Analysis
-
max time kernel
149s -
max time network
148s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system -
submitted
13-11-2024 21:14
Static task
static1
Behavioral task
behavioral1
Sample
3987f0815c1db6dbcb4b03a9bcdb2350a25178f7e7942dcc4a0fc6f0da1dacc7.exe
Resource
win7-20240903-en
General
-
Target
3987f0815c1db6dbcb4b03a9bcdb2350a25178f7e7942dcc4a0fc6f0da1dacc7.exe
-
Size
69KB
-
MD5
2b6f4b3339f021aca6c7293eabd7bc8e
-
SHA1
ce121199f23bd4dffbeb1d5a9df39c33a6991d05
-
SHA256
3987f0815c1db6dbcb4b03a9bcdb2350a25178f7e7942dcc4a0fc6f0da1dacc7
-
SHA512
57cb72b8c96e9def049ae689447355d7234fe6faca5bc11a62b70e74f3fa45e8b4a73f5cb25d90caee1e81ae72a125a2802b566756767d3cd2e68a06e3fe61af
-
SSDEEP
1536:rAlWyGTYr+zEexLh9ixAFibDvmtkxHmsIY:py2lFX8bDetkxHDR
Malware Config
Signatures
-
Command and Scripting Interpreter: PowerShell 1 TTPs 2 IoCs
Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
Processes:
powershell.exepowershell.exepid Process 1168 powershell.exe 4736 powershell.exe -
Downloads MZ/PE file
-
Checks computer location settings 2 TTPs 5 IoCs
Looks up country code configured in the registry, likely geofence.
Processes:
3987f0815c1db6dbcb4b03a9bcdb2350a25178f7e7942dcc4a0fc6f0da1dacc7.exeGAStart.exeGuidoAusili.exeGAStart.exeGuidoAusili.exedescription ioc Process Key value queried \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation 3987f0815c1db6dbcb4b03a9bcdb2350a25178f7e7942dcc4a0fc6f0da1dacc7.exe Key value queried \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation GAStart.exe Key value queried \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation GuidoAusili.exe Key value queried \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation GAStart.exe Key value queried \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation GuidoAusili.exe -
Executes dropped EXE 6 IoCs
Processes:
GAStart.exeGuidoAusili.exeGAStart.exeGuidoAusili.exeGAStart.exeGABack.exepid Process 4944 GAStart.exe 3240 GuidoAusili.exe 1456 GAStart.exe 4828 GuidoAusili.exe 3844 GAStart.exe 1456 GABack.exe -
Loads dropped DLL 14 IoCs
Processes:
GuidoAusili.exepid Process 4828 GuidoAusili.exe 4828 GuidoAusili.exe 4828 GuidoAusili.exe 4828 GuidoAusili.exe 4828 GuidoAusili.exe 4828 GuidoAusili.exe 4828 GuidoAusili.exe 4828 GuidoAusili.exe 4828 GuidoAusili.exe 4828 GuidoAusili.exe 4828 GuidoAusili.exe 4828 GuidoAusili.exe 4828 GuidoAusili.exe 4828 GuidoAusili.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 10 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
Processes:
3987f0815c1db6dbcb4b03a9bcdb2350a25178f7e7942dcc4a0fc6f0da1dacc7.exeGAStart.exeGuidoAusili.exeGAStart.exepowershell.exeGAStart.exeGuidoAusili.exetaskkill.exepowershell.exeGABack.exedescription ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 3987f0815c1db6dbcb4b03a9bcdb2350a25178f7e7942dcc4a0fc6f0da1dacc7.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language GAStart.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language GuidoAusili.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language GAStart.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language powershell.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language GAStart.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language GuidoAusili.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language taskkill.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language powershell.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language GABack.exe -
Checks SCSI registry key(s) 3 TTPs 24 IoCs
SCSI information is often read in order to detect sandboxing environments.
