Windows Analysis Report
FileOpenInstaller.exe

Overview

General Information

Sample Name: FileOpenInstaller.exe
Analysis ID: 800687
MD5: 599ebd4af31288db879786f49bf9487d
SHA1: ee40630abcb1fe05051c3f832c72c2ee99722c35
SHA256: f469734bc576a00e113bc43b1b1a13de3c74f5370c5b9db8b9289bd9cf8aac31

Detection

Score: 26
Range: 0 - 100
Whitelisted: false
Confidence: 20%

Signatures

Query firmware table information (likely to detect VMs)
Changes security center settings (notifications, updates, antivirus, firewall)
Obfuscated command line found
Uses 32bit PE files
Queries the volume information (name, serial number etc) of a device
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to query locales information (e.g. system language)
May sleep (evasive loops) to hinder dynamic analysis
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
PE file contains sections with non-standard names
Detected potential crypto function
Contains functionality to query CPU information (cpuid)
Found potential string decryption / allocating functions
Sample execution stops while process was sleeping (likely an evasion)
JA3 SSL client fingerprint seen in connection with other malware
Contains functionality to call native functions
Contains functionality to communicate with device drivers
Contains functionality to dynamically determine API calls
Found dropped PE file which has not been started or loaded
Contains functionality which may be used to detect a debugger (GetProcessHeap)
PE file contains executable resources (Code or Archives)
AV process strings found (often used to terminate AV products)
Sample file is different than original file name gathered from version info
PE file contains strange resources
Drops PE files
Tries to load missing DLLs
Found evasive API chain checking for process token information
Queries disk information (often used to detect virtual machines)
Found large amount of non-executed APIs
Contains functionality to delete services
Contains functionality to query network adapter information

Classification

Source: FileOpenInstaller.exe Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, BYTES_REVERSED_LO, 32BIT_MACHINE, BYTES_REVERSED_HI
Source: C:\Users\user\AppData\Local\Temp\is-0FUR6.tmp\FileOpenInstaller.tmp Registry value created: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\FileOpenClient_is1
Source: unknown HTTPS traffic detected: 72.3.136.136:443 -> 192.168.2.6:49736 version: TLS 1.2
Source: unknown HTTPS traffic detected: 72.3.136.132:443 -> 192.168.2.6:49737 version: TLS 1.2
Source: C:\Users\user\AppData\Local\Temp\is-0FUR6.tmp\FileOpenInstaller.tmp Directory created: C:\Program Files\FileOpen
Source: C:\Users\user\AppData\Local\Temp\is-0FUR6.tmp\FileOpenInstaller.tmp Directory created: C:\Program Files\FileOpen\unins000.dat
Source: C:\Users\user\AppData\Local\Temp\is-0FUR6.tmp\FileOpenInstaller.tmp Directory created: C:\Program Files\FileOpen\is-BU7MM.tmp
Source: C:\Users\user\AppData\Local\Temp\is-0FUR6.tmp\FileOpenInstaller.tmp Directory created: C:\Program Files\FileOpen\is-LL3TI.tmp
Source: C:\Users\user\AppData\Local\Temp\is-0FUR6.tmp\FileOpenInstaller.tmp Directory created: C:\Program Files\FileOpen\examples
Source: C:\Users\user\AppData\Local\Temp\is-0FUR6.tmp\FileOpenInstaller.tmp Directory created: C:\Program Files\FileOpen\examples\is-SJIP9.tmp
Source: C:\Users\user\AppData\Local\Temp\is-0FUR6.tmp\FileOpenInstaller.tmp Directory created: C:\Program Files\FileOpen\Services
Source: C:\Users\user\AppData\Local\Temp\is-0FUR6.tmp\FileOpenInstaller.tmp Directory created: C:\Program Files\FileOpen\Services\is-KGJ5A.tmp
Source: C:\Users\user\AppData\Local\Temp\is-0FUR6.tmp\FileOpenInstaller.tmp Directory created: C:\Program Files\FileOpen\Services\is-GL49N.tmp
Source: C:\Users\user\AppData\Local\Temp\is-0FUR6.tmp\FileOpenInstaller.tmp Directory created: C:\Program Files\FileOpen\unins000.msg
Source: C:\Users\user\AppData\Local\Temp\is-0FUR6.tmp\FileOpenInstaller.tmp File created: C:\Users\user\AppData\Local\Temp\Setup Log 2023-02-07 #001.txt
Source: FileOpenInstaller.exe Static PE information: certificate valid
Source: FileOpenInstaller.exe Static PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Source: Binary string: C:\dev\FileOpenClient-dev\build-x64-RelWithDebInfo\RelWithDebInfo\FileOpenBrokerTrace64.pdbj source: FileOpenInstaller.tmp, 00000001.00000003.330327512.00000000039FE000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: C:\dev\AcroClient-WinInstallers\FileOpenInstallerExe\UtilDll\Release\UtilDll.pdb source: UtilDll.dll.1.dr
Source: Binary string: C:\dev\FileOpenClient-dev\build-x64-RelWithDebInfo\RelWithDebInfo\FileOpenBroker64.pdb source: FileOpenInstaller.tmp, 00000001.00000003.330327512.00000000037D0000.00000004.00001000.00020000.00000000.sdmp, FileOpenBroker64.exe, 00000014.00000002.514802671.00007FF72BF0B000.00000002.00000001.01000000.0000000A.sdmp, FileOpenBroker64.exe, 00000014.00000000.321969420.00007FF72BF0B000.00000002.00000001.01000000.0000000A.sdmp, FileOpenBroker64.exe, 00000016.00000002.341394742.00007FF72BF0B000.00000002.00000001.01000000.0000000A.sdmp, FileOpenBroker64.exe, 00000016.00000000.339698525.00007FF72BF0B000.00000002.00000001.01000000.0000000A.sdmp, is-KGJ5A.tmp.1.dr
Source: Binary string: C:\dev\FileOpenClient-dev\build-x64-RelWithDebInfo\RelWithDebInfo\FileOpenManager64.pdb source: FileOpenManager64.exe, 00000013.00000002.514318661.00007FF796837000.00000002.00000001.01000000.00000009.sdmp, FileOpenManager64.exe, 00000013.00000000.319140001.00007FF796837000.00000002.00000001.01000000.00000009.sdmp, is-GL49N.tmp.1.dr
Source: Binary string: C:\dev\FileOpenClient-dev\build-Win32-RelWithDebInfo\RelWithDebInfo\FileOpenPlugin32.B998.pdb source: is-U9E22.tmp.1.dr
Source: Binary string: C:\dev\FileOpenClient-dev\build-x64-RelWithDebInfo\RelWithDebInfo\FileOpenBrokerTrace64.pdb source: FileOpenInstaller.tmp, 00000001.00000003.330327512.00000000039FE000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: C:\dev\FileOpenClient-dev\build-x64-RelWithDebInfo\RelWithDebInfo\FileOpenBroker64.pdbi source: FileOpenInstaller.tmp, 00000001.00000003.330327512.00000000037D0000.00000004.00001000.00020000.00000000.sdmp, FileOpenBroker64.exe, 00000014.00000002.514802671.00007FF72BF0B000.00000002.00000001.01000000.0000000A.sdmp, FileOpenBroker64.exe, 00000014.00000000.321969420.00007FF72BF0B000.00000002.00000001.01000000.0000000A.sdmp, FileOpenBroker64.exe, 00000016.00000002.341394742.00007FF72BF0B000.00000002.00000001.01000000.0000000A.sdmp, FileOpenBroker64.exe, 00000016.00000000.339698525.00007FF72BF0B000.00000002.00000001.01000000.0000000A.sdmp, is-KGJ5A.tmp.1.dr
Source: Binary string: C:\dev\FileOpenClient-dev\build-Win32-RelWithDebInfo\RelWithDebInfo\FileOpenBrokerTrace32.pdb source: FileOpenInstaller.tmp, 00000001.00000003.330327512.0000000003855000.00000004.00001000.00020000.00000000.sdmp
Source: C:\Program Files\FileOpen\Services\FileOpenManager64.exe Code function: 19_2_00007FF796821440 _invalid_parameter_noinfo,_invalid_parameter_noinfo,FindFirstFileExW,FindNextFileW,FindClose,FindClose,FindClose, 19_2_00007FF796821440
Source: C:\Program Files\FileOpen\Services\FileOpenManager64.exe Code function: 19_2_00007FF79682203C FindFirstFileExW,FindNextFileW,FindClose, 19_2_00007FF79682203C
Source: C:\Program Files\FileOpen\Services\FileOpenManager64.exe Code function: 19_2_00007FF796821BA0 FindFirstFileExW, 19_2_00007FF796821BA0
Source: C:\Program Files\FileOpen\Services\FileOpenBroker64.exe Code function: 20_2_00007FF72BDCBC20 FindFirstFileA,FindNextFileA,FindNextFileA,FindClose, 20_2_00007FF72BDCBC20
Source: C:\Program Files\FileOpen\Services\FileOpenBroker64.exe Code function: 20_2_00007FF72BDC3E90 FindFirstFileA,FindNextFileA,FindClose, 20_2_00007FF72BDC3E90
Source: C:\Program Files\FileOpen\Services\FileOpenBroker64.exe Code function: 20_2_00007FF72BDCBD50 FindFirstFileA,FindNextFileA,FindNextFileA,FindClose, 20_2_00007FF72BDCBD50
Source: C:\Program Files\FileOpen\Services\FileOpenBroker64.exe Code function: 20_2_00007FF72BDC1470 FindFirstFileA,GetLastError,FindNextFileA,GetLastError,FindClose,FindFirstFileA,GetLastError,FindFirstFileA,GetLastError,FindFirstFileA,GetLastError,FindClose, 20_2_00007FF72BDC1470
Source: C:\Program Files\FileOpen\Services\FileOpenBroker64.exe Code function: 20_2_00007FF72BDC1130 FindFirstFileA,GetLastError,FindFirstFileA,GetLastError,FindNextFileA,GetLastError,FindClose,FindFirstFileA,GetLastError,FindNextFileA,GetLastError,FindClose,FindFirstFileA,GetLastError,FindNextFileA,GetLastError,FindClose,FindClose, 20_2_00007FF72BDC1130
Source: C:\Program Files\FileOpen\Services\FileOpenBroker64.exe Code function: 20_2_00007FF72BDCB900 _invalid_parameter_noinfo_noreturn,FindFirstFileA,FindNextFileA,FindNextFileA,FindClose, 20_2_00007FF72BDCB900
Source: C:\Program Files\FileOpen\Services\FileOpenBroker64.exe Code function: 20_2_00007FF72BDD2880 FindFirstFileA,FindNextFileA,FindClose, 20_2_00007FF72BDD2880
Source: Joe Sandbox View JA3 fingerprint: 37f463bf4616ecd445d4a1937da06e19
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49738
Source: unknown Network traffic detected: HTTP traffic on port 49736 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49737
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49736
Source: unknown Network traffic detected: HTTP traffic on port 49737 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49738 -> 443
Source: FileOpenInstaller.exe, is-KGJ5A.tmp.1.dr, FileOpenInstaller.tmp.0.dr, is-GL49N.tmp.1.dr String found in binary or memory: http://cacerts.digicert.com/DigiCertEVCodeSigningCA-SHA2.crt0
Source: FileOpenInstaller.exe, is-KGJ5A.tmp.1.dr, FileOpenInstaller.tmp.0.dr, is-GL49N.tmp.1.dr String found in binary or memory: http://cacerts.digicert.com/DigiCertHighAssuranceEVRootCA.crt0
Source: FileOpenInstaller.exe, is-KGJ5A.tmp.1.dr, FileOpenInstaller.tmp.0.dr, is-GL49N.tmp.1.dr String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crt0
Source: FileOpenInstaller.exe, is-KGJ5A.tmp.1.dr, FileOpenInstaller.tmp.0.dr, is-GL49N.tmp.1.dr String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedRootG4.crt0C
Source: FileOpenBroker64.exe, 00000014.00000003.342051339.0000024DCA2F7000.00000004.00000020.00020000.00000000.sdmp, FileOpenBroker64.exe, 00000014.00000002.513758365.0000024DCA2E8000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001B.00000002.431149259.000001B6BD500000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://crl.globalsign.net/root-r2.crl0
Source: FileOpenInstaller.exe, is-KGJ5A.tmp.1.dr, FileOpenInstaller.tmp.0.dr, is-GL49N.tmp.1.dr String found in binary or memory: http://crl3.digicert.com/DigiCertHighAssuranceEVRootCA.crl0
Source: FileOpenInstaller.exe, is-KGJ5A.tmp.1.dr, FileOpenInstaller.tmp.0.dr, is-GL49N.tmp.1.dr String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crl0
Source: FileOpenInstaller.exe, is-KGJ5A.tmp.1.dr, FileOpenInstaller.tmp.0.dr, is-GL49N.tmp.1.dr String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedRootG4.crl0
Source: FileOpenInstaller.exe, is-KGJ5A.tmp.1.dr, FileOpenInstaller.tmp.0.dr, is-GL49N.tmp.1.dr String found in binary or memory: http://crl3.digicert.com/EVCodeSigningSHA2-g1.crl07
