Edit tour

Windows Analysis Report
FileOpenInstaller.exe

Overview

General Information

Sample Name:	FileOpenInstaller.exe
Analysis ID:	800687
MD5:	599ebd4af31288db879786f49bf9487d
SHA1:	ee40630abcb1fe05051c3f832c72c2ee99722c35
SHA256:	f469734bc576a00e113bc43b1b1a13de3c74f5370c5b9db8b9289bd9cf8aac31
Infos:

Detection

Score:	26
Range:	0 - 100
Whitelisted:	false
Confidence:	20%

Signatures

Query firmware table information (likely to detect VMs)

Changes security center settings (notifications, updates, antivirus, firewall)

Obfuscated command line found

Uses 32bit PE files

Queries the volume information (name, serial number etc) of a device

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Contains functionality to query locales information (e.g. system language)

May sleep (evasive loops) to hinder dynamic analysis

Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)

PE file contains sections with non-standard names

Detected potential crypto function

Contains functionality to query CPU information (cpuid)

Found potential string decryption / allocating functions

Sample execution stops while process was sleeping (likely an evasion)

JA3 SSL client fingerprint seen in connection with other malware

Contains functionality to call native functions

Contains functionality to communicate with device drivers

Contains functionality to dynamically determine API calls

Found dropped PE file which has not been started or loaded

Contains functionality which may be used to detect a debugger (GetProcessHeap)

PE file contains executable resources (Code or Archives)

AV process strings found (often used to terminate AV products)

Sample file is different than original file name gathered from version info

PE file contains strange resources

Drops PE files

Tries to load missing DLLs

Found evasive API chain checking for process token information

Queries disk information (often used to detect virtual machines)

Found large amount of non-executed APIs

Contains functionality to delete services

Contains functionality to query network adapater information

Classification

Analysis Advice

Sample drops PE files which have not been started, submit dropped PE samples for a secondary analysis to Joe Sandbox

Sample is a service DLL but no service has been registered

Sample tries to load a library which is not present or installed on the analysis machine, adding the library might reveal more behavior

Sample may offer command line options, please run it with the 'Execute binary with arguments' cookbook (it's possible that the command line switches require additional characters like: "-", "/", "--")

Process Tree

System is w10x64

FileOpenInstaller.exe (PID: 4844 cmdline: C:\Users\user\Desktop\FileOpenInstaller.exe MD5: 599EBD4AF31288DB879786F49BF9487D)

FileOpenInstaller.tmp (PID: 2380 cmdline: "C:\Users\user\AppData\Local\Temp\is-0FUR6.tmp\FileOpenInstaller.tmp" /SL5="$10404,6054369,1320960,C:\Users\user\Desktop\FileOpenInstaller.exe" MD5: B7988AC379CEAA456BAA3EF19EB55263)

sc.exe (PID: 6164 cmdline: "C:\Windows\system32\sc.exe" create FileOpenManager binpath= "\"C:\Program Files\FileOpen\Services\FileOpenManager64.exe\"" start= auto MD5: D79784553A9410D15E04766AAAB77CD6)

conhost.exe (PID: 6172 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

sc.exe (PID: 6208 cmdline: "C:\Windows\system32\sc.exe" description FileOpenManager "FileOpen Client Manager" MD5: D79784553A9410D15E04766AAAB77CD6)

conhost.exe (PID: 6216 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

sc.exe (PID: 6256 cmdline: "C:\Windows\system32\sc.exe" start FileOpenManager MD5: D79784553A9410D15E04766AAAB77CD6)

conhost.exe (PID: 6264 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

FileOpenBroker64.exe (PID: 6352 cmdline: C:\Program Files\FileOpen\Services\FileOpenBroker64.exe MD5: DE1A88EBE38A4EB36E2C88B1A69A0251)

AcroRd32.exe (PID: 6416 cmdline: "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe" installcomplete.pdf MD5: B969CF0C7B2C443A99034881E8C8740A)

RdrCEF.exe (PID: 6624 cmdline: "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --backgroundcolor=16514043 MD5: 9AEBA3BACD721484391D15478A4080C7)

svchost.exe (PID: 5916 cmdline: C:\Windows\System32\svchost.exe -k netsvcs -p MD5: 32569E403279B3FD2EDB7EBD036273FA)

svchost.exe (PID: 4072 cmdline: C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s NcbService MD5: 32569E403279B3FD2EDB7EBD036273FA)

svchost.exe (PID: 4808 cmdline: c:\windows\system32\svchost.exe -k localservice -p -s CDPSvc MD5: 32569E403279B3FD2EDB7EBD036273FA)

svchost.exe (PID: 2840 cmdline: c:\windows\system32\svchost.exe -k networkservice -p -s DoSvc MD5: 32569E403279B3FD2EDB7EBD036273FA)

svchost.exe (PID: 4608 cmdline: C:\Windows\System32\svchost.exe -k NetworkService -p MD5: 32569E403279B3FD2EDB7EBD036273FA)

SgrmBroker.exe (PID: 2376 cmdline: C:\Windows\system32\SgrmBroker.exe MD5: D3170A3F3A9626597EEE1888686E3EA6)

svchost.exe (PID: 4384 cmdline: c:\windows\system32\svchost.exe -k netsvcs -p MD5: 32569E403279B3FD2EDB7EBD036273FA)

svchost.exe (PID: 5444 cmdline: c:\windows\system32\svchost.exe -k wusvcs -p -s WaaSMedicSvc MD5: 32569E403279B3FD2EDB7EBD036273FA)

svchost.exe (PID: 3672 cmdline: c:\windows\system32\svchost.exe -k localservicenetworkrestricted -p -s wscsvc MD5: 32569E403279B3FD2EDB7EBD036273FA)

MpCmdRun.exe (PID: 5340 cmdline: "C:\Program Files\Windows Defender\mpcmdrun.exe" -wdenable MD5: A267555174BFA53844371226F482B86B)

conhost.exe (PID: 5456 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

svchost.exe (PID: 5372 cmdline: C:\Windows\System32\svchost.exe -k netsvcs -p MD5: 32569E403279B3FD2EDB7EBD036273FA)

FileOpenManager64.exe (PID: 6300 cmdline: C:\Program Files\FileOpen\Services\FileOpenManager64.exe MD5: 2ACE6BC0F8B1752879AD54D4EA1938D9)

FileOpenBroker64.exe (PID: 6576 cmdline: "C:\Program Files\FileOpen\Services\FileOpenBroker64.exe" MD5: DE1A88EBE38A4EB36E2C88B1A69A0251)

svchost.exe (PID: 6232 cmdline: C:\Windows\System32\svchost.exe -k netsvcs -p MD5: 32569E403279B3FD2EDB7EBD036273FA)

svchost.exe (PID: 1128 cmdline: C:\Windows\System32\svchost.exe -k netsvcs -p MD5: 32569E403279B3FD2EDB7EBD036273FA)

cleanup

Malware Configuration

⊘No configs have been found

Yara Signatures

⊘No yara matches

Sigma Signatures

⊘No Sigma rule has matched

Snort Signatures

⊘No Snort rule has matched

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

Source: FileOpenInstaller.exe

Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, BYTES_REVERSED_LO, 32BIT_MACHINE, BYTES_REVERSED_HI

Source: C:\Users\user\AppData\Local\Temp\is-0FUR6.tmp\FileOpenInstaller.tmp

Registry value created: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\FileOpenClient_is1

Jump to behavior

Source: unknown	HTTPS traffic detected: 72.3.136.136:443 -> 192.168.2.6:49736 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 72.3.136.132:443 -> 192.168.2.6:49737 version: TLS 1.2

Source: C:\Users\user\AppData\Local\Temp\is-0FUR6.tmp\FileOpenInstaller.tmp	Directory created: C:\Program Files\FileOpen	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-0FUR6.tmp\FileOpenInstaller.tmp	Directory created: C:\Program Files\FileOpen\unins000.dat	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-0FUR6.tmp\FileOpenInstaller.tmp	Directory created: C:\Program Files\FileOpen\is-BU7MM.tmp	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-0FUR6.tmp\FileOpenInstaller.tmp	Directory created: C:\Program Files\FileOpen\is-LL3TI.tmp	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-0FUR6.tmp\FileOpenInstaller.tmp	Directory created: C:\Program Files\FileOpen\examples	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-0FUR6.tmp\FileOpenInstaller.tmp	Directory created: C:\Program Files\FileOpen\examples\is-SJIP9.tmp	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-0FUR6.tmp\FileOpenInstaller.tmp	Directory created: C:\Program Files\FileOpen\Services	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-0FUR6.tmp\FileOpenInstaller.tmp	Directory created: C:\Program Files\FileOpen\Services\is-KGJ5A.tmp	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-0FUR6.tmp\FileOpenInstaller.tmp	Directory created: C:\Program Files\FileOpen\Services\is-GL49N.tmp	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-0FUR6.tmp\FileOpenInstaller.tmp	Directory created: C:\Program Files\FileOpen\unins000.msg	Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\is-0FUR6.tmp\FileOpenInstaller.tmp

File created: C:\Users\user\AppData\Local\Temp\Setup Log 2023-02-07 #001.txt

Jump to behavior

Source: FileOpenInstaller.exe

Static PE information: certificate valid

Source: FileOpenInstaller.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE

Source:	Binary string: C:\dev\FileOpenClient-dev\build-x64-RelWithDebInfo\RelWithDebInfo\FileOpenBrokerTrace64.pdbj source: FileOpenInstaller.tmp, 00000001.00000003.330327512.00000000039FE000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: C:\dev\AcroClient-WinInstallers\FileOpenInstallerExe\UtilDll\Release\UtilDll.pdb source: UtilDll.dll.1.dr
Source:	Binary string: C:\dev\FileOpenClient-dev\build-x64-RelWithDebInfo\RelWithDebInfo\FileOpenBroker64.pdb source: FileOpenInstaller.tmp, 00000001.00000003.330327512.00000000037D0000.00000004.00001000.00020000.00000000.sdmp, FileOpenBroker64.exe, 00000014.00000002.514802671.00007FF72BF0B000.00000002.00000001.01000000.0000000A.sdmp, FileOpenBroker64.exe, 00000014.00000000.321969420.00007FF72BF0B000.00000002.00000001.01000000.0000000A.sdmp, FileOpenBroker64.exe, 00000016.00000002.341394742.00007FF72BF0B000.00000002.00000001.01000000.0000000A.sdmp, FileOpenBroker64.exe, 00000016.00000000.339698525.00007FF72BF0B000.00000002.00000001.01000000.0000000A.sdmp, is-KGJ5A.tmp.1.dr
Source:	Binary string: C:\dev\FileOpenClient-dev\build-x64-RelWithDebInfo\RelWithDebInfo\FileOpenManager64.pdb source: FileOpenManager64.exe, 00000013.00000002.514318661.00007FF796837000.00000002.00000001.01000000.00000009.sdmp, FileOpenManager64.exe, 00000013.00000000.319140001.00007FF796837000.00000002.00000001.01000000.00000009.sdmp, is-GL49N.tmp.1.dr
Source:	Binary string: C:\dev\FileOpenClient-dev\build-Win32-RelWithDebInfo\RelWithDebInfo\FileOpenPlugin32.B998.pdb source: is-U9E22.tmp.1.dr
Source:	Binary string: C:\dev\FileOpenClient-dev\build-x64-RelWithDebInfo\RelWithDebInfo\FileOpenBrokerTrace64.pdb source: FileOpenInstaller.tmp, 00000001.00000003.330327512.00000000039FE000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: C:\dev\FileOpenClient-dev\build-x64-RelWithDebInfo\RelWithDebInfo\FileOpenBroker64.pdbi source: FileOpenInstaller.tmp, 00000001.00000003.330327512.00000000037D0000.00000004.00001000.00020000.00000000.sdmp, FileOpenBroker64.exe, 00000014.00000002.514802671.00007FF72BF0B000.00000002.00000001.01000000.0000000A.sdmp, FileOpenBroker64.exe, 00000014.00000000.321969420.00007FF72BF0B000.00000002.00000001.01000000.0000000A.sdmp, FileOpenBroker64.exe, 00000016.00000002.341394742.00007FF72BF0B000.00000002.00000001.01000000.0000000A.sdmp, FileOpenBroker64.exe, 00000016.00000000.339698525.00007FF72BF0B000.00000002.00000001.01000000.0000000A.sdmp, is-KGJ5A.tmp.1.dr
Source:	Binary string: C:\dev\FileOpenClient-dev\build-Win32-RelWithDebInfo\RelWithDebInfo\FileOpenBrokerTrace32.pdb source: FileOpenInstaller.tmp, 00000001.00000003.330327512.0000000003855000.00000004.00001000.00020000.00000000.sdmp

Source: C:\Program Files\FileOpen\Services\FileOpenManager64.exe	Code function: 19_2_00007FF796821440 _invalid_parameter_noinfo,_invalid_parameter_noinfo,FindFirstFileExW,FindNextFileW,FindClose,FindClose,FindClose,
Source: C:\Program Files\FileOpen\Services\FileOpenManager64.exe	Code function: 19_2_00007FF796821440 _invalid_parameter_noinfo,_invalid_parameter_noinfo,FindFirstFileExW,FindNextFileW,FindClose,FindClose,FindClose,
Source: C:\Program Files\FileOpen\Services\FileOpenManager64.exe	Code function: 19_2_00007FF79682203C FindFirstFileExW,FindNextFileW,FindClose,
Source: C:\Program Files\FileOpen\Services\FileOpenManager64.exe	Code function: 19_2_00007FF796821BA0 FindFirstFileExW,
Source: C:\Program Files\FileOpen\Services\FileOpenBroker64.exe	Code function: 20_2_00007FF72BDCBC20 FindFirstFileA,FindNextFileA,FindNextFileA,FindClose,
Source: C:\Program Files\FileOpen\Services\FileOpenBroker64.exe	Code function: 20_2_00007FF72BDC3E90 FindFirstFileA,FindNextFileA,FindClose,
Source: C:\Program Files\FileOpen\Services\FileOpenBroker64.exe	Code function: 20_2_00007FF72BDCBD50 FindFirstFileA,FindNextFileA,FindNextFileA,FindClose,
Source: C:\Program Files\FileOpen\Services\FileOpenBroker64.exe	Code function: 20_2_00007FF72BDC1470 FindFirstFileA,GetLastError,FindNextFileA,GetLastError,FindClose,FindFirstFileA,GetLastError,FindFirstFileA,GetLastError,FindFirstFileA,GetLastError,FindClose,
Source: C:\Program Files\FileOpen\Services\FileOpenBroker64.exe	Code function: 20_2_00007FF72BDC1130 FindFirstFileA,GetLastError,FindFirstFileA,GetLastError,FindNextFileA,GetLastError,FindClose,FindFirstFileA,GetLastError,FindNextFileA,GetLastError,FindClose,FindFirstFileA,GetLastError,FindNextFileA,GetLastError,FindClose,FindClose,
Source: C:\Program Files\FileOpen\Services\FileOpenBroker64.exe	Code function: 20_2_00007FF72BDCB900 _invalid_parameter_noinfo_noreturn,FindFirstFileA,FindNextFileA,FindNextFileA,FindClose,
Source: C:\Program Files\FileOpen\Services\FileOpenBroker64.exe	Code function: 20_2_00007FF72BDD2880 FindFirstFileA,FindNextFileA,FindClose,

Source: Joe Sandbox View

JA3 fingerprint: 37f463bf4616ecd445d4a1937da06e19

Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49738
Source: unknown	Network traffic detected: HTTP traffic on port 49736 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49737
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49736
Source: unknown	Network traffic detected: HTTP traffic on port 49737 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49738 -> 443

