Windows Analysis Report
FileOpenInstaller.exe

Overview

General Information

Sample Name: FileOpenInstaller.exe
Analysis ID: 800687
MD5: 599ebd4af31288db879786f49bf9487d
SHA1: ee40630abcb1fe05051c3f832c72c2ee99722c35
SHA256: f469734bc576a00e113bc43b1b1a13de3c74f5370c5b9db8b9289bd9cf8aac31

Detection

Score: 17
Range: 0 - 100
Whitelisted: false
Confidence: 60%

Signatures

Obfuscated command line found
Uses 32bit PE files
Sample file is different than original file name gathered from version info
Drops PE files
PE file contains sections with non-standard names
Allocates memory within range which is reserved for system DLLs (kernel32.dll, advapi32.dll, etc)
PE file contains executable resources (Code or Archives)
Creates a process in suspended mode (likely to inject code)

Classification

Source: FileOpenInstaller.exe Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, BYTES_REVERSED_LO, 32BIT_MACHINE, BYTES_REVERSED_HI
Source: C:\Users\user\AppData\Local\Temp\is-IK3FC.tmp\FileOpenInstaller.tmp File created: C:\Users\user\AppData\Local\Temp\Setup Log 2023-02-07 #001.txt
Source: FileOpenInstaller.exe Static PE information: certificate valid
Source: FileOpenInstaller.exe Static PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Source: C:\Users\user\Desktop\FileOpenInstaller.exe File opened: C:\Users\user\AppData\Local\Temp\
Source: C:\Users\user\Desktop\FileOpenInstaller.exe File opened: C:\Users\user\AppData\
Source: C:\Users\user\Desktop\FileOpenInstaller.exe File opened: C:\Users\user\AppData\Local\
Source: C:\Users\user\Desktop\FileOpenInstaller.exe File opened: C:\Users\user\AppData\Local\Temp\is-IK3FC.tmp\
Source: C:\Users\user\Desktop\FileOpenInstaller.exe File opened: C:\Users\user\AppData\Local\Temp\is-IK3FC.tmp\FileOpenInstaller.tmp
Source: C:\Users\user\Desktop\FileOpenInstaller.exe File opened: C:\Users\user\
Source: FileOpenInstaller.exe, FileOpenInstaller.tmp.1.dr String found in binary or memory: http://cacerts.digicert.com/DigiCertEVCodeSigningCA-SHA2.crt0
Source: FileOpenInstaller.exe, FileOpenInstaller.tmp.1.dr String found in binary or memory: http://cacerts.digicert.com/DigiCertHighAssuranceEVRootCA.crt0
Source: FileOpenInstaller.exe, FileOpenInstaller.tmp.1.dr String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crt0
Source: FileOpenInstaller.exe, FileOpenInstaller.tmp.1.dr String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedRootG4.crt0C
Source: FileOpenInstaller.exe, FileOpenInstaller.tmp.1.dr String found in binary or memory: http://crl3.digicert.com/DigiCertHighAssuranceEVRootCA.crl0
Source: FileOpenInstaller.exe, FileOpenInstaller.tmp.1.dr String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crl0
Source: FileOpenInstaller.exe, FileOpenInstaller.tmp.1.dr String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedRootG4.crl0
Source: FileOpenInstaller.exe, FileOpenInstaller.tmp.1.dr String found in binary or memory: http://crl3.digicert.com/EVCodeSigningSHA2-g1.crl07
Source: FileOpenInstaller.exe, FileOpenInstaller.tmp.1.dr String found in binary or memory: http://crl4.digicert.com/DigiCertHighAssuranceEVRootCA.crl0
Source: FileOpenInstaller.exe, FileOpenInstaller.tmp.1.dr String found in binary or memory: http://crl4.digicert.com/EVCodeSigningSHA2-g1.crl0J
Source: FileOpenInstaller.exe, FileOpenInstaller.tmp.1.dr String found in binary or memory: http://ocsp.digicert.com0A
Source: FileOpenInstaller.exe, FileOpenInstaller.tmp.1.dr String found in binary or memory: http://ocsp.digicert.com0H
Source: FileOpenInstaller.exe, FileOpenInstaller.tmp.1.dr String found in binary or memory: http://ocsp.digicert.com0I
Source: FileOpenInstaller.exe, FileOpenInstaller.tmp.1.dr String found in binary or memory: http://ocsp.digicert.com0X
Source: FileOpenInstaller.exe, FileOpenInstaller.tmp.1.dr String found in binary or memory: http://www.digicert.com/CPS0
Source: FileOpenInstaller.exe, FileOpenInstaller.tmp.1.dr String found in binary or memory: http://www.digicert.com/ssl-cps-repository.htm0
Source: FileOpenInstaller.exe, FileOpenInstaller.tmp.1.dr String found in binary or memory: http://www.fileopen.com/0
Source: FileOpenInstaller.exe, 00000001.00000003.917681244.000000000062A000.00000004.00001000.00020000.00000000.sdmp, FileOpenInstaller.tmp, 00000002.00000003.916780670.000000000099D000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: http://www.fileopen.com/request-tech-support/
Source: FileOpenInstaller.exe, 00000001.00000003.917681244.000000000062A000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: http://www.fileopen.com/request-tech-support/Q
Source: FileOpenInstaller.exe, 00000001.00000003.905803433.00000000022D0000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: http://www.fileopen.com/request-tech-support/Zhttp://www.fileopen.com/request-tech-support/
Source: FileOpenInstaller.tmp, 00000002.00000003.916780670.000000000099D000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: http://www.fileopen.com/request-tech-support/q
Source: FileOpenInstaller.exe, 00000001.00000003.907181765.0000000002410000.00000004.00001000.00020000.00000000.sdmp, FileOpenInstaller.exe, 00000001.00000003.907784834.000000007ECB0000.00000004.00001000.00020000.00000000.sdmp, FileOpenInstaller.tmp, 00000002.00000000.909042225.0000000000401000.00000020.00000001.01000000.00000004.sdmp, FileOpenInstaller.tmp.1.dr String found in binary or memory: http://www.innosetup.com/
Source: FileOpenInstaller.exe, 00000001.00000003.907181765.0000000002410000.00000004.00001000.00020000.00000000.sdmp, FileOpenInstaller.exe, 00000001.00000003.907784834.000000007ECB0000.00000004.00001000.00020000.00000000.sdmp, FileOpenInstaller.tmp, 00000002.00000000.909042225.0000000000401000.00000020.00000001.01000000.00000004.sdmp, FileOpenInstaller.tmp.1.dr String found in binary or memory: http://www.remobjects.com/ps
Source: FileOpenInstaller.exe String found in binary or memory: https://jrsoftware.org/ishelp/index.php?topic=setupcmdlineSetupU
Source: FileOpenInstaller.exe, 00000001.00000003.907784834.000000007EF91000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: OriginalFileName vs FileOpenInstaller.exe
Source: FileOpenInstaller.exe, 00000001.00000002.918219897.00000000006E4000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFileName vs FileOpenInstaller.exe
Source: FileOpenInstaller.exe, 00000001.00000003.907181765.00000000024F5000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: OriginalFileName vs FileOpenInstaller.exe
Source: FileOpenInstaller.exe, 00000001.00000000.905438476.0000000000541000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: OriginalFileName vs FileOpenInstaller.exe
Source: FileOpenInstaller.exe Binary or memory string: OriginalFileName vs FileOpenInstaller.exe
Source: C:\Users\user\Desktop\FileOpenInstaller.exe Memory allocated: 77620000 page execute and read and write
Source: C:\Users\user\Desktop\FileOpenInstaller.exe Memory allocated: 77740000 page execute and read and write
Source: C:\Users\user\AppData\Local\Temp\is-IK3FC.tmp\FileOpenInstaller.tmp Memory allocated: 77620000 page execute and read and write
Source: C:\Users\user\AppData\Local\Temp\is-IK3FC.tmp\FileOpenInstaller.tmp Memory allocated: 77740000 page execute and read and write
Source: FileOpenInstaller.tmp.1.dr Static PE information: Resource name: RT_RCDATA type: PE32+ executable (console) x86-64, for MS Windows
Source: C:\Users\user\Desktop\FileOpenInstaller.exe File read: C:\Users\user\Desktop\FileOpenInstaller.exe
Source: C:\Users\user\Desktop\FileOpenInstaller.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Users\user\Desktop\FileOpenInstaller.exe Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\Users\user\AppData\Local\Temp\is-IK3FC.tmp\FileOpenInstaller.tmp Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: unknown Process created: C:\Users\user\Desktop\FileOpenInstaller.exe C:\Users\user\Desktop\FileOpenInstaller.exe
Source: C:\Users\user\Desktop\FileOpenInstaller.exe Process created: C:\Users\user\AppData\Local\Temp\is-IK3FC.tmp\FileOpenInstaller.tmp "C:\Users\user\AppData\Local\Temp\is-IK3FC.tmp\FileOpenInstaller.tmp" /SL5="$202B6,6054369,1320960,C:\Users\user\Desktop\FileOpenInstaller.exe"
Source: C:\Users\user\Desktop\FileOpenInstaller.exe File created: C:\Users\user\AppData\Local\Temp\is-IK3FC.tmp
Source: FileOpenInstaller.exe String found in binary or memory: /LOADINF="filename"
Source: classification engine Classification label: clean17.winEXE@3/2@0/0
Source: Window Recorder Window detected: More than 3 window changes detected
Source: FileOpenInstaller.exe Static file information: File size 6831336 > 1048576

Data Obfuscation

Source: FileOpenInstaller.exe Static PE information: section name: .didata
Source: FileOpenInstaller.tmp.1.dr Static PE information: section name: .didata
Source: C:\Users\user\Desktop\FileOpenInstaller.exe File created: C:\Users\user\AppData\Local\Temp\is-IK3FC.tmp\FileOpenInstaller.tmp
Source: C:\Users\user\AppData\Local\Temp\is-IK3FC.tmp\FileOpenInstaller.tmp File created: C:\Users\user\AppData\Local\Temp\Setup Log 2023-02-07 #001.txt
Source: C:\Users\user\Desktop\FileOpenInstaller.exe Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\FileOpenInstaller.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\is-IK3FC.tmp\FileOpenInstaller.tmp Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
No contacted IP infos