87bc71b36b242a954f6dac19f466de0944becce465b37825552c1ba9703a19a8

Analysis

max time kernel
141s
max time network
119s
platform
windows7_x64
resource
win7-20240508-en
resource tags

arch:x64arch:x86image:win7-20240508-enlocale:en-usos:windows7-x64system
submitted
24/06/2024, 00:17

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ta4073.exe
Size

25.8MB
MD5

15ecc8ba9811b8e5bd9d868b213a2182
SHA1

b221004e3ac301e686a02f9c7667cf2c85276c65
SHA256

87bc71b36b242a954f6dac19f466de0944becce465b37825552c1ba9703a19a8
SHA512

88d1518444f53b1a555ab52b97821ac594a2b6f3c78acb8c04798e26d1c5b3eb84af86e5707f45cfc61bf147de05a7e9eab9bc7e406c79290bb4692174012fd5
SSDEEP

786432:xkCG+BZo4femcZvQEqe1aecl5OzvUme1g6fJ3t:xk+BZo4fexQyvcl5OzAfh9

Score

7^/10

aspackv2 discovery persistence privilege_escalation

Malware Config

Signatures

ASPack v2.12-2.42 1 IoCs

Detects executables packed with ASPack v2.12-2.42

aspackv2

resource	yara_rule
behavioral1/files/0x000500000001925d-252.dat	aspack_v212_v242

Event Triggered Execution: Component Object Model Hijacking 1 TTPs
Adversaries may establish persistence by executing malicious content triggered by hijacked references to Component Object Model (COM) objects.
persistence privilege_escalation

Component Object Model Hijacking
T1546.015
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\TextAloud\is-FIC5T.tmp	NextUpTA4Installer.tmp
File created	C:\Program Files (x86)\TextAloud\Styles\is-TPEE5.tmp	NextUpTA4Installer.tmp
File created	C:\Program Files (x86)\TextAloud\is-7EIDC.tmp	NextUpTA4Installer.tmp
File created	C:\Program Files (x86)\TextAloud\is-3JH3O.tmp	NextUpTA4Installer.tmp
File created	C:\Program Files (x86)\TextAloud\is-CMEBG.tmp	NextUpTA4Installer.tmp
File created	C:\Program Files (x86)\TextAloud\is-FFR2M.tmp	NextUpTA4Installer.tmp
File created	C:\Program Files (x86)\TextAloud\Styles\is-R7AP6.tmp	NextUpTA4Installer.tmp
File opened for modification	C:\Program Files (x86)\TextAloud\unins000.dat	NextUpTA4Installer.tmp
File created	C:\Program Files (x86)\TextAloud\is-8I2V7.tmp	NextUpTA4Installer.tmp
File created	C:\Program Files (x86)\TextAloud\Styles\is-OBPMO.tmp	NextUpTA4Installer.tmp
File created	C:\Program Files (x86)\TextAloud\is-MVT2M.tmp	NextUpTA4Installer.tmp
File created	C:\Program Files (x86)\TextAloud\Styles\is-REHMO.tmp	NextUpTA4Installer.tmp
File created	C:\Program Files (x86)\TextAloud\Sounds\is-2N3QV.tmp	NextUpTA4Installer.tmp
File created	C:\Program Files (x86)\TextAloud\Sounds\is-UHNB8.tmp	NextUpTA4Installer.tmp
File created	C:\Program Files (x86)\TextAloud\is-F4BIS.tmp	NextUpTA4Installer.tmp
File created	C:\Program Files (x86)\TextAloud\is-9AO7K.tmp	NextUpTA4Installer.tmp
File created	C:\Program Files (x86)\TextAloud\is-G5MG1.tmp	NextUpTA4Installer.tmp
File created	C:\Program Files (x86)\TextAloud\Styles\is-T73OI.tmp	NextUpTA4Installer.tmp
File created	C:\Program Files (x86)\TextAloud\is-K8EJD.tmp	NextUpTA4Installer.tmp
File created	C:\Program Files (x86)\TextAloud\Styles\is-SR2TC.tmp	NextUpTA4Installer.tmp
File created	C:\Program Files (x86)\TextAloud\is-0MCQM.tmp	NextUpTA4Installer.tmp
File created	C:\Program Files (x86)\TextAloud\is-AO549.tmp	NextUpTA4Installer.tmp
File created	C:\Program Files (x86)\TextAloud\Styles\is-78KBP.tmp	NextUpTA4Installer.tmp
File created	C:\Program Files (x86)\TextAloud\Styles\is-TR9Q4.tmp	NextUpTA4Installer.tmp
File created	C:\Program Files (x86)\TextAloud\Styles\is-I2SCG.tmp	NextUpTA4Installer.tmp
File created	C:\Program Files (x86)\TextAloud\Styles\is-JVBGL.tmp	NextUpTA4Installer.tmp
File created	C:\Program Files (x86)\TextAloud\Styles\is-ABF1P.tmp	NextUpTA4Installer.tmp
File created	C:\Program Files (x86)\TextAloud\is-S5V5M.tmp	NextUpTA4Installer.tmp
File created	C:\Program Files (x86)\TextAloud\is-89L50.tmp	NextUpTA4Installer.tmp
File created	C:\Program Files (x86)\TextAloud\is-RDH0S.tmp	NextUpTA4Installer.tmp
File created	C:\Program Files (x86)\TextAloud\is-OQ4OB.tmp	NextUpTA4Installer.tmp
File created	C:\Program Files (x86)\TextAloud\Sounds\is-RINFV.tmp	NextUpTA4Installer.tmp
File created	C:\Program Files (x86)\TextAloud\is-P1IGK.tmp	NextUpTA4Installer.tmp
File created	C:\Program Files (x86)\TextAloud\Styles\is-F6OAT.tmp	NextUpTA4Installer.tmp
File created	C:\Program Files (x86)\TextAloud\Styles\is-2MIOJ.tmp	NextUpTA4Installer.tmp
File created	C:\Program Files (x86)\TextAloud\Styles\is-76FIE.tmp	NextUpTA4Installer.tmp
File created	C:\Program Files (x86)\TextAloud\Styles\is-5FB24.tmp	NextUpTA4Installer.tmp
File created	C:\Program Files (x86)\TextAloud\is-74QTO.tmp	NextUpTA4Installer.tmp
File created	C:\Program Files (x86)\TextAloud\Sounds\is-M8IA0.tmp	NextUpTA4Installer.tmp
File created	C:\Program Files (x86)\TextAloud\is-4T4H3.tmp	NextUpTA4Installer.tmp
File created	C:\Program Files (x86)\TextAloud\Styles\is-VU81D.tmp	NextUpTA4Installer.tmp
File created	C:\Program Files (x86)\TextAloud\Sounds\is-EDTDV.tmp	NextUpTA4Installer.tmp
File created	C:\Program Files (x86)\TextAloud\Styles\is-AVOVM.tmp	NextUpTA4Installer.tmp
File created	C:\Program Files (x86)\TextAloud\is-T0H3U.tmp	NextUpTA4Installer.tmp
File created	C:\Program Files (x86)\TextAloud\is-N2O06.tmp	NextUpTA4Installer.tmp
File created	C:\Program Files (x86)\TextAloud\Sounds\is-MSSTJ.tmp	NextUpTA4Installer.tmp
File created	C:\Program Files (x86)\TextAloud\Styles\is-CP9GO.tmp	NextUpTA4Installer.tmp
File created	C:\Program Files (x86)\TextAloud\Styles\is-N9U85.tmp	NextUpTA4Installer.tmp
File created	C:\Program Files (x86)\TextAloud\Styles\is-88A7B.tmp	NextUpTA4Installer.tmp
File created	C:\Program Files (x86)\TextAloud\Styles\is-D0H73.tmp	NextUpTA4Installer.tmp
File created	C:\Program Files (x86)\TextAloud\is-C8OFL.tmp	NextUpTA4Installer.tmp
File created	C:\Program Files (x86)\TextAloud\Styles\is-FGVVL.tmp	NextUpTA4Installer.tmp
File created	C:\Program Files (x86)\TextAloud\Styles\is-0E6GK.tmp	NextUpTA4Installer.tmp
File created	C:\Program Files (x86)\TextAloud\Styles\is-C4Q9O.tmp	NextUpTA4Installer.tmp
File created	C:\Program Files (x86)\TextAloud\is-A88B3.tmp	NextUpTA4Installer.tmp
File created	C:\Program Files (x86)\TextAloud\is-AHNN9.tmp	NextUpTA4Installer.tmp
File created	C:\Program Files (x86)\TextAloud\Styles\is-EBM6C.tmp	NextUpTA4Installer.tmp
File created	C:\Program Files (x86)\TextAloud\Styles\is-UR4OE.tmp	NextUpTA4Installer.tmp
File created	C:\Program Files (x86)\TextAloud\is-JUSB9.tmp	NextUpTA4Installer.tmp
File created	C:\Program Files (x86)\TextAloud\is-4MRHJ.tmp	NextUpTA4Installer.tmp
File created	C:\Program Files (x86)\TextAloud\Styles\is-1ORCP.tmp	NextUpTA4Installer.tmp
File created	C:\Program Files (x86)\TextAloud\Styles\is-60CCD.tmp	NextUpTA4Installer.tmp
File created	C:\Program Files (x86)\TextAloud\Sounds\is-1IQPA.tmp	NextUpTA4Installer.tmp
File created	C:\Program Files (x86)\TextAloud\Styles\is-TPCPK.tmp	NextUpTA4Installer.tmp

