61238709fc9ffce58efe7d3cff8fc2495d18682472144f7b4a0f38695c04b34d

Analysis

max time kernel
118s
max time network
118s
platform
windows7_x64
resource
win7-20231129-en
resource tags

arch:x64arch:x86image:win7-20231129-enlocale:en-usos:windows7-x64system
submitted
19-01-2024 12:57

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Spchapi.exe
Size

824KB
MD5

d421da9b6a100bf58c7c6d585c73ed4c
SHA1

79521256aab1fc5d01a661ed0cdff45a88ab2ace
SHA256

8955ee03217bc2539e2f80e58f51d30aa97e7512d96592f098133c8036e363dd
SHA512

ca0b75d1a07b125cf3b774483e098a9095d18ee8c1a277a2ff6aeeeef1e1d74a5e55855dbf7f13cc96a82423203ea86336372d48d483dc600d3ead38fe746c60
SSDEEP

12288:Kz/V2AMT1VXCE92eGFj+oOR98ikw/o1FXDoOci+kyYo3gJqr0KHemtRH/d+w2NHf:Kz3yVyEQFIiwQYiBLU0Kt1p2lRIWT

Score

8^/10

persistence

Malware Config

Signatures

Modifies Installed Components in the registry 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\software\Wow6432Node\microsoft\Active Setup\Installed Components	Spchapi.exe

Loads dropped DLL 1 IoCs

pid	Process
624	Spchapi.exe

Drops file in Windows directory 50 IoCs

description	ioc	Process
File opened for modification	C:\Windows\speech\SET1104.tmp	Spchapi.exe
File created	C:\Windows\speech\SET113E.tmp	Spchapi.exe
File opened for modification	C:\Windows\speech\Vdict.dll	Spchapi.exe
File opened for modification	C:\Windows\speech\XTel.Dll	Spchapi.exe
File opened for modification	C:\Windows\speech\SET1103.tmp	Spchapi.exe
File opened for modification	C:\Windows\speech\SET1118.tmp	Spchapi.exe
File opened for modification	C:\Windows\speech\SET1129.tmp	Spchapi.exe
File created	C:\Windows\speech\SET112B.tmp	Spchapi.exe
File opened for modification	C:\Windows\speech\SET113D.tmp	Spchapi.exe
File opened for modification	C:\Windows\INF\setupapi.app.log	Spchapi.exe
File opened for modification	C:\Windows\speech\SET10E2.tmp	Spchapi.exe
File created	C:\Windows\speech\SET1105.tmp	Spchapi.exe
File opened for modification	C:\Windows\speech\speech.cnt	Spchapi.exe
File created	C:\Windows\speech\SET112C.tmp	Spchapi.exe
File opened for modification	C:\Windows\speech\SET10F3.tmp	Spchapi.exe
File created	C:\Windows\speech\SET1129.tmp	Spchapi.exe
File opened for modification	C:\Windows\speech\SET112A.tmp	Spchapi.exe
File opened for modification	C:\Windows\speech\Xlisten.dll	Spchapi.exe
File opened for modification	C:\Windows\speech\Xvoice.dll	Spchapi.exe
File created	C:\Windows\speech\~TMP4352~.TMP	Spchapi.exe
File opened for modification	C:\Windows\speech\vcmshl.dll	Spchapi.exe
File created	C:\Windows\speech\SET112A.tmp	Spchapi.exe
File opened for modification	C:\Windows\speech\SET112B.tmp	Spchapi.exe
File opened for modification	C:\Windows\speech\VText.dll	Spchapi.exe
File opened for modification	C:\Windows\speech\spchtel.dll	Spchapi.exe
File opened for modification	C:\Windows\speech\vcauto.tlb	Spchapi.exe
File opened for modification	C:\Windows\INF\spchapi.inf	Spchapi.exe
File created	C:\Windows\speech\SET1103.tmp	Spchapi.exe
File created	C:\Windows\speech\SET1104.tmp	Spchapi.exe
File created	C:\Windows\speech\SET1119.tmp	Spchapi.exe
File opened for modification	C:\Windows\speech\SET1105.tmp	Spchapi.exe
File opened for modification	C:\Windows\speech\speech.hlp	Spchapi.exe
File opened for modification	C:\Windows\speech\vcmd.exe	Spchapi.exe
File opened for modification	C:\Windows\speech\Xcommand.dll	Spchapi.exe
File opened for modification	C:\Windows\speech\SET112C.tmp	Spchapi.exe
File created	C:\Windows\speech\SET10F3.tmp	Spchapi.exe
File opened for modification	C:\Windows\speech\SET1106.tmp	Spchapi.exe
File created	C:\Windows\speech\SET1118.tmp	Spchapi.exe
File opened for modification	C:\Windows\speech\WrapSAPI.dll	Spchapi.exe
File opened for modification	C:\Windows\speech\vtxtauto.tlb	Spchapi.exe
File created	C:\Windows\speech\SET1106.tmp	Spchapi.exe
File created	C:\Windows\speech\SET1117.tmp	Spchapi.exe
File opened for modification	C:\Windows\speech\SET1119.tmp	Spchapi.exe
File created	C:\Windows\INF\SET115E.tmp	Spchapi.exe
File created	C:\Windows\speech\SET10E2.tmp	Spchapi.exe
File opened for modification	C:\Windows\speech\SET1117.tmp	Spchapi.exe
File opened for modification	C:\Windows\INF\SET115E.tmp	Spchapi.exe
File opened for modification	C:\Windows\speech\speech.dll	Spchapi.exe
File created	C:\Windows\speech\SET113D.tmp	Spchapi.exe
File opened for modification	C:\Windows\speech\SET113E.tmp	Spchapi.exe