Source: svchost.exe, 0000001B.00000003.416793953.000001B6BD5C0000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001B.00000003.416843127.000001B6BD5B2000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001B.00000003.416894361.000001B6BD5D3000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: t enough.\r\n\r\nSHARE WITH FRIENDS\r\nSend photos and videos to keep your close friends up to speed. Receive files for even more productivity.\r\n\r\n\r\nCalls are free over Wi-Fi but otherwise standard data charges apply.\r\nPrivacy Policy: https://www.facebook.com/about/privacy \| LEARN MORE at: https://messenger.com (https://messenger.com/)","ProductTitle":"Messenger","SearchTitles":[],"Language":"en-us","Markets":["US","DZ","AR","AU","AT","BH","BD","BE","BR","BG","CA","CL","CN","CO","CR","HR","CY","CZ","DK","EG","EE","FI","FR","DE","GR","GT","HK","HU","IS","IN","ID","IQ","IE","IL","IT","JP","JO","KZ","KE","KW","LV","LB","LI","LT","LU","MY","MT","MR","MX","MA","NL","NZ","NG","NO","OM","PK","PE","PH","PL","PT","QA","RO","RU","SA","RS","SG","SK","SI","ZA","KR","ES","SE","CH","TW","TH","TT","TN","TR","UA","AE","GB","VN","YE","LY","LK","UY","VE","AF","AX","AL","AS","AO","AI","AQ","AG","AM","AW","BO","BQ","BA","BW","BV","IO","BN","BF","BI","KH","CM","CV","KY","CF","TD","TL","DJ","DM","DO","EC","SV","GQ","ER","ET","FK","FO","FJ","GF","PF","TF","GA","GM","GE","GH","GI","GL","GD","GP","GU","GG","GN","GW","GY","HT","HM","HN","AZ","BS","BB","BY","BZ","BJ","BM","BT","KM","CG","CD","CK","CX","CC","CI","CW","JM","SJ","JE","KI","KG","LA","LS","LR","MO","MK","MG","MW","IM","MH","MQ","MU","YT","FM","MD","MN","MS","MZ","MM","NA","NR","NP","MV","ML","NC","NI","NE","NU","NF","PW","PS","PA","PG","PY","RE","RW","BL","MF","WS","ST","SN","MP","PN","SX","SB","SO","SC","SL","GS","SH","KN","LC","PM","VC","TJ","TZ","TG","TK","TO","TM","TC","TV","UM","UG","VI","VG","WF","EH","ZM","ZW","UZ","VU","SR","SZ","AD","MC","SM","ME","VA","NEUTRAL"]}],"MarketProperties":[{"RelatedProducts":[],"Markets":["US"]}],"ProductASchema":"Product;3","ProductBSchema":"ProductUnifiedApp;3","ProductId":"9WZDNCRF0083","Properties":{"PackageFamilyName":"Facebook.317180B0BB486_8xx8rvfyw5nnt","PackageIdentityName":"FACEBOOK.317180B0BB486","PublisherCertificateName":"CN=6E08453F-9BA7-4311-999C-D22FBA2FB1B8","XboxCrossGenSetId":null,"XboxConsoleGenOptimized":null,"XboxConsoleGenCompatible":null},"AlternateIds":[{"IdType":"LegacyWindowsStoreProductId","Value":"c6a9fa5c-20a2-4e12-904d-edd408657dc8"},{"IdType":"LegacyWindowsPhoneProductId","Value":"3219d30d-4a23-4f58-a91c-c44b04e6a0c7"},{"IdType":"XboxTitleId","Value":"2004208728"}],"IngestionSource":"DCE","IsMicrosoftProduct":false,"PreferredSkuId":"0010","ProductType":"Application","ValidationData":{"PassedValidation":false,"RevisionId":"2023-02-01T09:34:07.3081511Z\|\|.\|\|dca447a8-9272-4f5e-9250-ce4486a3bb73\|\|1152921505695842206\|\|Null\|\|fullrelease","ValidationResultUri":""},"MerchandizingTags":[],"PartD":"","ProductFamily":"Apps","ProductKind":"Application","DisplaySkuAvailabilities":[{"Sku":{"LastModifiedDate":"2023-02-01T09:32:59.6774288Z","LocalizedProperties":[{"SkuDescription":"Made for big screens and close connections. Get access to free texting, and high-quality voice & video chat built specifically for desktop.\r\n\r\nMADE FOR DESKTOP, MADE
Source: svchost.exe, 0000001B.00000003.419278204.000001B6BD591000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001B.00000003.419173690.000001B6BD5C6000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001B.00000003.419263261.000001B6BD5D9000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: \r\nLike us on Facebook: http://www.facebook.com/spotify\r\nFollow us on Twitter: http://twitter.com/spotify","ProductTitle":"Spotify - Music and Podcasts","SearchTitles":[{"SearchTitleString":"Spotify","SearchTitleType":"SearchHint"},{"SearchTitleString":"Music","SearchTitleType":"SearchHint"},{"SearchTitleString":"music apps","SearchTitleType":"SearchHint"},{"SearchTitleString":"free music","SearchTitleType":"SearchHint"},{"SearchTitleString":"podcasts","SearchTitleType":"SearchHint"},{"SearchTitleString":"streaming","SearchTitleType":"SearchHint"},{"SearchTitleString":"soundcloud","SearchTitleType":"SearchHint"}],"Language":"en-us","Markets":["US","DZ","AR","AU","AT","BH","BD","BE","BR","BG","CA","CL","CN","CO","CR","HR","CY","CZ","DK","EG","EE","FI","FR","DE","GR","GT","HK","HU","IS","IN","ID","IQ","IE","IL","IT","JP","JO","KZ","KE","KW","LV","LB","LI","LT","LU","MY","MT","MR","MX","MA","NL","NZ","NG","NO","OM","PK","PE","PH","PL","PT","QA","RO","RU","SA","RS","SG","SK","SI","ZA","KR","ES","SE","CH","TW","TH","TT","TN","TR","UA","AE","GB","VN","YE","LY","LK","UY","VE","AF","AX","AL","AS","AO","AI","AQ","AG","AM","AW","BO","BQ","BA","BW","BV","IO","BN","BF","BI","KH","CM","CV","KY","CF","TD","TL","DJ","DM","DO","EC","SV","GQ","ER","ET","FK","FO","FJ","GF","PF","TF","GA","GM","GE","GH","GI","GL","GD","GP","GU","GG","GN","GW","GY","HT","HM","HN","AZ","BS","BB","BY","BZ","BJ","BM","BT","KM","CG","CD","CK","CX","CC","CI","CW","JM","SJ","JE","KI","KG","LA","LS","LR","MO","MK","MG","MW","IM","MH","MQ","MU","YT","FM","MD","MN","MS","MZ","MM","NA","NR","NP","MV","ML","NC","NI","NE","NU","NF","PW","PS","PA","PG","PY","RE","RW","BL","MF","WS","ST","SN","MP","PN","SX","SB","SO","SC","SL","GS","SH","KN","LC","PM","VC","TJ","TZ","TG","TK","TO","TM","TC","TV","UM","UG","VI","VG","WF","EH","ZM","ZW","UZ","VU","SR","SZ","AD","MC","SM","ME","VA","NEUTRAL"]}],"MarketProperties":[{"RelatedProducts":[],"Markets":["US"]}],"ProductASchema":"Product;3","ProductBSchema":"ProductUnifiedApp;3","ProductId":"9NCBCSZSJRSB","Properties":{"PackageFamilyName":"SpotifyAB.SpotifyMusic_zpdnekdrzrea0","PackageIdentityName":"SpotifyAB.SpotifyMusic","PublisherCertificateName":"CN=453637B3-4E12-4CDF-B0D3-2A3C863BF6EF","XboxCrossGenSetId":null,"XboxConsoleGenOptimized":null,"XboxConsoleGenCompatible":null},"AlternateIds":[{"IdType":"LegacyWindowsStoreProductId","Value":"ceac5d3f-8a4f-40e1-9a67-76d9108c7cb5"},{"IdType":"LegacyWindowsPhoneProductId","Value":"caac1b9d-621b-4f96-b143-e10e1397740a"},{"IdType":"XboxTitleId","Value":"1681279293"}],"IngestionSource":"DCE","IsMicrosoftProduct":false,"PreferredSkuId":"0010","ProductType":"Application","ValidationData":{"PassedValidation":false,"RevisionId":"2023-02-03T11:43:19.0472888Z\|\|.\|\|7dcca039-162e-47c4-97f6-6d568bf58680\|\|1152921505695850834\|\|Null\|\|fullrelease","ValidationResultUri":""},"MerchandizingTags":["HeadlessApp"],"PartD":"","ProductFamily":"Apps","ProductKind":"Application","DisplaySkuAvailabilities":[{"Sku":{"LastModifiedDate":
Source: svchost.exe, 0000001B.00000003.419278204.000001B6BD591000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001B.00000003.419173690.000001B6BD5C6000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001B.00000003.419263261.000001B6BD5D9000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: \r\nLike us on Facebook: http://www.facebook.com/spotify\r\nFollow us on Twitter: http://twitter.com/spotify","ProductTitle":"Spotify - Music and Podcasts","SearchTitles":[{"SearchTitleString":"Spotify","SearchTitleType":"SearchHint"},{"SearchTitleString":"Music","SearchTitleType":"SearchHint"},{"SearchTitleString":"music apps","SearchTitleType":"SearchHint"},{"SearchTitleString":"free music","SearchTitleType":"SearchHint"},{"SearchTitleString":"podcasts","SearchTitleType":"SearchHint"},{"SearchTitleString":"streaming","SearchTitleType":"SearchHint"},{"SearchTitleString":"soundcloud","SearchTitleType":"SearchHint"}],"Language":"en-us","Markets":["US","DZ","AR","AU","AT","BH","BD","BE","BR","BG","CA","CL","CN","CO","CR","HR","CY","CZ","DK","EG","EE","FI","FR","DE","GR","GT","HK","HU","IS","IN","ID","IQ","IE","IL","IT","JP","JO","KZ","KE","KW","LV","LB","LI","LT","LU","MY","MT","MR","MX","MA","NL","NZ","NG","NO","OM","PK","PE","PH","PL","PT","QA","RO","RU","SA","RS","SG","SK","SI","ZA","KR","ES","SE","CH","TW","TH","TT","TN","TR","UA","AE","GB","VN","YE","LY","LK","UY","VE","AF","AX","AL","AS","AO","AI","AQ","AG","AM","AW","BO","BQ","BA","BW","BV","IO","BN","BF","BI","KH","CM","CV","KY","CF","TD","TL","DJ","DM","DO","EC","SV","GQ","ER","ET","FK","FO","FJ","GF","PF","TF","GA","GM","GE","GH","GI","GL","GD","GP","GU","GG","GN","GW","GY","HT","HM","HN","AZ","BS","BB","BY","BZ","BJ","BM","BT","KM","CG","CD","CK","CX","CC","CI","CW","JM","SJ","JE","KI","KG","LA","LS","LR","MO","MK","MG","MW","IM","MH","MQ","MU","YT","FM","MD","MN","MS","MZ","MM","NA","NR","NP","MV","ML","NC","NI","NE","NU","NF","PW","PS","PA","PG","PY","RE","RW","BL","MF","WS","ST","SN","MP","PN","SX","SB","SO","SC","SL","GS","SH","KN","LC","PM","VC","TJ","TZ","TG","TK","TO","TM","TC","TV","UM","UG","VI","VG","WF","EH","ZM","ZW","UZ","VU","SR","SZ","AD","MC","SM","ME","VA","NEUTRAL"]}],"MarketProperties":[{"RelatedProducts":[],"Markets":["US"]}],"ProductASchema":"Product;3","ProductBSchema":"ProductUnifiedApp;3","ProductId":"9NCBCSZSJRSB","Properties":{"PackageFamilyName":"SpotifyAB.SpotifyMusic_zpdnekdrzrea0","PackageIdentityName":"SpotifyAB.SpotifyMusic","PublisherCertificateName":"CN=453637B3-4E12-4CDF-B0D3-2A3C863BF6EF","XboxCrossGenSetId":null,"XboxConsoleGenOptimized":null,"XboxConsoleGenCompatible":null},"AlternateIds":[{"IdType":"LegacyWindowsStoreProductId","Value":"ceac5d3f-8a4f-40e1-9a67-76d9108c7cb5"},{"IdType":"LegacyWindowsPhoneProductId","Value":"caac1b9d-621b-4f96-b143-e10e1397740a"},{"IdType":"XboxTitleId","Value":"1681279293"}],"IngestionSource":"DCE","IsMicrosoftProduct":false,"PreferredSkuId":"0010","ProductType":"Application","ValidationData":{"PassedValidation":false,"RevisionId":"2023-02-03T11:43:19.0472888Z\|\|.\|\|7dcca039-162e-47c4-97f6-6d568bf58680\|\|1152921505695850834\|\|Null\|\|fullrelease","ValidationResultUri":""},"MerchandizingTags":["HeadlessApp"],"PartD":"","ProductFamily":"Apps","ProductKind":"Application","DisplaySkuAvailabilities":[{"Sku":{"LastModifiedDate":
Source: svchost.exe, 0000001B.00000003.419278204.000001B6BD591000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: \r\nLike us on Facebook: http://www.facebook.com/spotify\r\nFollow us on Twitter: http://twitter.com/spotify","SkuTitle":"Spotify - Music and Podcasts","Language":"en-us","Markets":["US","DZ","AR","AU","AT","BH","BD","BE","BR","BG","CA","CL","CN","CO","CR","HR","CY","CZ","DK","EG","EE","FI","FR","DE","GR","GT","HK","HU","IS","IN","ID","IQ","IE","IL","IT","JP","JO","KZ","KE","KW","LV","LB","LI","LT","LU","MY","MT","MR","MX","MA","NL","NZ","NG","NO","OM","PK","PE","PH","PL","PT","QA","RO","RU","SA","RS","SG","SK","SI","ZA","KR","ES","SE","CH","TW","TH","TT","TN","TR","UA","AE","GB","VN","YE","LY","LK","UY","VE","AF","AX","AL","AS","AO","AI","AQ","AG","AM","AW","BO","BQ","BA","BW","BV","IO","BN","BF","BI","KH","CM","CV","KY","CF","TD","TL","DJ","DM","DO","EC","SV","GQ","ER","ET","FK","FO","FJ","GF","PF","TF","GA","GM","GE","GH","GI","GL","GD","GP","GU","GG","GN","GW","GY","HT","HM","HN","AZ","BS","BB","BY","BZ","BJ","BM","BT","KM","CG","CD","CK","CX","CC","CI","CW","JM","SJ","JE","KI","KG","LA","LS","LR","MO","MK","MG","MW","IM","MH","MQ","MU","YT","FM","MD","MN","MS","MZ","MM","NA","NR","NP","MV","ML","NC","NI","NE","NU","NF","PW","PS","PA","PG","PY","RE","RW","BL","MF","WS","ST","SN","MP","PN","SX","SB","SO","SC","SL","GS","SH","KN","LC","PM","VC","TJ","TZ","TG","TK","TO","TM","TC","TV","UM","UG","VI","VG","WF","EH","ZM","ZW","UZ","VU","SR","SZ","AD","MC","SM","ME","VA","NEUTRAL"]}],"ProductId":"9NCBCSZSJRSB","Properties":{"FulfillmentData":{"ProductId":"9NCBCSZSJRSB","WuCategoryId":"5c353b9c-7ac7-4d27-af07-923e7d9aa2e2","PackageFamilyName":"SpotifyAB.SpotifyMusic_zpdnekdrzrea0","SkuId":"0010"},"FulfillmentType":"WindowsUpdate","FulfillmentPluginId":null,"Packages":[{"Applications":[{"ApplicationId":"Spotify"}],"Architectures":["x86"],"Capabilities":["internetClient","runFullTrust","Microsoft.storeFilter.core.notSupported_8wekyb3d8bbwe"],"ExperienceIds":[],"MaxDownloadSizeInBytes":110594921,"MaxInstallSizeInBytes":218030080,"PackageFormat":"Appx","PackageFamilyName":"SpotifyAB.SpotifyMusic_zpdnekdrzrea0","MainPackageFamilyNameForDlc":null,"PackageFullName":"SpotifyAB.SpotifyMusic_1.192.647.0_x86__zpdnekdrzrea0","PackageId":"e3ffbaf1-533d-0e62- equals www.facebook.com (Facebook)
Source: svchost.exe, 0000001B.00000003.419278204.000001B6BD591000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: \r\nLike us on Facebook: http://www.facebook.com/spotify\r\nFollow us on Twitter: http://twitter.com/spotify","SkuTitle":"Spotify - Music and Podcasts","Language":"en-us","Markets":["US","DZ","AR","AU","AT","BH","BD","BE","BR","BG","CA","CL","CN","CO","CR","HR","CY","CZ","DK","EG","EE","FI","FR","DE","GR","GT","HK","HU","IS","IN","ID","IQ","IE","IL","IT","JP","JO","KZ","KE","KW","LV","LB","LI","LT","LU","MY","MT","MR","MX","MA","NL","NZ","NG","NO","OM","PK","PE","PH","PL","PT","QA","RO","RU","SA","RS","SG","SK","SI","ZA","KR","ES","SE","CH","TW","TH","TT","TN","TR","UA","AE","GB","VN","YE","LY","LK","UY","VE","AF","AX","AL","AS","AO","AI","AQ","AG","AM","AW","BO","BQ","BA","BW","BV","IO","BN","BF","BI","KH","CM","CV","KY","CF","TD","TL","DJ","DM","DO","EC","SV","GQ","ER","ET","FK","FO","FJ","GF","PF","TF","GA","GM","GE","GH","GI","GL","GD","GP","GU","GG","GN","GW","GY","HT","HM","HN","AZ","BS","BB","BY","BZ","BJ","BM","BT","KM","CG","CD","CK","CX","CC","CI","CW","JM","SJ","JE","KI","KG","LA","LS","LR","MO","MK","MG","MW","IM","MH","MQ","MU","YT","FM","MD","MN","MS","MZ","MM","NA","NR","NP","MV","ML","NC","NI","NE","NU","NF","PW","PS","PA","PG","PY","RE","RW","BL","MF","WS","ST","SN","MP","PN","SX","SB","SO","SC","SL","GS","SH","KN","LC","PM","VC","TJ","TZ","TG","TK","TO","TM","TC","TV","UM","UG","VI","VG","WF","EH","ZM","ZW","UZ","VU","SR","SZ","AD","MC","SM","ME","VA","NEUTRAL"]}],"ProductId":"9NCBCSZSJRSB","Properties":{"FulfillmentData":{"ProductId":"9NCBCSZSJRSB","WuCategoryId":"5c353b9c-7ac7-4d27-af07-923e7d9aa2e2","PackageFamilyName":"SpotifyAB.SpotifyMusic_zpdnekdrzrea0","SkuId":"0010"},"FulfillmentType":"WindowsUpdate","FulfillmentPluginId":null,"Packages":[{"Applications":[{"ApplicationId":"Spotify"}],"Architectures":["x86"],"Capabilities":["internetClient","runFullTrust","Microsoft.storeFilter.core.notSupported_8wekyb3d8bbwe"],"ExperienceIds":[],"MaxDownloadSizeInBytes":110594921,"MaxInstallSizeInBytes":218030080,"PackageFormat":"Appx","PackageFamilyName":"SpotifyAB.SpotifyMusic_zpdnekdrzrea0","MainPackageFamilyNameForDlc":null,"PackageFullName":"SpotifyAB.SpotifyMusic_1.192.647.0_x86__zpdnekdrzrea0","PackageId":"e3ffbaf1-533d-0e62- equals www.twitter.com (Twitter)
Source: svchost.exe, 0000001B.00000003.416869450.000001B6BD58F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: t enough.\r\n\r\nSHARE WITH FRIENDS\r\nSend photos and videos to keep your close friends up to speed. Receive files for even more productivity.\r\n\r\n\r\nCalls are free over Wi-Fi but otherwise standard data charges apply.\r\nPrivacy Policy: https://www.facebook.com/about/privacy \| LEARN MORE at: https://messenger.com (https://messenger.com/)","ProductTitle":"Messenger","SearchTitles":[],"Language":"en-us","Markets":["US","DZ","AR","AU","AT","BH","BD","BE","BR","BG","CA","CL","CN","CO","CR","HR","CY","CZ","DK","EG","EE","FI","FR","DE","GR","GT","HK","HU","IS","IN","ID","IQ","IE","IL","IT","JP","JO","KZ","KE","KW","LV","LB","LI","LT","LU","MY","MT","MR","MX","MA","NL","NZ","NG","NO","OM","PK","PE","PH","PL","PT","QA","RO","RU","SA","RS","SG","SK","SI","ZA","KR","ES","SE","CH","TW","TH","TT","TN","TR","UA","AE","GB","VN","YE","LY","LK","UY","VE","AF","AX","AL","AS","AO","AI","AQ","AG","AM","AW","BO","BQ","BA","BW","BV","IO","BN","BF","BI","KH","CM","CV","KY","CF","TD","TL","DJ","DM","DO","EC","SV","GQ","ER","ET","FK","FO","FJ","GF","PF","TF","GA","GM","GE","GH","GI","GL","GD","GP","GU","GG","GN","GW","GY","HT","HM","HN","AZ","BS","BB","BY","BZ","BJ","BM","BT","KM","CG","CD","CK","CX","CC","CI","CW","JM","SJ","JE","KI","KG","LA","LS","LR","MO","MK","MG","MW","IM","MH","MQ","MU","YT","FM","MD","MN","MS","MZ","MM","NA","NR","NP","MV","ML","NC","NI","NE","NU","NF","PW","PS","PA","PG","PY","RE","RW","BL","MF","WS","ST","SN","MP","PN","SX","SB","SO","SC","SL","GS","SH","KN","LC","PM","VC","TJ","TZ","TG","TK","TO","TM","TC","TV","UM","UG","VI","VG","WF","EH","ZM","ZW","UZ","VU","SR","SZ","AD","MC","SM","ME","VA","NEUTRAL"]}],"MarketProperties":[{"RelatedProducts":[],"Markets":["US"]}],"ProductASchema":"Product;3","ProductBSchema":"ProductUnifiedApp;3","ProductId":"9WZDNCRF0083","Properties":{"PackageFamilyName":"Facebook.317180B0BB486_8xx8rvfyw5nnt","PackageIdentityName":"FACEBOOK.317180B0BB486","PublisherCertificateName":"CN=6E08453F-9BA7-4311-999C-D22FBA2FB1B8","XboxCrossGenSetId":null,"XboxConsoleGenOptimized":null,"XboxConsoleGenCompatible":null},"AlternateIds":[{"IdType":"LegacyWindowsStoreProductId","Value":"c6a9fa5c-20a2-4e12-904d-edd408657dc8"},{"IdType":"LegacyWindowsPhoneProductId","Value":"3219d30d-4a23-4f58-a91c-c44b04e6a0c7"},{"IdType":"XboxTitleId","Value":"2004208728"}],"IngestionSource":"DCE","IsMicrosoftProduct":false,"PreferredSkuId":"0010","ProductType":"Application","ValidationData":{"PassedValidation":false,"RevisionId":"2023-02-01T09:34:07.3081511Z\|\|.\|\|dca447a8-9272-4f5e-9250-ce4486a3bb73\|\|1152921505695842206\|\|Null\|\|fullrelease","ValidationResultUri":""},"MerchandizingTags":[],"PartD":"","ProductFamily":"Apps","ProductKind":"Application","DisplaySkuAvailabilities":[{"Sku":{"LastModifiedDate":"2023-02-01T09:32:59.6774288Z","LocalizedProperties":[{"SkuDescription":"Made for big screens and close connections. Get access to free texting, and high-quality voice & video chat built specifically for desktop.\r\n\r\nMADE FOR DESKTOP, MADE
Source: svchost.exe, 0000001B.00000003.416869450.000001B6BD58F000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001B.00000003.416831638.000001B6BD5A1000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: t enough.\r\n\r\nSHARE WITH FRIENDS\r\nSend photos and videos to keep your close friends up to speed. Receive files for even more productivity.\r\n\r\n\r\nCalls are free over Wi-Fi but otherwise standard data charges apply.\r\nPrivacy Policy: https://www.facebook.com/about/privacy \| LEARN MORE at: https://messenger.com (https://messenger.com/)","ProductTitle":"Messenger","SearchTitles":[],"Language":"en-us","Markets":["US","DZ","AR","AU","AT","BH","BD","BE","BR","BG","CA","CL","CN","CO","CR","HR","CY","CZ","DK","EG","EE","FI","FR","DE","GR","GT","HK","HU","IS","IN","ID","IQ","IE","IL","IT","JP","JO","KZ","KE","KW","LV","LB","LI","LT","LU","MY","MT","MR","MX","MA","NL","NZ","NG","NO","OM","PK","PE","PH","PL","PT","QA","RO","RU","SA","RS","SG","SK","SI","ZA","KR","ES","SE","CH","TW","TH","TT","TN","TR","UA","AE","GB","VN","YE","LY","LK","UY","VE","AF","AX","AL","AS","AO","AI","AQ","AG","AM","AW","BO","BQ","BA","BW","BV","IO","BN","BF","BI","KH","CM","CV","KY","CF","TD","TL","DJ","DM","DO","EC","SV","GQ","ER","ET","FK","FO","FJ","GF","PF","TF","GA","GM","GE","GH","GI","GL","GD","GP","GU","GG","GN","GW","GY","HT","HM","HN","AZ","BS","BB","BY","BZ","BJ","BM","BT","KM","CG","CD","CK","CX","CC","CI","CW","JM","SJ","JE","KI","KG","LA","LS","LR","MO","MK","MG","MW","IM","MH","MQ","MU","YT","FM","MD","MN","MS","MZ","MM","NA","NR","NP","MV","ML","NC","NI","NE","NU","NF","PW","PS","PA","PG","PY","RE","RW","BL","MF","WS","ST","SN","MP","PN","SX","SB","SO","SC","SL","GS","SH","KN","LC","PM","VC","TJ","TZ","TG","TK","TO","TM","TC","TV","UM","UG","VI","VG","WF","EH","ZM","ZW","UZ","VU","SR","SZ","AD","MC","SM","ME","VA","NEUTRAL"]}],"MarketProperties":[{"RelatedProducts":[],"Markets":["US"]}],"ProductASchema":"Product;3","ProductBSchema":"ProductUnifiedApp;3","ProductId":"9WZDNCRF0083","Properties":{"PackageFamilyName":"Facebook.317180B0BB486_8xx8rvfyw5nnt","PackageIdentityName":"FACEBOOK.317180B0BB486","PublisherCertificateName":"CN=6E08453F-9BA7-4311-999C-D22FBA2FB1B8","XboxCrossGenSetId":null,"XboxConsoleGenOptimized":null,"XboxConsoleGenCompatible":null},"AlternateIds":[{"IdType":"LegacyWindowsStoreProductId","Value":"c6a9fa5c-20a2-4e12-904d-edd408657dc8"},{"IdType":"LegacyWindowsPhoneProductId","Value":"3219d30d-4a23-4f58-a91c-c44b04e6a0c7"},{"IdType":"XboxTitleId","Value":"2004208728"}],"IngestionSource":"DCE","IsMicrosoftProduct":false,"PreferredSkuId":"0010","ProductType":"Application","ValidationData":{"PassedValidation":false,"RevisionId":"2023-02-01T09:34:07.3081511Z\|\|.\|\|dca447a8-9272-4f5e-9250-ce4486a3bb73\|\|1152921505695842206\|\|Null\|\|fullrelease","ValidationResultUri":""},"MerchandizingTags":[],"PartD":"","ProductFamily":"Apps","ProductKind":"Application","DisplaySkuAvailabilities":[{"Sku":{"LastModifiedDate":"2023-02-01T09:32:59.6774288Z","LocalizedProperties":[{"SkuDescription":"Made for big screens and close connections. Get access to free texting, and high-quality voice & video chat built specifically for desktop.\r\n\r\nMADE FOR DESKTOP, MADE

Source: FileOpenInstaller.exe, is-KGJ5A.tmp.1.dr, FileOpenInstaller.tmp.0.dr, is-GL49N.tmp.1.dr	String found in binary or memory: http://cacerts.digicert.com/DigiCertEVCodeSigningCA-SHA2.crt0
Source: FileOpenInstaller.exe, is-KGJ5A.tmp.1.dr, FileOpenInstaller.tmp.0.dr, is-GL49N.tmp.1.dr	String found in binary or memory: http://cacerts.digicert.com/DigiCertHighAssuranceEVRootCA.crt0
Source: FileOpenInstaller.exe, is-KGJ5A.tmp.1.dr, FileOpenInstaller.tmp.0.dr, is-GL49N.tmp.1.dr	String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crt0
Source: FileOpenInstaller.exe, is-KGJ5A.tmp.1.dr, FileOpenInstaller.tmp.0.dr, is-GL49N.tmp.1.dr	String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedRootG4.crt0C
Source: FileOpenBroker64.exe, 00000014.00000003.342051339.0000024DCA2F7000.00000004.00000020.00020000.00000000.sdmp, FileOpenBroker64.exe, 00000014.00000002.513758365.0000024DCA2E8000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001B.00000002.431149259.000001B6BD500000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.globalsign.net/root-r2.crl0
Source: FileOpenInstaller.exe, is-KGJ5A.tmp.1.dr, FileOpenInstaller.tmp.0.dr, is-GL49N.tmp.1.dr	String found in binary or memory: http://crl3.digicert.com/DigiCertHighAssuranceEVRootCA.crl0
Source: FileOpenInstaller.exe, is-KGJ5A.tmp.1.dr, FileOpenInstaller.tmp.0.dr, is-GL49N.tmp.1.dr	String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crl0
Source: FileOpenInstaller.exe, is-KGJ5A.tmp.1.dr, FileOpenInstaller.tmp.0.dr, is-GL49N.tmp.1.dr	String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedRootG4.crl0
Source: FileOpenInstaller.exe, is-KGJ5A.tmp.1.dr, FileOpenInstaller.tmp.0.dr, is-GL49N.tmp.1.dr	String found in binary or memory: http://crl3.digicert.com/EVCodeSigningSHA2-g1.crl07
Source: FileOpenInstaller.exe, is-KGJ5A.tmp.1.dr, FileOpenInstaller.tmp.0.dr, is-GL49N.tmp.1.dr	String found in binary or memory: http://crl4.digicert.com/DigiCertHighAssuranceEVRootCA.crl0
Source: FileOpenInstaller.exe, is-KGJ5A.tmp.1.dr, FileOpenInstaller.tmp.0.dr, is-GL49N.tmp.1.dr	String found in binary or memory: http://crl4.digicert.com/EVCodeSigningSHA2-g1.crl0J
Source: FileOpenInstaller.tmp, 00000001.00000003.330327512.0000000003855000.00000004.00001000.00020000.00000000.sdmp, FileOpenInstaller.tmp, 00000001.00000003.330327512.00000000039FE000.00000004.00001000.00020000.00000000.sdmp, FileOpenInstaller.tmp, 00000001.00000003.330327512.0000000003C10000.00000004.00001000.00020000.00000000.sdmp, FileOpenBroker64.exe, FileOpenBroker64.exe, 00000014.00000000.323167265.00007FF72BF88000.00000002.00000001.01000000.0000000A.sdmp, FileOpenBroker64.exe, 00000016.00000002.341623060.00007FF72BF88000.00000002.00000001.01000000.0000000A.sdmp, is-KGJ5A.tmp.1.dr, is-U9E22.tmp.1.dr	String found in binary or memory: http://fileopen.com
Source: FileOpenInstaller.tmp, 00000001.00000003.330327512.0000000003855000.00000004.00001000.00020000.00000000.sdmp, FileOpenInstaller.tmp, 00000001.00000003.330327512.00000000039FE000.00000004.00001000.00020000.00000000.sdmp, FileOpenInstaller.tmp, 00000001.00000003.330327512.00000000037D0000.00000004.00001000.00020000.00000000.sdmp, FileOpenBroker64.exe, 00000014.00000002.514802671.00007FF72BF0B000.00000002.00000001.01000000.0000000A.sdmp, FileOpenBroker64.exe, 00000014.00000000.321969420.00007FF72BF0B000.00000002.00000001.01000000.0000000A.sdmp, FileOpenBroker64.exe, 00000016.00000002.341394742.00007FF72BF0B000.00000002.00000001.01000000.0000000A.sdmp, FileOpenBroker64.exe, 00000016.00000000.339698525.00007FF72BF0B000.00000002.00000001.01000000.0000000A.sdmp, is-KGJ5A.tmp.1.dr, is-U9E22.tmp.1.dr	String found in binary or memory: http://fileopen.com/updates
Source: svchost.exe, 0000001B.00000003.411594025.000001B6BD59A000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001B.00000003.411629471.000001B6BD577000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001B.00000003.411738099.000001B6BD5A4000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001B.00000003.411694374.000001B6BD588000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://help.disneyplus.com
Source: FileOpenInstaller.exe, is-KGJ5A.tmp.1.dr, FileOpenInstaller.tmp.0.dr, is-GL49N.tmp.1.dr	String found in binary or memory: http://ocsp.digicert.com0A
Source: FileOpenInstaller.exe, is-KGJ5A.tmp.1.dr, FileOpenInstaller.tmp.0.dr, is-GL49N.tmp.1.dr	String found in binary or memory: http://ocsp.digicert.com0H
Source: FileOpenInstaller.exe, is-KGJ5A.tmp.1.dr, FileOpenInstaller.tmp.0.dr, is-GL49N.tmp.1.dr	String found in binary or memory: http://ocsp.digicert.com0I
Source: FileOpenInstaller.exe, is-KGJ5A.tmp.1.dr, FileOpenInstaller.tmp.0.dr, is-GL49N.tmp.1.dr	String found in binary or memory: http://ocsp.digicert.com0X
Source: FileOpenInstaller.tmp, 00000001.00000003.330327512.0000000003855000.00000004.00001000.00020000.00000000.sdmp, FileOpenInstaller.tmp, 00000001.00000003.330327512.00000000039FE000.00000004.00001000.00020000.00000000.sdmp, FileOpenInstaller.tmp, 00000001.00000003.330327512.00000000037D0000.00000004.00001000.00020000.00000000.sdmp, FileOpenBroker64.exe, 00000014.00000002.514802671.00007FF72BF0B000.00000002.00000001.01000000.0000000A.sdmp, FileOpenBroker64.exe, 00000014.00000002.513758365.0000024DCA23C000.00000004.00000020.00020000.00000000.sdmp, FileOpenBroker64.exe, 00000014.00000000.321969420.00007FF72BF0B000.00000002.00000001.01000000.0000000A.sdmp, FileOpenBroker64.exe, 00000016.00000002.340776018.000001B8CBDC0000.00000004.00000020.00020000.00000000.sdmp, FileOpenBroker64.exe, 00000016.00000002.341394742.00007FF72BF0B000.00000002.00000001.01000000.0000000A.sdmp, FileOpenBroker64.exe, 00000016.00000000.339698525.00007FF72BF0B000.00000002.00000001.01000000.0000000A.sdmp, is-KGJ5A.tmp.1.dr, is-U9E22.tmp.1.dr	String found in binary or memory: http://plugin.fileopen.com/.
Source: FileOpenBroker64.exe, 00000014.00000002.513758365.0000024DCA23C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://plugin.fileopen.com/.z&
Source: svchost.exe, 00000006.00000002.313352938.0000029DADC13000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.bingmapsportal.com
Source: FileOpenInstaller.exe, is-KGJ5A.tmp.1.dr, FileOpenInstaller.tmp.0.dr, is-GL49N.tmp.1.dr	String found in binary or memory: http://www.digicert.com/CPS0
Source: FileOpenInstaller.exe, is-KGJ5A.tmp.1.dr, FileOpenInstaller.tmp.0.dr, is-GL49N.tmp.1.dr	String found in binary or memory: http://www.digicert.com/ssl-cps-repository.htm0
Source: is-U9E22.tmp.1.dr	String found in binary or memory: http://www.fileopen.com/%s
Source: is-U9E22.tmp.1.dr	String found in binary or memory: http://www.fileopen.com/%sPlugin
Source: FileOpenInstaller.exe, FileOpenInstaller.tmp.0.dr	String found in binary or memory: http://www.fileopen.com/0
Source: FileOpenInstaller.exe, 00000000.00000003.339885366.0000000002331000.00000004.00001000.00020000.00000000.sdmp, FileOpenInstaller.tmp, 00000001.00000003.335133861.0000000000D14000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://www.fileopen.com/request-tech-support/
Source: FileOpenInstaller.exe, 00000000.00000003.339885366.0000000002331000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://www.fileopen.com/request-tech-support/Q/3
Source: FileOpenInstaller.exe, 00000000.00000003.249527175.0000000002580000.00000004.00001000.00020000.00000000.sdmp, FileOpenInstaller.tmp, 00000001.00000003.255479179.00000000033F0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://www.fileopen.com/request-tech-support/Zhttp://www.fileopen.com/request-tech-support/
Source: FileOpenInstaller.tmp, 00000001.00000003.335133861.0000000000D14000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://www.fileopen.com/request-tech-support/qM
Source: FileOpenInstaller.exe, 00000000.00000003.249970577.00000000026C0000.00000004.00001000.00020000.00000000.sdmp, FileOpenInstaller.exe, 00000000.00000003.250333831.000000007FBB0000.00000004.00001000.00020000.00000000.sdmp, FileOpenInstaller.tmp, 00000001.00000000.252856251.0000000000401000.00000020.00000001.01000000.00000004.sdmp, FileOpenInstaller.tmp.0.dr	String found in binary or memory: http://www.innosetup.com/
Source: FileOpenInstaller.exe, 00000000.00000003.249970577.00000000026C0000.00000004.00001000.00020000.00000000.sdmp, FileOpenInstaller.exe, 00000000.00000003.250333831.000000007FBB0000.00000004.00001000.00020000.00000000.sdmp, FileOpenInstaller.tmp, 00000001.00000000.252856251.0000000000401000.00000020.00000001.01000000.00000004.sdmp, FileOpenInstaller.tmp.0.dr	String found in binary or memory: http://www.remobjects.com/ps
Source: svchost.exe, 00000004.00000002.513825993.0000023F6823E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://%s.dnet.xboxlive.com
Source: svchost.exe, 00000004.00000002.513825993.0000023F6823E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://%s.xboxlive.com
Source: svchost.exe, 00000004.00000002.513825993.0000023F6823E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://activity.windows.com
Source: svchost.exe, 00000006.00000003.312665346.0000029DADC61000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://appexmapsappupdate.blob.core.windows.net
Source: svchost.exe, 00000004.00000002.513825993.0000023F6823E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://bn2.notify.windows.com/v2/register/xplatform/device
Source: svchost.exe, 00000004.00000002.513825993.0000023F6823E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://co4-df.notify.windows.com/v2/register/xplatform/device
Source: svchost.exe, 00000006.00000003.312883589.0000029DADC5A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://dev.ditu.live.com/REST/v1/Imagery/Copyright/
Source: svchost.exe, 00000006.00000002.313417322.0000029DADC5C000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000006.00000003.312883589.0000029DADC5A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://dev.ditu.live.com/REST/v1/JsonFilter/VenueMaps/data/
Source: svchost.exe, 00000006.00000003.312665346.0000029DADC61000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://dev.ditu.live.com/REST/v1/Locations
Source: svchost.exe, 00000006.00000002.313394059.0000029DADC3D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://dev.ditu.live.com/REST/v1/Routes/
Source: svchost.exe, 00000006.00000002.313417322.0000029DADC5C000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000006.00000003.312883589.0000029DADC5A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://dev.ditu.live.com/REST/v1/Traffic/Incidents/
Source: svchost.exe, 00000006.00000003.312665346.0000029DADC61000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://dev.ditu.live.com/mapcontrol/logging.ashx
Source: svchost.exe, 00000006.00000003.312477211.0000029DADC47000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000006.00000002.313409269.0000029DADC4D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://dev.ditu.live.com/mapcontrol/mapconfiguration.ashx?name=native&v=
Source: svchost.exe, 00000006.00000002.313417322.0000029DADC5C000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000006.00000003.312883589.0000029DADC5A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://dev.virtualearth.net/REST/v1/JsonFilter/VenueMaps/data/
Source: svchost.exe, 00000006.00000003.312665346.0000029DADC61000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://dev.virtualearth.net/REST/v1/Locations
Source: svchost.exe, 00000006.00000002.313394059.0000029DADC3D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://dev.virtualearth.net/REST/v1/Routes/
Source: svchost.exe, 00000006.00000003.312665346.0000029DADC61000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://dev.virtualearth.net/REST/v1/Routes/Driving
Source: svchost.exe, 00000006.00000003.312665346.0000029DADC61000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://dev.virtualearth.net/REST/v1/Routes/Transit
Source: svchost.exe, 00000006.00000003.312665346.0000029DADC61000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://dev.virtualearth.net/REST/v1/Routes/Walking
Source: svchost.exe, 00000006.00000003.313036808.0000029DADC41000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://dev.virtualearth.net/REST/v1/Transit/Schedules/
Source: svchost.exe, 00000006.00000003.312972855.0000029DADC40000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000006.00000002.313401443.0000029DADC42000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000006.00000003.313036808.0000029DADC41000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://dev.virtualearth.net/mapcontrol/HumanScaleServices/GetBubbles.ashx?n=
Source: svchost.exe, 00000006.00000003.312665346.0000029DADC61000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://dev.virtualearth.net/mapcontrol/logging.ashx
Source: svchost.exe, 00000006.00000002.313417322.0000029DADC5C000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000006.00000003.312972855.0000029DADC40000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000006.00000003.312883589.0000029DADC5A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://dev.virtualearth.net/webservices/v1/LoggingService/LoggingService.svc/Log?
Source: svchost.exe, 0000001B.00000003.411594025.000001B6BD59A000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001B.00000003.411629471.000001B6BD577000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001B.00000003.411738099.000001B6BD5A4000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001B.00000003.411694374.000001B6BD588000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://disneyplus.com/legal/subscriber-agreement
Source: svchost.exe, 00000006.00000003.312883589.0000029DADC5A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://dynamic.api.tiles.ditu.live.com/odvs/gd?pv=1&r=
Source: svchost.exe, 00000006.00000002.313417322.0000029DADC5C000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000006.00000003.312883589.0000029DADC5A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://dynamic.api.tiles.ditu.live.com/odvs/gdi?pv=1&r=
Source: svchost.exe, 00000006.00000002.313417322.0000029DADC5C000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000006.00000003.312883589.0000029DADC5A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://dynamic.api.tiles.ditu.live.com/odvs/gdv?pv=1&r=
Source: svchost.exe, 00000006.00000002.313430643.0000029DADC65000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://dynamic.t
Source: svchost.exe, 00000006.00000003.312665346.0000029DADC61000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://dynamic.t0.tiles.ditu.live.com/comp/gen.ashx
Source: svchost.exe, 00000006.00000002.313394059.0000029DADC3D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://ecn.dev.virtualearth.net/REST/v1/Imagery/Copyright/
Source: svchost.exe, 00000006.00000003.312972855.0000029DADC40000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://ecn.dev.virtualearth.net/mapcontrol/mapconfiguration.ashx?name=native&v=
Source: FileOpenInstaller.exe	String found in binary or memory: https://jrsoftware.org/ishelp/index.php?topic=setupcmdlineSetupU
Source: FileOpenBroker64.exe, 00000014.00000002.514485574.0000024DCC030000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://plugin.fileopen.com/
Source: FileOpenBroker64.exe, 00000014.00000002.514485574.0000024DCC030000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://plugin.fileopen.com/E
Source: FileOpenBroker64.exe, 00000014.00000002.514485574.0000024DCC030000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://plugin.fileopen.com/installcomplete.ashx?Request=DocPerm&Stamp=1675822538&Mode=CNR&USR=10007
Source: FileOpenBroker64.exe, 00000014.00000002.513758365.0000024DCA2E8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://plugin.fileopen.com/installcomplete.ashx?Request=Setting&Stamp=1675822537&Mode=CNR&USR=10007
Source: svchost.exe, 00000006.00000002.313394059.0000029DADC3D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://t0.ssl.ak.dynamic.tiles.virtualearth.net/comp/gen.ashx
Source: svchost.exe, 00000006.00000002.313394059.0000029DADC3D000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000006.00000002.313352938.0000029DADC13000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://t0.ssl.ak.dynamic.tiles.virtualearth.net/odvs/gd?pv=1&r=
Source: svchost.exe, 00000006.00000003.312972855.0000029DADC40000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://t0.ssl.ak.dynamic.tiles.virtualearth.net/odvs/gdi?pv=1&r=
Source: svchost.exe, 00000006.00000003.312991453.0000029DADC56000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://t0.ssl.ak.dynamic.tiles.virtualearth.net/odvs/gdv?pv=1&r=
Source: svchost.exe, 00000006.00000003.312972855.0000029DADC40000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://t0.ssl.ak.dynamic.tiles.virtualearth.net/odvs/gri?pv=1&r=
Source: svchost.exe, 00000006.00000003.290703561.0000029DADC32000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000006.00000002.313374724.0000029DADC3B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://t0.ssl.ak.tiles.virtualearth.net/tiles/gen
Source: svchost.exe, 00000006.00000003.312477211.0000029DADC47000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000006.00000002.313409269.0000029DADC4D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://t0.tiles.ditu.live.com/tiles/gen
Source: FileOpenBroker64.exe, 00000014.00000002.513758365.0000024DCA2A1000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://usr.fileopen.com/
Source: FileOpenBroker64.exe, 00000014.00000002.513758365.0000024DCA272000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://usr.fileopen.com/check/usr/aZBj6Q
Source: svchost.exe, 0000001B.00000003.411594025.000001B6BD59A000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001B.00000003.411629471.000001B6BD577000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001B.00000003.411738099.000001B6BD5A4000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001B.00000003.411694374.000001B6BD588000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.disneyplus.com/legal/privacy-policy
Source: svchost.exe, 0000001B.00000003.411594025.000001B6BD59A000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001B.00000003.411629471.000001B6BD577000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001B.00000003.411738099.000001B6BD5A4000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001B.00000003.411694374.000001B6BD588000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.disneyplus.com/legal/your-california-privacy-rights
Source: svchost.exe, 0000001B.00000003.413351324.000001B6BD585000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001B.00000003.413374045.000001B6BD5A7000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001B.00000003.413365349.000001B6BD596000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001B.00000003.413397653.000001B6BDA18000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001B.00000003.413430330.000001B6BD585000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001B.00000003.413413969.000001B6BDA02000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001B.00000003.413383708.000001B6BDA18000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.tiktok.com/legal/report/feedback

Source: unknown

HTTP traffic detected: POST /check/usr/aZBj6Q+rFX1ikU6tKzx6k1ti|QIahCGjsg4RWrsiwFk= HTTP/1.1Content-type: application/jsonUser-Agent: FileOpen ClientHost: usr.fileopen.comContent-Length: 811Connection: Keep-AliveCache-Control: no-cache

Source: unknown

DNS traffic detected: queries for: usr.fileopen.com

Source: C:\Program Files\FileOpen\Services\FileOpenBroker64.exe

Code function: 20_2_00007FF72BDD1A20 InternetOpenA,InternetOpenUrlA,GetLastError,InternetCloseHandle,InternetQueryDataAvailable,GetLastError,InternetReadFile,InternetCloseHandle,InternetCloseHandle,

Source: global traffic	HTTP traffic detected: GET /installcomplete.ashx?Request=Setting&Stamp=1675822537&Mode=CNR&USR=10007&ServiceID=InstallComplete&DocumentID=D-700&Ident3ID=number3&Ident4ID=number4&DocStrFmt=ASCII&PageCount=0&AdobePermanentId=fe2312a4b89fd64a94044c8c74baef85&AdobeInstanceId=7653cfff47f8504296a48ee78cc73a7d&OSType=Windows&Language=ENU&LngLCID=ENU&LngRFC1766=en&LngISO4Char=en-us&HostAppClass=FileOpen%20Plug-in&HostAppFeatures=001fff7f337ff3ff&Build=998&ProdVer=4.4.0.32&EncrVer=3.9.2.5&Machine=NZGV4LSL&Disk=RVZU7PBB&Uuid=779331e3-a756-11ed-90e8-ecf4bb2d2496&PrevMach=&PrevDisk=&FormHFT=Yes&SelServer=Yes&AcroProduct=Reader&AcroVersion=19.3072&AcroReader=Yes&AcroCanEdit=Yes&AcroPrefIDib=Yes&InBrowser=No&IEProtectedMode=Unknown&HostAppName=&DocIsLocal=Yes&DocPathUrl=file%3A%2F%2F%2FC%7C%2FProgram%20Files%2FFileOpen%2Fexamples%2Finstallcomplete.pdf&VolName=&VolType=Fixed&VolSN=1784512375&FSName=NTFS&FowpKbd=Yes&ScreenHook=Yes&Broker=Yes&RejectedDlls=&OSName=WindowsWin8%2064bit&OSBuild=Build%209200&RequestSchema=Default HTTP/1.1User-Agent: "Acrobat Reader FileOpen Plug-in"Host: plugin.fileopen.comConnection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /installcomplete.ashx?Request=DocPerm&Stamp=1675822538&Mode=CNR&USR=10007&ServiceID=InstallComplete&DocumentID=D-700&Ident3ID=number3&Ident4ID=number4&DocStrFmt=ASCII&PageCount=0&AdobePermanentId=fe2312a4b89fd64a94044c8c74baef85&AdobeInstanceId=7653cfff47f8504296a48ee78cc73a7d&OSType=Windows&Language=ENU&LngLCID=ENU&LngRFC1766=en&LngISO4Char=en-us&HostAppClass=FileOpen%20Plug-in&HostAppFeatures=001fff7f337ff3ff&Build=998&ProdVer=4.4.0.32&EncrVer=3.9.2.5&Machine=NZGV4LSL&Disk=RVZU7PBB&Uuid=779331e3-a756-11ed-90e8-ecf4bb2d2496&FormHFT=Yes&SelServer=Yes&AcroProduct=Reader&AcroVersion=19.3072&AcroReader=Yes&AcroCanEdit=Yes&AcroPrefIDib=Yes&InBrowser=No&IEProtectedMode=Unknown&HostAppName=&DocIsLocal=Yes&DocPathUrl=file%3A%2F%2F%2FC%7C%2FProgram%20Files%2FFileOpen%2Fexamples%2Finstallcomplete.pdf&VolName=&VolType=Fixed&VolSN=1784512375&FSName=NTFS&FowpKbd=Yes&ScreenHook=Yes&Broker=Yes&RejectedDlls=&OSName=WindowsWin8%2064bit&OSBuild=Build%209200&RequestSchema=Default HTTP/1.1User-Agent: "Acrobat Reader FileOpen Plug-in"Host: plugin.fileopen.comConnection: Keep-AliveCache-Control: no-cache

Source: unknown	HTTPS traffic detected: 72.3.136.136:443 -> 192.168.2.6:49736 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 72.3.136.132:443 -> 192.168.2.6:49737 version: TLS 1.2

Source: FileOpenInstaller.exe

Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, BYTES_REVERSED_LO, 32BIT_MACHINE, BYTES_REVERSED_HI

Source: C:\Program Files\FileOpen\Services\FileOpenManager64.exe	Code function: 19_2_00007FF7967B7640
Source: C:\Program Files\FileOpen\Services\FileOpenManager64.exe	Code function: 19_2_00007FF7967A7510
Source: C:\Program Files\FileOpen\Services\FileOpenManager64.exe	Code function: 19_2_00007FF7967D1180
Source: C:\Program Files\FileOpen\Services\FileOpenManager64.exe	Code function: 19_2_00007FF7967A68B0
Source: C:\Program Files\FileOpen\Services\FileOpenManager64.exe	Code function: 19_2_00007FF7967F57C8
Source: C:\Program Files\FileOpen\Services\FileOpenManager64.exe	Code function: 19_2_00007FF79682B568
Source: C:\Program Files\FileOpen\Services\FileOpenManager64.exe	Code function: 19_2_00007FF796821440
Source: C:\Program Files\FileOpen\Services\FileOpenManager64.exe	Code function: 19_2_00007FF796801654
Source: C:\Program Files\FileOpen\Services\FileOpenManager64.exe	Code function: 19_2_00007FF7967B5400
Source: C:\Program Files\FileOpen\Services\FileOpenManager64.exe	Code function: 19_2_00007FF79682D384
Source: C:\Program Files\FileOpen\Services\FileOpenManager64.exe	Code function: 19_2_00007FF7967F54E8
Source: C:\Program Files\FileOpen\Services\FileOpenManager64.exe	Code function: 19_2_00007FF7967BF42F
Source: C:\Program Files\FileOpen\Services\FileOpenManager64.exe	Code function: 19_2_00007FF796821440
Source: C:\Program Files\FileOpen\Services\FileOpenManager64.exe	Code function: 19_2_00007FF79680B18C
Source: C:\Program Files\FileOpen\Services\FileOpenManager64.exe	Code function: 19_2_00007FF79681B2C8
Source: C:\Program Files\FileOpen\Services\FileOpenManager64.exe	Code function: 19_2_00007FF7967F521C
Source: C:\Program Files\FileOpen\Services\FileOpenManager64.exe	Code function: 19_2_00007FF79681528C
Source: C:\Program Files\FileOpen\Services\FileOpenManager64.exe	Code function: 19_2_00007FF7967F3F98
Source: C:\Program Files\FileOpen\Services\FileOpenManager64.exe	Code function: 19_2_00007FF79680E000
Source: C:\Program Files\FileOpen\Services\FileOpenManager64.exe	Code function: 19_2_00007FF7967A5F80
Source: C:\Program Files\FileOpen\Services\FileOpenManager64.exe	Code function: 19_2_00007FF796821BA0
Source: C:\Program Files\FileOpen\Services\FileOpenManager64.exe	Code function: 19_2_00007FF796827C04
Source: C:\Program Files\FileOpen\Services\FileOpenManager64.exe	Code function: 19_2_00007FF7967BDB40
Source: C:\Program Files\FileOpen\Services\FileOpenManager64.exe	Code function: 19_2_00007FF79680DB50
Source: C:\Program Files\FileOpen\Services\FileOpenManager64.exe	Code function: 19_2_00007FF7967F3CFC
Source: C:\Program Files\FileOpen\Services\FileOpenManager64.exe	Code function: 19_2_00007FF796825AAC
Source: C:\Program Files\FileOpen\Services\FileOpenManager64.exe	Code function: 19_2_00007FF7967F3A78
Source: C:\Program Files\FileOpen\Services\FileOpenManager64.exe	Code function: 19_2_00007FF7968244EC
Source: C:\Program Files\FileOpen\Services\FileOpenManager64.exe	Code function: 19_2_00007FF79681A720
Source: C:\Program Files\FileOpen\Services\FileOpenManager64.exe	Code function: 19_2_00007FF7968306CC
Source: C:\Program Files\FileOpen\Services\FileOpenManager64.exe	Code function: 19_2_00007FF7967F4700
Source: C:\Program Files\FileOpen\Services\FileOpenManager64.exe	Code function: 19_2_00007FF7967BE320
Source: C:\Program Files\FileOpen\Services\FileOpenManager64.exe	Code function: 19_2_00007FF7968244EC
Source: C:\Program Files\FileOpen\Services\FileOpenManager64.exe	Code function: 19_2_00007FF7967F4484
Source: C:\Program Files\FileOpen\Services\FileOpenManager64.exe	Code function: 19_2_00007FF79680A15C
Source: C:\Program Files\FileOpen\Services\FileOpenBroker64.exe	Code function: 20_2_00007FF72BECF02C
Source: C:\Program Files\FileOpen\Services\FileOpenBroker64.exe	Code function: 20_2_00007FF72BD98DE0
Source: C:\Program Files\FileOpen\Services\FileOpenBroker64.exe	Code function: 20_2_00007FF72BECED98
Source: C:\Program Files\FileOpen\Services\FileOpenBroker64.exe	Code function: 20_2_00007FF72BD98180
Source: C:\Program Files\FileOpen\Services\FileOpenBroker64.exe	Code function: 20_2_00007FF72BD97850
Source: C:\Program Files\FileOpen\Services\FileOpenBroker64.exe	Code function: 20_2_00007FF72BDCF6A0
Source: C:\Program Files\FileOpen\Services\FileOpenBroker64.exe	Code function: 20_2_00007FF72BDA7640
Source: C:\Program Files\FileOpen\Services\FileOpenBroker64.exe	Code function: 20_2_00007FF72BECECB4
Source: C:\Program Files\FileOpen\Services\FileOpenBroker64.exe	Code function: 20_2_00007FF72BECFC40
Source: C:\Program Files\FileOpen\Services\FileOpenBroker64.exe	Code function: 20_2_00007FF72BECAC04
Source: C:\Program Files\FileOpen\Services\FileOpenBroker64.exe	Code function: 20_2_00007FF72BEAEBEC
Source: C:\Program Files\FileOpen\Services\FileOpenBroker64.exe	Code function: 20_2_00007FF72BDDEBA0
Source: C:\Program Files\FileOpen\Services\FileOpenBroker64.exe	Code function: 20_2_00007FF72BEDCB98
Source: C:\Program Files\FileOpen\Services\FileOpenBroker64.exe	Code function: 20_2_00007FF72BDADB30
Source: C:\Program Files\FileOpen\Services\FileOpenBroker64.exe	Code function: 20_2_00007FF72BDE3B10
Source: C:\Program Files\FileOpen\Services\FileOpenBroker64.exe	Code function: 20_2_00007FF72BDC8B10
Source: C:\Program Files\FileOpen\Services\FileOpenBroker64.exe	Code function: 20_2_00007FF72BDE2A7C
Source: C:\Program Files\FileOpen\Services\FileOpenBroker64.exe	Code function: 20_2_00007FF72BDC7A70
Source: C:\Program Files\FileOpen\Services\FileOpenBroker64.exe	Code function: 20_2_00007FF72BD95A10
Source: C:\Program Files\FileOpen\Services\FileOpenBroker64.exe	Code function: 20_2_00007FF72BEE99B4
Source: C:\Program Files\FileOpen\Services\FileOpenBroker64.exe	Code function: 20_2_00007FF72BEB9974
Source: C:\Program Files\FileOpen\Services\FileOpenBroker64.exe	Code function: 20_2_00007FF72BEEA95C
Source: C:\Program Files\FileOpen\Services\FileOpenBroker64.exe	Code function: 20_2_00007FF72BDDF024
Source: C:\Program Files\FileOpen\Services\FileOpenBroker64.exe	Code function: 20_2_00007FF72BE4BFF0
Source: C:\Program Files\FileOpen\Services\FileOpenBroker64.exe	Code function: 20_2_00007FF72BDAEFD0
Source: C:\Program Files\FileOpen\Services\FileOpenBroker64.exe	Code function: 20_2_00007FF72BEDFF98
Source: C:\Program Files\FileOpen\Services\FileOpenBroker64.exe	Code function: 20_2_00007FF72BE07EC0
Source: C:\Program Files\FileOpen\Services\FileOpenBroker64.exe	Code function: 20_2_00007FF72BDC3E90
Source: C:\Program Files\FileOpen\Services\FileOpenBroker64.exe	Code function: 20_2_00007FF72BDE0DF0
Source: C:\Program Files\FileOpen\Services\FileOpenBroker64.exe	Code function: 20_2_00007FF72BEE9DB4
Source: C:\Program Files\FileOpen\Services\FileOpenBroker64.exe	Code function: 20_2_00007FF72BEFFD98
Source: C:\Program Files\FileOpen\Services\FileOpenBroker64.exe	Code function: 20_2_00007FF72BDC1D50
Source: C:\Program Files\FileOpen\Services\FileOpenBroker64.exe	Code function: 20_2_00007FF72BDC74F0
Source: C:\Program Files\FileOpen\Services\FileOpenBroker64.exe	Code function: 20_2_00007FF72BDC94D0
Source: C:\Program Files\FileOpen\Services\FileOpenBroker64.exe	Code function: 20_2_00007FF72BDAF41F
Source: C:\Program Files\FileOpen\Services\FileOpenBroker64.exe	Code function: 20_2_00007FF72BDA5400
Source: C:\Program Files\FileOpen\Services\FileOpenBroker64.exe	Code function: 20_2_00007FF72BEF33AC
Source: C:\Program Files\FileOpen\Services\FileOpenBroker64.exe	Code function: 20_2_00007FF72BDAE310
Source: C:\Program Files\FileOpen\Services\FileOpenBroker64.exe	Code function: 20_2_00007FF72BDDF2F6
Source: C:\Program Files\FileOpen\Services\FileOpenBroker64.exe	Code function: 20_2_00007FF72BEC9280
Source: C:\Program Files\FileOpen\Services\FileOpenBroker64.exe	Code function: 20_2_00007FF72BDD8220
Source: C:\Program Files\FileOpen\Services\FileOpenBroker64.exe	Code function: 20_2_00007FF72BE1F1C0
Source: C:\Program Files\FileOpen\Services\FileOpenBroker64.exe	Code function: 20_2_00007FF72BDC1130
Source: C:\Program Files\FileOpen\Services\FileOpenBroker64.exe	Code function: 20_2_00007FF72BE0A820
Source: C:\Program Files\FileOpen\Services\FileOpenBroker64.exe	Code function: 20_2_00007FF72BDCD7D0
Source: C:\Program Files\FileOpen\Services\FileOpenBroker64.exe	Code function: 20_2_00007FF72BEFD5A4
Source: C:\Program Files\FileOpen\Services\FileOpenBroker64.exe	Code function: 20_2_00007FF72BDCB540

Source: C:\Program Files\FileOpen\Services\FileOpenBroker64.exe	Code function: String function: 00007FF72BDC03A0 appears 31 times
Source: C:\Program Files\FileOpen\Services\FileOpenManager64.exe	Code function: String function: 00007FF79681C918 appears 39 times

Source: C:\Program Files\FileOpen\Services\FileOpenManager64.exe	Code function: 19_2_00007FF7967A7510 LocalAlloc,NtReplyWaitReceivePortEx,NtReplyWaitReceivePort,FindCloseChangeNotification,NtAcceptConnectPort,LocalFree,GetCurrentProcessId,LocalAlloc,NtAcceptConnectPort,LocalAlloc,LocalFree,NtCompleteConnectPort,SetEvent,EnterCriticalSection,LeaveCriticalSection,ReleaseSemaphore,LocalFree,NtAcceptConnectPort,LocalFree,LocalFree,LocalFree,
Source: C:\Program Files\FileOpen\Services\FileOpenManager64.exe	Code function: 19_2_00007FF7967A68B0 GetCurrentProcess,GetCurrentProcess,GetCurrentProcess,DuplicateHandle,SetLastError,FindCloseChangeNotification,EnterCriticalSection,LeaveCriticalSection,LocalAlloc,NtCreatePort,LocalFree,LocalFree,LocalFree,LocalAlloc,lstrlenA,LocalAlloc,lstrcpyA,CreateSemaphoreW,InitializeCriticalSection,CreateThread,CreateThread,SetThreadPriority,SetThreadPriority,EnterCriticalSection,LeaveCriticalSection,
Source: C:\Program Files\FileOpen\Services\FileOpenManager64.exe	Code function: 19_2_00007FF7967A5F80 GetLastError,GetCurrentProcessId,GetCurrentProcessId,GetCurrentProcessId,CreateFileMappingW,MapViewOfFile,UnmapViewOfFile,NtConnectPort,CloseHandle,LocalFree,CloseHandle,GetCurrentProcessId,OpenProcess,OpenProcess,GetCurrentProcess,DuplicateHandle,GetCurrentProcessId,WriteFile,WriteFile,WriteFile,WriteFile,WriteFile,CloseHandle,ReleaseMutex,CloseHandle,CloseHandle,SetLastError,
Source: C:\Program Files\FileOpen\Services\FileOpenManager64.exe	Code function: 19_2_00007FF7967A7AF0 EnterCriticalSection,LeaveCriticalSection,ReleaseSemaphore,NtConnectPort,LocalFree,WaitForSingleObject,TerminateThread,CloseHandle,WaitForSingleObject,TerminateThread,CloseHandle,GetCurrentProcess,GetCurrentProcess,DuplicateHandle,SetEvent,WaitForSingleObject,CloseHandle,SetEvent,WaitForSingleObject,EnterCriticalSection,TerminateThread,CloseHandle,CloseHandle,LocalFree,LocalFree,LeaveCriticalSection,CloseHandle,CloseHandle,DeleteCriticalSection,LocalFree,LocalFree,
Source: C:\Program Files\FileOpen\Services\FileOpenBroker64.exe	Code function: 20_2_00007FF72BD98DE0 LocalAlloc,NtReplyWaitReceivePortEx,NtReplyWaitReceivePort,CloseHandle,NtAcceptConnectPort,LocalFree,GetCurrentProcessId,LocalAlloc,NtAcceptConnectPort,LocalAlloc,LocalFree,NtCompleteConnectPort,SetEvent,EnterCriticalSection,LeaveCriticalSection,ReleaseSemaphore,LocalFree,NtAcceptConnectPort,LocalFree,LocalFree,LocalFree,
Source: C:\Program Files\FileOpen\Services\FileOpenBroker64.exe	Code function: 20_2_00007FF72BD98180 GetCurrentProcess,GetCurrentProcess,GetCurrentProcess,DuplicateHandle,SetLastError,FindCloseChangeNotification,EnterCriticalSection,LeaveCriticalSection,LocalAlloc,NtCreatePort,LocalFree,LocalFree,LocalFree,LocalAlloc,lstrlenA,LocalAlloc,lstrcpyA,CreateSemaphoreW,InitializeCriticalSection,CreateThread,CreateThread,SetThreadPriority,SetThreadPriority,EnterCriticalSection,LeaveCriticalSection,
Source: C:\Program Files\FileOpen\Services\FileOpenBroker64.exe	Code function: 20_2_00007FF72BD97850 GetLastError,GetCurrentProcessId,GetCurrentProcessId,GetCurrentProcessId,CreateFileMappingW,MapViewOfFile,UnmapViewOfFile,NtConnectPort,CloseHandle,LocalFree,CloseHandle,GetCurrentProcessId,OpenProcess,OpenProcess,GetCurrentProcess,DuplicateHandle,GetCurrentProcessId,WriteFile,WriteFile,WriteFile,WriteFile,WriteFile,CloseHandle,ReleaseMutex,CloseHandle,CloseHandle,SetLastError,
Source: C:\Program Files\FileOpen\Services\FileOpenBroker64.exe	Code function: 20_2_00007FF72BD993C0 EnterCriticalSection,LeaveCriticalSection,ReleaseSemaphore,NtConnectPort,LocalFree,WaitForSingleObject,TerminateThread,CloseHandle,WaitForSingleObject,TerminateThread,CloseHandle,GetCurrentProcess,GetCurrentProcess,DuplicateHandle,SetEvent,WaitForSingleObject,CloseHandle,SetEvent,WaitForSingleObject,EnterCriticalSection,TerminateThread,CloseHandle,CloseHandle,LocalFree,LocalFree,LeaveCriticalSection,CloseHandle,CloseHandle,DeleteCriticalSection,LocalFree,LocalFree,

Source: C:\Program Files\FileOpen\Services\FileOpenManager64.exe

Code function: 19_2_00007FF7967BD7E0: CreateFileW,LocalAlloc,GetCurrentThreadId,DeviceIoControl,GetLastError,CloseHandle,LocalFree,SetLastError,

Source: FileOpenInstaller.tmp.0.dr	Static PE information: Resource name: RT_RCDATA type: PE32+ executable (console) x86-64, for MS Windows
Source: is-BU7MM.tmp.1.dr	Static PE information: Resource name: RT_RCDATA type: PE32+ executable (console) x86-64, for MS Windows
Source: is-GL49N.tmp.1.dr	Static PE information: Resource name: RT_VERSION type: TTComp archive data, binary, 2K dictionary

Source: FileOpenInstaller.exe, 00000000.00000003.249970577.00000000027A5000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: OriginalFileName vs FileOpenInstaller.exe
Source: FileOpenInstaller.exe, 00000000.00000003.250333831.000000007FE91000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: OriginalFileName vs FileOpenInstaller.exe
Source: FileOpenInstaller.exe, 00000000.00000003.339885366.0000000002348000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamekernel32j% vs FileOpenInstaller.exe
Source: FileOpenInstaller.exe, 00000000.00000000.249251631.0000000000541000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFileName vs FileOpenInstaller.exe
Source: FileOpenInstaller.exe	Binary or memory string: OriginalFileName vs FileOpenInstaller.exe

Source: is-GL49N.tmp.1.dr

Static PE information: Resource name: RT_VERSION type: TTComp archive data, binary, 2K dictionary

Source: C:\Windows\System32\svchost.exe	Section loaded: xboxlivetitleid.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: cdpsgshims.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: windowscoredeviceinfo.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: windowscoredeviceinfo.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: windowscoredeviceinfo.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: windowscoredeviceinfo.dll

Source: C:\Program Files\FileOpen\Services\FileOpenManager64.exe

Code function: 19_2_00007FF7967B95C0 OpenSCManagerW,OpenServiceW,DeleteService,GetLastError,CloseServiceHandle,SetLastError,GetLastError,CloseServiceHandle,SetLastError,

Source: C:\Users\user\Desktop\FileOpenInstaller.exe

File read: C:\Users\user\Desktop\FileOpenInstaller.exe

Jump to behavior

Source: C:\Users\user\Desktop\FileOpenInstaller.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Source: unknown	Process created: C:\Users\user\Desktop\FileOpenInstaller.exe C:\Users\user\Desktop\FileOpenInstaller.exe
Source: C:\Users\user\Desktop\FileOpenInstaller.exe	Process created: C:\Users\user\AppData\Local\Temp\is-0FUR6.tmp\FileOpenInstaller.tmp "C:\Users\user\AppData\Local\Temp\is-0FUR6.tmp\FileOpenInstaller.tmp" /SL5="$10404,6054369,1320960,C:\Users\user\Desktop\FileOpenInstaller.exe"
Source: unknown	Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p
Source: unknown	Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s NcbService
Source: unknown	Process created: C:\Windows\System32\svchost.exe c:\windows\system32\svchost.exe -k localservice -p -s CDPSvc
Source: unknown	Process created: C:\Windows\System32\svchost.exe c:\windows\system32\svchost.exe -k networkservice -p -s DoSvc
Source: unknown	Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k NetworkService -p
Source: unknown	Process created: C:\Windows\System32\SgrmBroker.exe C:\Windows\system32\SgrmBroker.exe
Source: unknown	Process created: C:\Windows\System32\svchost.exe c:\windows\system32\svchost.exe -k netsvcs -p
Source: unknown	Process created: C:\Windows\System32\svchost.exe c:\windows\system32\svchost.exe -k wusvcs -p -s WaaSMedicSvc
Source: unknown	Process created: C:\Windows\System32\svchost.exe c:\windows\system32\svchost.exe -k localservicenetworkrestricted -p -s wscsvc
Source: unknown	Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p
Source: C:\Users\user\AppData\Local\Temp\is-0FUR6.tmp\FileOpenInstaller.tmp	Process created: C:\Windows\System32\sc.exe "C:\Windows\system32\sc.exe" create FileOpenManager binpath= "\"C:\Program Files\FileOpen\Services\FileOpenManager64.exe\"" start= auto
Source: C:\Windows\System32\sc.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Temp\is-0FUR6.tmp\FileOpenInstaller.tmp	Process created: C:\Windows\System32\sc.exe "C:\Windows\system32\sc.exe" description FileOpenManager "FileOpen Client Manager"
Source: C:\Windows\System32\sc.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Temp\is-0FUR6.tmp\FileOpenInstaller.tmp	Process created: C:\Windows\System32\sc.exe "C:\Windows\system32\sc.exe" start FileOpenManager
Source: C:\Windows\System32\sc.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown	Process created: C:\Program Files\FileOpen\Services\FileOpenManager64.exe C:\Program Files\FileOpen\Services\FileOpenManager64.exe
Source: C:\Users\user\AppData\Local\Temp\is-0FUR6.tmp\FileOpenInstaller.tmp	Process created: C:\Program Files\FileOpen\Services\FileOpenBroker64.exe C:\Program Files\FileOpen\Services\FileOpenBroker64.exe
Source: C:\Users\user\AppData\Local\Temp\is-0FUR6.tmp\FileOpenInstaller.tmp	Process created: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe" installcomplete.pdf
Source: unknown	Process created: C:\Program Files\FileOpen\Services\FileOpenBroker64.exe "C:\Program Files\FileOpen\Services\FileOpenBroker64.exe"
Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe	Process created: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --backgroundcolor=16514043
Source: unknown	Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p
Source: unknown	Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p
Source: C:\Windows\System32\svchost.exe	Process created: C:\Program Files\Windows Defender\MpCmdRun.exe "C:\Program Files\Windows Defender\mpcmdrun.exe" -wdenable
Source: C:\Program Files\Windows Defender\MpCmdRun.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\FileOpenInstaller.exe	Process created: C:\Users\user\AppData\Local\Temp\is-0FUR6.tmp\FileOpenInstaller.tmp "C:\Users\user\AppData\Local\Temp\is-0FUR6.tmp\FileOpenInstaller.tmp" /SL5="$10404,6054369,1320960,C:\Users\user\Desktop\FileOpenInstaller.exe"
Source: C:\Users\user\AppData\Local\Temp\is-0FUR6.tmp\FileOpenInstaller.tmp	Process created: C:\Windows\System32\sc.exe "C:\Windows\system32\sc.exe" create FileOpenManager binpath= "\"C:\Program Files\FileOpen\Services\FileOpenManager64.exe\"" start= auto
Source: C:\Users\user\AppData\Local\Temp\is-0FUR6.tmp\FileOpenInstaller.tmp	Process created: C:\Windows\System32\sc.exe "C:\Windows\system32\sc.exe" description FileOpenManager "FileOpen Client Manager"
Source: C:\Users\user\AppData\Local\Temp\is-0FUR6.tmp\FileOpenInstaller.tmp	Process created: C:\Windows\System32\sc.exe "C:\Windows\system32\sc.exe" start FileOpenManager
Source: C:\Users\user\AppData\Local\Temp\is-0FUR6.tmp\FileOpenInstaller.tmp	Process created: C:\Program Files\FileOpen\Services\FileOpenBroker64.exe C:\Program Files\FileOpen\Services\FileOpenBroker64.exe
Source: C:\Users\user\AppData\Local\Temp\is-0FUR6.tmp\FileOpenInstaller.tmp	Process created: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe" installcomplete.pdf
Source: C:\Windows\System32\svchost.exe	Process created: C:\Program Files\Windows Defender\MpCmdRun.exe "C:\Program Files\Windows Defender\mpcmdrun.exe" -wdenable
Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe	Process created: unknown unknown
Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe	Process created: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --backgroundcolor=16514043
Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe	Process created: unknown unknown
Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe	Process created: unknown unknown
Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe	Process created: unknown unknown
Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe	Process created: unknown unknown

Source: C:\Users\user\AppData\Local\Temp\is-0FUR6.tmp\FileOpenInstaller.tmp

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{00BB2765-6A77-11D0-A535-00C04FD7D062}\InProcServer32

Source: C:\Program Files\FileOpen\Services\FileOpenManager64.exe	Code function: 19_2_00007FF7967AA260 GetCurrentProcess,OpenProcessToken,GetTokenInformation,LocalAlloc,GetTokenInformation,LookupPrivilegeValueW,LookupPrivilegeValueW,LookupPrivilegeValueW,AdjustTokenPrivileges,LocalFree,FindCloseChangeNotification,
Source: C:\Program Files\FileOpen\Services\FileOpenBroker64.exe	Code function: 20_2_00007FF72BD96F80 GetCurrentProcess,OpenProcessToken,GetTokenInformation,LocalAlloc,GetTokenInformation,LookupPrivilegeValueW,LookupPrivilegeValueW,LookupPrivilegeValueW,AdjustTokenPrivileges,LocalFree,FindCloseChangeNotification,

Source: C:\Users\user\AppData\Local\Temp\is-0FUR6.tmp\FileOpenInstaller.tmp

File created: C:\Users\user\AppData\Local\Programs

Jump to behavior

Source: C:\Users\user\Desktop\FileOpenInstaller.exe

File created: C:\Users\user\AppData\Local\Temp\is-0FUR6.tmp

Jump to behavior

Source: classification engine

Classification label: sus26.evad.winEXE@40/98@2/3

Source: C:\Program Files\FileOpen\Services\FileOpenManager64.exe	Code function: OpenSCManagerW,OpenServiceW,GetLastError,CloseServiceHandle,SetLastError,CreateServiceW,CloseServiceHandle,GetLastError,CloseServiceHandle,SetLastError,GetLastError,SetLastError,
Source: C:\Program Files\FileOpen\Services\FileOpenManager64.exe	Code function: OpenSCManagerA,GetLastError,CreateServiceA,GetLastError,CloseServiceHandle,CloseServiceHandle,CloseServiceHandle,
Source: C:\Program Files\FileOpen\Services\FileOpenBroker64.exe	Code function: OpenSCManagerW,OpenServiceW,GetLastError,CloseServiceHandle,SetLastError,CreateServiceW,CloseServiceHandle,GetLastError,CloseServiceHandle,SetLastError,GetLastError,SetLastError,

Source: FileOpenInstaller.tmp, 00000001.00000003.330327512.0000000003855000.00000004.00001000.00020000.00000000.sdmp, FileOpenInstaller.tmp, 00000001.00000003.330327512.00000000039FE000.00000004.00001000.00020000.00000000.sdmp, FileOpenInstaller.tmp, 00000001.00000003.330327512.00000000037D0000.00000004.00001000.00020000.00000000.sdmp, FileOpenBroker64.exe, 00000014.00000002.514802671.00007FF72BF0B000.00000002.00000001.01000000.0000000A.sdmp, FileOpenBroker64.exe, 00000014.00000000.321969420.00007FF72BF0B000.00000002.00000001.01000000.0000000A.sdmp, FileOpenBroker64.exe, 00000016.00000002.341394742.00007FF72BF0B000.00000002.00000001.01000000.0000000A.sdmp, FileOpenBroker64.exe, 00000016.00000000.339698525.00007FF72BF0B000.00000002.00000001.01000000.0000000A.sdmp, is-KGJ5A.tmp.1.dr, is-U9E22.tmp.1.dr	Binary or memory string: UPDATE %Q.sqlite_master SET tbl_name = %Q, name = CASE WHEN type='table' THEN %Q WHEN name LIKE 'sqliteX_autoindex%%' ESCAPE 'X' AND type='index' THEN 'sqlite_autoindex_' \|\| %Q \|\| substr(name,%d+18) ELSE name END WHERE tbl_name=%Q COLLATE nocase AND (type='table' OR type='index' OR type='trigger');
Source: FileOpenInstaller.tmp, 00000001.00000003.330327512.0000000003855000.00000004.00001000.00020000.00000000.sdmp, FileOpenInstaller.tmp, 00000001.00000003.330327512.00000000039FE000.00000004.00001000.00020000.00000000.sdmp, FileOpenInstaller.tmp, 00000001.00000003.330327512.00000000037D0000.00000004.00001000.00020000.00000000.sdmp, FileOpenBroker64.exe, FileOpenBroker64.exe, 00000014.00000002.514802671.00007FF72BF0B000.00000002.00000001.01000000.0000000A.sdmp, FileOpenBroker64.exe, 00000014.00000000.321969420.00007FF72BF0B000.00000002.00000001.01000000.0000000A.sdmp, FileOpenBroker64.exe, 00000016.00000002.341394742.00007FF72BF0B000.00000002.00000001.01000000.0000000A.sdmp, FileOpenBroker64.exe, 00000016.00000000.339698525.00007FF72BF0B000.00000002.00000001.01000000.0000000A.sdmp, is-KGJ5A.tmp.1.dr, is-U9E22.tmp.1.dr	Binary or memory string: SELECT tbl_name FROM sqlite_master WHERE type='table' AND name='%s';
Source: FileOpenInstaller.tmp, 00000001.00000003.330327512.0000000003855000.00000004.00001000.00020000.00000000.sdmp, FileOpenInstaller.tmp, 00000001.00000003.330327512.00000000039FE000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: UPDATE %s SET = WHERE %s = %d AND %s = '%s';fotkSqliteStorage.cpp:%d. SetLibSqliteDbGdpr - Can't sqlite3_step a '%s' row. Result code %d - Err message '%s'.
Source: FileOpenInstaller.tmp, 00000001.00000003.330327512.0000000003855000.00000004.00001000.00020000.00000000.sdmp, FileOpenInstaller.tmp, 00000001.00000003.330327512.00000000039FE000.00000004.00001000.00020000.00000000.sdmp, FileOpenInstaller.tmp, 00000001.00000003.330327512.00000000037D0000.00000004.00001000.00020000.00000000.sdmp, FileOpenBroker64.exe, FileOpenBroker64.exe, 00000014.00000002.514802671.00007FF72BF0B000.00000002.00000001.01000000.0000000A.sdmp, FileOpenBroker64.exe, 00000014.00000000.321969420.00007FF72BF0B000.00000002.00000001.01000000.0000000A.sdmp, FileOpenBroker64.exe, 00000016.00000002.341394742.00007FF72BF0B000.00000002.00000001.01000000.0000000A.sdmp, FileOpenBroker64.exe, 00000016.00000000.339698525.00007FF72BF0B000.00000002.00000001.01000000.0000000A.sdmp, is-KGJ5A.tmp.1.dr, is-U9E22.tmp.1.dr	Binary or memory string: UPDATE %s SET %s = %u WHERE %s = %d AND %s = '%s';
Source: FileOpenInstaller.tmp, 00000001.00000003.330327512.0000000003855000.00000004.00001000.00020000.00000000.sdmp, FileOpenInstaller.tmp, 00000001.00000003.330327512.00000000039FE000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: SELECT * FROM %s WHERE pubId = %d AND url = '%s';fotkSqliteStorage.cpp:%d. GetLibSqliteDbGdpr - Can't sqlite3_prepare_v2 a '%s' statement. Result code %d - Err message '%s'.
Source: FileOpenInstaller.tmp, 00000001.00000003.330327512.0000000003855000.00000004.00001000.00020000.00000000.sdmp, FileOpenInstaller.tmp, 00000001.00000003.330327512.00000000039FE000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: SELECT idx FROM %s WHERE pubId = %d AND url = '%s';fotkSqliteStorage.cpp:%d. SetLibSqliteDbGdpr. query '%s'
Source: FileOpenInstaller.tmp, 00000001.00000003.330327512.0000000003855000.00000004.00001000.00020000.00000000.sdmp, FileOpenInstaller.tmp, 00000001.00000003.330327512.00000000039FE000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: SELECT sql FROM sqlite_master WHERE type='table' AND name = '%s';gdprGDPRfotkLibSqliteSchema.cpp.
Source: FileOpenInstaller.tmp, 00000001.00000003.330327512.0000000003855000.00000004.00001000.00020000.00000000.sdmp, FileOpenInstaller.tmp, 00000001.00000003.330327512.00000000039FE000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: INSERT INTO %s (,) VALUES ('datetime('now')%u);fotkSqliteStorage.cpp:%d. SetLibSqliteDbGdpr. The Gdpr database must be updated.
Source: FileOpenInstaller.tmp, 00000001.00000003.330327512.0000000003855000.00000004.00001000.00020000.00000000.sdmp, FileOpenInstaller.tmp, 00000001.00000003.330327512.00000000039FE000.00000004.00001000.00020000.00000000.sdmp, FileOpenInstaller.tmp, 00000001.00000003.330327512.00000000037D0000.00000004.00001000.00020000.00000000.sdmp, FileOpenBroker64.exe, FileOpenBroker64.exe, 00000014.00000002.514802671.00007FF72BF0B000.00000002.00000001.01000000.0000000A.sdmp, FileOpenBroker64.exe, 00000014.00000000.321969420.00007FF72BF0B000.00000002.00000001.01000000.0000000A.sdmp, FileOpenBroker64.exe, 00000016.00000002.341394742.00007FF72BF0B000.00000002.00000001.01000000.0000000A.sdmp, FileOpenBroker64.exe, 00000016.00000000.339698525.00007FF72BF0B000.00000002.00000001.01000000.0000000A.sdmp, is-KGJ5A.tmp.1.dr, is-U9E22.tmp.1.dr	Binary or memory string: SELECT sql FROM sqlite_master WHERE type='table' AND name = '%s';
Source: FileOpenInstaller.tmp, 00000001.00000003.330327512.0000000003855000.00000004.00001000.00020000.00000000.sdmp, FileOpenInstaller.tmp, 00000001.00000003.330327512.00000000039FE000.00000004.00001000.00020000.00000000.sdmp, FileOpenInstaller.tmp, 00000001.00000003.330327512.00000000037D0000.00000004.00001000.00020000.00000000.sdmp, FileOpenBroker64.exe, FileOpenBroker64.exe, 00000014.00000002.514802671.00007FF72BF0B000.00000002.00000001.01000000.0000000A.sdmp, FileOpenBroker64.exe, 00000014.00000000.321969420.00007FF72BF0B000.00000002.00000001.01000000.0000000A.sdmp, FileOpenBroker64.exe, 00000016.00000002.341394742.00007FF72BF0B000.00000002.00000001.01000000.0000000A.sdmp, FileOpenBroker64.exe, 00000016.00000000.339698525.00007FF72BF0B000.00000002.00000001.01000000.0000000A.sdmp, is-KGJ5A.tmp.1.dr, is-U9E22.tmp.1.dr	Binary or memory string: SELECT idx FROM %s WHERE pubId = %d AND url = '%s';
Source: FileOpenInstaller.tmp, 00000001.00000003.330327512.0000000003855000.00000004.00001000.00020000.00000000.sdmp, FileOpenInstaller.tmp, 00000001.00000003.330327512.00000000039FE000.00000004.00001000.00020000.00000000.sdmp, FileOpenInstaller.tmp, 00000001.00000003.330327512.00000000037D0000.00000004.00001000.00020000.00000000.sdmp, FileOpenBroker64.exe, FileOpenBroker64.exe, 00000014.00000002.514802671.00007FF72BF0B000.00000002.00000001.01000000.0000000A.sdmp, FileOpenBroker64.exe, 00000014.00000000.321969420.00007FF72BF0B000.00000002.00000001.01000000.0000000A.sdmp, FileOpenBroker64.exe, 00000016.00000002.341394742.00007FF72BF0B000.00000002.00000001.01000000.0000000A.sdmp, FileOpenBroker64.exe, 00000016.00000000.339698525.00007FF72BF0B000.00000002.00000001.01000000.0000000A.sdmp, is-KGJ5A.tmp.1.dr, is-U9E22.tmp.1.dr	Binary or memory string: SELECT * FROM %s WHERE pubId = %d AND url = '%s';
Source: FileOpenInstaller.tmp, 00000001.00000003.330327512.0000000003855000.00000004.00001000.00020000.00000000.sdmp, FileOpenInstaller.tmp, 00000001.00000003.330327512.00000000039FE000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: SELECT %s FROM %s WHERE %s = %d AND %s = '%s';fotkSqliteStorage.cpp:%d. GetLibSqliteDbGdprState. query '%s'
Source: FileOpenInstaller.tmp, 00000001.00000003.330327512.0000000003855000.00000004.00001000.00020000.00000000.sdmp, FileOpenInstaller.tmp, 00000001.00000003.330327512.00000000039FE000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: SELECT * FROM sqlite_master;
Source: FileOpenInstaller.tmp, 00000001.00000003.330327512.0000000003855000.00000004.00001000.00020000.00000000.sdmp, FileOpenInstaller.tmp, 00000001.00000003.330327512.00000000039FE000.00000004.00001000.00020000.00000000.sdmp, FileOpenInstaller.tmp, 00000001.00000003.330327512.00000000037D0000.00000004.00001000.00020000.00000000.sdmp, FileOpenBroker64.exe, 00000014.00000002.514802671.00007FF72BF0B000.00000002.00000001.01000000.0000000A.sdmp, FileOpenBroker64.exe, 00000014.00000000.321969420.00007FF72BF0B000.00000002.00000001.01000000.0000000A.sdmp, FileOpenBroker64.exe, 00000016.00000002.341394742.00007FF72BF0B000.00000002.00000001.01000000.0000000A.sdmp, FileOpenBroker64.exe, 00000016.00000000.339698525.00007FF72BF0B000.00000002.00000001.01000000.0000000A.sdmp, is-KGJ5A.tmp.1.dr, is-U9E22.tmp.1.dr	Binary or memory string: INSERT INTO %Q.sqlite_master VALUES('index',%Q,%Q,#%d,%Q);
Source: FileOpenInstaller.tmp, 00000001.00000003.330327512.0000000003855000.00000004.00001000.00020000.00000000.sdmp, FileOpenInstaller.tmp, 00000001.00000003.330327512.00000000039FE000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: SELECT tbl_name FROM sqlite_master WHERE type='table' AND name='%s';SqliteCookies.cpp:%d. GetSqliteDbCookieContent - SQL '%s' returns error '%s'.
Source: FileOpenInstaller.tmp, 00000001.00000003.330327512.0000000003855000.00000004.00001000.00020000.00000000.sdmp, FileOpenInstaller.tmp, 00000001.00000003.330327512.00000000039FE000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: UPDATE %s SET %s = %u WHERE %s = %d AND %s = '%s';fotkSqliteStorage.cpp:%d. SetLibSqliteDbGdprState. query '%s'
Source: FileOpenInstaller.tmp, 00000001.00000003.330327512.0000000003855000.00000004.00001000.00020000.00000000.sdmp, FileOpenInstaller.tmp, 00000001.00000003.330327512.00000000039FE000.00000004.00001000.00020000.00000000.sdmp, FileOpenInstaller.tmp, 00000001.00000003.330327512.00000000037D0000.00000004.00001000.00020000.00000000.sdmp, FileOpenBroker64.exe, FileOpenBroker64.exe, 00000014.00000002.514802671.00007FF72BF0B000.00000002.00000001.01000000.0000000A.sdmp, FileOpenBroker64.exe, 00000014.00000000.321969420.00007FF72BF0B000.00000002.00000001.01000000.0000000A.sdmp, FileOpenBroker64.exe, 00000016.00000002.341394742.00007FF72BF0B000.00000002.00000001.01000000.0000000A.sdmp, FileOpenBroker64.exe, 00000016.00000000.339698525.00007FF72BF0B000.00000002.00000001.01000000.0000000A.sdmp, is-KGJ5A.tmp.1.dr, is-U9E22.tmp.1.dr	Binary or memory string: SELECT %s FROM %s WHERE %s = %d AND %s = '%s';

Source: C:\Program Files\FileOpen\Services\FileOpenManager64.exe

Code function: 19_2_00007FF7967D1390 WTSGetActiveConsoleSessionId,lstrcmpiA,StartServiceCtrlDispatcherA,

Source: C:\Users\user\Desktop\FileOpenInstaller.exe	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\Users\user\Desktop\FileOpenInstaller.exe	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\Users\user\AppData\Local\Temp\is-0FUR6.tmp\FileOpenInstaller.tmp	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\Users\user\AppData\Local\Temp\is-0FUR6.tmp\FileOpenInstaller.tmp	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales

Source: C:\Program Files\FileOpen\Services\FileOpenManager64.exe

Code function: 19_2_00007FF7967D1390 WTSGetActiveConsoleSessionId,lstrcmpiA,StartServiceCtrlDispatcherA,

Source: C:\Program Files\FileOpen\Services\FileOpenBroker64.exe

Code function: 20_2_00007FF72BDC90C0 std::_Xinvalid_argument,CreateToolhelp32Snapshot,CloseHandle,CloseHandle,

Source: C:\Windows\System32\conhost.exe	Mutant created: \BaseNamedObjects\Local\SM0:5456:120:WilError_01
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6264:120:WilError_01
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6172:120:WilError_01
Source: C:\Program Files\FileOpen\Services\FileOpenBroker64.exe	Mutant created: \Sessions\1\BaseNamedObjects\Ipc2Cnt$18d0Mutex
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6216:120:WilError_01

Source: C:\Users\user\AppData\Local\Temp\is-0FUR6.tmp\FileOpenInstaller.tmp

File created: C:\Program Files\FileOpen

Jump to behavior

Source: FileOpenInstaller.exe

String found in binary or memory: /LOADINF="filename"

Source: C:\Users\user\AppData\Local\Temp\is-0FUR6.tmp\FileOpenInstaller.tmp

Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion RegisteredOrganization

Source: C:\Program Files\FileOpen\Services\FileOpenBroker64.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Program Files\FileOpen\Services\FileOpenBroker64.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Windows\System32\svchost.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Windows\System32\svchost.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\is-0FUR6.tmp\FileOpenInstaller.tmp

Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion RegisteredOwner

Source: C:\Users\user\AppData\Local\Temp\is-0FUR6.tmp\FileOpenInstaller.tmp

Window found: window name: TMainForm

Source: C:\Users\user\AppData\Local\Temp\is-0FUR6.tmp\FileOpenInstaller.tmp	Automated click: Next >
Source: C:\Users\user\AppData\Local\Temp\is-0FUR6.tmp\FileOpenInstaller.tmp	Automated click: I accept the agreement
Source: C:\Users\user\AppData\Local\Temp\is-0FUR6.tmp\FileOpenInstaller.tmp	Automated click: Next >
Source: C:\Users\user\AppData\Local\Temp\is-0FUR6.tmp\FileOpenInstaller.tmp	Automated click: I accept the agreement
Source: C:\Users\user\AppData\Local\Temp\is-0FUR6.tmp\FileOpenInstaller.tmp	Automated click: Next >
Source: C:\Users\user\AppData\Local\Temp\is-0FUR6.tmp\FileOpenInstaller.tmp	Automated click: I accept the agreement
Source: C:\Users\user\AppData\Local\Temp\is-0FUR6.tmp\FileOpenInstaller.tmp	Automated click: Install
Source: C:\Users\user\AppData\Local\Temp\is-0FUR6.tmp\FileOpenInstaller.tmp	Automated click: I accept the agreement

Source: C:\Users\user\AppData\Local\Temp\is-0FUR6.tmp\FileOpenInstaller.tmp

File opened: C:\Windows\SysWOW64\MSFTEDIT.DLL

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Users\user\AppData\Local\Temp\is-0FUR6.tmp\FileOpenInstaller.tmp

Registry value created: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\FileOpenClient_is1

Jump to behavior

Source: FileOpenInstaller.exe

Static file information: File size 6831336 > 1048576

Source: C:\Users\user\AppData\Local\Temp\is-0FUR6.tmp\FileOpenInstaller.tmp	Directory created: C:\Program Files\FileOpen	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-0FUR6.tmp\FileOpenInstaller.tmp	Directory created: C:\Program Files\FileOpen\unins000.dat	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-0FUR6.tmp\FileOpenInstaller.tmp	Directory created: C:\Program Files\FileOpen\is-BU7MM.tmp	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-0FUR6.tmp\FileOpenInstaller.tmp	Directory created: C:\Program Files\FileOpen\is-LL3TI.tmp	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-0FUR6.tmp\FileOpenInstaller.tmp	Directory created: C:\Program Files\FileOpen\examples	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-0FUR6.tmp\FileOpenInstaller.tmp	Directory created: C:\Program Files\FileOpen\examples\is-SJIP9.tmp	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-0FUR6.tmp\FileOpenInstaller.tmp	Directory created: C:\Program Files\FileOpen\Services	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-0FUR6.tmp\FileOpenInstaller.tmp	Directory created: C:\Program Files\FileOpen\Services\is-KGJ5A.tmp	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-0FUR6.tmp\FileOpenInstaller.tmp	Directory created: C:\Program Files\FileOpen\Services\is-GL49N.tmp	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-0FUR6.tmp\FileOpenInstaller.tmp	Directory created: C:\Program Files\FileOpen\unins000.msg	Jump to behavior

Source: FileOpenInstaller.exe

Static PE information: certificate valid

Source: FileOpenInstaller.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE

Source:	Binary string: C:\dev\FileOpenClient-dev\build-x64-RelWithDebInfo\RelWithDebInfo\FileOpenBrokerTrace64.pdbj source: FileOpenInstaller.tmp, 00000001.00000003.330327512.00000000039FE000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: C:\dev\AcroClient-WinInstallers\FileOpenInstallerExe\UtilDll\Release\UtilDll.pdb source: UtilDll.dll.1.dr
Source:	Binary string: C:\dev\FileOpenClient-dev\build-x64-RelWithDebInfo\RelWithDebInfo\FileOpenBroker64.pdb source: FileOpenInstaller.tmp, 00000001.00000003.330327512.00000000037D0000.00000004.00001000.00020000.00000000.sdmp, FileOpenBroker64.exe, 00000014.00000002.514802671.00007FF72BF0B000.00000002.00000001.01000000.0000000A.sdmp, FileOpenBroker64.exe, 00000014.00000000.321969420.00007FF72BF0B000.00000002.00000001.01000000.0000000A.sdmp, FileOpenBroker64.exe, 00000016.00000002.341394742.00007FF72BF0B000.00000002.00000001.01000000.0000000A.sdmp, FileOpenBroker64.exe, 00000016.00000000.339698525.00007FF72BF0B000.00000002.00000001.01000000.0000000A.sdmp, is-KGJ5A.tmp.1.dr
Source:	Binary string: C:\dev\FileOpenClient-dev\build-x64-RelWithDebInfo\RelWithDebInfo\FileOpenManager64.pdb source: FileOpenManager64.exe, 00000013.00000002.514318661.00007FF796837000.00000002.00000001.01000000.00000009.sdmp, FileOpenManager64.exe, 00000013.00000000.319140001.00007FF796837000.00000002.00000001.01000000.00000009.sdmp, is-GL49N.tmp.1.dr
Source:	Binary string: C:\dev\FileOpenClient-dev\build-Win32-RelWithDebInfo\RelWithDebInfo\FileOpenPlugin32.B998.pdb source: is-U9E22.tmp.1.dr
Source:	Binary string: C:\dev\FileOpenClient-dev\build-x64-RelWithDebInfo\RelWithDebInfo\FileOpenBrokerTrace64.pdb source: FileOpenInstaller.tmp, 00000001.00000003.330327512.00000000039FE000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: C:\dev\FileOpenClient-dev\build-x64-RelWithDebInfo\RelWithDebInfo\FileOpenBroker64.pdbi source: FileOpenInstaller.tmp, 00000001.00000003.330327512.00000000037D0000.00000004.00001000.00020000.00000000.sdmp, FileOpenBroker64.exe, 00000014.00000002.514802671.00007FF72BF0B000.00000002.00000001.01000000.0000000A.sdmp, FileOpenBroker64.exe, 00000014.00000000.321969420.00007FF72BF0B000.00000002.00000001.01000000.0000000A.sdmp, FileOpenBroker64.exe, 00000016.00000002.341394742.00007FF72BF0B000.00000002.00000001.01000000.0000000A.sdmp, FileOpenBroker64.exe, 00000016.00000000.339698525.00007FF72BF0B000.00000002.00000001.01000000.0000000A.sdmp, is-KGJ5A.tmp.1.dr
Source:	Binary string: C:\dev\FileOpenClient-dev\build-Win32-RelWithDebInfo\RelWithDebInfo\FileOpenBrokerTrace32.pdb source: FileOpenInstaller.tmp, 00000001.00000003.330327512.0000000003855000.00000004.00001000.00020000.00000000.sdmp

Data Obfuscation

Obfuscated command line found

Source: C:\Users\user\Desktop\FileOpenInstaller.exe	Process created: C:\Users\user\AppData\Local\Temp\is-0FUR6.tmp\FileOpenInstaller.tmp "C:\Users\user\AppData\Local\Temp\is-0FUR6.tmp\FileOpenInstaller.tmp" /SL5="$10404,6054369,1320960,C:\Users\user\Desktop\FileOpenInstaller.exe"
Source: C:\Users\user\Desktop\FileOpenInstaller.exe	Process created: C:\Users\user\AppData\Local\Temp\is-0FUR6.tmp\FileOpenInstaller.tmp "C:\Users\user\AppData\Local\Temp\is-0FUR6.tmp\FileOpenInstaller.tmp" /SL5="$10404,6054369,1320960,C:\Users\user\Desktop\FileOpenInstaller.exe"

Source: FileOpenInstaller.exe	Static PE information: section name: .didata
Source: FileOpenInstaller.tmp.0.dr	Static PE information: section name: .didata
Source: is-BU7MM.tmp.1.dr	Static PE information: section name: .didata
Source: is-KGJ5A.tmp.1.dr	Static PE information: section name: _RDATA
Source: is-GL49N.tmp.1.dr	Static PE information: section name: _RDATA

Source: C:\Program Files\FileOpen\Services\FileOpenManager64.exe

Code function: 19_2_00007FF7967A5A00 LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,AllocateAndInitializeSid,AllocateAndInitializeSid,LocalFree,FreeSid,FreeSid,LocalFree,FreeLibrary,

Source: C:\Users\user\AppData\Local\Temp\is-0FUR6.tmp\FileOpenInstaller.tmp	File created: C:\Program Files\FileOpen\is-BU7MM.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-0FUR6.tmp\FileOpenInstaller.tmp	File created: C:\Program Files\FileOpen\Services\FileOpenBroker64.exe (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-0FUR6.tmp\FileOpenInstaller.tmp	File created: C:\Users\user\AppData\Local\Temp\is-IORDB.tmp\_isetup\_setup64.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-0FUR6.tmp\FileOpenInstaller.tmp	File created: C:\Program Files\FileOpen\Services\is-GL49N.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-0FUR6.tmp\FileOpenInstaller.tmp	File created: C:\Program Files\FileOpen\unins000.exe (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-0FUR6.tmp\FileOpenInstaller.tmp	File created: C:\Program Files\FileOpen\UtilDll.dll (copy)	Jump to dropped file
Source: C:\Users\user\Desktop\FileOpenInstaller.exe	File created: C:\Users\user\AppData\Local\Temp\is-0FUR6.tmp\FileOpenInstaller.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-0FUR6.tmp\FileOpenInstaller.tmp	File created: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\is-U9E22.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-0FUR6.tmp\FileOpenInstaller.tmp	File created: C:\Program Files\FileOpen\Services\is-KGJ5A.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-0FUR6.tmp\FileOpenInstaller.tmp	File created: C:\Users\user\AppData\Local\Temp\is-IORDB.tmp\UtilDll.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-0FUR6.tmp\FileOpenInstaller.tmp	File created: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\FileOpen.api (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-0FUR6.tmp\FileOpenInstaller.tmp	File created: C:\Program Files\FileOpen\Services\FileOpenManager64.exe (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-0FUR6.tmp\FileOpenInstaller.tmp	File created: C:\Program Files\FileOpen\is-LL3TI.tmp	Jump to dropped file

Source: C:\Users\user\AppData\Local\Temp\is-0FUR6.tmp\FileOpenInstaller.tmp

File created: C:\Users\user\AppData\Local\Temp\Setup Log 2023-02-07 #001.txt

Jump to behavior

Source: C:\Program Files\FileOpen\Services\FileOpenManager64.exe

Code function: 19_2_00007FF7967D1390 WTSGetActiveConsoleSessionId,lstrcmpiA,StartServiceCtrlDispatcherA,

Source: C:\Users\user\AppData\Local\Temp\is-0FUR6.tmp\FileOpenInstaller.tmp	Registry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run FileOpenBroker			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-0FUR6.tmp\FileOpenInstaller.tmp	Registry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run FileOpenBroker			Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\is-0FUR6.tmp\FileOpenInstaller.tmp

Process created: C:\Windows\System32\sc.exe "C:\Windows\system32\sc.exe" create FileOpenManager binpath= "\"C:\Program Files\FileOpen\Services\FileOpenManager64.exe\"" start= auto

Source: C:\Users\user\Desktop\FileOpenInstaller.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\is-0FUR6.tmp\FileOpenInstaller.tmp	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\is-0FUR6.tmp\FileOpenInstaller.tmp	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\is-0FUR6.tmp\FileOpenInstaller.tmp	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\is-0FUR6.tmp\FileOpenInstaller.tmp	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\is-0FUR6.tmp\FileOpenInstaller.tmp	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\is-0FUR6.tmp\FileOpenInstaller.tmp	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\is-0FUR6.tmp\FileOpenInstaller.tmp	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\is-0FUR6.tmp\FileOpenInstaller.tmp	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\is-0FUR6.tmp\FileOpenInstaller.tmp	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\is-0FUR6.tmp\FileOpenInstaller.tmp	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\is-0FUR6.tmp\FileOpenInstaller.tmp	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe	Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion

Query firmware table information (likely to detect VMs)

Source: C:\Windows\System32\svchost.exe

System information queried: FirmwareTableInformation

Source: C:\Windows\System32\svchost.exe TID: 1788

Thread sleep time: -150000s >= -30000s

Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed

Source: C:\Users\user\AppData\Local\Temp\is-0FUR6.tmp\FileOpenInstaller.tmp	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\is-IORDB.tmp\_isetup\_setup64.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-0FUR6.tmp\FileOpenInstaller.tmp	Dropped PE file which has not been started: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\is-U9E22.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-0FUR6.tmp\FileOpenInstaller.tmp	Dropped PE file which has not been started: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\FileOpen.api (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-0FUR6.tmp\FileOpenInstaller.tmp	Dropped PE file which has not been started: C:\Program Files\FileOpen\is-LL3TI.tmp	Jump to dropped file

Source: C:\Program Files\FileOpen\Services\FileOpenBroker64.exe	Check user administrative privileges: GetTokenInformation,DecisionNodes
Source: C:\Program Files\FileOpen\Services\FileOpenManager64.exe	Check user administrative privileges: GetTokenInformation,DecisionNodes

Source: C:\Windows\System32\svchost.exe

File opened: PhysicalDrive0

Source: C:\Program Files\FileOpen\Services\FileOpenManager64.exe	API coverage: 8.6 %
Source: C:\Program Files\FileOpen\Services\FileOpenBroker64.exe	API coverage: 7.8 %

Source: C:\Program Files\FileOpen\Services\FileOpenBroker64.exe

Code function: LoadLibraryA,GetProcAddress,GetAdaptersInfo,GetAdaptersInfo,FreeLibrary,FreeLibrary,FreeLibrary,

Source: C:\Users\user\AppData\Local\Temp\is-0FUR6.tmp\FileOpenInstaller.tmp

Process information queried: ProcessInformation

Source: C:\Program Files\FileOpen\Services\FileOpenManager64.exe

Code function: 19_2_00007FF7967D0FD0 GetSystemInfo,

Source: C:\Program Files\FileOpen\Services\FileOpenManager64.exe	Code function: 19_2_00007FF796821440 _invalid_parameter_noinfo,_invalid_parameter_noinfo,FindFirstFileExW,FindNextFileW,FindClose,FindClose,FindClose,
Source: C:\Program Files\FileOpen\Services\FileOpenManager64.exe	Code function: 19_2_00007FF796821440 _invalid_parameter_noinfo,_invalid_parameter_noinfo,FindFirstFileExW,FindNextFileW,FindClose,FindClose,FindClose,
Source: C:\Program Files\FileOpen\Services\FileOpenManager64.exe	Code function: 19_2_00007FF79682203C FindFirstFileExW,FindNextFileW,FindClose,
Source: C:\Program Files\FileOpen\Services\FileOpenManager64.exe	Code function: 19_2_00007FF796821BA0 FindFirstFileExW,
Source: C:\Program Files\FileOpen\Services\FileOpenBroker64.exe	Code function: 20_2_00007FF72BDCBC20 FindFirstFileA,FindNextFileA,FindNextFileA,FindClose,
Source: C:\Program Files\FileOpen\Services\FileOpenBroker64.exe	Code function: 20_2_00007FF72BDC3E90 FindFirstFileA,FindNextFileA,FindClose,
Source: C:\Program Files\FileOpen\Services\FileOpenBroker64.exe	Code function: 20_2_00007FF72BDCBD50 FindFirstFileA,FindNextFileA,FindNextFileA,FindClose,
Source: C:\Program Files\FileOpen\Services\FileOpenBroker64.exe	Code function: 20_2_00007FF72BDC1470 FindFirstFileA,GetLastError,FindNextFileA,GetLastError,FindClose,FindFirstFileA,GetLastError,FindFirstFileA,GetLastError,FindFirstFileA,GetLastError,FindClose,
Source: C:\Program Files\FileOpen\Services\FileOpenBroker64.exe	Code function: 20_2_00007FF72BDC1130 FindFirstFileA,GetLastError,FindFirstFileA,GetLastError,FindNextFileA,GetLastError,FindClose,FindFirstFileA,GetLastError,FindNextFileA,GetLastError,FindClose,FindFirstFileA,GetLastError,FindNextFileA,GetLastError,FindClose,FindClose,
Source: C:\Program Files\FileOpen\Services\FileOpenBroker64.exe	Code function: 20_2_00007FF72BDCB900 _invalid_parameter_noinfo_noreturn,FindFirstFileA,FindNextFileA,FindNextFileA,FindClose,
Source: C:\Program Files\FileOpen\Services\FileOpenBroker64.exe	Code function: 20_2_00007FF72BDD2880 FindFirstFileA,FindNextFileA,FindClose,

Source: svchost.exe, 00000008.00000002.514706322.0000012DB2DAE000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: VMware, Inc.
Source: svchost.exe, 00000008.00000002.514706322.0000012DB2DAE000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: VMware7,1<
Source: svchost.exe, 00000003.00000002.513465683.000002B56F602000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: HvHostWdiSystemHostScDeviceEnumWiaRpctrkwksAudioEndpointBuilderhidservdot3svcDsSvcfhsvcWPDBusEnumsvsvcwlansvcEmbeddedModeirmonSensorServicevmicvssNgcSvcsysmainDevQueryBrokerStorSvcvmickvpexchangevmicshutdownvmicguestinterfacevmicvmsessionNcbServiceNetmanDeviceAssociationServiceTabletInputServicePcaSvcIPxlatCfgSvcCscServiceUmRdpService
Source: FileOpenBroker64.exe, 00000014.00000002.513758365.0000024DCA2A1000.00000004.00000020.00020000.00000000.sdmp, FileOpenBroker64.exe, 00000014.00000002.513758365.0000024DCA2E8000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001B.00000002.430954451.000001B6BCAEB000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001B.00000002.430712720.000001B6BCA7B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001B.00000002.430898633.000001B6BCAD8000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW
Source: svchost.exe, 00000003.00000002.513706810.000002B56F628000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000004.00000002.513825993.0000023F6823E000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000005.00000002.513816410.000001F464A29000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll

Source: C:\Program Files\FileOpen\Services\FileOpenManager64.exe

Code function: 19_2_00007FF7967FDEE4 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,

Source: C:\Program Files\FileOpen\Services\FileOpenManager64.exe

Code function: 19_2_00007FF7967A5A00 LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,AllocateAndInitializeSid,AllocateAndInitializeSid,LocalFree,FreeSid,FreeSid,LocalFree,FreeLibrary,

Source: C:\Program Files\FileOpen\Services\FileOpenManager64.exe

Code function: 19_2_00007FF7967ADD70 GetProcessHeap,HeapFree,

Source: C:\Program Files\FileOpen\Services\FileOpenManager64.exe	Code function: 19_2_00007FF7967D5A68 SetUnhandledExceptionFilter,_invalid_parameter_noinfo,
Source: C:\Program Files\FileOpen\Services\FileOpenManager64.exe	Code function: 19_2_00007FF7967FDEE4 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,
Source: C:\Program Files\FileOpen\Services\FileOpenManager64.exe	Code function: 19_2_00007FF7967D68C0 SetUnhandledExceptionFilter,
Source: C:\Program Files\FileOpen\Services\FileOpenManager64.exe	Code function: 19_2_00007FF7967D66D8 IsProcessorFeaturePresent,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,
Source: C:\Program Files\FileOpen\Services\FileOpenBroker64.exe	Code function: 20_2_00007FF72BE5D990 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,
Source: C:\Program Files\FileOpen\Services\FileOpenBroker64.exe	Code function: 20_2_00007FF72BED4010 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,

Source: C:\Program Files\FileOpen\Services\FileOpenManager64.exe

Code function: 19_2_00007FF7967B7640 GetModuleHandleA,GetProcAddress,AllocateAndInitializeSid,AllocateAndInitializeSid,GetCurrentProcess,AllocateAndInitializeSid,SetEntriesInAclA,InitializeSecurityDescriptor,SetSecurityDescriptorDacl,FreeSid,FreeSid,FreeSid,LocalFree,InitializeSecurityDescriptor,SetSecurityDescriptorDacl,

Source: C:\Program Files\FileOpen\Services\FileOpenManager64.exe

Source: C:\Program Files\FileOpen\Services\FileOpenBroker64.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Program Files\FileOpen\Services\FileOpenBroker64.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Program Files\FileOpen\Services\FileOpenBroker64.exe	Queries volume information: C:\ProgramData\FileOpen\Updates VolumeInformation
Source: C:\Program Files\FileOpen\Services\FileOpenBroker64.exe	Queries volume information: C:\ProgramData\FileOpen\Updates\Lists VolumeInformation
Source: C:\Program Files\FileOpen\Services\FileOpenBroker64.exe	Queries volume information: C:\ProgramData\FileOpen\Updates\L10n VolumeInformation
Source: C:\Program Files\FileOpen\Services\FileOpenBroker64.exe	Queries volume information: C:\ProgramData\FileOpen\Updates\Lists\fotkLsts.lcd VolumeInformation
Source: C:\Program Files\FileOpen\Services\FileOpenBroker64.exe	Queries volume information: C:\ProgramData\FileOpen\Updates\Lists\fotkLngs.lcd VolumeInformation
Source: C:\Program Files\FileOpen\Services\FileOpenBroker64.exe	Queries volume information: C:\ProgramData\FileOpen\Updates\Lists\fotkCnfs.lcd VolumeInformation
Source: C:\Program Files\FileOpen\Services\FileOpenBroker64.exe	Queries volume information: C:\ProgramData\FileOpen\Updates\Lists\fotkDrs.lcd VolumeInformation
Source: C:\Program Files\FileOpen\Services\FileOpenBroker64.exe	Queries volume information: C:\ProgramData\FileOpen\Updates\Lists\fotkPrs.lcd VolumeInformation
Source: C:\Program Files\FileOpen\Services\FileOpenBroker64.exe	Queries volume information: C:\ProgramData\FileOpen\Updates\Lists\fotkRds.lcd VolumeInformation
Source: C:\Program Files\FileOpen\Services\FileOpenBroker64.exe	Queries volume information: C:\ProgramData\FileOpen\Updates\Lists\fotkNis.lcd VolumeInformation
Source: C:\Program Files\FileOpen\Services\FileOpenBroker64.exe	Queries volume information: C:\ProgramData\FileOpen\Updates\Lists\fotkBus.lcd VolumeInformation
Source: C:\Program Files\FileOpen\Services\FileOpenBroker64.exe	Queries volume information: C:\ProgramData\FileOpen\Updates\L10n\fotk_de.lcd VolumeInformation
Source: C:\Program Files\FileOpen\Services\FileOpenBroker64.exe	Queries volume information: C:\ProgramData\FileOpen\Updates\L10n\fotk_fr.lcd VolumeInformation
Source: C:\Program Files\FileOpen\Services\FileOpenBroker64.exe	Queries volume information: C:\ProgramData\FileOpen\Updates\L10n\fotk_zh.lcd VolumeInformation
Source: C:\Program Files\FileOpen\Services\FileOpenBroker64.exe	Queries volume information: C:\ProgramData\FileOpen\Updates\L10n\fotk_ja.lcd VolumeInformation
Source: C:\Program Files\FileOpen\Services\FileOpenBroker64.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Program Files\FileOpen\Services\FileOpenBroker64.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Program Files\FileOpen\Services\FileOpenBroker64.exe	Queries volume information: C:\ProgramData\FileOpen\Updates VolumeInformation
Source: C:\Program Files\FileOpen\Services\FileOpenBroker64.exe	Queries volume information: C:\ProgramData\FileOpen\Updates\Lists VolumeInformation
Source: C:\Program Files\FileOpen\Services\FileOpenBroker64.exe	Queries volume information: C:\ProgramData\FileOpen\Updates\L10n VolumeInformation
Source: C:\Program Files\FileOpen\Services\FileOpenBroker64.exe	Queries volume information: C:\ProgramData\FileOpen\Updates\Lists\fotkLsts.lcd VolumeInformation
Source: C:\Program Files\FileOpen\Services\FileOpenBroker64.exe	Queries volume information: C:\ProgramData\FileOpen\Updates\Lists\fotkLngs.lcd VolumeInformation
Source: C:\Program Files\FileOpen\Services\FileOpenBroker64.exe	Queries volume information: C:\ProgramData\FileOpen\Updates\Lists\fotkCnfs.lcd VolumeInformation
Source: C:\Program Files\FileOpen\Services\FileOpenBroker64.exe	Queries volume information: C:\ProgramData\FileOpen\Updates\Lists\fotkDrs.lcd VolumeInformation
Source: C:\Program Files\FileOpen\Services\FileOpenBroker64.exe	Queries volume information: C:\ProgramData\FileOpen\Updates\Lists\fotkPrs.lcd VolumeInformation
Source: C:\Program Files\FileOpen\Services\FileOpenBroker64.exe	Queries volume information: C:\ProgramData\FileOpen\Updates\Lists\fotkRds.lcd VolumeInformation
Source: C:\Program Files\FileOpen\Services\FileOpenBroker64.exe	Queries volume information: C:\ProgramData\FileOpen\Updates\Lists\fotkNis.lcd VolumeInformation
Source: C:\Program Files\FileOpen\Services\FileOpenBroker64.exe	Queries volume information: C:\ProgramData\FileOpen\Updates\Lists\fotkBus.lcd VolumeInformation
Source: C:\Program Files\FileOpen\Services\FileOpenBroker64.exe	Queries volume information: C:\ProgramData\FileOpen\Updates\L10n\fotk_de.lcd VolumeInformation
Source: C:\Program Files\FileOpen\Services\FileOpenBroker64.exe	Queries volume information: C:\ProgramData\FileOpen\Updates\L10n\fotk_fr.lcd VolumeInformation
Source: C:\Program Files\FileOpen\Services\FileOpenBroker64.exe	Queries volume information: C:\ProgramData\FileOpen\Updates\L10n\fotk_zh.lcd VolumeInformation
Source: C:\Program Files\FileOpen\Services\FileOpenBroker64.exe	Queries volume information: C:\ProgramData\FileOpen\Updates\L10n\fotk_ja.lcd VolumeInformation

Source: C:\Program Files\FileOpen\Services\FileOpenManager64.exe	Code function: try_get_function,GetLocaleInfoW,
Source: C:\Program Files\FileOpen\Services\FileOpenManager64.exe	Code function: GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,
Source: C:\Program Files\FileOpen\Services\FileOpenManager64.exe	Code function: EnumSystemLocalesW,
Source: C:\Program Files\FileOpen\Services\FileOpenManager64.exe	Code function: EnumSystemLocalesW,
Source: C:\Program Files\FileOpen\Services\FileOpenManager64.exe	Code function: EnumSystemLocalesW,
Source: C:\Program Files\FileOpen\Services\FileOpenManager64.exe	Code function: EnumSystemLocalesW,
Source: C:\Program Files\FileOpen\Services\FileOpenManager64.exe	Code function: EnumSystemLocalesW,

Source: C:\Program Files\FileOpen\Services\FileOpenManager64.exe

Code function: 19_2_00007FF7968346C0 cpuid

Source: C:\Program Files\FileOpen\Services\FileOpenManager64.exe

Code function: 19_2_00007FF79681D338 try_get_function,GetSystemTimeAsFileTime,

Source: C:\Program Files\FileOpen\Services\FileOpenBroker64.exe

Code function: 20_2_00007FF72BECF02C _get_daylight,_get_daylight,_get_daylight,GetTimeZoneInformation,

Source: C:\Program Files\FileOpen\Services\FileOpenManager64.exe

Code function: 19_2_00007FF7967CB820 GetVersion,

Lowering of HIPS / PFW / Operating System Security Settings

Changes security center settings (notifications, updates, antivirus, firewall)

Source: C:\Windows\System32\svchost.exe

Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center cval

Jump to behavior

Source: C:\Windows\System32\svchost.exe	WMI Queries: IWbemServices::ExecNotificationQuery - ROOT\SecurityCenter : SELECT * FROM __InstanceOperationEvent WHERE TargetInstance ISA 'AntiVirusProduct' OR TargetInstance ISA 'FirewallProduct' OR TargetInstance ISA 'AntiSpywareProduct'
Source: C:\Windows\System32\svchost.exe	WMI Queries: IWbemServices::CreateInstanceEnum - ROOT\SecurityCenter2 : FirewallProduct
Source: C:\Windows\System32\svchost.exe	WMI Queries: IWbemServices::CreateInstanceEnum - ROOT\SecurityCenter2 : AntiVirusProduct
Source: C:\Windows\System32\svchost.exe	WMI Queries: IWbemServices::CreateInstanceEnum - ROOT\SecurityCenter2 : AntiSpywareProduct

Source: svchost.exe, 00000008.00000002.514658058.0000012DB2D54000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \BullGuard Ltd\BullGuard\BullGuard.exe
Source: svchost.exe, 0000000A.00000002.513889979.00000214A9902000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000A.00000002.513757813.00000214A9829000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: %ProgramFiles%\Windows Defender\MsMpeng.exe
Source: svchost.exe, 00000008.00000002.514706322.0000012DB2DAE000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: .@C:\Program Files\BullGuard Ltd\BullGuard\BullGuard.exe

Mitre Att&ck Matrix

Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Exfiltration	Command and Control	Network Effects	Remote Service Effects	Impact
Valid Accounts	1 Windows Management Instrumentation	1 DLL Side-Loading	1 DLL Side-Loading	1 Disable or Modify Tools	OS Credential Dumping	2 System Time Discovery	Remote Services	1 Archive Collected Data	Exfiltration Over Other Network Medium	2 Ingress Tool Transfer	Eavesdrop on Insecure Network Communication	Remotely Track Device Without Authorization	Modify System Partition
Default Accounts	2 Native API	16 Windows Service	1 Access Token Manipulation	11 Deobfuscate/Decode Files or Information	LSASS Memory	1 File and Directory Discovery	Remote Desktop Protocol	Data from Removable Media	Exfiltration Over Bluetooth	11 Encrypted Channel	Exploit SS7 to Redirect Phone Calls/SMS	Remotely Wipe Data Without Authorization	Device Lockout
Domain Accounts	12 Command and Scripting Interpreter	1 Registry Run Keys / Startup Folder	16 Windows Service	1 Obfuscated Files or Information	Security Account Manager	44 System Information Discovery	SMB/Windows Admin Shares	Data from Network Shared Drive	Automated Exfiltration	3 Non-Application Layer Protocol	Exploit SS7 to Track Device Location	Obtain Device Cloud Backups	Delete Device Data
Local Accounts	13 Service Execution	Logon Script (Mac)	1 Process Injection	1 DLL Side-Loading	NTDS	151 Security Software Discovery	Distributed Component Object Model	Input Capture	Scheduled Transfer	4 Application Layer Protocol	SIM Card Swap		Carrier Billing Fraud
Cloud Accounts	Cron	Network Logon Script	1 Registry Run Keys / Startup Folder	3 Masquerading	LSA Secrets	12 Virtualization/Sandbox Evasion	SSH	Keylogging	Data Transfer Size Limits	Fallback Channels	Manipulate Device Communication		Manipulate App Store Rankings or Ratings
Replication Through Removable Media	Launchd	Rc.common	Rc.common	12 Virtualization/Sandbox Evasion	Cached Domain Credentials	2 Process Discovery	VNC	GUI Input Capture	Exfiltration Over C2 Channel	Multiband Communication	Jamming or Denial of Service		Abuse Accessibility Features
External Remote Services	Scheduled Task	Startup Items	Startup Items	1 Access Token Manipulation	DCSync	2 System Owner/User Discovery	Windows Remote Management	Web Portal Capture	Exfiltration Over Alternative Protocol	Commonly Used Port	Rogue Wi-Fi Access Points		Data Encrypted for Impact
Drive-by Compromise	Command and Scripting Interpreter	Scheduled Task/Job	Scheduled Task/Job	1 Process Injection	Proc Filesystem	1 Remote System Discovery	Shared Webroot	Credential API Hooking	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Application Layer Protocol	Downgrade to Insecure Protocols		Generate Fraudulent Advertising Revenue
Exploit Public-Facing Application	PowerShell	At (Linux)	At (Linux)	Masquerading	/etc/passwd and /etc/shadow	1 System Network Configuration Discovery	Software Deployment Tools	Data Staged	Exfiltration Over Asymmetric Encrypted Non-C2 Protocol	Web Protocols	Rogue Cellular Base Station		Data Destruction

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
FileOpenInstaller.exe	0%	ReversingLabs
FileOpenInstaller.exe	0%	Virustotal		Browse

Dropped Files

Source	Detection	Scanner
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\FileOpen.api (copy)	2%	ReversingLabs
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\is-U9E22.tmp	2%	ReversingLabs
C:\Program Files\FileOpen\Services\FileOpenBroker64.exe (copy)	0%	ReversingLabs
C:\Program Files\FileOpen\Services\FileOpenManager64.exe (copy)	0%	ReversingLabs
C:\Program Files\FileOpen\Services\is-GL49N.tmp	0%	ReversingLabs
C:\Program Files\FileOpen\Services\is-KGJ5A.tmp	0%	ReversingLabs
C:\Program Files\FileOpen\UtilDll.dll (copy)	0%	ReversingLabs
C:\Program Files\FileOpen\is-BU7MM.tmp	0%	ReversingLabs
C:\Program Files\FileOpen\is-LL3TI.tmp	0%	ReversingLabs
C:\Program Files\FileOpen\unins000.exe (copy)	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\is-0FUR6.tmp\FileOpenInstaller.tmp	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\is-IORDB.tmp\UtilDll.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\is-IORDB.tmp\_isetup\_setup64.tmp	0%	ReversingLabs

Source	Detection	Scanner	Label	Link
http://www.innosetup.com/	0%	URL Reputation	safe
http://help.disneyplus.com	0%	Virustotal		Browse
https://www.disneyplus.com/legal/your-california-privacy-rights	0%	URL Reputation	safe
https://www.tiktok.com/legal/report/feedback	0%	URL Reputation	safe
https://disneyplus.com/legal/subscriber-agreement	0%	Avira URL Cloud	safe
https://%s.xboxlive.com	0%	URL Reputation	safe
http://help.disneyplus.com	0%	Avira URL Cloud	safe
https://www.disneyplus.com/legal/privacy-policy	0%	URL Reputation	safe
https://dynamic.t	0%	URL Reputation	safe
http://www.remobjects.com/ps	0%	URL Reputation	safe
https://%s.dnet.xboxlive.com	0%	URL Reputation	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
usr.fileopen.com	72.3.136.136	true	false		high
plugin.fileopen.com	72.3.136.132	true	false		high

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
https://usr.fileopen.com/check/usr/aZBj6Q+rFX1ikU6tKzx6k1ti\|QIahCGjsg4RWrsiwFk=	false		high

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
https://jrsoftware.org/ishelp/index.php?topic=setupcmdlineSetupU	FileOpenInstaller.exe	false		high
https://disneyplus.com/legal/subscriber-agreement	svchost.exe, 0000001B.00000003.411594025.000001B6BD59A000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001B.00000003.411629471.000001B6BD577000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001B.00000003.411738099.000001B6BD5A4000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001B.00000003.411694374.000001B6BD588000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://dev.ditu.live.com/REST/v1/Routes/	svchost.exe, 00000006.00000002.313394059.0000029DADC3D000.00000004.00000020.00020000.00000000.sdmp	false		high
https://dev.virtualearth.net/REST/v1/Routes/Driving	svchost.exe, 00000006.00000003.312665346.0000029DADC61000.00000004.00000020.00020000.00000000.sdmp	false		high
http://plugin.fileopen.com/.	FileOpenInstaller.tmp, 00000001.00000003.330327512.0000000003855000.00000004.00001000.00020000.00000000.sdmp, FileOpenInstaller.tmp, 00000001.00000003.330327512.00000000039FE000.00000004.00001000.00020000.00000000.sdmp, FileOpenInstaller.tmp, 00000001.00000003.330327512.00000000037D0000.00000004.00001000.00020000.00000000.sdmp, FileOpenBroker64.exe, 00000014.00000002.514802671.00007FF72BF0B000.00000002.00000001.01000000.0000000A.sdmp, FileOpenBroker64.exe, 00000014.00000002.513758365.0000024DCA23C000.00000004.00000020.00020000.00000000.sdmp, FileOpenBroker64.exe, 00000014.00000000.321969420.00007FF72BF0B000.00000002.00000001.01000000.0000000A.sdmp, FileOpenBroker64.exe, 00000016.00000002.340776018.000001B8CBDC0000.00000004.00000020.00020000.00000000.sdmp, FileOpenBroker64.exe, 00000016.00000002.341394742.00007FF72BF0B000.00000002.00000001.01000000.0000000A.sdmp, FileOpenBroker64.exe, 00000016.00000000.339698525.00007FF72BF0B000.00000002.00000001.01000000.0000000A.sdmp, is-KGJ5A.tmp.1.dr, is-U9E22.tmp.1.dr	false		high
https://t0.ssl.ak.dynamic.tiles.virtualearth.net/comp/gen.ashx	svchost.exe, 00000006.00000002.313394059.0000029DADC3D000.00000004.00000020.00020000.00000000.sdmp	false		high
https://dev.ditu.live.com/REST/v1/Traffic/Incidents/	svchost.exe, 00000006.00000002.313417322.0000029DADC5C000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000006.00000003.312883589.0000029DADC5A000.00000004.00000020.00020000.00000000.sdmp	false		high
https://t0.tiles.ditu.live.com/tiles/gen	svchost.exe, 00000006.00000003.312477211.0000029DADC47000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000006.00000002.313409269.0000029DADC4D000.00000004.00000020.00020000.00000000.sdmp	false		high
https://plugin.fileopen.com/E	FileOpenBroker64.exe, 00000014.00000002.514485574.0000024DCC030000.00000004.00000020.00020000.00000000.sdmp	false		high
https://dev.virtualearth.net/REST/v1/Routes/Walking	svchost.exe, 00000006.00000003.312665346.0000029DADC61000.00000004.00000020.00020000.00000000.sdmp	false		high
http://plugin.fileopen.com/.z&	FileOpenBroker64.exe, 00000014.00000002.513758365.0000024DCA23C000.00000004.00000020.00020000.00000000.sdmp	false		high
https://dev.virtualearth.net/mapcontrol/HumanScaleServices/GetBubbles.ashx?n=	svchost.exe, 00000006.00000003.312972855.0000029DADC40000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000006.00000002.313401443.0000029DADC42000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000006.00000003.313036808.0000029DADC41000.00000004.00000020.00020000.00000000.sdmp	false		high
https://dev.ditu.live.com/mapcontrol/logging.ashx	svchost.exe, 00000006.00000003.312665346.0000029DADC61000.00000004.00000020.00020000.00000000.sdmp	false		high
https://usr.fileopen.com/check/usr/aZBj6Q	FileOpenBroker64.exe, 00000014.00000002.513758365.0000024DCA272000.00000004.00000020.00020000.00000000.sdmp	false		high
https://dev.ditu.live.com/REST/v1/Imagery/Copyright/	svchost.exe, 00000006.00000003.312883589.0000029DADC5A000.00000004.00000020.00020000.00000000.sdmp	false		high
https://plugin.fileopen.com/installcomplete.ashx?Request=Setting&Stamp=1675822537&Mode=CNR&USR=10007	FileOpenBroker64.exe, 00000014.00000002.513758365.0000024DCA2E8000.00000004.00000020.00020000.00000000.sdmp	false		high
https://t0.ssl.ak.dynamic.tiles.virtualearth.net/odvs/gri?pv=1&r=	svchost.exe, 00000006.00000003.312972855.0000029DADC40000.00000004.00000020.00020000.00000000.sdmp	false		high
http://fileopen.com/updates	FileOpenInstaller.tmp, 00000001.00000003.330327512.0000000003855000.00000004.00001000.00020000.00000000.sdmp, FileOpenInstaller.tmp, 00000001.00000003.330327512.00000000039FE000.00000004.00001000.00020000.00000000.sdmp, FileOpenInstaller.tmp, 00000001.00000003.330327512.00000000037D0000.00000004.00001000.00020000.00000000.sdmp, FileOpenBroker64.exe, 00000014.00000002.514802671.00007FF72BF0B000.00000002.00000001.01000000.0000000A.sdmp, FileOpenBroker64.exe, 00000014.00000000.321969420.00007FF72BF0B000.00000002.00000001.01000000.0000000A.sdmp, FileOpenBroker64.exe, 00000016.00000002.341394742.00007FF72BF0B000.00000002.00000001.01000000.0000000A.sdmp, FileOpenBroker64.exe, 00000016.00000000.339698525.00007FF72BF0B000.00000002.00000001.01000000.0000000A.sdmp, is-KGJ5A.tmp.1.dr, is-U9E22.tmp.1.dr	false		high
https://dev.virtualearth.net/REST/v1/Transit/Schedules/	svchost.exe, 00000006.00000003.313036808.0000029DADC41000.00000004.00000020.00020000.00000000.sdmp	false		high
http://www.fileopen.com/request-tech-support/Zhttp://www.fileopen.com/request-tech-support/	FileOpenInstaller.exe, 00000000.00000003.249527175.0000000002580000.00000004.00001000.00020000.00000000.sdmp, FileOpenInstaller.tmp, 00000001.00000003.255479179.00000000033F0000.00000004.00001000.00020000.00000000.sdmp	false		high
http://help.disneyplus.com	svchost.exe, 0000001B.00000003.411594025.000001B6BD59A000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001B.00000003.411629471.000001B6BD577000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001B.00000003.411738099.000001B6BD5A4000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001B.00000003.411694374.000001B6BD588000.00000004.00000020.00020000.00000000.sdmp	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
http://www.fileopen.com/0	FileOpenInstaller.exe, FileOpenInstaller.tmp.0.dr	false		high
http://www.bingmapsportal.com	svchost.exe, 00000006.00000002.313352938.0000029DADC13000.00000004.00000020.00020000.00000000.sdmp	false		high
https://ecn.dev.virtualearth.net/REST/v1/Imagery/Copyright/	svchost.exe, 00000006.00000002.313394059.0000029DADC3D000.00000004.00000020.00020000.00000000.sdmp	false		high
http://www.fileopen.com/request-tech-support/Q/3	FileOpenInstaller.exe, 00000000.00000003.339885366.0000000002331000.00000004.00001000.00020000.00000000.sdmp	false		high
https://plugin.fileopen.com/	FileOpenBroker64.exe, 00000014.00000002.514485574.0000024DCC030000.00000004.00000020.00020000.00000000.sdmp	false		high
http://www.innosetup.com/	FileOpenInstaller.exe, 00000000.00000003.249970577.00000000026C0000.00000004.00001000.00020000.00000000.sdmp, FileOpenInstaller.exe, 00000000.00000003.250333831.000000007FBB0000.00000004.00001000.00020000.00000000.sdmp, FileOpenInstaller.tmp, 00000001.00000000.252856251.0000000000401000.00000020.00000001.01000000.00000004.sdmp, FileOpenInstaller.tmp.0.dr	false	URL Reputation: safe	unknown
https://dynamic.t0.tiles.ditu.live.com/comp/gen.ashx	svchost.exe, 00000006.00000003.312665346.0000029DADC61000.00000004.00000020.00020000.00000000.sdmp	false		high
https://www.disneyplus.com/legal/your-california-privacy-rights	svchost.exe, 0000001B.00000003.411594025.000001B6BD59A000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001B.00000003.411629471.000001B6BD577000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001B.00000003.411738099.000001B6BD5A4000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001B.00000003.411694374.000001B6BD588000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://t0.ssl.ak.dynamic.tiles.virtualearth.net/odvs/gdv?pv=1&r=	svchost.exe, 00000006.00000003.312991453.0000029DADC56000.00000004.00000020.00020000.00000000.sdmp	false		high
http://www.fileopen.com/request-tech-support/qM	FileOpenInstaller.tmp, 00000001.00000003.335133861.0000000000D14000.00000004.00001000.00020000.00000000.sdmp	false		high
https://dev.virtualearth.net/REST/v1/Routes/	svchost.exe, 00000006.00000002.313394059.0000029DADC3D000.00000004.00000020.00020000.00000000.sdmp	false		high
https://t0.ssl.ak.dynamic.tiles.virtualearth.net/odvs/gdi?pv=1&r=	svchost.exe, 00000006.00000003.312972855.0000029DADC40000.00000004.00000020.00020000.00000000.sdmp	false		high
https://dev.virtualearth.net/webservices/v1/LoggingService/LoggingService.svc/Log?	svchost.exe, 00000006.00000002.313417322.0000029DADC5C000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000006.00000003.312972855.0000029DADC40000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000006.00000003.312883589.0000029DADC5A000.00000004.00000020.00020000.00000000.sdmp	false		high
https://www.tiktok.com/legal/report/feedback	svchost.exe, 0000001B.00000003.413351324.000001B6BD585000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001B.00000003.413374045.000001B6BD5A7000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001B.00000003.413365349.000001B6BD596000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001B.00000003.413397653.000001B6BDA18000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001B.00000003.413430330.000001B6BD585000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001B.00000003.413413969.000001B6BDA02000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001B.00000003.413383708.000001B6BDA18000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://t0.ssl.ak.dynamic.tiles.virtualearth.net/odvs/gd?pv=1&r=	svchost.exe, 00000006.00000002.313394059.0000029DADC3D000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000006.00000002.313352938.0000029DADC13000.00000004.00000020.00020000.00000000.sdmp	false		high
https://%s.xboxlive.com	svchost.exe, 00000004.00000002.513825993.0000023F6823E000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	low
https://dev.ditu.live.com/mapcontrol/mapconfiguration.ashx?name=native&v=	svchost.exe, 00000006.00000003.312477211.0000029DADC47000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000006.00000002.313409269.0000029DADC4D000.00000004.00000020.00020000.00000000.sdmp	false		high
https://dev.virtualearth.net/REST/v1/Locations	svchost.exe, 00000006.00000003.312665346.0000029DADC61000.00000004.00000020.00020000.00000000.sdmp	false		high
https://ecn.dev.virtualearth.net/mapcontrol/mapconfiguration.ashx?name=native&v=	svchost.exe, 00000006.00000003.312972855.0000029DADC40000.00000004.00000020.00020000.00000000.sdmp	false		high
https://dev.virtualearth.net/mapcontrol/logging.ashx	svchost.exe, 00000006.00000003.312665346.0000029DADC61000.00000004.00000020.00020000.00000000.sdmp	false		high
https://usr.fileopen.com/	FileOpenBroker64.exe, 00000014.00000002.513758365.0000024DCA2A1000.00000004.00000020.00020000.00000000.sdmp	false		high
https://dynamic.api.tiles.ditu.live.com/odvs/gdi?pv=1&r=	svchost.exe, 00000006.00000002.313417322.0000029DADC5C000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000006.00000003.312883589.0000029DADC5A000.00000004.00000020.00020000.00000000.sdmp	false		high
https://www.disneyplus.com/legal/privacy-policy	svchost.exe, 0000001B.00000003.411594025.000001B6BD59A000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001B.00000003.411629471.000001B6BD577000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001B.00000003.411738099.000001B6BD5A4000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001B.00000003.411694374.000001B6BD588000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://plugin.fileopen.com/installcomplete.ashx?Request=DocPerm&Stamp=1675822538&Mode=CNR&USR=10007	FileOpenBroker64.exe, 00000014.00000002.514485574.0000024DCC030000.00000004.00000020.00020000.00000000.sdmp	false		high
http://www.fileopen.com/request-tech-support/	FileOpenInstaller.exe, 00000000.00000003.339885366.0000000002331000.00000004.00001000.00020000.00000000.sdmp, FileOpenInstaller.tmp, 00000001.00000003.335133861.0000000000D14000.00000004.00001000.00020000.00000000.sdmp	false		high
https://dev.virtualearth.net/REST/v1/JsonFilter/VenueMaps/data/	svchost.exe, 00000006.00000002.313417322.0000029DADC5C000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000006.00000003.312883589.0000029DADC5A000.00000004.00000020.00020000.00000000.sdmp	false		high
https://dynamic.t	svchost.exe, 00000006.00000002.313430643.0000029DADC65000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://fileopen.com	FileOpenInstaller.tmp, 00000001.00000003.330327512.0000000003855000.00000004.00001000.00020000.00000000.sdmp, FileOpenInstaller.tmp, 00000001.00000003.330327512.00000000039FE000.00000004.00001000.00020000.00000000.sdmp, FileOpenInstaller.tmp, 00000001.00000003.330327512.0000000003C10000.00000004.00001000.00020000.00000000.sdmp, FileOpenBroker64.exe, FileOpenBroker64.exe, 00000014.00000000.323167265.00007FF72BF88000.00000002.00000001.01000000.0000000A.sdmp, FileOpenBroker64.exe, 00000016.00000002.341623060.00007FF72BF88000.00000002.00000001.01000000.0000000A.sdmp, is-KGJ5A.tmp.1.dr, is-U9E22.tmp.1.dr	false		high
http://www.fileopen.com/%sPlugin	is-U9E22.tmp.1.dr	false		high
https://dev.virtualearth.net/REST/v1/Routes/Transit	svchost.exe, 00000006.00000003.312665346.0000029DADC61000.00000004.00000020.00020000.00000000.sdmp	false		high
https://t0.ssl.ak.tiles.virtualearth.net/tiles/gen	svchost.exe, 00000006.00000003.290703561.0000029DADC32000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000006.00000002.313374724.0000029DADC3B000.00000004.00000020.00020000.00000000.sdmp	false		high
https://dynamic.api.tiles.ditu.live.com/odvs/gdv?pv=1&r=	svchost.exe, 00000006.00000002.313417322.0000029DADC5C000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000006.00000003.312883589.0000029DADC5A000.00000004.00000020.00020000.00000000.sdmp	false		high
http://www.remobjects.com/ps	FileOpenInstaller.exe, 00000000.00000003.249970577.00000000026C0000.00000004.00001000.00020000.00000000.sdmp, FileOpenInstaller.exe, 00000000.00000003.250333831.000000007FBB0000.00000004.00001000.00020000.00000000.sdmp, FileOpenInstaller.tmp, 00000001.00000000.252856251.0000000000401000.00000020.00000001.01000000.00000004.sdmp, FileOpenInstaller.tmp.0.dr	false	URL Reputation: safe	unknown
https://activity.windows.com	svchost.exe, 00000004.00000002.513825993.0000023F6823E000.00000004.00000020.00020000.00000000.sdmp	false		high
https://dev.ditu.live.com/REST/v1/Locations	svchost.exe, 00000006.00000003.312665346.0000029DADC61000.00000004.00000020.00020000.00000000.sdmp	false		high
http://www.fileopen.com/%s	is-U9E22.tmp.1.dr	false		high
https://%s.dnet.xboxlive.com	svchost.exe, 00000004.00000002.513825993.0000023F6823E000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	low
https://dev.ditu.live.com/REST/v1/JsonFilter/VenueMaps/data/	svchost.exe, 00000006.00000002.313417322.0000029DADC5C000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000006.00000003.312883589.0000029DADC5A000.00000004.00000020.00020000.00000000.sdmp	false		high
https://dynamic.api.tiles.ditu.live.com/odvs/gd?pv=1&r=	svchost.exe, 00000006.00000003.312883589.0000029DADC5A000.00000004.00000020.00020000.00000000.sdmp	false		high

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
72.3.136.136	usr.fileopen.com	United States		33070	RMH-14US	false
72.3.136.132	plugin.fileopen.com	United States		33070	RMH-14US	false

Private

IP
192.168.2.1

General Information

Joe Sandbox Version:	36.0.0 Rainbow Opal
Analysis ID:	800687
Start date and time:	2023-02-07 18:13:58 +01:00
Joe Sandbox Product:	CloudBasic
Overall analysis duration:	0h 12m 6s
Hypervisor based Inspection enabled:	false
Report type:	light
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 104, IE 11, Adobe Reader DC 19, Java 8 Update 211
Run name:	Potential for more IOCs and behavior
Number of analysed new started processes analysed:	33
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled HDC enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample file name:	FileOpenInstaller.exe
Detection:	SUS
Classification:	sus26.evad.winEXE@40/98@2/3
EGA Information:	Successful, ratio: 100%
HDC Information:	Successful, ratio: 99.9% (good quality ratio 81.8%) Quality average: 61.9% Quality standard deviation: 38.1%
HCA Information:	Successful, ratio: 71% Number of executed functions: 0 Number of non-executed functions: 0
Cookbook Comments:	Found application associated with file extension: .exe

Warnings

Exclude process from analysis (whitelisted): BackgroundTransferHost.exe, backgroundTaskHost.exe, wuapihost.exe
Excluded IPs from analysis (whitelisted): 23.211.4.250, 2.21.22.179, 2.21.22.155, 20.82.228.9, 20.82.154.241
Excluded domains from analysis (whitelisted): fs.microsoft.com, eudb.ris.api.iris.microsoft.com, e4578.dscb.akamaiedge.net, acroipm2.adobe.com.edgesuite.net, ctldl.windowsupdate.com, arc.msn.com, acroipm2.adobe.com, neus1c-displaycatalog.frontdoor.bigcatalog.commerce.microsoft.com, ris.api.iris.microsoft.com, ssl.adobe.com.edgekey.net, rp-consumer-prod-displaycatalog-geomap.trafficmanager.net, armmf.adobe.com, a122.dscd.akamai.net, neus2c-displaycatalog.frontdoor.bigcatalog.commerce.microsoft.com, displaycatalog.mp.microsoft.com, img-prod-cms-rt-microsoft-com.akamaized.net, displaycatalog-rp.md.mp.microsoft.com.akadns.net
Not all processes where analyzed, report is missing behavior information
Report creation exceeded maximum time and may have missing disassembly code information.
Report size exceeded maximum capacity and may have missing behavior information.
Report size exceeded maximum capacity and may have missing disassembly code.
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtQueryValueKey calls found.
Report size getting too big, too many NtSetInformationFile calls found.

Simulations

Behavior and APIs

Time	Type	Description
18:15:28	Autostart	Run: HKLM64\Software\Microsoft\Windows\CurrentVersion\Run FileOpenBroker "C:\Program Files\FileOpen\Services\FileOpenBroker64.exe"
18:15:39	API Interceptor	1x Sleep call for process: RdrCEF.exe modified
18:16:10	API Interceptor	8x Sleep call for process: svchost.exe modified
18:16:16	API Interceptor	1x Sleep call for process: MpCmdRun.exe modified

Process:	C:\Users\user\AppData\Local\Temp\is-0FUR6.tmp\FileOpenInstaller.tmp
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	2241536
Entropy (8bit):	6.648410638768628
Encrypted:	false
SSDEEP:	49152:BusBOEuaRuJCN0900HR88Pix+oiDMpyQmdVqyWy9vSL6TzjolA:BuswEuaRzN090MRnP/fqyWyBS
MD5:	319DDB9C9900DD2BDFE2AF7009BF3A83
SHA1:	B5F8BB5055F944DFBC38720BC30C2747F2989116
SHA-256:	491673ED8FB7AFCF76204DD82079B365F4CD03EBC31452A40D45AA0F952038A5
SHA-512:	DFBBFCF35F39195C326AE7CA2B36224C460B4231AFA042562CE0DA0664316A5068A3BD7544937B53C6167412041DF7D0DB14612FFD11540D097998B52F060E1A
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 2%
Preview:	MZ......................@...................................(...........!..L.!This program cannot be run in DOS mode....$............................................................................1....................}.......}.......}.......}.y.............}.......Rich....................PE..L......b...........!.........r................................................*.......................................................).......................).0.......T...............................@...............\|............................text............................... ..`.rdata..............................@..@.data............L..................@....rsrc.........)...... !.............@..@.reloc..0.....)......2!.............@..B................................................................................................................................................................................................................................................................

Process:	C:\Windows\System32\svchost.exe
File Type:	XML 1.0 document, ASCII text, with very long lines (2494), with no line terminators
Category:	dropped
Size (bytes):	2494
Entropy (8bit):	5.228565864551621
Encrypted:	false
SSDEEP:	48:cAn/TLt0J/pXA1JVp/BJVIaSkC9+TON9Bs:pTLt0ZRA1QHksds
MD5:	D88760796BE364BC76C0A7470D9C3DD1
SHA1:	20C810DA01C5F8900ED15BFA7EB17E53A56A9519
SHA-256:	6CFF8173CE17D0D04EA758BCD349510AF229FAFE4871C8AA3117911F46553C35
SHA-512:	48168F46C4E48EDD9C9DE56C63174B83B2DA79E81728487CD2F8368341B3FA83BCCE718CFAF8472463A8F9B3864AA2D52B126987FAD18AE4C0044238F123DB5F
Malicious:	false
Preview:	<?xml version="1.0" encoding="UTF-8"?><updateStore><sessionVariables><permanent><AUOptions dataType="3">1</AUOptions><AllowMUUpdateService dataType="3">0</AllowMUUpdateService><AreUpdatesPausedByPolicy dataType="11">False</AreUpdatesPausedByPolicy><AttentionRequiredReason dataType="19">0</AttentionRequiredReason><CurrentState dataType="19">1</CurrentState><FirstScanAttemptTime dataType="21">132399998126404364</FirstScanAttemptTime><FlightEnabled dataType="3">0</FlightEnabled><LastError dataType="19">0</LastError><LastErrorState dataType="19">0</LastErrorState><LastErrorStateType dataType="11">False</LastErrorStateType><LastMeteredScanTime dataType="21">132399998126560620</LastMeteredScanTime><LastScanAttemptTime dataType="21">132399998126404364</LastScanAttemptTime><LastScanDeferredReason dataType="19">1</LastScanDeferredReason><LastScanDeferredTime dataType="21">133051636774803094</LastScanDeferredTime><LastScanFailureError dataType="3">-2147023838</LastScanFailureError><LastScanFailu

Process:	C:\Users\user\Desktop\FileOpenInstaller.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	3119936
Entropy (8bit):	6.073128166324036
Encrypted:	false
SSDEEP:	49152:IR/KpmZubPf2S8W2ILeWl+C1p9jWy5Mnd0wigbLNDH:O/jtYLP1Sy5i0qH
MD5:	B7988AC379CEAA456BAA3EF19EB55263
SHA1:	15C13A91E64739C76FF48E20C5BB4182AAD94339
SHA-256:	69383793D354F2A95D88F610B0559F321F37C97197554CD1E9D6D30B038C352D
SHA-512:	22D4544911F496B22AF502869CBDFBC371617A418EB8010319D1842A862F84CA2CA23F1BE505C5F03BD404CB2EE5E489B1FE86B3047356ACE3965F5494AA9FA6
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZP.....................@.......................InUn....................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L.....m^..................%...........%.......%...@..........................`0.....5./...@......@....................'.......&..5...0'.\|+...........z/.@!................................... '.....................L.&.H.....&......................text.....%.......%................. ..`.itext...&....%..(....%............. ..`.data...dZ....%..\....%.............@....bss.....x...0&..........................idata...5....&..6....&.............@....didata.......&......@&.............@....edata........'......J&.............@..@.tls....D.....'..........................rdata..].... '......L&.............@..@.rsrc...\|+...0'..,...N&.............@..@............. (......:'.............@..@........................................................

Process:	C:\Program Files\Windows Defender\MpCmdRun.exe
File Type:	Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	modified
Size (bytes):	9062
Entropy (8bit):	3.171024618297729
Encrypted:	false
SSDEEP:	192:cY+38+DJ5+inJg3+igJU+LY+XY+ntn+E5L+MQ+7:j+s+j+j3+12+0+I+9+C+b+7
MD5:	B3867667FD78121A3D480FAF35FE791D
SHA1:	DE8F33E392F49195542F3DB2FC023119072AFE3E
SHA-256:	0262501B23D931D43A30D35F9C84F3DF1A22346B6BC06057071E9D4862DED206
SHA-512:	757AAB98CC6DAC521051519AD7BFF9968B428A079CCDDAA31BDC6C5976BAC1BB4E91378C67C072DD4E5C28C20DEE5D981CF43B8221EB989551BBF6F407E783BD
Malicious:	false
Preview:	..........-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.....M.p.C.m.d.R.u.n.:. .C.o.m.m.a.n.d. .L.i.n.e.:. .".C.:.\.P.r.o.g.r.a.m. .F.i.l.e.s.\.W.i.n.d.o.w.s. .D.e.f.e.n.d.e.r.\.m.p.c.m.d.r.u.n...e.x.e.". .-.w.d.e.n.a.b.l.e..... .S.t.a.r.t. .T.i.m.e.:. .. T.h.u. .. J.u.n. .. 2.7. .. 2.0.1.9. .0.1.:.2.9.:.4.9.........M.p.E.n.s.u.r.e.P.r.o.c.e.s.s.M.i.t.i.g.a.t.i.o.n.P.o.l.i.c.y.:. .h.r. .=. .0.x.1.....W.D.E.n.a.b.l.e.....E.R.R.O.R.:. .M.p.W.D.E.n.a.b.l.e.(.T.R.U.E.). .f.a.i.l.e.d. .(.8.0.0.7.0.4.E.C.).....M.p.C.m.d.R.u.n.:. .E.n.d. .T.i.m.e.:. .. T.h.u. .. J.u.n. .. 2.7. .. 2.0.1.9. .0.1.:.2.9.:.4.9.....-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.............-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.

Entrypoint:	0x4b5eec
Entrypoint Section:	.itext
Digitally signed:	true
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, BYTES_REVERSED_LO, 32BIT_MACHINE, BYTES_REVERSED_HI
DLL Characteristics:	DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Time Stamp:	0x5E6D1B8D [Sat Mar 14 17:59:41 2020 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	6
OS Version Minor:	0
File Version Major:	6
File Version Minor:	0
Subsystem Version Major:	6
Subsystem Version Minor:	0
Import Hash:	5a594319a0d69dbc452e748bcf05892e

Signature Valid:	true
Signature Issuer:	CN=DigiCert EV Code Signing CA (SHA2), OU=www.digicert.com, O=DigiCert Inc, C=US
Signature Validation Error:	The operation completed successfully
Error Number:	0
Not Before, Not After	3/1/2021 4:00:00 PM 3/1/2023 3:59:59 PM
Subject Chain	CN=FileOpen Systems Inc., O=FileOpen Systems Inc., L=Santa Cruz, S=California, C=US, SERIALNUMBER=5070649, OID.1.3.6.1.4.1.311.60.2.1.2=Delaware, OID.1.3.6.1.4.1.311.60.2.1.3=US, OID.2.5.4.15=Private Organization
Version:	3
Thumbprint MD5:	672CE4183DD35C3C4E6ABD4CAF549C09
Thumbprint SHA-1:	42E58D6C0DCC7076DDEB6E71534CB1F0913CD6C9
Thumbprint SHA-256:	BB460A91449CA5F96957CE80966CF8CC861F26A2FAA340DD81D50A41B9885AE8
Serial:	0FDAD5722CB13F7F2013A1CA98D144FE

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0xc4000	0x9a	.edata
IMAGE_DIRECTORY_ENTRY_IMPORT	0xc2000	0xf36	.idata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0xc7000	0x88578	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x681ba8	0x2140
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x0	0x0
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0xc6000	0x18	.rdata
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0xc22e4	0x244	.idata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0xc3000	0x1a4	.didata
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Name	Virtual Address	Virtual Size	Raw Size	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0xb3604	0xb3800	False	0.34484761272632314	data	6.354329115342966	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.itext	0xb5000	0x1684	0x1800	False	0.5445963541666666	data	5.970901565517897	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.data	0xb7000	0x37a4	0x3800	False	0.36104910714285715	data	5.0421620677813435	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.bss	0xbb000	0x6da0	0x0	False	0	empty	0.0	IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.idata	0xc2000	0xf36	0x1000	False	0.3681640625	data	4.8987046479600425	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.didata	0xc3000	0x1a4	0x200	False	0.345703125	data	2.7563628682496506	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.edata	0xc4000	0x9a	0x200	False	0.2578125	data	1.8722228665884297	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.tls	0xc5000	0x18	0x0	False	0	empty	0.0	IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rdata	0xc6000	0x5d	0x200	False	0.189453125	data	1.3838943752217987	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.rsrc	0xc7000	0x88578	0x88600	False	0.05596571379468378	data	3.1574910512692473	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ

Name	RVA	Size	Type	Language	Country
RT_ICON	0xc7798	0x42028	Device independent bitmap graphic, 256 x 512 x 32, image size 262144	English	United States
RT_ICON	0x1097c0	0x10828	Device independent bitmap graphic, 128 x 256 x 32, image size 65536	English	United States
RT_ICON	0x119fe8	0x94a8	Device independent bitmap graphic, 96 x 192 x 32, image size 36864	English	United States
RT_ICON	0x123490	0x4228	Device independent bitmap graphic, 64 x 128 x 32, image size 16384	English	United States
RT_ICON	0x1276b8	0x25a8	Device independent bitmap graphic, 48 x 96 x 32, image size 9216	English	United States
RT_ICON	0x129c60	0x10a8	Device independent bitmap graphic, 32 x 64 x 32, image size 4096	English	United States
RT_ICON	0x12ad08	0x988	Device independent bitmap graphic, 24 x 48 x 32, image size 2304	English	United States
RT_ICON	0x12b690	0x468	Device independent bitmap graphic, 16 x 32 x 32, image size 1024	English	United States
RT_ICON	0x12baf8	0x12428	Device independent bitmap graphic, 256 x 512 x 8, image size 65536	English	United States
RT_ICON	0x13df20	0x4c28	Device independent bitmap graphic, 128 x 256 x 8, image size 16384	English	United States
RT_ICON	0x142b48	0x2ca8	Device independent bitmap graphic, 96 x 192 x 8, image size 9216	English	United States
RT_ICON	0x1457f0	0x1628	Device independent bitmap graphic, 64 x 128 x 8, image size 4096	English	United States
RT_ICON	0x146e18	0xea8	Device independent bitmap graphic, 48 x 96 x 8, image size 2304	English	United States
RT_ICON	0x147cc0	0x8a8	Device independent bitmap graphic, 32 x 64 x 8, image size 1024	English	United States
RT_ICON	0x148568	0x6c8	Device independent bitmap graphic, 24 x 48 x 8, image size 576	English	United States
RT_ICON	0x148c30	0x568	Device independent bitmap graphic, 16 x 32 x 8, image size 256	English	United States
RT_ICON	0x149198	0x2868	Device independent bitmap graphic, 128 x 256 x 4, image size 8192	English	United States
RT_ICON	0x14ba00	0xa68	Device independent bitmap graphic, 64 x 128 x 4, image size 2048	English	United States
RT_ICON	0x14c468	0x1e8	Device independent bitmap graphic, 24 x 48 x 4, image size 288	English	United States
RT_STRING	0x14c650	0x360	data
RT_STRING	0x14c9b0	0x260	data
RT_STRING	0x14cc10	0x45c	data
RT_STRING	0x14d06c	0x40c	data
RT_STRING	0x14d478	0x2d4	data
RT_STRING	0x14d74c	0xb8	data
RT_STRING	0x14d804	0x9c	data
RT_STRING	0x14d8a0	0x374	data
RT_STRING	0x14dc14	0x398	data
RT_STRING	0x14dfac	0x368	data
RT_STRING	0x14e314	0x2a4	data
RT_RCDATA	0x14e5b8	0x10	data
RT_RCDATA	0x14e5c8	0x2c4	data
RT_RCDATA	0x14e88c	0x2c	data
RT_GROUP_ICON	0x14e8b8	0x110	data	English	United States
RT_VERSION	0x14e9c8	0x584	data	English	United States
RT_MANIFEST	0x14ef4c	0x62c	XML 1.0 document, ASCII text, with CRLF line terminators	English	United States

DLL	Import
kernel32.dll	GetACP, GetExitCodeProcess, LocalFree, CloseHandle, SizeofResource, VirtualProtect, VirtualFree, GetFullPathNameW, ExitProcess, HeapAlloc, GetCPInfoExW, RtlUnwind, GetCPInfo, GetStdHandle, GetModuleHandleW, FreeLibrary, HeapDestroy, ReadFile, CreateProcessW, GetLastError, GetModuleFileNameW, SetLastError, FindResourceW, CreateThread, CompareStringW, LoadLibraryA, ResetEvent, GetVersion, RaiseException, FormatMessageW, SwitchToThread, GetExitCodeThread, GetCurrentThread, LoadLibraryExW, LockResource, GetCurrentThreadId, UnhandledExceptionFilter, VirtualQuery, VirtualQueryEx, Sleep, EnterCriticalSection, SetFilePointer, LoadResource, SuspendThread, GetTickCount, GetFileSize, GetStartupInfoW, GetFileAttributesW, InitializeCriticalSection, GetThreadPriority, SetThreadPriority, GetCurrentProcess, VirtualAlloc, GetSystemInfo, GetCommandLineW, LeaveCriticalSection, GetProcAddress, ResumeThread, GetVersionExW, VerifyVersionInfoW, HeapCreate, GetWindowsDirectoryW, VerSetConditionMask, GetDiskFreeSpaceW, FindFirstFileW, GetUserDefaultUILanguage, lstrlenW, QueryPerformanceCounter, SetEndOfFile, HeapFree, WideCharToMultiByte, FindClose, MultiByteToWideChar, LoadLibraryW, SetEvent, CreateFileW, GetLocaleInfoW, GetSystemDirectoryW, DeleteFileW, GetLocalTime, GetEnvironmentVariableW, WaitForSingleObject, WriteFile, ExitThread, DeleteCriticalSection, TlsGetValue, GetDateFormatW, SetErrorMode, IsValidLocale, TlsSetValue, CreateDirectoryW, GetSystemDefaultUILanguage, EnumCalendarInfoW, LocalAlloc, GetUserDefaultLangID, RemoveDirectoryW, CreateEventW, SetThreadLocale, GetThreadLocale
comctl32.dll	InitCommonControls
version.dll	GetFileVersionInfoSizeW, VerQueryValueW, GetFileVersionInfoW
user32.dll	CreateWindowExW, TranslateMessage, CharLowerBuffW, CallWindowProcW, CharUpperW, PeekMessageW, GetSystemMetrics, SetWindowLongW, MessageBoxW, DestroyWindow, CharUpperBuffW, CharNextW, MsgWaitForMultipleObjects, LoadStringW, ExitWindowsEx, DispatchMessageW
oleaut32.dll	SysAllocStringLen, SafeArrayPtrOfIndex, VariantCopy, SafeArrayGetLBound, SafeArrayGetUBound, VariantInit, VariantClear, SysFreeString, SysReAllocStringLen, VariantChangeType, SafeArrayCreate
netapi32.dll	NetWkstaGetInfo, NetApiBufferFree
advapi32.dll	RegQueryValueExW, AdjustTokenPrivileges, LookupPrivilegeValueW, RegCloseKey, OpenProcessToken, RegOpenKeyExW

Name	Ordinal	Address
TMethodImplementationIntercept	3	0x454058
__dbk_fcall_wrapper	2	0x40d0a0
dbkFCallWrapperAddr	1	0x4be63c

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Feb 7, 2023 18:15:36.625793934 CET	49736	443	192.168.2.6	72.3.136.136
Feb 7, 2023 18:15:36.625869989 CET	443	49736	72.3.136.136	192.168.2.6
Feb 7, 2023 18:15:36.625977993 CET	49736	443	192.168.2.6	72.3.136.136
Feb 7, 2023 18:15:36.656014919 CET	49736	443	192.168.2.6	72.3.136.136
Feb 7, 2023 18:15:36.656064987 CET	443	49736	72.3.136.136	192.168.2.6
Feb 7, 2023 18:15:37.085699081 CET	443	49736	72.3.136.136	192.168.2.6
Feb 7, 2023 18:15:37.085906982 CET	49736	443	192.168.2.6	72.3.136.136
Feb 7, 2023 18:15:37.603049040 CET	49736	443	192.168.2.6	72.3.136.136
Feb 7, 2023 18:15:37.603085041 CET	443	49736	72.3.136.136	192.168.2.6
Feb 7, 2023 18:15:37.603477955 CET	443	49736	72.3.136.136	192.168.2.6
Feb 7, 2023 18:15:37.603568077 CET	49736	443	192.168.2.6	72.3.136.136
Feb 7, 2023 18:15:37.611975908 CET	49736	443	192.168.2.6	72.3.136.136
Feb 7, 2023 18:15:37.612005949 CET	443	49736	72.3.136.136	192.168.2.6
Feb 7, 2023 18:15:37.612051010 CET	49736	443	192.168.2.6	72.3.136.136
Feb 7, 2023 18:15:37.612057924 CET	443	49736	72.3.136.136	192.168.2.6
Feb 7, 2023 18:15:37.998322010 CET	443	49736	72.3.136.136	192.168.2.6
Feb 7, 2023 18:15:37.998418093 CET	443	49736	72.3.136.136	192.168.2.6
Feb 7, 2023 18:15:37.998506069 CET	49736	443	192.168.2.6	72.3.136.136
Feb 7, 2023 18:15:38.004544973 CET	49736	443	192.168.2.6	72.3.136.136
Feb 7, 2023 18:15:38.004566908 CET	443	49736	72.3.136.136	192.168.2.6
Feb 7, 2023 18:15:38.144870043 CET	49737	443	192.168.2.6	72.3.136.132
Feb 7, 2023 18:15:38.144923925 CET	443	49737	72.3.136.132	192.168.2.6
Feb 7, 2023 18:15:38.144996881 CET	49737	443	192.168.2.6	72.3.136.132
Feb 7, 2023 18:15:38.145864964 CET	49737	443	192.168.2.6	72.3.136.132
Feb 7, 2023 18:15:38.145890951 CET	443	49737	72.3.136.132	192.168.2.6
Feb 7, 2023 18:15:38.576445103 CET	443	49737	72.3.136.132	192.168.2.6
Feb 7, 2023 18:15:38.576692104 CET	49737	443	192.168.2.6	72.3.136.132
Feb 7, 2023 18:15:38.581419945 CET	49737	443	192.168.2.6	72.3.136.132
Feb 7, 2023 18:15:38.581469059 CET	443	49737	72.3.136.132	192.168.2.6
Feb 7, 2023 18:15:38.581862926 CET	443	49737	72.3.136.132	192.168.2.6
Feb 7, 2023 18:15:38.582032919 CET	49737	443	192.168.2.6	72.3.136.132
Feb 7, 2023 18:15:38.582719088 CET	49737	443	192.168.2.6	72.3.136.132
Feb 7, 2023 18:15:38.582740068 CET	443	49737	72.3.136.132	192.168.2.6
Feb 7, 2023 18:15:38.723304033 CET	443	49737	72.3.136.132	192.168.2.6
Feb 7, 2023 18:15:38.723397970 CET	443	49737	72.3.136.132	192.168.2.6
Feb 7, 2023 18:15:38.723464966 CET	49737	443	192.168.2.6	72.3.136.132
Feb 7, 2023 18:15:38.723464966 CET	49737	443	192.168.2.6	72.3.136.132
Feb 7, 2023 18:15:38.726723909 CET	49737	443	192.168.2.6	72.3.136.132
Feb 7, 2023 18:15:38.726803064 CET	443	49737	72.3.136.132	192.168.2.6
Feb 7, 2023 18:15:38.851418972 CET	49738	443	192.168.2.6	72.3.136.132
Feb 7, 2023 18:15:38.851485014 CET	443	49738	72.3.136.132	192.168.2.6
Feb 7, 2023 18:15:38.851602077 CET	49738	443	192.168.2.6	72.3.136.132
Feb 7, 2023 18:15:38.852103949 CET	49738	443	192.168.2.6	72.3.136.132
Feb 7, 2023 18:15:38.852133036 CET	443	49738	72.3.136.132	192.168.2.6
Feb 7, 2023 18:15:39.132622004 CET	443	49738	72.3.136.132	192.168.2.6
Feb 7, 2023 18:15:39.135246992 CET	49738	443	192.168.2.6	72.3.136.132
Feb 7, 2023 18:15:39.148889065 CET	49738	443	192.168.2.6	72.3.136.132
Feb 7, 2023 18:15:39.148916960 CET	443	49738	72.3.136.132	192.168.2.6
Feb 7, 2023 18:15:39.152877092 CET	49738	443	192.168.2.6	72.3.136.132
Feb 7, 2023 18:15:39.152893066 CET	443	49738	72.3.136.132	192.168.2.6
Feb 7, 2023 18:15:39.449879885 CET	443	49738	72.3.136.132	192.168.2.6
Feb 7, 2023 18:15:39.450017929 CET	443	49738	72.3.136.132	192.168.2.6
Feb 7, 2023 18:15:39.450186968 CET	49738	443	192.168.2.6	72.3.136.132
Feb 7, 2023 18:15:39.504117012 CET	49738	443	192.168.2.6	72.3.136.132
Feb 7, 2023 18:15:39.504168987 CET	443	49738	72.3.136.132	192.168.2.6

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Feb 7, 2023 18:15:36.576718092 CET	59082	53	192.168.2.6	8.8.8.8
Feb 7, 2023 18:15:36.613837004 CET	53	59082	8.8.8.8	192.168.2.6
Feb 7, 2023 18:15:38.121723890 CET	59504	53	192.168.2.6	8.8.8.8
Feb 7, 2023 18:15:38.141752958 CET	53	59504	8.8.8.8	192.168.2.6

Target ID:	0
Start time:	18:14:55
Start date:	07/02/2023
Path:	C:\Users\user\Desktop\FileOpenInstaller.exe
Wow64 process (32bit):	true
Commandline:	C:\Users\user\Desktop\FileOpenInstaller.exe
Imagebase:	0x400000
File size:	6831336 bytes
MD5 hash:	599EBD4AF31288DB879786F49BF9487D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	Borland Delphi
Reputation:	low

Target ID:	1
Start time:	18:14:56
Start date:	07/02/2023
Path:	C:\Users\user\AppData\Local\Temp\is-0FUR6.tmp\FileOpenInstaller.tmp
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Local\Temp\is-0FUR6.tmp\FileOpenInstaller.tmp" /SL5="$10404,6054369,1320960,C:\Users\user\Desktop\FileOpenInstaller.exe"
Imagebase:	0x400000
File size:	3119936 bytes
MD5 hash:	B7988AC379CEAA456BAA3EF19EB55263
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	Borland Delphi
Antivirus matches:	Detection: 0%, ReversingLabs
Reputation:	low

Target ID:	2
Start time:	18:14:57
Start date:	07/02/2023
Path:	C:\Windows\System32\svchost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\System32\svchost.exe -k netsvcs -p
Imagebase:	0x7ff603c50000
File size:	51288 bytes
MD5 hash:	32569E403279B3FD2EDB7EBD036273FA
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Target ID:	3
Start time:	18:15:11
Start date:	07/02/2023
Path:	C:\Windows\System32\svchost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s NcbService
Imagebase:	0x7ff603c50000
File size:	51288 bytes
MD5 hash:	32569E403279B3FD2EDB7EBD036273FA
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Target ID:	4
Start time:	18:15:13
Start date:	07/02/2023
Path:	C:\Windows\System32\svchost.exe
Wow64 process (32bit):	false
Commandline:	c:\windows\system32\svchost.exe -k localservice -p -s CDPSvc
Imagebase:	0x7ff603c50000
File size:	51288 bytes
MD5 hash:	32569E403279B3FD2EDB7EBD036273FA
Has elevated privileges:	true
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	high

Target ID:	6
Start time:	18:15:14
Start date:	07/02/2023
Path:	C:\Windows\System32\svchost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\System32\svchost.exe -k NetworkService -p
Imagebase:	0x7ff603c50000
File size:	51288 bytes
MD5 hash:	32569E403279B3FD2EDB7EBD036273FA
Has elevated privileges:	true
Has administrator privileges:	false
Programmed in:	C, C++ or other language

Target ID:	8
Start time:	18:15:15
Start date:	07/02/2023
Path:	C:\Windows\System32\svchost.exe
Wow64 process (32bit):	false
Commandline:	c:\windows\system32\svchost.exe -k netsvcs -p
Imagebase:	0x7ff603c50000
File size:	51288 bytes
MD5 hash:	32569E403279B3FD2EDB7EBD036273FA
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Target ID:	12
Start time:	18:15:24
Start date:	07/02/2023
Path:	C:\Windows\System32\svchost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\System32\svchost.exe -k netsvcs -p
Imagebase:	0x7ff603c50000
File size:	51288 bytes
MD5 hash:	32569E403279B3FD2EDB7EBD036273FA
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report FileOpenInstaller.exe

Overview

General Information

Detection

Signatures

Classification

Analysis Advice

Process Tree

Malware Configuration

Yara Signatures

Sigma Signatures

Snort Signatures

Joe Sandbox Signatures

Compliance

Spreading

Networking

System Summary

Data Obfuscation

Persistence and Installation Behavior

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Lowering of HIPS / PFW / Operating System Security Settings

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

Private

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\FileOpen.api (copy)

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\is-U9E22.tmp

C:\Program Files\FileOpen\Services\FileOpenBroker64.exe (copy)

C:\Program Files\FileOpen\Services\FileOpenManager64.exe (copy)

C:\Program Files\FileOpen\Services\is-GL49N.tmp

C:\Program Files\FileOpen\Services\is-KGJ5A.tmp

C:\Program Files\FileOpen\UtilDll.dll (copy)

C:\Program Files\FileOpen\examples\installcomplete.pdf (copy)

C:\Program Files\FileOpen\examples\is-SJIP9.tmp

C:\Program Files\FileOpen\is-BU7MM.tmp

C:\Program Files\FileOpen\is-LL3TI.tmp

C:\Program Files\FileOpen\unins000.dat

C:\Program Files\FileOpen\unins000.exe (copy)

C:\Program Files\FileOpen\unins000.msg

C:\ProgramData\FileOpen\Updates\L10n\fotk_de.lcd (copy)

C:\ProgramData\FileOpen\Updates\L10n\fotk_fr.lcd (copy)

C:\ProgramData\FileOpen\Updates\L10n\fotk_ja.lcd (copy)

C:\ProgramData\FileOpen\Updates\L10n\fotk_zh.lcd (copy)

C:\ProgramData\FileOpen\Updates\L10n\is-EBO4V.tmp

Windows Analysis Report
FileOpenInstaller.exe

Target ID:	13
Start time:	18:15:26
Start date:	07/02/2023
Path:	C:\Windows\System32\sc.exe
Wow64 process (32bit):	false
Commandline:	"C:\Windows\system32\sc.exe" create FileOpenManager binpath= "\"C:\Program Files\FileOpen\Services\FileOpenManager64.exe\"" start= auto
Imagebase:	0x7ff732c00000
File size:	69120 bytes
MD5 hash:	D79784553A9410D15E04766AAAB77CD6
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Target ID:	15
Start time:	18:15:27
Start date:	07/02/2023
Path:	C:\Windows\System32\sc.exe
Wow64 process (32bit):	false
Commandline:	"C:\Windows\system32\sc.exe" description FileOpenManager "FileOpen Client Manager"
Imagebase:	0x7ff732c00000
File size:	69120 bytes
MD5 hash:	D79784553A9410D15E04766AAAB77CD6
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Target ID:	21
Start time:	18:15:32
Start date:	07/02/2023
Path:	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe
Wow64 process (32bit):	true
Commandline:	"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe" installcomplete.pdf
Imagebase:	0xaa0000
File size:	2571312 bytes
MD5 hash:	B969CF0C7B2C443A99034881E8C8740A
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Target ID:	22
Start time:	18:15:37
Start date:	07/02/2023
Path:	C:\Program Files\FileOpen\Services\FileOpenBroker64.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files\FileOpen\Services\FileOpenBroker64.exe"
Imagebase:	0x7ff72bd90000
File size:	2089968 bytes
MD5 hash:	DE1A88EBE38A4EB36E2C88B1A69A0251
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language

Target ID:	23
Start time:	18:15:38
Start date:	07/02/2023
Path:	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
Wow64 process (32bit):	true
Commandline:	"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --backgroundcolor=16514043
Imagebase:	0x1370000
File size:	9475120 bytes
MD5 hash:	9AEBA3BACD721484391D15478A4080C7
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Target ID:	24
Start time:	18:15:54
Start date:	07/02/2023
Path:	C:\Windows\System32\svchost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\System32\svchost.exe -k netsvcs -p
Imagebase:	0x7ff603c50000
File size:	51288 bytes
MD5 hash:	32569E403279B3FD2EDB7EBD036273FA
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Target ID:	27
Start time:	18:16:04
Start date:	07/02/2023
Path:	C:\Windows\System32\svchost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\System32\svchost.exe -k netsvcs -p
Imagebase:	0x7ff603c50000
File size:	51288 bytes
MD5 hash:	32569E403279B3FD2EDB7EBD036273FA
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Description:	Adversaries may abuse Windows Management Instrumentation (WMI) to achieve execution. WMI is a Windows administration feature that provides a uniform environment for local and remote access to Windows system components. It relies on the WMI service for local and remote access and the server message block (SMB) and Remote Procedure Call Service (RPCS) for remote access. RPCS operates over port 135.
Tactics:	Execution
Data Sources:	Authentication logs, Netflow/Enclave netflow, Process command-line parameters, Process monitoring
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may directly interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	API monitoring, Loaded DLLs, Process monitoring, System calls
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse command and script interpreters to execute commands, scripts, or binaries. These interfaces and languages provide ways of interacting with computer systems and are a common feature across many different platforms. Most systems come with some built-in command-line interface and scripting capabilities, for example, macOS and Linux distributions include some flavor of Unix Shell while Windows installations include the Windows Command Shell and PowerShell .
Tactics:	Execution
Data Sources:	PowerShell logs, Process command-line parameters, Process monitoring, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre