Malware Analysis Report

2025-03-15 05:48

Sample ID 240624-algthatcqj
Target ta4073.exe
SHA256 87bc71b36b242a954f6dac19f466de0944becce465b37825552c1ba9703a19a8
Tags aspackv2 discovery persistence privilege_escalation
Score 7/10

Analysis Overview

Threat Level: Shows suspicious behavior

The file ta4073.exe was found to show suspicious behavior.

Malicious Activity Summary

aspackv2 discovery persistence privilege_escalation

ASPack v2.12-2.42

Checks computer location settings

Event Triggered Execution: Component Object Model Hijacking

Loads dropped DLL

Checks installed software on the system

Drops file in Program Files directory

Executes dropped EXE

Enumerates physical storage devices

Suspicious use of SetWindowsHookEx

Modifies Internet Explorer settings

Suspicious behavior: AddClipboardFormatListener

Suspicious behavior: EnumeratesProcesses

Suspicious use of SendNotifyMessage

Suspicious use of WriteProcessMemory

Suspicious use of FindShellTrayWindow

Kills process with taskkill

Modifies registry class

Suspicious use of AdjustPrivilegeToken

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-06-24 00:17

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-24 00:17

Reported

2024-06-24 00:20

Platform

win7-20240508-en

Max time kernel

141s

Max time network

119s

Command Line

"C:\Users\Admin\AppData\Local\Temp\ta4073.exe"

Signatures

ASPack v2.12-2.42

aspackv2

Event Triggered Execution: Component Object Model Hijacking

persistence privilege_escalation

Checks installed software on the system

discovery

Drops file in Program Files directory

Loads dropped DLL

Enumerates physical storage devices

Kills process with taskkill

evasion
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\taskkill.exe N/A
N/A N/A C:\Windows\SysWOW64\taskkill.exe N/A

Modifies Internet Explorer settings

adware spyware
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Toolbar\{F053C368-5458-45B2-9B4D-D8914BDDDBFF} C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar C:\Windows\system32\regsvr32.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Low Rights\DragDrop\{AD9CFEA2-F08B-4778-ABF4-B95EB8C9A68F}\Policy = "3" C:\Program Files (x86)\TextAloud\TextAloudMP3.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{3A534BE1-B41B-4C54-89A7-396AE1306A1A} C:\Program Files (x86)\TextAloud\TAForIEBroker.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{3A534BE1-B41B-4C54-89A7-396AE1306A1A}\Policy = "3" C:\Program Files (x86)\TextAloud\TAForIEBroker.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{02F7E2A2-5D3E-4727-A6B4-8E5724DDE6F5}\AppName = "TextAloudMP3.exe" C:\Program Files (x86)\TextAloud\TAForIEBroker.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{3A534BE1-B41B-4C54-89A7-396AE1306A1A}\AppPath = "C:\\Program Files (x86)\\TextAloud" C:\Program Files (x86)\TextAloud\TAForIEBroker.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{3A534BE1-B41B-4C54-89A7-396AE1306A1A}\Policy = "3" C:\Program Files (x86)\TextAloud\TAForIEBroker.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar\{F053C368-5458-45B2-9B4D-D8914BDDDBFF} C:\Windows\system32\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Low Rights\DragDrop\{AD9CFEA2-F08B-4778-ABF4-B95EB8C9A68F}\AppPath = "C:\\Program Files (x86)\\TextAloud\\" C:\Program Files (x86)\TextAloud\TextAloudMP3.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{3A534BE1-B41B-4C54-89A7-396AE1306A1A}\AppName = "TAForIEBroker.exe" C:\Program Files (x86)\TextAloud\TAForIEBroker.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{3A534BE1-B41B-4C54-89A7-396AE1306A1A}\AppPath = "C:\\Program Files (x86)\\TextAloud" C:\Program Files (x86)\TextAloud\TAForIEBroker.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Toolbar C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Low Rights\DragDrop\{AD9CFEA2-F08B-4778-ABF4-B95EB8C9A68F}\AppName = "TextAloudMP3.exe" C:\Program Files (x86)\TextAloud\TextAloudMP3.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{02F7E2A2-5D3E-4727-A6B4-8E5724DDE6F5}\AppPath = "C:\\Program Files (x86)\\TextAloud" C:\Program Files (x86)\TextAloud\TAForIEBroker.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{02F7E2A2-5D3E-4727-A6B4-8E5724DDE6F5}\Policy = "3" C:\Program Files (x86)\TextAloud\TAForIEBroker.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{3A534BE1-B41B-4C54-89A7-396AE1306A1A}\AppName = "TAForIEBroker.exe" C:\Program Files (x86)\TextAloud\TAForIEBroker.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Internet Explorer\Low Rights\DragDrop\{AD9CFEA2-F08B-4778-ABF4-B95EB8C9A68F} C:\Program Files (x86)\TextAloud\TextAloudMP3.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{02F7E2A2-5D3E-4727-A6B4-8E5724DDE6F5} C:\Program Files (x86)\TextAloud\TAForIEBroker.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{3A534BE1-B41B-4C54-89A7-396AE1306A1A} C:\Program Files (x86)\TextAloud\TAForIEBroker.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{02F7E2A2-5D3E-4727-A6B4-8E5724DDE6F5} C:\Program Files (x86)\TextAloud\TAForIEBroker.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{02F7E2A2-5D3E-4727-A6B4-8E5724DDE6F5}\AppName = "TextAloudMP3.exe" C:\Program Files (x86)\TextAloud\TAForIEBroker.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{02F7E2A2-5D3E-4727-A6B4-8E5724DDE6F5}\AppPath = "C:\\Program Files (x86)\\TextAloud" C:\Program Files (x86)\TextAloud\TAForIEBroker.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{02F7E2A2-5D3E-4727-A6B4-8E5724DDE6F5}\Policy = "3" C:\Program Files (x86)\TextAloud\TAForIEBroker.exe N/A