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{92655FB1-ADF9-11d1-BEB9-006008317CE8}\InprocServer32\ThreadingModel = "Apartment"	Spchapi.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{090CD9A5-DA1A-11CD-B3CA-00AA0047BA4F}	Spchapi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{e4963d40-c743-11cd-80e5-00aa003e4b50}\ = "ITTSBufNotifySink"	Spchapi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{582C2191-4016-11D1-8C55-0060081841DE}\TypeLib\ = "{582C2183-4016-11D1-8C55-0060081841DE}"	Spchapi.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{B9BD3860-44DB-101B-90A8-00AA003E4B50}\InprocServer32	Spchapi.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{CCFD7A60-604D-101B-9926-00AA003CFC2C}	Spchapi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{090CD9A4-DA1A-11CD-B3CA-00AA0047BA4F}\ = "ISRGramInsertionGUI"	Spchapi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{A02C2CA3-AE50-11cf-833A-00AA00A21A29}\ProxyStubClsid32\ = "{C63A2B30-5543-11b9-C000-5611722E1D15}"	Spchapi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{53961A07-459B-11d1-BE77-006008317CE8}\InprocServer32\ThreadingModel = "Apartment"	Spchapi.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{FC9E740F-6058-11D1-8C66-0060081841DE}\InprocServer32	Spchapi.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{B9F11A95-90E3-11d0-8D77-00A0C9034A7E}\InprocServer32	Spchapi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{A26D7621-6FA0-11ce-A166-00AA004CD65C}\	Spchapi.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Speech.VoiceText.1\Clsid	Spchapi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{05EB6C61-DBAB-11CD-B3CA-00AA0047BA4F}\ = "ISREnumA"	Spchapi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{238004E2-F0C4-11d1-BED9-006008317CE8}\ = "IVDctText2A"	Spchapi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{2398E32F-5C6E-11D1-8C65-0060081841DE}\Control\	Spchapi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{FD7C2320-3D6D-11b9-C000-FED6CBA3B1A9}\ = "IAudioFile"	Spchapi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{53961A08-459B-11d1-BE77-006008317CE8}\InprocServer32\ThreadingModel = "Apartment"	Spchapi.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{EEE78591-FE22-11D0-8BEF-0060081841DE}\Insertable	Spchapi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{A26D7621-6FA0-11ce-A166-00AA004CD65C}\1.0\ = "Voice Command Object Library"	Spchapi.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{6A8D6140-E095-11cd-A166-00AA004CD65C}\ProxyStubClsid32	Spchapi.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{090CD9A4-DA1A-11CD-B3CA-00AA0047BA4F}\ProxyStubClsid32	Spchapi.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{599F77E1-E42E-11d1-BED8-006008317CE8}	Spchapi.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{88AD7DC0-67D5-11cf-9B8B-08005AFC3A41}	Spchapi.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{FC9E740F-6058-11D1-8C66-0060081841DE}f	Spchapi.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{D3CC0820-604D-101B-9926-00AA003CFC2C}\ProxyStubClsid32	Spchapi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{05EB6C65-DBAB-11CD-B3CA-00AA0047BA4F}\ = "ISRGramDictationA"	Spchapi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{090CD9A9-DA1A-11CD-B3CA-00AA0047BA4F}\ProxyStubClsid32\ = "{B9BD3860-44DB-101B-90A8-00AA003E4B50}"	Spchapi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{05EB6C68-DBAB-11CD-B3CA-00AA0047BA4F}\ = "ISRResGraphA"	Spchapi.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{8763AFD2-7ADE-11d1-BEA7-006008317CE8}	Spchapi.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D67C0280-C743-11cd-80E5-00AA003E4B50}\InprocServer32	Spchapi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{090CD9AD-DA1A-11CD-B3CA-00AA0047BA4F}\ProxyStubClsid32\ = "{B9BD3860-44DB-101B-90A8-00AA003E4B50}"	Spchapi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{05EB6C6D-DBAB-11CD-B3CA-00AA0047BA4F}\ProxyStubClsid32\ = "{B9BD3860-44DB-101B-90A8-00AA003E4B50}"	Spchapi.