Processes:
GuidoAusili.exedescription ioc Process Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI GuidoAusili.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM GuidoAusili.exe Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM GuidoAusili.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002 GuidoAusili.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000 GuidoAusili.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\CLASSGUID GuidoAusili.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A GuidoAusili.exe Key enumerated \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM GuidoAusili.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\CLASS GuidoAusili.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM GuidoAusili.exe Key enumerated \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM GuidoAusili.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000 GuidoAusili.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\CLASS GuidoAusili.exe Key enumerated \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI GuidoAusili.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001 GuidoAusili.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\CLASS GuidoAusili.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\CLASSGUID GuidoAusili.exe Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM GuidoAusili.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\CLASSGUID GuidoAusili.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI GuidoAusili.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\CLASSGUID GuidoAusili.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\CLASS GuidoAusili.exe Key enumerated \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A GuidoAusili.exe Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A GuidoAusili.exe -
Kills process with taskkill 1 IoCs
Processes:
taskkill.exepid Process 4352 taskkill.exe -
Modifies registry class 7 IoCs
Processes:
GuidoAusili.exedescription ioc Process Key created \REGISTRY\MACHINE\SOFTWARE\Classes\guidoausili\shell\open GuidoAusili.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\guidoausili\shell\open\command GuidoAusili.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\guidoausili\shell\open\command\ = "\"C:\\WinGuido\\GuidoAusili\\GuidoAusili.exe\" \"%1\"" GuidoAusili.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\guidoausili GuidoAusili.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\guidoausili\ = "URL:GuidoAusili Protocol" GuidoAusili.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\guidoausili\URL Protocol GuidoAusili.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\guidoausili\shell GuidoAusili.exe -
Suspicious behavior: EnumeratesProcesses 33 IoCs
Processes:
3987f0815c1db6dbcb4b03a9bcdb2350a25178f7e7942dcc4a0fc6f0da1dacc7.exeGAStart.exeGuidoAusili.exeGAStart.exeGuidoAusili.exepowershell.exepowershell.exeGABack.exepid Process 4528 3987f0815c1db6dbcb4b03a9bcdb2350a25178f7e7942dcc4a0fc6f0da1dacc7.exe 4528 3987f0815c1db6dbcb4b03a9bcdb2350a25178f7e7942dcc4a0fc6f0da1dacc7.exe 4528 3987f0815c1db6dbcb4b03a9bcdb2350a25178f7e7942dcc4a0fc6f0da1dacc7.exe 4528 3987f0815c1db6dbcb4b03a9bcdb2350a25178f7e7942dcc4a0fc6f0da1dacc7.exe 4944 GAStart.exe 4944 GAStart.exe 3240 GuidoAusili.exe 3240 GuidoAusili.exe 3240 GuidoAusili.exe 1456 GAStart.exe 1456 GAStart.exe 4828 GuidoAusili.exe 4828 GuidoAusili.exe 4828 GuidoAusili.exe 4828 GuidoAusili.exe 4828 GuidoAusili.exe 4828 GuidoAusili.exe 4828 GuidoAusili.exe 4828 GuidoAusili.exe 4828 GuidoAusili.exe 4828 GuidoAusili.exe 4828 GuidoAusili.exe 4828 GuidoAusili.exe 4828 GuidoAusili.exe 4828 GuidoAusili.exe 4828 GuidoAusili.exe 1168 powershell.exe 4736 powershell.exe 1456 GABack.exe 1456 GABack.exe 1168 powershell.exe 4736 powershell.exe 4828 GuidoAusili.exe -