Modifies registry class

Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Simpleaudio.SpAudioPlug\ = "SpAudioPlug Class" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{B252A217-0693-4E2B-A108-0924B78F0D74} C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{B252A217-0693-4E2B-A108-0924B78F0D74}\TypeLib C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{FB920A1A-66FF-45BF-826B-E4A255B967DB}\TypeLib\ = "{2FE9453A-0FF7-4AE7-B607-7924B07F2E9A}" C:\Program Files (x86)\TextAloud\TAForIEBroker.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{CE57AA69-5C5C-4223-9F22-D85BFF11D870}\1.0\0\win32\ = "C:\\Program Files (x86)\\TextAloud\\TAForOutlook.dll" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{FC96622A-3955-499E-9E8E-6BDAA6CCA035} C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TAForOutlook.TAOutlookAddin\Clsid C:\Windows\system32\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{A280A098-9193-4AC4-945C-B812D5A9D9F0}\TypeLib\ = "{F6883202-8D97-4865-88F2-9392BEEA9526}" C:\Program Files (x86)\TextAloud\TextAloudMP3.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TAForIEBroker4.TABroker4\Clsid\ = "{53606CF2-ED18-420B-81D4-D22ADF70130C}" C:\Program Files (x86)\TextAloud\TAForIEBroker.exe N/A
Key created \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000_CLASSES\Wow6432Node C:\Program Files (x86)\TextAloud\TextAloudMP3.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{A4689098-1715-4EF6-9781-C452319789EA}\1.0\FLAGS C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TAForWord.TAForWordCoClass\ = "TAForWordCoClass Object" C:\Windows\system32\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{6C878866-0A6E-4DD0-8CAB-DE8C31BECF29}\ProxyStubClsid32\ = "{00020420-0000-0000-C000-000000000046}" C:\Program Files (x86)\TextAloud\TextAloudMP3.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{FB920A1A-66FF-45BF-826B-E4A255B967DB}\TypeLib\Version = "1.0" C:\Program Files (x86)\TextAloud\TAForIEBroker.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{3ADB43CA-06D0-48F9-8268-86C81C1FB7B0}\TypeLib\ = "{A4689098-1715-4EF6-9781-C452319789EA}" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Simpleaudio.SpAudioPlug.1 C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{A280A098-9193-4AC4-945C-B812D5A9D9F0}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" C:\Program Files (x86)\TextAloud\TextAloudMP3.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{8F8FD037-19C8-4142-B0D4-E69406F4913D} C:\Program Files (x86)\TextAloud\TextAloudMP3.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\PocketTextAloud.Application\shell\open\command C:\Program Files (x86)\TextAloud\TextAloudPocketAuthorization.exe N/A
Key created \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000_CLASSES\Wow6432Node\CLSID\{36c8e589-881d-48b6-a7c1-ca869abae88a}\Control C:\Program Files (x86)\TextAloud\TextAloudMP3.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{91307848-0DA5-44C7-9140-71B88F3CE5D9}\ProgID C:\Windows\system32\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{A280A098-9193-4AC4-945C-B812D5A9D9F0}\TypeLib C:\Program Files (x86)\TextAloud\TextAloudMP3.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{6C878866-0A6E-4DD0-8CAB-DE8C31BECF29}\TypeLib C:\Program Files (x86)\TextAloud\TextAloudMP3.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{921F5D84-1FC1-4867-A252-B31E97A29139}\ProgID\ = "Sapi5Audio.SpAudioPlug.1" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{F6883202-8D97-4865-88F2-9392BEEA9526}\4.0\FLAGS\ = "0" C:\Program Files (x86)\TextAloud\TextAloudMP3.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{6C878866-0A6E-4DD0-8CAB-DE8C31BECF29}\TypeLib\ = "{F6883202-8D97-4865-88F2-9392BEEA9526}" C:\Program Files (x86)\TextAloud\TextAloudMP3.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{3B2662CA-FF38-49BD-A1CD-8BFDE22F1513}\ = "ITABroadcastEvents" C:\Program Files (x86)\TextAloud\TextAloudMP3.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{3B2662CA-FF38-49BD-A1CD-8BFDE22F1513}\TypeLib\ = "{F6883202-8D97-4865-88F2-9392BEEA9526}" C:\Program Files (x86)\TextAloud\TextAloudMP3.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{A4689098-1715-4EF6-9781-C452319789EA}\1.0\0\win32\ = "C:\\Program Files (x86)\\TextAloud\\TAForWord.dll" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{F3F67A7D-3106-46A0-8E6E-91A66EF7E040}\TypeLib C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{F3F67A7D-3106-46A0-8E6E-91A66EF7E040}\TypeLib\ = "{A4689098-1715-4EF6-9781-C452319789EA}" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{3B2662CA-FF38-49BD-A1CD-8BFDE22F1513}\TypeLib C:\Program Files (x86)\TextAloud\TextAloudMP3.