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{582C2191-4016-11D1-8C55-0060081841DE}\Insertable	Spchapi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{EFD0E6BA-DB5F-11d0-8FAC-08002BE4E62A}\InprocServer32\ = "C:\\Windows\\speech\\Speech.dll"	Spchapi.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{B3613DA0-E26E-11d0-8FAC-08002BE4E62A}	Spchapi.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{B9F11A95-90E3-11d0-8D77-00A0C9034A7E}	Spchapi.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E97F05C1-81B3-11ce-B763-00AA004CD65C}	Spchapi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{90A84EA0-6E51-11D0-9BC2-08005AFC3A41}\ProxyStubClsid32\ = "{C63A2B30-5543-11b9-C000-5611722E1D15}"	Spchapi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{89F70C30-8636-11ce-B763-00AA004CD65C}\ = "Speech Recognition Enumerator/Share Object"	Spchapi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{F9D18BF8-E0ED-11d0-AB8B-08002BE4E3B7}\InprocServer32\ = "C:\\Windows\\speech\\SpchTel.dll"	Spchapi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{EE39B8A0-6053-101B-9926-00AA003CFC2C}\ = "IVCmdDialogsW"	Spchapi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{090CD9B0-DA1A-11CD-B3CA-00AA0047BA4F}\ = "ISRNotifySink"	Spchapi.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{9B445336-E39F-11d1-BED7-006008317CE8}	Spchapi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{6D40D820-0BA7-11ce-A166-00AA004CD65C}\LocalServer32\ = "C:\\Windows\\speech\\vcmd.exe"	Spchapi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E8F6FA20-E095-11cd-A166-00AA004CD65C}\ProxyStubClsid32\ = "{C63A2B30-5543-11b9-C000-5611722E1D15}"	Spchapi.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{9B445331-E39F-11d1-BED7-006008317CE8}\ProxyStubClsid32	Spchapi.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{6B837B20-4A47-101B-931A-00AA0047BA4F}	Spchapi.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{EEE78591-FE22-11D0-8BEF-0060081841DE}\ProgId	Spchapi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{FC9E740F-6058-11D1-8C66-0060081841DE}\MiscStatus\1\ = "131473"	Spchapi.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{53961A05-459B-11d1-BE77-006008317CE8}	Spchapi.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{2398E321-5C6E-11D1-8C65-0060081841DE}\1.0\0	Spchapi.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{80B25CC0-5540-11b9-C000-5611722E1D15}	Spchapi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E0DCC220-604D-101B-9926-00AA003CFC2C}\ProxyStubClsid32\ = "{C63A2B30-5543-11b9-C000-5611722E1D15}"	Spchapi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{05EB6C68-DBAB-11CD-B3CA-00AA0047BA4F}\ProxyStubClsid32\ = "{B9BD3860-44DB-101B-90A8-00AA003E4B50}"	Spchapi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E97F05C0-81B3-11ce-B763-00AA004CD65C}\ = "IEnumSRShareW"	Spchapi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{90A84EA1-6E51-11D0-9BC2-08005AFC3A41}\ProxyStubClsid32\ = "{C63A2B30-5543-11b9-C000-5611722E1D15}"	Spchapi.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{66523042-35FE-11D1-8C4D-0060081841DE}\Version	Spchapi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{090CD9A3-DA1A-11CD-B3CA-00AA0047BA4F}\ProxyStubClsid32\ = "{B9BD3860-44DB-101B-90A8-00AA003E4B50}"	Spchapi.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{090CD9A2-DA1A-11CD-B3CA-00AA0047BA4F}\ProxyStubClsid32	Spchapi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{35522CA0-67CE-11cf-9B8B-08005AFC3A41}\ = "Voice Dictation Manager"	Spchapi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{FF2C7A50-78F9-11ce-B762-00AA004CD65C}\ = "IVTxtAuto"	Spchapi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{6D62B3A0-6893-11cf-9B8B-08005AFC3A41}\ProxyStubClsid32\ = "{C63A2B30-5543-11b9-C000-5611722E1D15}"	Spchapi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{A26D7622-6FA0-11ce-A166-00AA004CD65C}\TypeLib\ = "{A26D7621-6FA0-11ce-A166-00AA004CD65C}"	Spchapi.exe

Suspicious use of AdjustPrivilegeToken 7 IoCs

description	pid	Process
Token: SeRestorePrivilege	624	Spchapi.exe
Token: SeRestorePrivilege	624	Spchapi.exe
Token: SeRestorePrivilege	624	Spchapi.exe
Token: SeRestorePrivilege	624	Spchapi.exe
Token: SeRestorePrivilege	624	Spchapi.exe
Token: SeRestorePrivilege	624	Spchapi.exe
Token: SeRestorePrivilege	624	Spchapi.exe

Suspicious use of WriteProcessMemory 7 IoCs

description	pid	Process	procid_target
PID 624 wrote to memory of 2956	624	Spchapi.exe	28
PID 624 wrote to memory of 2956	624	Spchapi.exe	28
PID 624 wrote to memory of 2956	624	Spchapi.exe	28
PID 624 wrote to memory of 2956	624	Spchapi.exe	28
PID 624 wrote to memory of 2956	624	Spchapi.exe	28
PID 624 wrote to memory of 2956	624	Spchapi.exe	28
PID 624 wrote to memory of 2956	624	Spchapi.exe	28

C:\Users\Admin\AppData\Local\Temp\Spchapi.exe
"C:\Users\Admin\AppData\Local\Temp\Spchapi.exe"
1⤵
- Modifies Installed Components in the registry
- Loads dropped DLL
- Drops file in Windows directory
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:624
- C:\Windows\SysWOW64\grpconv.exe
  grpconv.exe -o
  2⤵
  PID:2956

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\MSVCRT.DLL

Filesize
260KB

MD5
63da4613383ec70e047b4cd5c48f0b05

SHA1
578dd3ee844678c24c0831b6cc61a7dfae410bdc

SHA256
d4287ab5e4988dfe99bd54243d50dbe8744094f11fe5f9809a1a6fb9728c2124

SHA512
0fe7226cba7984f22367d03dafe568e8c0e44956a831fda93d4bd8ad9cbc9ee87dc03e4a56696c0bb0e5f8ec27a304c06cdb56c52d87263362359523f0a220a6

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\SPCHAPI.INF

Filesize
57KB

MD5
b00f1393bf87560945b6b38425998a79

SHA1
2fe00a212f952f7e4a53d53880ac90ef8d8c32e5

SHA256
9e7e55b61d3619729829b263e0af2320223c7eda74eadb2644c63d728405c86b

SHA512
854222c8d68ac0d556fe0fb4e1bbcdccde963bf1fe82c1689dd86439a519d8afb5c9db7bca4939fbde011dd4c84c09610b779adc64a18f0caaa57783ce29c7ef

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\SPCHTEL.DLL

Filesize
243KB

MD5
c546b50be180b4f7810fd78c7fe8433f

SHA1
d7b071eaff8d0498724c1e779731db51e41c900c

SHA256
ea6b0454ac40794ce46a6fd8fd244179cfe76293b18cdb52f02b372dc0f64d1d

SHA512
34ef3830a489510b42dbe0b084d3e688f7558ad2f806e344b760d5e25744763792ca52a664c312a47417cf629a74ddec302f47eed813e76316ae2e5aaaf6612d

