Analysis
max time kernel: 149s
max time network: 151s
platform: windows10-2004_x64
resource: win10v2004-20240226-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240226-en, locale:en-us, os:windows10-2004-x64, system
submitted: 28/02/2024, 16:45
Static task: static1
Behavioral task: behavioral1
Sample: build-x64.msi
Resource: win7-20240221-en
General
Target: build-x64.msi
Size: 5.8MB
MD5: 9c02a9298b97fcfc5a75fbedf08002bd
SHA1: 2d3bc2856c015914f2856331a0315298f3c34b0c
SHA256: 693ff5db0a085db5094bb96cd4c0ce1d1d3fdc2fbf6b92c32836f3e61a089e7a
SHA512: fafe5dddb610068cb1044c803a6d681d1739904d8e0c4b2b0fc05bcd55cf9344f69e77c8627ae73713f759117d81a78855ff937ee8650b47ab18d37cb9ca34bc
SSDEEP: 49152:ppUP3UhtSTK+0THkWsN8SDYdvH5eoQDWhbHHhZgWEF94FJy5jvrgFdbBUleY82cp:pp6nFDkEWoyvy5jvcdbBUkYC+XCFmpC
Malware Config
Extracted
darkgate
admin888
prodomainnameeforappru.com
anti_analysis: true
anti_debug: false
anti_vm: true
c2_port: 443
check_disk: true
check_ram: false
check_xeon: false
crypter_au3: false
crypter_dll: false
crypter_raw_stub: false
internal_mutex: VzXLKSZE
minimum_disk: 50
minimum_ram: 7000
ping_interval: 6
rootkit: false
startup_persistence: true
username: admin888
Signatures
Detect DarkGate stealer 2 IoCs
resource | yara_rule
behavioral2/memory/4852-102-0x0000000005D20000-0x000000000607C000-memory.dmp | family_darkgate_v6
behavioral2/memory/4852-105-0x0000000005D20000-0x000000000607C000-memory.dmp | family_darkgate_v6
Modifies file permissions 1 TTPs 2 IoCs
pid | Process
2632 | ICACLS.EXE
4036 | ICACLS.EXE
Blocklisted process makes network request 3 IoCs
flow | pid | Process
5 | 3724 | msiexec.exe
9 | 3724 | msiexec.exe
12 | 3724 | msiexec.exe
Enumerates connected drives 3 TTPs 46 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
description: File opened (read-only); Process: msiexec.exe (all 46 entries). ioc, in report order:
\??\L:, \??\A:, \??\P:, \??\W:, \??\B:, \??\I:, \??\H:, \??\I:, \??\J:, \??\K:, \??\N:, \??\Z:, \??\B:, \??\E:, \??\G:, \??\K:, \??\M:, \??\R:, \??\V:, \??\J:, \??\Q:, \??\Y:, \??\L:, \??\E:, \??\P:, \??\U:, \??\X:, \??\G:, \??\U:, \??\A:, \??\M:, \??\Q:, \??\O:, \??\X:, \??\H:, \??\S:, \??\N:, \??\S:, \??\T:, \??\O:, \??\T:, \??\V:, \??\W:, \??\Y:, \??\Z:, \??\R:
Drops file in Windows directory 9 IoCs
description | ioc | Process
File created | C:\Windows\Installer\e576774.msi | msiexec.exe
File opened for modification | C:\Windows\Installer\e576774.msi | msiexec.exe
File opened for modification | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log | msiexec.exe
File opened for modification | C:\Windows\Installer\MSI689D.tmp | msiexec.exe
File opened for modification | C:\Windows\LOGS\DPX\setupact.log | EXPAND.EXE
File created | C:\Windows\Installer\SourceHash{8F7994CB-D53E-4E42-B335-CF29C4D0CA5C} | msiexec.exe
File opened for modification | C:\Windows\Installer\ | msiexec.exe
File created | C:\Windows\Installer\inprogressinstallinfo.ipi | msiexec.exe
File opened for modification | C:\Windows\LOGS\DPX\setuperr.log | EXPAND.EXE
Executes dropped EXE 2 IoCs
pid | Process
4540 | iTunesHelper.exe
4852 | Autoit3.exe
Loads dropped DLL 2 IoCs
pid | Process
3164 | MsiExec.exe
4540 | iTunesHelper.exe
Checks SCSI registry key(s) 3 TTPs 5 IoCs
SCSI information is often read in order to detect sandboxing environments.
description | ioc | Process
Key queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters | vssvc.exe
Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr | vssvc.exe
Set value (data) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr\PartitionTableCache | vssvc.exe
Set value (data) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr\SnapshotDataCache = 534e41505041525401000000700000008ec7416a0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 | vssvc.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters | vssvc.exe
Checks processor information in registry 2 TTPs 2 IoCs
Processor information is often read in order to detect sandboxing environments.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | Autoit3.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | Autoit3.exe
Suspicious behavior: EnumeratesProcesses 2 IoCs
pid | Process
1560 | msiexec.exe
1560 | msiexec.exe
Suspicious use of AdjustPrivilegeToken 49 IoCs
description | pid | Process