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{8F8FD037-19C8-4142-B0D4-E69406F4913D}\LocalServer32\ = "C:\\Program Files (x86)\\TextAloud\\TextAloudMP3.exe" C:\Program Files (x86)\TextAloud\TextAloudMP3.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{FC96622A-3955-499E-9E8E-6BDAA6CCA035}\TypeLib\Version = "1.0" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{CE57AA69-5C5C-4223-9F22-D85BFF11D870}\1.0\0\win32\ = "C:\\Program Files (x86)\\TextAloud\\TAForOutlook64.dll" C:\Windows\system32\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{3ADB43CA-06D0-48F9-8268-86C81C1FB7B0} C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{F3F67A7D-3106-46A0-8E6E-91A66EF7E040}\InprocServer32 C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{F3F67A7D-3106-46A0-8E6E-91A66EF7E040}\TypeLib\ = "{A4689098-1715-4EF6-9781-C452319789EA}" C:\Windows\system32\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{F6883202-8D97-4865-88F2-9392BEEA9526} C:\Program Files (x86)\TextAloud\TextAloudMP3.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{2C7D405F-4068-40C1-9F62-F0419199EEBF}\ = "ITABroadcast" C:\Program Files (x86)\TextAloud\TextAloudMP3.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{28F91DAB-4A3D-4CA3-B695-E25577138B2B}\LocalServer32\ = "C:\\PROGRA~2\\TEXTAL~1\\TEXTAL~1.EXE" C:\Program Files (x86)\TextAloud\TextAloudMP3.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TAForOutlook.TAOutlookAddin\ = "CoTAForOutlook Object" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{A4689098-1715-4EF6-9781-C452319789EA}\1.0 C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{A4689098-1715-4EF6-9781-C452319789EA}\1.0\0 C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{53606CF2-ED18-420B-81D4-D22ADF70130C}\LocalServer32\ = "C:\\Program Files (x86)\\TextAloud\\TAForIEBroker.exe" C:\Program Files (x86)\TextAloud\TAForIEBroker.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\PocketTextAloud.Application\ = "TextAloud Pocket Protocol" C:\Program Files (x86)\TextAloud\TextAloudPocketAuthorization.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{3B2662CA-FF38-49BD-A1CD-8BFDE22F1513}\ProxyStubClsid32 C:\Program Files (x86)\TextAloud\TextAloudMP3.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TextAloud_4.TABroadcast\Clsid C:\Program Files (x86)\TextAloud\TextAloudMP3.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TextAloud_4.TextAloudIntf_4\Clsid\ = "{8F8FD037-19C8-4142-B0D4-E69406F4913D}" C:\Program Files (x86)\TextAloud\TextAloudMP3.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{53606CF2-ED18-420B-81D4-D22ADF70130C} C:\Program Files (x86)\TextAloud\TAForIEBroker.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{F3F67A7D-3106-46A0-8E6E-91A66EF7E040}\ = "TAForWordCoClass Object" C:\Windows\system32\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{B252A217-0693-4E2B-A108-0924B78F0D74}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{B252A217-0693-4E2B-A108-0924B78F0D74} C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TextAloud_4.TABroadcast\ C:\Program Files (x86)\TextAloud\TextAloudMP3.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TextAloud_4.TABroadcast\Clsid\ = "{28F91DAB-4A3D-4CA3-B695-E25577138B2B}" C:\Program Files (x86)\TextAloud\TextAloudMP3.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{8F8FD037-19C8-4142-B0D4-E69406F4913D}\LocalServer32 C:\Program Files (x86)\TextAloud\TextAloudMP3.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{FB920A1A-66FF-45BF-826B-E4A255B967DB}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" C:\Program Files (x86)\TextAloud\TAForIEBroker.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{53606CF2-ED18-420B-81D4-D22ADF70130C}\Version C:\Program Files (x86)\TextAloud\TAForIEBroker.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{91307848-0DA5-44C7-9140-71B88F3CE5D9}\ProgID C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{91307848-0DA5-44C7-9140-71B88F3CE5D9}\TypeLib C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{F6883202-8D97-4865-88F2-9392BEEA9526}\4.0\HELPDIR\ = "C:\\Program Files (x86)\\TextAloud\\" C:\Program Files (x86)\TextAloud\TextAloudMP3.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{73971CFE-F35F-4D44-A3B3-617F1F92B004}\1.0\0\win32 C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{2C7D405F-4068-40C1-9F62-F0419199EEBF}\ProxyStubClsid32 C:\Program Files (x86)\TextAloud\TextAloudMP3.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{3B2662CA-FF38-49BD-A1CD-8BFDE22F1513} C:\Program Files (x86)\TextAloud\TextAloudMP3.exe N/A

Suspicious behavior: AddClipboardFormatListener

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\TextAloud\TextAloudMP3.exe N/A

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\taskkill.exe N/A
Token: SeDebugPrivilege N/A C:\Program Files (x86)\TextAloud\TextAloudMP3.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\is-HD3SK.tmp\NextUpTA4Installer.tmp N/A
N/A N/A C:\Program Files (x86)\TextAloud\TextAloudMP3.exe N/A

Suspicious use of SendNotifyMessage

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\TextAloud\TextAloudMP3.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3068 wrote to memory of 2888 N/A C:\Users\Admin\AppData\Local\Temp\ta4073.exe C:\Users\Admin\AppData\Local\Temp\TextAloud\NextUpTA4Installer.exe
PID 2888 wrote to memory of 2712 N/A C:\Users\Admin\AppData\Local\Temp\TextAloud\NextUpTA4Installer.exe C:\Users\Admin\AppData\Local\Temp\is-HD3SK.tmp\NextUpTA4Installer.tmp
PID 2712 wrote to memory of 2664 N/A C:\Users\Admin\AppData\Local\Temp\is-HD3SK.tmp\NextUpTA4Installer.tmp C:\Users\Admin\AppData\Local\Temp\is-28COU.tmp\AppCloser1.exe
PID 2712 wrote to memory of 2564 N/A C:\Users\Admin\AppData\Local\Temp\is-HD3SK.tmp\NextUpTA4Installer.tmp C:\Users\Admin\AppData\Local\Temp\is-28COU.tmp\AppCloser1.exe
PID 2712 wrote to memory of 2668 N/A C:\Users\Admin\AppData\Local\Temp\is-HD3SK.tmp\NextUpTA4Installer.tmp C:\Users\Admin\AppData\Local\Temp\is-28COU.tmp\AppCloser1.exe
PID 2712 wrote to memory of 2540 N/A C:\Users\Admin\AppData\Local\Temp\is-HD3SK.tmp\NextUpTA4Installer.tmp C:\Users\Admin\AppData\Local\Temp\is-28COU.tmp\AppCloser1.exe
PID 2712 wrote to memory of 1660 N/A C:\Users\Admin\AppData\Local\Temp\is-HD3SK.tmp\NextUpTA4Installer.tmp C:\Windows\SysWOW64\taskkill.exe
PID 2712 wrote to memory of 2976 N/A C:\Users\Admin\AppData\Local\Temp\is-HD3SK.tmp\NextUpTA4Installer.tmp C:\Windows\SysWOW64\taskkill.exe
PID 2712 wrote to memory of 696 N/A C:\Users\Admin\AppData\Local\Temp\is-HD3SK.tmp\NextUpTA4Installer.tmp C:\Windows\SysWOW64\regsvr32.exe
PID 2712 wrote to memory of 1860 N/A C:\Users\Admin\AppData\Local\Temp\is-HD3SK.tmp\NextUpTA4Installer.tmp C:\Windows\SysWOW64\regsvr32.exe