Executes dropped EXE 12 IoCs

pid	Process
2888	NextUpTA4Installer.exe
2712	NextUpTA4Installer.tmp
2664	AppCloser1.exe
2564	AppCloser1.exe
2668	AppCloser1.exe
2540	AppCloser1.exe
2736	TextAloudMP3.exe
484	TAChromeMsgHost.exe
1676	TAChromeMsgHost.exe
1312	TAForIEBroker.exe
1472	TextAloudPocketAuthorization.exe
2384	TextAloudMP3.exe

Loads dropped DLL 46 IoCs

pid	Process
3068	ta4073.exe
2888	NextUpTA4Installer.exe
2712	NextUpTA4Installer.tmp
2712	NextUpTA4Installer.tmp
2712	NextUpTA4Installer.tmp
2712	NextUpTA4Installer.tmp
2712	NextUpTA4Installer.tmp
2712	NextUpTA4Installer.tmp
2712	NextUpTA4Installer.tmp
2712	NextUpTA4Installer.tmp
696	regsvr32.exe
1860	regsvr32.exe
1792	regsvr32.exe
1988	regsvr32.exe
1572	regsvr32.exe
1696	regsvr32.exe
2456	regsvr32.exe
2456	regsvr32.exe
1836	regsvr32.exe
2844	regsvr32.exe
1276	regsvr32.exe
3068	regsvr32.exe
2688	regsvr32.exe
2736	TextAloudMP3.exe
2736	TextAloudMP3.exe
2736	TextAloudMP3.exe
2736	TextAloudMP3.exe
2736	TextAloudMP3.exe
2736	TextAloudMP3.exe
2736	TextAloudMP3.exe
2736	TextAloudMP3.exe
2712	NextUpTA4Installer.tmp
2712	NextUpTA4Installer.tmp
2712	NextUpTA4Installer.tmp
2384	TextAloudMP3.exe
2384	TextAloudMP3.exe
2384	TextAloudMP3.exe
2384	TextAloudMP3.exe
2384	TextAloudMP3.exe
2384	TextAloudMP3.exe
2384	TextAloudMP3.exe
2384	TextAloudMP3.exe
2384	TextAloudMP3.exe
2384	TextAloudMP3.exe
2384	TextAloudMP3.exe
2384	TextAloudMP3.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Kills process with taskkill 2 IoCs

evasion

pid	Process
1660	taskkill.exe
2976	taskkill.exe

Modifies Internet Explorer settings 1 TTPs 24 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Toolbar\{F053C368-5458-45B2-9B4D-D8914BDDDBFF}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar	regsvr32.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Low Rights\DragDrop\{AD9CFEA2-F08B-4778-ABF4-B95EB8C9A68F}\Policy = "3"	TextAloudMP3.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{3A534BE1-B41B-4C54-89A7-396AE1306A1A}	TAForIEBroker.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{3A534BE1-B41B-4C54-89A7-396AE1306A1A}\Policy = "3"	TAForIEBroker.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{02F7E2A2-5D3E-4727-A6B4-8E5724DDE6F5}\AppName = "TextAloudMP3.exe"	TAForIEBroker.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{3A534BE1-B41B-4C54-89A7-396AE1306A1A}\AppPath = "C:\\Program Files (x86)\\TextAloud"	TAForIEBroker.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{3A534BE1-B41B-4C54-89A7-396AE1306A1A}\Policy = "3"	TAForIEBroker.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar\{F053C368-5458-45B2-9B4D-D8914BDDDBFF}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Low Rights\DragDrop\{AD9CFEA2-F08B-4778-ABF4-B95EB8C9A68F}\AppPath = "C:\\Program Files (x86)\\TextAloud\\"	TextAloudMP3.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{3A534BE1-B41B-4C54-89A7-396AE1306A1A}\AppName = "TAForIEBroker.exe"	TAForIEBroker.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{3A534BE1-B41B-4C54-89A7-396AE1306A1A}\AppPath = "C:\\Program Files (x86)\\TextAloud"	TAForIEBroker.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Toolbar	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Low Rights\DragDrop\{AD9CFEA2-F08B-4778-ABF4-B95EB8C9A68F}\AppName = "TextAloudMP3.exe"	TextAloudMP3.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{02F7E2A2-5D3E-4727-A6B4-8E5724DDE6F5}\AppPath = "C:\\Program Files (x86)\\TextAloud"	TAForIEBroker.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{02F7E2A2-5D3E-4727-A6B4-8E5724DDE6F5}\Policy = "3"	TAForIEBroker.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{3A534BE1-B41B-4C54-89A7-396AE1306A1A}\AppName = "TAForIEBroker.exe"	TAForIEBroker.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Internet Explorer\Low Rights\DragDrop\{AD9CFEA2-F08B-4778-ABF4-B95EB8C9A68F}	TextAloudMP3.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{02F7E2A2-5D3E-4727-A6B4-8E5724DDE6F5}	TAForIEBroker.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{3A534BE1-B41B-4C54-89A7-396AE1306A1A}	TAForIEBroker.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{02F7E2A2-5D3E-4727-A6B4-8E5724DDE6F5}	TAForIEBroker.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{02F7E2A2-5D3E-4727-A6B4-8E5724DDE6F5}\AppName = "TextAloudMP3.exe"	TAForIEBroker.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{02F7E2A2-5D3E-4727-A6B4-8E5724DDE6F5}\AppPath = "C:\\Program Files (x86)\\TextAloud"	TAForIEBroker.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{02F7E2A2-5D3E-4727-A6B4-8E5724DDE6F5}\Policy = "3"	TAForIEBroker.exe

