Malware Analysis Report

2024-11-30 23:24

Sample ID 230909-qabfcabb9w
Target 1cbc0bf41dc39d3966a1c38bd778cc9952994fb4e069101143d7a0a822e5ff1aexe_JC.exe
SHA256 1cbc0bf41dc39d3966a1c38bd778cc9952994fb4e069101143d7a0a822e5ff1a
Tags
systembc trojan
score
10/10

Analysis Overview

Threat Level: Known bad

The file 1cbc0bf41dc39d3966a1c38bd778cc9952994fb4e069101143d7a0a822e5ff1aexe_JC.exe was found to be: Known bad.

Malicious Activity Summary

systembc trojan

SystemBC

Drops file in System32 directory

Suspicious use of SetThreadContext

Unsigned PE

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Uses Task Scheduler COM API

Suspicious behavior: EnumeratesProcesses

Analysis: static1

Detonation Overview

Reported

2023-09-09 13:03

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2023-09-09 13:03

Reported

2023-09-09 13:05

Platform

win7-20230831-en

Max time kernel

122s

Max time network

125s

Command Line

"C:\Users\Admin\AppData\Local\Temp\1cbc0bf41dc39d3966a1c38bd778cc9952994fb4e069101143d7a0a822e5ff1aexe_JC.exe"

Signatures

SystemBC

trojan systembc

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\1cbc0bf41dc39d3966a1c38bd778cc9952994fb4e069101143d7a0a822e5ff1aexe_JC.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3020 wrote to memory of 2188 N/A C:\Users\Admin\AppData\Local\Temp\1cbc0bf41dc39d3966a1c38bd778cc9952994fb4e069101143d7a0a822e5ff1aexe_JC.exe C:\Users\Admin\AppData\Local\Temp\1cbc0bf41dc39d3966a1c38bd778cc9952994fb4e069101143d7a0a822e5ff1aexe_JC.exe
PID 3020 wrote to memory of 1356 N/A C:\Users\Admin\AppData\Local\Temp\1cbc0bf41dc39d3966a1c38bd778cc9952994fb4e069101143d7a0a822e5ff1aexe_JC.exe C:\Users\Admin\AppData\Local\Temp\1cbc0bf41dc39d3966a1c38bd778cc9952994fb4e069101143d7a0a822e5ff1aexe_JC.exe

Processes

C:\Users\Admin\AppData\Local\Temp\1cbc0bf41dc39d3966a1c38bd778cc9952994fb4e069101143d7a0a822e5ff1aexe_JC.exe

"C:\Users\Admin\AppData\Local\Temp\1cbc0bf41dc39d3966a1c38bd778cc9952994fb4e069101143d7a0a822e5ff1aexe_JC.exe"

C:\Users\Admin\AppData\Local\Temp\1cbc0bf41dc39d3966a1c38bd778cc9952994fb4e069101143d7a0a822e5ff1aexe_JC.exe

"C:\Users\Admin\AppData\Local\Temp\1cbc0bf41dc39d3966a1c38bd778cc9952994fb4e069101143d7a0a822e5ff1aexe_JC.exe"

C:\Users\Admin\AppData\Local\Temp\1cbc0bf41dc39d3966a1c38bd778cc9952994fb4e069101143d7a0a822e5ff1aexe_JC.exe

"C:\Users\Admin\AppData\Local\Temp\1cbc0bf41dc39d3966a1c38bd778cc9952994fb4e069101143d7a0a822e5ff1aexe_JC.exe"

Network

N/A

Files


Analysis: behavioral2

Detonation Overview

Submitted

2023-09-09 13:03

Reported

2023-09-09 13:05

Platform

win10v2004-20230831-en

Max time kernel

151s

Max time network

157s

Command Line

"C:\Users\Admin\AppData\Local\Temp\1cbc0bf41dc39d3966a1c38bd778cc9952994fb4e069101143d7a0a822e5ff1aexe_JC.exe"

Signatures

SystemBC

trojan systembc

Drops file in System32 directory

Description Indicator Process Target
File opened for modification C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\InstallAgent\Checkpoints\9NCBCSZSJRSB.dat C:\Windows\System32\svchost.exe N/A
File created C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\InstallService\{DA1DFA57-C62F-436F-B8A2-901DAF186132}.catalogItem C:\Windows\System32\svchost.exe N/A
File created C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\InstallAgent\Checkpoints\9NCBCSZSJRSB.dat C:\Windows\System32\svchost.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\1cbc0bf41dc39d3966a1c38bd778cc9952994fb4e069101143d7a0a822e5ff1aexe_JC.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3360 wrote to memory of 3596 N/A C:\Users\Admin\AppData\Local\Temp\1cbc0bf41dc39d3966a1c38bd778cc9952994fb4e069101143d7a0a822e5ff1aexe_JC.exe C:\Users\Admin\AppData\Local\Temp\1cbc0bf41dc39d3966a1c38bd778cc9952994fb4e069101143d7a0a822e5ff1aexe_JC.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\1cbc0bf41dc39d3966a1c38bd778cc9952994fb4e069101143d7a0a822e5ff1aexe_JC.exe

"C:\Users\Admin\AppData\Local\Temp\1cbc0bf41dc39d3966a1c38bd778cc9952994fb4e069101143d7a0a822e5ff1aexe_JC.exe"

C:\Users\Admin\AppData\Local\Temp\1cbc0bf41dc39d3966a1c38bd778cc9952994fb4e069101143d7a0a822e5ff1aexe_JC.exe

"C:\Users\Admin\AppData\Local\Temp\1cbc0bf41dc39d3966a1c38bd778cc9952994fb4e069101143d7a0a822e5ff1aexe_JC.exe"

C:\Windows\System32\svchost.exe

C:\Windows\System32\svchost.exe -k netsvcs -p

Network


Files


C:\Users\Admin\AppData\Local\Temp\wsuDA81.tmp
