Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
87s -
max time network
149s -
platform
windows10-2004_x64 -
resource
win10v2004-20231222-en -
resource tags
arch:x64arch:x86image:win10v2004-20231222-enlocale:en-usos:windows10-2004-x64system -
submitted
14/02/2024, 07:15
Static task
static1
Behavioral task
behavioral1
Sample
WindowsAgent.msi
Resource
win7-20231215-en
Behavioral task
behavioral2
Sample
WindowsAgent.msi
Resource
win10v2004-20231222-en
General
-
Target
WindowsAgent.msi
-
Size
28.6MB
-
MD5
6285950894413022e257973b89be83bc
-
SHA1
287e930cac8b1bbf40cdd56c85e9b52e97a8a6bd
-
SHA256
30f991c5d2a6cc0456567c20cf32473a5ff173c4dc0f0ea7ba81c9a70801b051
-
SHA512
3d995ca2af0da380b215b81d0cf69ea722589ae73c1526243c433459da6a0bedcb3e2b8a55a4a03b83967dfdd841841ca0f78d4782ce1d549ccec39d29f8c51d
-
SSDEEP
786432:P0nSK22i0QPYKrVdWt3gpw5A1TqTwI1sDrS:cnxE0jK/WG+uTqcp
Malware Config
Signatures
-
Modifies file permissions 1 TTPs 2 IoCs
pid Process 1804 ICACLS.EXE 4852 ICACLS.EXE -
Blocklisted process makes network request 2 IoCs
flow pid Process 4 3672 msiexec.exe 12 3672 msiexec.exe -
Enumerates connected drives 3 TTPs 46 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
description ioc Process File opened (read-only) \??\Z: msiexec.exe File opened (read-only) \??\A: msiexec.exe File opened (read-only) \??\G: msiexec.exe File opened (read-only) \??\H: msiexec.exe File opened (read-only) \??\H: msiexec.exe File opened (read-only) \??\Q: msiexec.exe File opened (read-only) \??\A: msiexec.exe File opened (read-only) \??\S: msiexec.exe File opened (read-only) \??\U: msiexec.exe File opened (read-only) \??\B: msiexec.exe File opened (read-only) \??\E: msiexec.exe File opened (read-only) \??\L: msiexec.exe File opened (read-only) \??\Q: msiexec.exe File opened (read-only) \??\T: msiexec.exe File opened (read-only) \??\W: msiexec.exe File opened (read-only) \??\X: msiexec.exe File opened (read-only) \??\E: msiexec.exe File opened (read-only) \??\R: msiexec.exe File opened (read-only) \??\I: msiexec.exe File opened (read-only) \??\M: msiexec.exe File opened (read-only) \??\O: msiexec.exe File opened (read-only) \??\P: msiexec.exe File opened (read-only) \??\U: msiexec.exe File opened (read-only) \??\V: msiexec.exe File opened (read-only) \??\Y: msiexec.exe File opened (read-only) \??\K: msiexec.exe File opened (read-only) \??\O: msiexec.exe File opened (read-only) \??\S: msiexec.exe File opened (read-only) \??\J: msiexec.exe File opened (read-only) \??\K: msiexec.exe File opened (read-only) \??\M: msiexec.exe File opened (read-only) \??\L: msiexec.exe File opened (read-only) \??\N: msiexec.exe File opened (read-only) \??\R: msiexec.exe File opened (read-only) \??\W: msiexec.exe File opened (read-only) \??\B: msiexec.exe File opened (read-only) \??\I: msiexec.exe File opened (read-only) \??\X: msiexec.exe File opened (read-only) \??\V: msiexec.exe File opened (read-only) \??\Y: msiexec.exe File opened (read-only) \??\Z: msiexec.exe File opened (read-only) \??\N: msiexec.exe File opened (read-only) \??\P: msiexec.exe File opened (read-only) \??\J: msiexec.exe File opened (read-only) \??\G: msiexec.exe File opened (read-only) \??\T: msiexec.exe -
Drops file in Windows directory 9 IoCs
description ioc Process File opened for modification C:\Windows\Installer\e577ec5.msi msiexec.exe File opened for modification C:\Windows\Installer\ msiexec.exe File created C:\Windows\Installer\inprogressinstallinfo.ipi msiexec.exe File opened for modification C:\Windows\LOGS\DPX\setupact.log EXPAND.EXE File opened for modification C:\Windows\LOGS\DPX\setuperr.log EXPAND.EXE File created C:\Windows\Installer\e577ec5.msi msiexec.exe File opened for modification C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log msiexec.exe File created C:\Windows\Installer\SourceHash{13C15224-042C-4CEE-9813-469D6977010A} msiexec.exe File opened for modification C:\Windows\Installer\MSI804C.tmp msiexec.exe -
Executes dropped EXE 1 IoCs
pid Process 4340 nraccessInst.exe -
Loads dropped DLL 6 IoCs
pid Process 2136 MsiExec.exe 4340 nraccessInst.exe 4340 nraccessInst.exe 4340 nraccessInst.exe 4340 nraccessInst.exe 4340 nraccessInst.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
NSIS installer 5 IoCs
resource yara_rule behavioral2/files/0x000600000002322b-76.dat nsis_installer_2 behavioral2/files/0x0006000000023230-83.dat nsis_installer_1 behavioral2/files/0x0006000000023230-83.dat nsis_installer_2 behavioral2/files/0x0006000000023230-84.dat nsis_installer_1 behavioral2/files/0x0006000000023230-84.dat nsis_installer_2 -
Checks SCSI registry key(s) 3 TTPs 5 IoCs
SCSI information is often read in order to detect sandboxing environments.
