Malware Analysis Report

2024-09-09 18:07

Sample ID 240618-sh3wnsyerb
Target TixeoClientW3D_dzNkJTNBJTJGJTJGdGl4ZW9jbG91ZC5zZWMub3JhbmdlJTJGbWVldCUyRg_custom.exe
SHA256 16de1c80ce70584212fde77a2f9149bddeb8a266820e74c34f0d8303c14609f8
Tags: discovery persistence privilege_escalation
Score: 6/10

Table of Contents

Analysis Overview
MITRE ATT&CK Matrix
Analysis: static1 (Detonation Overview, Signatures)
Analysis: behavioral1 (Detonation Overview, Command Line, Signatures, Processes, Network, Files)
Analysis: behavioral2 (Detonation Overview, Command Line, Signatures, Processes, Network, Files)

Analysis Overview

Score: 6/10

SHA256: 16de1c80ce70584212fde77a2f9149bddeb8a266820e74c34f0d8303c14609f8

Threat Level: Shows suspicious behavior

The file TixeoClientW3D_dzNkJTNBJTJGJTJGdGl4ZW9jbG91ZC5zZWMub3JhbmdlJTJGbWVldCUyRg_custom.exe was classified as "Shows suspicious behavior". What the two detonations actually record is an Inno Setup installer (the is-*.tmp staging directories, the /SL5= re-launch of the extracted .tmp, the nested TixeoOutlookPlugin.exe run with /VERYSILENT and the unins000.dat file are all visible below) that places the Tixeo client under C:\Users\Admin\AppData\Local\Tixeo Soft\Communication\Client. Beyond dropping and executing files, it sets up four things worth verifying on a real host: an HKCU Run entry for W3DClient.exe, a w3d: URL protocol handler that runs W3DClient.exe with the URL as %1, an Internet Explorer Low Rights ElevationPolicy entry for W3DClient.exe with Policy = 3 (launch at medium integrity without a prompt), and a per-user COM class for the Outlook add-in registered through regsvr32.exe. No network traffic was captured in either run. The base64 segment of the file name decodes to the percent-encoded meeting URL w3d://tixeocloud.sec.orange/meet/, which is exactly the argument W3DClient.exe is started with at the end of behavioral2.
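The file name carries the meeting URL in two layers (base64 over percent-encoding), and the installed client is later launched with the percent-encoded form. The following script, added here as a worked check and not part of the sandbox report or of Tixeo's own software, decodes that name and confirms it against the W3DClient.exe command line. The "<prefix>_<base64>_custom.exe" layout is an assumption read off this one sample, not a documented format.

```python
import base64
import re
from urllib.parse import unquote, urlsplit

# The sample name from this report. The "<prefix>_<base64url payload>_custom.exe"
# layout is an assumption read off that one name, not a documented Tixeo format.
SAMPLE_NAME = ("TixeoClientW3D_dzNkJTNBJTJGJTJGdGl4ZW9jbG91ZC5zZWMub3JhbmdlJTJG"
               "bWVldCUyRg_custom.exe")

NAME_RE = re.compile(r"^(?P<prefix>[^_]+)_(?P<payload>[A-Za-z0-9_=+/-]+?)_custom\.exe$")


def b64_decode_unpadded(s: str) -> bytes:
    """Decode base64 (standard or URL-safe alphabet) whose '=' padding was dropped.

    A length of 1 mod 4 can never be valid base64, so it is rejected instead of
    being silently padded into garbage.
    """
    s = s.strip()
    missing = (-len(s)) % 4
    if missing == 3:
        raise ValueError("base64 payload has an impossible length")
    return base64.b64decode(s + "=" * missing, altchars=b"-_", validate=True)


def decode_embedded_url(filename: str) -> dict:
    """Recover the meeting URL an installer name carries and split it into parts."""
    m = NAME_RE.match(filename)
    if not m:
        raise ValueError("name does not look like <prefix>_<base64>_custom.exe")
    # First layer: base64 -> a percent-encoded URL, i.e. the literal argument
    # W3DClient.exe is started with in behavioral2 ("w3d%3A%2F%2F...").
    encoded = b64_decode_unpadded(m.group("payload")).decode("utf-8")
    url = unquote(encoded)               # second layer: percent-decoding
    parts = urlsplit(url)
    return {
        "prefix": m.group("prefix"),
        "launch_argument": encoded,
        "url": url,
        "scheme": parts.scheme,
        "host": parts.hostname,
        "path": parts.path,
    }


def matches_launch_argument(filename: str, cmdline_argument: str) -> bool:
    """True when the argument seen on the W3DClient.exe command line names the
    same URL the installer name carried. Both sides are percent-decoded first,
    so a different host cannot hide behind an alternative encoding."""
    return unquote(cmdline_argument) == decode_embedded_url(filename)["url"]


if __name__ == "__main__":
    info = decode_embedded_url(SAMPLE_NAME)
    for k, v in info.items():
        print(f"{k:>16}: {v}")
    print("matches behavioral2 argument:",
          matches_launch_argument(SAMPLE_NAME, "w3d%3A%2F%2Ftixeocloud.sec.orange%2Fmeet%2F"))
```

When vetting "custom" installers of this kind, the host in the decoded URL is the one field that distinguishes a build pointed at the expected meeting server from one pointed at a lookalike, so it is worth checking automatically against an allow-list rather than trusting the file name as shown.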

Malicious Activity Summary

discovery persistence privilege_escalation

Adds Run key to start application

Event Triggered Execution: Component Object Model Hijacking

Executes dropped EXE

Loads dropped DLL

Checks installed software on the system

Enumerates physical storage devices

Modifies registry class

Suspicious behavior: EnumeratesProcesses

Modifies Internet Explorer settings

Suspicious use of FindShellTrayWindow

Suspicious use of WriteProcessMemory

Suspicious use of SendNotifyMessage

Suspicious use of SetWindowsHookEx

MITRE ATT&CK Matrix V13

Analysis: static1

Detonation Overview

Reported

2024-06-18 15:08

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-18 15:08

Reported

2024-06-18 15:11

Platform

win7-20240221-en

Max time kernel

149s

Max time network

121s

Command Line

"C:\Users\Admin\AppData\Local\Temp\TixeoClientW3D_dzNkJTNBJTJGJTJGdGl4ZW9jbG91ZC5zZWMub3JhbmdlJTJGbWVldCUyRg_custom.exe"

Signatures

Adds Run key to start application

persistence
Description Indicator Process Target
Description: Set value (str)
Indicator: \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Windows\CurrentVersion\Run\W3DClient = "\"C:\\Users\\Admin\\AppData\\Local\\Tixeo Soft\\Communication\\Client\\W3DClient.exe\""
Process: C:\Users\Admin\AppData\Local\Temp\is-V8OUU.tmp\TixeoClientW3D_dzNkJTNBJTJGJTJGdGl4ZW9jbG91ZC5zZWMub3JhbmdlJTJGbWVldCUyRg_custom.tmp
Target: N/A

Event Triggered Execution: Component Object Model Hijacking

persistence privilege_escalation

The report attaches no indicator rows to this signature. The only COM-related writes it records are the per-user registrations of CLSID {49A05F6A-AB62-41F8-87CB-63AFA90AFE28} and ProgID TixeoOutlookAddin.coTixeoOutlookAddin made by regsvr32.exe, listed under "Modifies registry class" below. Whether that is a hijack (a per-user CLSID shadowing one that already exists under HKLM\SOFTWARE\Classes\CLSID) or an ordinary add-in registration cannot be decided from this report; check the machine-wide hive on the target before treating it as persistence.

Checks installed software on the system

discovery

Enumerates physical storage devices

Modifies Internet Explorer settings

adware spyware
Description Indicator Process Target
All rows: Process C:\Users\Admin\AppData\Local\Temp\is-V8OUU.tmp\TixeoClientW3D_dzNkJTNBJTJGJTJGdGl4ZW9jbG91ZC5zZWMub3JhbmdlJTJGbWVldCUyRg_custom.tmp, Target N/A. Keys are under \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\Low Rights; that prefix is omitted below.
Key created      (Low Rights itself)
Key created      \ElevationPolicy
Key created      \ElevationPolicy\{AA9F442A-C8E1-11DC-8404-C59755D89593}
Set value (str)  \ElevationPolicy\{AA9F442A-C8E1-11DC-8404-C59755D89593}\AppName = "W3DClient.exe"
Set value (str)  \ElevationPolicy\{AA9F442A-C8E1-11DC-8404-C59755D89593}\AppPath = "C:\\Users\\Admin\\AppData\\Local\\Tixeo Soft\\Communication\\Client"
Set value (int)  \ElevationPolicy\{AA9F442A-C8E1-11DC-8404-C59755D89593}\Policy = "3"

Modifies registry class

Description Indicator Process Target
Target is N/A for every row. All keys are under \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000_CLASSES, i.e. HKCU\Software\Classes; that prefix is omitted below.

Process: C:\Users\Admin\AppData\Local\Temp\is-V8OUU.tmp\TixeoClientW3D_dzNkJTNBJTJGJTJGdGl4ZW9jbG91ZC5zZWMub3JhbmdlJTJGbWVldCUyRg_custom.tmp (registers the w3d: URL protocol)
Key created      \w3d
Set value (str)  \w3d\ = "URL:Tixeo Communication protocol"
Set value (str)  \w3d\URL Protocol
Key created      \w3d\shell
Key created      \w3d\shell\Open
Key created      \w3d\shell\Open\command
Set value (str)  \w3d\shell\Open\command\ = "C:\\Users\\Admin\\AppData\\Local\\Tixeo Soft\\Communication\\Client\\W3DClient.exe %1"

Process: C:\Windows\SysWOW64\regsvr32.exe (registers the Outlook add-in COM class)
Key created      \Wow6432Node
Key created      \Wow6432Node\CLSID
Key created      \Wow6432Node\CLSID\{49A05F6A-AB62-41F8-87CB-63AFA90AFE28}
Set value (str)  \Wow6432Node\CLSID\{49A05F6A-AB62-41F8-87CB-63AFA90AFE28}\ = "coTixeoOutlookAddin Object"
Key created      \Wow6432Node\CLSID\{49A05F6A-AB62-41F8-87CB-63AFA90AFE28}\InprocServer32
Set value (str)  \Wow6432Node\CLSID\{49A05F6A-AB62-41F8-87CB-63AFA90AFE28}\InprocServer32\ = "C:\\Users\\Admin\\AppData\\Local\\TIXEOS~1\\COMMUN~1\\Client\\TIXEOO~2.DLL"
Set value (str)  \Wow6432Node\CLSID\{49A05F6A-AB62-41F8-87CB-63AFA90AFE28}\InprocServer32\ThreadingModel = "Apartment"
Key created      \Wow6432Node\CLSID\{49A05F6A-AB62-41F8-87CB-63AFA90AFE28}\ProgID
Set value (str)  \Wow6432Node\CLSID\{49A05F6A-AB62-41F8-87CB-63AFA90AFE28}\ProgID\ = "TixeoOutlookAddin.coTixeoOutlookAddin"
Key created      \Wow6432Node\CLSID\{49A05F6A-AB62-41F8-87CB-63AFA90AFE28}\TypeLib
Set value (str)  \Wow6432Node\CLSID\{49A05F6A-AB62-41F8-87CB-63AFA90AFE28}\TypeLib\ = "{DD7C8A60-77B9-4441-8898-F10682EDE59C}"
Key created      \Wow6432Node\CLSID\{49A05F6A-AB62-41F8-87CB-63AFA90AFE28}\Version
Set value (str)  \Wow6432Node\CLSID\{49A05F6A-AB62-41F8-87CB-63AFA90AFE28}\Version\ = "1.0"
Key created      \TixeoOutlookAddin.coTixeoOutlookAddin
Set value (str)  \TixeoOutlookAddin.coTixeoOutlookAddin\ = "coTixeoOutlookAddin Object"
Key created      \TixeoOutlookAddin.coTixeoOutlookAddin\Clsid
Set value (str)  \TixeoOutlookAddin.coTixeoOutlookAddin\Clsid\ = "{49A05F6A-AB62-41F8-87CB-63AFA90AFE28}"

Suspicious use of WriteProcessMemory

Description Indicator Process Target
Indicator and Target are N/A for every row; the report prints one row per call, and the count in parentheses is the number of identical rows it contains.
PID 2868 wrote to memory of 2944 (7 rows): C:\Users\Admin\AppData\Local\Temp\TixeoClientW3D_dzNkJTNBJTJGJTJGdGl4ZW9jbG91ZC5zZWMub3JhbmdlJTJGbWVldCUyRg_custom.exe -> C:\Users\Admin\AppData\Local\Temp\is-V8OUU.tmp\TixeoClientW3D_dzNkJTNBJTJGJTJGdGl4ZW9jbG91ZC5zZWMub3JhbmdlJTJGbWVldCUyRg_custom.tmp
PID 2944 wrote to memory of 288 (4 rows): C:\Users\Admin\AppData\Local\Temp\is-V8OUU.tmp\TixeoClientW3D_dzNkJTNBJTJGJTJGdGl4ZW9jbG91ZC5zZWMub3JhbmdlJTJGbWVldCUyRg_custom.tmp -> C:\Users\Admin\AppData\Local\Temp\is-2LUFQ.tmp\TixeoOutlookPlugin.exe
PID 288 wrote to memory of 644 (7 rows): C:\Users\Admin\AppData\Local\Temp\is-2LUFQ.tmp\TixeoOutlookPlugin.exe -> C:\Users\Admin\AppData\Local\Temp\is-FRQ43.tmp\TixeoOutlookPlugin.tmp
PID 644 wrote to memory of 1920 (7 rows): C:\Users\Admin\AppData\Local\Temp\is-FRQ43.tmp\TixeoOutlookPlugin.tmp -> C:\Windows\SysWOW64\regsvr32.exe
Every writer/target pair is a parent and the child it spawns next in the installer chain listed under Processes below; no write into an unrelated, pre-existing process is recorded.
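The WriteProcessMemory tables in both runs are easier to read as a process tree with per-edge counts than as repeated rows. The script below, an added example rather than anything from the sandbox or from Tixeo, parses rows in the report's own "PID A wrote to memory of B N/A <image> <image>" format, collapses repeats, and prints the chain. The sample rows are constructed to mirror the counts in this report (7/4/7/7 in behavioral1, 3/3/3/2 in behavioral2) with the installer's long base64 name shortened to TixeoClientW3D_custom; the splitter is written to survive the space in "Tixeo Soft", which a naive whitespace split would not.

```python
import re
from collections import Counter, defaultdict

# Sample rows constructed to mirror the two WriteProcessMemory tables in this
# report; the sandbox prints one row per call, so each parent/child pair recurs.
# The installer's long base64 name is shortened to TixeoClientW3D_custom here.
T = r"C:\Users\Admin\AppData\Local\Temp"


def P(*parts):
    """Join Windows path components with a backslash."""
    return "\\".join(parts)


RUN1 = [  # (writer pid, target pid, writer image, target image, rows in report)
    (2868, 2944, P(T, "TixeoClientW3D_custom.exe"), P(T, "is-V8OUU.tmp", "TixeoClientW3D_custom.tmp"), 7),
    (2944, 288, P(T, "is-V8OUU.tmp", "TixeoClientW3D_custom.tmp"), P(T, "is-2LUFQ.tmp", "TixeoOutlookPlugin.exe"), 4),
    (288, 644, P(T, "is-2LUFQ.tmp", "TixeoOutlookPlugin.exe"), P(T, "is-FRQ43.tmp", "TixeoOutlookPlugin.tmp"), 7),
    (644, 1920, P(T, "is-FRQ43.tmp", "TixeoOutlookPlugin.tmp"), r"C:\Windows\SysWOW64\regsvr32.exe", 7),
]
RUN2 = [
    (4592, 4020, P(T, "TixeoClientW3D_custom.exe"), P(T, "is-VQ4NG.tmp", "TixeoClientW3D_custom.tmp"), 3),
    (4020, 2864, P(T, "is-VQ4NG.tmp", "TixeoClientW3D_custom.tmp"), P(T, "is-EH9J7.tmp", "TixeoOutlookPlugin.exe"), 3),
    (2864, 1556, P(T, "is-EH9J7.tmp", "TixeoOutlookPlugin.exe"), P(T, "is-AOOBA.tmp", "TixeoOutlookPlugin.tmp"), 3),
    # the space in "Tixeo Soft" is the case a whitespace split gets wrong
    (4020, 3180, P(T, "is-VQ4NG.tmp", "TixeoClientW3D_custom.tmp"),
     r"C:\Users\Admin\AppData\Local\Tixeo Soft\Communication\Client\W3DClient.exe", 2),
]


def rows_for(run):
    """Render a run as the report's row format, one row per recorded call."""
    return "\n".join(f"PID {s} wrote to memory of {d} N/A {sp} {dp}"
                     for s, d, sp, dp, n in run for _ in range(n))


ROW_RE = re.compile(r"^PID (?P<src>\d+) wrote to memory of (?P<dst>\d+) N/A (?P<paths>.+)$")
PATH_SPLIT = re.compile(r"\s+(?=[A-Za-z]:\\)")  # cut only where the next drive path begins


def parse_rows(text):
    """One (writer, target, writer_image, target_image) tuple per table row."""
    events = []
    for line in text.strip().splitlines():
        m = ROW_RE.match(line.strip())
        if not m:
            continue
        paths = PATH_SPLIT.split(m.group("paths"))
        if len(paths) != 2:
            raise ValueError(f"expected two image paths: {line!r}")
        events.append((int(m.group("src")), int(m.group("dst")), paths[0], paths[1]))
    return events


def summarize(events):
    """Collapse repeated rows into per-edge counts plus parent/child maps."""
    counts = Counter((s, d) for s, d, _, _ in events)
    names, children, parent = {}, defaultdict(list), {}
    for s, d, sp, dp in events:
        names.setdefault(s, sp)
        names.setdefault(d, dp)
    for s, d in counts:
        children[s].append(d)
        parent[d] = s
    roots = sorted({s for s, _ in counts if s not in parent})
    return {"counts": dict(counts), "names": names, "children": dict(children),
            "parent": parent, "roots": roots}


def lineage(summary, pid):
    """Root-to-pid chain of writers, e.g. installer -> .tmp -> plugin -> regsvr32."""
    chain = [pid]
    while chain[-1] in summary["parent"]:
        chain.append(summary["parent"][chain[-1]])
    return chain[::-1]


def render(summary):
    lines = []

    def walk(pid, depth):
        lines.append(f"{'  ' * depth}{pid}  {summary['names'][pid]}")
        for child in sorted(summary["children"].get(pid, [])):
            n = summary["counts"][(pid, child)]
            lines.append(f"{'  ' * (depth + 1)}|-- {n} WriteProcessMemory row(s) ->")
            walk(child, depth + 1)

    for r in summary["roots"]:
        walk(r, 0)
    return "\n".join(lines)


if __name__ == "__main__":
    for label, run in (("behavioral1", RUN1), ("behavioral2", RUN2)):
        print(f"== {label}")
        print(render(summarize(parse_rows(rows_for(run)))))
```

A target that never appears as a child of its writer elsewhere in the process list would be the thing to look for; in this report every edge is a parent launching the next stage, which is why the counts, not the mere presence of the rows, are the useful signal.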

Processes

C:\Users\Admin\AppData\Local\Temp\TixeoClientW3D_dzNkJTNBJTJGJTJGdGl4ZW9jbG91ZC5zZWMub3JhbmdlJTJGbWVldCUyRg_custom.exe

"C:\Users\Admin\AppData\Local\Temp\TixeoClientW3D_dzNkJTNBJTJGJTJGdGl4ZW9jbG91ZC5zZWMub3JhbmdlJTJGbWVldCUyRg_custom.exe"

C:\Users\Admin\AppData\Local\Temp\is-V8OUU.tmp\TixeoClientW3D_dzNkJTNBJTJGJTJGdGl4ZW9jbG91ZC5zZWMub3JhbmdlJTJGbWVldCUyRg_custom.tmp

"C:\Users\Admin\AppData\Local\Temp\is-V8OUU.tmp\TixeoClientW3D_dzNkJTNBJTJGJTJGdGl4ZW9jbG91ZC5zZWMub3JhbmdlJTJGbWVldCUyRg_custom.tmp" /SL5="$50150,84175752,57856,C:\Users\Admin\AppData\Local\Temp\TixeoClientW3D_dzNkJTNBJTJGJTJGdGl4ZW9jbG91ZC5zZWMub3JhbmdlJTJGbWVldCUyRg_custom.exe"

C:\Users\Admin\AppData\Local\Temp\is-2LUFQ.tmp\TixeoOutlookPlugin.exe

"C:\Users\Admin\AppData\Local\Temp\is-2LUFQ.tmp\TixeoOutlookPlugin.exe" /VERYSILENT /NORESTART /SUPPRESSMSGBOXES /LOG="C:\Users\Admin\AppData\Local\Tixeo Soft\Communication\Client\TixeoOutlookPlugin.log"

C:\Users\Admin\AppData\Local\Temp\is-FRQ43.tmp\TixeoOutlookPlugin.tmp

"C:\Users\Admin\AppData\Local\Temp\is-FRQ43.tmp\TixeoOutlookPlugin.tmp" /SL5="$301E8,7983214,57856,C:\Users\Admin\AppData\Local\Temp\is-2LUFQ.tmp\TixeoOutlookPlugin.exe" /VERYSILENT /NORESTART /SUPPRESSMSGBOXES /LOG="C:\Users\Admin\AppData\Local\Tixeo Soft\Communication\Client\TixeoOutlookPlugin.log"

C:\Windows\SysWOW64\regsvr32.exe

"C:\Windows\system32\regsvr32.exe" /s "C:\Users\Admin\AppData\Local\Tixeo Soft\Communication\Client\TixeoOutlookAddin.dll"

The command line names system32 while the image that ran is SysWOW64\regsvr32.exe: the 32-bit TixeoOutlookPlugin.tmp launched it, so WOW64 file-system redirection resolved the path. This is not a masquerading indicator. The /s switch registers the DLL silently and is what produced the HKCU CLSID writes listed under "Modifies registry class".

Network

N/A

Files

memory/2868-0-0x0000000000400000-0x0000000000415000-memory.dmp

memory/2868-2-0x0000000000401000-0x000000000040C000-memory.dmp

\Users\Admin\AppData\Local\Temp\is-V8OUU.tmp\TixeoClientW3D_dzNkJTNBJTJGJTJGdGl4ZW9jbG91ZC5zZWMub3JhbmdlJTJGbWVldCUyRg_custom.tmp

MD5 c570d17bf317dfaa28d6107e30a5c33a
SHA1 b965d8ea6a247c93bec868860e5e49d51f3aa41a
SHA256 531b0231439389ed1ea9dc8ea307b355a9adf04c73b899bd5f7685ee75c7aa92
SHA512 88e234ecfe54b5d5241bf9ad440298db5c85994fcb68021f3e8684be6db0b6ee848299e2c92ba0eefe4306eb6318e13034344f1de8153a0b56a9b50577e66b20

memory/2944-8-0x0000000000400000-0x00000000004BE000-memory.dmp

\Users\Admin\AppData\Local\Tixeo Soft\Communication\Client\W3DClient.exe

MD5 309fdd8e3e467bd507d0b0047d095046
SHA1 3429b3f7dd3e5bf3d8f5ef9e3486f6a3d54240f6
SHA256 bfc2a6195ecfc6dfb5f8f7626e3ae4f0199a292032fbf083714c7e039f4d404b
SHA512 59c71d95638364ac7fb80c7da98c165e4df137022ad8743454e979d9b19d91fa1d00b25eae53adf7e33b3f97c567f0c1918403e162d8157006011d1b50581798

C:\Users\Admin\AppData\Local\Temp\is-2LUFQ.tmp\TixeoOutlookPlugin.exe

MD5 9851bec28a2fe7c81888c11562c420f1
SHA1 64ae84d1fc0a4bad2a255d7fb9f93027deb9adf0
SHA256 2e38fc9fe4d22c07e3f759654775aa3d549ad403e1b5289d0e07b151b2fde89f
SHA512 84aa3d817cc566ed397c37577d94d692e3636bfaadac77e4ba20bcff031ad8f62b3d01a0f94271e0552325e8cf5408791c43aae02a82bf3a7e05db6b17366c56

memory/288-159-0x0000000000400000-0x0000000000415000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\is-FRQ43.tmp\TixeoOutlookPlugin.tmp

MD5 53267ddd5af9cadba53d9fc842430305
SHA1 cdc08fe9629cd54c047022921d56c8dae897adea
SHA256 36317779901eff781f19af2e538b712af6128ae3479ecc6c51d23063a94a4e93
SHA512 ca182900b7135663ce39235fb22bf4a1a6e284f0f87b6053e7305f0a3e43d447b38c8808f1a61df4d7eb69f858b9d488e540bc2f12a6b06d18743d036cd99fb9

C:\Users\Admin\AppData\Local\Tixeo Soft\Communication\Client\unins000.dat

MD5 28bc1157520b0771b22d7667ab73cc97
SHA1 2430447191c8ccdb1d892fbfbd337d4961e13447
SHA256 bc01eddec272f067c37016c25f8615d2404c3aca5a6fe163dad4499d3e53b7ab
SHA512 1f40c80240f42d8f1d3d9957724966060dee39a4d2963c076a362b419d7e8c0fc7a40a837be157b6720b0195913db0fc6eca295285dff8059be192ff95230112

C:\Users\Admin\AppData\Local\Tixeo Soft\Communication\Client\TixeoOutlookAddin.dll

MD5 06c21c84c98d10f08a45bb2cf7ea1660
SHA1 cfe491396f8caa2d2375d9564d47919ef4526c5c
SHA256 0e31c9925fafd5aeb4e4e0e992fcb895b3098afc1e77c25ac875d4365124c7c5
SHA512 e570557c2971627dbdad469ec6aa29490fb38255b872a564494f13d01a602e6419e91f367dbea47314f4056e765fd9225741dfcc43319af9d76ea9661ad34475

C:\Users\Admin\AppData\Local\Tixeo Soft\Communication\Client\TixeoOutlookAddin.ini

MD5 70da425f8aac14b1484047edb83e60e8
SHA1 69d09199af5a5ba4ed4e1d59432fec784d5271e4
SHA256 258d4ad31457b1c117b248b6ba0dd1c44ba6ad0a0839623ced45ce15ebbd0a7f
SHA512 a9cf352b79a8f38f03a781bf55a94e2c1344e1de55e9ea21e736ad436d7452f8349a64fec3b46e7ddc1d11f5fa3ecc80329b5b4e1da702680e9c2223e57943d2

memory/2868-191-0x0000000000400000-0x0000000000415000-memory.dmp

memory/2944-192-0x0000000000400000-0x00000000004BE000-memory.dmp

memory/288-193-0x0000000000400000-0x0000000000415000-memory.dmp

memory/644-194-0x0000000000400000-0x00000000004BE000-memory.dmp

memory/1920-195-0x0000000072DC0000-0x0000000073993000-memory.dmp

memory/2944-202-0x0000000000400000-0x00000000004BE000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-18 15:08

Reported

2024-06-18 15:11

Platform

win10v2004-20240508-en

Max time kernel

151s

Max time network

152s

Command Line

"C:\Users\Admin\AppData\Local\Temp\TixeoClientW3D_dzNkJTNBJTJGJTJGdGl4ZW9jbG91ZC5zZWMub3JhbmdlJTJGbWVldCUyRg_custom.exe"

Signatures

Adds Run key to start application

persistence
Description Indicator Process Target
Target is N/A for both rows; the value name is \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\W3DClient in both.
Set value (str)  W3DClient = "\"C:\\Users\\Admin\\AppData\\Local\\Tixeo Soft\\Communication\\Client\\W3DClient.exe\""  (process: C:\Users\Admin\AppData\Local\Temp\is-VQ4NG.tmp\TixeoClientW3D_dzNkJTNBJTJGJTJGdGl4ZW9jbG91ZC5zZWMub3JhbmdlJTJGbWVldCUyRg_custom.tmp)
Set value (str)  W3DClient = "\"C:\\Users\\Admin\\AppData\\Local\\Tixeo Soft\\Communication\\Client\\W3DClient.exe\" /StartHidden"  (process: C:\Users\Admin\AppData\Local\Tixeo Soft\Communication\Client\W3DClient.exe)
The installer writes the entry first; the installed client rewrites it with /StartHidden once it runs, so the second form is what a live host will show.

Checks installed software on the system

discovery

Enumerates physical storage devices

Modifies Internet Explorer settings

adware spyware
Description Indicator Process Target
All rows: Process C:\Users\Admin\AppData\Local\Temp\is-VQ4NG.tmp\TixeoClientW3D_dzNkJTNBJTJGJTJGdGl4ZW9jbG91ZC5zZWMub3JhbmdlJTJGbWVldCUyRg_custom.tmp, Target N/A. Keys are under \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Internet Explorer\Low Rights; that prefix is omitted below.
Key created      (Low Rights itself)
Key created      \ElevationPolicy
Key created      \ElevationPolicy\{AA9F442A-C8E1-11DC-8404-C59755D89593}  (recorded twice, once with the path spelled ...\Software\Microsoft\...)
Set value (str)  \ElevationPolicy\{AA9F442A-C8E1-11DC-8404-C59755D89593}\AppName = "W3DClient.exe"
Set value (str)  \ElevationPolicy\{AA9F442A-C8E1-11DC-8404-C59755D89593}\AppPath = "C:\\Users\\Admin\\AppData\\Local\\Tixeo Soft\\Communication\\Client"
Set value (int)  \ElevationPolicy\{AA9F442A-C8E1-11DC-8404-C59755D89593}\Policy = "3"

Modifies registry class

Description Indicator Process Target
Target is N/A for every row. Keys are under \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes, i.e. HKCU\Software\Classes; that prefix is omitted below.

Process: C:\Users\Admin\AppData\Local\Temp\is-VQ4NG.tmp\TixeoClientW3D_dzNkJTNBJTJGJTJGdGl4ZW9jbG91ZC5zZWMub3JhbmdlJTJGbWVldCUyRg_custom.tmp (registers the w3d: URL protocol)
Key created      \w3d
Set value (str)  \w3d\ = "URL:Tixeo Communication protocol"
Set value (str)  \w3d\URL Protocol
Key created      \w3d\shell
Key created      \w3d\shell\Open
Key created      \w3d\shell\Open\command
Set value (str)  \w3d\shell\Open\command\ = "C:\\Users\\Admin\\AppData\\Local\\Tixeo Soft\\Communication\\Client\\W3DClient.exe %1"

Process: C:\Users\Admin\AppData\Local\Tixeo Soft\Communication\Client\W3DClient.exe
Set value (str)  \Local Settings\Software\Microsoft\Windows\CurrentVersion\TrayNotify\PromotedIconCache = "{D150BBDA-898C-4A21-B22C-BDED425EA9F3},{7820NR83-23R3-4229-82P1-R41PO67Q5O9P},{7820NR82-23R3-4229-82P1-R41PO67Q5O9P},{7820NR81-23R3-4229-82P1-R41PO67Q5O9P},{7820NR75-23R3-4229-82P1-R41PO67Q5O9P},{7820NR74-23R3-4229-82P1-R41PO67Q5O9P},{7820NR73-23R3-4229-82P1-R41PO67Q5O9P}"
The six "NR" GUIDs are not corrupt: Windows stores TrayNotify entries ROT13-obscured, and {7820NR83-23R3-4229-82P1-R41PO67Q5O9P} decodes to {7820AE83-23E3-4229-82C1-E41CB67D5B9C}, with the others differing only in the last two digits of the first group. This row is notification-area housekeeping recorded while W3DClient.exe (the same process the FindShellTrayWindow and SetWindowsHookEx signatures point at) was running, not a persistence artifact.
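Across both runs the registry signatures boil down to a handful of mechanisms (Run key, IE Protected Mode elevation policy, URL protocol handler, per-user COM class, tray cache), and the useful triage step is to label each row by mechanism and attach the question an analyst must answer about it on the real host. The script below does that for rows in the report's own "Key created ..." / "Set value (type) ... = "..." <process> N/A" format and also ROT13-decodes the TrayNotify GUIDs. It is an added example serving the "Modifies registry class", "Adds Run key" and "Modifies Internet Explorer settings" tables of both behavioral1 and behavioral2; it is not the sandbox's signature logic. The sample rows are copied from those tables with the installer's long base64 name shortened to TixeoClientW3D_custom; the labels and notes are this example's own.

```python
import codecs
import re
from collections import Counter

# Sample rows copied from the registry tables in this report, trailing Target
# column ("N/A") included. The installer's long base64 name is shortened to
# TixeoClientW3D_custom; everything else is verbatim.
SAMPLE = r'''
Set value (str) \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Windows\CurrentVersion\Run\W3DClient = "\"C:\\Users\\Admin\\AppData\\Local\\Tixeo Soft\\Communication\\Client\\W3DClient.exe\"" C:\Users\Admin\AppData\Local\Temp\is-V8OUU.tmp\TixeoClientW3D_custom.tmp N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{AA9F442A-C8E1-11DC-8404-C59755D89593}\Policy = "3" C:\Users\Admin\AppData\Local\Temp\is-V8OUU.tmp\TixeoClientW3D_custom.tmp N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000_CLASSES\w3d\URL Protocol C:\Users\Admin\AppData\Local\Temp\is-V8OUU.tmp\TixeoClientW3D_custom.tmp N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000_CLASSES\w3d\shell\Open\command\ = "C:\\Users\\Admin\\AppData\\Local\\Tixeo Soft\\Communication\\Client\\W3DClient.exe %1" C:\Users\Admin\AppData\Local\Temp\is-V8OUU.tmp\TixeoClientW3D_custom.tmp N/A
Key created \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000_CLASSES\Wow6432Node\CLSID\{49A05F6A-AB62-41F8-87CB-63AFA90AFE28}\InprocServer32 C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000_CLASSES\Wow6432Node\CLSID\{49A05F6A-AB62-41F8-87CB-63AFA90AFE28}\InprocServer32\ = "C:\\Users\\Admin\\AppData\\Local\\TIXEOS~1\\COMMUN~1\\Client\\TIXEOO~2.DLL" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\TrayNotify\PromotedIconCache = "{D150BBDA-898C-4A21-B22C-BDED425EA9F3},{7820NR83-23R3-4229-82P1-R41PO67Q5O9P},{7820NR82-23R3-4229-82P1-R41PO67Q5O9P},{7820NR81-23R3-4229-82P1-R41PO67Q5O9P},{7820NR75-23R3-4229-82P1-R41PO67Q5O9P},{7820NR74-23R3-4229-82P1-R41PO67Q5O9P},{7820NR73-23R3-4229-82P1-R41PO67Q5O9P}" C:\Users\Admin\AppData\Local\Tixeo Soft\Communication\Client\W3DClient.exe N/A
'''

TARGET_SUFFIX = re.compile(r"\s+N/A$")
KEY_CREATED = re.compile(r"^Key created (?P<key>.+?) (?P<proc>[A-Za-z]:\\.+)$")
# The value is optional (the "URL Protocol" row has none) and may contain
# escaped quotes; the process column always starts with a drive letter, which
# is what anchors the split even when keys or paths contain spaces.
SET_VALUE = re.compile(r'^Set value \((?P<type>\w+)\) (?P<key>.+?)(?: = "(?P<value>.*)")? (?P<proc>[A-Za-z]:\\.+)$')
GUID = re.compile(r"^\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}$")

RULES = [  # (needle checked on the lower-cased key, label, analyst note); first match wins
    ("\\currentversion\\run", "autostart: HKCU Run key",
     "runs at every logon of this user; compare the command with the binary actually on disk"),
    ("\\low rights\\elevationpolicy", "IE Protected Mode elevation policy",
     "Policy=3 lets Protected Mode IE start the named app at medium integrity without prompting"),
    ("\\clsid\\{", "per-user COM class (HKCU\\Software\\Classes)",
     "look the CLSID up under HKLM: shadowing an existing machine CLSID is hijacking, a new CLSID is registration"),
    ("\\url protocol", "URL protocol declaration",
     "w3d: links handed to this user will be routed to the shell\\Open\\command handler"),
    ("\\shell\\open\\command", "URL protocol / shell open handler",
     "the whole URL arrives as %1; review how the handler parses it"),
    ("\\traynotify\\", "shell notification-area cache",
     "written when the app shows a tray icon; Windows stores the GUIDs ROT13-obscured"),
]


def classify(key):
    k = key.lower()
    for needle, label, note in RULES:
        if needle in k:
            return label, note
    return "other registry write", ""


def parse_row(line):
    """Turn one report row into a labelled record, or None for a blank line."""
    line = TARGET_SUFFIX.sub("", line.strip())
    if not line:
        return None
    if (m := KEY_CREATED.match(line)):
        op, vtype, value = "Key created", None, None
    elif (m := SET_VALUE.match(line)):
        op, vtype, value = "Set value", m.group("type"), m.group("value")
    else:
        raise ValueError(f"unrecognised row: {line!r}")
    label, note = classify(m.group("key"))
    return {"op": op, "type": vtype, "key": m.group("key"), "value": value,
            "process": m.group("proc"), "label": label, "note": note}


def triage(text):
    return [r for r in (parse_row(l) for l in text.splitlines()) if r]


def by_process(records):
    """How many of the rows each image wrote (by file name)."""
    return Counter(r["process"].rsplit("\\", 1)[-1] for r in records)


def decode_tray_guids(value):
    """(as written, decoded or None, was_rot13) for each GUID in a TrayNotify value."""
    out = []
    for item in value.split(","):
        if GUID.match(item):
            out.append((item, item, False))
            continue
        rot = codecs.decode(item, "rot13")
        ok = GUID.match(rot) is not None
        out.append((item, rot if ok else None, ok))
    return out


if __name__ == "__main__":
    for r in triage(SAMPLE):
        print(f"[{r['label']}] {r['op']} {r['key']}")
        if r["note"]:
            print(f"    -> {r['note']}")
        if "traynotify" in r["key"].lower():
            for raw, dec, was in decode_tray_guids(r["value"]):
                print(f"    {raw} -> {dec}{' (ROT13)' if was else ''}")
```

The labels make the triage list explicit: one Run value, one ElevationPolicy entry, one URL handler and one per-user CLSID to confirm on the host, and one tray-cache row to ignore.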

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Tixeo Soft\Communication\Client\W3DClient.exe N/A
Only the calling process is recorded; the hook type and scope, which decide whether this is input capture or ordinary UI plumbing, are not captured in this report.

Suspicious use of WriteProcessMemory

Description Indicator Process Target
Indicator and Target are N/A for every row; the count in parentheses is the number of identical rows the report contains.
PID 4592 wrote to memory of 4020 (3 rows): C:\Users\Admin\AppData\Local\Temp\TixeoClientW3D_dzNkJTNBJTJGJTJGdGl4ZW9jbG91ZC5zZWMub3JhbmdlJTJGbWVldCUyRg_custom.exe -> C:\Users\Admin\AppData\Local\Temp\is-VQ4NG.tmp\TixeoClientW3D_dzNkJTNBJTJGJTJGdGl4ZW9jbG91ZC5zZWMub3JhbmdlJTJGbWVldCUyRg_custom.tmp
PID 4020 wrote to memory of 2864 (3 rows): C:\Users\Admin\AppData\Local\Temp\is-VQ4NG.tmp\TixeoClientW3D_dzNkJTNBJTJGJTJGdGl4ZW9jbG91ZC5zZWMub3JhbmdlJTJGbWVldCUyRg_custom.tmp -> C:\Users\Admin\AppData\Local\Temp\is-EH9J7.tmp\TixeoOutlookPlugin.exe
PID 2864 wrote to memory of 1556 (3 rows): C:\Users\Admin\AppData\Local\Temp\is-EH9J7.tmp\TixeoOutlookPlugin.exe -> C:\Users\Admin\AppData\Local\Temp\is-AOOBA.tmp\TixeoOutlookPlugin.tmp
PID 4020 wrote to memory of 3180 (2 rows): C:\Users\Admin\AppData\Local\Temp\is-VQ4NG.tmp\TixeoClientW3D_dzNkJTNBJTJGJTJGdGl4ZW9jbG91ZC5zZWMub3JhbmdlJTJGbWVldCUyRg_custom.tmp -> C:\Users\Admin\AppData\Local\Tixeo Soft\Communication\Client\W3DClient.exe
As in behavioral1, each target is a child the writer launches (the .tmp installer starts both the plugin installer and, at the end, the installed W3DClient.exe); no regsvr32.exe launch is recorded in this run.

Processes

C:\Users\Admin\AppData\Local\Temp\TixeoClientW3D_dzNkJTNBJTJGJTJGdGl4ZW9jbG91ZC5zZWMub3JhbmdlJTJGbWVldCUyRg_custom.exe

"C:\Users\Admin\AppData\Local\Temp\TixeoClientW3D_dzNkJTNBJTJGJTJGdGl4ZW9jbG91ZC5zZWMub3JhbmdlJTJGbWVldCUyRg_custom.exe"

C:\Users\Admin\AppData\Local\Temp\is-VQ4NG.tmp\TixeoClientW3D_dzNkJTNBJTJGJTJGdGl4ZW9jbG91ZC5zZWMub3JhbmdlJTJGbWVldCUyRg_custom.tmp

"C:\Users\Admin\AppData\Local\Temp\is-VQ4NG.tmp\TixeoClientW3D_dzNkJTNBJTJGJTJGdGl4ZW9jbG91ZC5zZWMub3JhbmdlJTJGbWVldCUyRg_custom.tmp" /SL5="$120070,84175752,57856,C:\Users\Admin\AppData\Local\Temp\TixeoClientW3D_dzNkJTNBJTJGJTJGdGl4ZW9jbG91ZC5zZWMub3JhbmdlJTJGbWVldCUyRg_custom.exe"

C:\Users\Admin\AppData\Local\Temp\is-EH9J7.tmp\TixeoOutlookPlugin.exe

"C:\Users\Admin\AppData\Local\Temp\is-EH9J7.tmp\TixeoOutlookPlugin.exe" /VERYSILENT /NORESTART /SUPPRESSMSGBOXES /LOG="C:\Users\Admin\AppData\Local\Tixeo Soft\Communication\Client\TixeoOutlookPlugin.log"

C:\Users\Admin\AppData\Local\Temp\is-AOOBA.tmp\TixeoOutlookPlugin.tmp

"C:\Users\Admin\AppData\Local\Temp\is-AOOBA.tmp\TixeoOutlookPlugin.tmp" /SL5="$B005A,7983214,57856,C:\Users\Admin\AppData\Local\Temp\is-EH9J7.tmp\TixeoOutlookPlugin.exe" /VERYSILENT /NORESTART /SUPPRESSMSGBOXES /LOG="C:\Users\Admin\AppData\Local\Tixeo Soft\Communication\Client\TixeoOutlookPlugin.log"

C:\Users\Admin\AppData\Local\Tixeo Soft\Communication\Client\W3DClient.exe

"C:\Users\Admin\AppData\Local\Tixeo Soft\Communication\Client\W3DClient.exe" w3d%3A%2F%2Ftixeocloud.sec.orange%2Fmeet%2F

Network

Files

memory/4592-0-0x0000000000400000-0x0000000000415000-memory.dmp

memory/4592-2-0x0000000000401000-0x000000000040C000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\is-VQ4NG.tmp\TixeoClientW3D_dzNkJTNBJTJGJTJGdGl4ZW9jbG91ZC5zZWMub3JhbmdlJTJGbWVldCUyRg_custom.tmp

MD5 c570d17bf317dfaa28d6107e30a5c33a
SHA1 b965d8ea6a247c93bec868860e5e49d51f3aa41a
SHA256 531b0231439389ed1ea9dc8ea307b355a9adf04c73b899bd5f7685ee75c7aa92
SHA512 88e234ecfe54b5d5241bf9ad440298db5c85994fcb68021f3e8684be6db0b6ee848299e2c92ba0eefe4306eb6318e13034344f1de8153a0b56a9b50577e66b20

memory/4020-6-0x0000000000400000-0x00000000004BE000-memory.dmp

C:\Users\Admin\AppData\Local\Tixeo Soft\Communication\Client\W3DClient.exe

MD5 309fdd8e3e467bd507d0b0047d095046
SHA1 3429b3f7dd3e5bf3d8f5ef9e3486f6a3d54240f6
SHA256 bfc2a6195ecfc6dfb5f8f7626e3ae4f0199a292032fbf083714c7e039f4d404b
SHA512 59c71d95638364ac7fb80c7da98c165e4df137022ad8743454e979d9b19d91fa1d00b25eae53adf7e33b3f97c567f0c1918403e162d8157006011d1b50581798

C:\Users\Admin\AppData\Local\Temp\is-EH9J7.tmp\TixeoOutlookPlugin.exe

MD5 9851bec28a2fe7c81888c11562c420f1
SHA1 64ae84d1fc0a4bad2a255d7fb9f93027deb9adf0
SHA256 2e38fc9fe4d22c07e3f759654775aa3d549ad403e1b5289d0e07b151b2fde89f
SHA512 84aa3d817cc566ed397c37577d94d692e3636bfaadac77e4ba20bcff031ad8f62b3d01a0f94271e0552325e8cf5408791c43aae02a82bf3a7e05db6b17366c56

memory/2864-156-0x0000000000400000-0x0000000000415000-memory.dmp

memory/2864-153-0x0000000000400000-0x0000000000415000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\is-AOOBA.tmp\TixeoOutlookPlugin.tmp

MD5 53267ddd5af9cadba53d9fc842430305
SHA1 cdc08fe9629cd54c047022921d56c8dae897adea
SHA256 36317779901eff781f19af2e538b712af6128ae3479ecc6c51d23063a94a4e93
SHA512 ca182900b7135663ce39235fb22bf4a1a6e284f0f87b6053e7305f0a3e43d447b38c8808f1a61df4d7eb69f858b9d488e540bc2f12a6b06d18743d036cd99fb9

memory/1556-163-0x0000000000400000-0x00000000004BE000-memory.dmp

memory/1556-165-0x0000000000400000-0x00000000004BE000-memory.dmp

memory/2864-168-0x0000000000400000-0x0000000000415000-memory.dmp

C:\Users\Admin\AppData\Local\Tixeo Soft\Communication\Client\tixeo_quic.x64.dll

MD5 a4a1e90fe200c9d615d26784e3b71c41
SHA1 d942e9c7186f350ebb460a0d75b5bb96ffbc31b9
SHA256 3b4d909c511e5e06df0d802332d6088470d39e8c46325655453660e4a70cc0c9
SHA512 12a3e5e2ffd5b9a259caa2c8462b639f6223eb9db853bb3f7bd0e0217f9ff938b81560f054ea2e3245a4da89a7f9275d84aa0b24f5396e5cabc59105edbf4422

C:\Users\Admin\AppData\Local\Tixeo Soft\Communication\Client\VCRUNTIME140.dll

MD5 297ed3dc0a70d18831c404207f0bbeec
SHA1 7bb96f36fbb4a45a4b0ac3d6006f2a7c3ed7586a
SHA256 3129efefe22c6b1ca3975b5f336a66c6595ca01d2aac024d16456cb3a855af28
SHA512 196dd8262eaf81ea637a278b94f9a173798a7ee5e96b6adcb95733080134be99f1d9ee81911af585a708e18418ffbf6c89e8d6b77313f6776b19241f1b3a5d7f

C:\Users\Admin\AppData\Local\Tixeo Soft\Communication\Client\VCRUNTIME140_1.dll

MD5 cd01126ceef33fc1ccaf080eb2456b0a
SHA1 9315febfd7253d348628c8a5ad61cddf1b758d8b
SHA256 fc05184048aa5a21541a7156ad2b3b0d636f7276a5085d64cca34d6df2fc6fce
SHA512 ddeeb996fc0febd9b247789b14bf652580398f2abe2eace9db5b638763e88c05715e57e6d90110ef2dbcdb0d3d824647acd487a222be965edaf5b011c219796d

memory/4020-181-0x0000000000400000-0x00000000004BE000-memory.dmp

C:\Users\Admin\AppData\Local\Tixeo Soft\Communication\Client\WebView2Loader_x64.dll

MD5 17a22b6d75259d43a66bb876f17b29ee
SHA1 fa0ab5df1a100d2395d5bc18cbb0e2a10b6823af
SHA256 b8eed761e68d1d28c5c7621b4ac31bdc4ab2edb2395b84bf7b03c9e7b35c0908
SHA512 5b9d1220fe6cf4497e046136c0491c64bf978caac8ae42a29dd1b0b3e47138039eac813601ccd569f9847c2b6c8f3e24dd6a2b68a9fb488277c3c9f4e082864d

memory/4592-184-0x0000000000400000-0x0000000000415000-memory.dmp

C:\Users\Admin\AppData\Local\Tixeo Soft\Communication\Client\sk4d.dll

MD5 9cc8f7e6b2760a85341dfe7b68e7685a
SHA1 23417d72e84cca2e73a1c2ae6f55f514d0481db7
SHA256 0ff39c2b830ee8aa185b3e65ea54adb40781219455f2c375d68b80407ed8e7d2
SHA512 502ac71f1e4e6f5148db634f94a4c2dada5b99a0558b12b2c1af06ad68113dfe8b1eb8021529b35158f0e7777229a8f8863abf81b9de09b14124649588b07193

C:\Users\Admin\AppData\Local\Tixeo Soft\Communication\Client\TixVoiceEngine64.dll

MD5 059fa1187ff9eed92b5e69c127da5460
SHA1 189456807b6d6c8a9fcea974235ba217890c5a66
SHA256 14d5d785e4bb572f944529b4a7041897670a929669d86d2175cf371c88339072
SHA512 fcc94c2c31bd9e81ef8ec392677751a8a31581749e01f4891c18cb96e68566586d60ffcfec8a2f2a8d9e377ebf4a415cdb6bc652950a5b4b717e993c8d8b87bd

C:\Users\Admin\AppData\Local\tixeoclient\config.ini

MD5 0ac1d5f17cf8576e1bd1c59431d37526
SHA1 5a14550518db0d44ac8e74159df250571a2ce64f
SHA256 37274b024e77fc60a18239b3a2c57086f7292ad8b83acff8f46b5f18e0ff4bfa
SHA512 738c20a8db12c76d34ec909878a969e028569008cbcdcc8531e130e693c111d5110f5ca7e6c4d9b0bb9ac8c85718f904a168d95d1deb8b480c4fe5e3008df14b

C:\Users\Admin\AppData\Local\Tixeo Soft\Communication\Client\libssl-3-x64.dll

MD5 4b18d47218662e4cd80318d2b7ed8d74
SHA1 25e7825b5d66069ef40f7164d1e53c5e16e96efb
SHA256 48fb7e228ecaa8cee0589360fa2e9d7fd0109e99096df333cf212fcc681853c1
SHA512 6c309a03c987d8dfc356760ef320071848fde54926f35f440ddc434b43f03da8c1e8002d3821e4ae9ecf0d0f7636d67d95287fccbf38a5e98ccd64e54a4085a7

C:\Users\Admin\AppData\Local\Tixeo Soft\Communication\Client\TixVideoCapture64.dll

MD5 5cd4a9fda43b696e906d45a49932de6c
SHA1 ead765c10c6ada15366fca80bd812096b6c70f3f
SHA256 1408ae76d5851596db247f5ba48270eba8719fc8945c76523dd99c2007402143
SHA512 f2ef3e7844b072a553ef828098f7422d9e73acc9425be84d04bae1550df22fa6ce80fc24061b739222899fa85d9d056600ce4be7c6031c5597b7fc45121cb861

C:\Users\Admin\AppData\Local\Tixeo Soft\Communication\Client\libcrypto-3-x64.dll

MD5 60226f4d749f39412f4c6a31a80f9312
SHA1 fa337d0cb02f1797c7bb8d069a1b06629cdfc7f9
SHA256 80bdb06d9670d5ab1bef3db438c77ced55ff6f659cb6599b82ca7c18b0960dd7
SHA512 0d73dbfbdb7d4c932471cc32d30f41d309eb2e6b8737a3a2059ec62eab4138a79f3ecc85fcdd672e0fbfd805cf17e30fa90c27ce254018b4e4ef054f9e392da6

C:\Users\Admin\AppData\Local\Tixeo Soft\Communication\Client\Res\FMXStyle\Tixeo.style

MD5 f566675c424ef5c970db95bdc1122544
SHA1 023d850f042237aa5e0e52f54ceb6394854d51ba
SHA256 add992778228969e6a5e6cb0d37e900ef4b687a3dd711d1ad329272a9c4f9acb
SHA512 98846c90bc2ce5af9d50e4571bcd41233cca225beda63aa7fdbbc6c642ff50cf71584a0d645baaa5e8849377de551950f40ca797b4b43aa360d2f2841ac93644

C:\Users\Admin\AppData\Local\Tixeo Soft\Communication\Client\Res\logo_connection.png

MD5 a301240dd556b69dbe96a3548f1549d9
SHA1 8c14c8cff1318718d15f4499a4266b0576c0f739
SHA256 0be2fc885c46a87989f3983bdfa4818ca1c9572585f024ef683dd5f4fd9d9f20
SHA512 22e8140145c1ec7e5260649ffbc6beff66585787881cc00c32cd27032c18d6b186a77d31798413b13d54f1ae32be1062c6755d93fce56ca1ff81af1c46dcefb8

C:\Users\Admin\AppData\Local\Tixeo Soft\Communication\Client\Res\logo.png

MD5 2969fe9eb4c6849f5b82f6e1341064b2
SHA1 941020826c9812987a037e963eec8f903358f508
SHA256 815bb4dbd19256de95f2ea72409bccecda3b66608a5df4f7c341b950a002c8cd
SHA512 9ff36b49cd594ae4020e31a2784942d26accdd073c968be72a862a4b70961a466d0cd37d2a6cd200c0bbb7d42730bca967adbdba74289d4425cb769561b9a31d

C:\Users\Admin\AppData\Local\Tixeo Soft\Communication\Client\Res\W3DClient.ico

MD5 b1ac0ba9a872c5c8d3cd98da8cf2610c
SHA1 ebca489f77d10f19646f09b272ff4b8f5c0250b0
SHA256 e1baaedd65026ba814c3d1130ac1822f5b0401ec1087eb9806d6eaeb9d065227
SHA512 f1a0c465f28fe0dc1da40008578afb133dee8307e69da6e77f3ec2cb0c53a7d1a2ef94fd44bac5f045e4ee7d4dbaa6d1657fb53b56e168b1452e079faaf8ce15

memory/3180-204-0x00000000002A0000-0x00000000028C2000-memory.dmp

memory/3180-205-0x00000000002A0000-0x00000000028C2000-memory.dmp

memory/3180-206-0x00000000002A0000-0x00000000028C2000-memory.dmp

memory/3180-207-0x00000000002A0000-0x00000000028C2000-memory.dmp

memory/3180-208-0x00000000002A0000-0x00000000028C2000-memory.dmp

memory/3180-210-0x00000000002A0000-0x00000000028C2000-memory.dmp

memory/3180-212-0x00000000002A0000-0x00000000028C2000-memory.dmp

memory/3180-216-0x00000000002A0000-0x00000000028C2000-memory.dmp

memory/3180-217-0x00000000002A0000-0x00000000028C2000-memory.dmp
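The listing above is the raw dropped-file inventory from the sandbox: a path, its MD5/SHA1/SHA256/SHA512 digests, and interleaved `memory/<pid>-<seq>-<start>-<end>-memory.dmp` entries. As an added example (not part of this report, and not Tixeo's or the sandbox's own code), the following Python parses that format into records, checks that every digest has the hex length its algorithm implies, collapses the repeated dumps of one region per PID, and flags two things worth resolving before these hashes become indicators: the `is-XXXXX.tmp` directories, which are the pattern Inno Setup installers use when unpacking their setup stub into %TEMP%, and redistributable DLLs (VCRUNTIME140, OpenSSL 3, WebView2Loader) that many legitimate installers drop and should be matched against vendor-published hashes first. The redistributable list is my own heuristic, not something the report states; `hashes_of` computes the same four digests for a local file so a record can be matched against it. The embedded sample is a constructed excerpt of three entries from this listing.

```python
"""Parse a sandbox 'Files' listing (path, then MD5/SHA1/SHA256/SHA512 lines, plus
memory/<pid>-<seq>-0x<start>-0x<end>-memory.dmp entries) and sanity-check it."""
import hashlib
import re
from collections import defaultdict, namedtuple
from dataclasses import dataclass, field

HASH_LENGTHS = {"MD5": 32, "SHA1": 40, "SHA256": 64, "SHA512": 128}
HASH_RE = re.compile(r"^(MD5|SHA1|SHA256|SHA512)\s+([0-9a-fA-F]+)$")
MEMDUMP_RE = re.compile(r"^memory/(\d+)-(\d+)-0x([0-9a-fA-F]+)-0x([0-9a-fA-F]+)-memory\.dmp$")
# Inno Setup unpacks its setup stub into %TEMP%\is-XXXXX.tmp\ (five alphanumerics).
INNO_TMP_RE = re.compile(r"\\is-[a-z0-9]{5}\.tmp\\", re.IGNORECASE)
# Redistributables many legitimate installers drop (my own heuristic list, not from the
# report): verify them against vendor-published hashes before treating them as IOCs.
RUNTIME_DLLS = {"vcruntime140.dll", "vcruntime140_1.dll", "libssl-3-x64.dll",
                "libcrypto-3-x64.dll", "webview2loader_x64.dll"}
MemoryDump = namedtuple("MemoryDump", "pid seq start end")


@dataclass
class DroppedFile:
    path: str
    hashes: dict = field(default_factory=dict)

    @property
    def name(self) -> str:
        return self.path.rsplit("\\", 1)[-1]

    @property
    def is_inno_stub(self) -> bool:
        return INNO_TMP_RE.search(self.path) is not None

    @property
    def is_runtime_dll(self) -> bool:
        return self.name.lower() in RUNTIME_DLLS

    def problems(self) -> list:
        """Digests that are missing (length 0) or whose hex length does not fit the algorithm."""
        return [f"{alg} has {len(self.hashes.get(alg, ''))} hex digits, expected {want}"
                for alg, want in HASH_LENGTHS.items() if len(self.hashes.get(alg, "")) != want]


def parse_files_section(text):
    """Return (dropped files, memory dumps); hash lines attach to the preceding path."""
    files, dumps, current = [], [], None
    for line in (l.strip() for l in text.splitlines()):
        if not line:
            continue
        if m := MEMDUMP_RE.match(line):
            dumps.append(MemoryDump(int(m[1]), int(m[2]), int(m[3], 16), int(m[4], 16)))
            current = None
        elif (m := HASH_RE.match(line)) and current is not None:
            current.hashes[m[1]] = m[2].lower()
        else:
            current = DroppedFile(line)
            files.append(current)
    return files, dumps


def unique_regions(dumps):
    """Collapse repeated dumps of one region: {pid: {(start, end), ...}}."""
    regions = defaultdict(set)
    for d in dumps:
        regions[d.pid].add((d.start, d.end))
    return dict(regions)


def hashes_of(path: str) -> dict:
    """All four digests of a local file, keyed like the listing, to match against a record."""
    with open(path, "rb") as fh:
        data = fh.read()
    return {alg: hashlib.new(alg.lower(), data).hexdigest() for alg in HASH_LENGTHS}


# Constructed sample: three entries copied from this report's listing.
SAMPLE = r"""
C:\Users\Admin\AppData\Local\Tixeo Soft\Communication\Client\VCRUNTIME140.dll

MD5 297ed3dc0a70d18831c404207f0bbeec
SHA1 7bb96f36fbb4a45a4b0ac3d6006f2a7c3ed7586a
SHA256 3129efefe22c6b1ca3975b5f336a66c6595ca01d2aac024d16456cb3a855af28
SHA512 196dd8262eaf81ea637a278b94f9a173798a7ee5e96b6adcb95733080134be99f1d9ee81911af585a708e18418ffbf6c89e8d6b77313f6776b19241f1b3a5d7f

C:\Users\Admin\AppData\Local\Temp\is-EH9J7.tmp\TixeoOutlookPlugin.exe

MD5 9851bec28a2fe7c81888c11562c420f1
SHA1 64ae84d1fc0a4bad2a255d7fb9f93027deb9adf0
SHA256 2e38fc9fe4d22c07e3f759654775aa3d549ad403e1b5289d0e07b151b2fde89f
SHA512 84aa3d817cc566ed397c37577d94d692e3636bfaadac77e4ba20bcff031ad8f62b3d01a0f94271e0552325e8cf5408791c43aae02a82bf3a7e05db6b17366c56

memory/2864-156-0x0000000000400000-0x0000000000415000-memory.dmp
memory/3180-204-0x00000000002A0000-0x00000000028C2000-memory.dmp
memory/3180-205-0x00000000002A0000-0x00000000028C2000-memory.dmp
"""

if __name__ == "__main__":
    files, dumps = parse_files_section(SAMPLE)
    for f in files:
        print(f.name, f.hashes["SHA256"], "inno-stub" if f.is_inno_stub else "",
              "runtime-dll" if f.is_runtime_dll else "", f.problems() or "ok")
    for pid, regions in unique_regions(dumps).items():
        print(pid, [f"0x{s:x}-0x{e:x} ({e - s} bytes)" for s, e in sorted(regions)])
```

Run stand-alone it prints the classification of the embedded sample; in practice paste the whole Files section in. Records flagged `runtime-dll` that match vendor-published digests carry no sample-specific signal and can be dropped from the indicator set, leaving the vendor-specific binaries and the installer stubs as the hashes worth tracking. The repeated `memory/3180-...` entries collapse to a single region, so the nine dumps of PID 3180 do not mean nine distinct injected regions.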