Suspicious use of AdjustPrivilegeToken 11 IoCs
Processes:
3987f0815c1db6dbcb4b03a9bcdb2350a25178f7e7942dcc4a0fc6f0da1dacc7.exeGAStart.exeGuidoAusili.exeGAStart.exeGuidoAusili.exetaskkill.exeAUDIODG.EXEpowershell.exepowershell.exeGABack.exedescription pid Process Token: SeDebugPrivilege 4528 3987f0815c1db6dbcb4b03a9bcdb2350a25178f7e7942dcc4a0fc6f0da1dacc7.exe Token: SeDebugPrivilege 4944 GAStart.exe Token: SeDebugPrivilege 3240 GuidoAusili.exe Token: SeDebugPrivilege 1456 GAStart.exe Token: SeDebugPrivilege 4828 GuidoAusili.exe Token: SeDebugPrivilege 4352 taskkill.exe Token: 33 1292 AUDIODG.EXE Token: SeIncBasePriorityPrivilege 1292 AUDIODG.EXE Token: SeDebugPrivilege 1168 powershell.exe Token: SeDebugPrivilege 4736 powershell.exe Token: SeDebugPrivilege 1456 GABack.exe -
Suspicious use of FindShellTrayWindow 1 IoCs
Processes:
GuidoAusili.exepid Process 4828 GuidoAusili.exe -
Suspicious use of WriteProcessMemory 27 IoCs
Processes:
3987f0815c1db6dbcb4b03a9bcdb2350a25178f7e7942dcc4a0fc6f0da1dacc7.exeGAStart.exeGuidoAusili.exeGAStart.exeGuidoAusili.exedescription pid Process procid_target PID 4528 wrote to memory of 4944 4528 3987f0815c1db6dbcb4b03a9bcdb2350a25178f7e7942dcc4a0fc6f0da1dacc7.exe 85 PID 4528 wrote to memory of 4944 4528 3987f0815c1db6dbcb4b03a9bcdb2350a25178f7e7942dcc4a0fc6f0da1dacc7.exe 85 PID 4528 wrote to memory of 4944 4528 3987f0815c1db6dbcb4b03a9bcdb2350a25178f7e7942dcc4a0fc6f0da1dacc7.exe 85 PID 4944 wrote to memory of 3240 4944 GAStart.exe 88 PID 4944 wrote to memory of 3240 4944 GAStart.exe 88 PID 4944 wrote to memory of 3240 4944 GAStart.exe 88 PID 3240 wrote to memory of 1456 3240 GuidoAusili.exe 94 PID 3240 wrote to memory of 1456 3240 GuidoAusili.exe 94 PID 3240 wrote to memory of 1456 3240 GuidoAusili.exe 94 PID 1456 wrote to memory of 4828 1456 GAStart.exe 95 PID 1456 wrote to memory of 4828 1456 GAStart.exe 95 PID 1456 wrote to memory of 4828 1456 GAStart.exe 95 PID 4828 wrote to memory of 4352 4828 GuidoAusili.exe 104 PID 4828 wrote to memory of 4352 4828 GuidoAusili.exe 104 PID 4828 wrote to memory of 4352 4828 GuidoAusili.exe 104 PID 4828 wrote to memory of 3844 4828 GuidoAusili.exe 106 PID 4828 wrote to memory of 3844 4828 GuidoAusili.exe 106 PID 4828 wrote to memory of 3844 4828 GuidoAusili.exe 106 PID 4828 wrote to memory of 1168 4828 GuidoAusili.exe 110 PID 4828 wrote to memory of 1168 4828 GuidoAusili.exe 110 PID 4828 wrote to memory of 1168 4828 GuidoAusili.exe 110 PID 4828 wrote to memory of 4736 4828 GuidoAusili.exe 112 PID 4828 wrote to memory of 4736 4828 GuidoAusili.exe 112 PID 4828 wrote to memory of 4736 4828 GuidoAusili.exe 112 PID 4828 wrote to memory of 1456 4828 GuidoAusili.exe 114 PID 4828 wrote to memory of 1456 4828 GuidoAusili.exe 114 PID 4828 wrote to memory of 1456 4828 GuidoAusili.exe 114
Processes
-
C:\Users\Admin\AppData\Local\Temp\3987f0815c1db6dbcb4b03a9bcdb2350a25178f7e7942dcc4a0fc6f0da1dacc7.exe"C:\Users\Admin\AppData\Local\Temp\3987f0815c1db6dbcb4b03a9bcdb2350a25178f7e7942dcc4a0fc6f0da1dacc7.exe"1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4528 -
C:\WinGuido\GuidoAusili\GAStart.exe"C:\WinGuido\GuidoAusili\GAStart.exe" GASTARTCOUNT12⤵
- Checks computer location settings
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4944 -
C:\WinGuido\GuidoAusili\GuidoAusili.exe"C:\WinGuido\GuidoAusili\GuidoAusili.exe" DASTART GASTARTCOUNT1 GASTARTCOUNT13⤵
- Checks computer location settings
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3240 -
C:\WinGuido\GuidoAusili\GAStart.exe"C:\WinGuido\GuidoAusili\GAStart.exe" GASTARTCOUNT1 GASTARTCOUNT1 GASTARTCOUNT24⤵
- Checks computer location settings
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1456 -
C:\WinGuido\GuidoAusili\GuidoAusili.exe"C:\WinGuido\GuidoAusili\GuidoAusili.exe" DASTART GASTARTCOUNT2 GASTARTCOUNT1 GASTARTCOUNT1 GASTARTCOUNT25⤵
- Checks computer location settings
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Checks SCSI registry key(s)
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:4828 -
C:\Windows\SysWOW64\taskkill.exe"C:\Windows\System32\taskkill.exe" /F /IM explorer.exe6⤵
- System Location Discovery: System Language Discovery
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:4352
-
-
C:\WinGuido\GuidoAusili\GAStart.exe"C:\WinGuido\GuidoAusili\GAStart.exe" CHECK GASTARTCOUNT36⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:3844
-
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass -Command "Add-MpPreference -ExclusionPath ""C:\WinGuido\GuidoAusili"""6⤵
- Command and Scripting Interpreter: PowerShell
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1168
-
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass -Command "Add-MpPreference -ExclusionPath ""C:\WinGuido\"""6⤵
- Command and Scripting Interpreter: PowerShell
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4736
-
-
C:\WinGuido\GuidoAusili\GABack.exe"C:\WinGuido\GuidoAusili\GABack.exe"6⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1456
-
-
-
-
-
-
C:\Windows\System32\rundll32.exeC:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {3eef301f-b596-4c0b-bd92-013beafce793} -Embedding1⤵PID:1980
-
C:\Windows\system32\AUDIODG.EXEC:\Windows\system32\AUDIODG.EXE 0x4f8 0x1501⤵
- Suspicious use of AdjustPrivilegeToken
PID:1292
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
1KB
MD53bd24c67b3fd63ec5c6660c1f81089ba
SHA101a2ef2c0f615802a971546767c066b4bebb07e6
SHA25686fe0bb2d64aecddb95d30c2fc51432123a56e3f159b5450d05e141ab8c14c01
SHA5122c4be4202092df963dab3de3f963c0c4bf1894ea561c61d33027a274ffc1dff3bebfe3fe0d59cc8a4bbdb1f489f99664172f21ad9d97a91acc6ab00b0ad91325
-
Filesize
1KB
MD53ecbe9f7edb535445e6660f6829305b4
SHA1fb338eb12b6957a6293bd95bdf2825d8ff9acac9
SHA256a544980d23f5b61bfdf809668cc605fc81be8e0cbfc0ec1c602fe548c2df73c5
SHA512f1461c5d2863e614db2254379670e122c7d923bf54622b11bd61d7fc919cfa7136c29621bacebe2f316b9955bfa4ee271d3d099d653f05802649ebb16a1f7b6e
-
Filesize
2KB
MD5968cb9309758126772781b83adb8a28f
SHA18da30e71accf186b2ba11da1797cf67f8f78b47c
SHA25692099c10776bb7e3f2a8d1b82d4d40d0c4627e4f1bf754a6e58dfd2c2e97042a
SHA5124bd50732f8af4d688d95999bddfd296115d7033ddc38f86c9fb1f47fde202bffa27e9088bebcaa3064ca946af2f5c1ca6cbde49d0907f0005c7ab42874515dd3
-
Filesize
18KB
MD570210e9bc08f6cb2a192ba8b6a232c0d
SHA1fcb984dc65dbd12601e13a1269ec78e9fca5dc7c
SHA256372baa4e8f861f72412e9316a7da4a6ddb29a3903d57cb2a4ae0baaa9f846c2e
SHA512179f9b7985d16bac312b2e6b785e92e602280303c682becf7efd9edf357e383a8f8b53a248b937fb39ca9c91509a012ca2fe72aa296ba589af471118849d84a4
-
Filesize
60B
MD5d17fe0a3f47be24a6453e9ef58c94641
SHA16ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA25696ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA5125b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82
-
C:\Users\Admin\AppData\Local\speech\Microsoft\Speech\Files\UserLexicons\SP_2E6507A487AB43D2B3AA646F069653CD.dat
Filesize940B
MD504139835f281a15b81b1bc9a5c2170a2
SHA1ae89a9765ff3a0f6e163d974da691fdb1fba1945
SHA256637650251f7e2f02b6674ce28354a27780bef7f95d31c687af257ec1429cc64f
SHA51211a7dc68a911e86012dc30541f4a23e8bc0b6c470af34be59d67541488cd685f60c008af27f2fbbd3e05f56537c81f11c1e4977061d83b596fa61b2876ac46e3
-
Filesize
124KB
MD5d3049bfab186cd87c5e25c041a2e39e5
SHA1eb136d8fb0488878d6646eea3d65ce62cd5eb668
SHA2568bdbea0849298df7842c1a5cd92b500d10e94306322ea52eaa1f98ed40516638
SHA51205378a294e5a29def2b0f11983d9a0b30de58fd4897065de654528ffd59822e5c279bd0557e478bb404a19c41a4fc9443b557030231a8b5934af77a180ab229b
-
Filesize
128B
MD5e8a60e3ade1f90f23925f900eb179da2
SHA15ccc36c7cf3ff8256e09afe9d056b523916c47c8
SHA256d830321397349076f39584138b5995e2768ac0842bf561650c089e3adf02badd
SHA51281e79d1669db9cc1ac9fd5a8edeac573e14f4f095fc1f897da8c9a04e97efbc4234715f1f66dc4ba400c153fc950408eabeec176014f1f52f030fe76f7493643
-
Filesize
161KB
MD5acdba8c5d8662aba0145c46f6f5c839a
SHA1857668c82e9235f081b777964068053562c15399
SHA256644b40f1191fc88889ddafe2b286e0f74c647b94d1e98d1799de81c6eebb9ece
SHA512899d9bba82d412a12906d9e518192159039e31be887301ad678ad21ce35ddbc2b027dd24db79abb9c64c3d839c9ffd9828ea675208ec6ed7135ddbb974b9d152
-
Filesize
23KB
MD5a2e0cc453f3f9b0eda6fec6051121995
SHA1c9cfe8f2dc243df4dbd8aefe7d325af28fd03dd6
SHA256d40f06f1dd15ee7f18e8af277d09326c36667b03916f2548e899a8b57e6bbffe
SHA5121464410bee02d4798d4167ebc57fd1a98baaeb3cbff8a50babd348fa128c9315d5798e740ec61b83a1db49b0642c134a55dd86a81553a892b079b8dec2fd0e2c
-
Filesize
439KB
MD58ba5872919caa6c2812e7881f1d18414
SHA1acc4c455452d67170d6b89e572cfdb1e098b9a85
SHA256eb745145c55cb5d3b6d1ba17a2dbfd9ceeda3125c211dbd90773277e1f24bf49
SHA5126b571fce97e2fd26ab7cf223ebe8d56f557863c45228f4e26002c7e8ee77eabae3a2debd138673e5307391333e65180d748bff20939ec8271c2c8924cf78d50c
-
Filesize
2.1MB
MD5590afabdd9574b338516934d48ed9668
SHA105ea3c1c1131f7a898e7c6345c9dee3dfd37d8b4
SHA256c1879a9d03a82e61e7741fcd737312b19d266fec9d7257b086ee5de499bbb726
SHA5120d55966f07c90e445c18d43dcaf7736e9e84e3f566313b321689ff65f8288591552c176f857c7dae2b1fc2b5ad9e92aafc3c9c55194a520c63f903eef8c7e2cb
-
Filesize
191KB
MD5e6e4f87c1828e67d5c5bcf778f1ad70e
SHA1004ce674fb7ba50d2a3fa8fd600ffa7020150879
SHA25637da3f7d024777426bbc5ccd882cadd0050c6296f513023b9f3c91a946d0c1b3
SHA512e6eb06efcafd78d0ce9743a3ff001e9c0ed9b5057ffd313a38828315b94e8d440441ddb6d32fc55988e33f0f76480ec72d26f6fc66307a115ad0ac0c8164ffb5
-
Filesize
28KB
MD5177b1771a219d51bae8f6af2302ec2f0
SHA194a63a825ffde6f0162c5bf284fa7e87c118dbac
SHA2568809840e6781e023dd8f7b725236780cf824690ca89301e4ef8b2d17e1297031
SHA512c49b0b643e684bb0bad07ae8b395f6beaa1b0bcedcff16eeccccafe934da922cd710ae7bb45cafaea1a1ff891de57983cd6e52395b20b120527d97296d539a9b