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Simpleaudio.SpAudioPlug\ = "SpAudioPlug Class"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{B252A217-0693-4E2B-A108-0924B78F0D74}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{B252A217-0693-4E2B-A108-0924B78F0D74}\TypeLib	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{FB920A1A-66FF-45BF-826B-E4A255B967DB}\TypeLib\ = "{2FE9453A-0FF7-4AE7-B607-7924B07F2E9A}"	TAForIEBroker.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{CE57AA69-5C5C-4223-9F22-D85BFF11D870}\1.0\0\win32\ = "C:\\Program Files (x86)\\TextAloud\\TAForOutlook.dll"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{FC96622A-3955-499E-9E8E-6BDAA6CCA035}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TAForOutlook.TAOutlookAddin\Clsid	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{A280A098-9193-4AC4-945C-B812D5A9D9F0}\TypeLib\ = "{F6883202-8D97-4865-88F2-9392BEEA9526}"	TextAloudMP3.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TAForIEBroker4.TABroker4\Clsid\ = "{53606CF2-ED18-420B-81D4-D22ADF70130C}"	TAForIEBroker.exe
Key created	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000_CLASSES\Wow6432Node	TextAloudMP3.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{A4689098-1715-4EF6-9781-C452319789EA}\1.0\FLAGS	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TAForWord.TAForWordCoClass\ = "TAForWordCoClass Object"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{6C878866-0A6E-4DD0-8CAB-DE8C31BECF29}\ProxyStubClsid32\ = "{00020420-0000-0000-C000-000000000046}"	TextAloudMP3.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{FB920A1A-66FF-45BF-826B-E4A255B967DB}\TypeLib\Version = "1.0"	TAForIEBroker.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{3ADB43CA-06D0-48F9-8268-86C81C1FB7B0}\TypeLib\ = "{A4689098-1715-4EF6-9781-C452319789EA}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Simpleaudio.SpAudioPlug.1	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{A280A098-9193-4AC4-945C-B812D5A9D9F0}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	TextAloudMP3.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{8F8FD037-19C8-4142-B0D4-E69406F4913D}	TextAloudMP3.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\PocketTextAloud.Application\shell\open\command	TextAloudPocketAuthorization.exe
Key created	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000_CLASSES\Wow6432Node\CLSID\{36c8e589-881d-48b6-a7c1-ca869abae88a}\Control	TextAloudMP3.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{91307848-0DA5-44C7-9140-71B88F3CE5D9}\ProgID	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{A280A098-9193-4AC4-945C-B812D5A9D9F0}\TypeLib	TextAloudMP3.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{6C878866-0A6E-4DD0-8CAB-DE8C31BECF29}\TypeLib	TextAloudMP3.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{921F5D84-1FC1-4867-A252-B31E97A29139}\ProgID\ = "Sapi5Audio.SpAudioPlug.1"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{F6883202-8D97-4865-88F2-9392BEEA9526}\4.0\FLAGS\ = "0"	TextAloudMP3.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{6C878866-0A6E-4DD0-8CAB-DE8C31BECF29}\TypeLib\ = "{F6883202-8D97-4865-88F2-9392BEEA9526}"	TextAloudMP3.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{3B2662CA-FF38-49BD-A1CD-8BFDE22F1513}\ = "ITABroadcastEvents"	TextAloudMP3.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{3B2662CA-FF38-49BD-A1CD-8BFDE22F1513}\TypeLib\ = "{F6883202-8D97-4865-88F2-9392BEEA9526}"	TextAloudMP3.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{A4689098-1715-4EF6-9781-C452319789EA}\1.0\0\win32\ = "C:\\Program Files (x86)\\TextAloud\\TAForWord.dll"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{F3F67A7D-3106-46A0-8E6E-91A66EF7E040}\TypeLib	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{F3F67A7D-3106-46A0-8E6E-91A66EF7E040}\TypeLib\ = "{A4689098-1715-4EF6-9781-C452319789EA}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{3B2662CA-FF38-49BD-A1CD-8BFDE22F1513}\TypeLib	TextAloudMP3.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{8F8FD037-19C8-4142-B0D4-E69406F4913D}\LocalServer32\ = "C:\\Program Files (x86)\\TextAloud\\TextAloudMP3.exe"	TextAloudMP3.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{FC96622A-3955-499E-9E8E-6BDAA6CCA035}\TypeLib\Version = "1.0"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{CE57AA69-5C5C-4223-9F22-D85BFF11D870}\1.0\0\win32\ = "C:\\Program Files (x86)\\TextAloud\\TAForOutlook64.dll"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{3ADB43CA-06D0-48F9-8268-86C81C1FB7B0}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{F3F67A7D-3106-46A0-8E6E-91A66EF7E040}\InprocServer32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{F3F67A7D-3106-46A0-8E6E-91A66EF7E040}\TypeLib\ = "{A4689098-1715-4EF6-9781-C452319789EA}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{F6883202-8D97-4865-88F2-9392BEEA9526}	TextAloudMP3.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{2C7D405F-4068-40C1-9F62-F0419199EEBF}\ = "ITABroadcast"	TextAloudMP3.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{28F91DAB-4A3D-4CA3-B695-E25577138B2B}\LocalServer32\ = "C:\\PROGRA~2\\TEXTAL~1\\TEXTAL~1.EXE"	TextAloudMP3.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TAForOutlook.TAOutlookAddin\ = "CoTAForOutlook Object"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{A4689098-1715-4EF6-9781-C452319789EA}\1.0	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{A4689098-1715-4EF6-9781-C452319789EA}\1.0\0	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{53606CF2-ED18-420B-81D4-D22ADF70130C}\LocalServer32\ = "C:\\Program Files (x86)\\TextAloud\\TAForIEBroker.exe"	TAForIEBroker.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\PocketTextAloud.Application\ = "TextAloud Pocket Protocol"	TextAloudPocketAuthorization.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{3B2662CA-FF38-49BD-A1CD-8BFDE22F1513}\ProxyStubClsid32	TextAloudMP3.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TextAloud_4.TABroadcast\Clsid	TextAloudMP3.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TextAloud_4.TextAloudIntf_4\Clsid\ = "{8F8FD037-19C8-4142-B0D4-E69406F4913D}"	TextAloudMP3.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{53606CF2-ED18-420B-81D4-D22ADF70130C}	TAForIEBroker.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{F3F67A7D-3106-46A0-8E6E-91A66EF7E040}\ = "TAForWordCoClass Object"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{B252A217-0693-4E2B-A108-0924B78F0D74}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{B252A217-0693-4E2B-A108-0924B78F0D74}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TextAloud_4.TABroadcast\	TextAloudMP3.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TextAloud_4.TABroadcast\Clsid\ = "{28F91DAB-4A3D-4CA3-B695-E25577138B2B}"	TextAloudMP3.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{8F8FD037-19C8-4142-B0D4-E69406F4913D}\LocalServer32	TextAloudMP3.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{FB920A1A-66FF-45BF-826B-E4A255B967DB}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	TAForIEBroker.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{53606CF2-ED18-420B-81D4-D22ADF70130C}\Version	TAForIEBroker.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{91307848-0DA5-44C7-9140-71B88F3CE5D9}\ProgID	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{91307848-0DA5-44C7-9140-71B88F3CE5D9}\TypeLib	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{F6883202-8D97-4865-88F2-9392BEEA9526}\4.0\HELPDIR\ = "C:\\Program Files (x86)\\TextAloud\\"	TextAloudMP3.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{73971CFE-F35F-4D44-A3B3-617F1F92B004}\1.0\0\win32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{2C7D405F-4068-40C1-9F62-F0419199EEBF}\ProxyStubClsid32	TextAloudMP3.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{3B2662CA-FF38-49BD-A1CD-8BFDE22F1513}	TextAloudMP3.exe

