Analysis
- max time kernel: 1801s
- max time network: 1803s
- platform: windows10-2004_x64
- resource: win10v2004-20240226-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240226-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 19/03/2024, 16:12
Static task
static1
Behavioral task
behavioral1
Sample
9f8f58faadcda3b49e371c1ae353b30b3713652b0ad8d05b57383142757a74d0.msi
Resource
win10-20240221-en
Behavioral task
behavioral2
Sample
9f8f58faadcda3b49e371c1ae353b30b3713652b0ad8d05b57383142757a74d0.msi
Resource
win10v2004-20240226-en
Behavioral task
behavioral3
Sample
9f8f58faadcda3b49e371c1ae353b30b3713652b0ad8d05b57383142757a74d0.msi
Resource
win11-20240221-en
General
- Target: 9f8f58faadcda3b49e371c1ae353b30b3713652b0ad8d05b57383142757a74d0.msi
- Size: 2.0MB
- MD5: ebae9b70769458cf723022ec89b95c32
- SHA1: 3d3135b87fe274988b86f50d24bde82cc08556bf
- SHA256: 9f8f58faadcda3b49e371c1ae353b30b3713652b0ad8d05b57383142757a74d0
- SHA512: 3550c281fc8dcd8078caf6c0cef847280d6ec78216b0e018b01942e82c79499538f3a0553409e3c716edf584ff5c359ce991440bab14d4794f6ae3393788a102
- SSDEEP: 49152:J3osY5A6b4ms+4UhbrMizYiRpb2mN3rm999OhjY:hY5A6bDhbrfzYiRNdm+
Malware Config
Signatures
-
Drops startup file 1 IoCs
description ioc Process File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\identity_helper.cmd msiexec.exe -
Adds Run key to start application 2 TTPs 2 IoCs
description | ioc | Process
Key deleted | \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN | MsiExec.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\N8G2Q1H0 = "C:\\ProgramData\\3t6lW2r7.R0p\\3t6lW2r7.R0p.exe" | 3t6lW2r7.R0p.exe
-
Blocklisted process makes network request 2 IoCs
flow pid Process 86 3092 MsiExec.exe 92 3092 MsiExec.exe -
Enumerates connected drives 3 TTPs 46 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
description ioc Process File opened (read-only) \??\Q: msiexec.exe File opened (read-only) \??\T: msiexec.exe File opened (read-only) \??\U: msiexec.exe File opened (read-only) \??\R: msiexec.exe File opened (read-only) \??\G: msiexec.exe File opened (read-only) \??\L: msiexec.exe File opened (read-only) \??\P: msiexec.exe File opened (read-only) \??\Z: msiexec.exe File opened (read-only) \??\B: msiexec.exe File opened (read-only) \??\G: msiexec.exe File opened (read-only) \??\J: msiexec.exe File opened (read-only) \??\P: msiexec.exe File opened (read-only) \??\I: msiexec.exe File opened (read-only) \??\M: msiexec.exe File opened (read-only) \??\S: msiexec.exe File opened (read-only) \??\S: msiexec.exe File opened (read-only) \??\T: msiexec.exe File opened (read-only) \??\Y: msiexec.exe File opened (read-only) \??\W: msiexec.exe File opened (read-only) \??\E: msiexec.exe File opened (read-only) \??\L: msiexec.exe File opened (read-only) \??\X: msiexec.exe File opened (read-only) \??\B: msiexec.exe File opened (read-only) \??\H: msiexec.exe File opened (read-only) \??\J: msiexec.exe File opened (read-only) \??\I: msiexec.exe File opened (read-only) \??\M: msiexec.exe File opened (read-only) \??\O: msiexec.exe File opened (read-only) \??\K: msiexec.exe File opened (read-only) \??\X: msiexec.exe File opened (read-only) \??