description ioc Process Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters vssvc.exe Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr vssvc.exe Set value (data) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr\PartitionTableCache = 0000000004000000da362e54a03ebf190000000000000000000000000000000000000000000000000000000000000000000000000000000000001000000000000000c01200000000ffffffff000000002701010000080000da362e540000000000001000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000d01200000000000020ed3a000000ffffffff000000000700010000680900da362e54000000000000d012000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000f0ff3a0000000000000005000000ffffffff000000000700010000f87f1dda362e54000000000000f0ff3a00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000ffffffff000000000000000000000000da362e5400000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 vssvc.exe Set value (data) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr\SnapshotDataCache = 534e41505041525401000000700000008ec7416a0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 vssvc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters vssvc.exe -
Suspicious behavior: EnumeratesProcesses 2 IoCs
pid Process 4280 msiexec.exe 4280 msiexec.exe -
Suspicious use of AdjustPrivilegeToken 49 IoCs
description pid Process Token: SeShutdownPrivilege 3672 msiexec.exe Token: SeIncreaseQuotaPrivilege 3672 msiexec.exe Token: SeSecurityPrivilege 4280 msiexec.exe Token: SeCreateTokenPrivilege 3672 msiexec.exe Token: SeAssignPrimaryTokenPrivilege 3672 msiexec.exe Token: SeLockMemoryPrivilege 3672 msiexec.exe Token: SeIncreaseQuotaPrivilege 3672 msiexec.exe Token: SeMachineAccountPrivilege 3672 msiexec.exe Token: SeTcbPrivilege 3672 msiexec.exe Token: SeSecurityPrivilege 3672 msiexec.exe Token: SeTakeOwnershipPrivilege 3672 msiexec.exe Token: SeLoadDriverPrivilege 3672 msiexec.exe Token: SeSystemProfilePrivilege 3672 msiexec.exe Token: SeSystemtimePrivilege 3672 msiexec.exe Token: SeProfSingleProcessPrivilege 3672 msiexec.exe Token: SeIncBasePriorityPrivilege 3672 msiexec.exe Token: SeCreatePagefilePrivilege 3672 msiexec.exe Token: SeCreatePermanentPrivilege 3672 msiexec.exe Token: SeBackupPrivilege 3672 msiexec.exe Token: SeRestorePrivilege 3672 msiexec.exe Token: SeShutdownPrivilege 3672 msiexec.exe Token: SeDebugPrivilege 3672 msiexec.exe Token: SeAuditPrivilege 3672 msiexec.exe Token: SeSystemEnvironmentPrivilege 3672 msiexec.exe Token: SeChangeNotifyPrivilege 3672 msiexec.exe Token: SeRemoteShutdownPrivilege 3672 msiexec.exe Token: SeUndockPrivilege 3672 msiexec.exe Token: SeSyncAgentPrivilege 3672 msiexec.exe Token: SeEnableDelegationPrivilege 3672 msiexec.exe Token: SeManageVolumePrivilege 3672 msiexec.exe Token: SeImpersonatePrivilege 3672 msiexec.exe Token: SeCreateGlobalPrivilege 3672 msiexec.exe Token: SeBackupPrivilege 1124 vssvc.exe Token: SeRestorePrivilege 1124 vssvc.exe Token: SeAuditPrivilege 1124 vssvc.exe Token: SeBackupPrivilege 4280 msiexec.exe Token: SeRestorePrivilege 4280 msiexec.exe Token: SeRestorePrivilege 4280 msiexec.exe Token: SeTakeOwnershipPrivilege 4280 msiexec.exe Token: SeRestorePrivilege 4280 msiexec.exe Token: SeTakeOwnershipPrivilege 4280 msiexec.exe Token: SeBackupPrivilege 2732 srtasks.exe Token: SeRestorePrivilege 2732 srtasks.exe Token: SeSecurityPrivilege 2732 srtasks.exe Token: SeTakeOwnershipPrivilege 2732 srtasks.exe Token: SeBackupPrivilege 2732 srtasks.exe Token: SeRestorePrivilege 2732 srtasks.exe Token: SeSecurityPrivilege 2732 srtasks.exe Token: SeTakeOwnershipPrivilege 2732 srtasks.exe -
Suspicious use of FindShellTrayWindow 2 IoCs
pid Process 3672 msiexec.exe 3672 msiexec.exe -
Suspicious use of WriteProcessMemory 20 IoCs
description pid Process procid_target PID 4280 wrote to memory of 2732 4280 msiexec.exe 95 PID 4280 wrote to memory of 2732 4280 msiexec.exe 95 PID 4280 wrote to memory of 2136 4280 msiexec.exe 99 PID 4280 wrote to memory of 2136 4280 msiexec.exe 99 PID 4280 wrote to memory of 2136 4280 msiexec.exe 99 PID 2136 wrote to memory of 1804 2136 MsiExec.exe 100 PID 2136 wrote to memory of 1804 2136 MsiExec.exe 100 PID 2136 wrote to memory of 1804 2136 MsiExec.exe 100 PID 2136 wrote to memory of 4972 2136 MsiExec.exe 102 PID 2136 wrote to memory of 4972 2136 MsiExec.exe 102 PID 2136 wrote to memory of 4972 2136 MsiExec.exe 102 PID 2136 wrote to memory of 4340 2136 MsiExec.exe 104 PID 2136 wrote to memory of 4340 2136 MsiExec.exe 104 PID 2136 wrote to memory of 4340 2136 MsiExec.exe 104 PID 2136 wrote to memory of 3160 2136 MsiExec.exe 105 PID 2136 wrote to memory of 3160 2136 MsiExec.exe 105 PID 2136 wrote to memory of 3160 2136 MsiExec.exe 105 PID 2136 wrote to memory of 4852 2136 MsiExec.exe 107 PID 2136 wrote to memory of 4852 2136 MsiExec.exe 107 PID 2136 wrote to memory of 4852 2136 MsiExec.exe 107 -
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
Processes
-
C:\Windows\system32\msiexec.exemsiexec.exe /I C:\Users\Admin\AppData\Local\Temp\WindowsAgent.msi1⤵
- Blocklisted process makes network request
- Enumerates connected drives
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:3672
-
C:\Windows\system32\msiexec.exeC:\Windows\system32\msiexec.exe /V1⤵
- Enumerates connected drives
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4280 -
C:\Windows\system32\srtasks.exeC:\Windows\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:22⤵
- Suspicious use of AdjustPrivilegeToken
PID:2732
-
-
C:\Windows\syswow64\MsiExec.exeC:\Windows\syswow64\MsiExec.exe -Embedding C4ACCD1030AF595FFDD6F2D4F596955B2⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2136 -
C:\Windows\SysWOW64\ICACLS.EXE"C:\Windows\system32\ICACLS.EXE" "C:\Users\Admin\AppData\Local\Temp\MW-84bd4d36-041b-4d41-8dec-4513f5345a1f\." /SETINTEGRITYLEVEL (CI)(OI)HIGH3⤵
- Modifies file permissions
PID:1804
-
-
C:\Windows\SysWOW64\EXPAND.EXE"C:\Windows\system32\EXPAND.EXE" -R files.cab -F:* files3⤵
- Drops file in Windows directory
PID:4972
-
-
C:\Users\Admin\AppData\Local\Temp\MW-84bd4d36-041b-4d41-8dec-4513f5345a1f\files\nraccessInst.exe"C:\Users\Admin\AppData\Local\Temp\MW-84bd4d36-041b-4d41-8dec-4513f5345a1f\files\nraccessInst.exe"3⤵
- Executes dropped EXE
- Loads dropped DLL
PID:4340
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c rd /s /q "C:\Users\Admin\AppData\Local\Temp\MW-84bd4d36-041b-4d41-8dec-4513f5345a1f\files"3⤵PID:3160
-
-
C:\Windows\SysWOW64\ICACLS.EXE"C:\Windows\system32\ICACLS.EXE" "C:\Users\Admin\AppData\Local\Temp\MW-84bd4d36-041b-4d41-8dec-4513f5345a1f\." /SETINTEGRITYLEVEL (CI)(OI)LOW3⤵
- Modifies file permissions
PID:4852
-
-
-
C:\Windows\system32\vssvc.exeC:\Windows\system32\vssvc.exe1⤵
- Checks SCSI registry key(s)
- Suspicious use of AdjustPrivilegeToken
PID:1124
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\698460A0B6E60F2F602361424D832905_8BB23D43DE574E82F2BEE0DF0EC47EEB
Filesize471B
MD5b94f30a5988e6f213c2a04302df21de5
SHA1efc651a274263593eaef0df77dd9d32ca87e4ff3
SHA256ebf623e188418efe9c820e145f0f86cb9f42d0ac7427c0e0d97019bb83e91a8b
SHA51297ea3938ce4f61cd2c11dfb606c52689890e04d78e078e6ef86567a37fd3f635af2866d7f9904f3b0f16add005b301656f921acad74b2535add63e7a306fddea
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\8EC9B1D0ABBD7F98B401D425828828CE_D23A670108001603BCDD132336F19794
Filesize727B
MD5cebd6a3ee89ff5fcb3403f5a85f158ec
SHA1da5af6a83663b226a609094c1bc716ff083fc78c
SHA256f15b2b2b7bb36714c4ab3b0546f57ec594a542268a53a78036d22b82411f7fc7
SHA512cf154021928b932fb39d78d514d61540a4b79ce4df31ce5d81d33d8abb451899617daa107fc73e6abc5319e795864f1259b0c11341839232316b534cf6965e3e
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\C8E534EE129F27D55460CE17FD628216_1130D9B25898B0DB0D4F04DC5B93F141
Filesize727B
MD507be3d60b7ed629c615e368656d1583e
SHA1c60121ca1b0161eb87bb1c5d6b5a415d022505b1
SHA2565777fab5a9d0fb429ab73cde719e68ce168103392305aa5af2864d904febe6ad
SHA5123c8d54a4c8599cc98e370033733a948cda09362337ebe00c97df158a0f5f8b6cc79de0a088bbf9308b15a38cebe51295402519d03bbd0f305c0cc8a69152c888
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\698460A0B6E60F2F602361424D832905_8BB23D43DE574E82F2BEE0DF0EC47EEB
Filesize400B
MD59324f156e2e254200a093210761b0e5f
SHA11d84af1f640e8e66ac36c6fb3a0dbaf4da4972e2
SHA256826e9eeb88307fcaebdc5909245c4b1ffbda8dd48ae043bac0a7baa3598cba6c
SHA51268f08efda0e136c93e654afadec876023cc028b291a9be99fd2dd752e04814d1790092bf2cbe55ddb0e45b9a8818493a4b3c3e5a0cf168399fae5da7e744d6a6
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\8EC9B1D0ABBD7F98B401D425828828CE_D23A670108001603BCDD132336F19794
Filesize404B
MD566d53fee48d9f1de9ff2cfb4ae15726e
SHA13a9992a5db29b72f767654b13df06b6b503be2a4
SHA2561e4e5756772789f9b8a5acacb7b0e81793c727312a6fb21ffbb3d63581fa39e6
SHA512ba1b730b71ba9e98ab652ea6bc3b57ecff23a094a144eae5b9aa49b8f217e1ae3e4d8aed7c1aab6d318d81892d38ef81b4a694ae6dc35efa5840d1179aa01dd3
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\C8E534EE129F27D55460CE17FD628216_1130D9B25898B0DB0D4F04DC5B93F141
Filesize412B
MD581499a7c998f1ce59617e200a9f69744
SHA1f49292acc2839c3989de7ca8fbef064765937621
SHA256bcf53ee09186181dda474362a644eb7758c82853ddf650ceabcc3e45a8b8a6ad
SHA5122f1601b9ccc489bde846bfb017646bb6b283e29fe79d1c5d04602b9f5ea601f352cbabcf14c2374f7feca46dd5d0c2c605522a373210af6dbc37af09848fb5b5
-
Filesize
5.8MB
MD53487d5460835b643f5f695e927eb5486
SHA10c5393e2f4fb7fd3a007986b0ef1e33f64512687