Suspicious behavior: AddClipboardFormatListener 1 IoCs

pid	Process
2384	TextAloudMP3.exe

Suspicious behavior: EnumeratesProcesses 48 IoCs

pid	Process
2712	NextUpTA4Installer.tmp
2712	NextUpTA4Installer.tmp
2712	NextUpTA4Installer.tmp
2712	NextUpTA4Installer.tmp
2712	NextUpTA4Installer.tmp
2712	NextUpTA4Installer.tmp
2712	NextUpTA4Installer.tmp
2712	NextUpTA4Installer.tmp
2712	NextUpTA4Installer.tmp
2736	TextAloudMP3.exe
2736	TextAloudMP3.exe
2736	TextAloudMP3.exe
2736	TextAloudMP3.exe
2736	TextAloudMP3.exe
2736	TextAloudMP3.exe
2736	TextAloudMP3.exe
2736	TextAloudMP3.exe
2736	TextAloudMP3.exe
2736	TextAloudMP3.exe
2736	TextAloudMP3.exe
2736	TextAloudMP3.exe
2736	TextAloudMP3.exe
2736	TextAloudMP3.exe
2736	TextAloudMP3.exe
2736	TextAloudMP3.exe
2736	TextAloudMP3.exe
2736	TextAloudMP3.exe
2736	TextAloudMP3.exe
2736	TextAloudMP3.exe
2736	TextAloudMP3.exe
2736	TextAloudMP3.exe
2736	TextAloudMP3.exe
2736	TextAloudMP3.exe
2736	TextAloudMP3.exe
2384	TextAloudMP3.exe
2384	TextAloudMP3.exe
2384	TextAloudMP3.exe
2384	TextAloudMP3.exe
2384	TextAloudMP3.exe
2384	TextAloudMP3.exe
2384	TextAloudMP3.exe
2384	TextAloudMP3.exe
2384	TextAloudMP3.exe
2384	TextAloudMP3.exe
2384	TextAloudMP3.exe
2384	TextAloudMP3.exe
2384	TextAloudMP3.exe
2384	TextAloudMP3.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

description	pid	Process
Token: SeDebugPrivilege	1660	taskkill.exe
Token: SeDebugPrivilege	2976	taskkill.exe
Token: SeDebugPrivilege	2736	TextAloudMP3.exe
Token: SeDebugPrivilege	2384	TextAloudMP3.exe

Suspicious use of FindShellTrayWindow 51 IoCs

pid	Process
2712	NextUpTA4Installer.tmp
2712	NextUpTA4Installer.tmp
2712	NextUpTA4Installer.tmp
2712	NextUpTA4Installer.tmp
2712	NextUpTA4Installer.tmp
2712	NextUpTA4Installer.tmp
2712	NextUpTA4Installer.tmp
2712	NextUpTA4Installer.tmp
2712	NextUpTA4Installer.tmp
2712	NextUpTA4Installer.tmp
2712	NextUpTA4Installer.tmp
2712	NextUpTA4Installer.tmp
2712	NextUpTA4Installer.tmp
2712	NextUpTA4Installer.tmp
2712	NextUpTA4Installer.tmp
2712	NextUpTA4Installer.tmp
2712	NextUpTA4Installer.tmp
2712	NextUpTA4Installer.tmp
2712	NextUpTA4Installer.tmp
2712	NextUpTA4Installer.tmp
2712	NextUpTA4Installer.tmp
2712	NextUpTA4Installer.tmp
2712	NextUpTA4Installer.tmp
2712	NextUpTA4Installer.tmp
2712	NextUpTA4Installer.tmp
2712	NextUpTA4Installer.tmp
2712	NextUpTA4Installer.tmp
2712	NextUpTA4Installer.tmp
2712	NextUpTA4Installer.tmp
2712	NextUpTA4Installer.tmp
2712	NextUpTA4Installer.tmp
2712	NextUpTA4Installer.tmp
2712	NextUpTA4Installer.tmp
2712	NextUpTA4Installer.tmp
2712	NextUpTA4Installer.tmp
2712	NextUpTA4Installer.tmp
2712	NextUpTA4Installer.tmp
2712	NextUpTA4Installer.tmp
2712	NextUpTA4Installer.tmp
2712	NextUpTA4Installer.tmp
2712	NextUpTA4Installer.tmp
2712	NextUpTA4Installer.tmp
2712	NextUpTA4Installer.tmp
2712	NextUpTA4Installer.tmp
2712	NextUpTA4Installer.tmp
2712	NextUpTA4Installer.tmp
2712	NextUpTA4Installer.tmp
2712	NextUpTA4Installer.tmp
2712	NextUpTA4Installer.tmp
2384	TextAloudMP3.exe
2384	TextAloudMP3.exe

Suspicious use of SendNotifyMessage 2 IoCs

pid	Process
2384	TextAloudMP3.exe
2384	TextAloudMP3.exe

Suspicious use of SetWindowsHookEx 4 IoCs

pid	Process
2736	TextAloudMP3.exe
2736	TextAloudMP3.exe
2384	TextAloudMP3.exe
2384	TextAloudMP3.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3068 wrote to memory of 2888	3068	ta4073.exe	28
PID 3068 wrote to memory of 2888	3068	ta4073.exe	28
PID 3068 wrote to memory of 2888	3068	ta4073.exe	28
PID 3068 wrote to memory of 2888	3068	ta4073.exe	28
PID 3068 wrote to memory of 2888	3068	ta4073.exe	28
PID 3068 wrote to memory of 2888	3068	ta4073.exe	28
PID 3068 wrote to memory of 2888	3068	ta4073.exe	28
PID 2888 wrote to memory of 2712	2888	NextUpTA4Installer.exe	29
PID 2888 wrote to memory of 2712	2888	NextUpTA4Installer.exe	29
PID 2888 wrote to memory of 2712	2888	NextUpTA4Installer.exe	29
PID 2888 wrote to memory of 2712	2888	NextUpTA4Installer.exe	29
PID 2888 wrote to memory of 2712	2888	NextUpTA4Installer.exe	29
PID 2888 wrote to memory of 2712	2888	NextUpTA4Installer.exe	29
PID 2888 wrote to memory of 2712	2888	NextUpTA4Installer.exe	29
PID 2712 wrote to memory of 2664	2712	NextUpTA4Installer.tmp	30
PID 2712 wrote to memory of 2664	2712	NextUpTA4Installer.tmp	30
PID 2712 wrote to memory of 2664	2712	NextUpTA4Installer.tmp	30
PID 2712 wrote to memory of 2664	2712	NextUpTA4Installer.tmp	30
PID 2712 wrote to memory of 2564	2712	NextUpTA4Installer.tmp	31
PID 2712 wrote to memory of 2564	2712	NextUpTA4Installer.tmp	31
PID 2712 wrote to memory of 2564	2712	NextUpTA4Installer.tmp	31
PID 2712 wrote to memory of 2564	2712	NextUpTA4Installer.tmp	31
PID 2712 wrote to memory of 2668	2712	NextUpTA4Installer.tmp	32
PID 2712 wrote to memory of 2668	2712	NextUpTA4Installer.tmp	32
PID 2712 wrote to memory of 2668	2712	NextUpTA4Installer.tmp	32
PID 2712 wrote to memory of 2668	2712	NextUpTA4Installer.tmp	32
PID 2712 wrote to memory of 2540	2712	NextUpTA4Installer.tmp	33
PID 2712 wrote to memory of 2540	2712	NextUpTA4Installer.tmp	33
PID 2712 wrote to memory of 2540	2712	NextUpTA4Installer.tmp	33
PID 2712 wrote to memory of 2540	2712	NextUpTA4Installer.tmp	33
PID 2712 wrote to memory of 1660	2712	NextUpTA4Installer.tmp	34
PID 2712 wrote to memory of 1660	2712	NextUpTA4Installer.tmp	34
PID 2712 wrote to memory of 1660	2712	NextUpTA4Installer.tmp	34
PID 2712 wrote to memory of 1660	2712	NextUpTA4Installer.tmp	34
PID 2712 wrote to memory of 2976	2712	NextUpTA4Installer.tmp	37
PID 2712 wrote to memory of 2976	2712	NextUpTA4Installer.tmp	37
PID 2712 wrote to memory of 2976	2712	NextUpTA4Installer.tmp	37
PID 2712 wrote to memory of 2976	2712	NextUpTA4Installer.tmp	37
PID 2712 wrote to memory of 696	2712	NextUpTA4Installer.tmp	39
PID 2712 wrote to memory of 696	2712	NextUpTA4Installer.tmp	39
PID 2712 wrote to memory of 696	2712	NextUpTA4Installer.tmp	39
PID 2712 wrote to memory of 696	2712	NextUpTA4Installer.tmp	39
PID 2712 wrote to memory of 696	2712	NextUpTA4Installer.tmp	39
PID 2712 wrote to memory of 696	2712	NextUpTA4Installer.tmp	39
PID 2712 wrote to memory of 696	2712	NextUpTA4Installer.tmp	39
PID 2712 wrote to memory of 1860	2712	NextUpTA4Installer.tmp	40
PID 2712 wrote to memory of 1860	2712	NextUpTA4Installer.tmp	40
PID 2712 wrote to memory of 1860	2712	NextUpTA4Installer.tmp	40
PID 2712 wrote to memory of 1860	2712	NextUpTA4Installer.tmp	40
PID 2712 wrote to memory of 1860	2712	NextUpTA4Installer.tmp	40
PID 2712 wrote to memory of 1860	2712	NextUpTA4Installer.tmp	40
PID 2712 wrote to memory of 1860	2712	NextUpTA4Installer.tmp	40
PID 1860 wrote to memory of 1792	1860	regsvr32.exe	42
PID 1860 wrote to memory of 1792	1860	regsvr32.exe	42
PID 1860 wrote to memory of 1792	1860	regsvr32.exe	42
PID 1860 wrote to memory of 1792	1860	regsvr32.exe	42
PID 1860 wrote to memory of 1792	1860	regsvr32.exe	42
PID 1860 wrote to memory of 1792	1860	regsvr32.exe	42
PID 1860 wrote to memory of 1792	1860	regsvr32.exe	42
PID 2712 wrote to memory of 1988	2712	NextUpTA4Installer.tmp	43
PID 2712 wrote to memory of 1988	2712	NextUpTA4Installer.tmp	43
PID 2712 wrote to memory of 1988	2712	NextUpTA4Installer.tmp	43
PID 2712 wrote to memory of 1988	2712	NextUpTA4Installer.tmp	43
PID 2712 wrote to memory of 1988	2712	NextUpTA4Installer.tmp	43

C:\Users\Admin\AppData\Local\Temp\ta4073.exe
"C:\Users\Admin\AppData\Local\Temp\ta4073.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:3068
- C:\Users\Admin\AppData\Local\Temp\TextAloud\NextUpTA4Installer.exe
  "C:\Users\Admin\AppData\Local\Temp\TextAloud\NextUpTA4Installer.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:2888
- - C:\Users\Admin\AppData\Local\Temp\is-HD3SK.tmp\NextUpTA4Installer.tmp
    "C:\Users\Admin\AppData\Local\Temp\is-HD3SK.tmp\NextUpTA4Installer.tmp" /SL5="$80124,24417821,57856,C:\Users\Admin\AppData\Local\Temp\TextAloud\NextUpTA4Installer.exe"
    3⤵
    - Drops file in Program Files directory
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of WriteProcessMemory
    PID:2712
  - - C:\Users\Admin\AppData\Local\Temp\is-28COU.tmp\AppCloser1.exe
      "C:\Users\Admin\AppData\Local\Temp\is-28COU.tmp\AppCloser1.exe" /classname TForm1 /windowname TextAloud
      4⤵
      Executes dropped EXE
      PID:2664
  - - C:\Users\Admin\AppData\Local\Temp\is-28COU.tmp\AppCloser1.exe
      "C:\Users\Admin\AppData\Local\Temp\is-28COU.tmp\AppCloser1.exe" /classname TTA3Form /exename TextAloudMP3.exe /msg WM_NEXTUP_CLOSE
      4⤵
      Executes dropped EXE
      PID:2564
  - - C:\Users\Admin\AppData\Local\Temp\is-28COU.tmp\AppCloser1.exe
      "C:\Users\Admin\AppData\Local\Temp\is-28COU.tmp\AppCloser1.exe" /classname TTA4Form /exename TextAloudMP3.exe
      4⤵
      Executes dropped EXE
      PID:2668
  - - C:\Users\Admin\AppData\Local\Temp\is-28COU.tmp\AppCloser1.exe
      "C:\Users\Admin\AppData\Local\Temp\is-28COU.tmp\AppCloser1.exe" /classname TTAForOE /windowname "TAForOE Loader"
      4⤵
      Executes dropped EXE
      PID:2540
  - - C:\Windows\SysWOW64\taskkill.exe
      "C:\Windows\system32\taskkill.exe" /F /IM ieuser.exe
      4⤵
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:1660
  - - C:\Windows\SysWOW64\taskkill.exe
      "C:\Windows\system32\taskkill.exe" /F /IM textaloudmp3.exe
      4⤵
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:2976
  - - C:\Windows\SysWOW64\regsvr32.exe
      "C:\Windows\system32\regsvr32.exe" /s "C:\Program Files (x86)\TextAloud\TAForOutlook.dll"
      4⤵
      Loads dropped DLL
      Modifies registry class
      PID:696
  - - C:\Windows\SysWOW64\regsvr32.exe
      "C:\Windows\system32\regsvr32.exe" /s "C:\Program Files (x86)\TextAloud\TAForOutlook64.dll"
      4⤵
      Loads dropped DLL
      Suspicious use of WriteProcessMemory
      PID:1860
    - - C:\Windows\system32\regsvr32.exe
        
        /s "C:\Program Files (x86)\TextAloud\TAForOutlook64.dll"
        5⤵
        Loads dropped DLL
        Modifies registry class
        
        PID:1792
  - - C:\Windows\SysWOW64\regsvr32.exe
      "C:\Windows\system32\regsvr32.exe" /s "C:\Program Files (x86)\TextAloud\TAForWord.dll"
      4⤵
      Loads dropped DLL
      Modifies registry class
      PID:1988
  - - C:\Windows\SysWOW64\regsvr32.exe
      "C:\Windows\system32\regsvr32.exe" /s "C:\Program Files (x86)\TextAloud\TAForWord64.dll"
      4⤵
      Loads dropped DLL
      PID:1572
    - - C:\Windows\system32\regsvr32.exe
        
        /s "C:\Program Files (x86)\TextAloud\TAForWord64.dll"
        5⤵
        Loads dropped DLL
        Modifies registry class
        
        PID:1696
  - - C:\Windows\SysWOW64\regsvr32.exe
      "C:\Windows\system32\regsvr32.exe" /s "C:\Program Files (x86)\TextAloud\sapi5audio.dll"
      4⤵
      Loads dropped DLL
      Modifies registry class
      PID:2456
  - - C:\Windows\SysWOW64\regsvr32.exe
      "C:\Windows\system32\regsvr32.exe" /s "C:\Program Files (x86)\TextAloud\TAForIE.dll"
      4⤵
      Loads dropped DLL
      Modifies Internet Explorer settings
      PID:1836
  - - C:\Windows\SysWOW64\regsvr32.exe
      "C:\Windows\system32\regsvr32.exe" /s "C:\Program Files (x86)\TextAloud\TAForIE64.dll"
      4⤵
      Loads dropped DLL
      PID:2844
    - - C:\Windows\system32\regsvr32.exe
        
        /s "C:\Program Files (x86)\TextAloud\TAForIE64.dll"
        5⤵
        Loads dropped DLL
        Modifies Internet Explorer settings
        
        PID:1276
  - - C:\Windows\SysWOW64\regsvr32.exe
      "C:\Windows\system32\regsvr32.exe" /s "C:\Program Files (x86)\TextAloud\TAContextMenu64.dll"
      4⤵
      Loads dropped DLL
      PID:3068
    - - C:\Windows\system32\regsvr32.exe
        