\Y: msiexec.exe File opened (read-only) \??\O: msiexec.exe File opened (read-only) \??\N: msiexec.exe File opened (read-only) \??\R: msiexec.exe File opened (read-only) \??\A: msiexec.exe File opened (read-only) \??\V: msiexec.exe File opened (read-only) \??\V: msiexec.exe File opened (read-only) \??\H: msiexec.exe File opened (read-only) \??\K: msiexec.exe File opened (read-only) \??\Q: msiexec.exe File opened (read-only) \??\U: msiexec.exe File opened (read-only) \??\A: msiexec.exe File opened (read-only) \??\E: msiexec.exe File opened (read-only) \??\N: msiexec.exe File opened (read-only) \??\W: msiexec.exe File opened (read-only) \??\Z: 
msiexec.exe -
Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs
pid Process 3092 MsiExec.exe -
Drops file in Windows directory 9 IoCs
description | ioc | Process
File created | C:\Windows\Installer\SourceHash{95EF7FD4-ED9D-4B37-867E-EBECFD556EFB} | msiexec.exe
File opened for modification | C:\Windows\Installer\MSI3F2F.tmp | msiexec.exe
File opened for modification | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log | msiexec.exe
File opened for modification | C:\Windows\Installer\MSI3DB7.tmp | msiexec.exe
File opened for modification | C:\Windows\Installer\ | msiexec.exe
File created | C:\Windows\Installer\inprogressinstallinfo.ipi | msiexec.exe
File created | C:\Windows\Installer\e5a3327.msi | msiexec.exe
File opened for modification | C:\Windows\Installer\e5a3327.msi | msiexec.exe
File opened for modification | C:\Windows\Installer\MSI35A8.tmp | msiexec.exe
-
Executes dropped EXE 1 IoCs
pid Process 3316 3t6lW2r7.R0p.exe -
Loads dropped DLL 6 IoCs
pid Process 3092 MsiExec.exe 3092 MsiExec.exe 3092 MsiExec.exe 3316 3t6lW2r7.R0p.exe 3316 3t6lW2r7.R0p.exe 3316 3t6lW2r7.R0p.exe -
Checks SCSI registry key(s) 3 TTPs 5 IoCs
SCSI information is often read in order to detect sandboxing environments.
description | ioc | Process
Set value (data) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr\PartitionTableCache | vssvc.exe
Set value (data) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr\SnapshotDataCache | vssvc.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters | vssvc.exe
Key queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters | vssvc.exe
Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr | vssvc.exe
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
pid Process 4720 msiexec.exe 4720 msiexec.exe 3092 MsiExec.exe 3092 MsiExec.exe 3316 3t6lW2r7.R0p.exe 3316 3t6lW2r7.R0p.exe 3316 3t6lW2r7.R0p.exe 3316 3t6lW2r7.R0p.exe 3316 3t6lW2r7.R0p.exe 3316 3t6lW2r7.R0p.exe 3316 3t6lW2r7.R0p.exe 3316 3t6lW2r7.R0p.exe 3316 3t6lW2r7.R0p.exe 3316 3t6lW2r7.R0p.exe 3316 3t6lW2r7.R0p.exe 3316 3t6lW2r7.R0p.exe 3316 3t6lW2r7.R0p.exe 3316 3t6lW2r7.R0p.exe 3316 3t6lW2r7.R0p.exe 3316 3t6lW2r7.R0p.exe 3316 3t6lW2r7.R0p.exe 3316 3t6lW2r7.R0p.exe 3316 3t6lW2r7.R0p.exe 3316 3t6lW2r7.R0p.exe 3316 3t6lW2r7.R0p.exe 3316 3t6lW2r7.R0p.exe 3316 3t6lW2r7.R0p.exe 3316 3t6lW2r7.R0p.exe 3316 3t6lW2r7.R0p.exe 3316 3t6lW2r7.R0p.exe 3316 3t6lW2r7.R0p.exe 3316 3t6lW2r7.R0p.exe 3316 3t6lW2r7.R0p.exe 3316 3t6lW2r7.R0p.exe 3316 3t6lW2r7.R0p.exe 3316 3t6lW2r7.R0p.exe 3316 3t6lW2r7.R0p.exe 3316 3t6lW2r7.R0p.exe 3316 3t6lW2r7.R0p.exe 3316 3t6lW2r7.R0p.exe 3316 3t6lW2r7.R0p.exe 3316 3t6lW2r7.R0p.exe 3316 3t6lW2r7.R0p.exe 3316 3t6lW2r7.R0p.exe 3316 3t6lW2r7.R0p.exe 3316 3t6lW2r7.R0p.exe 3316 3t6lW2r7.R0p.exe 3316 3t6lW2r7.R0p.exe 3316 3t6lW2r7.R0p.exe 3316 3t6lW2r7.R0p.exe 3316 3t6lW2r7.R0p.exe 3316 3t6lW2r7.R0p.exe 3316 3t6lW2r7.R0p.exe 3316 3t6lW2r7.R0p.exe 3316 3t6lW2r7.R0p.exe 3316 3t6lW2r7.R0p.exe 3316 3t6lW2r7.R0p.exe 3316 3t6lW2r7.R0p.exe 3316 3t6lW2r7.R0p.exe 3316 3t6lW2r7.R0p.exe 3316 3t6lW2r7.R0p.exe 3316 3t6lW2r7.R0p.exe 3316 3t6lW2r7.R0p.exe 3316 3t6lW2r7.R0p.exe -
Suspicious use of AdjustPrivilegeToken 57 IoCs
description pid Process Token: SeShutdownPrivilege 2996 msiexec.exe Token: SeIncreaseQuotaPrivilege 2996 msiexec.exe Token: SeSecurityPrivilege 4720 msiexec.exe Token: SeCreateTokenPrivilege 2996 msiexec.exe Token: SeAssignPrimaryTokenPrivilege 2996 msiexec.exe Token: SeLockMemoryPrivilege 2996 msiexec.exe Token: SeIncreaseQuotaPrivilege 2996 msiexec.exe Token: SeMachineAccountPrivilege 2996 msiexec.exe Token: SeTcbPrivilege 2996 msiexec.exe Token: SeSecurityPrivilege 2996 msiexec.exe Token: SeTakeOwnershipPrivilege 2996 msiexec.exe Token: SeLoadDriverPrivilege 2996 msiexec.exe Token: SeSystemProfilePrivilege 2996 msiexec.exe Token: SeSystemtimePrivilege 2996 msiexec.exe Token: SeProfSingleProcessPrivilege 2996 msiexec.exe Token: SeIncBasePriorityPrivilege 2996 msiexec.exe Token: SeCreatePagefilePrivilege 2996 msiexec.exe Token: SeCreatePermanentPrivilege 2996 msiexec.exe Token: SeBackupPrivilege 2996 msiexec.exe Token: SeRestorePrivilege 2996 msiexec.exe Token: SeShutdownPrivilege 2996 msiexec.exe Token: SeDebugPrivilege 2996 msiexec.exe Token: SeAuditPrivilege 2996 msiexec.exe Token: SeSystemEnvironmentPrivilege 2996 msiexec.exe Token: SeChangeNotifyPrivilege 2996 msiexec.exe Token: SeRemoteShutdownPrivilege 2996 msiexec.exe Token: SeUndockPrivilege 2996 msiexec.exe Token: SeSyncAgentPrivilege 2996 msiexec.exe Token: SeEnableDelegationPrivilege 2996 msiexec.exe Token: SeManageVolumePrivilege 2996 msiexec.exe Token: SeImpersonatePrivilege 2996 msiexec.exe Token: SeCreateGlobalPrivilege 2996 msiexec.exe Token: SeBackupPrivilege 3900 vssvc.exe Token: SeRestorePrivilege 3900 vssvc.exe Token: SeAuditPrivilege 3900 vssvc.exe Token: SeBackupPrivilege 4720 msiexec.exe Token: SeRestorePrivilege 4720 msiexec.exe Token: SeRestorePrivilege 4720 msiexec.exe Token: SeTakeOwnershipPrivilege 4720 msiexec.exe Token: SeRestorePrivilege 4720 msiexec.exe Token: SeTakeOwnershipPrivilege 4720 msiexec.exe Token: SeRestorePrivilege 4720 msiexec.exe Token: SeTakeOwnershipPrivilege 4720 
msiexec.exe Token: SeRestorePrivilege 4720 msiexec.exe Token: SeTakeOwnershipPrivilege 4720 msiexec.exe Token: SeBackupPrivilege 4852 srtasks.exe Token: SeRestorePrivilege 4852 srtasks.exe Token: SeSecurityPrivilege 4852 srtasks.exe Token: SeTakeOwnershipPrivilege 4852 srtasks.exe Token: SeBackupPrivilege 4852 srtasks.exe Token: SeRestorePrivilege 4852 srtasks.exe Token: SeSecurityPrivilege 4852 srtasks.exe Token: SeTakeOwnershipPrivilege 4852 srtasks.exe Token: SeRestorePrivilege 4720 msiexec.exe Token: SeTakeOwnershipPrivilege 4720 msiexec.exe Token: SeRestorePrivilege 4720 msiexec.exe Token: SeTakeOwnershipPrivilege 4720 msiexec.exe -
Suspicious use of FindShellTrayWindow 2 IoCs
pid Process 2996 msiexec.exe 2996 msiexec.exe -
Suspicious use of WriteProcessMemory 8 IoCs
description pid Process procid_target PID 4720 wrote to memory of 4852 4720 msiexec.exe 122 PID 4720 wrote to memory of 4852 4720 msiexec.exe 122 PID 4720 wrote to memory of 3092 4720 msiexec.exe 124 PID 4720 wrote to memory of 3092 4720 msiexec.exe 124 PID 4720 wrote to memory of 3092 4720 msiexec.exe 124 PID 3092 wrote to memory of 3316 3092 MsiExec.exe 129 PID 3092 wrote to memory of 3316 3092 MsiExec.exe 129 PID 3092 wrote to memory of 3316 3092 MsiExec.exe 129 -
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
Processes
- C:\Windows\system32\msiexec.exe
  Command line: msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\9f8f58faadcda3b49e371c1ae353b30b3713652b0ad8d05b57383142757a74d0.msi
  PID: 2996
  - Enumerates connected drives
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
- C:\Windows\system32\msiexec.exe
  Command line: C:\Windows\system32\msiexec.exe /V
  PID: 4720
  - Drops startup file
  - Enumerates connected drives
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  Child processes:
  - C:\Windows\system32\srtasks.exe
    Command line: C:\Windows\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:2
    PID: 4852
    - Suspicious use of AdjustPrivilegeToken
  - C:\Windows\syswow64\MsiExec.exe
    Command line: C:\Windows\syswow64\MsiExec.exe -Embedding 02F25BF3E3F88DD400D4C495940FF216
    PID: 3092
    - Adds Run key to start application
    - Blocklisted process makes network request
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - Loads dropped DLL
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    Child processes:
    - C:\ProgramData\3t6lW2r7.R0p\3t6lW2r7.R0p.exe
      Command line: "C:\ProgramData\3t6lW2r7.R0p\3t6lW2r7.R0p.exe"
      PID: 3316
      - Adds Run key to start application
      - Executes dropped EXE
      - Loads dropped DLL
      - Suspicious behavior: EnumeratesProcesses
- C:\Windows\system32\vssvc.exe
  Command line: C:\Windows\system32\vssvc.exe
  PID: 3900
  - Checks SCSI registry key(s)
  - Suspicious use of AdjustPrivilegeToken
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=3756 --field-trial-handle=2248,i,10247514684337323751,15511974759131734137,262144 --variations-seed-version /prefetch:8
  PID: 1836
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=3776 --field-trial-handle=2248,i,10247514684337323751,15511974759131734137,262144 --variations-seed-version /prefetch:8
  PID: 2980
Network
MITRE ATT&CK Enterprise v15
Downloads
-
\??\Volume{d2bbef64-0000-0000-0000-d01200000000}\System Volume Information\SPP\OnlineMetadataCache\{a070081d-fdd5-4460-91ce-6a7ba9236a0b}_OnDiskSnapshotProp
Filesize: 6KB
MD5: e538865cf0f8f2c74ce985dd90adfd32
SHA1: 267c8c46360cdd775d6f59acabc9ba2d5ddf0102
SHA256: f759684ae330178658112d428cab1284c1b696917650510bcd3372aedede9e69
SHA512: f51b37e324dc252a8d763c2f3e53b447d4ef83b8c06b6475f5c7e41873ed46bde8ebcab4da9245009840628dccf637b1f7924f0411d2be7236eda554d9d2bcf8