Token: SeShutdownPrivilege | 3724 | msiexec.exe
Token: SeIncreaseQuotaPrivilege | 3724 | msiexec.exe
Token: SeSecurityPrivilege | 1560 | msiexec.exe
Token: SeCreateTokenPrivilege | 3724 | msiexec.exe
Token: SeAssignPrimaryTokenPrivilege | 3724 | msiexec.exe
Token: SeLockMemoryPrivilege | 3724 | msiexec.exe
Token: SeIncreaseQuotaPrivilege | 3724 | msiexec.exe
Token: SeMachineAccountPrivilege | 3724 | msiexec.exe
Token: SeTcbPrivilege | 3724 | msiexec.exe
Token: SeSecurityPrivilege | 3724 | msiexec.exe
Token: SeTakeOwnershipPrivilege | 3724 | msiexec.exe
Token: SeLoadDriverPrivilege | 3724 | msiexec.exe
Token: SeSystemProfilePrivilege | 3724 | msiexec.exe
Token: SeSystemtimePrivilege | 3724 | msiexec.exe
Token: SeProfSingleProcessPrivilege | 3724 | msiexec.exe
Token: SeIncBasePriorityPrivilege | 3724 | msiexec.exe
Token: SeCreatePagefilePrivilege | 3724 | msiexec.exe
Token: SeCreatePermanentPrivilege | 3724 | msiexec.exe
Token: SeBackupPrivilege | 3724 | msiexec.exe
Token: SeRestorePrivilege | 3724 | msiexec.exe
Token: SeShutdownPrivilege | 3724 | msiexec.exe
Token: SeDebugPrivilege | 3724 | msiexec.exe
Token: SeAuditPrivilege | 3724 | msiexec.exe
Token: SeSystemEnvironmentPrivilege | 3724 | msiexec.exe
Token: SeChangeNotifyPrivilege | 3724 | msiexec.exe
Token: SeRemoteShutdownPrivilege | 3724 | msiexec.exe
Token: SeUndockPrivilege | 3724 | msiexec.exe
Token: SeSyncAgentPrivilege | 3724 | msiexec.exe
Token: SeEnableDelegationPrivilege | 3724 | msiexec.exe
Token: SeManageVolumePrivilege | 3724 | msiexec.exe
Token: SeImpersonatePrivilege | 3724 | msiexec.exe
Token: SeCreateGlobalPrivilege | 3724 | msiexec.exe
Token: SeBackupPrivilege | 4932 | vssvc.exe
Token: SeRestorePrivilege | 4932 | vssvc.exe
Token: SeAuditPrivilege | 4932 | vssvc.exe
Token: SeBackupPrivilege | 1560 | msiexec.exe
Token: SeRestorePrivilege | 1560 | msiexec.exe
Token: SeRestorePrivilege | 1560 | msiexec.exe
Token: SeTakeOwnershipPrivilege | 1560 | msiexec.exe
Token: SeRestorePrivilege | 1560 | msiexec.exe
Token: SeTakeOwnershipPrivilege | 1560 | msiexec.exe
Token: SeBackupPrivilege | 1216 | srtasks.exe
Token: SeRestorePrivilege | 1216 | srtasks.exe
Token: SeSecurityPrivilege | 1216 | srtasks.exe
Token: SeTakeOwnershipPrivilege | 1216 | srtasks.exe
Token: SeBackupPrivilege | 1216 | srtasks.exe
Token: SeRestorePrivilege | 1216 | srtasks.exe
Token: SeSecurityPrivilege | 1216 | srtasks.exe
Token: SeTakeOwnershipPrivilege | 1216 | srtasks.exe
Suspicious use of FindShellTrayWindow 2 IoCs
pid | Process
3724 | msiexec.exe
3724 | msiexec.exe
Suspicious use of WriteProcessMemory 22 IoCs
description | pid | Process | procid_target
PID 1560 wrote to memory of 1216 | 1560 | msiexec.exe | 97
PID 1560 wrote to memory of 1216 | 1560 | msiexec.exe | 97
PID 1560 wrote to memory of 3164 | 1560 | msiexec.exe | 99
PID 1560 wrote to memory of 3164 | 1560 | msiexec.exe | 99
PID 1560 wrote to memory of 3164 | 1560 | msiexec.exe | 99
PID 3164 wrote to memory of 2632 | 3164 | MsiExec.exe | 100
PID 3164 wrote to memory of 2632 | 3164 | MsiExec.exe | 100
PID 3164 wrote to memory of 2632 | 3164 | MsiExec.exe | 100
PID 3164 wrote to memory of 1132 | 3164 | MsiExec.exe | 102
PID 3164 wrote to memory of 1132 | 3164 | MsiExec.exe | 102
PID 3164 wrote to memory of 1132 | 3164 | MsiExec.exe | 102
PID 3164 wrote to memory of 4540 | 3164 | MsiExec.exe | 104
PID 3164 wrote to memory of 4540 | 3164 | MsiExec.exe | 104
PID 4540 wrote to memory of 4852 | 4540 | iTunesHelper.exe | 105
PID 4540 wrote to memory of 4852 | 4540 | iTunesHelper.exe | 105
PID 4540 wrote to memory of 4852 | 4540 | iTunesHelper.exe | 105
PID 3164 wrote to memory of 4168 | 3164 | MsiExec.exe | 108
PID 3164 wrote to memory of 4168 | 3164 | MsiExec.exe | 108
PID 3164 wrote to memory of 4168 | 3164 | MsiExec.exe | 108
PID 3164 wrote to memory of 4036 | 3164 | MsiExec.exe | 110
PID 3164 wrote to memory of 4036 | 3164 | MsiExec.exe | 110
PID 3164 wrote to memory of 4036 | 3164 | MsiExec.exe | 110
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
Processes
C:\Windows\system32\msiexec.exe
  Command line: msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\build-x64.msi
  PID: 3724
  - Blocklisted process makes network request
  - Enumerates connected drives
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow

C:\Windows\system32\msiexec.exe
  Command line: C:\Windows\system32\msiexec.exe /V
  PID: 1560
  - Enumerates connected drives
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory

    C:\Windows\system32\srtasks.exe
      Command line: C:\Windows\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:2
      PID: 1216
      - Suspicious use of AdjustPrivilegeToken

    C:\Windows\syswow64\MsiExec.exe
      Command line: C:\Windows\syswow64\MsiExec.exe -Embedding 262ADC6FD1450C662D07F42EB35CC7F1
      PID: 3164
      - Loads dropped DLL
      - Suspicious use of WriteProcessMemory

        C:\Windows\SysWOW64\ICACLS.EXE
          Command line: "C:\Windows\system32\ICACLS.EXE" "C:\Users\Admin\AppData\Local\Temp\MW-074cd5ba-5343-473d-8b79-d917b0d0efb3\." /SETINTEGRITYLEVEL (CI)(OI)HIGH
          PID: 2632
          - Modifies file permissions

        C:\Windows\SysWOW64\EXPAND.EXE
          Command line: "C:\Windows\system32\EXPAND.EXE" -R files.cab -F:* files
          PID: 1132
          - Drops file in Windows directory

        C:\Users\Admin\AppData\Local\Temp\MW-074cd5ba-5343-473d-8b79-d917b0d0efb3\files\iTunesHelper.exe
          Command line: "C:\Users\Admin\AppData\Local\Temp\MW-074cd5ba-5343-473d-8b79-d917b0d0efb3\files\iTunesHelper.exe"
          PID: 4540
          - Executes dropped EXE
          - Loads dropped DLL
          - Suspicious use of WriteProcessMemory

            \??\c:\temp\Autoit3.exe
              Command line: "c:\temp\Autoit3.exe" c:\temp\script.a3x
              PID: 4852
              - Executes dropped EXE
              - Checks processor information in registry

        C:\Windows\SysWOW64\cmd.exe
          Command line: C:\Windows\system32\cmd.exe /c rd /s /q "C:\Users\Admin\AppData\Local\Temp\MW-074cd5ba-5343-473d-8b79-d917b0d0efb3\files"
          PID: 4168

        C:\Windows\SysWOW64\ICACLS.EXE
          Command line: "C:\Windows\system32\ICACLS.EXE" "C:\Users\Admin\AppData\Local\Temp\MW-074cd5ba-5343-473d-8b79-d917b0d0efb3\." /SETINTEGRITYLEVEL (CI)(OI)LOW
          PID: 4036
          - Modifies file permissions

C:\Windows\system32\vssvc.exe
  Command line: C:\Windows\system32\vssvc.exe
  PID: 4932
  - Checks SCSI registry key(s)
  - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v15
Downloads