SHA25605c1c8d252d60cda67eb3287913da7d6f96bdb47d546445fa8f4d12ad1fcb8f6
SHA51267c0c29853443f17a483c4adfc7e784ed8ded824475eb48a7168bf0e38fc699018e5b92a6aa2d23704d26f74462553930604dbe3173e53e3771fbf579ec00403
-
Filesize
166KB
MD52c6d72070b1786844ed2bea951baf9b9
SHA17598082d20252d152ff992705a52b18674446b59
SHA256add28882b0c2168e3fdc854bd00b383398b2398df2c0ca8081baafddbc03b3a9
SHA5129f15cb9ccd08e69d6eee61256ec1fab8dd66f0b1887860c4c1b46de8ef6a40135821b394e75296c8d8ae7cab0c1962773c73c8240d230ec733e7e11ea53fe8e2
-
Filesize
7.1MB
MD53c6dd0c233e0cbbf2097764568a2eb19
SHA1d5312739e78652a57014d29837e0dc8ef72f2052
SHA25696cae73f53a9b793467425168df7441c982724b09ed763f1efe2cfc596dc55c0
SHA512d2d34b00b1a02b89deb13e3c1c64d430c1b79c439074cc52cb08f6d96a67dfaaba906dec3d02fe976802f573175caba59ef72c1cffffcb220df88ace40fc2fe8
-
Filesize
1KB
MD5683f15367a294190e88d53d5b947aeae
SHA10f3557659f37fab40f20aed43a1839b7e658b3c2
SHA2566d01b6c4b4578158b27720fbdf2712e85898d2bb4af6a3ba7d8fe4b6efb3f674
SHA5128de9cfc553813cb7acd7fd0166759c94db95c4035ad86f42ea446723d75093b7ee624652c44be54f3db9ea0495880e63ee6d597fe5e5e4f04bc04bcf8eff3d88
-
Filesize
1KB
MD519755cfef4625f083ac06857268c38b1
SHA1859b5d244ad11e9d838c15feccc39ac90fe224f2
SHA256e5fa507bb8cb85f8d2c9ab476a1779b8ef94535d3e569aa36081fa8192ba887b
SHA512d29fcc1fb182729eeb41f39e7331e672292991cd09944f57e53212ce62b5cf422ebd50b80810943c71e8d5058be8d04dce507060e8bade23d0aa5ac7238db3c5
-
Filesize
11KB
MD5c17103ae9072a06da581dec998343fc1
SHA1b72148c6bdfaada8b8c3f950e610ee7cf1da1f8d
SHA256dc58d8ad81cacb0c1ed72e33bff8f23ea40b5252b5bb55d393a0903e6819ae2f
SHA512d32a71aaef18e993f28096d536e41c4d016850721b31171513ce28bbd805a54fd290b7c3e9d935f72e676a1acfb4f0dcc89d95040a0dd29f2b6975855c18986f
-
Filesize
4KB
MD57579ade7ae1747a31960a228ce02e666
SHA18ec8571a296737e819dcf86353a43fcf8ec63351
SHA256564c80dec62d76c53497c40094db360ff8a36e0dc1bda8383d0f9583138997f5
SHA512a88bc56e938374c333b0e33cb72951635b5d5a98b9cb2d6785073cbcad23bf4c0f9f69d3b7e87b46c76eb03ced9bb786844ce87656a9e3df4ca24acf43d7a05b
-
Filesize
208KB
MD54caaa03e0b59ca60a3d34674b732b702
SHA1ee80c8f4684055ac8960b9720fb108be07e1d10c
SHA256d01af2b8c692dffb04a5a04e3ccd0d0a3b2c67c8fc45a4b68c0a065b4e64cc3d
SHA51225888848871286bdd1f9c43a0fba35640edb5bafbe0c6aa2f9708a070ea4e5b16745b7c4f744ae4f5643f75ef47f196d430bf70921ed27715f712825ec590a34
-
Filesize
23.0MB
MD5dc8127c27f05ed4d7426ee499199e3d6
SHA1585657cc8789e79a7f6f36e2531534a7114e6d5e
SHA256707e78e3faac4c6a07fc8c399b99e383e453657ad94596c8c6d57c3112c02a57
SHA512d737382a255f3a8c9039c82d17e20fe17593ab323b666a71782f3dd8c6f9a1de0662e70f88c0da349c01b076b141237eb04e69a8e409817a8a02877882a1bd76
-
\??\Volume{542e36da-0000-0000-0000-d01200000000}\System Volume Information\SPP\OnlineMetadataCache\{9e0bcca5-0000-4478-806f-59c1e9f08921}_OnDiskSnapshotProp
Filesize6KB
MD55eab00840811481593f0830c04d228fc
SHA1712a60dc6ba63912996914a389604af5ee45596d
SHA25627cc3706deef740aca04a84c365bf9c25fd14169bd4fcfcd4c3fba4c8424e007
SHA512e6e35ba0f8a15189eead1f149554807230dcf4b0512bc89f861e49948476c6c50129bf0bc5453a011a503a4203dd6b0c06e08c93a1b6e6e023326c33a7a05a47