Source: FileOpenInstaller.exe, is-KGJ5A.tmp.1.dr, FileOpenInstaller.tmp.0.dr, is-GL49N.tmp.1.dr String found in binary or memory: http://crl4.digicert.com/DigiCertHighAssuranceEVRootCA.crl0
Source: FileOpenInstaller.exe, is-KGJ5A.tmp.1.dr, FileOpenInstaller.tmp.0.dr, is-GL49N.tmp.1.dr String found in binary or memory: http://crl4.digicert.com/EVCodeSigningSHA2-g1.crl0J
Source: FileOpenInstaller.tmp, 00000001.00000003.330327512.0000000003855000.00000004.00001000.00020000.00000000.sdmp, FileOpenInstaller.tmp, 00000001.00000003.330327512.00000000039FE000.00000004.00001000.00020000.00000000.sdmp, FileOpenInstaller.tmp, 00000001.00000003.330327512.0000000003C10000.00000004.00001000.00020000.00000000.sdmp, FileOpenBroker64.exe, FileOpenBroker64.exe, 00000014.00000000.323167265.00007FF72BF88000.00000002.00000001.01000000.0000000A.sdmp, FileOpenBroker64.exe, 00000016.00000002.341623060.00007FF72BF88000.00000002.00000001.01000000.0000000A.sdmp, is-KGJ5A.tmp.1.dr, is-U9E22.tmp.1.dr String found in binary or memory: http://fileopen.com
Source: FileOpenInstaller.tmp, 00000001.00000003.330327512.0000000003855000.00000004.00001000.00020000.00000000.sdmp, FileOpenInstaller.tmp, 00000001.00000003.330327512.00000000039FE000.00000004.00001000.00020000.00000000.sdmp, FileOpenInstaller.tmp, 00000001.00000003.330327512.00000000037D0000.00000004.00001000.00020000.00000000.sdmp, FileOpenBroker64.exe, 00000014.00000002.514802671.00007FF72BF0B000.00000002.00000001.01000000.0000000A.sdmp, FileOpenBroker64.exe, 00000014.00000000.321969420.00007FF72BF0B000.00000002.00000001.01000000.0000000A.sdmp, FileOpenBroker64.exe, 00000016.00000002.341394742.00007FF72BF0B000.00000002.00000001.01000000.0000000A.sdmp, FileOpenBroker64.exe, 00000016.00000000.339698525.00007FF72BF0B000.00000002.00000001.01000000.0000000A.sdmp, is-KGJ5A.tmp.1.dr, is-U9E22.tmp.1.dr String found in binary or memory: http://fileopen.com/updates
Source: svchost.exe, 0000001B.00000003.411594025.000001B6BD59A000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001B.00000003.411629471.000001B6BD577000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001B.00000003.411738099.000001B6BD5A4000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001B.00000003.411694374.000001B6BD588000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://help.disneyplus.com
Source: FileOpenInstaller.exe, is-KGJ5A.tmp.1.dr, FileOpenInstaller.tmp.0.dr, is-GL49N.tmp.1.dr String found in binary or memory: http://ocsp.digicert.com0A
Source: FileOpenInstaller.exe, is-KGJ5A.tmp.1.dr, FileOpenInstaller.tmp.0.dr, is-GL49N.tmp.1.dr String found in binary or memory: http://ocsp.digicert.com0H
Source: FileOpenInstaller.exe, is-KGJ5A.tmp.1.dr, FileOpenInstaller.tmp.0.dr, is-GL49N.tmp.1.dr String found in binary or memory: http://ocsp.digicert.com0I
Source: FileOpenInstaller.exe, is-KGJ5A.tmp.1.dr, FileOpenInstaller.tmp.0.dr, is-GL49N.tmp.1.dr String found in binary or memory: http://ocsp.digicert.com0X
Source: FileOpenInstaller.tmp, 00000001.00000003.330327512.0000000003855000.00000004.00001000.00020000.00000000.sdmp, FileOpenInstaller.tmp, 00000001.00000003.330327512.00000000039FE000.00000004.00001000.00020000.00000000.sdmp, FileOpenInstaller.tmp, 00000001.00000003.330327512.00000000037D0000.00000004.00001000.00020000.00000000.sdmp, FileOpenBroker64.exe, 00000014.00000002.514802671.00007FF72BF0B000.00000002.00000001.01000000.0000000A.sdmp, FileOpenBroker64.exe, 00000014.00000002.513758365.0000024DCA23C000.00000004.00000020.00020000.00000000.sdmp, FileOpenBroker64.exe, 00000014.00000000.321969420.00007FF72BF0B000.00000002.00000001.01000000.0000000A.sdmp, FileOpenBroker64.exe, 00000016.00000002.340776018.000001B8CBDC0000.00000004.00000020.00020000.00000000.sdmp, FileOpenBroker64.exe, 00000016.00000002.341394742.00007FF72BF0B000.00000002.00000001.01000000.0000000A.sdmp, FileOpenBroker64.exe, 00000016.00000000.339698525.00007FF72BF0B000.00000002.00000001.01000000.0000000A.sdmp, is-KGJ5A.tmp.1.dr, is-U9E22.tmp.1.dr String found in binary or memory: http://plugin.fileopen.com/.
Source: FileOpenBroker64.exe, 00000014.00000002.513758365.0000024DCA23C000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://plugin.fileopen.com/.z&
Source: svchost.exe, 00000006.00000002.313352938.0000029DADC13000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.bingmapsportal.com
Source: FileOpenInstaller.exe, is-KGJ5A.tmp.1.dr, FileOpenInstaller.tmp.0.dr, is-GL49N.tmp.1.dr String found in binary or memory: http://www.digicert.com/CPS0
Source: FileOpenInstaller.exe, is-KGJ5A.tmp.1.dr, FileOpenInstaller.tmp.0.dr, is-GL49N.tmp.1.dr String found in binary or memory: http://www.digicert.com/ssl-cps-repository.htm0
Source: is-U9E22.tmp.1.dr String found in binary or memory: http://www.fileopen.com/%s
Source: is-U9E22.tmp.1.dr String found in binary or memory: http://www.fileopen.com/%sPlugin
Source: FileOpenInstaller.exe, FileOpenInstaller.tmp.0.dr String found in binary or memory: http://www.fileopen.com/0
Source: FileOpenInstaller.exe, 00000000.00000003.339885366.0000000002331000.00000004.00001000.00020000.00000000.sdmp, FileOpenInstaller.tmp, 00000001.00000003.335133861.0000000000D14000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: http://www.fileopen.com/request-tech-support/
Source: FileOpenInstaller.exe, 00000000.00000003.339885366.0000000002331000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: http://www.fileopen.com/request-tech-support/Q/3
Source: FileOpenInstaller.exe, 00000000.00000003.249527175.0000000002580000.00000004.00001000.00020000.00000000.sdmp, FileOpenInstaller.tmp, 00000001.00000003.255479179.00000000033F0000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: http://www.fileopen.com/request-tech-support/Zhttp://www.fileopen.com/request-tech-support/
Source: FileOpenInstaller.tmp, 00000001.00000003.335133861.0000000000D14000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: http://www.fileopen.com/request-tech-support/qM
Source: FileOpenInstaller.exe, 00000000.00000003.249970577.00000000026C0000.00000004.00001000.00020000.00000000.sdmp, FileOpenInstaller.exe, 00000000.00000003.250333831.000000007FBB0000.00000004.00001000.00020000.00000000.sdmp, FileOpenInstaller.tmp, 00000001.00000000.252856251.0000000000401000.00000020.00000001.01000000.00000004.sdmp, FileOpenInstaller.tmp.0.dr String found in binary or memory: http://www.innosetup.com/
Source: FileOpenInstaller.exe, 00000000.00000003.249970577.00000000026C0000.00000004.00001000.00020000.00000000.sdmp, FileOpenInstaller.exe, 00000000.00000003.250333831.000000007FBB0000.00000004.00001000.00020000.00000000.sdmp, FileOpenInstaller.tmp, 00000001.00000000.252856251.0000000000401000.00000020.00000001.01000000.00000004.sdmp, FileOpenInstaller.tmp.0.dr String found in binary or memory: http://www.remobjects.com/ps
Source: svchost.exe, 00000004.00000002.513825993.0000023F6823E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://%s.dnet.xboxlive.com
Source: svchost.exe, 00000004.00000002.513825993.0000023F6823E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://%s.xboxlive.com
Source: svchost.exe, 00000004.00000002.513825993.0000023F6823E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://activity.windows.com
Source: svchost.exe, 00000006.00000003.312665346.0000029DADC61000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://appexmapsappupdate.blob.core.windows.net
Source: svchost.exe, 00000004.00000002.513825993.0000023F6823E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://bn2.notify.windows.com/v2/register/xplatform/device
Source: svchost.exe, 00000004.00000002.513825993.0000023F6823E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://co4-df.notify.windows.com/v2/register/xplatform/device
Source: svchost.exe, 00000006.00000003.312883589.0000029DADC5A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://dev.ditu.live.com/REST/v1/Imagery/Copyright/
Source: svchost.exe, 00000006.00000002.313417322.0000029DADC5C000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000006.00000003.312883589.0000029DADC5A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://dev.ditu.live.com/REST/v1/JsonFilter/VenueMaps/data/
Source: svchost.exe, 00000006.00000003.312665346.0000029DADC61000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://dev.ditu.live.com/REST/v1/Locations
Source: svchost.exe, 00000006.00000002.313394059.0000029DADC3D000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://dev.ditu.live.com/REST/v1/Routes/
Source: svchost.exe, 00000006.00000002.313417322.0000029DADC5C000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000006.00000003.312883589.0000029DADC5A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://dev.ditu.live.com/REST/v1/Traffic/Incidents/
Source: svchost.exe, 00000006.00000003.312665346.0000029DADC61000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://dev.ditu.live.com/mapcontrol/logging.ashx
Source: svchost.exe, 00000006.00000003.312477211.0000029DADC47000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000006.00000002.313409269.0000029DADC4D000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://dev.ditu.live.com/mapcontrol/mapconfiguration.ashx?name=native&v=
Source: svchost.exe, 00000006.00000002.313417322.0000029DADC5C000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000006.00000003.312883589.0000029DADC5A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://dev.virtualearth.net/REST/v1/JsonFilter/VenueMaps/data/
Source: svchost.exe, 00000006.00000003.312665346.0000029DADC61000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://dev.virtualearth.net/REST/v1/Locations
Source: svchost.exe, 00000006.00000002.313394059.0000029DADC3D000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://dev.virtualearth.net/REST/v1/Routes/
Source: svchost.exe, 00000006.00000003.312665346.0000029DADC61000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://dev.virtualearth.net/REST/v1/Routes/Driving
Source: svchost.exe, 00000006.00000003.312665346.0000029DADC61000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://dev.virtualearth.net/REST/v1/Routes/Transit
Source: svchost.exe, 00000006.00000003.312665346.0000029DADC61000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://dev.virtualearth.net/REST/v1/Routes/Walking
Source: svchost.exe, 00000006.00000003.313036808.0000029DADC41000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://dev.virtualearth.net/REST/v1/Transit/Schedules/
Source: svchost.exe, 00000006.00000003.312972855.0000029DADC40000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000006.00000002.313401443.0000029DADC42000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000006.00000003.313036808.0000029DADC41000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://dev.virtualearth.net/mapcontrol/HumanScaleServices/GetBubbles.ashx?n=
Source: svchost.exe, 00000006.00000003.312665346.0000029DADC61000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://dev.virtualearth.net/mapcontrol/logging.ashx
Source: svchost.exe, 00000006.00000002.313417322.0000029DADC5C000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000006.00000003.312972855.0000029DADC40000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000006.00000003.312883589.0000029DADC5A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://dev.virtualearth.net/webservices/v1/LoggingService/LoggingService.svc/Log?