        /s "C:\Program Files (x86)\TextAloud\TAContextMenu64.dll"
        5⤵
        Loads dropped DLL
        
        PID:2688
  - - C:\Program Files (x86)\TextAloud\TextAloudMP3.exe
      "C:\Program Files (x86)\TextAloud\TextAloudMP3.exe" /regserver
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Modifies Internet Explorer settings
      Modifies registry class
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of SetWindowsHookEx
      PID:2736
  - - C:\Program Files (x86)\TextAloud\TAChromeMsgHost.exe
      "C:\Program Files (x86)\TextAloud\TAChromeMsgHost.exe" /install /s /id obcnimnkkpdkbfnnoagjogdollcfnidj /manifest TAChromeManifest.json
      4⤵
      Executes dropped EXE
      PID:484
  - - C:\Program Files (x86)\TextAloud\TAChromeMsgHost.exe
      "C:\Program Files (x86)\TextAloud\TAChromeMsgHost.exe" /install /s /id {5e1bc830-4746-11e5-b970-0800200c9a66} /manifest TAFirefoxManifest.json
      4⤵
      Executes dropped EXE
      PID:1676
  - - C:\Program Files (x86)\TextAloud\TAForIEBroker.exe
      "C:\Program Files (x86)\TextAloud\TAForIEBroker.exe" /regserver
      4⤵
      Executes dropped EXE
      Modifies Internet Explorer settings
      Modifies registry class
      PID:1312
  - - C:\Program Files (x86)\TextAloud\TextAloudPocketAuthorization.exe
      "C:\Program Files (x86)\TextAloud\TextAloudPocketAuthorization" /register
      4⤵
      Executes dropped EXE
      Modifies registry class
      PID:1472

C:\Program Files (x86)\TextAloud\TextAloudMP3.exe
"C:\Program Files (x86)\TextAloud\TextAloudMP3.exe"
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious behavior: AddClipboardFormatListener
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
PID:2384

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Event Triggered Execution

T1546

Component Object Model Hijacking

T1546.015

Privilege Escalation

Event Triggered Execution

T1546

Component Object Model Hijacking

T1546.015

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\TextAloud\MSVCR120.dll

Filesize
948KB

MD5
034ccadc1c073e4216e9466b720f9849

SHA1
f19e9d8317161edc7d3e963cc0fc46bd5e4a55a1

SHA256
86e39b5995af0e042fcdaa85fe2aefd7c9ddc7ad65e6327bd5e7058bc3ab615f

SHA512
5f11ef92d936669ee834a5cef5c7d0e7703bf05d03dc4f09b9dcfe048d7d5adfaab6a9c7f42e8080a5e9aad44a35f39f3940d5cca20623d9cafe373c635570f7

Download Submit
C:\Program Files (x86)\TextAloud\TAForIE64.dll

Filesize
3.8MB

MD5
176ea60d33132f891a4a2e32f418459b

SHA1
c0aca45209fac654f381df97f70154ae4697f0a9

SHA256
a2353f8f4f3839f3fa6d903179eeeac70460ad7ba8f9703f0ced2bc21bc86486

SHA512
188976097420247f65106344f937ff1f4367b178eedf1b04e8b14f5774ddbf2d5c489f6eb45906490270fa7bfde4550b64e848e1088194b068c696664f9ab6f5

Download Submit
C:\Program Files (x86)\TextAloud\TAForOutlook.dll

Filesize
4.4MB

MD5
5815766e9878084956ddc0004c0c8186

SHA1
d7302408582a1525cf8696930ed689fc0a0072cb

SHA256
af6e386f3511fc9ca2175c7f5a819d95dd5018b28fa0b6b5c5e2621dee4cc201

SHA512
2eb7de0ff07aa9a5bb9e6e31bb9b2061e325b5d67b6014274d853409ddfb9a6ca9a40acb58d92d72ac4b677d2311da21d03d22a1a23abbacf5624a3dffc8486d

Download Submit
C:\Program Files (x86)\TextAloud\TAForWord.dll

Filesize
4.6MB

MD5
3df36bbf7d80bfc5afbaa66a70f17246

SHA1
dc80b88b68ac4afd87c0e3e18bf0b89c64fd2f0e

SHA256
582169dc436b3d05f0c3cefdb4607dd9aeb6129d6fe3af56260d674c45b18dc5

SHA512
6870d4a400309de653dbebae137c76d72d929abe6887f7870386dcd1d862d74a36adf273ebc50df79db42f0049284f0a944d6c48851277291d641bc8c59dfaf9

Download Submit
C:\Program Files (x86)\TextAloud\TAForWord64.dll

Filesize
7.8MB

MD5
bd9f7dc8bcbb84d8c0f50f67ffbffb95

SHA1
1ada72c428f1ef9fea29e9fad26b5bb61e62ea71

SHA256
2fdd4b807a713a26d45875aa3b7e04d51f28d8f572d9a34c7dd0ead41e378273

SHA512
d0e04a5b9d947cf80fc4ce5665885c5922a02d3049232cbd8f490c7b6f0d85d70d98f15370d4755c61b0a75ecfcf59310bdcfdb3f723f51d8b2a7f100b00e487

Download Submit
C:\Users\Admin\AppData\Local\Temp\TextAloud\NextUpTA4Installer.exe

Filesize
23.6MB

MD5
b2b3d7a79ce92eea03c5a11a6f3a4c61

SHA1
2c7a1b65fb2f3f3f1710e26434af8cc6ecaa39de

SHA256
5c61e6b04a94a8af724500f062b2615818f3a24eab983977e50484742c7f0f57

SHA512
dea97e4b83128ea4bd4b84e0b5658d5b60b716521aad80927f505c15c16b402f684cd98d994ca96536f9817f2795949a73da4ec977cbf1358912a648be694535

Download Submit
\Program Files (x86)\TextAloud\AudioGenie3.dll

Filesize
538KB

MD5
724d6320fbc6977939c033efc857a7ab

SHA1
05549c3e3b8cf0af330055c639ac55b93c2b5635

SHA256
804c918866de0bf93cfdaea35c3299292c889611b46acf39d80e8f9a7ade0ca2

SHA512
b8ec52a342a3840f4124b134ce3e4be1b00f460b3f3fb96ab5fe4b521f227efaa7b6ea5f83cb6d05e5d8d17374a997067f14f68e442f0e5dd6b8f24f9bbf268c

Download Submit
\Program Files (x86)\TextAloud\Lame_Enc.dll

Filesize
483KB

MD5
563b98d6048e32cde756935f299bbeac

SHA1
333d35ddcc26864e9d0021a85c86df0f09b9ddb7

SHA256
ad5a40e3fa7527e9bad200c02feea3d1e6477bc0c2a6f656fd2d0f8e08b0f3cc

SHA512
06235efba5be45c21013a81231320ba3f9cbbd10c9e1550f8a3c6bdfcb1f3ff6dbb06cd968ac82882fb812eb5566406f7e1f9f8ea8c24366ff5129a356d15488

Download Submit
\Program Files (x86)\TextAloud\TAChromeMsgHost.exe

Filesize
2.3MB

MD5
54f772624a0cc3079fbbacc735b83e3f

SHA1
e985df99aa8233fa0efbd307aa9dea65ee417a54

SHA256
5a2854b04effba1a341f023a84190a022bde187c6f79a8ac0d10e516d1063f08

SHA512
25699a473f4e116619f4e3ffd529f55556852fd24cb492116fd75785dce4fcbd32da3b6a1199df2c5a4ad6d787ad02bdfbdbf0f850f4fee85801f3935a5211e6