PID 1860 wrote to memory of 1792 N/A C:\Windows\SysWOW64\regsvr32.exe C:\Windows\system32\regsvr32.exe
PID 2712 wrote to memory of 1988 N/A C:\Users\Admin\AppData\Local\Temp\is-HD3SK.tmp\NextUpTA4Installer.tmp C:\Windows\SysWOW64\regsvr32.exe

Processes

C:\Users\Admin\AppData\Local\Temp\ta4073.exe

"C:\Users\Admin\AppData\Local\Temp\ta4073.exe"

C:\Users\Admin\AppData\Local\Temp\TextAloud\NextUpTA4Installer.exe

"C:\Users\Admin\AppData\Local\Temp\TextAloud\NextUpTA4Installer.exe"

C:\Users\Admin\AppData\Local\Temp\is-HD3SK.tmp\NextUpTA4Installer.tmp

"C:\Users\Admin\AppData\Local\Temp\is-HD3SK.tmp\NextUpTA4Installer.tmp" /SL5="$80124,24417821,57856,C:\Users\Admin\AppData\Local\Temp\TextAloud\NextUpTA4Installer.exe"

C:\Users\Admin\AppData\Local\Temp\is-28COU.tmp\AppCloser1.exe

"C:\Users\Admin\AppData\Local\Temp\is-28COU.tmp\AppCloser1.exe" /classname TForm1 /windowname TextAloud

C:\Users\Admin\AppData\Local\Temp\is-28COU.tmp\AppCloser1.exe

"C:\Users\Admin\AppData\Local\Temp\is-28COU.tmp\AppCloser1.exe" /classname TTA3Form /exename TextAloudMP3.exe /msg WM_NEXTUP_CLOSE

C:\Users\Admin\AppData\Local\Temp\is-28COU.tmp\AppCloser1.exe

"C:\Users\Admin\AppData\Local\Temp\is-28COU.tmp\AppCloser1.exe" /classname TTA4Form /exename TextAloudMP3.exe

C:\Users\Admin\AppData\Local\Temp\is-28COU.tmp\AppCloser1.exe

"C:\Users\Admin\AppData\Local\Temp\is-28COU.tmp\AppCloser1.exe" /classname TTAForOE /windowname "TAForOE Loader"

C:\Windows\SysWOW64\taskkill.exe

"C:\Windows\system32\taskkill.exe" /F /IM ieuser.exe

C:\Windows\SysWOW64\taskkill.exe

"C:\Windows\system32\taskkill.exe" /F /IM textaloudmp3.exe

C:\Windows\SysWOW64\regsvr32.exe

"C:\Windows\system32\regsvr32.exe" /s "C:\Program Files (x86)\TextAloud\TAForOutlook.dll"

C:\Windows\SysWOW64\regsvr32.exe

"C:\Windows\system32\regsvr32.exe" /s "C:\Program Files (x86)\TextAloud\TAForOutlook64.dll"

C:\Windows\system32\regsvr32.exe

/s "C:\Program Files (x86)\TextAloud\TAForOutlook64.dll"

C:\Windows\SysWOW64\regsvr32.exe

"C:\Windows\system32\regsvr32.exe" /s "C:\Program Files (x86)\TextAloud\TAForWord.dll"

C:\Windows\SysWOW64\regsvr32.exe

"C:\Windows\system32\regsvr32.exe" /s "C:\Program Files (x86)\TextAloud\TAForWord64.dll"

C:\Windows\system32\regsvr32.exe

/s "C:\Program Files (x86)\TextAloud\TAForWord64.dll"

C:\Windows\SysWOW64\regsvr32.exe

"C:\Windows\system32\regsvr32.exe" /s "C:\Program Files (x86)\TextAloud\sapi5audio.dll"

C:\Windows\SysWOW64\regsvr32.exe

"C:\Windows\system32\regsvr32.exe" /s "C:\Program Files (x86)\TextAloud\TAForIE.dll"

C:\Windows\SysWOW64\regsvr32.exe

"C:\Windows\system32\regsvr32.exe" /s "C:\Program Files (x86)\TextAloud\TAForIE64.dll"

C:\Windows\system32\regsvr32.exe

/s "C:\Program Files (x86)\TextAloud\TAForIE64.dll"

C:\Windows\SysWOW64\regsvr32.exe

"C:\Windows\system32\regsvr32.exe" /s "C:\Program Files (x86)\TextAloud\TAContextMenu64.dll"

C:\Windows\system32\regsvr32.exe

/s "C:\Program Files (x86)\TextAloud\TAContextMenu64.dll"

C:\Program Files (x86)\TextAloud\TextAloudMP3.exe

"C:\Program Files (x86)\TextAloud\TextAloudMP3.exe" /regserver

C:\Program Files (x86)\TextAloud\TAChromeMsgHost.exe

"C:\Program Files (x86)\TextAloud\TAChromeMsgHost.exe" /install /s /id obcnimnkkpdkbfnnoagjogdollcfnidj /manifest TAChromeManifest.json

C:\Program Files (x86)\TextAloud\TAChromeMsgHost.exe

"C:\Program Files (x86)\TextAloud\TAChromeMsgHost.exe" /install /s /id {5e1bc830-4746-11e5-b970-0800200c9a66} /manifest TAFirefoxManifest.json

C:\Program Files (x86)\TextAloud\TAForIEBroker.exe

"C:\Program Files (x86)\TextAloud\TAForIEBroker.exe" /regserver

C:\Program Files (x86)\TextAloud\TextAloudPocketAuthorization.exe

"C:\Program Files (x86)\TextAloud\TextAloudPocketAuthorization" /register

C:\Program Files (x86)\TextAloud\TextAloudMP3.exe

"C:\Program Files (x86)\TextAloud\TextAloudMP3.exe"

Network

N/A

Files

C:\Users\Admin\AppData\Local\Temp\TextAloud\NextUpTA4Installer.exe

\Users\Admin\AppData\Local\Temp\is-HD3SK.tmp\NextUpTA4Installer.tmp

\Users\Admin\AppData\Local\Temp\is-28COU.tmp\idp.dll

\Users\Admin\AppData\Local\Temp\is-28COU.tmp\InstallerHelper.dll

\Users\Admin\AppData\Local\Temp\is-28COU.tmp\AppCloser1.exe

\Program Files (x86)\TextAloud\TextAloudMP3.exe

C:\Program Files (x86)\TextAloud\TAForOutlook.dll

\Program Files (x86)\TextAloud\TAForOutlook64.dll

C:\Program Files (x86)\TextAloud\TAForWord.dll

C:\Program Files (x86)\TextAloud\TAForWord64.dll

C:\Program Files (x86)\TextAloud\MSVCR120.dll

C:\Program Files (x86)\TextAloud\TAForIE64.dll

\Program Files (x86)\TextAloud\TAContextMenu64.dll

\Program Files (x86)\TextAloud\AudioGenie3.dll

\Program Files (x86)\TextAloud\Lame_Enc.dll

\Program Files (x86)\TextAloud\TAMouseHook.dll

\Program Files (x86)\TextAloud\bassenc_ogg.dll

\Program Files (x86)\TextAloud\basswma.dll

\Program Files (x86)\TextAloud\bassenc.dll

\Program Files (x86)\TextAloud\bassmix.dll

\Program Files (x86)\TextAloud\bass.dll

\Program Files (x86)\TextAloud\TAForIE.dll

\Program Files (x86)\TextAloud\sapi5audio.dll

\Program Files (x86)\TextAloud\TAChromeMsgHost.exe

\Program Files (x86)\TextAloud\TAForIEBroker.exe

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-24 00:17

Reported

2024-06-24 00:20

Platform

win10v2004-20240508-en

Max time kernel

143s

Max time network

52s

Command Line

"C:\Users\Admin\AppData\Local\Temp\ta4073.exe"

Signatures

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\ta4073.exe N/A

Enumerates physical storage devices

Processes

C:\Users\Admin\AppData\Local\Temp\ta4073.exe

"C:\Users\Admin\AppData\Local\Temp\ta4073.exe"

C:\Users\Admin\AppData\Local\Temp\TextAloud\NextUpTA4Installer.exe

"C:\Users\Admin\AppData\Local\Temp\TextAloud\NextUpTA4Installer.exe"

C:\Users\Admin\AppData\Local\Temp\is-HI3KV.tmp\NextUpTA4Installer.tmp

"C:\Users\Admin\AppData\Local\Temp\is-HI3KV.tmp\NextUpTA4Installer.tmp" /SL5="$90054,24417821,57856,C:\Users\Admin\AppData\Local\Temp\TextAloud\NextUpTA4Installer.exe"

Network

Files

memory/620-0-0x0000000003A30000-0x0000000003A31000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\TextAloud\NextUpTA4Installer.exe

MD5 b2b3d7a79ce92eea03c5a11a6f3a4c61
SHA1 2c7a1b65fb2f3f3f1710e26434af8cc6ecaa39de
SHA256 5c61e6b04a94a8af724500f062b2615818f3a24eab983977e50484742c7f0f57
SHA512 dea97e4b83128ea4bd4b84e0b5658d5b60b716521aad80927f505c15c16b402f684cd98d994ca96536f9817f2795949a73da4ec977cbf1358912a648be694535

memory/2184-15-0x0000000000400000-0x0000000000415000-memory.dmp

memory/2184-19-0x0000000000401000-0x000000000040C000-memory.dmp

memory/620-14-0x0000000000400000-0x0000000001DDB000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\is-HI3KV.tmp\NextUpTA4Installer.tmp

MD5 ae5108fec9e1c3da26674d02ecc76153
SHA1 1ddf0c8de4032a6f649eb2d824ec2c9756806e53
SHA256 1d3e6c985ffb65f507795dc35beab5006121374a1a176d73abe7abf4505f1dfe
SHA512 ca7fae476ada3ab002e4d6826e704dfc0db7899789715fbcf3c9674394855d68b57260899e6fd792b8fc61a9e1fc22b0058335cac38a23c8f725c50d1baf9708

memory/3368-22-0x0000000000400000-0x00000000004BE000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\is-G8LCQ.tmp\idp.dll

MD5 8f995688085bced38ba7795f60a5e1d3
SHA1 5b1ad67a149c05c50d6e388527af5c8a0af4343a
SHA256 203d7b61eac96de865ab3b586160e72c78d93ab5532b13d50ef27174126fd006
SHA512 043d41947ab69fc9297dcb5ad238acc2c35250d1172869945ed1a56894c10f93855f0210cbca41ceee9efb55fd56a35a4ec03c77e252409edc64bfb5fb821c35

C:\Users\Admin\AppData\Local\Temp\is-G8LCQ.tmp\InstallerHelper.dll

MD5 f79170750b22e2031592fbda6b16b3ca
SHA1 d2e35403ed38111c09d3dbdd166459a954968ff9
SHA256 76e86688b6d2bf3cbfb9bfe6661e9e93b4dd1aefe0c4d843081108648e66c962
SHA512 2086c7197993b2978e3cd30cb0a2fd70e5b1346bb1bd58070bd7360afda605faa36528ed71d3f3486d7bdb4f0c50a8946e329d24ea5f79d5a2572d8dfd2b1d32

memory/3368-32-0x0000000003B80000-0x0000000003D9D000-memory.dmp

memory/2184-35-0x0000000000400000-0x0000000000415000-memory.dmp

memory/3368-36-0x0000000000400000-0x00000000004BE000-memory.dmp

memory/3368-37-0x0000000003B80000-0x0000000003D9D000-memory.dmp

memory/3368-43-0x0000000003B80000-0x0000000003D9D000-memory.dmp