3904
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionExtension ".tmp" -Force
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2492
- \??\c:\Users\Admin\AppData\Local\Temp\2EA.builder.tmp
  "C:\Users\Admin\Desktop\Conti Builder\builder_conti_aes.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:3776
- \??\c:\Users\Admin\AppData\Local\Temp\4D7.builder.tmp
  "C:\Users\Admin\Desktop\Conti Builder\builder.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:2680
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c pause
    3⤵
    - System Location Discovery: System Language Discovery
    PID:384

C:\Users\Admin\Desktop\Conti Builder\builder.exe
"C:\Users\Admin\Desktop\Conti Builder\builder.exe"
1⤵
- Checks computer location settings
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
PID:5080
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell Add-MpPreference -ExclusionPath "C:\Users\Admin\Desktop\Conti Builder\builder.exe" -Force
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4748
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionExtension ".tmp" -Force
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1396
- \??\c:\Users\Admin\AppData\Local\Temp\4CC.builder.tmp
  "C:\Users\Admin\Desktop\Conti Builder\builder_conti_aes.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:2168
- \??\c:\Users\Admin\AppData\Local\Temp\B4C.builder.tmp
  "C:\Users\Admin\Desktop\Conti Builder\builder.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:1972
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c pause
    3⤵
    - System Location Discovery: System Language Discovery
    PID:3664

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
d85ba6ff808d9e5444a4b369f5bc2730

SHA1
31aa9d96590fff6981b315e0b391b575e4c0804a

SHA256
84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f

SHA512
8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
eb1ad317bd25b55b2bbdce8a28a74a94

SHA1
98a3978be4d10d62e7411946474579ee5bdc5ea6

SHA256
9e94e7c9ac6134ee30e79498558aa1a5a1ac79a643666c3f8922eed215dd3a98

SHA512
d011f266c0240d84470c0f9577cd9e4927309bd19bb38570ca9704ed8e1d159f9bea982a59d3eefef72ce7a10bd81208b82e88ef57c7af587f7437a89769adc0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
15dde0683cd1ca19785d7262f554ba93

SHA1
d039c577e438546d10ac64837b05da480d06bf69

SHA256
d6fa39eab7ee36f44dc3f9f2839d098433db95c1eba924e4bcf4e5c0d268d961

SHA512
57c0e1b87bc1c136f0d39f3ce64bb8f8274a0491e4ca6e45e5c7f9070aa9d9370c6f590ce37cd600b252df2638d870205249a514c43245ca7ed49017024a4672

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
6d3e9c29fe44e90aae6ed30ccf799ca8

SHA1
c7974ef72264bbdf13a2793ccf1aed11bc565dce

SHA256
2360634e63e8f0b5748e2c56ebb8f4aa78e71008ea7b5c9ca1c49be03b49557d

SHA512
60c38c4367352537545d859f64b9c5cbada94240478d1d039fd27b5ecba4dc1c90051557c16d802269703b873546ead416279c0a80c6fd5e49ad361cef22596a

Download Submit
C:\Users\Admin\AppData\Local\Temp\3FA.builder.tmp

Filesize
1KB

MD5
86d23632843c402a3a34828bb99317c9

SHA1
ee7082dcee56cb61d0cae037078efb2a4b32eaae

SHA256
eef04cd51ee4cffc01ea5b13e1bf7a174cc4f093aef143471a31d16e20f9e280

SHA512
9a5fcf3158c96be1a48dff04d58ec15471d69f44a6a06ea5f2fcd2c858bd974bbfbfe31028cc85a321ae55f5d621038c5234dcf01757682c399b91dc007cb223

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zO08237DA7\builder.exe

Filesize
3.0MB

MD5
6756f218846f5c89a04906c06220d990

SHA1
e7d78f8eca9152b319bc58a3b030613046951792

SHA256
024278719c6a8ed270e5c2ee6813dcfbc9ae76fffc18a9a5ef17e9549fa5d402

SHA512
1d2cf61fde9fed4b73dac51bd08b3b612d66b0fc7504cb31cc3a8a163075d13744461260b11c3929527aa3844d8220278351bb6f220d376d0ab0d8c9e00d5750

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zO082F98E7\HOW_TO_USE.txt

Filesize
979B

MD5
13513f2770bfe38e800fae2f01abb7e8

SHA1
46e0f70b51245c2a2c47a419c446e6334f41aefb

SHA256
9c49ca9c51126f4edc977bc045f69c8aada0afc7aeed9a910733f828f117240c

SHA512
9e9e810e01b392e1c861ac9871a23c2272c0ea4178f1e8f032632ba3a4103b274d56d22a7ffd2bd53298b47f6c7a7b22aea30fa5208917ae5e184729357ad43d

Download Submit
C:\Users\Admin\AppData\Local\Temp\9CA.builder.tmp

Filesize
1KB

MD5
8fd1d495b09695f4fb95638213559464

SHA1
8525bec9fcc14bfb53145f339b5498c7d5948563

SHA256
21e178a283f66f767540ca84c2f2fe46bfe18add60a41f49a65ac4bdaae1f7a2

SHA512
80239f149715fccd6e0d615ace999b483315ec9451664352aea5953a321435964757721e5694e4dfbb3b8aab001621112332617b99eb95994d616160838a82a4

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_e4bgdxc5.i5m.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\Desktop\Conti Builder\readme.txt

Filesize
1KB

MD5
0e774d58848a5231d720857a6fd0720e

SHA1
cdd80f37cdf50706c587ff58ad852fda95356565

SHA256
6116cf3598e6ca1ad167ed370d05f2f08f05bc04f0a5d64e2f19c0b488a3359b

SHA512
587441347f950cc709cd1ed169e27c04e383bb905a01185f87853cf5a2a41ba8ae7af6a3fcb3a673e0af718707c9705a16ba9b7b0678d27300ae74b6259dbc96

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\8FA.builder.tmp

Filesize
1KB

MD5
30a8ae6901329419008872edd298542a

SHA1
803a4c0d96ff6e5bcf5d0880f02c6df6bf0e03e6

SHA256
f8afd0ba8f7cee077edf6dde24443b1e5cc27ea2864c3b9604a1d37380095ebf

SHA512
ca3bdc79a788db16be04f3dbbb33b14c51e8c8bbda7a93341b9361284ba91ceb7103b60fe1eb7b0cb14d8ded2f212653d55ceb580bd8fe4e709d583b184bd353

Download Submit
memory/1972-200-0x0000000000400000-0x00000000004AE000-memory.dmp

Filesize
696KB

Download
memory/2168-194-0x0000000140000000-0x0000000140641000-memory.dmp

Filesize
6.3MB

Download
memory/2680-199-0x0000000000400000-0x00000000004AE000-memory.dmp

Filesize
696KB

Download
memory/2680-202-0x0000000000400000-0x00000000004AE000-memory.dmp

Filesize
696KB

Download
memory/2928-29-0x00000141587E0000-0x0000014158802000-memory.dmp

Filesize
136KB

Download
memory/3776-140-0x0000000140000000-0x0000000140641000-memory.dmp

Filesize
6.3MB

Download
memory/4052-138-0x0000000140000000-0x00000001400D0000-memory.dmp

Filesize
832KB

Download
memory/4052-91-0x0000000140000000-0x00000001400D0000-memory.dmp

Filesize
832KB

Download
memory/4052-124-0x0000000004880000-0x0000000004EC1000-memory.dmp

Filesize
6.3MB

Download
memory/4328-48-0x0000000004870000-0x0000000004EB1000-memory.dmp

Filesize
6.3MB

Download
memory/4328-68-0x0000000140000000-0x00000001400D0000-memory.dmp

Filesize
832KB

Download
memory/4328-69-0x00007FFDE2090000-0x00007FFDE2285000-memory.dmp

Filesize
2.0MB

Download
memory/4328-16-0x00007FFDE212D000-0x00007FFDE212E000-memory.dmp

Filesize
4KB

Download
memory/4328-19-0x00007FFDE2090000-0x00007FFDE2285000-memory.dmp

Filesize
2.0MB

Download
memory/4328-15-0x0000000140000000-0x00000001400D0000-memory.dmp

Filesize
832KB

Download
memory/4328-30-0x00007FFDE2090000-0x00007FFDE2285000-memory.dmp

Filesize
2.0MB

Download
memory/4328-17-0x00007FFDE2090000-0x00007FFDE2285000-memory.dmp

Filesize
2.0MB

Download
memory/4328-18-0x00007FFDE2090000-0x00007FFDE2285000-memory.dmp

Filesize
2.0MB

Download
memory/4372-72-0x0000000140000000-0x0000000140641000-memory.dmp

Filesize
6.3MB

Download
memory/4372-66-0x0000000140000000-0x0000000140641000-memory.dmp

Filesize
6.3MB

Download
memory/4372-55-0x0000000000110000-0x0000000000111000-memory.dmp

Filesize
4KB

Download
memory/4792-77-0x0000000000400000-0x00000000004AE000-memory.dmp

Filesize
696KB

Download
memory/4792-64-0x0000000000100000-0x0000000000101000-memory.dmp

Filesize
4KB

Download
memory/4792-70-0x0000000000400000-0x00000000004AE000-memory.dmp

Filesize
696KB

Download
memory/5080-192-0x0000000140000000-0x00000001400D0000-memory.dmp

Filesize
832KB

Download
memory/5080-146-0x0000000140000000-0x00000001400D0000-memory.dmp

Filesize
832KB

Download