Download Submit
\Program Files (x86)\TextAloud\TAContextMenu64.dll

Filesize
3.5MB

MD5
147a28200d7482ea0d4beaad0be03120

SHA1
2cc16e645e7f9cc19751416de9707faa20c3badc

SHA256
b4c7de7d06cf8f92c2c66a3de72d6b40a60cc146fc6370ecab012684831c7022

SHA512
83e4894b5ef7cec4169e34bf43067728ac02d206e5d49d93869e7febdd7dbc09ec12e583ac426fdd66313bc17b887bab8f952c5eb407c2a44ddff0a067369e64

Download Submit
\Program Files (x86)\TextAloud\TAForIE.dll

Filesize
2.4MB

MD5
990e516a6a6b46193c9f15f68bf1102d

SHA1
1e6ccfab46700fd5a55d1069111c1ff9da0bee70

SHA256
42f43d0aa526fbab294e51e3ceecf3e20142ca756a45b2df1f6e3887da47a626

SHA512
d8d994fc81b31693781707cbcb1abc614366e910bebe2d796169a1adaef3578a5520716c25d1857efb9137f8afee09f36e3e6ebec901e0cdec8fab51237dd68a

Download Submit
\Program Files (x86)\TextAloud\TAForIEBroker.exe

Filesize
2.2MB

MD5
45496192bfa412defa64930eea4e9a41

SHA1
2e1095135345911caaded1370a48bdfd4a1511bc

SHA256
dcd1239aa66ecd5f175b0f281bfb4f3d4a591952c1456868cbb6265af0d9cd6c

SHA512
89977617d54bdd258c58364f5d43751a168cf62f9c2e7da79e281eb9b9fc96f28d1424cd78ee4cab533e00c803694cda2dcd9557c1a6a9c1c58973af6620fdae

Download Submit
\Program Files (x86)\TextAloud\TAForOutlook64.dll

Filesize
7.6MB

MD5
cc453170729c388c099b5cb949a4045b

SHA1
19108b21a07dc4a619fbb8c9d1e671b74a3383fd

SHA256
35d8e759b7a1bcf19cecafff715353c8040b39ccaa3c84aa7e330770ed2f28bb

SHA512
dddc63559e276ed8234012e1cda465ef2912fee60416212428d629970809b4bf2b3b60a4eeaa6d1c88caa54840fca5adb019be253f1531f20a77093f5164dde8

Download Submit
\Program Files (x86)\TextAloud\TAMouseHook.dll

Filesize
132KB

MD5
b9beab6c21c278d5126b163b16ab79a4

SHA1
26a1c7e90f8e158c62623acf75454fd425a1dd7f

SHA256
88948623ef301fc87bba61fffb95a4c6f13805df589358bb09c66407b78248d6

SHA512
94eb8af888e1fb3acd2fef5d4b5b3493669a3fc451478b7b50ea2eb2febde32f2a8d2d5369f43c33d12e6476f400e21ce2b94c3ea0a7a725769ca70230da9af9

Download Submit
\Program Files (x86)\TextAloud\TextAloudMP3.exe

Filesize
11.0MB

MD5
3b770c9c698fcf8ff39fb80c2a56d1f6

SHA1
ef7bae8c599b6304fd4dc4cb5ca8e07ee70ecc65

SHA256
4aa41e364a59c3a958386c50ad09fe316e415c4037dc098b9c2d1b97c13d3109

SHA512
8dd55daaaf90f12b49ff0d79e4be893f84b4ce79175a6b87ade8b69432212979881045cf3fc5300fe05a7d445c2adc32d31f66447c79c399191b915606ca47a9

Download Submit
\Program Files (x86)\TextAloud\bass.dll

Filesize
125KB

MD5
c5b3059004e2c7631915ec044f4e6c63

SHA1
dbcdc0aba1d9cf3396ba8ae00bb3671c85047fb2

SHA256
3cd00f456f51829eda119e0e133acc1e45a5930d61fc335a2e9aa688a836a24d

SHA512
3ed914fbfa4ff78fe98ade848e79c3e1e3b66eae83159b45725bf946f2b3cb9d4f805f719901928d9b52c20bc121b0552645fa6aba11ac0fcd5ade672f14f5ee

Download Submit
\Program Files (x86)\TextAloud\bassenc.dll

Filesize
19KB

MD5
397ea39937b51405f34245fe0cda1388

SHA1
4d412bc305dc0757977b6b084aa7046c1b11159b

SHA256
1d2ccc2e25e1b645f63dfe93d191aa9fe1b14fa0296f922ae467766c1c64d633

SHA512
42feef0440530c9102cf476bada02afe1c7ecdb8a14733d11e8a8b40f96cb0eebb20244e8cee9b5c0df51ab60cc7e257e4105437c09a4c1e3bdc0e9d77f50a11

Download Submit
\Program Files (x86)\TextAloud\bassenc_ogg.dll

Filesize
148KB

MD5
0d71a82f3955433ccf1a1edb3a911f30

SHA1
186572f10f77b04e1eb77d5addd092a0d5a59f61

SHA256
dfee8783677d5661c873d1dd3b0fabb5ad6cc7c9638cb9390f728b0a4ac14574

SHA512
8c111fb270a1131cd77665b00d4e544ca62ceb55ed021e01205f028222c9b9731536d8d5af38f636241b823e102aec975bdbca036852a23f8e1e400c09bd04db

Download Submit
\Program Files (x86)\TextAloud\bassmix.dll

Filesize
21KB

MD5
6cbd7a375e98420dc8cc2475b62c895b

SHA1
ff4b3d66f4a8916acf36a7cc6e075dc25d468295

SHA256
704bc9a084989871a567abc638aec57b3c6514ef1e31ceacd0fb347551a7aaf4

SHA512
838895d1ff76bcc743c707c978029431e44433ae5b791891370b5ddb1509951b84d66eac257da7cf0851c73c9c82bdc9523eb99d79afc779c405e361811d480d

Download Submit
\Program Files (x86)\TextAloud\basswma.dll

Filesize
17KB

MD5
d2177355beccfdbc1e7b5c687dfba290

SHA1
0557f3883aa8eabefa6a110a08cf549117fd1901

SHA256
a844247b7cdcac1a5f61c604e4db111b274616c0eb19a70cdfb073c8c2f3b375

SHA512
7e5ce3047e4661969a3827b225f1b88f80bfea221549e37b406da52d1c51f60667340bb1a074f96a516d185979ab5e298fab76bf5789ce7ee34b399fd2bdfa3c

Download Submit
\Program Files (x86)\TextAloud\sapi5audio.dll

Filesize
76KB

MD5
b9fbffdb1193cf78ae28da9ff96b8578

SHA1
44fe33a550d10a663d187f069ea46a3f4ac36142

SHA256
7e089e32c80d0905b5c725c750d9112071095da94f3dda5590aa4cd9f4e07f74

SHA512
2f81f66402371d3e3e3d1e89986abcbd995f5e0746f102f9eb49a9bc9f7fa59557b054ef752b5dbb4c9fbaf02b7863d0bb26f864f1c637904aad37b17e7a42af

Download Submit
\Users\Admin\AppData\Local\Temp\is-28COU.tmp\AppCloser1.exe

Filesize
2.1MB

MD5
7dda15fd2de33dca341419cebb8e6206

SHA1
db0b63317e7a582c5b88bb454c6a12358f52e871

SHA256
7aaff19de5b7d21ee1785c54f46b18744f3518e87ad7a0b309ea87384ff4abe2

SHA512
3516a5bcd2f8dce58d487e090d6211d062633204fa4e9c4404cd6ec8bfa5998b7fc1686ec2ee48dfc8a01e1128c839e01d5e7e9671bab4f3c8333bc0a5fab470

Download Submit
\Users\Admin\AppData\Local\Temp\is-28COU.tmp\InstallerHelper.dll

Filesize
2.1MB

MD5
f79170750b22e2031592fbda6b16b3ca

SHA1
d2e35403ed38111c09d3dbdd166459a954968ff9

SHA256
76e86688b6d2bf3cbfb9bfe6661e9e93b4dd1aefe0c4d843081108648e66c962

SHA512
2086c7197993b2978e3cd30cb0a2fd70e5b1346bb1bd58070bd7360afda605faa36528ed71d3f3486d7bdb4f0c50a8946e329d24ea5f79d5a2572d8dfd2b1d32

Download Submit
\Users\Admin\AppData\Local\Temp\is-28COU.tmp\idp.dll

Filesize
216KB

MD5
8f995688085bced38ba7795f60a5e1d3

SHA1
5b1ad67a149c05c50d6e388527af5c8a0af4343a

SHA256
203d7b61eac96de865ab3b586160e72c78d93ab5532b13d50ef27174126fd006

SHA512
043d41947ab69fc9297dcb5ad238acc2c35250d1172869945ed1a56894c10f93855f0210cbca41ceee9efb55fd56a35a4ec03c77e252409edc64bfb5fb821c35

Download Submit
\Users\Admin\AppData\Local\Temp\is-HD3SK.tmp\NextUpTA4Installer.tmp

Filesize
708KB

MD5
ae5108fec9e1c3da26674d02ecc76153

SHA1
1ddf0c8de4032a6f649eb2d824ec2c9756806e53

SHA256
1d3e6c985ffb65f507795dc35beab5006121374a1a176d73abe7abf4505f1dfe

SHA512
ca7fae476ada3ab002e4d6826e704dfc0db7899789715fbcf3c9674394855d68b57260899e6fd792b8fc61a9e1fc22b0058335cac38a23c8f725c50d1baf9708

Download Submit
memory/696-267-0x00000000024A0000-0x000000000291A000-memory.dmp

Filesize
4.5MB

Download
memory/1276-289-0x0000000001DD0000-0x00000000021B5000-memory.dmp

Filesize
3.9MB

Download
memory/1696-278-0x0000000001E20000-0x00000000025F9000-memory.dmp

Filesize
7.8MB

Download
memory/1792-271-0x0000000001ED0000-0x0000000002675000-memory.dmp

Filesize
7.6MB

Download
memory/1836-285-0x0000000002240000-0x00000000024A7000-memory.dmp

Filesize
2.4MB

Download
memory/1988-274-0x0000000002250000-0x00000000026ED000-memory.dmp

Filesize
4.6MB

Download
memory/2384-615-0x00000000085A0000-0x0000000008696000-memory.dmp

Filesize
984KB

Download
memory/2384-635-0x0000000000400000-0x0000000001BA0000-memory.dmp

Filesize
23.6MB

Download
memory/2384-503-0x0000000000400000-0x0000000001BA0000-memory.dmp

Filesize
23.6MB

Download
memory/2384-614-0x00000000085A0000-0x0000000008696000-memory.dmp

Filesize
984KB

Download
memory/2540-57-0x0000000000400000-0x000000000062B000-memory.dmp

Filesize
2.2MB

Download
memory/2564-47-0x0000000000400000-0x000000000062B000-memory.dmp

Filesize
2.2MB

Download
memory/2664-42-0x0000000000400000-0x000000000062B000-memory.dmp

Filesize
2.2MB

Download
memory/2668-52-0x0000000000400000-0x000000000062B000-memory.dmp

Filesize
2.2MB

Download
memory/2688-293-0x0000000001E20000-0x00000000021B7000-memory.dmp

Filesize
3.6MB

Download
memory/2712-37-0x0000000003870000-0x0000000003A8D000-memory.dmp

Filesize
2.1MB

Download
memory/2712-31-0x0000000003870000-0x0000000003A8D000-memory.dmp

Filesize
2.1MB

Download
memory/2712-30-0x0000000000400000-0x00000000004BE000-memory.dmp

Filesize
760KB

Download
memory/2712-33-0x0000000000400000-0x00000000004BE000-memory.dmp

Filesize
760KB

Download
memory/2712-26-0x0000000003870000-0x0000000003A8D000-memory.dmp

Filesize
2.1MB

Download
memory/2712-36-0x0000000000400000-0x00000000004BE000-memory.dmp

Filesize
760KB

Download
memory/2712-254-0x0000000004400000-0x0000000004410000-memory.dmp

Filesize
64KB

Download
memory/2736-324-0x0000000000400000-0x0000000001BA0000-memory.dmp

Filesize
23.6MB

Download
memory/2736-332-0x0000000001CB0000-0x0000000001CB1000-memory.dmp

Filesize
4KB

Download
memory/2736-350-0x0000000003910000-0x0000000003911000-memory.dmp

Filesize
4KB

Download
memory/2736-345-0x0000000003900000-0x0000000003901000-memory.dmp

Filesize
4KB

Download
memory/2736-352-0x0000000003910000-0x0000000003911000-memory.dmp

Filesize
4KB

Download
memory/2736-344-0x0000000003900000-0x0000000003901000-memory.dmp

Filesize
4KB

Download
memory/2736-329-0x0000000001CB0000-0x0000000001CB1000-memory.dmp

Filesize
4KB

Download
memory/2736-459-0x0000000000400000-0x0000000001BA0000-memory.dmp

Filesize
23.6MB

Download
memory/2736-325-0x0000000000400000-0x0000000001BA0000-memory.dmp

Filesize
23.6MB

Download
memory/2736-323-0x0000000000400000-0x0000000001BA0000-memory.dmp

Filesize
23.6MB

Download
memory/2736-322-0x0000000000400000-0x0000000001BA0000-memory.dmp

Filesize
23.6MB

Download
memory/2736-314-0x0000000074210000-0x0000000074267000-memory.dmp

Filesize
348KB

Download
memory/2736-313-0x0000000000400000-0x0000000001BA0000-memory.dmp

Filesize
23.6MB

Download
memory/2736-312-0x0000000000230000-0x000000000025B000-memory.dmp

Filesize
172KB

Download
memory/2736-331-0x0000000001CB0000-0x0000000001CB1000-memory.dmp

Filesize
4KB

Download
memory/2736-351-0x0000000003910000-0x0000000003911000-memory.dmp

Filesize
4KB

Download
memory/2736-333-0x0000000001CB0000-0x0000000001CB1000-memory.dmp

Filesize
4KB

Download
memory/2736-338-0x0000000001CC0000-0x0000000001CC1000-memory.dmp

Filesize
4KB

Download
memory/2736-339-0x0000000001CC0000-0x0000000001CC1000-memory.dmp

Filesize
4KB

Download
memory/2736-326-0x0000000000400000-0x0000000001BA0000-memory.dmp

Filesize
23.6MB

Download
memory/2736-328-0x0000000000400000-0x0000000001BA0000-memory.dmp

Filesize
23.6MB

Download
memory/2736-327-0x0000000000400000-0x0000000001BA0000-memory.dmp

Filesize
23.6MB

Download
memory/2736-320-0x0000000074160000-0x00000000741FC000-memory.dmp

Filesize
624KB

Download
memory/2736-317-0x00000000742C0000-0x00000000742CD000-memory.dmp

Filesize
52KB

Download
memory/2736-318-0x00000000742B0000-0x00000000742BD000-memory.dmp

Filesize
52KB

Download
memory/2736-319-0x0000000074200000-0x000000007420B000-memory.dmp

Filesize
44KB

Download
memory/2888-29-0x0000000000400000-0x0000000000415000-memory.dmp

Filesize
84KB

Download
memory/2888-11-0x0000000000400000-0x0000000000415000-memory.dmp

Filesize
84KB

Download
memory/3068-0-0x0000000000220000-0x0000000000221000-memory.dmp

Filesize
4KB

Download
memory/3068-10-0x0000000000400000-0x0000000001DDB000-memory.dmp

Filesize
25.9MB

Download