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\SPEECH.CNT

Filesize
207B

MD5
4653630ff6f8405f6d26000802e638ac

SHA1
3e6978815d5e0465c7ec557a2da4c253fe89427d

SHA256
51d0efea836528cb137914a6dd77f049cf0457245fdfd608c3936605adb11c57

SHA512
961db65e440dd831f2b490d4c80f306047e65cc0ef6f1c921a732b89a11b289b84e8556d4711ab9af0821cb01f4cb84f8ceccd51865448f93a28f5a02678805d

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\SPEECH.DLL

Filesize
549KB

MD5
898fc91bf6424f629e933273b6e46ffd

SHA1
2c777a8cb7f6e9a469f6d6486c98e70414949acd

SHA256
171d545ca7d10188875fcf103b664be2195996bbed2bd4dacfa8cfe827f1a441

SHA512
de7815a04cbddcff2c2ebef4c6d441936314924f6bdce3b3fb4a8bd4b62b761c7dbb3b99a12deb45b23b186f42a431d67b43fb9950f3d447ee9f721bf6cf6ffc

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\SPEECH.HLP

Filesize
13KB

MD5
a7db03e26dd567b3ec5804d5064c738c

SHA1
37abaf849e1cbc0eacd545c19e7ad81d947c113a

SHA256
56dbafcfa4a628fcd20e49bf169115bafe596104f8dd51d2aac8d7cabb452c3a

SHA512
d7f033695ac098a07f6d7cd00f0bee86bd581d3ab9b8f4b5073337fcb1277b5a49a99ea7d65819587ce2d807e0652c7ea0d98524f1cc934be64776c25d2daee5

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\VCAUTO.TLB

Filesize
7KB

MD5
695b08aa62b0dd9031fafcc1bb2a16d6

SHA1
1b151114b4f1fff8b3ddac92f4e8b3de2cc02ff3

SHA256
0e74c1dcbcb38daeb9d505b94f74b32ad8d37e8a26ef4022d46999eb3727720d

SHA512
f0a816783fe19a740c50cef76f5747ba19f86fbb41ee95d53c234f0bdb1e28e7d9badf55fef6e7e8e1b9d1d656ef5c4f5d59baa418fe6968e42a083963b3f128

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\VCMD.EXE

Filesize
372KB

MD5
367351856db877b6c659dc42dbc89df0

SHA1
6725fba6e42487929f75c59fddf44c8d090a50e5

SHA256
6b2c21142bbb3050101606f05956a60dbe04f971bd8034d918731f8e9450cd35

SHA512
2c5ea481d64203751fa059bbf54e17a826df8a89d73d923dc4c5a68a0c25687cc3d74e511cd740eb801c6210c18a51bf268d3dfb9648a83eed137bd384640634

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\VCMSHL.DLL

Filesize
152KB

MD5
2f8c18e8e067f6b84bf8c6c482862a70

SHA1
1c350c5a4674115cb8ba5620ec61fbebcd8fe974

SHA256
437ae2139661f2fb5fd97b34ee751521db477ee8c3454c920c5480020aaf94f8

SHA512
1a5a4d6064cfa35106c865661249d1023ab777b1c216c34dc0e86df435338cf1f8d8589fb567d34956e71a607db4aa8ce43039f42d5fa3ddd0c68506064588e5

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\VDICT.DLL

Filesize
175KB

MD5
6dc843c473b68ea93202a32b6445c765

SHA1
3616292d1b84b9273471af195927d422d7fb9394

SHA256
08b35a07bf0dd5b231f7b25aa48476a7f78c9fca7a76c047103025d1a95952fd

SHA512
77623c61303b1f5fafb5d5af3e1d409af37ed3bd8c8c8bdf83206f2b5ba248553758696cf16835299f2267265689ce0fcb8564cf6823074257ce6964ac0bd517

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\VTEXT.DLL

Filesize
169KB

MD5
c0a7306a302dd35145a37286dcfe6e04

SHA1
beba434997c5f60e988bd98928c13273996cb516

SHA256
b7a0114e8bd9875e98fa6c98215d3b4582e0d1eae9b799b912145e88095ee815

SHA512
ada43188cbf3d877ed055fc4a7395482a7a0adff6268880685b450f2f79c081aa8499f4770cd70c70c146002ac7fd516421202e275a71568872b879d0696d80a

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\VTXTAUTO.TLB

Filesize
6KB

MD5
283c7d582752fc0c025421fca7b7e1d0

SHA1
ee6149b8023ec61b18b098ec3e37648c610c51a3

SHA256
544b33cf240a425cccc910269c68b99b411b2374571ab8af51a490f9cc277f77

SHA512
844a6689000afc5fa724e1e1fbd4e4efc6ba6f67a4c5d2ef88c0c963feb5f9cbc62779affc11c318bef4b049a77d6818b0b2f8fd0c85cd14e6ae7414885b482f

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\WRAPSAPI.DLL

Filesize
52KB

MD5
8ccb0967e7371d64933fca913065789f

SHA1
63173da8984611aca496a253dba336af23aeb558

SHA256
8e0a80b885a73c8b62e87ab7f2a4b06a556b4db37a1fba9b37db2629f4c36a49

SHA512
9064f27f70b7a4e48dd9fac1954060fbdb5d5b35355f7be5c8a1221cc931ef20df7e4543b28e4416f86ed0c56b6a2a204d78db4c70e298bd29db5ccab2349d3a

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\XCOMMAND.DLL

Filesize
125KB

MD5
198c46362e9e7742f7efafd936624bed

SHA1
87b628c2a14a1c5897fd0281a682e9bdcb32bfcc

SHA256
0bd009b376f9ee2c2cea181adc0014c6c9ba91a4eaf7a3b98441a1696d302e89

SHA512
8c747cb697294df0daf092c8f139ffd18c92a098b1b709359739644029b5523d6b5d9ac80d11e1a4fe885ad13fe8a810222d6d609997b722ae0908421f9168a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\XLISTEN.DLL

Filesize
204KB

MD5
ce7367a398dd2d0f77041316906114fb

SHA1
128bbde9b589b94f88ae9799043b3c05fdc73990

SHA256
287fec5f90f973a5aa4100bdbca1c9cbb0e242f908d218b975b9623ea25f9393

SHA512
a5151b5ff83ed72288e76e9f7637ea83746e61a2d9b13476cec6ddbb072c36b4c5929c40dd0c39a600338a9d8c4a5bebad304b0d29d9f4050a67ec2e894b8519

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\XTEL.DLL

Filesize
199KB

MD5
69c2b85b9db59f7ad8d04e6dbfbde511

SHA1
4547a87c80b3ff9e2a148f7c0822c2495240aa5c

SHA256
c32846fab920f5da84005aa169ff259c54a3b9504faabc52f2f53d240ed2418e

SHA512
e677a28a20b4b481d87cd2007dfc3d6f8b88dcd0cdf25df988a43b8480458a37c145ecb8a9ff48ae41586fb571230e79208ba7baf74dd27b78d93412fbe1ea11

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\XVOICE.DLL

Filesize
191KB

MD5
06201e3ce75755e5eb4138a0a3e1925b

SHA1
05296f4e2774b9c3270365bf19304bf28e13fd51

SHA256
2bb50939fa7068791eea58c1fe6b112bcf5bb423ca55b9698411957a6f82d1b8

SHA512
0bdd01a7f42a3b6de0ca094d55d79437897e2f329751735097d2b7c4ed07792ba81c07544ec9a1f8c89a9472b57b3067dc204bd773721ab8398637949ae74d77

Download Submit
\Users\Admin\AppData\Local\Temp\IXP000.TMP\ADVPACK.DLL

Filesize
73KB

MD5
81e5c8596a7e4e98117f5c5143293020

SHA1
45b7fe0989e2df1b4dfd227f8f3b73b6b7df9081

SHA256
7d126ed85df9705ec4f38bd52a73b621cf64dd87a3e8f9429a569f3f82f74004

SHA512
05b1e9eef13f7c140eb21f6dcb705ee3aaafabe94857aa86252afa4844de231815078a72e63d43725f6074aa5fefe765feb93a6b9cd510ee067291526bb95ec6

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads