Windows Analysis Report
FileOpenInstaller.exe

Overview

General Information

Sample Name: FileOpenInstaller.exe
Analysis ID: 800687
MD5: 599ebd4af31288db879786f49bf9487d
SHA1: ee40630abcb1fe05051c3f832c72c2ee99722c35
SHA256: f469734bc576a00e113bc43b1b1a13de3c74f5370c5b9db8b9289bd9cf8aac31
Infos:

Detection

Score: 16
Range: 0 - 100
Whitelisted: false
Confidence: 20%

Signatures

Obfuscated command line found
Uses 32bit PE files
Queries the volume information (name, serial number etc) of a device
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to query locales information (e.g. system language)
PE file contains sections with non-standard names
Detected potential crypto function
Contains functionality to query CPU information (cpuid)
Found potential string decryption / allocating functions
Sample execution stops while process was sleeping (likely an evasion)
JA3 SSL client fingerprint seen in connection with other malware
Contains functionality to call native functions
Contains functionality to communicate with device drivers
Contains functionality to dynamically determine API calls
Found dropped PE file which has not been started or loaded
Contains functionality which may be used to detect a debugger (GetProcessHeap)
PE file contains executable resources (Code or Archives)
Sample file is different than original file name gathered from version info
PE file contains strange resources
Drops PE files
Tries to load missing DLLs
Found evasive API chain checking for process token information
Found large amount of non-executed APIs
Contains functionality to delete services
Contains functionality to query network adapater information

Classification

Uses 32bit PE files
Source: FileOpenInstaller.exe Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, BYTES_REVERSED_LO, 32BIT_MACHINE, BYTES_REVERSED_HI
Source: C:\Users\user\AppData\Local\Temp\is-RJIJI.tmp\FileOpenInstaller.tmp Registry value created: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\FileOpenClient_is1 Jump to behavior
Source: unknown HTTPS traffic detected: 72.3.136.136:443 -> 192.168.11.20:49803 version: TLS 1.2
Source: unknown HTTPS traffic detected: 72.3.136.132:443 -> 192.168.11.20:49804 version: TLS 1.2
Source: C:\Users\user\AppData\Local\Temp\is-RJIJI.tmp\FileOpenInstaller.tmp Directory created: C:\Program Files\FileOpen Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-RJIJI.tmp\FileOpenInstaller.tmp Directory created: C:\Program Files\FileOpen\unins000.dat Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-RJIJI.tmp\FileOpenInstaller.tmp Directory created: C:\Program Files\FileOpen\is-NSHSA.tmp Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-RJIJI.tmp\FileOpenInstaller.tmp Directory created: C:\Program Files\FileOpen\is-9KV5A.tmp Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-RJIJI.tmp\FileOpenInstaller.tmp Directory created: C:\Program Files\FileOpen\examples Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-RJIJI.tmp\FileOpenInstaller.tmp Directory created: C:\Program Files\FileOpen\examples\is-5NKPI.tmp Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-RJIJI.tmp\FileOpenInstaller.tmp Directory created: C:\Program Files\FileOpen\Services Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-RJIJI.tmp\FileOpenInstaller.tmp Directory created: C:\Program Files\FileOpen\Services\is-JKV7N.tmp Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-RJIJI.tmp\FileOpenInstaller.tmp Directory created: C:\Program Files\FileOpen\Services\is-FC998.tmp Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-RJIJI.tmp\FileOpenInstaller.tmp Directory created: C:\Program Files\FileOpen\unins000.msg Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-RJIJI.tmp\FileOpenInstaller.tmp File created: C:\Users\user\AppData\Local\Temp\Setup Log 2023-02-07 #001.txt Jump to behavior
Source: FileOpenInstaller.exe Static PE information: certificate valid
Source: FileOpenInstaller.exe Static PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Source: Binary string: C:\dev\FileOpenClient-dev\build-x64-RelWithDebInfo\RelWithDebInfo\FileOpenBrokerTrace64.pdbj source: FileOpenInstaller.tmp, 00000004.00000003.2775176990.0000000003C5E000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: C:\dev\AcroClient-WinInstallers\FileOpenInstallerExe\UtilDll\Release\UtilDll.pdb source: UtilDll.dll.4.dr, is-9KV5A.tmp.4.dr
Source: Binary string: C:\dev\FileOpenClient-dev\build-x64-RelWithDebInfo\RelWithDebInfo\FileOpenBroker64.pdb source: FileOpenInstaller.tmp, 00000004.00000003.2775176990.0000000003A30000.00000004.00001000.00020000.00000000.sdmp, FileOpenBroker64.exe, 0000000D.00000002.3723165095.00007FF668F4B000.00000002.00000001.01000000.0000000A.sdmp, FileOpenBroker64.exe, 0000000D.00000000.2735368706.00007FF668F4B000.00000002.00000001.01000000.0000000A.sdmp, FileOpenBroker64.exe, 00000010.00000000.2815055164.00007FF668F4B000.00000002.00000001.01000000.0000000A.sdmp, FileOpenBroker64.exe, 00000010.00000002.2820538293.00007FF668F4B000.00000002.00000001.01000000.0000000A.sdmp, is-JKV7N.tmp.4.dr
Source: Binary string: C:\dev\FileOpenClient-dev\build-x64-RelWithDebInfo\RelWithDebInfo\FileOpenManager64.pdb source: FileOpenInstaller.tmp, 00000004.00000003.2775176990.0000000003E70000.00000004.00001000.00020000.00000000.sdmp, FileOpenManager64.exe, 0000000C.00000002.3719999030.00007FF600B07000.00000002.00000001.01000000.00000009.sdmp, FileOpenManager64.exe, 0000000C.00000000.2731798759.00007FF600B07000.00000002.00000001.01000000.00000009.sdmp, is-FC998.tmp.4.dr
Source: Binary string: C:\dev\FileOpenClient-dev\build-Win32-RelWithDebInfo\RelWithDebInfo\FileOpenPlugin32.B998.pdb source: is-GV932.tmp.4.dr
Source: Binary string: C:\dev\FileOpenClient-dev\build-x64-RelWithDebInfo\RelWithDebInfo\FileOpenBrokerTrace64.pdb source: FileOpenInstaller.tmp, 00000004.00000003.2775176990.0000000003C5E000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: C:\dev\FileOpenClient-dev\build-x64-RelWithDebInfo\RelWithDebInfo\FileOpenBroker64.pdbi source: FileOpenInstaller.tmp, 00000004.00000003.2775176990.0000000003A30000.00000004.00001000.00020000.00000000.sdmp, FileOpenBroker64.exe, 0000000D.00000002.3723165095.00007FF668F4B000.00000002.00000001.01000000.0000000A.sdmp, FileOpenBroker64.exe, 0000000D.00000000.2735368706.00007FF668F4B000.00000002.00000001.01000000.0000000A.sdmp, FileOpenBroker64.exe, 00000010.00000000.2815055164.00007FF668F4B000.00000002.00000001.01000000.0000000A.sdmp, FileOpenBroker64.exe, 00000010.00000002.2820538293.00007FF668F4B000.00000002.00000001.01000000.0000000A.sdmp, is-JKV7N.tmp.4.dr
Source: Binary string: C:\dev\FileOpenClient-dev\build-Win32-RelWithDebInfo\RelWithDebInfo\FileOpenBrokerTrace32.pdb source: FileOpenInstaller.tmp, 00000004.00000003.2775176990.0000000003AB5000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: C:\dev\FileOpenClient-dev\build-Win32-RelWithDebInfo\RelWithDebInfo\FileOpenManager32.pdb source: FileOpenInstaller.tmp, 00000004.00000003.2775176990.0000000003E70000.00000004.00001000.00020000.00000000.sdmp
Source: C:\Program Files\FileOpen\Services\FileOpenManager64.exe Code function: 12_2_00007FF600AF1440 FindFirstFileExW,FindNextFileW,FindClose,FindClose,FindClose, 12_2_00007FF600AF1440
Source: C:\Program Files\FileOpen\Services\FileOpenManager64.exe Code function: 12_2_00007FF600AF1440 FindFirstFileExW,FindNextFileW,FindClose,FindClose,FindClose, 12_2_00007FF600AF1440
Source: C:\Program Files\FileOpen\Services\FileOpenManager64.exe Code function: 12_2_00007FF600AF1BA0 FindFirstFileExW, 12_2_00007FF600AF1BA0
Source: C:\Program Files\FileOpen\Services\FileOpenManager64.exe Code function: 12_2_00007FF600AF203C FindFirstFileExW,FindNextFileW,FindClose, 12_2_00007FF600AF203C
Source: C:\Program Files\FileOpen\Services\FileOpenBroker64.exe Code function: 13_2_00007FF668E0BC20 FindFirstFileA,FindNextFileA,FindNextFileA,FindClose, 13_2_00007FF668E0BC20
Source: C:\Program Files\FileOpen\Services\FileOpenBroker64.exe Code function: 13_2_00007FF668E0BD50 FindFirstFileA,FindNextFileA,FindNextFileA,FindClose, 13_2_00007FF668E0BD50
Source: C:\Program Files\FileOpen\Services\FileOpenBroker64.exe Code function: 13_2_00007FF668E03E90 FindFirstFileA,FindNextFileA,FindClose, 13_2_00007FF668E03E90
Source: C:\Program Files\FileOpen\Services\FileOpenBroker64.exe Code function: 13_2_00007FF668E01130 FindFirstFileA,GetLastError,FindFirstFileA,GetLastError,FindNextFileA,GetLastError,FindClose,FindFirstFileA,GetLastError,FindNextFileA,GetLastError,FindClose,FindFirstFileA,GetLastError,FindNextFileA,GetLastError,FindClose,FindClose, 13_2_00007FF668E01130
Source: C:\Program Files\FileOpen\Services\FileOpenBroker64.exe Code function: 13_2_00007FF668E01470 FindFirstFileA,GetLastError,FindNextFileA,GetLastError,FindClose,FindFirstFileA,GetLastError,FindFirstFileA,GetLastError,FindFirstFileA,GetLastError,FindClose, 13_2_00007FF668E01470
Source: C:\Program Files\FileOpen\Services\FileOpenBroker64.exe Code function: 13_2_00007FF668E0B900 FindFirstFileA,FindNextFileA,FindNextFileA,FindClose, 13_2_00007FF668E0B900
Source: C:\Program Files\FileOpen\Services\FileOpenBroker64.exe Code function: 13_2_00007FF668E12880 FindFirstFileA,CreateFileA,GetFileTime,CloseHandle,CopyFileA,FindNextFileA,FindClose,CloseHandle, 13_2_00007FF668E12880
Source: C:\Program Files\FileOpen\Services\FileOpenBroker64.exe Code function: 16_2_00007FF668E0BC20 FindFirstFileA,FindNextFileA,FindNextFileA,FindClose, 16_2_00007FF668E0BC20
Source: C:\Program Files\FileOpen\Services\FileOpenBroker64.exe Code function: 16_2_00007FF668E0BD50 FindFirstFileA,FindNextFileA,FindNextFileA,FindClose, 16_2_00007FF668E0BD50
Source: C:\Program Files\FileOpen\Services\FileOpenBroker64.exe Code function: 16_2_00007FF668E03E90 FindFirstFileA,FindNextFileA,FindClose, 16_2_00007FF668E03E90
Source: C:\Program Files\FileOpen\Services\FileOpenBroker64.exe Code function: 16_2_00007FF668E011F3 FindFirstFileA,GetLastError,FindFirstFileA,GetLastError,FindNextFileA,GetLastError,FindClose,FindFirstFileA,GetLastError,FindNextFileA,GetLastError,FindClose,FindFirstFileA,GetLastError,FindNextFileA,GetLastError,FindClose,FindClose, 16_2_00007FF668E011F3
Source: C:\Program Files\FileOpen\Services\FileOpenBroker64.exe Code function: 16_2_00007FF668E016AB FindNextFileA,GetLastError,FindClose,FindFirstFileA,GetLastError,FindFirstFileA,GetLastError,FindFirstFileA,GetLastError,FindClose, 16_2_00007FF668E016AB
Source: C:\Program Files\FileOpen\Services\FileOpenBroker64.exe Code function: 16_2_00007FF668E0B900 FindFirstFileA,FindNextFileA,FindNextFileA,FindClose, 16_2_00007FF668E0B900
Source: C:\Program Files\FileOpen\Services\FileOpenBroker64.exe Code function: 16_2_00007FF668E12880 FindFirstFileA,CreateFileA,GetFileTime,CloseHandle,CopyFileA,FindNextFileA,FindClose,CloseHandle, 16_2_00007FF668E12880
JA3 SSL client fingerprint seen in connection with other malware
Source: Joe Sandbox View JA3 fingerprint: 37f463bf4616ecd445d4a1937da06e19
Source: unknown Network traffic detected: HTTP traffic on port 49804 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49803 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49805 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49805
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49804
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49803
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: FileOpenInstaller.exe, is-FC998.tmp.4.dr, is-JKV7N.tmp.4.dr, is-NSHSA.tmp.4.dr, FileOpenInstaller.tmp.0.dr String found in binary or memory: http://cacerts.digicert.com/DigiCertEVCodeSigningCA-SHA2.crt0
Source: FileOpenInstaller.exe, is-FC998.tmp.4.dr, is-JKV7N.tmp.4.dr, is-NSHSA.tmp.4.dr, FileOpenInstaller.tmp.0.dr String found in binary or memory: http://cacerts.digicert.com/DigiCertHighAssuranceEVRootCA.crt0
Source: FileOpenInstaller.exe, is-FC998.tmp.4.dr, is-JKV7N.tmp.4.dr, is-NSHSA.tmp.4.dr, FileOpenInstaller.tmp.0.dr String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crt0
Source: FileOpenInstaller.exe, is-FC998.tmp.4.dr, is-JKV7N.tmp.4.dr, is-NSHSA.tmp.4.dr, FileOpenInstaller.tmp.0.dr String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedRootG4.crt0C
Source: FileOpenBroker64.exe, 0000000D.00000002.3718619772.000002253DE13000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://crl.comodoca.com/AAACertificateServices.crl06
Source: FileOpenBroker64.exe, 0000000D.00000002.3718619772.000002253DE13000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://crl.globalsign.net/root-r2.crl0
Source: FileOpenInstaller.exe, is-FC998.tmp.4.dr, is-JKV7N.tmp.4.dr, is-NSHSA.tmp.4.dr, FileOpenInstaller.tmp.0.dr String found in binary or memory: http://crl3.digicert.com/DigiCertHighAssuranceEVRootCA.crl0
Source: FileOpenInstaller.exe, is-FC998.tmp.4.dr, is-JKV7N.tmp.4.dr, is-NSHSA.tmp.4.dr, FileOpenInstaller.tmp.0.dr String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crl0
Source: FileOpenInstaller.exe, is-FC998.tmp.4.dr, is-JKV7N.tmp.4.dr, is-NSHSA.tmp.4.dr, FileOpenInstaller.tmp.0.dr String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedRootG4.crl0
Source: FileOpenInstaller.exe, is-FC998.tmp.4.dr, is-JKV7N.tmp.4.dr, is-NSHSA.tmp.4.dr, FileOpenInstaller.tmp.0.dr String found in binary or memory: http://crl3.digicert.com/EVCodeSigningSHA2-g1.crl07
Source: FileOpenInstaller.exe, is-FC998.tmp.4.dr, is-JKV7N.tmp.4.dr, is-NSHSA.tmp.4.dr, FileOpenInstaller.tmp.0.dr String found in binary or memory: http://crl4.digicert.com/DigiCertHighAssuranceEVRootCA.crl0
Source: FileOpenInstaller.exe, is-FC998.tmp.4.dr, is-JKV7N.tmp.4.dr, is-NSHSA.tmp.4.dr, FileOpenInstaller.tmp.0.dr String found in binary or memory: http://crl4.digicert.com/EVCodeSigningSHA2-g1.crl0J
Source: FileOpenBroker64.exe, FileOpenBroker64.exe, 00000010.00000000.2815621930.00007FF668FC8000.00000002.00000001.01000000.0000000A.sdmp, is-JKV7N.tmp.4.dr, is-GV932.tmp.4.dr String found in binary or memory: http://fileopen.com
Source: FileOpenInstaller.tmp, 00000004.00000003.2775176990.0000000003C5E000.00000004.00001000.00020000.00000000.sdmp, FileOpenInstaller.tmp, 00000004.00000003.2775176990.0000000003AB5000.00000004.00001000.00020000.00000000.sdmp, FileOpenInstaller.tmp, 00000004.00000003.2775176990.0000000003A30000.00000004.00001000.00020000.00000000.sdmp, FileOpenBroker64.exe, 0000000D.00000002.3723165095.00007FF668F4B000.00000002.00000001.01000000.0000000A.sdmp, FileOpenBroker64.exe, 0000000D.00000000.2735368706.00007FF668F4B000.00000002.00000001.01000000.0000000A.sdmp, FileOpenBroker64.exe, 00000010.00000000.2815055164.00007FF668F4B000.00000002.00000001.01000000.0000000A.sdmp, FileOpenBroker64.exe, 00000010.00000002.2820538293.00007FF668F4B000.00000002.00000001.01000000.0000000A.sdmp, is-JKV7N.tmp.4.dr, is-GV932.tmp.4.dr String found in binary or memory: http://fileopen.com/updates
Source: FileOpenInstaller.exe, is-FC998.tmp.4.dr, is-JKV7N.tmp.4.dr, is-NSHSA.tmp.4.dr, FileOpenInstaller.tmp.0.dr String found in binary or memory: http://ocsp.digicert.com0A
Source: FileOpenInstaller.exe, is-FC998.tmp.4.dr, is-JKV7N.tmp.4.dr, is-NSHSA.tmp.4.dr, FileOpenInstaller.tmp.0.dr String found in binary or memory: http://ocsp.digicert.com0H
Source: FileOpenInstaller.exe, is-FC998.tmp.4.dr, is-JKV7N.tmp.4.dr, is-NSHSA.tmp.4.dr, FileOpenInstaller.tmp.0.dr String found in binary or memory: http://ocsp.digicert.com0I
Source: FileOpenInstaller.exe, is-FC998.tmp.4.dr, is-JKV7N.tmp.4.dr, is-NSHSA.tmp.4.dr, FileOpenInstaller.tmp.0.dr String found in binary or memory: http://ocsp.digicert.com0X
Source: FileOpenInstaller.tmp, 00000004.00000003.2775176990.0000000003C5E000.00000004.00001000.00020000.00000000.sdmp, FileOpenInstaller.tmp, 00000004.00000003.2775176990.0000000003AB5000.00000004.00001000.00020000.00000000.sdmp, FileOpenInstaller.tmp, 00000004.00000003.2775176990.0000000003A30000.00000004.00001000.00020000.00000000.sdmp, FileOpenBroker64.exe, 0000000D.00000002.3723165095.00007FF668F4B000.00000002.00000001.01000000.0000000A.sdmp, FileOpenBroker64.exe, 0000000D.00000000.2735368706.00007FF668F4B000.00000002.00000001.01000000.0000000A.sdmp, FileOpenBroker64.exe, 0000000D.00000002.3718619772.000002253DD40000.00000004.00000020.00020000.00000000.sdmp, FileOpenBroker64.exe, 00000010.00000000.2815055164.00007FF668F4B000.00000002.00000001.01000000.0000000A.sdmp, FileOpenBroker64.exe, 00000010.00000002.2817935948.0000021445E97000.00000004.00000020.00020000.00000000.sdmp, FileOpenBroker64.exe, 00000010.00000002.2820538293.00007FF668F4B000.00000002.00000001.01000000.0000000A.sdmp, is-JKV7N.tmp.4.dr, is-GV932.tmp.4.dr String found in binary or memory: http://plugin.fileopen.com/.
Source: FileOpenBroker64.exe, 00000010.00000002.2817935948.0000021445E97000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://plugin.fileopen.com/.n
Source: FileOpenInstaller.exe, is-FC998.tmp.4.dr, is-JKV7N.tmp.4.dr, is-NSHSA.tmp.4.dr, FileOpenInstaller.tmp.0.dr String found in binary or memory: http://www.digicert.com/CPS0
Source: FileOpenInstaller.exe, is-FC998.tmp.4.dr, is-JKV7N.tmp.4.dr, is-NSHSA.tmp.4.dr, FileOpenInstaller.tmp.0.dr String found in binary or memory: http://www.digicert.com/ssl-cps-repository.htm0
Source: is-GV932.tmp.4.dr String found in binary or memory: http://www.fileopen.com/%s
Source: is-GV932.tmp.4.dr String found in binary or memory: http://www.fileopen.com/%sPlugin
Source: FileOpenInstaller.exe, is-NSHSA.tmp.4.dr, FileOpenInstaller.tmp.0.dr String found in binary or memory: http://www.fileopen.com/0
Source: FileOpenInstaller.exe, 00000000.00000003.2795690428.000000000243E000.00000004.00001000.00020000.00000000.sdmp, FileOpenInstaller.tmp, 00000004.00000003.2788287916.00000000025E1000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: http://www.fileopen.com/request-tech-support/
Source: FileOpenInstaller.exe, 00000000.00000003.2795690428.000000000243E000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: http://www.fileopen.com/request-tech-support/0A
Source: FileOpenInstaller.exe, 00000000.00000003.2483235521.00000000026E0000.00000004.00001000.00020000.00000000.sdmp, FileOpenInstaller.tmp, 00000004.00000003.2499714116.0000000003650000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: http://www.fileopen.com/request-tech-support/Zhttp://www.fileopen.com/request-tech-support/
Source: FileOpenInstaller.tmp, 00000004.00000003.2788287916.00000000025E1000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: http://www.fileopen.com/request-tech-support/q
Source: FileOpenInstaller.exe, 00000000.00000003.2487120202.000000007FB50000.00000004.00001000.00020000.00000000.sdmp, FileOpenInstaller.exe, 00000000.00000003.2484508219.0000000002820000.00000004.00001000.00020000.00000000.sdmp, FileOpenInstaller.tmp, 00000004.00000000.2493227668.0000000000401000.00000020.00000001.01000000.00000005.sdmp, is-NSHSA.tmp.4.dr, FileOpenInstaller.tmp.0.dr String found in binary or memory: http://www.innosetup.com/
Source: FileOpenInstaller.exe, 00000000.00000003.2487120202.000000007FB50000.00000004.00001000.00020000.00000000.sdmp, FileOpenInstaller.exe, 00000000.00000003.2484508219.0000000002820000.00000004.00001000.00020000.00000000.sdmp, FileOpenInstaller.tmp, 00000004.00000000.2493227668.0000000000401000.00000020.00000001.01000000.00000005.sdmp, is-NSHSA.tmp.4.dr, FileOpenInstaller.tmp.0.dr String found in binary or memory: http://www.remobjects.com/ps
Source: FileOpenInstaller.exe String found in binary or memory: https://jrsoftware.org/ishelp/index.php?topic=setupcmdlineSetupU
Source: FileOpenBroker64.exe, 0000000D.00000002.3720780457.000002253FA30000.00000004.00000020.00020000.00000000.sdmp, FileOpenBroker64.exe, 0000000D.00000002.3718619772.000002253DDD0000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://plugin.fileopen.com/
Source: FileOpenBroker64.exe, 0000000D.00000002.3720780457.000002253FA30000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://plugin.fileopen.com//&
Source: FileOpenBroker64.exe, 0000000D.00000002.3720780457.000002253FA6B000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://plugin.fileopen.com/installcomplete.ashx?Request=DocPerm&Stamp=1675795218&Mode=CNR&USR=10007
Source: FileOpenBroker64.exe, 0000000D.00000002.3720780457.000002253FA6B000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://plugin.fileopen.com/installcomplete.ashx?Request=Setting&Stamp=1675795217&Mode=CNR&USR=10007
Source: FileOpenBroker64.exe, 0000000D.00000002.3718619772.000002253DDD0000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://usr.fileopen.com/
Source: FileOpenBroker64.exe, 0000000D.00000002.3718619772.000002253DDD0000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://usr.fileopen.com/_
Source: FileOpenBroker64.exe, 0000000D.00000002.3718619772.000002253DDD0000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://usr.fileopen.com/check/usr/ZHAk7YpwDRdZvZq3ePSvK2nhY4hHWUX
Source: unknown HTTP traffic detected: POST /check/usr/ZHAk7YpwDRdZvZq3ePSvK2nhY4hHWUX+9uW5qs0U4Ek= HTTP/1.1Content-type: application/jsonUser-Agent: FileOpen ClientHost: usr.fileopen.comContent-Length: 1043Connection: Keep-AliveCache-Control: no-cache
Source: unknown DNS traffic detected: queries for: usr.fileopen.com
Source: C:\Program Files\FileOpen\Services\FileOpenBroker64.exe Code function: 13_2_00007FF668E11A20 InternetOpenA,InternetOpenUrlA,GetLastError,InternetCloseHandle,InternetQueryDataAvailable,GetLastError,InternetReadFile,InternetCloseHandle,InternetCloseHandle, 13_2_00007FF668E11A20
Source: global traffic HTTP traffic detected: GET /installcomplete.ashx?Request=Setting&Stamp=1675795217&Mode=CNR&USR=10007&ServiceID=InstallComplete&DocumentID=D-700&Ident3ID=number3&Ident4ID=number4&DocStrFmt=ASCII&PageCount=0&AdobePermanentId=fe2312a4b89fd64a94044c8c74baef85&AdobeInstanceId=7653cfff47f8504296a48ee78cc73a7d&OSType=Windows&Language=ENU&LngLCID=ENU&LngRFC1766=en&LngISO4Char=en-us&HostAppClass=FileOpen%20Plug-in&HostAppFeatures=001fff7f337ff3ff&Build=998&ProdVer=4.4.0.32&EncrVer=3.9.2.5&Machine=JC8RXKWL&Disk=E8LEL4BB&Uuid=dc8a5f3e-a716-11ed-a50d-d05099db2398&PrevMach=&PrevDisk=&FormHFT=Yes&SelServer=Yes&AcroProduct=Reader&AcroVersion=21.1792&AcroReader=Yes&AcroCanEdit=Yes&AcroPrefIDib=Yes&InBrowser=No&IEProtectedMode=Unknown&HostAppName=&DocIsLocal=Yes&DocPathUrl=file%3A%2F%2F%2FC%7C%2FProgram%20Files%2FFileOpen%2Fexamples%2Finstallcomplete.pdf&VolName=&VolType=Fixed&VolSN=1160136908&FSName=NTFS&FowpKbd=Yes&ScreenHook=Yes&Broker=Yes&RejectedDlls=&OSName=WindowsWin8%2064bit&OSBuild=Build%209200&RequestSchema=Default HTTP/1.1User-Agent: "Acrobat Reader FileOpen Plug-in"Host: plugin.fileopen.comConnection: Keep-AliveCache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /installcomplete.ashx?Request=DocPerm&Stamp=1675795218&Mode=CNR&USR=10007&ServiceID=InstallComplete&DocumentID=D-700&Ident3ID=number3&Ident4ID=number4&DocStrFmt=ASCII&PageCount=0&AdobePermanentId=fe2312a4b89fd64a94044c8c74baef85&AdobeInstanceId=7653cfff47f8504296a48ee78cc73a7d&OSType=Windows&Language=ENU&LngLCID=ENU&LngRFC1766=en&LngISO4Char=en-us&HostAppClass=FileOpen%20Plug-in&HostAppFeatures=001fff7f337ff3ff&Build=998&ProdVer=4.4.0.32&EncrVer=3.9.2.5&Machine=JC8RXKWL&Disk=E8LEL4BB&Uuid=dc8a5f3e-a716-11ed-a50d-d05099db2398&FormHFT=Yes&SelServer=Yes&AcroProduct=Reader&AcroVersion=21.1792&AcroReader=Yes&AcroCanEdit=Yes&AcroPrefIDib=Yes&InBrowser=No&IEProtectedMode=Unknown&HostAppName=&DocIsLocal=Yes&DocPathUrl=file%3A%2F%2F%2FC%7C%2FProgram%20Files%2FFileOpen%2Fexamples%2Finstallcomplete.pdf&VolName=&VolType=Fixed&VolSN=1160136908&FSName=NTFS&FowpKbd=Yes&ScreenHook=Yes&Broker=Yes&RejectedDlls=&OSName=WindowsWin8%2064bit&OSBuild=Build%209200&RequestSchema=Default HTTP/1.1User-Agent: "Acrobat Reader FileOpen Plug-in"Host: plugin.fileopen.comConnection: Keep-AliveCache-Control: no-cache
Source: unknown HTTPS traffic detected: 72.3.136.136:443 -> 192.168.11.20:49803 version: TLS 1.2
Source: unknown HTTPS traffic detected: 72.3.136.132:443 -> 192.168.11.20:49804 version: TLS 1.2
Uses 32bit PE files
Source: FileOpenInstaller.exe Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, BYTES_REVERSED_LO, 32BIT_MACHINE, BYTES_REVERSED_HI
Detected potential crypto function
Source: C:\Program Files\FileOpen\Services\FileOpenManager64.exe Code function: 12_2_00007FF600A768B0 12_2_00007FF600A768B0
Source: C:\Program Files\FileOpen\Services\FileOpenManager64.exe Code function: 12_2_00007FF600AA1180 12_2_00007FF600AA1180
Source: C:\Program Files\FileOpen\Services\FileOpenManager64.exe Code function: 12_2_00007FF600A77510 12_2_00007FF600A77510
Source: C:\Program Files\FileOpen\Services\FileOpenManager64.exe Code function: 12_2_00007FF600A87640 12_2_00007FF600A87640
Source: C:\Program Files\FileOpen\Services\FileOpenManager64.exe Code function: 12_2_00007FF600AAA224 12_2_00007FF600AAA224
Source: C:\Program Files\FileOpen\Services\FileOpenManager64.exe Code function: 12_2_00007FF600AC421C 12_2_00007FF600AC421C
Source: C:\Program Files\FileOpen\Services\FileOpenManager64.exe Code function: 12_2_00007FF600ADA15C 12_2_00007FF600ADA15C
Source: C:\Program Files\FileOpen\Services\FileOpenManager64.exe Code function: 12_2_00007FF600AFA2DC 12_2_00007FF600AFA2DC
Source: C:\Program Files\FileOpen\Services\FileOpenManager64.exe Code function: 12_2_00007FF600A8E320 12_2_00007FF600A8E320
Source: C:\Program Files\FileOpen\Services\FileOpenManager64.exe Code function: 12_2_00007FF600AF626C 12_2_00007FF600AF626C
Source: C:\Program Files\FileOpen\Services\FileOpenManager64.exe Code function: 12_2_00007FF600AF44EC 12_2_00007FF600AF44EC
Source: C:\Program Files\FileOpen\Services\FileOpenManager64.exe Code function: 12_2_00007FF600AC4484 12_2_00007FF600AC4484
Source: C:\Program Files\FileOpen\Services\FileOpenManager64.exe Code function: 12_2_00007FF600B006CC 12_2_00007FF600B006CC
Source: C:\Program Files\FileOpen\Services\FileOpenManager64.exe Code function: 12_2_00007FF600AEA720 12_2_00007FF600AEA720
Source: C:\Program Files\FileOpen\Services\FileOpenManager64.exe Code function: 12_2_00007FF600AC4700 12_2_00007FF600AC4700
Source: C:\Program Files\FileOpen\Services\FileOpenManager64.exe Code function: 12_2_00007FF600AF44EC 12_2_00007FF600AF44EC
Source: C:\Program Files\FileOpen\Services\FileOpenManager64.exe Code function: 12_2_00007FF600AC4968 12_2_00007FF600AC4968
Source: C:\Program Files\FileOpen\Services\FileOpenManager64.exe Code function: 12_2_00007FF600A7C9A0 12_2_00007FF600A7C9A0
Source: C:\Program Files\FileOpen\Services\FileOpenManager64.exe Code function: 12_2_00007FF600AE6A68 12_2_00007FF600AE6A68
Source: C:\Program Files\FileOpen\Services\FileOpenManager64.exe Code function: 12_2_00007FF600ADEBD8 12_2_00007FF600ADEBD8
Source: C:\Program Files\FileOpen\Services\FileOpenManager64.exe Code function: 12_2_00007FF600ADABC8 12_2_00007FF600ADABC8
Source: C:\Program Files\FileOpen\Services\FileOpenManager64.exe Code function: 12_2_00007FF600ADECF4 12_2_00007FF600ADECF4
Source: C:\Program Files\FileOpen\Services\FileOpenManager64.exe Code function: 12_2_00007FF600AC4C48 12_2_00007FF600AC4C48
Source: C:\Program Files\FileOpen\Services\FileOpenManager64.exe Code function: 12_2_00007FF600ADEE14 12_2_00007FF600ADEE14
Source: C:\Program Files\FileOpen\Services\FileOpenManager64.exe Code function: 12_2_00007FF600AD0E04 12_2_00007FF600AD0E04
Source: C:\Program Files\FileOpen\Services\FileOpenManager64.exe Code function: 12_2_00007FF600ADEF30 12_2_00007FF600ADEF30
Source: C:\Program Files\FileOpen\Services\FileOpenManager64.exe Code function: 12_2_00007FF600A8EFE0 12_2_00007FF600A8EFE0
Source: C:\Program Files\FileOpen\Services\FileOpenManager64.exe Code function: 12_2_00007FF600AC4F3C 12_2_00007FF600AC4F3C
Source: C:\Program Files\FileOpen\Services\FileOpenManager64.exe Code function: 12_2_00007FF600B050CC 12_2_00007FF600B050CC
Source: C:\Program Files\FileOpen\Services\FileOpenManager64.exe Code function: 12_2_00007FF600ADD110 12_2_00007FF600ADD110
Source: C:\Program Files\FileOpen\Services\FileOpenManager64.exe Code function: 12_2_00007FF600AC521C 12_2_00007FF600AC521C
Source: C:\Program Files\FileOpen\Services\FileOpenManager64.exe Code function: 12_2_00007FF600ADB18C 12_2_00007FF600ADB18C
Source: C:\Program Files\FileOpen\Services\FileOpenManager64.exe Code function: 12_2_00007FF600AEB2C8 12_2_00007FF600AEB2C8
Source: C:\Program Files\FileOpen\Services\FileOpenManager64.exe Code function: 12_2_00007FF600AE528C 12_2_00007FF600AE528C
Source: C:\Program Files\FileOpen\Services\FileOpenManager64.exe Code function: 12_2_00007FF600A8F42F 12_2_00007FF600A8F42F
Source: C:\Program Files\FileOpen\Services\FileOpenManager64.exe Code function: 12_2_00007FF600A85400 12_2_00007FF600A85400
Source: C:\Program Files\FileOpen\Services\FileOpenManager64.exe Code function: 12_2_00007FF600AFD384 12_2_00007FF600AFD384
Source: C:\Program Files\FileOpen\Services\FileOpenManager64.exe Code function: 12_2_00007FF600AC54E8 12_2_00007FF600AC54E8
Source: C:\Program Files\FileOpen\Services\FileOpenManager64.exe Code function: 12_2_00007FF600AF1440 12_2_00007FF600AF1440
Source: C:\Program Files\FileOpen\Services\FileOpenManager64.exe Code function: 12_2_00007FF600AFB568 12_2_00007FF600AFB568
Source: C:\Program Files\FileOpen\Services\FileOpenManager64.exe Code function: 12_2_00007FF600AF1440 12_2_00007FF600AF1440
Source: C:\Program Files\FileOpen\Services\FileOpenManager64.exe Code function: 12_2_00007FF600AC57C8 12_2_00007FF600AC57C8
Source: C:\Program Files\FileOpen\Services\FileOpenManager64.exe Code function: 12_2_00007FF600AF5AAC 12_2_00007FF600AF5AAC
Source: C:\Program Files\FileOpen\Services\FileOpenManager64.exe Code function: 12_2_00007FF600AC3A78 12_2_00007FF600AC3A78
Source: C:\Program Files\FileOpen\Services\FileOpenManager64.exe Code function: 12_2_00007FF600AF7C04 12_2_00007FF600AF7C04
Source: C:\Program Files\FileOpen\Services\FileOpenManager64.exe Code function: 12_2_00007FF600ADDB50 12_2_00007FF600ADDB50
Source: C:\Program Files\FileOpen\Services\FileOpenManager64.exe Code function: 12_2_00007FF600A8DB40 12_2_00007FF600A8DB40
Source: C:\Program Files\FileOpen\Services\FileOpenManager64.exe Code function: 12_2_00007FF600AF1BA0 12_2_00007FF600AF1BA0
Source: C:\Program Files\FileOpen\Services\FileOpenManager64.exe Code function: 12_2_00007FF600AC3CFC 12_2_00007FF600AC3CFC
Source: C:\Program Files\FileOpen\Services\FileOpenManager64.exe Code function: 12_2_00007FF600ADE000 12_2_00007FF600ADE000
Source: C:\Program Files\FileOpen\Services\FileOpenManager64.exe Code function: 12_2_00007FF600AC3F98 12_2_00007FF600AC3F98
Source: C:\Program Files\FileOpen\Services\FileOpenManager64.exe Code function: 12_2_00007FF600A75F80 12_2_00007FF600A75F80
Source: C:\Program Files\FileOpen\Services\FileOpenBroker64.exe Code function: 13_2_00007FF668DD8DE0 13_2_00007FF668DD8DE0
Source: C:\Program Files\FileOpen\Services\FileOpenBroker64.exe Code function: 13_2_00007FF668F0ED98 13_2_00007FF668F0ED98
Source: C:\Program Files\FileOpen\Services\FileOpenBroker64.exe Code function: 13_2_00007FF668F0F02C 13_2_00007FF668F0F02C
Source: C:\Program Files\FileOpen\Services\FileOpenBroker64.exe Code function: 13_2_00007FF668DD8180 13_2_00007FF668DD8180
Source: C:\Program Files\FileOpen\Services\FileOpenBroker64.exe Code function: 13_2_00007FF668E0F6A0 13_2_00007FF668E0F6A0
Source: C:\Program Files\FileOpen\Services\FileOpenBroker64.exe Code function: 13_2_00007FF668DE7640 13_2_00007FF668DE7640
Source: C:\Program Files\FileOpen\Services\FileOpenBroker64.exe Code function: 13_2_00007FF668DD7850 13_2_00007FF668DD7850
Source: C:\Program Files\FileOpen\Services\FileOpenBroker64.exe Code function: 13_2_00007FF668DD5A10 13_2_00007FF668DD5A10
Source: C:\Program Files\FileOpen\Services\FileOpenBroker64.exe Code function: 13_2_00007FF668EF9974 13_2_00007FF668EF9974
Source: C:\Program Files\FileOpen\Services\FileOpenBroker64.exe Code function: 13_2_00007FF668DEDB30 13_2_00007FF668DEDB30
Source: C:\Program Files\FileOpen\Services\FileOpenBroker64.exe Code function: 13_2_00007FF668F2A95C 13_2_00007FF668F2A95C
Source: C:\Program Files\FileOpen\Services\FileOpenBroker64.exe Code function: 13_2_00007FF668E08B10 13_2_00007FF668E08B10
Source: C:\Program Files\FileOpen\Services\FileOpenBroker64.exe Code function: 13_2_00007FF668E23B10 13_2_00007FF668E23B10
Source: C:\Program Files\FileOpen\Services\FileOpenBroker64.exe Code function: 13_2_00007FF668F299B4 13_2_00007FF668F299B4
Source: C:\Program Files\FileOpen\Services\FileOpenBroker64.exe Code function: 13_2_00007FF668E22A7C 13_2_00007FF668E22A7C
Source: C:\Program Files\FileOpen\Services\FileOpenBroker64.exe Code function: 13_2_00007FF668E07A70 13_2_00007FF668E07A70
Source: C:\Program Files\FileOpen\Services\FileOpenBroker64.exe Code function: 13_2_00007FF668F0FC40 13_2_00007FF668F0FC40
Source: C:\Program Files\FileOpen\Services\FileOpenBroker64.exe Code function: 13_2_00007FF668EEEBEC 13_2_00007FF668EEEBEC
Source: C:\Program Files\FileOpen\Services\FileOpenBroker64.exe Code function: 13_2_00007FF668F0ECB4 13_2_00007FF668F0ECB4
Source: C:\Program Files\FileOpen\Services\FileOpenBroker64.exe Code function: 13_2_00007FF668E1EBA0 13_2_00007FF668E1EBA0
Source: C:\Program Files\FileOpen\Services\FileOpenBroker64.exe Code function: 13_2_00007FF668F1CB98 13_2_00007FF668F1CB98
Source: C:\Program Files\FileOpen\Services\FileOpenBroker64.exe Code function: 13_2_00007FF668F0AC04 13_2_00007FF668F0AC04
Source: C:\Program Files\FileOpen\Services\FileOpenBroker64.exe Code function: 13_2_00007FF668E20DF0 13_2_00007FF668E20DF0
Source: C:\Program Files\FileOpen\Services\FileOpenBroker64.exe Code function: 13_2_00007FF668E01D50 13_2_00007FF668E01D50
Source: C:\Program Files\FileOpen\Services\FileOpenBroker64.exe Code function: 13_2_00007FF668F3FD98 13_2_00007FF668F3FD98
Source: C:\Program Files\FileOpen\Services\FileOpenBroker64.exe Code function: 13_2_00007FF668E47EC0 13_2_00007FF668E47EC0
Source: C:\Program Files\FileOpen\Services\FileOpenBroker64.exe Code function: 13_2_00007FF668F29DB4 13_2_00007FF668F29DB4
Source: C:\Program Files\FileOpen\Services\FileOpenBroker64.exe Code function: 13_2_00007FF668E03E90 13_2_00007FF668E03E90
Source: C:\Program Files\FileOpen\Services\FileOpenBroker64.exe Code function: 13_2_00007FF668E1F024 13_2_00007FF668E1F024
Source: C:\Program Files\FileOpen\Services\FileOpenBroker64.exe Code function: 13_2_00007FF668E8BFF0 13_2_00007FF668E8BFF0
Source: C:\Program Files\FileOpen\Services\FileOpenBroker64.exe Code function: 13_2_00007FF668DEEFD0 13_2_00007FF668DEEFD0
Source: C:\Program Files\FileOpen\Services\FileOpenBroker64.exe Code function: 13_2_00007FF668E01130 13_2_00007FF668E01130
Source: C:\Program Files\FileOpen\Services\FileOpenBroker64.exe Code function: 13_2_00007FF668F1FF98 13_2_00007FF668F1FF98
Source: C:\Program Files\FileOpen\Services\FileOpenBroker64.exe Code function: 13_2_00007FF668E18220 13_2_00007FF668E18220
Source: C:\Program Files\FileOpen\Services\FileOpenBroker64.exe Code function: 13_2_00007FF668F09280 13_2_00007FF668F09280
Source: C:\Program Files\FileOpen\Services\FileOpenBroker64.exe Code function: 13_2_00007FF668E5F1C0 13_2_00007FF668E5F1C0
Source: C:\Program Files\FileOpen\Services\FileOpenBroker64.exe Code function: 13_2_00007FF668E1F2F6 13_2_00007FF668E1F2F6
Source: C:\Program Files\FileOpen\Services\FileOpenBroker64.exe Code function: 13_2_00007FF668DEE310 13_2_00007FF668DEE310
Source: C:\Program Files\FileOpen\Services\FileOpenBroker64.exe Code function: 13_2_00007FF668DEF41F 13_2_00007FF668DEF41F
Source: C:\Program Files\FileOpen\Services\FileOpenBroker64.exe Code function: 13_2_00007FF668DE5400 13_2_00007FF668DE5400
Source: C:\Program Files\FileOpen\Services\FileOpenBroker64.exe Code function: 13_2_00007FF668E074F0 13_2_00007FF668E074F0
Source: C:\Program Files\FileOpen\Services\FileOpenBroker64.exe Code function: 13_2_00007FF668E094D0 13_2_00007FF668E094D0
Source: C:\Program Files\FileOpen\Services\FileOpenBroker64.exe Code function: 13_2_00007FF668F333AC 13_2_00007FF668F333AC
Source: C:\Program Files\FileOpen\Services\FileOpenBroker64.exe Code function: 13_2_00007FF668E0B540 13_2_00007FF668E0B540
Source: C:\Program Files\FileOpen\Services\FileOpenBroker64.exe Code function: 13_2_00007FF668F3D5A4 13_2_00007FF668F3D5A4
Source: C:\Program Files\FileOpen\Services\FileOpenBroker64.exe Code function: 13_2_00007FF668E4A820 13_2_00007FF668E4A820
Source: C:\Program Files\FileOpen\Services\FileOpenBroker64.exe Code function: 13_2_00007FF668E0D7D0 13_2_00007FF668E0D7D0
Source: C:\Program Files\FileOpen\Services\FileOpenBroker64.exe Code function: 16_2_00007FF668F0ED98 16_2_00007FF668F0ED98
Source: C:\Program Files\FileOpen\Services\FileOpenBroker64.exe Code function: 16_2_00007FF668F0F02C 16_2_00007FF668F0F02C
Source: C:\Program Files\FileOpen\Services\FileOpenBroker64.exe Code function: 16_2_00007FF668DD8180 16_2_00007FF668DD8180
Source: C:\Program Files\FileOpen\Services\FileOpenBroker64.exe Code function: 16_2_00007FF668E0F6A0 16_2_00007FF668E0F6A0
Source: C:\Program Files\FileOpen\Services\FileOpenBroker64.exe Code function: 16_2_00007FF668DE7640 16_2_00007FF668DE7640
Source: C:\Program Files\FileOpen\Services\FileOpenBroker64.exe Code function: 16_2_00007FF668DD5A10 16_2_00007FF668DD5A10
Source: C:\Program Files\FileOpen\Services\FileOpenBroker64.exe Code function: 16_2_00007FF668EF9974 16_2_00007FF668EF9974
Source: C:\Program Files\FileOpen\Services\FileOpenBroker64.exe Code function: 16_2_00007FF668DEDB30 16_2_00007FF668DEDB30
Source: C:\Program Files\FileOpen\Services\FileOpenBroker64.exe Code function: 16_2_00007FF668E08B10 16_2_00007FF668E08B10
Source: C:\Program Files\FileOpen\Services\FileOpenBroker64.exe Code function: 16_2_00007FF668F299B4 16_2_00007FF668F299B4
Source: C:\Program Files\FileOpen\Services\FileOpenBroker64.exe Code function: 16_2_00007FF668E07A70 16_2_00007FF668E07A70
Source: C:\Program Files\FileOpen\Services\FileOpenBroker64.exe Code function: 16_2_00007FF668F0FC40 16_2_00007FF668F0FC40
Source: C:\Program Files\FileOpen\Services\FileOpenBroker64.exe Code function: 16_2_00007FF668EEEBEC 16_2_00007FF668EEEBEC
Source: C:\Program Files\FileOpen\Services\FileOpenBroker64.exe Code function: 16_2_00007FF668F0ECB4 16_2_00007FF668F0ECB4
Source: C:\Program Files\FileOpen\Services\FileOpenBroker64.exe Code function: 16_2_00007FF668E1EBA0 16_2_00007FF668E1EBA0
Source: C:\Program Files\FileOpen\Services\FileOpenBroker64.exe Code function: 16_2_00007FF668F1CB98 16_2_00007FF668F1CB98
Source: C:\Program Files\FileOpen\Services\FileOpenBroker64.exe Code function: 16_2_00007FF668F0AC04 16_2_00007FF668F0AC04
Source: C:\Program Files\FileOpen\Services\FileOpenBroker64.exe Code function: 16_2_00007FF668DD8DE0 16_2_00007FF668DD8DE0
Source: C:\Program Files\FileOpen\Services\FileOpenBroker64.exe Code function: 16_2_00007FF668E20DF0 16_2_00007FF668E20DF0
Source: C:\Program Files\FileOpen\Services\FileOpenBroker64.exe Code function: 16_2_00007FF668E01D50 16_2_00007FF668E01D50
Source: C:\Program Files\FileOpen\Services\FileOpenBroker64.exe Code function: 16_2_00007FF668E47EC0 16_2_00007FF668E47EC0
Source: C:\Program Files\FileOpen\Services\FileOpenBroker64.exe Code function: 16_2_00007FF668E03E90 16_2_00007FF668E03E90
Source: C:\Program Files\FileOpen\Services\FileOpenBroker64.exe Code function: 16_2_00007FF668E1F024 16_2_00007FF668E1F024
Source: C:\Program Files\FileOpen\Services\FileOpenBroker64.exe Code function: 16_2_00007FF668E8BFF0 16_2_00007FF668E8BFF0
Source: C:\Program Files\FileOpen\Services\FileOpenBroker64.exe Code function: 16_2_00007FF668DEEFD0 16_2_00007FF668DEEFD0
Source: C:\Program Files\FileOpen\Services\FileOpenBroker64.exe Code function: 16_2_00007FF668F1FF98 16_2_00007FF668F1FF98
Source: C:\Program Files\FileOpen\Services\FileOpenBroker64.exe Code function: 16_2_00007FF668E18220 16_2_00007FF668E18220
Source: C:\Program Files\FileOpen\Services\FileOpenBroker64.exe Code function: 16_2_00007FF668E011F3 16_2_00007FF668E011F3
Source: C:\Program Files\FileOpen\Services\FileOpenBroker64.exe Code function: 16_2_00007FF668E1F2F6 16_2_00007FF668E1F2F6
Source: C:\Program Files\FileOpen\Services\FileOpenBroker64.exe Code function: 16_2_00007FF668DEE310 16_2_00007FF668DEE310
Source: C:\Program Files\FileOpen\Services\FileOpenBroker64.exe Code function: 16_2_00007FF668DEF41F 16_2_00007FF668DEF41F
Source: C:\Program Files\FileOpen\Services\FileOpenBroker64.exe Code function: 16_2_00007FF668DE5400 16_2_00007FF668DE5400
Source: C:\Program Files\FileOpen\Services\FileOpenBroker64.exe Code function: 16_2_00007FF668E074F0 16_2_00007FF668E074F0
Source: C:\Program Files\FileOpen\Services\FileOpenBroker64.exe Code function: 16_2_00007FF668E094D0 16_2_00007FF668E094D0
Source: C:\Program Files\FileOpen\Services\FileOpenBroker64.exe Code function: 16_2_00007FF668E0B540 16_2_00007FF668E0B540
Source: C:\Program Files\FileOpen\Services\FileOpenBroker64.exe Code function: 16_2_00007FF668E0D7D0 16_2_00007FF668E0D7D0
Source: C:\Program Files\FileOpen\Services\FileOpenBroker64.exe Code function: 16_2_00007FF668E39860 16_2_00007FF668E39860
Source: C:\Program Files\FileOpen\Services\FileOpenBroker64.exe Code function: 16_2_00007FF668DD7850 16_2_00007FF668DD7850
Found potential string decryption / allocating functions
Source: C:\Program Files\FileOpen\Services\FileOpenBroker64.exe Code function: String function: 00007FF668DDF490 appears 44 times
Source: C:\Program Files\FileOpen\Services\FileOpenBroker64.exe Code function: String function: 00007FF668DD7FE0 appears 60 times
Source: C:\Program Files\FileOpen\Services\FileOpenBroker64.exe Code function: String function: 00007FF668E003A0 appears 61 times
Source: C:\Program Files\FileOpen\Services\FileOpenBroker64.exe Code function: String function: 00007FF668DDB970 appears 48 times
Source: C:\Program Files\FileOpen\Services\FileOpenBroker64.exe Code function: String function: 00007FF668E5D2E0 appears 40 times
Source: C:\Program Files\FileOpen\Services\FileOpenBroker64.exe Code function: String function: 00007FF668E50CE0 appears 34 times
Source: C:\Program Files\FileOpen\Services\FileOpenManager64.exe Code function: String function: 00007FF600AEC918 appears 48 times
Contains functionality to call native functions
Source: C:\Program Files\FileOpen\Services\FileOpenManager64.exe Code function: 12_2_00007FF600A768B0 GetCurrentProcess,GetCurrentProcess,GetCurrentProcess,DuplicateHandle,SetLastError,FindCloseChangeNotification,EnterCriticalSection,LeaveCriticalSection,LocalAlloc,NtCreatePort,LocalFree,LocalFree,LocalFree,LocalAlloc,lstrlenA,LocalAlloc,lstrcpyA,CreateSemaphoreW,InitializeCriticalSection,CreateThread,CreateThread,SetThreadPriority,SetThreadPriority,EnterCriticalSection,LeaveCriticalSection, 12_2_00007FF600A768B0
Source: C:\Program Files\FileOpen\Services\FileOpenManager64.exe Code function: 12_2_00007FF600A77510 LocalAlloc,NtReplyWaitReceivePortEx,NtReplyWaitReceivePort,FindCloseChangeNotification,NtAcceptConnectPort,LocalFree,GetCurrentProcessId,LocalAlloc,NtAcceptConnectPort,LocalAlloc,LocalFree,NtCompleteConnectPort,SetEvent,EnterCriticalSection,LeaveCriticalSection,ReleaseSemaphore,LocalFree,NtAcceptConnectPort,LocalFree,LocalFree,LocalFree, 12_2_00007FF600A77510
Source: C:\Program Files\FileOpen\Services\FileOpenManager64.exe Code function: 12_2_00007FF600A77AF0 EnterCriticalSection,LeaveCriticalSection,ReleaseSemaphore,NtConnectPort,LocalFree,WaitForSingleObject,TerminateThread,CloseHandle,WaitForSingleObject,TerminateThread,CloseHandle,GetCurrentProcess,GetCurrentProcess,DuplicateHandle,SetEvent,WaitForSingleObject,CloseHandle,SetEvent,WaitForSingleObject,EnterCriticalSection,TerminateThread,CloseHandle,CloseHandle,LocalFree,LocalFree,LeaveCriticalSection,CloseHandle,CloseHandle,DeleteCriticalSection,LocalFree,LocalFree, 12_2_00007FF600A77AF0
Source: C:\Program Files\FileOpen\Services\FileOpenManager64.exe Code function: 12_2_00007FF600A75F80 GetLastError,GetCurrentProcessId,GetCurrentProcessId,GetCurrentProcessId,CreateFileMappingW,MapViewOfFile,UnmapViewOfFile,NtConnectPort,CloseHandle,LocalFree,CloseHandle,GetCurrentProcessId,OpenProcess,OpenProcess,GetCurrentProcess,DuplicateHandle,GetCurrentProcessId,WriteFile,WriteFile,WriteFile,WriteFile,WriteFile,CloseHandle,ReleaseMutex,CloseHandle,CloseHandle,SetLastError, 12_2_00007FF600A75F80
Source: C:\Program Files\FileOpen\Services\FileOpenBroker64.exe Code function: 13_2_00007FF668DD8DE0 LocalAlloc,NtReplyWaitReceivePortEx,NtReplyWaitReceivePort,CloseHandle,NtAcceptConnectPort,LocalFree,GetCurrentProcessId,LocalAlloc,NtAcceptConnectPort,LocalAlloc,LocalFree,NtCompleteConnectPort,SetEvent,EnterCriticalSection,LeaveCriticalSection,ReleaseSemaphore,LocalFree,NtAcceptConnectPort,LocalFree,LocalFree,LocalFree, 13_2_00007FF668DD8DE0
Source: C:\Program Files\FileOpen\Services\FileOpenBroker64.exe Code function: 13_2_00007FF668DD8180 GetCurrentProcess,GetCurrentProcess,GetCurrentProcess,DuplicateHandle,SetLastError,FindCloseChangeNotification,EnterCriticalSection,LeaveCriticalSection,LocalAlloc,NtCreatePort,LocalFree,LocalFree,LocalFree,LocalAlloc,lstrlenA,LocalAlloc,lstrcpyA,CreateSemaphoreW,InitializeCriticalSection,CreateThread,CreateThread,SetThreadPriority,SetThreadPriority,EnterCriticalSection,LeaveCriticalSection, 13_2_00007FF668DD8180
Source: C:\Program Files\FileOpen\Services\FileOpenBroker64.exe Code function: 13_2_00007FF668DD7850 GetLastError,GetCurrentProcessId,GetCurrentProcessId,GetCurrentProcessId,CreateFileMappingW,MapViewOfFile,UnmapViewOfFile,NtConnectPort,CloseHandle,LocalFree,CloseHandle,GetCurrentProcessId,OpenProcess,OpenProcess,GetCurrentProcess,DuplicateHandle,GetCurrentProcessId,WriteFile,WriteFile,WriteFile,WriteFile,WriteFile,CloseHandle,ReleaseMutex,CloseHandle,CloseHandle,SetLastError, 13_2_00007FF668DD7850
Source: C:\Program Files\FileOpen\Services\FileOpenBroker64.exe Code function: 13_2_00007FF668DD93C0 EnterCriticalSection,LeaveCriticalSection,ReleaseSemaphore,NtConnectPort,LocalFree,WaitForSingleObject,TerminateThread,CloseHandle,WaitForSingleObject,TerminateThread,CloseHandle,GetCurrentProcess,GetCurrentProcess,DuplicateHandle,SetEvent,WaitForSingleObject,CloseHandle,SetEvent,WaitForSingleObject,EnterCriticalSection,TerminateThread,CloseHandle,CloseHandle,LocalFree,LocalFree,LeaveCriticalSection,CloseHandle,CloseHandle,DeleteCriticalSection,LocalFree,LocalFree, 13_2_00007FF668DD93C0
Source: C:\Program Files\FileOpen\Services\FileOpenBroker64.exe Code function: 16_2_00007FF668DD8180 GetCurrentProcess,GetCurrentProcess,GetCurrentProcess,DuplicateHandle,SetLastError,CloseHandle,EnterCriticalSection,LeaveCriticalSection,LocalAlloc,NtCreatePort,LocalFree,LocalFree,LocalFree,LocalAlloc,lstrlenA,LocalAlloc,lstrcpyA,CreateSemaphoreW,InitializeCriticalSection,CreateThread,CreateThread,SetThreadPriority,SetThreadPriority,EnterCriticalSection,LeaveCriticalSection, 16_2_00007FF668DD8180
Source: C:\Program Files\FileOpen\Services\FileOpenBroker64.exe Code function: 16_2_00007FF668DD8DE0 LocalAlloc,NtReplyWaitReceivePortEx,NtReplyWaitReceivePort,CloseHandle,NtAcceptConnectPort,LocalFree,GetCurrentProcessId,LocalAlloc,NtAcceptConnectPort,LocalAlloc,LocalFree,NtCompleteConnectPort,SetEvent,EnterCriticalSection,LeaveCriticalSection,ReleaseSemaphore,LocalFree,NtAcceptConnectPort,LocalFree,LocalFree,LocalFree, 16_2_00007FF668DD8DE0
Source: C:\Program Files\FileOpen\Services\FileOpenBroker64.exe Code function: 16_2_00007FF668DD93C0 EnterCriticalSection,LeaveCriticalSection,ReleaseSemaphore,NtConnectPort,LocalFree,WaitForSingleObject,TerminateThread,CloseHandle,WaitForSingleObject,TerminateThread,CloseHandle,GetCurrentProcess,GetCurrentProcess,DuplicateHandle,SetEvent,WaitForSingleObject,CloseHandle,SetEvent,WaitForSingleObject,EnterCriticalSection,TerminateThread,CloseHandle,CloseHandle,LocalFree,LocalFree,LeaveCriticalSection,CloseHandle,CloseHandle,DeleteCriticalSection,LocalFree,LocalFree, 16_2_00007FF668DD93C0
Source: C:\Program Files\FileOpen\Services\FileOpenBroker64.exe Code function: 16_2_00007FF668DD7850 GetLastError,GetCurrentProcessId,GetCurrentProcessId,GetCurrentProcessId,CreateFileMappingW,MapViewOfFile,UnmapViewOfFile,NtConnectPort,CloseHandle,LocalFree,CloseHandle,GetCurrentProcessId,OpenProcess,OpenProcess,GetCurrentProcess,DuplicateHandle,GetCurrentProcessId,WriteFile,WriteFile,WriteFile,WriteFile,WriteFile,CloseHandle,ReleaseMutex,CloseHandle,CloseHandle,SetLastError, 16_2_00007FF668DD7850
Contains functionality to communicate with device drivers
Source: C:\Program Files\FileOpen\Services\FileOpenManager64.exe Code function: 12_2_00007FF600A8E320: LocalAlloc,CreateFileW,CreateEventW,GetCurrentThreadId,DeviceIoControl,GetLastError,WaitForMultipleObjects,GetOverlappedResult,LocalAlloc,LocalAlloc,OpenProcess,CloseHandle,LocalFree,LocalFree,ResetEvent,CancelIo,CloseHandle,CloseHandle,LocalFree,CloseHandle,EnterCriticalSection,LeaveCriticalSection,LocalFree,LocalFree,SetEvent, 12_2_00007FF600A8E320
PE file contains executable resources (Code or Archives)
Source: FileOpenInstaller.tmp.0.dr Static PE information: Resource name: RT_RCDATA type: PE32+ executable (console) x86-64, for MS Windows
Source: is-NSHSA.tmp.4.dr Static PE information: Resource name: RT_RCDATA type: PE32+ executable (console) x86-64, for MS Windows
Source: is-FC998.tmp.4.dr Static PE information: Resource name: RT_VERSION type: TTComp archive data, binary, 2K dictionary
Sample file is different than original file name gathered from version info
Source: FileOpenInstaller.exe, 00000000.00000000.2482388575.0000000000541000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: OriginalFileName vs FileOpenInstaller.exe
Source: FileOpenInstaller.exe, 00000000.00000003.2484508219.0000000002905000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: OriginalFileName vs FileOpenInstaller.exe
Source: FileOpenInstaller.exe, 00000000.00000003.2795690428.0000000002448000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: OriginalFilenamekernel32j% vs FileOpenInstaller.exe
Source: FileOpenInstaller.exe, 00000000.00000003.2487120202.000000007FE31000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: OriginalFileName vs FileOpenInstaller.exe
Source: FileOpenInstaller.exe Binary or memory string: OriginalFileName vs FileOpenInstaller.exe
PE file contains strange resources
Source: is-FC998.tmp.4.dr Static PE information: Resource name: RT_VERSION type: TTComp archive data, binary, 2K dictionary
Tries to load missing DLLs
Source: C:\Users\user\Desktop\FileOpenInstaller.exe Section loaded: edgegdi.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-RJIJI.tmp\FileOpenInstaller.tmp Section loaded: edgegdi.dll Jump to behavior
Source: C:\Program Files\FileOpen\Services\FileOpenManager64.exe Section loaded: edgegdi.dll Jump to behavior
Source: C:\Program Files\FileOpen\Services\FileOpenBroker64.exe Section loaded: edgegdi.dll Jump to behavior
Source: C:\Program Files\FileOpen\Services\FileOpenBroker64.exe Section loaded: edgegdi.dll Jump to behavior
Contains functionality to delete services
Source: C:\Program Files\FileOpen\Services\FileOpenManager64.exe Code function: 12_2_00007FF600A895C0 OpenSCManagerW,OpenServiceW,DeleteService,GetLastError,CloseServiceHandle,SetLastError,GetLastError,CloseServiceHandle,SetLastError, 12_2_00007FF600A895C0
Source: C:\Users\user\Desktop\FileOpenInstaller.exe File read: C:\Users\user\Desktop\FileOpenInstaller.exe Jump to behavior
Source: C:\Users\user\Desktop\FileOpenInstaller.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers Jump to behavior
Source: unknown Process created: C:\Users\user\Desktop\FileOpenInstaller.exe C:\Users\user\Desktop\FileOpenInstaller.exe
Source: C:\Users\user\Desktop\FileOpenInstaller.exe Process created: C:\Users\user\AppData\Local\Temp\is-RJIJI.tmp\FileOpenInstaller.tmp "C:\Users\user\AppData\Local\Temp\is-RJIJI.tmp\FileOpenInstaller.tmp" /SL5="$6040A,6054369,1320960,C:\Users\user\Desktop\FileOpenInstaller.exe"
Source: C:\Users\user\AppData\Local\Temp\is-RJIJI.tmp\FileOpenInstaller.tmp Process created: C:\Windows\System32\sc.exe "C:\Windows\system32\sc.exe" create FileOpenManager binpath= "\"C:\Program Files\FileOpen\Services\FileOpenManager64.exe\"" start= auto
Source: C:\Windows\System32\sc.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Temp\is-RJIJI.tmp\FileOpenInstaller.tmp Process created: C:\Windows\System32\sc.exe "C:\Windows\system32\sc.exe" description FileOpenManager "FileOpen Client Manager"
Source: C:\Windows\System32\sc.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Temp\is-RJIJI.tmp\FileOpenInstaller.tmp Process created: C:\Windows\System32\sc.exe "C:\Windows\system32\sc.exe" start FileOpenManager
Source: C:\Windows\System32\sc.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown Process created: C:\Program Files\FileOpen\Services\FileOpenManager64.exe C:\Program Files\FileOpen\Services\FileOpenManager64.exe
Source: C:\Users\user\AppData\Local\Temp\is-RJIJI.tmp\FileOpenInstaller.tmp Process created: C:\Program Files\FileOpen\Services\FileOpenBroker64.exe C:\Program Files\FileOpen\Services\FileOpenBroker64.exe
Source: C:\Users\user\AppData\Local\Temp\is-RJIJI.tmp\FileOpenInstaller.tmp Process created: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe" installcomplete.pdf
Source: unknown Process created: C:\Program Files\FileOpen\Services\FileOpenBroker64.exe "C:\Program Files\FileOpen\Services\FileOpenBroker64.exe"
Source: C:\Users\user\Desktop\FileOpenInstaller.exe Process created: C:\Users\user\AppData\Local\Temp\is-RJIJI.tmp\FileOpenInstaller.tmp "C:\Users\user\AppData\Local\Temp\is-RJIJI.tmp\FileOpenInstaller.tmp" /SL5="$6040A,6054369,1320960,C:\Users\user\Desktop\FileOpenInstaller.exe" Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-RJIJI.tmp\FileOpenInstaller.tmp Process created: C:\Windows\System32\sc.exe "C:\Windows\system32\sc.exe" create FileOpenManager binpath= "\"C:\Program Files\FileOpen\Services\FileOpenManager64.exe\"" start= auto Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-RJIJI.tmp\FileOpenInstaller.tmp Process created: C:\Windows\System32\sc.exe "C:\Windows\system32\sc.exe" description FileOpenManager "FileOpen Client Manager" Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-RJIJI.tmp\FileOpenInstaller.tmp Process created: C:\Windows\System32\sc.exe "C:\Windows\system32\sc.exe" start FileOpenManager Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-RJIJI.tmp\FileOpenInstaller.tmp Process created: C:\Program Files\FileOpen\Services\FileOpenBroker64.exe C:\Program Files\FileOpen\Services\FileOpenBroker64.exe Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-RJIJI.tmp\FileOpenInstaller.tmp Process created: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe" installcomplete.pdf Jump to behavior
Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe Process created: unknown unknown Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-RJIJI.tmp\FileOpenInstaller.tmp Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{00BB2765-6A77-11D0-A535-00C04FD7D062}\InProcServer32 Jump to behavior
Source: C:\Program Files\FileOpen\Services\FileOpenManager64.exe Code function: 12_2_00007FF600A7A260 GetCurrentProcess,OpenProcessToken,GetTokenInformation,LocalAlloc,GetTokenInformation,LookupPrivilegeValueW,LookupPrivilegeValueW,LookupPrivilegeValueW,AdjustTokenPrivileges,LocalFree,FindCloseChangeNotification, 12_2_00007FF600A7A260
Source: C:\Program Files\FileOpen\Services\FileOpenBroker64.exe Code function: 13_2_00007FF668DD6F80 GetCurrentProcess,OpenProcessToken,GetTokenInformation,LocalAlloc,GetTokenInformation,LookupPrivilegeValueW,LookupPrivilegeValueW,LookupPrivilegeValueW,AdjustTokenPrivileges,LocalFree,FindCloseChangeNotification, 13_2_00007FF668DD6F80
Source: C:\Program Files\FileOpen\Services\FileOpenBroker64.exe Code function: 16_2_00007FF668DD6F80 GetCurrentProcess,OpenProcessToken,GetTokenInformation,LocalAlloc,GetTokenInformation,LookupPrivilegeValueW,LookupPrivilegeValueW,LookupPrivilegeValueW,AdjustTokenPrivileges,LocalFree,FindCloseChangeNotification, 16_2_00007FF668DD6F80
Source: C:\Users\user\AppData\Local\Temp\is-RJIJI.tmp\FileOpenInstaller.tmp File created: C:\Users\user\AppData\Local\Programs Jump to behavior
Source: C:\Users\user\Desktop\FileOpenInstaller.exe File created: C:\Users\user\AppData\Local\Temp\is-RJIJI.tmp Jump to behavior
Source: classification engine Classification label: clean16.winEXE@19/50@2/2
Source: C:\Program Files\FileOpen\Services\FileOpenManager64.exe Code function: OpenSCManagerW,OpenServiceW,GetLastError,CloseServiceHandle,SetLastError,CreateServiceW,CloseServiceHandle,GetLastError,CloseServiceHandle,SetLastError,GetLastError,SetLastError, 12_2_00007FF600A89310
Source: C:\Program Files\FileOpen\Services\FileOpenManager64.exe Code function: OpenSCManagerA,GetLastError,CreateServiceA,GetLastError,CloseServiceHandle,CloseServiceHandle,CloseServiceHandle, 12_2_00007FF600AA1A60
Source: C:\Program Files\FileOpen\Services\FileOpenBroker64.exe Code function: OpenSCManagerW,OpenServiceW,GetLastError,CloseServiceHandle,SetLastError,CreateServiceW,CloseServiceHandle,GetLastError,CloseServiceHandle,SetLastError,GetLastError,SetLastError, 13_2_00007FF668DE9300
Source: C:\Program Files\FileOpen\Services\FileOpenBroker64.exe Code function: OpenSCManagerW,OpenServiceW,GetLastError,CloseServiceHandle,SetLastError,CreateServiceW,CloseServiceHandle,GetLastError,CloseServiceHandle,SetLastError,GetLastError,SetLastError, 16_2_00007FF668DE9300
Source: FileOpenInstaller.tmp, 00000004.00000003.2775176990.0000000003C5E000.00000004.00001000.00020000.00000000.sdmp, FileOpenInstaller.tmp, 00000004.00000003.2775176990.0000000003AB5000.00000004.00001000.00020000.00000000.sdmp, FileOpenInstaller.tmp, 00000004.00000003.2775176990.0000000003A30000.00000004.00001000.00020000.00000000.sdmp, FileOpenBroker64.exe, 0000000D.00000002.3723165095.00007FF668F4B000.00000002.00000001.01000000.0000000A.sdmp, FileOpenBroker64.exe, 0000000D.00000000.2735368706.00007FF668F4B000.00000002.00000001.01000000.0000000A.sdmp, FileOpenBroker64.exe, 00000010.00000000.2815055164.00007FF668F4B000.00000002.00000001.01000000.0000000A.sdmp, FileOpenBroker64.exe, 00000010.00000002.2820538293.00007FF668F4B000.00000002.00000001.01000000.0000000A.sdmp, is-JKV7N.tmp.4.dr, is-GV932.tmp.4.dr Binary or memory string: UPDATE %Q.sqlite_master SET tbl_name = %Q, name = CASE WHEN type='table' THEN %Q WHEN name LIKE 'sqliteX_autoindex%%' ESCAPE 'X' AND type='index' THEN 'sqlite_autoindex_' || %Q || substr(name,%d+18) ELSE name END WHERE tbl_name=%Q COLLATE nocase AND (type='table' OR type='index' OR type='trigger');
Source: FileOpenBroker64.exe, FileOpenBroker64.exe, 00000010.00000000.2815055164.00007FF668F4B000.00000002.00000001.01000000.0000000A.sdmp, FileOpenBroker64.exe, 00000010.00000002.2820538293.00007FF668F4B000.00000002.00000001.01000000.0000000A.sdmp, is-JKV7N.tmp.4.dr, is-GV932.tmp.4.dr Binary or memory string: SELECT tbl_name FROM sqlite_master WHERE type='table' AND name='%s';
Source: FileOpenInstaller.tmp, 00000004.00000003.2775176990.0000000003C5E000.00000004.00001000.00020000.00000000.sdmp, FileOpenInstaller.tmp, 00000004.00000003.2775176990.0000000003AB5000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: UPDATE %s SET = WHERE %s = %d AND %s = '%s';fotkSqliteStorage.cpp:%d. SetLibSqliteDbGdpr - Can't sqlite3_step a '%s' row. Result code %d - Err message '%s'.
Source: FileOpenBroker64.exe, FileOpenBroker64.exe, 00000010.00000000.2815055164.00007FF668F4B000.00000002.00000001.01000000.0000000A.sdmp, FileOpenBroker64.exe, 00000010.00000002.2820538293.00007FF668F4B000.00000002.00000001.01000000.0000000A.sdmp, is-JKV7N.tmp.4.dr, is-GV932.tmp.4.dr Binary or memory string: UPDATE %s SET %s = %u WHERE %s = %d AND %s = '%s';
Source: FileOpenInstaller.tmp, 00000004.00000003.2775176990.0000000003C5E000.00000004.00001000.00020000.00000000.sdmp, FileOpenInstaller.tmp, 00000004.00000003.2775176990.0000000003AB5000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: SELECT * FROM %s WHERE pubId = %d AND url = '%s';fotkSqliteStorage.cpp:%d. GetLibSqliteDbGdpr - Can't sqlite3_prepare_v2 a '%s' statement. Result code %d - Err message '%s'.
Source: FileOpenInstaller.tmp, 00000004.00000003.2775176990.0000000003C5E000.00000004.00001000.00020000.00000000.sdmp, FileOpenInstaller.tmp, 00000004.00000003.2775176990.0000000003AB5000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: SELECT idx FROM %s WHERE pubId = %d AND url = '%s';fotkSqliteStorage.cpp:%d. SetLibSqliteDbGdpr. query '%s'
Source: FileOpenInstaller.tmp, 00000004.00000003.2775176990.0000000003C5E000.00000004.00001000.00020000.00000000.sdmp, FileOpenInstaller.tmp, 00000004.00000003.2775176990.0000000003AB5000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: SELECT sql FROM sqlite_master WHERE type='table' AND name = '%s';gdprGDPRfotkLibSqliteSchema.cpp.
Source: FileOpenInstaller.tmp, 00000004.00000003.2775176990.0000000003C5E000.00000004.00001000.00020000.00000000.sdmp, FileOpenInstaller.tmp, 00000004.00000003.2775176990.0000000003AB5000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: INSERT INTO %s (,) VALUES ('datetime('now')%u);fotkSqliteStorage.cpp:%d. SetLibSqliteDbGdpr. The Gdpr database must be updated.
Source: FileOpenBroker64.exe, FileOpenBroker64.exe, 00000010.00000000.2815055164.00007FF668F4B000.00000002.00000001.01000000.0000000A.sdmp, FileOpenBroker64.exe, 00000010.00000002.2820538293.00007FF668F4B000.00000002.00000001.01000000.0000000A.sdmp, is-JKV7N.tmp.4.dr, is-GV932.tmp.4.dr Binary or memory string: SELECT sql FROM sqlite_master WHERE type='table' AND name = '%s';
Source: FileOpenBroker64.exe, FileOpenBroker64.exe, 00000010.00000000.2815055164.00007FF668F4B000.00000002.00000001.01000000.0000000A.sdmp, FileOpenBroker64.exe, 00000010.00000002.2820538293.00007FF668F4B000.00000002.00000001.01000000.0000000A.sdmp, is-JKV7N.tmp.4.dr, is-GV932.tmp.4.dr Binary or memory string: SELECT idx FROM %s WHERE pubId = %d AND url = '%s';
Source: FileOpenBroker64.exe, FileOpenBroker64.exe, 00000010.00000000.2815055164.00007FF668F4B000.00000002.00000001.01000000.0000000A.sdmp, FileOpenBroker64.exe, 00000010.00000002.2820538293.00007FF668F4B000.00000002.00000001.01000000.0000000A.sdmp, is-JKV7N.tmp.4.dr, is-GV932.tmp.4.dr Binary or memory string: SELECT * FROM %s WHERE pubId = %d AND url = '%s';
Source: FileOpenInstaller.tmp, 00000004.00000003.2775176990.0000000003C5E000.00000004.00001000.00020000.00000000.sdmp, FileOpenInstaller.tmp, 00000004.00000003.2775176990.0000000003AB5000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: SELECT %s FROM %s WHERE %s = %d AND %s = '%s';fotkSqliteStorage.cpp:%d. GetLibSqliteDbGdprState. query '%s'
Source: FileOpenInstaller.tmp, 00000004.00000003.2775176990.0000000003C5E000.00000004.00001000.00020000.00000000.sdmp, FileOpenInstaller.tmp, 00000004.00000003.2775176990.0000000003AB5000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: SELECT * FROM sqlite_master;
Source: FileOpenInstaller.tmp, 00000004.00000003.2775176990.0000000003C5E000.00000004.00001000.00020000.00000000.sdmp, FileOpenInstaller.tmp, 00000004.00000003.2775176990.0000000003AB5000.00000004.00001000.00020000.00000000.sdmp, FileOpenInstaller.tmp, 00000004.00000003.2775176990.0000000003A30000.00000004.00001000.00020000.00000000.sdmp, FileOpenBroker64.exe, 0000000D.00000002.3723165095.00007FF668F4B000.00000002.00000001.01000000.0000000A.sdmp, FileOpenBroker64.exe, 0000000D.00000000.2735368706.00007FF668F4B000.00000002.00000001.01000000.0000000A.sdmp, FileOpenBroker64.exe, 00000010.00000000.2815055164.00007FF668F4B000.00000002.00000001.01000000.0000000A.sdmp, FileOpenBroker64.exe, 00000010.00000002.2820538293.00007FF668F4B000.00000002.00000001.01000000.0000000A.sdmp, is-JKV7N.tmp.4.dr, is-GV932.tmp.4.dr Binary or memory string: INSERT INTO %Q.sqlite_master VALUES('index',%Q,%Q,#%d,%Q);
Source: FileOpenInstaller.tmp, 00000004.00000003.2775176990.0000000003C5E000.00000004.00001000.00020000.00000000.sdmp, FileOpenInstaller.tmp, 00000004.00000003.2775176990.0000000003AB5000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: SELECT tbl_name FROM sqlite_master WHERE type='table' AND name='%s';SqliteCookies.cpp:%d. GetSqliteDbCookieContent - SQL '%s' returns error '%s'.
Source: FileOpenInstaller.tmp, 00000004.00000003.2775176990.0000000003C5E000.00000004.00001000.00020000.00000000.sdmp, FileOpenInstaller.tmp, 00000004.00000003.2775176990.0000000003AB5000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: UPDATE %s SET %s = %u WHERE %s = %d AND %s = '%s';fotkSqliteStorage.cpp:%d. SetLibSqliteDbGdprState. query '%s'
Source: FileOpenBroker64.exe, FileOpenBroker64.exe, 00000010.00000000.2815055164.00007FF668F4B000.00000002.00000001.01000000.0000000A.sdmp, FileOpenBroker64.exe, 00000010.00000002.2820538293.00007FF668F4B000.00000002.00000001.01000000.0000000A.sdmp, is-JKV7N.tmp.4.dr, is-GV932.tmp.4.dr Binary or memory string: SELECT %s FROM %s WHERE %s = %d AND %s = '%s';
Source: C:\Program Files\FileOpen\Services\FileOpenManager64.exe Code function: 12_2_00007FF600AA1390 WTSGetActiveConsoleSessionId,lstrcmpiA,StartServiceCtrlDispatcherA, 12_2_00007FF600AA1390
Source: C:\Users\user\Desktop\FileOpenInstaller.exe Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales Jump to behavior
Source: C:\Users\user\Desktop\FileOpenInstaller.exe Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-RJIJI.tmp\FileOpenInstaller.tmp Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-RJIJI.tmp\FileOpenInstaller.tmp Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales Jump to behavior
Source: C:\Program Files\FileOpen\Services\FileOpenManager64.exe Code function: 12_2_00007FF600AA1390 WTSGetActiveConsoleSessionId,lstrcmpiA,StartServiceCtrlDispatcherA, 12_2_00007FF600AA1390
Source: C:\Program Files\FileOpen\Services\FileOpenManager64.exe Code function: 12_2_00007FF600AA0EE0 CreateToolhelp32Snapshot,CloseHandle,CloseHandle, 12_2_00007FF600AA0EE0
Source: C:\Program Files\FileOpen\Services\FileOpenBroker64.exe Mutant created: \Sessions\1\BaseNamedObjects\Ipc2Cnt$1674Mutex
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3300:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3300:304:WilStaging_02
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3208:304:WilStaging_02
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4300:304:WilStaging_02
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4300:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3208:120:WilError_03
Source: C:\Users\user\AppData\Local\Temp\is-RJIJI.tmp\FileOpenInstaller.tmp File created: C:\Program Files\FileOpen Jump to behavior
Source: FileOpenInstaller.exe String found in binary or memory: /LOADINF="filename"
Source: C:\Users\user\AppData\Local\Temp\is-RJIJI.tmp\FileOpenInstaller.tmp Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion RegisteredOrganization Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-RJIJI.tmp\FileOpenInstaller.tmp Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion RegisteredOwner Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-RJIJI.tmp\FileOpenInstaller.tmp Window found: window name: TMainForm Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-RJIJI.tmp\FileOpenInstaller.tmp Automated click: Next >
Source: C:\Users\user\AppData\Local\Temp\is-RJIJI.tmp\FileOpenInstaller.tmp Automated click: I accept the agreement
Source: C:\Users\user\AppData\Local\Temp\is-RJIJI.tmp\FileOpenInstaller.tmp Automated click: Next >
Source: C:\Users\user\AppData\Local\Temp\is-RJIJI.tmp\FileOpenInstaller.tmp Automated click: I accept the agreement
Source: C:\Users\user\AppData\Local\Temp\is-RJIJI.tmp\FileOpenInstaller.tmp Automated click: Next >
Source: C:\Users\user\AppData\Local\Temp\is-RJIJI.tmp\FileOpenInstaller.tmp Automated click: I accept the agreement
Source: C:\Users\user\AppData\Local\Temp\is-RJIJI.tmp\FileOpenInstaller.tmp Automated click: Install
Source: C:\Users\user\AppData\Local\Temp\is-RJIJI.tmp\FileOpenInstaller.tmp Automated click: I accept the agreement
Source: C:\Users\user\AppData\Local\Temp\is-RJIJI.tmp\FileOpenInstaller.tmp File opened: C:\Windows\SysWOW64\MSFTEDIT.DLL Jump to behavior
Source: Window Recorder Window detected: More than 3 window changes detected
Source: C:\Users\user\AppData\Local\Temp\is-RJIJI.tmp\FileOpenInstaller.tmp Registry value created: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\FileOpenClient_is1 Jump to behavior
Source: FileOpenInstaller.exe Static file information: File size 6831336 > 1048576
Source: C:\Users\user\AppData\Local\Temp\is-RJIJI.tmp\FileOpenInstaller.tmp Directory created: C:\Program Files\FileOpen Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-RJIJI.tmp\FileOpenInstaller.tmp Directory created: C:\Program Files\FileOpen\unins000.dat Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-RJIJI.tmp\FileOpenInstaller.tmp Directory created: C:\Program Files\FileOpen\is-NSHSA.tmp Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-RJIJI.tmp\FileOpenInstaller.tmp Directory created: C:\Program Files\FileOpen\is-9KV5A.tmp Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-RJIJI.tmp\FileOpenInstaller.tmp Directory created: C:\Program Files\FileOpen\examples Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-RJIJI.tmp\FileOpenInstaller.tmp Directory created: C:\Program Files\FileOpen\examples\is-5NKPI.tmp Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-RJIJI.tmp\FileOpenInstaller.tmp Directory created: C:\Program Files\FileOpen\Services Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-RJIJI.tmp\FileOpenInstaller.tmp Directory created: C:\Program Files\FileOpen\Services\is-JKV7N.tmp Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-RJIJI.tmp\FileOpenInstaller.tmp Directory created: C:\Program Files\FileOpen\Services\is-FC998.tmp Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-RJIJI.tmp\FileOpenInstaller.tmp Directory created: C:\Program Files\FileOpen\unins000.msg Jump to behavior
Source: FileOpenInstaller.exe Static PE information: certificate valid
Source: FileOpenInstaller.exe Static PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Source: Binary string: C:\dev\FileOpenClient-dev\build-x64-RelWithDebInfo\RelWithDebInfo\FileOpenBrokerTrace64.pdbj source: FileOpenInstaller.tmp, 00000004.00000003.2775176990.0000000003C5E000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: C:\dev\AcroClient-WinInstallers\FileOpenInstallerExe\UtilDll\Release\UtilDll.pdb source: UtilDll.dll.4.dr, is-9KV5A.tmp.4.dr
Source: Binary string: C:\dev\FileOpenClient-dev\build-x64-RelWithDebInfo\RelWithDebInfo\FileOpenBroker64.pdb source: FileOpenInstaller.tmp, 00000004.00000003.2775176990.0000000003A30000.00000004.00001000.00020000.00000000.sdmp, FileOpenBroker64.exe, 0000000D.00000002.3723165095.00007FF668F4B000.00000002.00000001.01000000.0000000A.sdmp, FileOpenBroker64.exe, 0000000D.00000000.2735368706.00007FF668F4B000.00000002.00000001.01000000.0000000A.sdmp, FileOpenBroker64.exe, 00000010.00000000.2815055164.00007FF668F4B000.00000002.00000001.01000000.0000000A.sdmp, FileOpenBroker64.exe, 00000010.00000002.2820538293.00007FF668F4B000.00000002.00000001.01000000.0000000A.sdmp, is-JKV7N.tmp.4.dr
Source: Binary string: C:\dev\FileOpenClient-dev\build-x64-RelWithDebInfo\RelWithDebInfo\FileOpenManager64.pdb source: FileOpenInstaller.tmp, 00000004.00000003.2775176990.0000000003E70000.00000004.00001000.00020000.00000000.sdmp, FileOpenManager64.exe, 0000000C.00000002.3719999030.00007FF600B07000.00000002.00000001.01000000.00000009.sdmp, FileOpenManager64.exe, 0000000C.00000000.2731798759.00007FF600B07000.00000002.00000001.01000000.00000009.sdmp, is-FC998.tmp.4.dr
Source: Binary string: C:\dev\FileOpenClient-dev\build-Win32-RelWithDebInfo\RelWithDebInfo\FileOpenPlugin32.B998.pdb source: is-GV932.tmp.4.dr
Source: Binary string: C:\dev\FileOpenClient-dev\build-x64-RelWithDebInfo\RelWithDebInfo\FileOpenBrokerTrace64.pdb source: FileOpenInstaller.tmp, 00000004.00000003.2775176990.0000000003C5E000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: C:\dev\FileOpenClient-dev\build-x64-RelWithDebInfo\RelWithDebInfo\FileOpenBroker64.pdbi source: FileOpenInstaller.tmp, 00000004.00000003.2775176990.0000000003A30000.00000004.00001000.00020000.00000000.sdmp, FileOpenBroker64.exe, 0000000D.00000002.3723165095.00007FF668F4B000.00000002.00000001.01000000.0000000A.sdmp, FileOpenBroker64.exe, 0000000D.00000000.2735368706.00007FF668F4B000.00000002.00000001.01000000.0000000A.sdmp, FileOpenBroker64.exe, 00000010.00000000.2815055164.00007FF668F4B000.00000002.00000001.01000000.0000000A.sdmp, FileOpenBroker64.exe, 00000010.00000002.2820538293.00007FF668F4B000.00000002.00000001.01000000.0000000A.sdmp, is-JKV7N.tmp.4.dr
Source: Binary string: C:\dev\FileOpenClient-dev\build-Win32-RelWithDebInfo\RelWithDebInfo\FileOpenBrokerTrace32.pdb source: FileOpenInstaller.tmp, 00000004.00000003.2775176990.0000000003AB5000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: C:\dev\FileOpenClient-dev\build-Win32-RelWithDebInfo\RelWithDebInfo\FileOpenManager32.pdb source: FileOpenInstaller.tmp, 00000004.00000003.2775176990.0000000003E70000.00000004.00001000.00020000.00000000.sdmp

Data Obfuscation
barindex
Obfuscated command line found
Source: C:\Users\user\Desktop\FileOpenInstaller.exe Process created: C:\Users\user\AppData\Local\Temp\is-RJIJI.tmp\FileOpenInstaller.tmp "C:\Users\user\AppData\Local\Temp\is-RJIJI.tmp\FileOpenInstaller.tmp" /SL5="$6040A,6054369,1320960,C:\Users\user\Desktop\FileOpenInstaller.exe"
Source: C:\Users\user\Desktop\FileOpenInstaller.exe Process created: C:\Users\user\AppData\Local\Temp\is-RJIJI.tmp\FileOpenInstaller.tmp "C:\Users\user\AppData\Local\Temp\is-RJIJI.tmp\FileOpenInstaller.tmp" /SL5="$6040A,6054369,1320960,C:\Users\user\Desktop\FileOpenInstaller.exe" Jump to behavior
PE file contains sections with non-standard names
Source: FileOpenInstaller.exe Static PE information: section name: .didata
Source: FileOpenInstaller.tmp.0.dr Static PE information: section name: .didata
Source: is-NSHSA.tmp.4.dr Static PE information: section name: .didata
Source: is-JKV7N.tmp.4.dr Static PE information: section name: _RDATA
Source: is-FC998.tmp.4.dr Static PE information: section name: _RDATA
Contains functionality to dynamically determine API calls
Source: C:\Program Files\FileOpen\Services\FileOpenManager64.exe Code function: 12_2_00007FF600A75A00 LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,AllocateAndInitializeSid,AllocateAndInitializeSid,LocalFree,FreeSid,FreeSid,LocalFree,FreeLibrary, 12_2_00007FF600A75A00
Drops PE files
Source: C:\Users\user\AppData\Local\Temp\is-RJIJI.tmp\FileOpenInstaller.tmp File created: C:\Program Files\FileOpen\Services\is-FC998.tmp Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-RJIJI.tmp\FileOpenInstaller.tmp File created: C:\Program Files\FileOpen\Services\is-JKV7N.tmp Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-RJIJI.tmp\FileOpenInstaller.tmp File created: C:\Program Files\FileOpen\Services\FileOpenBroker64.exe (copy) Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-RJIJI.tmp\FileOpenInstaller.tmp File created: C:\Program Files\FileOpen\is-NSHSA.tmp Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-RJIJI.tmp\FileOpenInstaller.tmp File created: C:\Program Files\FileOpen\is-9KV5A.tmp Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-RJIJI.tmp\FileOpenInstaller.tmp File created: C:\Program Files\FileOpen\unins000.exe (copy) Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-RJIJI.tmp\FileOpenInstaller.tmp File created: C:\Program Files\FileOpen\UtilDll.dll (copy) Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-RJIJI.tmp\FileOpenInstaller.tmp File created: C:\Users\user\AppData\Local\Temp\is-K56MV.tmp\UtilDll.dll Jump to dropped file
Source: C:\Users\user\Desktop\FileOpenInstaller.exe File created: C:\Users\user\AppData\Local\Temp\is-RJIJI.tmp\FileOpenInstaller.tmp Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-RJIJI.tmp\FileOpenInstaller.tmp File created: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\is-GV932.tmp Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-RJIJI.tmp\FileOpenInstaller.tmp File created: C:\Users\user\AppData\Local\Temp\is-K56MV.tmp\_isetup\_setup64.tmp Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-RJIJI.tmp\FileOpenInstaller.tmp File created: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\FileOpen.api (copy) Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-RJIJI.tmp\FileOpenInstaller.tmp File created: C:\Program Files\FileOpen\Services\FileOpenManager64.exe (copy) Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-RJIJI.tmp\FileOpenInstaller.tmp File created: C:\Users\user\AppData\Local\Temp\Setup Log 2023-02-07 #001.txt Jump to behavior
Source: C:\Program Files\FileOpen\Services\FileOpenManager64.exe Code function: 12_2_00007FF600AA1390 WTSGetActiveConsoleSessionId,lstrcmpiA,StartServiceCtrlDispatcherA, 12_2_00007FF600AA1390
Source: C:\Users\user\AppData\Local\Temp\is-RJIJI.tmp\FileOpenInstaller.tmp Registry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run FileOpenBroker Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-RJIJI.tmp\FileOpenInstaller.tmp Registry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run FileOpenBroker Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-RJIJI.tmp\FileOpenInstaller.tmp Process created: C:\Windows\System32\sc.exe "C:\Windows\system32\sc.exe" create FileOpenManager binpath= "\"C:\Program Files\FileOpen\Services\FileOpenManager64.exe\"" start= auto
Source: C:\Users\user\Desktop\FileOpenInstaller.exe Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-RJIJI.tmp\FileOpenInstaller.tmp Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-RJIJI.tmp\FileOpenInstaller.tmp Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-RJIJI.tmp\FileOpenInstaller.tmp Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-RJIJI.tmp\FileOpenInstaller.tmp Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-RJIJI.tmp\FileOpenInstaller.tmp Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-RJIJI.tmp\FileOpenInstaller.tmp Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-RJIJI.tmp\FileOpenInstaller.tmp Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-RJIJI.tmp\FileOpenInstaller.tmp Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-RJIJI.tmp\FileOpenInstaller.tmp Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-RJIJI.tmp\FileOpenInstaller.tmp Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Sample execution stops while process was sleeping (likely an evasion)
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Found dropped PE file which has not been started or loaded
Source: C:\Users\user\AppData\Local\Temp\is-RJIJI.tmp\FileOpenInstaller.tmp Dropped PE file which has not been started: C:\Program Files\FileOpen\is-9KV5A.tmp Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-RJIJI.tmp\FileOpenInstaller.tmp Dropped PE file which has not been started: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\is-GV932.tmp Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-RJIJI.tmp\FileOpenInstaller.tmp Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\is-K56MV.tmp\_isetup\_setup64.tmp Jump to dropped file
Found evasive API chain checking for process token information
Source: C:\Program Files\FileOpen\Services\FileOpenBroker64.exe Check user administrative privileges: GetTokenInformation,DecisionNodes
Source: C:\Program Files\FileOpen\Services\FileOpenManager64.exe Check user administrative privileges: GetTokenInformation,DecisionNodes
Found large amount of non-executed APIs
Source: C:\Program Files\FileOpen\Services\FileOpenManager64.exe API coverage: 6.5 %
Source: C:\Program Files\FileOpen\Services\FileOpenBroker64.exe API coverage: 7.7 %
Source: C:\Program Files\FileOpen\Services\FileOpenBroker64.exe API coverage: 3.5 %
Contains functionality to query network adapater information
Source: C:\Program Files\FileOpen\Services\FileOpenBroker64.exe Code function: LoadLibraryA,GetProcAddress,GetAdaptersInfo,GetAdaptersInfo,FreeLibrary,FreeLibrary,FreeLibrary, 13_2_00007FF668E963D0
Source: C:\Users\user\AppData\Local\Temp\is-RJIJI.tmp\FileOpenInstaller.tmp Process information queried: ProcessInformation Jump to behavior
Source: C:\Program Files\FileOpen\Services\FileOpenManager64.exe Code function: 12_2_00007FF600AA0FD0 GetSystemInfo, 12_2_00007FF600AA0FD0
Source: C:\Program Files\FileOpen\Services\FileOpenManager64.exe Code function: 12_2_00007FF600AF1440 FindFirstFileExW,FindNextFileW,FindClose,FindClose,FindClose, 12_2_00007FF600AF1440
Source: C:\Program Files\FileOpen\Services\FileOpenManager64.exe Code function: 12_2_00007FF600AF1440 FindFirstFileExW,FindNextFileW,FindClose,FindClose,FindClose, 12_2_00007FF600AF1440
Source: C:\Program Files\FileOpen\Services\FileOpenManager64.exe Code function: 12_2_00007FF600AF1BA0 FindFirstFileExW, 12_2_00007FF600AF1BA0
Source: C:\Program Files\FileOpen\Services\FileOpenManager64.exe Code function: 12_2_00007FF600AF203C FindFirstFileExW,FindNextFileW,FindClose, 12_2_00007FF600AF203C
Source: C:\Program Files\FileOpen\Services\FileOpenBroker64.exe Code function: 13_2_00007FF668E0BC20 FindFirstFileA,FindNextFileA,FindNextFileA,FindClose, 13_2_00007FF668E0BC20
Source: C:\Program Files\FileOpen\Services\FileOpenBroker64.exe Code function: 13_2_00007FF668E0BD50 FindFirstFileA,FindNextFileA,FindNextFileA,FindClose, 13_2_00007FF668E0BD50
Source: C:\Program Files\FileOpen\Services\FileOpenBroker64.exe Code function: 13_2_00007FF668E03E90 FindFirstFileA,FindNextFileA,FindClose, 13_2_00007FF668E03E90
Source: C:\Program Files\FileOpen\Services\FileOpenBroker64.exe Code function: 13_2_00007FF668E01130 FindFirstFileA,GetLastError,FindFirstFileA,GetLastError,FindNextFileA,GetLastError,FindClose,FindFirstFileA,GetLastError,FindNextFileA,GetLastError,FindClose,FindFirstFileA,GetLastError,FindNextFileA,GetLastError,FindClose,FindClose, 13_2_00007FF668E01130
Source: C:\Program Files\FileOpen\Services\FileOpenBroker64.exe Code function: 13_2_00007FF668E01470 FindFirstFileA,GetLastError,FindNextFileA,GetLastError,FindClose,FindFirstFileA,GetLastError,FindFirstFileA,GetLastError,FindFirstFileA,GetLastError,FindClose, 13_2_00007FF668E01470
Source: C:\Program Files\FileOpen\Services\FileOpenBroker64.exe Code function: 13_2_00007FF668E0B900 FindFirstFileA,FindNextFileA,FindNextFileA,FindClose, 13_2_00007FF668E0B900
Source: C:\Program Files\FileOpen\Services\FileOpenBroker64.exe Code function: 13_2_00007FF668E12880 FindFirstFileA,CreateFileA,GetFileTime,CloseHandle,CopyFileA,FindNextFileA,FindClose,CloseHandle, 13_2_00007FF668E12880
Source: C:\Program Files\FileOpen\Services\FileOpenBroker64.exe Code function: 16_2_00007FF668E0BC20 FindFirstFileA,FindNextFileA,FindNextFileA,FindClose, 16_2_00007FF668E0BC20
Source: C:\Program Files\FileOpen\Services\FileOpenBroker64.exe Code function: 16_2_00007FF668E0BD50 FindFirstFileA,FindNextFileA,FindNextFileA,FindClose, 16_2_00007FF668E0BD50
Source: C:\Program Files\FileOpen\Services\FileOpenBroker64.exe Code function: 16_2_00007FF668E03E90 FindFirstFileA,FindNextFileA,FindClose, 16_2_00007FF668E03E90
Source: C:\Program Files\FileOpen\Services\FileOpenBroker64.exe Code function: 16_2_00007FF668E011F3 FindFirstFileA,GetLastError,FindFirstFileA,GetLastError,FindNextFileA,GetLastError,FindClose,FindFirstFileA,GetLastError,FindNextFileA,GetLastError,FindClose,FindFirstFileA,GetLastError,FindNextFileA,GetLastError,FindClose,FindClose, 16_2_00007FF668E011F3
Source: C:\Program Files\FileOpen\Services\FileOpenBroker64.exe Code function: 16_2_00007FF668E016AB FindNextFileA,GetLastError,FindClose,FindFirstFileA,GetLastError,FindFirstFileA,GetLastError,FindFirstFileA,GetLastError,FindClose, 16_2_00007FF668E016AB
Source: C:\Program Files\FileOpen\Services\FileOpenBroker64.exe Code function: 16_2_00007FF668E0B900 FindFirstFileA,FindNextFileA,FindNextFileA,FindClose, 16_2_00007FF668E0B900
Source: C:\Program Files\FileOpen\Services\FileOpenBroker64.exe Code function: 16_2_00007FF668E12880 FindFirstFileA,CreateFileA,GetFileTime,CloseHandle,CopyFileA,FindNextFileA,FindClose,CloseHandle, 16_2_00007FF668E12880
Source: FileOpenBroker64.exe, 0000000D.00000002.3718619772.000002253DD8F000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAWp
Source: FileOpenBroker64.exe, 0000000D.00000002.3718619772.000002253DDFA000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW
Source: FileOpenBroker64.exe, 0000000D.00000002.3718619772.000002253DD8F000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAWI
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Source: C:\Program Files\FileOpen\Services\FileOpenManager64.exe Code function: 12_2_00007FF600AA66D8 IsProcessorFeaturePresent,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 12_2_00007FF600AA66D8
Contains functionality to dynamically determine API calls
Source: C:\Program Files\FileOpen\Services\FileOpenManager64.exe Code function: 12_2_00007FF600A75A00 LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,AllocateAndInitializeSid,AllocateAndInitializeSid,LocalFree,FreeSid,FreeSid,LocalFree,FreeLibrary, 12_2_00007FF600A75A00
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Source: C:\Program Files\FileOpen\Services\FileOpenManager64.exe Code function: 12_2_00007FF600A7E1D0 GetProcessHeap,HeapAlloc, 12_2_00007FF600A7E1D0
Source: C:\Program Files\FileOpen\Services\FileOpenManager64.exe Code function: 12_2_00007FF600AA618C SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 12_2_00007FF600AA618C
Source: C:\Program Files\FileOpen\Services\FileOpenManager64.exe Code function: 12_2_00007FF600AA66D8 IsProcessorFeaturePresent,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 12_2_00007FF600AA66D8
Source: C:\Program Files\FileOpen\Services\FileOpenManager64.exe Code function: 12_2_00007FF600AA68C0 SetUnhandledExceptionFilter, 12_2_00007FF600AA68C0
Source: C:\Program Files\FileOpen\Services\FileOpenManager64.exe Code function: 12_2_00007FF600ACDEE4 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 12_2_00007FF600ACDEE4
Source: C:\Program Files\FileOpen\Services\FileOpenBroker64.exe Code function: 13_2_00007FF668E9D990 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 13_2_00007FF668E9D990
Source: C:\Program Files\FileOpen\Services\FileOpenBroker64.exe Code function: 13_2_00007FF668F14010 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 13_2_00007FF668F14010
Source: C:\Program Files\FileOpen\Services\FileOpenBroker64.exe Code function: 16_2_00007FF668E9D990 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 16_2_00007FF668E9D990
Source: C:\Program Files\FileOpen\Services\FileOpenBroker64.exe Code function: 16_2_00007FF668F14010 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 16_2_00007FF668F14010
Source: C:\Program Files\FileOpen\Services\FileOpenManager64.exe Code function: 12_2_00007FF600A87640 GetModuleHandleA,GetProcAddress,AllocateAndInitializeSid,AllocateAndInitializeSid,GetCurrentProcess,AllocateAndInitializeSid,SetEntriesInAclA,InitializeSecurityDescriptor,SetSecurityDescriptorDacl,FreeSid,FreeSid,FreeSid,LocalFree,InitializeSecurityDescriptor,SetSecurityDescriptorDacl, 12_2_00007FF600A87640
Source: C:\Program Files\FileOpen\Services\FileOpenManager64.exe Code function: 12_2_00007FF600A87640 GetModuleHandleA,GetProcAddress,AllocateAndInitializeSid,AllocateAndInitializeSid,GetCurrentProcess,AllocateAndInitializeSid,SetEntriesInAclA,InitializeSecurityDescriptor,SetSecurityDescriptorDacl,FreeSid,FreeSid,FreeSid,LocalFree,InitializeSecurityDescriptor,SetSecurityDescriptorDacl, 12_2_00007FF600A87640
Queries the volume information (name, serial number etc) of a device
Source: C:\Program Files\FileOpen\Services\FileOpenBroker64.exe Queries volume information: C:\ VolumeInformation Jump to behavior
Source: C:\Program Files\FileOpen\Services\FileOpenBroker64.exe Queries volume information: C:\ VolumeInformation Jump to behavior
Source: C:\Program Files\FileOpen\Services\FileOpenBroker64.exe Queries volume information: C:\ProgramData\FileOpen\Updates VolumeInformation Jump to behavior
Source: C:\Program Files\FileOpen\Services\FileOpenBroker64.exe Queries volume information: C:\ProgramData\FileOpen\Updates\Lists VolumeInformation Jump to behavior
Source: C:\Program Files\FileOpen\Services\FileOpenBroker64.exe Queries volume information: C:\ProgramData\FileOpen\Updates\L10n VolumeInformation Jump to behavior
Source: C:\Program Files\FileOpen\Services\FileOpenBroker64.exe Queries volume information: C:\ProgramData\FileOpen\Updates\Lists\fotkLsts.lcd VolumeInformation Jump to behavior
Source: C:\Program Files\FileOpen\Services\FileOpenBroker64.exe Queries volume information: C:\ProgramData\FileOpen\Updates\Lists\fotkLngs.lcd VolumeInformation Jump to behavior
Source: C:\Program Files\FileOpen\Services\FileOpenBroker64.exe Queries volume information: C:\ProgramData\FileOpen\Updates\Lists\fotkCnfs.lcd VolumeInformation Jump to behavior
Source: C:\Program Files\FileOpen\Services\FileOpenBroker64.exe Queries volume information: C:\ProgramData\FileOpen\Updates\Lists\fotkDrs.lcd VolumeInformation Jump to behavior
Source: C:\Program Files\FileOpen\Services\FileOpenBroker64.exe Queries volume information: C:\ProgramData\FileOpen\Updates\Lists\fotkPrs.lcd VolumeInformation Jump to behavior
Source: C:\Program Files\FileOpen\Services\FileOpenBroker64.exe Queries volume information: C:\ProgramData\FileOpen\Updates\Lists\fotkRds.lcd VolumeInformation Jump to behavior
Source: C:\Program Files\FileOpen\Services\FileOpenBroker64.exe Queries volume information: C:\ProgramData\FileOpen\Updates\Lists\fotkNis.lcd VolumeInformation Jump to behavior
Source: C:\Program Files\FileOpen\Services\FileOpenBroker64.exe Queries volume information: C:\ProgramData\FileOpen\Updates\Lists\fotkBus.lcd VolumeInformation Jump to behavior
Source: C:\Program Files\FileOpen\Services\FileOpenBroker64.exe Queries volume information: C:\ProgramData\FileOpen\Updates\L10n\fotk_de.lcd VolumeInformation Jump to behavior
Source: C:\Program Files\FileOpen\Services\FileOpenBroker64.exe Queries volume information: C:\ProgramData\FileOpen\Updates\L10n\fotk_fr.lcd VolumeInformation Jump to behavior
Source: C:\Program Files\FileOpen\Services\FileOpenBroker64.exe Queries volume information: C:\ProgramData\FileOpen\Updates\L10n\fotk_zh.lcd VolumeInformation Jump to behavior
Source: C:\Program Files\FileOpen\Services\FileOpenBroker64.exe Queries volume information: C:\ProgramData\FileOpen\Updates\L10n\fotk_ja.lcd VolumeInformation Jump to behavior
Source: C:\Program Files\FileOpen\Services\FileOpenBroker64.exe Queries volume information: C:\ VolumeInformation Jump to behavior
Source: C:\Program Files\FileOpen\Services\FileOpenBroker64.exe Queries volume information: C:\ VolumeInformation Jump to behavior
Source: C:\Program Files\FileOpen\Services\FileOpenBroker64.exe Queries volume information: C:\ProgramData\FileOpen\Updates VolumeInformation Jump to behavior
Source: C:\Program Files\FileOpen\Services\FileOpenBroker64.exe Queries volume information: C:\ProgramData\FileOpen\Updates\Lists VolumeInformation Jump to behavior
Source: C:\Program Files\FileOpen\Services\FileOpenBroker64.exe Queries volume information: C:\ProgramData\FileOpen\Updates\L10n VolumeInformation Jump to behavior
Source: C:\Program Files\FileOpen\Services\FileOpenBroker64.exe Queries volume information: C:\ProgramData\FileOpen\Updates\Lists\fotkLsts.lcd VolumeInformation Jump to behavior
Source: C:\Program Files\FileOpen\Services\FileOpenBroker64.exe Queries volume information: C:\ProgramData\FileOpen\Updates\Lists\fotkLngs.lcd VolumeInformation Jump to behavior
Source: C:\Program Files\FileOpen\Services\FileOpenBroker64.exe Queries volume information: C:\ProgramData\FileOpen\Updates\Lists\fotkCnfs.lcd VolumeInformation Jump to behavior
Source: C:\Program Files\FileOpen\Services\FileOpenBroker64.exe Queries volume information: C:\ProgramData\FileOpen\Updates\Lists\fotkDrs.lcd VolumeInformation Jump to behavior
Source: C:\Program Files\FileOpen\Services\FileOpenBroker64.exe Queries volume information: C:\ProgramData\FileOpen\Updates\Lists\fotkPrs.lcd VolumeInformation Jump to behavior
Source: C:\Program Files\FileOpen\Services\FileOpenBroker64.exe Queries volume information: C:\ProgramData\FileOpen\Updates\Lists\fotkRds.lcd VolumeInformation Jump to behavior
Source: C:\Program Files\FileOpen\Services\FileOpenBroker64.exe Queries volume information: C:\ProgramData\FileOpen\Updates\Lists\fotkNis.lcd VolumeInformation Jump to behavior
Source: C:\Program Files\FileOpen\Services\FileOpenBroker64.exe Queries volume information: C:\ProgramData\FileOpen\Updates\Lists\fotkBus.lcd VolumeInformation Jump to behavior
Source: C:\Program Files\FileOpen\Services\FileOpenBroker64.exe Queries volume information: C:\ProgramData\FileOpen\Updates\L10n\fotk_de.lcd VolumeInformation Jump to behavior
Source: C:\Program Files\FileOpen\Services\FileOpenBroker64.exe Queries volume information: C:\ProgramData\FileOpen\Updates\L10n\fotk_fr.lcd VolumeInformation Jump to behavior
Source: C:\Program Files\FileOpen\Services\FileOpenBroker64.exe Queries volume information: C:\ProgramData\FileOpen\Updates\L10n\fotk_zh.lcd VolumeInformation Jump to behavior
Source: C:\Program Files\FileOpen\Services\FileOpenBroker64.exe Queries volume information: C:\ProgramData\FileOpen\Updates\L10n\fotk_ja.lcd VolumeInformation Jump to behavior
Contains functionality to query locales information (e.g. system language)
Source: C:\Program Files\FileOpen\Services\FileOpenManager64.exe Code function: EnumSystemLocalesW, 12_2_00007FF600AEC1C8
Source: C:\Program Files\FileOpen\Services\FileOpenManager64.exe Code function: GetACP,IsValidCodePage,GetLocaleInfoW, 12_2_00007FF600AF8220
Source: C:\Program Files\FileOpen\Services\FileOpenManager64.exe Code function: EnumSystemLocalesW, 12_2_00007FF600AEC2EC
Source: C:\Program Files\FileOpen\Services\FileOpenManager64.exe Code function: EnumSystemLocalesW, 12_2_00007FF600AEC368
Source: C:\Program Files\FileOpen\Services\FileOpenManager64.exe Code function: EnumSystemLocalesW, 12_2_00007FF600AF85F0
Source: C:\Program Files\FileOpen\Services\FileOpenManager64.exe Code function: EnumSystemLocalesW, 12_2_00007FF600AF856C
Source: C:\Program Files\FileOpen\Services\FileOpenManager64.exe Code function: EnumSystemLocalesW, 12_2_00007FF600AF86C0
Source: C:\Program Files\FileOpen\Services\FileOpenManager64.exe Code function: GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW, 12_2_00007FF600AF8780
Source: C:\Program Files\FileOpen\Services\FileOpenManager64.exe Code function: GetLocaleInfoW, 12_2_00007FF600AF89CC
Source: C:\Program Files\FileOpen\Services\FileOpenManager64.exe Code function: GetLocaleInfoW,GetLocaleInfoW,GetACP, 12_2_00007FF600AF8B24
Source: C:\Program Files\FileOpen\Services\FileOpenManager64.exe Code function: GetLocaleInfoW, 12_2_00007FF600AF8BF8
Source: C:\Program Files\FileOpen\Services\FileOpenManager64.exe Code function: EnumSystemLocalesW,GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW, 12_2_00007FF600AF8D24
Source: C:\Program Files\FileOpen\Services\FileOpenManager64.exe Code function: GetLocaleInfoW, 12_2_00007FF600AED2B4
Contains functionality to query CPU information (cpuid)
Source: C:\Program Files\FileOpen\Services\FileOpenManager64.exe Code function: 12_2_00007FF600B046C0 cpuid 12_2_00007FF600B046C0
Source: C:\Program Files\FileOpen\Services\FileOpenManager64.exe Code function: 12_2_00007FF600AA6538 GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter, 12_2_00007FF600AA6538
Source: C:\Program Files\FileOpen\Services\FileOpenBroker64.exe Code function: 13_2_00007FF668F0ED98 GetTimeZoneInformation, 13_2_00007FF668F0ED98
Source: C:\Program Files\FileOpen\Services\FileOpenManager64.exe Code function: 12_2_00007FF600A7A230 GetVersion, 12_2_00007FF600A7A230
windows-stand
Hide Legend

Legend:

  • Process
  • Signature
  • Created File
  • DNS/IP Info
  • Is Dropped
  • Is Windows Process
  • Number of created Registry Values
  • Number of created Files
  • Visual Basic
  • Delphi
  • Java
  • .Net C# or VB.NET
  • C, C++ or other language
  • Is malicious
  • Internet
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 800687 Sample: FileOpenInstaller.exe Startdate: 07/02/2023 Architecture: WINDOWS Score: 16 44 usr.fileopen.com 2->44 46 plugin.fileopen.com 2->46 8 FileOpenInstaller.exe 2 2->8         started        12 FileOpenBroker64.exe 2->12         started        14 FileOpenManager64.exe 2->14         started        process3 file4 42 C:\Users\user\...\FileOpenInstaller.tmp, PE32 8->42 dropped 52 Obfuscated command line found 8->52 16 FileOpenInstaller.tmp 26 41 8->16         started        signatures5 process6 file7 34 C:\Users\user\AppData\Local\...\_setup64.tmp, PE32+ 16->34 dropped 36 C:\Users\user\AppData\Local\...\UtilDll.dll, PE32 16->36 dropped 38 C:\Program Files\...\unins000.exe (copy), PE32 16->38 dropped 40 9 other files (none is malicious) 16->40 dropped 19 FileOpenBroker64.exe 2 19 16->19         started        22 sc.exe 1 16->22         started        24 sc.exe 1 16->24         started        26 2 other processes 16->26 process8 dnsIp9 48 plugin.fileopen.com 72.3.136.132, 443, 49804, 49805 RMH-14US United States 19->48 50 usr.fileopen.com 72.3.136.136, 443, 49803 RMH-14US United States 19->50 28 conhost.exe 22->28         started        30 conhost.exe 24->30         started        32 conhost.exe 26->32         started        process10
  • No. of IPs < 25%
  • 25% < No. of IPs < 50%
  • 50% < No. of IPs < 75%
  • 75% < No. of IPs

Contacted Public IPs

IP Domain Country Flag ASN ASN Name Malicious
72.3.136.136
 usr.fileopen.com United States
33070 RMH-14US false
72.3.136.132
 plugin.fileopen.com United States
33070 RMH-14US false

Contacted Domains

Name IP Active
usr.fileopen.com 72.3.136.136 true
plugin.fileopen.com 72.3.136.132 true

Contacted URLs

Name Malicious Antivirus Detection Reputation
https://usr.fileopen.com/check/usr/ZHAk7YpwDRdZvZq3ePSvK2nhY4hHWUX+9uW5qs0U4Ek= false
    		high