-
Filesize
60B
MD568fe99ba82113d56be2d7771ddf122de
SHA128744137b5aaba539bf1722051b496ba1a2bcad1
SHA256d31982219c247eaf362e75b4b35bed6149648d4ff96cfc5a6d2069069e1541c7
SHA512b24542c437c41fcbcbb66a49db33fc38d989b6445c208456628c00c45c9dc92611e2c5b0647fe6c9f12cf8ce3668619392e606ea36a6dd614de4d74efd6e6e47
-
Filesize
69KB
MD565649c35f341359276e5a284146a4d4e
SHA14392be1b7fb3cf6ea46e12f025cc0af00b12e49d
SHA256c1534cc27b181b0c684daaa68ee12d418af940d5aa3b1b181d734e4e64a7358d
SHA512ce24442fff5f962e1745043b87a89f6869ee8584f641aec2b62e989460668ed9017a8054ade36df6f83f2ec9d39fa10ac7fce4dbde551c086fff7676775e00aa
-
Filesize
4KB
MD55abf0e7c37e411a9dab0813df83b4158
SHA160ed29c7a91d54c4edbdfb4b957e91661abd9cd5
SHA256d4385462ab483a473d84c563762ebd688b6fb53f10e9ad3f62d3c6199b3ea455
SHA512cc8e28c13bdb7e56371963937c48b593cfaefcbf1a0c8b3f7ddc2696013312afbf34909fe6c1b88702c44f42cd9dd361f226c15e0c6b69cb2be743c08399f618
-
Filesize
23KB
MD5dbd8bc6438e1011ca1b796c7a9c78d78
SHA19184d63d8335efecf3ea02845fd1f027e7edaa0a
SHA256280fdcaf69c8f7145446c8bc342fa4a0c7ff0abfed111c5f72b520f479fde785
SHA5121536aa27db27c9ad52c4f5fcd5acd584a520afeb2bb30aaeca03682b3737fa7820fe0eb1d7a2e0951202e5383287edf8539b0939d2587a741729ab19c8f281f3
-
Filesize
1KB
MD51ed5cc20071980ddc2f081af4d3be0a5
SHA1548d12c8abf3a0b696487087fc2b370f52de455d
SHA25618eac85da718d515287d97da93589d03acd793843b6256d27701992c66c8cc13
SHA51257178babb9a98139e2954fcc9db0cf5b8b8871bb00747a9f3c827c0ed9293abe1c09a359575a3f28e2c2f8d092c808434640f01402bcca489d3916cb1b291495
-
Filesize
108KB
MD5bf7c061d396c1399ec1446540d5221cc
SHA1d5f356cd39d09ab737ab255f82e0e0c24ba891a0
SHA256eb245fff873becd30b79260cac031d1c58bf93c6e7aa5a76d6bfac6cd1bcb411
SHA512acdb828afabc41d54e5fed2737381b1ffd365783c293ba2a9cd0c3f8c41a6b537fee3e1d02c06a0513475570a313ce923bfb76e0b6f5fd46ecdea44a991e66e6
-
Filesize
80KB
MD5acf8a82427e1a19c15c0cc8ecf02d22c
SHA1e1c5dcf600940dc5f418865b55a42a6b3c33d91c
SHA2562226d189eed45887409670dbcfbfe5dc7f64b380f67e566123133166a4ac9754
SHA51235df4a06036db2e4f49366852d193d31ee7d90ddd79c8c5f6723577674e7edb1f8046b15235d126f51baa33135f7fc4c6c76745a1ce70a848b41c275dc9f67f7
-
Filesize
23KB
MD5563247eb3b6d2000b27cfaefe76d7393
SHA174460b9ccde7358dd50e6738009ebc67ad4dcc54
SHA2568b8fbc194d4fad9454fd1c67dc9ce1374eb1027d4e22456577baa1e0f489d068
SHA512da5ffc901dc4f267cdf53f912db5aab0707c56fc1e6eb86f73ecc94b99babfbc9fddff97827b9c0b860d7d40a320374b764aade4b794fd01b7d891ff5b66b85e
-
Filesize
236KB
MD5b92eff9243f63eec5fb5675b30a0f324
SHA16b2a4b228c161bb92785e0e5a47f5bc9db2af44e
SHA256356f6361960ad64834f87341aa3d14cde392e5ca6548ef906ecea01591d71cac
SHA512aa66c5e9686dc146499fcb8277ca86c8058fd9f2c03ca2700aef8a12d960cd3dca92a8e0c1b0165e3e508c7fc7848900b40ecbb11a9a495909ba88b0e0179097
-
Filesize
51KB
MD51734919e44bc6924d99b3dc03d6afbcb
SHA177147382584151a0676b67ca47f4b27c022d2080
SHA2569ced3f4811e31d71f12ebc72f94f046ef1f6fe9a15785ecc1b6635355cdec637
SHA512ad7675206b7c00ab0ecd55d70b2039d7c22da4738fc111988ed8ec0546881bcc47066a400dc627846795d00bc394b2f1e59ad6c09ca6727b6102d4c4e65fc5e9
-
Filesize
304KB
MD50fbd8fdcc7bc662e4a9c8d57a9910170
SHA10a9ce715771a5b67ab4e2a70409195fd0f9dcd1d
SHA256d6cd7483f0613d84466ee23aece16d872a065dc1ae61471f788fb7eaab97972d
SHA512da3a5bdf1f7b96e1cd327acde2ac9deb43ad2cd904776e91c8e9d65460ebbce8d00a022f8e64ffcaa3ba0df82302fe1cfd6d92cefec04c3f8721b428d0631f77