Source: svchost.exe, 0000001B.00000003.411594025.000001B6BD59A000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001B.00000003.411629471.000001B6BD577000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001B.00000003.411738099.000001B6BD5A4000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001B.00000003.411694374.000001B6BD588000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://disneyplus.com/legal/subscriber-agreement
Source: svchost.exe, 00000006.00000003.312883589.0000029DADC5A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://dynamic.api.tiles.ditu.live.com/odvs/gd?pv=1&r=
Source: svchost.exe, 00000006.00000002.313417322.0000029DADC5C000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000006.00000003.312883589.0000029DADC5A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://dynamic.api.tiles.ditu.live.com/odvs/gdi?pv=1&r=
Source: svchost.exe, 00000006.00000002.313417322.0000029DADC5C000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000006.00000003.312883589.0000029DADC5A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://dynamic.api.tiles.ditu.live.com/odvs/gdv?pv=1&r=
Source: svchost.exe, 00000006.00000002.313430643.0000029DADC65000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://dynamic.t
Source: svchost.exe, 00000006.00000003.312665346.0000029DADC61000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://dynamic.t0.tiles.ditu.live.com/comp/gen.ashx
Source: svchost.exe, 00000006.00000002.313394059.0000029DADC3D000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://ecn.dev.virtualearth.net/REST/v1/Imagery/Copyright/
Source: svchost.exe, 00000006.00000003.312972855.0000029DADC40000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://ecn.dev.virtualearth.net/mapcontrol/mapconfiguration.ashx?name=native&v=
Source: FileOpenInstaller.exe String found in binary or memory: https://jrsoftware.org/ishelp/index.php?topic=setupcmdlineSetupU
Source: FileOpenBroker64.exe, 00000014.00000002.514485574.0000024DCC030000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://plugin.fileopen.com/
Source: FileOpenBroker64.exe, 00000014.00000002.514485574.0000024DCC030000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://plugin.fileopen.com/E
Source: FileOpenBroker64.exe, 00000014.00000002.514485574.0000024DCC030000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://plugin.fileopen.com/installcomplete.ashx?Request=DocPerm&Stamp=1675822538&Mode=CNR&USR=10007
Source: FileOpenBroker64.exe, 00000014.00000002.513758365.0000024DCA2E8000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://plugin.fileopen.com/installcomplete.ashx?Request=Setting&Stamp=1675822537&Mode=CNR&USR=10007
Source: svchost.exe, 00000006.00000002.313394059.0000029DADC3D000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://t0.ssl.ak.dynamic.tiles.virtualearth.net/comp/gen.ashx
Source: svchost.exe, 00000006.00000002.313394059.0000029DADC3D000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000006.00000002.313352938.0000029DADC13000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://t0.ssl.ak.dynamic.tiles.virtualearth.net/odvs/gd?pv=1&r=
Source: svchost.exe, 00000006.00000003.312972855.0000029DADC40000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://t0.ssl.ak.dynamic.tiles.virtualearth.net/odvs/gdi?pv=1&r=
Source: svchost.exe, 00000006.00000003.312991453.0000029DADC56000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://t0.ssl.ak.dynamic.tiles.virtualearth.net/odvs/gdv?pv=1&r=
Source: svchost.exe, 00000006.00000003.312972855.0000029DADC40000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://t0.ssl.ak.dynamic.tiles.virtualearth.net/odvs/gri?pv=1&r=
Source: svchost.exe, 00000006.00000003.290703561.0000029DADC32000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000006.00000002.313374724.0000029DADC3B000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://t0.ssl.ak.tiles.virtualearth.net/tiles/gen
Source: svchost.exe, 00000006.00000003.312477211.0000029DADC47000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000006.00000002.313409269.0000029DADC4D000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://t0.tiles.ditu.live.com/tiles/gen
Source: FileOpenBroker64.exe, 00000014.00000002.513758365.0000024DCA2A1000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://usr.fileopen.com/
Source: FileOpenBroker64.exe, 00000014.00000002.513758365.0000024DCA272000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://usr.fileopen.com/check/usr/aZBj6Q
Source: svchost.exe, 0000001B.00000003.411594025.000001B6BD59A000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001B.00000003.411629471.000001B6BD577000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001B.00000003.411738099.000001B6BD5A4000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001B.00000003.411694374.000001B6BD588000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.disneyplus.com/legal/privacy-policy
Source: svchost.exe, 0000001B.00000003.411594025.000001B6BD59A000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001B.00000003.411629471.000001B6BD577000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001B.00000003.411738099.000001B6BD5A4000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001B.00000003.411694374.000001B6BD588000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.disneyplus.com/legal/your-california-privacy-rights
Source: svchost.exe, 0000001B.00000003.413351324.000001B6BD585000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001B.00000003.413374045.000001B6BD5A7000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001B.00000003.413365349.000001B6BD596000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001B.00000003.413397653.000001B6BDA18000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001B.00000003.413430330.000001B6BD585000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001B.00000003.413413969.000001B6BDA02000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001B.00000003.413383708.000001B6BDA18000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.tiktok.com/legal/report/feedback
Source: unknown HTTP traffic detected: POST /check/usr/aZBj6Q+rFX1ikU6tKzx6k1ti|QIahCGjsg4RWrsiwFk= HTTP/1.1Content-type: application/jsonUser-Agent: FileOpen ClientHost: usr.fileopen.comContent-Length: 811Connection: Keep-AliveCache-Control: no-cache
Source: unknown DNS traffic detected: queries for: usr.fileopen.com
Source: C:\Program Files\FileOpen\Services\FileOpenBroker64.exe Code function: 20_2_00007FF72BDD1A20 InternetOpenA,InternetOpenUrlA,GetLastError,InternetCloseHandle,InternetQueryDataAvailable,GetLastError,InternetReadFile,InternetCloseHandle,InternetCloseHandle, 20_2_00007FF72BDD1A20
Source: global traffic HTTP traffic detected: GET /installcomplete.ashx?Request=Setting&Stamp=1675822537&Mode=CNR&USR=10007&ServiceID=InstallComplete&DocumentID=D-700&Ident3ID=number3&Ident4ID=number4&DocStrFmt=ASCII&PageCount=0&AdobePermanentId=fe2312a4b89fd64a94044c8c74baef85&AdobeInstanceId=7653cfff47f8504296a48ee78cc73a7d&OSType=Windows&Language=ENU&LngLCID=ENU&LngRFC1766=en&LngISO4Char=en-us&HostAppClass=FileOpen%20Plug-in&HostAppFeatures=001fff7f337ff3ff&Build=998&ProdVer=4.4.0.32&EncrVer=3.9.2.5&Machine=NZGV4LSL&Disk=RVZU7PBB&Uuid=779331e3-a756-11ed-90e8-ecf4bb2d2496&PrevMach=&PrevDisk=&FormHFT=Yes&SelServer=Yes&AcroProduct=Reader&AcroVersion=19.3072&AcroReader=Yes&AcroCanEdit=Yes&AcroPrefIDib=Yes&InBrowser=No&IEProtectedMode=Unknown&HostAppName=&DocIsLocal=Yes&DocPathUrl=file%3A%2F%2F%2FC%7C%2FProgram%20Files%2FFileOpen%2Fexamples%2Finstallcomplete.pdf&VolName=&VolType=Fixed&VolSN=1784512375&FSName=NTFS&FowpKbd=Yes&ScreenHook=Yes&Broker=Yes&RejectedDlls=&OSName=WindowsWin8%2064bit&OSBuild=Build%209200&RequestSchema=Default HTTP/1.1User-Agent: "Acrobat Reader FileOpen Plug-in"Host: plugin.fileopen.comConnection: Keep-AliveCache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /installcomplete.ashx?Request=DocPerm&Stamp=1675822538&Mode=CNR&USR=10007&ServiceID=InstallComplete&DocumentID=D-700&Ident3ID=number3&Ident4ID=number4&DocStrFmt=ASCII&PageCount=0&AdobePermanentId=fe2312a4b89fd64a94044c8c74baef85&AdobeInstanceId=7653cfff47f8504296a48ee78cc73a7d&OSType=Windows&Language=ENU&LngLCID=ENU&LngRFC1766=en&LngISO4Char=en-us&HostAppClass=FileOpen%20Plug-in&HostAppFeatures=001fff7f337ff3ff&Build=998&ProdVer=4.4.0.32&EncrVer=3.9.2.5&Machine=NZGV4LSL&Disk=RVZU7PBB&Uuid=779331e3-a756-11ed-90e8-ecf4bb2d2496&FormHFT=Yes&SelServer=Yes&AcroProduct=Reader&AcroVersion=19.3072&AcroReader=Yes&AcroCanEdit=Yes&AcroPrefIDib=Yes&InBrowser=No&IEProtectedMode=Unknown&HostAppName=&DocIsLocal=Yes&DocPathUrl=file%3A%2F%2F%2FC%7C%2FProgram%20Files%2FFileOpen%2Fexamples%2Finstallcomplete.pdf&VolName=&VolType=Fixed&VolSN=1784512375&FSName=NTFS&FowpKbd=Yes&ScreenHook=Yes&Broker=Yes&RejectedDlls=&OSName=WindowsWin8%2064bit&OSBuild=Build%209200&RequestSchema=Default HTTP/1.1User-Agent: "Acrobat Reader FileOpen Plug-in"Host: plugin.fileopen.comConnection: Keep-AliveCache-Control: no-cache
Source: unknown HTTPS traffic detected: 72.3.136.136:443 -> 192.168.2.6:49736 version: TLS 1.2
Source: unknown HTTPS traffic detected: 72.3.136.132:443 -> 192.168.2.6:49737 version: TLS 1.2
Source: FileOpenInstaller.exe Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, BYTES_REVERSED_LO, 32BIT_MACHINE, BYTES_REVERSED_HI
Source: C:\Program Files\FileOpen\Services\FileOpenManager64.exe Code function: 19_2_00007FF7967B7640 19_2_00007FF7967B7640
Source: C:\Program Files\FileOpen\Services\FileOpenManager64.exe Code function: 19_2_00007FF7967A7510 19_2_00007FF7967A7510
Source: C:\Program Files\FileOpen\Services\FileOpenManager64.exe Code function: 19_2_00007FF7967D1180 19_2_00007FF7967D1180
Source: C:\Program Files\FileOpen\Services\FileOpenManager64.exe Code function: 19_2_00007FF7967A68B0 19_2_00007FF7967A68B0
Source: C:\Program Files\FileOpen\Services\FileOpenManager64.exe Code function: 19_2_00007FF7967F57C8 19_2_00007FF7967F57C8
Source: C:\Program Files\FileOpen\Services\FileOpenManager64.exe Code function: 19_2_00007FF79682B568 19_2_00007FF79682B568
Source: C:\Program Files\FileOpen\Services\FileOpenManager64.exe Code function: 19_2_00007FF796821440 19_2_00007FF796821440
Source: C:\Program Files\FileOpen\Services\FileOpenManager64.exe Code function: 19_2_00007FF796801654 19_2_00007FF796801654
Source: C:\Program Files\FileOpen\Services\FileOpenManager64.exe Code function: 19_2_00007FF7967B5400 19_2_00007FF7967B5400
Source: C:\Program Files\FileOpen\Services\FileOpenManager64.exe Code function: 19_2_00007FF79682D384 19_2_00007FF79682D384
Source: C:\Program Files\FileOpen\Services\FileOpenManager64.exe Code function: 19_2_00007FF7967F54E8 19_2_00007FF7967F54E8
Source: C:\Program Files\FileOpen\Services\FileOpenManager64.exe Code function: 19_2_00007FF7967BF42F 19_2_00007FF7967BF42F
Source: C:\Program Files\FileOpen\Services\FileOpenManager64.exe Code function: 19_2_00007FF79680B18C 19_2_00007FF79680B18C
Source: C:\Program Files\FileOpen\Services\FileOpenManager64.exe Code function: 19_2_00007FF79681B2C8 19_2_00007FF79681B2C8
Source: C:\Program Files\FileOpen\Services\FileOpenManager64.exe Code function: 19_2_00007FF7967F521C 19_2_00007FF7967F521C
Source: C:\Program Files\FileOpen\Services\FileOpenManager64.exe Code function: 19_2_00007FF79681528C 19_2_00007FF79681528C
Source: C:\Program Files\FileOpen\Services\FileOpenManager64.exe Code function: 19_2_00007FF7967F3F98 19_2_00007FF7967F3F98
Source: C:\Program Files\FileOpen\Services\FileOpenManager64.exe Code function: 19_2_00007FF79680E000 19_2_00007FF79680E000
Source: C:\Program Files\FileOpen\Services\FileOpenManager64.exe Code function: 19_2_00007FF7967A5F80 19_2_00007FF7967A5F80
Source: C:\Program Files\FileOpen\Services\FileOpenManager64.exe Code function: 19_2_00007FF796821BA0 19_2_00007FF796821BA0
Source: C:\Program Files\FileOpen\Services\FileOpenManager64.exe Code function: 19_2_00007FF796827C04 19_2_00007FF796827C04
Source: C:\Program Files\FileOpen\Services\FileOpenManager64.exe Code function: 19_2_00007FF7967BDB40 19_2_00007FF7967BDB40
Source: C:\Program Files\FileOpen\Services\FileOpenManager64.exe Code function: 19_2_00007FF79680DB50 19_2_00007FF79680DB50
Source: C:\Program Files\FileOpen\Services\FileOpenManager64.exe Code function: 19_2_00007FF7967F3CFC 19_2_00007FF7967F3CFC
Source: C:\Program Files\FileOpen\Services\FileOpenManager64.exe Code function: 19_2_00007FF796825AAC 19_2_00007FF796825AAC
Source: C:\Program Files\FileOpen\Services\FileOpenManager64.exe Code function: 19_2_00007FF7967F3A78 19_2_00007FF7967F3A78
Source: C:\Program Files\FileOpen\Services\FileOpenManager64.exe Code function: 19_2_00007FF7968244EC 19_2_00007FF7968244EC
Source: C:\Program Files\FileOpen\Services\FileOpenManager64.exe Code function: 19_2_00007FF79681A720 19_2_00007FF79681A720
Source: C:\Program Files\FileOpen\Services\FileOpenManager64.exe Code function: 19_2_00007FF7968306CC 19_2_00007FF7968306CC
Source: C:\Program Files\FileOpen\Services\FileOpenManager64.exe Code function: 19_2_00007FF7967F4700 19_2_00007FF7967F4700
Source: C:\Program Files\FileOpen\Services\FileOpenManager64.exe Code function: 19_2_00007FF7967BE320 19_2_00007FF7967BE320
Source: C:\Program Files\FileOpen\Services\FileOpenManager64.exe Code function: 19_2_00007FF7967F4484 19_2_00007FF7967F4484
Source: C:\Program Files\FileOpen\Services\FileOpenManager64.exe Code function: 19_2_00007FF79680A15C 19_2_00007FF79680A15C
Source: C:\Program Files\FileOpen\Services\FileOpenBroker64.exe Code function: 20_2_00007FF72BECF02C 20_2_00007FF72BECF02C
Source: C:\Program Files\FileOpen\Services\FileOpenBroker64.exe Code function: 20_2_00007FF72BD98DE0 20_2_00007FF72BD98DE0
Source: C:\Program Files\FileOpen\Services\FileOpenBroker64.exe Code function: 20_2_00007FF72BECED98 20_2_00007FF72BECED98
Source: C:\Program Files\FileOpen\Services\FileOpenBroker64.exe Code function: 20_2_00007FF72BD98180 20_2_00007FF72BD98180
Source: C:\Program Files\FileOpen\Services\FileOpenBroker64.exe Code function: 20_2_00007FF72BD97850 20_2_00007FF72BD97850
Source: C:\Program Files\FileOpen\Services\FileOpenBroker64.exe Code function: 20_2_00007FF72BDCF6A0 20_2_00007FF72BDCF6A0
Source: C:\Program Files\FileOpen\Services\FileOpenBroker64.exe Code function: 20_2_00007FF72BDA7640 20_2_00007FF72BDA7640
Source: C:\Program Files\FileOpen\Services\FileOpenBroker64.exe Code function: 20_2_00007FF72BECECB4 20_2_00007FF72BECECB4
Source: C:\Program Files\FileOpen\Services\FileOpenBroker64.exe Code function: 20_2_00007FF72BECFC40 20_2_00007FF72BECFC40
Source: C:\Program Files\FileOpen\Services\FileOpenBroker64.exe Code function: 20_2_00007FF72BECAC04 20_2_00007FF72BECAC04
Source: C:\Program Files\FileOpen\Services\FileOpenBroker64.exe Code function: 20_2_00007FF72BEAEBEC 20_2_00007FF72BEAEBEC
Source: C:\Program Files\FileOpen\Services\FileOpenBroker64.exe Code function: 20_2_00007FF72BDDEBA0 20_2_00007FF72BDDEBA0
Source: C:\Program Files\FileOpen\Services\FileOpenBroker64.exe Code function: 20_2_00007FF72BEDCB98 20_2_00007FF72BEDCB98
Source: C:\Program Files\FileOpen\Services\FileOpenBroker64.exe Code function: 20_2_00007FF72BDADB30 20_2_00007FF72BDADB30
Source: C:\Program Files\FileOpen\Services\FileOpenBroker64.exe Code function: 20_2_00007FF72BDE3B10 20_2_00007FF72BDE3B10
Source: C:\Program Files\FileOpen\Services\FileOpenBroker64.exe Code function: 20_2_00007FF72BDC8B10 20_2_00007FF72BDC8B10
Source: C:\Program Files\FileOpen\Services\FileOpenBroker64.exe Code function: 20_2_00007FF72BDE2A7C 20_2_00007FF72BDE2A7C
Source: C:\Program Files\FileOpen\Services\FileOpenBroker64.exe Code function: 20_2_00007FF72BDC7A70 20_2_00007FF72BDC7A70
Source: C:\Program Files\FileOpen\Services\FileOpenBroker64.exe Code function: 20_2_00007FF72BD95A10 20_2_00007FF72BD95A10
Source: C:\Program Files\FileOpen\Services\FileOpenBroker64.exe Code function: 20_2_00007FF72BEE99B4 20_2_00007FF72BEE99B4
Source: C:\Program Files\FileOpen\Services\FileOpenBroker64.exe Code function: String function: 00007FF72BDC03A0 appears 31 times
Source: C:\Program Files\FileOpen\Services\FileOpenManager64.exe Code function: String function: 00007FF79681C918 appears 39 times
Source: C:\Program Files\FileOpen\Services\FileOpenManager64.exe Code function: 19_2_00007FF7967A7510 LocalAlloc,NtReplyWaitReceivePortEx,NtReplyWaitReceivePort,FindCloseChangeNotification,NtAcceptConnectPort,LocalFree,GetCurrentProcessId,LocalAlloc,NtAcceptConnectPort,LocalAlloc,LocalFree,NtCompleteConnectPort,SetEvent,EnterCriticalSection,LeaveCriticalSection,ReleaseSemaphore,LocalFree,NtAcceptConnectPort,LocalFree,LocalFree,LocalFree, 19_2_00007FF7967A7510
Source: C:\Program Files\FileOpen\Services\FileOpenManager64.exe Code function: 19_2_00007FF7967A68B0 GetCurrentProcess,GetCurrentProcess,GetCurrentProcess,DuplicateHandle,SetLastError,FindCloseChangeNotification,EnterCriticalSection,LeaveCriticalSection,LocalAlloc,NtCreatePort,LocalFree,LocalFree,LocalFree,LocalAlloc,lstrlenA,LocalAlloc,lstrcpyA,CreateSemaphoreW,InitializeCriticalSection,CreateThread,CreateThread,SetThreadPriority,SetThreadPriority,EnterCriticalSection,LeaveCriticalSection, 19_2_00007FF7967A68B0
Source: C:\Program Files\FileOpen\Services\FileOpenManager64.exe Code function: 19_2_00007FF7967A5F80 GetLastError,GetCurrentProcessId,GetCurrentProcessId,GetCurrentProcessId,CreateFileMappingW,MapViewOfFile,UnmapViewOfFile,NtConnectPort,CloseHandle,LocalFree,CloseHandle,GetCurrentProcessId,OpenProcess,OpenProcess,GetCurrentProcess,DuplicateHandle,GetCurrentProcessId,WriteFile,WriteFile,WriteFile,WriteFile,WriteFile,CloseHandle,ReleaseMutex,CloseHandle,CloseHandle,SetLastError, 19_2_00007FF7967A5F80
Source: C:\Program Files\FileOpen\Services\FileOpenManager64.exe Code function: 19_2_00007FF7967A7AF0 EnterCriticalSection,LeaveCriticalSection,ReleaseSemaphore,NtConnectPort,LocalFree,WaitForSingleObject,TerminateThread,CloseHandle,WaitForSingleObject,TerminateThread,CloseHandle,GetCurrentProcess,GetCurrentProcess,DuplicateHandle,SetEvent,WaitForSingleObject,CloseHandle,SetEvent,WaitForSingleObject,EnterCriticalSection,TerminateThread,CloseHandle,CloseHandle,LocalFree,LocalFree,LeaveCriticalSection,CloseHandle,CloseHandle,DeleteCriticalSection,LocalFree,LocalFree, 19_2_00007FF7967A7AF0
Source: C:\Program Files\FileOpen\Services\FileOpenBroker64.exe Code function: 20_2_00007FF72BD98DE0 LocalAlloc,NtReplyWaitReceivePortEx,NtReplyWaitReceivePort,CloseHandle,NtAcceptConnectPort,LocalFree,GetCurrentProcessId,LocalAlloc,NtAcceptConnectPort,LocalAlloc,LocalFree,NtCompleteConnectPort,SetEvent,EnterCriticalSection,LeaveCriticalSection,ReleaseSemaphore,LocalFree,NtAcceptConnectPort,LocalFree,LocalFree,LocalFree, 20_2_00007FF72BD98DE0
Source: C:\Program Files\FileOpen\Services\FileOpenBroker64.exe Code function: 20_2_00007FF72BD98180 GetCurrentProcess,GetCurrentProcess,GetCurrentProcess,DuplicateHandle,SetLastError,FindCloseChangeNotification,EnterCriticalSection,LeaveCriticalSection,LocalAlloc,NtCreatePort,LocalFree,LocalFree,LocalFree,LocalAlloc,lstrlenA,LocalAlloc,lstrcpyA,CreateSemaphoreW,InitializeCriticalSection,CreateThread,CreateThread,SetThreadPriority,SetThreadPriority,EnterCriticalSection,LeaveCriticalSection, 20_2_00007FF72BD98180
Source: C:\Program Files\FileOpen\Services\FileOpenBroker64.exe Code function: 20_2_00007FF72BD97850 GetLastError,GetCurrentProcessId,GetCurrentProcessId,GetCurrentProcessId,CreateFileMappingW,MapViewOfFile,UnmapViewOfFile,NtConnectPort,CloseHandle,LocalFree,CloseHandle,GetCurrentProcessId,OpenProcess,OpenProcess,GetCurrentProcess,DuplicateHandle,GetCurrentProcessId,WriteFile,WriteFile,WriteFile,WriteFile,WriteFile,CloseHandle,ReleaseMutex,CloseHandle,CloseHandle,SetLastError, 20_2_00007FF72BD97850
Source: C:\Program Files\FileOpen\Services\FileOpenBroker64.exe Code function: 20_2_00007FF72BD993C0 EnterCriticalSection,LeaveCriticalSection,ReleaseSemaphore,NtConnectPort,LocalFree,WaitForSingleObject,TerminateThread,CloseHandle,WaitForSingleObject,TerminateThread,CloseHandle,GetCurrentProcess,GetCurrentProcess,DuplicateHandle,SetEvent,WaitForSingleObject,CloseHandle,SetEvent,WaitForSingleObject,EnterCriticalSection,TerminateThread,CloseHandle,CloseHandle,LocalFree,LocalFree,LeaveCriticalSection,CloseHandle,CloseHandle,DeleteCriticalSection,LocalFree,LocalFree, 20_2_00007FF72BD993C0
Source: C:\Program Files\FileOpen\Services\FileOpenManager64.exe Code function: 19_2_00007FF7967BD7E0: CreateFileW,LocalAlloc,GetCurrentThreadId,DeviceIoControl,GetLastError,CloseHandle,LocalFree,SetLastError, 19_2_00007FF7967BD7E0
Source: FileOpenInstaller.tmp.0.dr Static PE information: Resource name: RT_RCDATA type: PE32+ executable (console) x86-64, for MS Windows
Source: is-BU7MM.tmp.1.dr Static PE information: Resource name: RT_RCDATA type: PE32+ executable (console) x86-64, for MS Windows
Source: is-GL49N.tmp.1.dr Static PE information: Resource name: RT_VERSION type: TTComp archive data, binary, 2K dictionary
Source: FileOpenInstaller.exe, 00000000.00000003.249970577.00000000027A5000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: OriginalFileName vs FileOpenInstaller.exe
Source: FileOpenInstaller.exe, 00000000.00000003.250333831.000000007FE91000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: OriginalFileName vs FileOpenInstaller.exe
Source: FileOpenInstaller.exe, 00000000.00000003.339885366.0000000002348000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: OriginalFilenamekernel32j% vs FileOpenInstaller.exe
Source: FileOpenInstaller.exe, 00000000.00000000.249251631.0000000000541000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: OriginalFileName vs FileOpenInstaller.exe
Source: FileOpenInstaller.exe Binary or memory string: OriginalFileName vs FileOpenInstaller.exe
Source: C:\Windows\System32\svchost.exe Section loaded: xboxlivetitleid.dll
Source: C:\Windows\System32\svchost.exe Section loaded: cdpsgshims.dll
Source: C:\Windows\System32\svchost.exe Section loaded: windowscoredeviceinfo.dll
Source: C:\Program Files\FileOpen\Services\FileOpenManager64.exe Code function: 19_2_00007FF7967B95C0 OpenSCManagerW,OpenServiceW,DeleteService,GetLastError,CloseServiceHandle,SetLastError,GetLastError,CloseServiceHandle,SetLastError, 19_2_00007FF7967B95C0
Source: C:\Users\user\Desktop\FileOpenInstaller.exe File read: C:\Users\user\Desktop\FileOpenInstaller.exe
Source: C:\Users\user\Desktop\FileOpenInstaller.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: unknown Process created: C:\Users\user\Desktop\FileOpenInstaller.exe C:\Users\user\Desktop\FileOpenInstaller.exe
Source: C:\Users\user\Desktop\FileOpenInstaller.exe Process created: C:\Users\user\AppData\Local\Temp\is-0FUR6.tmp\FileOpenInstaller.tmp "C:\Users\user\AppData\Local\Temp\is-0FUR6.tmp\FileOpenInstaller.tmp" /SL5="$10404,6054369,1320960,C:\Users\user\Desktop\FileOpenInstaller.exe"
Source: unknown Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p
Source: unknown Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s NcbService
Source: unknown Process created: C:\Windows\System32\svchost.exe c:\windows\system32\svchost.exe -k localservice -p -s CDPSvc
Source: unknown Process created: C:\Windows\System32\svchost.exe c:\windows\system32\svchost.exe -k networkservice -p -s DoSvc
Source: unknown Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k NetworkService -p
Source: unknown Process created: C:\Windows\System32\SgrmBroker.exe C:\Windows\system32\SgrmBroker.exe
Source: unknown Process created: C:\Windows\System32\svchost.exe c:\windows\system32\svchost.exe -k netsvcs -p
Source: unknown Process created: C:\Windows\System32\svchost.exe c:\windows\system32\svchost.exe -k wusvcs -p -s WaaSMedicSvc
Source: unknown Process created: C:\Windows\System32\svchost.exe c:\windows\system32\svchost.exe -k localservicenetworkrestricted -p -s wscsvc
Source: unknown Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p
Source: C:\Users\user\AppData\Local\Temp\is-0FUR6.tmp\FileOpenInstaller.tmp Process created: C:\Windows\System32\sc.exe "C:\Windows\system32\sc.exe" create FileOpenManager binpath= "\"C:\Program Files\FileOpen\Services\FileOpenManager64.exe\"" start= auto
Source: C:\Windows\System32\sc.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Temp\is-0FUR6.tmp\FileOpenInstaller.tmp Process created: C:\Windows\System32\sc.exe "C:\Windows\system32\sc.exe" description FileOpenManager "FileOpen Client Manager"
Source: C:\Windows\System32\sc.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Temp\is-0FUR6.tmp\FileOpenInstaller.tmp Process created: C:\Windows\System32\sc.exe "C:\Windows\system32\sc.exe" start FileOpenManager
Source: C:\Windows\System32\sc.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown Process created: C:\Program Files\FileOpen\Services\FileOpenManager64.exe C:\Program Files\FileOpen\Services\FileOpenManager64.exe
Source: C:\Users\user\AppData\Local\Temp\is-0FUR6.tmp\FileOpenInstaller.tmp Process created: C:\Program Files\FileOpen\Services\FileOpenBroker64.exe C:\Program Files\FileOpen\Services\FileOpenBroker64.exe
Source: C:\Users\user\AppData\Local\Temp\is-0FUR6.tmp\FileOpenInstaller.tmp Process created: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe" installcomplete.pdf
Source: unknown Process created: C:\Program Files\FileOpen\Services\FileOpenBroker64.exe "C:\Program Files\FileOpen\Services\FileOpenBroker64.exe"
Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe Process created: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --backgroundcolor=16514043
Source: unknown Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p
Source: unknown Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p
Source: C:\Windows\System32\svchost.exe Process created: C:\Program Files\Windows Defender\MpCmdRun.exe "C:\Program Files\Windows Defender\mpcmdrun.exe" -wdenable
Source: C:\Program Files\Windows Defender\MpCmdRun.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\FileOpenInstaller.exe Process created: C:\Users\user\AppData\Local\Temp\is-0FUR6.tmp\FileOpenInstaller.tmp "C:\Users\user\AppData\Local\Temp\is-0FUR6.tmp\FileOpenInstaller.tmp" /SL5="$10404,6054369,1320960,C:\Users\user\Desktop\FileOpenInstaller.exe" Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-0FUR6.tmp\FileOpenInstaller.tmp Process created: C:\Windows\System32\sc.exe "C:\Windows\system32\sc.exe" create FileOpenManager binpath= "\"C:\Program Files\FileOpen\Services\FileOpenManager64.exe\"" start= auto Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-0FUR6.tmp\FileOpenInstaller.tmp Process created: C:\Windows\System32\sc.exe "C:\Windows\system32\sc.exe" description FileOpenManager "FileOpen Client Manager" Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-0FUR6.tmp\FileOpenInstaller.tmp Process created: C:\Windows\System32\sc.exe "C:\Windows\system32\sc.exe" start FileOpenManager Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-0FUR6.tmp\FileOpenInstaller.tmp Process created: C:\Program Files\FileOpen\Services\FileOpenBroker64.exe C:\Program Files\FileOpen\Services\FileOpenBroker64.exe Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-0FUR6.tmp\FileOpenInstaller.tmp Process created: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe" installcomplete.pdf Jump to behavior
Source: C:\Windows\System32\svchost.exe Process created: C:\Program Files\Windows Defender\MpCmdRun.exe "C:\Program Files\Windows Defender\mpcmdrun.exe" -wdenable Jump to behavior
Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe Process created: unknown unknown Jump to behavior
Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe Process created: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --backgroundcolor=16514043 Jump to behavior
Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe Process created: unknown unknown Jump to behavior
Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe Process created: unknown unknown Jump to behavior
Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe Process created: unknown unknown Jump to behavior
Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe Process created: unknown unknown Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-0FUR6.tmp\FileOpenInstaller.tmp Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{00BB2765-6A77-11D0-A535-00C04FD7D062}\InProcServer32 Jump to behavior
Source: C:\Program Files\FileOpen\Services\FileOpenManager64.exe Code function: 19_2_00007FF7967AA260 GetCurrentProcess,OpenProcessToken,GetTokenInformation,LocalAlloc,GetTokenInformation,LookupPrivilegeValueW,LookupPrivilegeValueW,LookupPrivilegeValueW,AdjustTokenPrivileges,LocalFree,FindCloseChangeNotification, 19_2_00007FF7967AA260
Source: C:\Program Files\FileOpen\Services\FileOpenBroker64.exe Code function: 20_2_00007FF72BD96F80 GetCurrentProcess,OpenProcessToken,GetTokenInformation,LocalAlloc,GetTokenInformation,LookupPrivilegeValueW,LookupPrivilegeValueW,LookupPrivilegeValueW,AdjustTokenPrivileges,LocalFree,FindCloseChangeNotification, 20_2_00007FF72BD96F80
Source: C:\Users\user\AppData\Local\Temp\is-0FUR6.tmp\FileOpenInstaller.tmp File created: C:\Users\user\AppData\Local\Programs
Source: C:\Users\user\Desktop\FileOpenInstaller.exe File created: C:\Users\user\AppData\Local\Temp\is-0FUR6.tmp
Source: classification engine Classification label: sus26.evad.winEXE@40/98@2/3
Source: C:\Program Files\FileOpen\Services\FileOpenManager64.exe Code function: OpenSCManagerW,OpenServiceW,GetLastError,CloseServiceHandle,SetLastError,CreateServiceW,CloseServiceHandle,GetLastError,CloseServiceHandle,SetLastError,GetLastError,SetLastError, 19_2_00007FF7967B9310
Source: C:\Program Files\FileOpen\Services\FileOpenManager64.exe Code function: OpenSCManagerA,GetLastError,CreateServiceA,GetLastError,CloseServiceHandle,CloseServiceHandle,CloseServiceHandle, 19_2_00007FF7967D1A60
Source: C:\Program Files\FileOpen\Services\FileOpenBroker64.exe Code function: OpenSCManagerW,OpenServiceW,GetLastError,CloseServiceHandle,SetLastError,CreateServiceW,CloseServiceHandle,GetLastError,CloseServiceHandle,SetLastError,GetLastError,SetLastError, 20_2_00007FF72BDA9300
Source: FileOpenInstaller.tmp, 00000001.00000003.330327512.0000000003855000.00000004.00001000.00020000.00000000.sdmp, FileOpenInstaller.tmp, 00000001.00000003.330327512.00000000039FE000.00000004.00001000.00020000.00000000.sdmp, FileOpenInstaller.tmp, 00000001.00000003.330327512.00000000037D0000.00000004.00001000.00020000.00000000.sdmp, FileOpenBroker64.exe, 00000014.00000002.514802671.00007FF72BF0B000.00000002.00000001.01000000.0000000A.sdmp, FileOpenBroker64.exe, 00000014.00000000.321969420.00007FF72BF0B000.00000002.00000001.01000000.0000000A.sdmp, FileOpenBroker64.exe, 00000016.00000002.341394742.00007FF72BF0B000.00000002.00000001.01000000.0000000A.sdmp, FileOpenBroker64.exe, 00000016.00000000.339698525.00007FF72BF0B000.00000002.00000001.01000000.0000000A.sdmp, is-KGJ5A.tmp.1.dr, is-U9E22.tmp.1.dr Binary or memory string: UPDATE %Q.sqlite_master SET tbl_name = %Q, name = CASE WHEN type='table' THEN %Q WHEN name LIKE 'sqliteX_autoindex%%' ESCAPE 'X' AND type='index' THEN 'sqlite_autoindex_' || %Q || substr(name,%d+18) ELSE name END WHERE tbl_name=%Q COLLATE nocase AND (type='table' OR type='index' OR type='trigger');
Source: FileOpenInstaller.tmp, 00000001.00000003.330327512.0000000003855000.00000004.00001000.00020000.00000000.sdmp, FileOpenInstaller.tmp, 00000001.00000003.330327512.00000000039FE000.00000004.00001000.00020000.00000000.sdmp, FileOpenInstaller.tmp, 00000001.00000003.330327512.00000000037D0000.00000004.00001000.00020000.00000000.sdmp, FileOpenBroker64.exe, FileOpenBroker64.exe, 00000014.00000002.514802671.00007FF72BF0B000.00000002.00000001.01000000.0000000A.sdmp, FileOpenBroker64.exe, 00000014.00000000.321969420.00007FF72BF0B000.00000002.00000001.01000000.0000000A.sdmp, FileOpenBroker64.exe, 00000016.00000002.341394742.00007FF72BF0B000.00000002.00000001.01000000.0000000A.sdmp, FileOpenBroker64.exe, 00000016.00000000.339698525.00007FF72BF0B000.00000002.00000001.01000000.0000000A.sdmp, is-KGJ5A.tmp.1.dr, is-U9E22.tmp.1.dr Binary or memory string: SELECT tbl_name FROM sqlite_master WHERE type='table' AND name='%s';
Source: FileOpenInstaller.tmp, 00000001.00000003.330327512.0000000003855000.00000004.00001000.00020000.00000000.sdmp, FileOpenInstaller.tmp, 00000001.00000003.330327512.00000000039FE000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: UPDATE %s SET = WHERE %s = %d AND %s = '%s';fotkSqliteStorage.cpp:%d. SetLibSqliteDbGdpr - Can't sqlite3_step a '%s' row. Result code %d - Err message '%s'.
Source: FileOpenInstaller.tmp, 00000001.00000003.330327512.0000000003855000.00000004.00001000.00020000.00000000.sdmp, FileOpenInstaller.tmp, 00000001.00000003.330327512.00000000039FE000.00000004.00001000.00020000.00000000.sdmp, FileOpenInstaller.tmp, 00000001.00000003.330327512.00000000037D0000.00000004.00001000.00020000.00000000.sdmp, FileOpenBroker64.exe, FileOpenBroker64.exe, 00000014.00000002.514802671.00007FF72BF0B000.00000002.00000001.01000000.0000000A.sdmp, FileOpenBroker64.exe, 00000014.00000000.321969420.00007FF72BF0B000.00000002.00000001.01000000.0000000A.sdmp, FileOpenBroker64.exe, 00000016.00000002.341394742.00007FF72BF0B000.00000002.00000001.01000000.0000000A.sdmp, FileOpenBroker64.exe, 00000016.00000000.339698525.00007FF72BF0B000.00000002.00000001.01000000.0000000A.sdmp, is-KGJ5A.tmp.1.dr, is-U9E22.tmp.1.dr Binary or memory string: UPDATE %s SET %s = %u WHERE %s = %d AND %s = '%s';
Source: FileOpenInstaller.tmp, 00000001.00000003.330327512.0000000003855000.00000004.00001000.00020000.00000000.sdmp, FileOpenInstaller.tmp, 00000001.00000003.330327512.00000000039FE000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: SELECT * FROM %s WHERE pubId = %d AND url = '%s';fotkSqliteStorage.cpp:%d. GetLibSqliteDbGdpr - Can't sqlite3_prepare_v2 a '%s' statement. Result code %d - Err message '%s'.
Source: FileOpenInstaller.tmp, 00000001.00000003.330327512.0000000003855000.00000004.00001000.00020000.00000000.sdmp, FileOpenInstaller.tmp, 00000001.00000003.330327512.00000000039FE000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: SELECT idx FROM %s WHERE pubId = %d AND url = '%s';fotkSqliteStorage.cpp:%d. SetLibSqliteDbGdpr. query '%s'
Source: FileOpenInstaller.tmp, 00000001.00000003.330327512.0000000003855000.00000004.00001000.00020000.00000000.sdmp, FileOpenInstaller.tmp, 00000001.00000003.330327512.00000000039FE000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: SELECT sql FROM sqlite_master WHERE type='table' AND name = '%s';gdprGDPRfotkLibSqliteSchema.cpp.
Source: FileOpenInstaller.tmp, 00000001.00000003.330327512.0000000003855000.00000004.00001000.00020000.00000000.sdmp, FileOpenInstaller.tmp, 00000001.00000003.330327512.00000000039FE000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: INSERT INTO %s (,) VALUES ('datetime('now')%u);fotkSqliteStorage.cpp:%d. SetLibSqliteDbGdpr. The Gdpr database must be updated.
Source: FileOpenInstaller.tmp, 00000001.00000003.330327512.0000000003855000.00000004.00001000.00020000.00000000.sdmp, FileOpenInstaller.tmp, 00000001.00000003.330327512.00000000039FE000.00000004.00001000.00020000.00000000.sdmp, FileOpenInstaller.tmp, 00000001.00000003.330327512.00000000037D0000.00000004.00001000.00020000.00000000.sdmp, FileOpenBroker64.exe, FileOpenBroker64.exe, 00000014.00000002.514802671.00007FF72BF0B000.00000002.00000001.01000000.0000000A.sdmp, FileOpenBroker64.exe, 00000014.00000000.321969420.00007FF72BF0B000.00000002.00000001.01000000.0000000A.sdmp, FileOpenBroker64.exe, 00000016.00000002.341394742.00007FF72BF0B000.00000002.00000001.01000000.0000000A.sdmp, FileOpenBroker64.exe, 00000016.00000000.339698525.00007FF72BF0B000.00000002.00000001.01000000.0000000A.sdmp, is-KGJ5A.tmp.1.dr, is-U9E22.tmp.1.dr Binary or memory string: SELECT sql FROM sqlite_master WHERE type='table' AND name = '%s';
Source: FileOpenInstaller.tmp, 00000001.00000003.330327512.0000000003855000.00000004.00001000.00020000.00000000.sdmp, FileOpenInstaller.tmp, 00000001.00000003.330327512.00000000039FE000.00000004.00001000.00020000.00000000.sdmp, FileOpenInstaller.tmp, 00000001.00000003.330327512.00000000037D0000.00000004.00001000.00020000.00000000.sdmp, FileOpenBroker64.exe, FileOpenBroker64.exe, 00000014.00000002.514802671.00007FF72BF0B000.00000002.00000001.01000000.0000000A.sdmp, FileOpenBroker64.exe, 00000014.00000000.321969420.00007FF72BF0B000.00000002.00000001.01000000.0000000A.sdmp, FileOpenBroker64.exe, 00000016.00000002.341394742.00007FF72BF0B000.00000002.00000001.01000000.0000000A.sdmp, FileOpenBroker64.exe, 00000016.00000000.339698525.00007FF72BF0B000.00000002.00000001.01000000.0000000A.sdmp, is-KGJ5A.tmp.1.dr, is-U9E22.tmp.1.dr Binary or memory string: SELECT idx FROM %s WHERE pubId = %d AND url = '%s';
Source: FileOpenInstaller.tmp, 00000001.00000003.330327512.0000000003855000.00000004.00001000.00020000.00000000.sdmp, FileOpenInstaller.tmp, 00000001.00000003.330327512.00000000039FE000.00000004.00001000.00020000.00000000.sdmp, FileOpenInstaller.tmp, 00000001.00000003.330327512.00000000037D0000.00000004.00001000.00020000.00000000.sdmp, FileOpenBroker64.exe, FileOpenBroker64.exe, 00000014.00000002.514802671.00007FF72BF0B000.00000002.00000001.01000000.0000000A.sdmp, FileOpenBroker64.exe, 00000014.00000000.321969420.00007FF72BF0B000.00000002.00000001.01000000.0000000A.sdmp, FileOpenBroker64.exe, 00000016.00000002.341394742.00007FF72BF0B000.00000002.00000001.01000000.0000000A.sdmp, FileOpenBroker64.exe, 00000016.00000000.339698525.00007FF72BF0B000.00000002.00000001.01000000.0000000A.sdmp, is-KGJ5A.tmp.1.dr, is-U9E22.tmp.1.dr Binary or memory string: SELECT * FROM %s WHERE pubId = %d AND url = '%s';
Source: FileOpenInstaller.tmp, 00000001.00000003.330327512.0000000003855000.00000004.00001000.00020000.00000000.sdmp, FileOpenInstaller.tmp, 00000001.00000003.330327512.00000000039FE000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: SELECT %s FROM %s WHERE %s = %d AND %s = '%s';fotkSqliteStorage.cpp:%d. GetLibSqliteDbGdprState. query '%s'
Source: FileOpenInstaller.tmp, 00000001.00000003.330327512.0000000003855000.00000004.00001000.00020000.00000000.sdmp, FileOpenInstaller.tmp, 00000001.00000003.330327512.00000000039FE000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: SELECT * FROM sqlite_master;
Source: FileOpenInstaller.tmp, 00000001.00000003.330327512.0000000003855000.00000004.00001000.00020000.00000000.sdmp, FileOpenInstaller.tmp, 00000001.00000003.330327512.00000000039FE000.00000004.00001000.00020000.00000000.sdmp, FileOpenInstaller.tmp, 00000001.00000003.330327512.00000000037D0000.00000004.00001000.00020000.00000000.sdmp, FileOpenBroker64.exe, 00000014.00000002.514802671.00007FF72BF0B000.00000002.00000001.01000000.0000000A.sdmp, FileOpenBroker64.exe, 00000014.00000000.321969420.00007FF72BF0B000.00000002.00000001.01000000.0000000A.sdmp, FileOpenBroker64.exe, 00000016.00000002.341394742.00007FF72BF0B000.00000002.00000001.01000000.0000000A.sdmp, FileOpenBroker64.exe, 00000016.00000000.339698525.00007FF72BF0B000.00000002.00000001.01000000.0000000A.sdmp, is-KGJ5A.tmp.1.dr, is-U9E22.tmp.1.dr Binary or memory string: INSERT INTO %Q.sqlite_master VALUES('index',%Q,%Q,#%d,%Q);
Source: FileOpenInstaller.tmp, 00000001.00000003.330327512.0000000003855000.00000004.00001000.00020000.00000000.sdmp, FileOpenInstaller.tmp, 00000001.00000003.330327512.00000000039FE000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: SELECT tbl_name FROM sqlite_master WHERE type='table' AND name='%s';SqliteCookies.cpp:%d. GetSqliteDbCookieContent - SQL '%s' returns error '%s'.
Source: FileOpenInstaller.tmp, 00000001.00000003.330327512.0000000003855000.00000004.00001000.00020000.00000000.sdmp, FileOpenInstaller.tmp, 00000001.00000003.330327512.00000000039FE000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: UPDATE %s SET %s = %u WHERE %s = %d AND %s = '%s';fotkSqliteStorage.cpp:%d. SetLibSqliteDbGdprState. query '%s'
Source: FileOpenInstaller.tmp, 00000001.00000003.330327512.0000000003855000.00000004.00001000.00020000.00000000.sdmp, FileOpenInstaller.tmp, 00000001.00000003.330327512.00000000039FE000.00000004.00001000.00020000.00000000.sdmp, FileOpenInstaller.tmp, 00000001.00000003.330327512.00000000037D0000.00000004.00001000.00020000.00000000.sdmp, FileOpenBroker64.exe, FileOpenBroker64.exe, 00000014.00000002.514802671.00007FF72BF0B000.00000002.00000001.01000000.0000000A.sdmp, FileOpenBroker64.exe, 00000014.00000000.321969420.00007FF72BF0B000.00000002.00000001.01000000.0000000A.sdmp, FileOpenBroker64.exe, 00000016.00000002.341394742.00007FF72BF0B000.00000002.00000001.01000000.0000000A.sdmp, FileOpenBroker64.exe, 00000016.00000000.339698525.00007FF72BF0B000.00000002.00000001.01000000.0000000A.sdmp, is-KGJ5A.tmp.1.dr, is-U9E22.tmp.1.dr Binary or memory string: SELECT %s FROM %s WHERE %s = %d AND %s = '%s';
Source: C:\Program Files\FileOpen\Services\FileOpenManager64.exe Code function: 19_2_00007FF7967D1390 WTSGetActiveConsoleSessionId,lstrcmpiA,StartServiceCtrlDispatcherA, 19_2_00007FF7967D1390
Source: C:\Users\user\Desktop\FileOpenInstaller.exe Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\Users\user\AppData\Local\Temp\is-0FUR6.tmp\FileOpenInstaller.tmp Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\Program Files\FileOpen\Services\FileOpenBroker64.exe Code function: 20_2_00007FF72BDC90C0 std::_Xinvalid_argument,CreateToolhelp32Snapshot,CloseHandle,CloseHandle, 20_2_00007FF72BDC90C0
Source: C:\Windows\System32\conhost.exe Mutant created: \BaseNamedObjects\Local\SM0:5456:120:WilError_01
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6264:120:WilError_01
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6172:120:WilError_01
Source: C:\Program Files\FileOpen\Services\FileOpenBroker64.exe Mutant created: \Sessions\1\BaseNamedObjects\Ipc2Cnt$18d0Mutex
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6216:120:WilError_01
Source: C:\Users\user\AppData\Local\Temp\is-0FUR6.tmp\FileOpenInstaller.tmp File created: C:\Program Files\FileOpen
Source: FileOpenInstaller.exe String found in binary or memory: /LOADINF="filename"
Source: C:\Users\user\AppData\Local\Temp\is-0FUR6.tmp\FileOpenInstaller.tmp Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion RegisteredOrganization
Source: C:\Program Files\FileOpen\Services\FileOpenBroker64.exe File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Windows\System32\svchost.exe File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Users\user\AppData\Local\Temp\is-0FUR6.tmp\FileOpenInstaller.tmp Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion RegisteredOwner
Source: C:\Users\user\AppData\Local\Temp\is-0FUR6.tmp\FileOpenInstaller.tmp Window found: window name: TMainForm
Source: C:\Users\user\AppData\Local\Temp\is-0FUR6.tmp\FileOpenInstaller.tmp Automated click: Next >
Source: C:\Users\user\AppData\Local\Temp\is-0FUR6.tmp\FileOpenInstaller.tmp Automated click: I accept the agreement
Source: C:\Users\user\AppData\Local\Temp\is-0FUR6.tmp\FileOpenInstaller.tmp Automated click: Next >
Source: C:\Users\user\AppData\Local\Temp\is-0FUR6.tmp\FileOpenInstaller.tmp Automated click: I accept the agreement
Source: C:\Users\user\AppData\Local\Temp\is-0FUR6.tmp\FileOpenInstaller.tmp Automated click: Next >
Source: C:\Users\user\AppData\Local\Temp\is-0FUR6.tmp\FileOpenInstaller.tmp Automated click: I accept the agreement
Source: C:\Users\user\AppData\Local\Temp\is-0FUR6.tmp\FileOpenInstaller.tmp Automated click: Install
Source: C:\Users\user\AppData\Local\Temp\is-0FUR6.tmp\FileOpenInstaller.tmp Automated click: I accept the agreement
Source: C:\Users\user\AppData\Local\Temp\is-0FUR6.tmp\FileOpenInstaller.tmp File opened: C:\Windows\SysWOW64\MSFTEDIT.DLL
Source: Window Recorder Window detected: More than 3 window changes detected
Source: C:\Users\user\AppData\Local\Temp\is-0FUR6.tmp\FileOpenInstaller.tmp Registry value created: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\FileOpenClient_is1 Jump to behavior
Source: FileOpenInstaller.exe Static file information: File size 6831336 > 1048576
Source: C:\Users\user\AppData\Local\Temp\is-0FUR6.tmp\FileOpenInstaller.tmp Directory created: C:\Program Files\FileOpen Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-0FUR6.tmp\FileOpenInstaller.tmp Directory created: C:\Program Files\FileOpen\unins000.dat Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-0FUR6.tmp\FileOpenInstaller.tmp Directory created: C:\Program Files\FileOpen\is-BU7MM.tmp Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-0FUR6.tmp\FileOpenInstaller.tmp Directory created: C:\Program Files\FileOpen\is-LL3TI.tmp Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-0FUR6.tmp\FileOpenInstaller.tmp Directory created: C:\Program Files\FileOpen\examples Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-0FUR6.tmp\FileOpenInstaller.tmp Directory created: C:\Program Files\FileOpen\examples\is-SJIP9.tmp Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-0FUR6.tmp\FileOpenInstaller.tmp Directory created: C:\Program Files\FileOpen\Services Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-0FUR6.tmp\FileOpenInstaller.tmp Directory created: C:\Program Files\FileOpen\Services\is-KGJ5A.tmp Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-0FUR6.tmp\FileOpenInstaller.tmp Directory created: C:\Program Files\FileOpen\Services\is-GL49N.tmp Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-0FUR6.tmp\FileOpenInstaller.tmp Directory created: C:\Program Files\FileOpen\unins000.msg Jump to behavior
Source: FileOpenInstaller.exe Static PE information: certificate valid
Source: FileOpenInstaller.exe Static PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Source: Binary string: C:\dev\FileOpenClient-dev\build-x64-RelWithDebInfo\RelWithDebInfo\FileOpenBrokerTrace64.pdbj source: FileOpenInstaller.tmp, 00000001.00000003.330327512.00000000039FE000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: C:\dev\AcroClient-WinInstallers\FileOpenInstallerExe\UtilDll\Release\UtilDll.pdb source: UtilDll.dll.1.dr
Source: Binary string: C:\dev\FileOpenClient-dev\build-x64-RelWithDebInfo\RelWithDebInfo\FileOpenBroker64.pdb source: FileOpenInstaller.tmp, 00000001.00000003.330327512.00000000037D0000.00000004.00001000.00020000.00000000.sdmp, FileOpenBroker64.exe, 00000014.00000002.514802671.00007FF72BF0B000.00000002.00000001.01000000.0000000A.sdmp, FileOpenBroker64.exe, 00000014.00000000.321969420.00007FF72BF0B000.00000002.00000001.01000000.0000000A.sdmp, FileOpenBroker64.exe, 00000016.00000002.341394742.00007FF72BF0B000.00000002.00000001.01000000.0000000A.sdmp, FileOpenBroker64.exe, 00000016.00000000.339698525.00007FF72BF0B000.00000002.00000001.01000000.0000000A.sdmp, is-KGJ5A.tmp.1.dr
Source: Binary string: C:\dev\FileOpenClient-dev\build-x64-RelWithDebInfo\RelWithDebInfo\FileOpenManager64.pdb source: FileOpenManager64.exe, 00000013.00000002.514318661.00007FF796837000.00000002.00000001.01000000.00000009.sdmp, FileOpenManager64.exe, 00000013.00000000.319140001.00007FF796837000.00000002.00000001.01000000.00000009.sdmp, is-GL49N.tmp.1.dr
Source: Binary string: C:\dev\FileOpenClient-dev\build-Win32-RelWithDebInfo\RelWithDebInfo\FileOpenPlugin32.B998.pdb source: is-U9E22.tmp.1.dr
Source: Binary string: C:\dev\FileOpenClient-dev\build-x64-RelWithDebInfo\RelWithDebInfo\FileOpenBrokerTrace64.pdb source: FileOpenInstaller.tmp, 00000001.00000003.330327512.00000000039FE000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: C:\dev\FileOpenClient-dev\build-x64-RelWithDebInfo\RelWithDebInfo\FileOpenBroker64.pdbi source: FileOpenInstaller.tmp, 00000001.00000003.330327512.00000000037D0000.00000004.00001000.00020000.00000000.sdmp, FileOpenBroker64.exe, 00000014.00000002.514802671.00007FF72BF0B000.00000002.00000001.01000000.0000000A.sdmp, FileOpenBroker64.exe, 00000014.00000000.321969420.00007FF72BF0B000.00000002.00000001.01000000.0000000A.sdmp, FileOpenBroker64.exe, 00000016.00000002.341394742.00007FF72BF0B000.00000002.00000001.01000000.0000000A.sdmp, FileOpenBroker64.exe, 00000016.00000000.339698525.00007FF72BF0B000.00000002.00000001.01000000.0000000A.sdmp, is-KGJ5A.tmp.1.dr
Source: Binary string: C:\dev\FileOpenClient-dev\build-Win32-RelWithDebInfo\RelWithDebInfo\FileOpenBrokerTrace32.pdb source: FileOpenInstaller.tmp, 00000001.00000003.330327512.0000000003855000.00000004.00001000.00020000.00000000.sdmp

Data Obfuscation

Source: C:\Users\user\Desktop\FileOpenInstaller.exe Process created: C:\Users\user\AppData\Local\Temp\is-0FUR6.tmp\FileOpenInstaller.tmp "C:\Users\user\AppData\Local\Temp\is-0FUR6.tmp\FileOpenInstaller.tmp" /SL5="$10404,6054369,1320960,C:\Users\user\Desktop\FileOpenInstaller.exe"
Source: FileOpenInstaller.exe Static PE information: section name: .didata
Source: FileOpenInstaller.tmp.0.dr Static PE information: section name: .didata
Source: is-BU7MM.tmp.1.dr Static PE information: section name: .didata
Source: is-KGJ5A.tmp.1.dr Static PE information: section name: _RDATA
Source: is-GL49N.tmp.1.dr Static PE information: section name: _RDATA
Source: C:\Program Files\FileOpen\Services\FileOpenManager64.exe Code function: 19_2_00007FF7967A5A00 LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,AllocateAndInitializeSid,AllocateAndInitializeSid,LocalFree,FreeSid,FreeSid,LocalFree,FreeLibrary, 19_2_00007FF7967A5A00
Source: C:\Users\user\AppData\Local\Temp\is-0FUR6.tmp\FileOpenInstaller.tmp File created: C:\Program Files\FileOpen\is-BU7MM.tmp
Source: C:\Users\user\AppData\Local\Temp\is-0FUR6.tmp\FileOpenInstaller.tmp File created: C:\Program Files\FileOpen\Services\FileOpenBroker64.exe (copy)
Source: C:\Users\user\AppData\Local\Temp\is-0FUR6.tmp\FileOpenInstaller.tmp File created: C:\Users\user\AppData\Local\Temp\is-IORDB.tmp\_isetup\_setup64.tmp
Source: C:\Users\user\AppData\Local\Temp\is-0FUR6.tmp\FileOpenInstaller.tmp File created: C:\Program Files\FileOpen\Services\is-GL49N.tmp
Source: C:\Users\user\AppData\Local\Temp\is-0FUR6.tmp\FileOpenInstaller.tmp File created: C:\Program Files\FileOpen\unins000.exe (copy)
Source: C:\Users\user\AppData\Local\Temp\is-0FUR6.tmp\FileOpenInstaller.tmp File created: C:\Program Files\FileOpen\UtilDll.dll (copy)
Source: C:\Users\user\Desktop\FileOpenInstaller.exe File created: C:\Users\user\AppData\Local\Temp\is-0FUR6.tmp\FileOpenInstaller.tmp
Source: C:\Users\user\AppData\Local\Temp\is-0FUR6.tmp\FileOpenInstaller.tmp File created: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\is-U9E22.tmp
Source: C:\Users\user\AppData\Local\Temp\is-0FUR6.tmp\FileOpenInstaller.tmp File created: C:\Program Files\FileOpen\Services\is-KGJ5A.tmp
Source: C:\Users\user\AppData\Local\Temp\is-0FUR6.tmp\FileOpenInstaller.tmp File created: C:\Users\user\AppData\Local\Temp\is-IORDB.tmp\UtilDll.dll
Source: C:\Users\user\AppData\Local\Temp\is-0FUR6.tmp\FileOpenInstaller.tmp File created: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\FileOpen.api (copy)
Source: C:\Users\user\AppData\Local\Temp\is-0FUR6.tmp\FileOpenInstaller.tmp File created: C:\Program Files\FileOpen\Services\FileOpenManager64.exe (copy)
Source: C:\Users\user\AppData\Local\Temp\is-0FUR6.tmp\FileOpenInstaller.tmp File created: C:\Program Files\FileOpen\is-LL3TI.tmp
Source: C:\Users\user\AppData\Local\Temp\is-0FUR6.tmp\FileOpenInstaller.tmp File created: C:\Users\user\AppData\Local\Temp\Setup Log 2023-02-07 #001.txt
Source: C:\Program Files\FileOpen\Services\FileOpenManager64.exe Code function: 19_2_00007FF7967D1390 WTSGetActiveConsoleSessionId,lstrcmpiA,StartServiceCtrlDispatcherA, 19_2_00007FF7967D1390
Source: C:\Users\user\AppData\Local\Temp\is-0FUR6.tmp\FileOpenInstaller.tmp Registry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run FileOpenBroker
Source: C:\Users\user\AppData\Local\Temp\is-0FUR6.tmp\FileOpenInstaller.tmp Process created: C:\Windows\System32\sc.exe "C:\Windows\system32\sc.exe" create FileOpenManager binpath= "\"C:\Program Files\FileOpen\Services\FileOpenManager64.exe\"" start= auto
Source: C:\Users\user\Desktop\FileOpenInstaller.exe Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\is-0FUR6.tmp\FileOpenInstaller.tmp Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion

Source: C:\Windows\System32\svchost.exe System information queried: FirmwareTableInformation
Source: C:\Windows\System32\svchost.exe TID: 1788 Thread sleep time: -150000s >= -30000s
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Users\user\AppData\Local\Temp\is-0FUR6.tmp\FileOpenInstaller.tmp Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\is-IORDB.tmp\_isetup\_setup64.tmp
Source: C:\Users\user\AppData\Local\Temp\is-0FUR6.tmp\FileOpenInstaller.tmp Dropped PE file which has not been started: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\is-U9E22.tmp
Source: C:\Users\user\AppData\Local\Temp\is-0FUR6.tmp\FileOpenInstaller.tmp Dropped PE file which has not been started: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\FileOpen.api (copy)
Source: C:\Users\user\AppData\Local\Temp\is-0FUR6.tmp\FileOpenInstaller.tmp Dropped PE file which has not been started: C:\Program Files\FileOpen\is-LL3TI.tmp
Source: C:\Program Files\FileOpen\Services\FileOpenBroker64.exe Check user administrative privileges: GetTokenInformation,DecisionNodes
Source: C:\Program Files\FileOpen\Services\FileOpenManager64.exe Check user administrative privileges: GetTokenInformation,DecisionNodes
Source: C:\Windows\System32\svchost.exe File opened: PhysicalDrive0
Source: C:\Program Files\FileOpen\Services\FileOpenManager64.exe API coverage: 8.6 %
Source: C:\Program Files\FileOpen\Services\FileOpenBroker64.exe API coverage: 7.8 %
Source: C:\Program Files\FileOpen\Services\FileOpenBroker64.exe Code function: LoadLibraryA,GetProcAddress,GetAdaptersInfo,GetAdaptersInfo,FreeLibrary,FreeLibrary,FreeLibrary, 20_2_00007FF72BE563D0
Source: C:\Users\user\AppData\Local\Temp\is-0FUR6.tmp\FileOpenInstaller.tmp Process information queried: ProcessInformation
Source: C:\Program Files\FileOpen\Services\FileOpenManager64.exe Code function: 19_2_00007FF7967D0FD0 GetSystemInfo, 19_2_00007FF7967D0FD0
Source: C:\Program Files\FileOpen\Services\FileOpenManager64.exe Code function: 19_2_00007FF796821440 _invalid_parameter_noinfo,_invalid_parameter_noinfo,FindFirstFileExW,FindNextFileW,FindClose,FindClose,FindClose, 19_2_00007FF796821440
Source: C:\Program Files\FileOpen\Services\FileOpenManager64.exe Code function: 19_2_00007FF79682203C FindFirstFileExW,FindNextFileW,FindClose, 19_2_00007FF79682203C
Source: C:\Program Files\FileOpen\Services\FileOpenManager64.exe Code function: 19_2_00007FF796821BA0 FindFirstFileExW, 19_2_00007FF796821BA0
Source: C:\Program Files\FileOpen\Services\FileOpenBroker64.exe Code function: 20_2_00007FF72BDCBC20 FindFirstFileA,FindNextFileA,FindNextFileA,FindClose, 20_2_00007FF72BDCBC20
Source: C:\Program Files\FileOpen\Services\FileOpenBroker64.exe Code function: 20_2_00007FF72BDC3E90 FindFirstFileA,FindNextFileA,FindClose, 20_2_00007FF72BDC3E90
Source: C:\Program Files\FileOpen\Services\FileOpenBroker64.exe Code function: 20_2_00007FF72BDCBD50 FindFirstFileA,FindNextFileA,FindNextFileA,FindClose, 20_2_00007FF72BDCBD50
Source: C:\Program Files\FileOpen\Services\FileOpenBroker64.exe Code function: 20_2_00007FF72BDC1470 FindFirstFileA,GetLastError,FindNextFileA,GetLastError,FindClose,FindFirstFileA,GetLastError,FindFirstFileA,GetLastError,FindFirstFileA,GetLastError,FindClose, 20_2_00007FF72BDC1470
Source: C:\Program Files\FileOpen\Services\FileOpenBroker64.exe Code function: 20_2_00007FF72BDC1130 FindFirstFileA,GetLastError,FindFirstFileA,GetLastError,FindNextFileA,GetLastError,FindClose,FindFirstFileA,GetLastError,FindNextFileA,GetLastError,FindClose,FindFirstFileA,GetLastError,FindNextFileA,GetLastError,FindClose,FindClose, 20_2_00007FF72BDC1130
Source: C:\Program Files\FileOpen\Services\FileOpenBroker64.exe Code function: 20_2_00007FF72BDCB900 _invalid_parameter_noinfo_noreturn,FindFirstFileA,FindNextFileA,FindNextFileA,FindClose, 20_2_00007FF72BDCB900
Source: C:\Program Files\FileOpen\Services\FileOpenBroker64.exe Code function: 20_2_00007FF72BDD2880 FindFirstFileA,FindNextFileA,FindClose, 20_2_00007FF72BDD2880
Source: svchost.exe, 00000008.00000002.514706322.0000012DB2DAE000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: VMware, Inc.
Source: svchost.exe, 00000008.00000002.514706322.0000012DB2DAE000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: VMware7,1<
Source: svchost.exe, 00000003.00000002.513465683.000002B56F602000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: HvHostWdiSystemHostScDeviceEnumWiaRpctrkwksAudioEndpointBuilderhidservdot3svcDsSvcfhsvcWPDBusEnumsvsvcwlansvcEmbeddedModeirmonSensorServicevmicvssNgcSvcsysmainDevQueryBrokerStorSvcvmickvpexchangevmicshutdownvmicguestinterfacevmicvmsessionNcbServiceNetmanDeviceAssociationServiceTabletInputServicePcaSvcIPxlatCfgSvcCscServiceUmRdpService
Source: FileOpenBroker64.exe, 00000014.00000002.513758365.0000024DCA2A1000.00000004.00000020.00020000.00000000.sdmp, FileOpenBroker64.exe, 00000014.00000002.513758365.0000024DCA2E8000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001B.00000002.430954451.000001B6BCAEB000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001B.00000002.430712720.000001B6BCA7B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001B.00000002.430898633.000001B6BCAD8000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW
Source: svchost.exe, 00000003.00000002.513706810.000002B56F628000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000004.00000002.513825993.0000023F6823E000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000005.00000002.513816410.000001F464A29000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: C:\Program Files\FileOpen\Services\FileOpenManager64.exe Code function: 19_2_00007FF7967FDEE4 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 19_2_00007FF7967FDEE4
Source: C:\Program Files\FileOpen\Services\FileOpenManager64.exe Code function: 19_2_00007FF7967A5A00 LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,AllocateAndInitializeSid,AllocateAndInitializeSid,LocalFree,FreeSid,FreeSid,LocalFree,FreeLibrary, 19_2_00007FF7967A5A00
Source: C:\Program Files\FileOpen\Services\FileOpenManager64.exe Code function: 19_2_00007FF7967ADD70 GetProcessHeap,HeapFree, 19_2_00007FF7967ADD70
Source: C:\Program Files\FileOpen\Services\FileOpenManager64.exe Code function: 19_2_00007FF7967D5A68 SetUnhandledExceptionFilter,_invalid_parameter_noinfo, 19_2_00007FF7967D5A68
Source: C:\Program Files\FileOpen\Services\FileOpenManager64.exe Code function: 19_2_00007FF7967D68C0 SetUnhandledExceptionFilter, 19_2_00007FF7967D68C0
Source: C:\Program Files\FileOpen\Services\FileOpenManager64.exe Code function: 19_2_00007FF7967D66D8 IsProcessorFeaturePresent,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 19_2_00007FF7967D66D8
Source: C:\Program Files\FileOpen\Services\FileOpenBroker64.exe Code function: 20_2_00007FF72BE5D990 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 20_2_00007FF72BE5D990
Source: C:\Program Files\FileOpen\Services\FileOpenBroker64.exe Code function: 20_2_00007FF72BED4010 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 20_2_00007FF72BED4010
Source: C:\Program Files\FileOpen\Services\FileOpenManager64.exe Code function: 19_2_00007FF7967B7640 GetModuleHandleA,GetProcAddress,AllocateAndInitializeSid,AllocateAndInitializeSid,GetCurrentProcess,AllocateAndInitializeSid,SetEntriesInAclA,InitializeSecurityDescriptor,SetSecurityDescriptorDacl,FreeSid,FreeSid,FreeSid,LocalFree,InitializeSecurityDescriptor,SetSecurityDescriptorDacl, 19_2_00007FF7967B7640
Source: C:\Program Files\FileOpen\Services\FileOpenBroker64.exe Queries volume information: C:\ VolumeInformation
Source: C:\Program Files\FileOpen\Services\FileOpenBroker64.exe Queries volume information: C:\ProgramData\FileOpen\Updates VolumeInformation
Source: C:\Program Files\FileOpen\Services\FileOpenBroker64.exe Queries volume information: C:\ProgramData\FileOpen\Updates\Lists VolumeInformation
Source: C:\Program Files\FileOpen\Services\FileOpenBroker64.exe Queries volume information: C:\ProgramData\FileOpen\Updates\L10n VolumeInformation
Source: C:\Program Files\FileOpen\Services\FileOpenBroker64.exe Queries volume information: C:\ProgramData\FileOpen\Updates\Lists\fotkLsts.lcd VolumeInformation
Source: C:\Program Files\FileOpen\Services\FileOpenBroker64.exe Queries volume information: C:\ProgramData\FileOpen\Updates\Lists\fotkLngs.lcd VolumeInformation
Source: C:\Program Files\FileOpen\Services\FileOpenBroker64.exe Queries volume information: C:\ProgramData\FileOpen\Updates\Lists\fotkCnfs.lcd VolumeInformation
Source: C:\Program Files\FileOpen\Services\FileOpenBroker64.exe Queries volume information: C:\ProgramData\FileOpen\Updates\Lists\fotkDrs.lcd VolumeInformation
Source: C:\Program Files\FileOpen\Services\FileOpenBroker64.exe Queries volume information: C:\ProgramData\FileOpen\Updates\Lists\fotkPrs.lcd VolumeInformation
Source: C:\Program Files\FileOpen\Services\FileOpenBroker64.exe Queries volume information: C:\ProgramData\FileOpen\Updates\Lists\fotkRds.lcd VolumeInformation
Source: C:\Program Files\FileOpen\Services\FileOpenBroker64.exe Queries volume information: C:\ProgramData\FileOpen\Updates\Lists\fotkNis.lcd VolumeInformation
Source: C:\Program Files\FileOpen\Services\FileOpenBroker64.exe Queries volume information: C:\ProgramData\FileOpen\Updates\Lists\fotkBus.lcd VolumeInformation
Source: C:\Program Files\FileOpen\Services\FileOpenBroker64.exe Queries volume information: C:\ProgramData\FileOpen\Updates\L10n\fotk_de.lcd VolumeInformation
Source: C:\Program Files\FileOpen\Services\FileOpenBroker64.exe Queries volume information: C:\ProgramData\FileOpen\Updates\L10n\fotk_fr.lcd VolumeInformation
Source: C:\Program Files\FileOpen\Services\FileOpenBroker64.exe Queries volume information: C:\ProgramData\FileOpen\Updates\L10n\fotk_zh.lcd VolumeInformation
Source: C:\Program Files\FileOpen\Services\FileOpenBroker64.exe Queries volume information: C:\ProgramData\FileOpen\Updates\L10n\fotk_ja.lcd VolumeInformation
Source: C:\Program Files\FileOpen\Services\FileOpenManager64.exe Code function: try_get_function,GetLocaleInfoW, 19_2_00007FF79681D2B4
Source: C:\Program Files\FileOpen\Services\FileOpenManager64.exe Code function: GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW, 19_2_00007FF796828780
Source: C:\Program Files\FileOpen\Services\FileOpenManager64.exe Code function: EnumSystemLocalesW, 19_2_00007FF7968285F0
Source: C:\Program Files\FileOpen\Services\FileOpenManager64.exe Code function: EnumSystemLocalesW, 19_2_00007FF79682856C
Source: C:\Program Files\FileOpen\Services\FileOpenManager64.exe Code function: EnumSystemLocalesW, 19_2_00007FF7968286C0
Source: C:\Program Files\FileOpen\Services\FileOpenManager64.exe Code function: EnumSystemLocalesW, 19_2_00007FF79681C368
Source: C:\Program Files\FileOpen\Services\FileOpenManager64.exe Code function: EnumSystemLocalesW, 19_2_00007FF79681C1C8
Source: C:\Program Files\FileOpen\Services\FileOpenManager64.exe Code function: 19_2_00007FF7968346C0 cpuid 19_2_00007FF7968346C0
Source: C:\Program Files\FileOpen\Services\FileOpenManager64.exe Code function: 19_2_00007FF79681D338 try_get_function,GetSystemTimeAsFileTime, 19_2_00007FF79681D338
Source: C:\Program Files\FileOpen\Services\FileOpenBroker64.exe Code function: 20_2_00007FF72BECF02C _get_daylight,_get_daylight,_get_daylight,GetTimeZoneInformation, 20_2_00007FF72BECF02C
Source: C:\Program Files\FileOpen\Services\FileOpenManager64.exe Code function: 19_2_00007FF7967CB820 GetVersion, 19_2_00007FF7967CB820

Lowering of HIPS / PFW / Operating System Security Settings

Source: C:\Windows\System32\svchost.exe Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center cval
Source: C:\Windows\System32\svchost.exe WMI Queries: IWbemServices::ExecNotificationQuery - ROOT\SecurityCenter : SELECT * FROM __InstanceOperationEvent WHERE TargetInstance ISA 'AntiVirusProduct' OR TargetInstance ISA 'FirewallProduct' OR TargetInstance ISA 'AntiSpywareProduct'
Source: C:\Windows\System32\svchost.exe WMI Queries: IWbemServices::CreateInstanceEnum - ROOT\SecurityCenter2 : FirewallProduct
Source: C:\Windows\System32\svchost.exe WMI Queries: IWbemServices::CreateInstanceEnum - ROOT\SecurityCenter2 : AntiVirusProduct
Source: C:\Windows\System32\svchost.exe WMI Queries: IWbemServices::CreateInstanceEnum - ROOT\SecurityCenter2 : AntiSpywareProduct
Source: svchost.exe, 00000008.00000002.514658058.0000012DB2D54000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \BullGuard Ltd\BullGuard\BullGuard.exe
Source: svchost.exe, 0000000A.00000002.513889979.00000214A9902000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000A.00000002.513757813.00000214A9829000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: %ProgramFiles%\Windows Defender\MsMpeng.exe
Source: svchost.exe, 00000008.00000002.514706322.0000012DB2DAE000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: .@C:\Program Files\BullGuard Ltd\BullGuard\BullGuard.exe