
Windows Analysis Report
FileOpenInstaller.exe

Overview

General Information

Sample Name: FileOpenInstaller.exe
Analysis ID: 800687
MD5: 599ebd4af31288db879786f49bf9487d
SHA1: ee40630abcb1fe05051c3f832c72c2ee99722c35
SHA256: f469734bc576a00e113bc43b1b1a13de3c74f5370c5b9db8b9289bd9cf8aac31

Detection

Score: 16
Range: 0 - 100
Whitelisted: false
Confidence: 20%

Signatures

Obfuscated command line found
Uses 32bit PE files
Queries the volume information (name, serial number etc) of a device
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to query locales information (e.g. system language)
PE file contains sections with non-standard names
Detected potential crypto function
Contains functionality to query CPU information (cpuid)
Found potential string decryption / allocating functions
Sample execution stops while process was sleeping (likely an evasion)
JA3 SSL client fingerprint seen in connection with other malware
Contains functionality to call native functions
Contains functionality to communicate with device drivers
Contains functionality to dynamically determine API calls
Found dropped PE file which has not been started or loaded
Contains functionality which may be used to detect a debugger (GetProcessHeap)
PE file contains executable resources (Code or Archives)
Sample file is different than original file name gathered from version info
PE file contains strange resources
Drops PE files
Tries to load missing DLLs
Found evasive API chain checking for process token information
Found large amount of non-executed APIs
Contains functionality to delete services
Contains functionality to query network adapter information

Classification

Analysis Advice

Sample drops PE files which have not been started, submit dropped PE samples for a secondary analysis to Joe Sandbox
Sample is a service DLL but no service has been registered
Sample tries to load a library which is not present or installed on the analysis machine, adding the library might reveal more behavior
Sample may offer command line options, please run it with the 'Execute binary with arguments' cookbook (it's possible that the command line switches require additional characters like: "-", "/", "--")
  • System is w10x64native
  • FileOpenInstaller.exe (PID: 3304 cmdline: C:\Users\user\Desktop\FileOpenInstaller.exe MD5: 599EBD4AF31288DB879786F49BF9487D)
    • FileOpenInstaller.tmp (PID: 6536 cmdline: "C:\Users\user\AppData\Local\Temp\is-RJIJI.tmp\FileOpenInstaller.tmp" /SL5="$6040A,6054369,1320960,C:\Users\user\Desktop\FileOpenInstaller.exe" MD5: B7988AC379CEAA456BAA3EF19EB55263)
      • sc.exe (PID: 4948 cmdline: "C:\Windows\system32\sc.exe" create FileOpenManager binpath= "\"C:\Program Files\FileOpen\Services\FileOpenManager64.exe\"" start= auto MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
        • conhost.exe (PID: 3300 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 81CA40085FC75BABD2C91D18AA9FFA68)
      • sc.exe (PID: 3296 cmdline: "C:\Windows\system32\sc.exe" description FileOpenManager "FileOpen Client Manager" MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
        • conhost.exe (PID: 4300 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 81CA40085FC75BABD2C91D18AA9FFA68)
      • sc.exe (PID: 2492 cmdline: "C:\Windows\system32\sc.exe" start FileOpenManager MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
        • conhost.exe (PID: 3208 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 81CA40085FC75BABD2C91D18AA9FFA68)
      • FileOpenBroker64.exe (PID: 5748 cmdline: C:\Program Files\FileOpen\Services\FileOpenBroker64.exe MD5: DE1A88EBE38A4EB36E2C88B1A69A0251)
      • AcroRd32.exe (PID: 7032 cmdline: "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe" installcomplete.pdf MD5: 6791EAE6124B58F201B32F1F6C3EC1B0)
  • FileOpenManager64.exe (PID: 5084 cmdline: C:\Program Files\FileOpen\Services\FileOpenManager64.exe MD5: 2ACE6BC0F8B1752879AD54D4EA1938D9)
  • FileOpenBroker64.exe (PID: 5344 cmdline: "C:\Program Files\FileOpen\Services\FileOpenBroker64.exe" MD5: DE1A88EBE38A4EB36E2C88B1A69A0251)
  • cleanup
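The three sc.exe invocations in the tree above are how the installer registers FileOpenManager as an auto-start service. Note the quoting in the captured command line: the outer quotes are consumed by the command-line parser and the escaped inner quotes (\") are what the Service Control Manager stores as ImagePath, so the path under Program Files ends up properly quoted. As an added example (not code from the report or from FileOpen), the Python below parses "sc create" command lines from a process tree like this one and applies the checks a detection engineer runs on any new service registration: start type, whether the stored path is quoted, and whether the service binary or the process that registered it lives in a user-writable directory. The process records are transcribed from the tree above; the two extra command lines in the usage section are constructed to show the failing cases.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# Constructed sample: (pid, parent pid, command line), transcribed from the
# process tree in this report. Only the fields the checks below need are kept.
PROCESSES: List[Tuple[int, int, str]] = [
    (3304, 0, r'C:\Users\user\Desktop\FileOpenInstaller.exe'),
    (6536, 3304, r'"C:\Users\user\AppData\Local\Temp\is-RJIJI.tmp\FileOpenInstaller.tmp" '
                 r'/SL5="$6040A,6054369,1320960,C:\Users\user\Desktop\FileOpenInstaller.exe"'),
    (4948, 6536, r'"C:\Windows\system32\sc.exe" create FileOpenManager '
                 r'binpath= "\"C:\Program Files\FileOpen\Services\FileOpenManager64.exe\"" start= auto'),
    (3296, 6536, r'"C:\Windows\system32\sc.exe" description FileOpenManager "FileOpen Client Manager"'),
    (2492, 6536, r'"C:\Windows\system32\sc.exe" start FileOpenManager'),
]

# 'sc create <name> key= value ...'. sc.exe requires the space after '='; a value
# may be quoted, and quotes inside it arrive escaped as \" on the command line.
_SC_CREATE = re.compile(
    r'^\s*"?(?:[^"\s]*[\\/])?sc(?:\.exe)?"?\s+create\s+(?P<name>\S+)\s*(?P<rest>.*)$',
    re.IGNORECASE)
_OPTION = re.compile(r'(?P<key>[A-Za-z]+)=\s*(?P<val>"(?:\\.|[^"\\])*"|\S+)')
# Roots a standard user can write to; a service binary here is a persistence or
# privilege-escalation concern, not a vendor install.
_USER_WRITABLE = re.compile(r'^[A-Za-z]:\\(Users|ProgramData|Temp|Windows\\Temp)\\', re.IGNORECASE)


@dataclass
class ServiceCreate:
    name: str
    image: str            # executable the SCM will run, outer quotes removed
    quoted: bool          # True if the stored ImagePath carries its own quotes
    start: str            # auto / demand / disabled ...; sc defaults to demand
    options: Dict[str, str] = field(default_factory=dict)


def _unwrap(value: str) -> str:
    """Undo one level of command-line quoting and unescape embedded quotes."""
    if len(value) >= 2 and value[0] == '"' and value[-1] == '"':
        value = value[1:-1]
    return value.replace('\\"', '"')


def parse_sc_create(cmdline: str) -> Optional[ServiceCreate]:
    """Return the service definition from an 'sc create' command line, else None."""
    m = _SC_CREATE.match(cmdline)
    if not m:
        return None
    opts = {k.lower(): _unwrap(v) for k, v in _OPTION.findall(m.group('rest'))}
    path = opts.get('binpath', '')
    if path.startswith('"') and path.count('"') >= 2:
        image, quoted = path[1:path.index('"', 1)], True
    else:
        image, quoted = path, False   # SCM will try every space-delimited prefix
    return ServiceCreate(m.group('name'), image, quoted, opts.get('start', 'demand').lower(), opts)


def assess(svc: ServiceCreate, parent_cmdline: str = '') -> List[str]:
    """Checks worth raising on any new service registration seen in telemetry."""
    findings = []
    if svc.start == 'auto':
        findings.append(f'persistence: auto-start service {svc.name}')
    if not svc.quoted and ' ' in svc.image:
        findings.append(f'unquoted service path with spaces (CWE-428): {svc.image}')
    if _USER_WRITABLE.match(svc.image):
        findings.append(f'service binary in a user-writable location: {svc.image}')
    if _USER_WRITABLE.match(parent_cmdline.lstrip('"')):
        findings.append('registered by a process running from a user-writable location')
    return findings


def triage(processes: List[Tuple[int, int, str]]) -> List[Tuple[ServiceCreate, List[str]]]:
    """Walk a process tree and assess every 'sc create' it contains."""
    by_pid = {pid: cmd for pid, _, cmd in processes}
    results = []
    for pid, ppid, cmd in processes:
        svc = parse_sc_create(cmd)
        if svc is not None:
            results.append((svc, assess(svc, by_pid.get(ppid, ''))))
    return results


if __name__ == '__main__':
    for svc, findings in triage(PROCESSES):
        print(svc.name, svc.image, svc.start, findings)
    # Constructed failing cases: an unquoted path with spaces, and a binary in %TEMP%.
    weak = parse_sc_create(r'sc create Updater binpath= "C:\Program Files\Acme\svc host.exe" start= auto')
    print(assess(weak))
    tmp = parse_sc_create(r'sc create Upd binpath= C:\Users\user\AppData\Local\Temp\upd.exe')
    print(assess(tmp))
```

For this sample the routine raises only the auto-start flag and the fact that sc.exe's parent runs from %TEMP%; the latter is expected for an Inno Setup installer, whose stub (FileOpenInstaller.tmp) is unpacked there, and the service binary itself lands under Program Files in a quoted path. The constructed cases show what a worse registration looks like: "C:\Program Files\Acme\svc host.exe" with only outer quotes becomes an unquoted ImagePath, and a binary under a user's profile is a persistence finding regardless of start type.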
No configs have been found
No yara matches
No Sigma rule has matched
No Snort rule has matched

Source: FileOpenInstaller.exe | Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, BYTES_REVERSED_LO, 32BIT_MACHINE, BYTES_REVERSED_HI
Source: C:\Users\user\AppData\Local\Temp\is-RJIJI.tmp\FileOpenInstaller.tmp | Registry value created: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\FileOpenClient_is1
Source: unknown | HTTPS traffic detected: 72.3.136.136:443 -> 192.168.11.20:49803 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 72.3.136.132:443 -> 192.168.11.20:49804 version: TLS 1.2
Source: C:\Users\user\AppData\Local\Temp\is-RJIJI.tmp\FileOpenInstaller.tmp | Directory created: C:\Program Files\FileOpen
Source: C:\Users\user\AppData\Local\Temp\is-RJIJI.tmp\FileOpenInstaller.tmp | Directory created: C:\Program Files\FileOpen\unins000.dat
Source: C:\Users\user\AppData\Local\Temp\is-RJIJI.tmp\FileOpenInstaller.tmp | Directory created: C:\Program Files\FileOpen\is-NSHSA.tmp
Source: C:\Users\user\AppData\Local\Temp\is-RJIJI.tmp\FileOpenInstaller.tmp | Directory created: C:\Program Files\FileOpen\is-9KV5A.tmp
Source: C:\Users\user\AppData\Local\Temp\is-RJIJI.tmp\FileOpenInstaller.tmp | Directory created: C:\Program Files\FileOpen\examples
Source: C:\Users\user\AppData\Local\Temp\is-RJIJI.tmp\FileOpenInstaller.tmp | Directory created: C:\Program Files\FileOpen\examples\is-5NKPI.tmp
Source: C:\Users\user\AppData\Local\Temp\is-RJIJI.tmp\FileOpenInstaller.tmp | Directory created: C:\Program Files\FileOpen\Services
Source: C:\Users\user\AppData\Local\Temp\is-RJIJI.tmp\FileOpenInstaller.tmp | Directory created: C:\Program Files\FileOpen\Services\is-JKV7N.tmp
Source: C:\Users\user\AppData\Local\Temp\is-RJIJI.tmp\FileOpenInstaller.tmp | Directory created: C:\Program Files\FileOpen\Services\is-FC998.tmp
Source: C:\Users\user\AppData\Local\Temp\is-RJIJI.tmp\FileOpenInstaller.tmp | Directory created: C:\Program Files\FileOpen\unins000.msg
Source: C:\Users\user\AppData\Local\Temp\is-RJIJI.tmp\FileOpenInstaller.tmp | File created: C:\Users\user\AppData\Local\Temp\Setup Log 2023-02-07 #001.txt
Source: FileOpenInstaller.exe | Static PE information: certificate valid
Source: FileOpenInstaller.exe | Static PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Source: Binary string: C:\dev\FileOpenClient-dev\build-x64-RelWithDebInfo\RelWithDebInfo\FileOpenBrokerTrace64.pdbj source: FileOpenInstaller.tmp, 00000004.00000003.2775176990.0000000003C5E000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: C:\dev\AcroClient-WinInstallers\FileOpenInstallerExe\UtilDll\Release\UtilDll.pdb source: UtilDll.dll.4.dr, is-9KV5A.tmp.4.dr
Source: Binary string: C:\dev\FileOpenClient-dev\build-x64-RelWithDebInfo\RelWithDebInfo\FileOpenBroker64.pdb source: FileOpenInstaller.tmp, 00000004.00000003.2775176990.0000000003A30000.00000004.00001000.00020000.00000000.sdmp, FileOpenBroker64.exe, 0000000D.00000002.3723165095.00007FF668F4B000.00000002.00000001.01000000.0000000A.sdmp, FileOpenBroker64.exe, 0000000D.00000000.2735368706.00007FF668F4B000.00000002.00000001.01000000.0000000A.sdmp, FileOpenBroker64.exe, 00000010.00000000.2815055164.00007FF668F4B000.00000002.00000001.01000000.0000000A.sdmp, FileOpenBroker64.exe, 00000010.00000002.2820538293.00007FF668F4B000.00000002.00000001.01000000.0000000A.sdmp, is-JKV7N.tmp.4.dr
Source: Binary string: C:\dev\FileOpenClient-dev\build-x64-RelWithDebInfo\RelWithDebInfo\FileOpenManager64.pdb source: FileOpenInstaller.tmp, 00000004.00000003.2775176990.0000000003E70000.00000004.00001000.00020000.00000000.sdmp, FileOpenManager64.exe, 0000000C.00000002.3719999030.00007FF600B07000.00000002.00000001.01000000.00000009.sdmp, FileOpenManager64.exe, 0000000C.00000000.2731798759.00007FF600B07000.00000002.00000001.01000000.00000009.sdmp, is-FC998.tmp.4.dr
Source: Binary string: C:\dev\FileOpenClient-dev\build-Win32-RelWithDebInfo\RelWithDebInfo\FileOpenPlugin32.B998.pdb source: is-GV932.tmp.4.dr
Source: Binary string: C:\dev\FileOpenClient-dev\build-x64-RelWithDebInfo\RelWithDebInfo\FileOpenBrokerTrace64.pdb source: FileOpenInstaller.tmp, 00000004.00000003.2775176990.0000000003C5E000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: C:\dev\FileOpenClient-dev\build-x64-RelWithDebInfo\RelWithDebInfo\FileOpenBroker64.pdbi source: FileOpenInstaller.tmp, 00000004.00000003.2775176990.0000000003A30000.00000004.00001000.00020000.00000000.sdmp, FileOpenBroker64.exe, 0000000D.00000002.3723165095.00007FF668F4B000.00000002.00000001.01000000.0000000A.sdmp, FileOpenBroker64.exe, 0000000D.00000000.2735368706.00007FF668F4B000.00000002.00000001.01000000.0000000A.sdmp, FileOpenBroker64.exe, 00000010.00000000.2815055164.00007FF668F4B000.00000002.00000001.01000000.0000000A.sdmp, FileOpenBroker64.exe, 00000010.00000002.2820538293.00007FF668F4B000.00000002.00000001.01000000.0000000A.sdmp, is-JKV7N.tmp.4.dr
Source: Binary string: C:\dev\FileOpenClient-dev\build-Win32-RelWithDebInfo\RelWithDebInfo\FileOpenBrokerTrace32.pdb source: FileOpenInstaller.tmp, 00000004.00000003.2775176990.0000000003AB5000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: C:\dev\FileOpenClient-dev\build-Win32-RelWithDebInfo\RelWithDebInfo\FileOpenManager32.pdb source: FileOpenInstaller.tmp, 00000004.00000003.2775176990.0000000003E70000.00000004.00001000.00020000.00000000.sdmp
Source: C:\Program Files\FileOpen\Services\FileOpenManager64.exe | Code function: 12_2_00007FF600AF1440 FindFirstFileExW,FindNextFileW,FindClose,FindClose,FindClose,
Source: C:\Program Files\FileOpen\Services\FileOpenManager64.exe | Code function: 12_2_00007FF600AF1BA0 FindFirstFileExW,
Source: C:\Program Files\FileOpen\Services\FileOpenManager64.exe | Code function: 12_2_00007FF600AF203C FindFirstFileExW,FindNextFileW,FindClose,
Source: C:\Program Files\FileOpen\Services\FileOpenBroker64.exe | Code function: 13_2_00007FF668E0BC20 FindFirstFileA,FindNextFileA,FindNextFileA,FindClose,
Source: C:\Program Files\FileOpen\Services\FileOpenBroker64.exe | Code function: 13_2_00007FF668E0BD50 FindFirstFileA,FindNextFileA,FindNextFileA,FindClose,
Source: C:\Program Files\FileOpen\Services\FileOpenBroker64.exe | Code function: 13_2_00007FF668E03E90 FindFirstFileA,FindNextFileA,FindClose,
Source: C:\Program Files\FileOpen\Services\FileOpenBroker64.exe | Code function: 13_2_00007FF668E01130 FindFirstFileA,GetLastError,FindFirstFileA,GetLastError,FindNextFileA,GetLastError,FindClose,FindFirstFileA,GetLastError,FindNextFileA,GetLastError,FindClose,FindFirstFileA,GetLastError,FindNextFileA,GetLastError,FindClose,FindClose,
Source: C:\Program Files\FileOpen\Services\FileOpenBroker64.exe | Code function: 13_2_00007FF668E01470 FindFirstFileA,GetLastError,FindNextFileA,GetLastError,FindClose,FindFirstFileA,GetLastError,FindFirstFileA,GetLastError,FindFirstFileA,GetLastError,FindClose,
Source: C:\Program Files\FileOpen\Services\FileOpenBroker64.exe | Code function: 13_2_00007FF668E0B900 FindFirstFileA,FindNextFileA,FindNextFileA,FindClose,
Source: C:\Program Files\FileOpen\Services\FileOpenBroker64.exe | Code function: 13_2_00007FF668E12880 FindFirstFileA,CreateFileA,GetFileTime,CloseHandle,CopyFileA,FindNextFileA,FindClose,CloseHandle,
Source: C:\Program Files\FileOpen\Services\FileOpenBroker64.exe | Code function: 16_2_00007FF668E0BC20 FindFirstFileA,FindNextFileA,FindNextFileA,FindClose,
Source: C:\Program Files\FileOpen\Services\FileOpenBroker64.exe | Code function: 16_2_00007FF668E0BD50 FindFirstFileA,FindNextFileA,FindNextFileA,FindClose,
Source: C:\Program Files\FileOpen\Services\FileOpenBroker64.exe | Code function: 16_2_00007FF668E03E90 FindFirstFileA,FindNextFileA,FindClose,
Source: C:\Program Files\FileOpen\Services\FileOpenBroker64.exe | Code function: 16_2_00007FF668E011F3 FindFirstFileA,GetLastError,FindFirstFileA,GetLastError,FindNextFileA,GetLastError,FindClose,FindFirstFileA,GetLastError,FindNextFileA,GetLastError,FindClose,FindFirstFileA,GetLastError,FindNextFileA,GetLastError,FindClose,FindClose,
Source: C:\Program Files\FileOpen\Services\FileOpenBroker64.exe | Code function: 16_2_00007FF668E016AB FindNextFileA,GetLastError,FindClose,FindFirstFileA,GetLastError,FindFirstFileA,GetLastError,FindFirstFileA,GetLastError,FindClose,
Source: C:\Program Files\FileOpen\Services\FileOpenBroker64.exe | Code function: 16_2_00007FF668E0B900 FindFirstFileA,FindNextFileA,FindNextFileA,FindClose,
Source: C:\Program Files\FileOpen\Services\FileOpenBroker64.exe | Code function: 16_2_00007FF668E12880 FindFirstFileA,CreateFileA,GetFileTime,CloseHandle,CopyFileA,FindNextFileA,FindClose,CloseHandle,
Source: Joe Sandbox View | JA3 fingerprint: 37f463bf4616ecd445d4a1937da06e19
Source: unknown | Network traffic detected: HTTP traffic on port 49804 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49803 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49805 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49805
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49804
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49803
Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: FileOpenInstaller.exe, is-FC998.tmp.4.dr, is-JKV7N.tmp.4.dr, is-NSHSA.tmp.4.dr, FileOpenInstaller.tmp.0.dr | String found in binary or memory: http://cacerts.digicert.com/DigiCertEVCodeSigningCA-SHA2.crt0
Source: FileOpenInstaller.exe, is-FC998.tmp.4.dr, is-JKV7N.tmp.4.dr, is-NSHSA.tmp.4.dr, FileOpenInstaller.tmp.0.dr | String found in binary or memory: http://cacerts.digicert.com/DigiCertHighAssuranceEVRootCA.crt0
Source: FileOpenInstaller.exe, is-FC998.tmp.4.dr, is-JKV7N.tmp.4.dr, is-NSHSA.tmp.4.dr, FileOpenInstaller.tmp.0.dr | String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crt0
Source: FileOpenInstaller.exe, is-FC998.tmp.4.dr, is-JKV7N.tmp.4.dr, is-NSHSA.tmp.4.dr, FileOpenInstaller.tmp.0.dr | String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedRootG4.crt0C
Source: FileOpenBroker64.exe, 0000000D.00000002.3718619772.000002253DE13000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://crl.comodoca.com/AAACertificateServices.crl06
Source: FileOpenBroker64.exe, 0000000D.00000002.3718619772.000002253DE13000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://crl.globalsign.net/root-r2.crl0
Source: FileOpenInstaller.exe, is-FC998.tmp.4.dr, is-JKV7N.tmp.4.dr, is-NSHSA.tmp.4.dr, FileOpenInstaller.tmp.0.dr | String found in binary or memory: http://crl3.digicert.com/DigiCertHighAssuranceEVRootCA.crl0
Source: FileOpenInstaller.exe, is-FC998.tmp.4.dr, is-JKV7N.tmp.4.dr, is-NSHSA.tmp.4.dr, FileOpenInstaller.tmp.0.dr | String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crl0
Source: FileOpenInstaller.exe, is-FC998.tmp.4.dr, is-JKV7N.tmp.4.dr, is-NSHSA.tmp.4.dr, FileOpenInstaller.tmp.0.dr | String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedRootG4.crl0
Source: FileOpenInstaller.exe, is-FC998.tmp.4.dr, is-JKV7N.tmp.4.dr, is-NSHSA.tmp.4.dr, FileOpenInstaller.tmp.0.dr | String found in binary or memory: http://crl3.digicert.com/EVCodeSigningSHA2-g1.crl07
Source: FileOpenInstaller.exe, is-FC998.tmp.4.dr, is-JKV7N.tmp.4.dr, is-NSHSA.tmp.4.dr, FileOpenInstaller.tmp.0.dr | String found in binary or memory: http://crl4.digicert.com/DigiCertHighAssuranceEVRootCA.crl0
Source: FileOpenInstaller.exe, is-FC998.tmp.4.dr, is-JKV7N.tmp.4.dr, is-NSHSA.tmp.4.dr, FileOpenInstaller.tmp.0.dr | String found in binary or memory: http://crl4.digicert.com/EVCodeSigningSHA2-g1.crl0J
Source: FileOpenBroker64.exe, FileOpenBroker64.exe, 00000010.00000000.2815621930.00007FF668FC8000.00000002.00000001.01000000.0000000A.sdmp, is-JKV7N.tmp.4.dr, is-GV932.tmp.4.dr | String found in binary or memory: http://fileopen.com
Source: FileOpenInstaller.tmp, 00000004.00000003.2775176990.0000000003C5E000.00000004.00001000.00020000.00000000.sdmp, FileOpenInstaller.tmp, 00000004.00000003.2775176990.0000000003AB5000.00000004.00001000.00020000.00000000.sdmp, FileOpenInstaller.tmp, 00000004.00000003.2775176990.0000000003A30000.00000004.00001000.00020000.00000000.sdmp, FileOpenBroker64.exe, 0000000D.00000002.3723165095.00007FF668F4B000.00000002.00000001.01000000.0000000A.sdmp, FileOpenBroker64.exe, 0000000D.00000000.2735368706.00007FF668F4B000.00000002.00000001.01000000.0000000A.sdmp, FileOpenBroker64.exe, 00000010.00000000.2815055164.00007FF668F4B000.00000002.00000001.01000000.0000000A.sdmp, FileOpenBroker64.exe, 00000010.00000002.2820538293.00007FF668F4B000.00000002.00000001.01000000.0000000A.sdmp, is-JKV7N.tmp.4.dr, is-GV932.tmp.4.dr | String found in binary or memory: http://fileopen.com/updates
Source: FileOpenInstaller.exe, is-FC998.tmp.4.dr, is-JKV7N.tmp.4.dr, is-NSHSA.tmp.4.dr, FileOpenInstaller.tmp.0.dr | String found in binary or memory: http://ocsp.digicert.com0A
Source: FileOpenInstaller.exe, is-FC998.tmp.4.dr, is-JKV7N.tmp.4.dr, is-NSHSA.tmp.4.dr, FileOpenInstaller.tmp.0.dr | String found in binary or memory: http://ocsp.digicert.com0H
Source: FileOpenInstaller.exe, is-FC998.tmp.4.dr, is-JKV7N.tmp.4.dr, is-NSHSA.tmp.4.dr, FileOpenInstaller.tmp.0.dr | String found in binary or memory: http://ocsp.digicert.com0I
Source: FileOpenInstaller.exe, is-FC998.tmp.4.dr, is-JKV7N.tmp.4.dr, is-NSHSA.tmp.4.dr, FileOpenInstaller.tmp.0.dr | String found in binary or memory: http://ocsp.digicert.com0X
Source: FileOpenInstaller.tmp, 00000004.00000003.2775176990.0000000003C5E000.00000004.00001000.00020000.00000000.sdmp, FileOpenInstaller.tmp, 00000004.00000003.2775176990.0000000003AB5000.00000004.00001000.00020000.00000000.sdmp, FileOpenInstaller.tmp, 00000004.00000003.2775176990.0000000003A30000.00000004.00001000.00020000.00000000.sdmp, FileOpenBroker64.exe, 0000000D.00000002.3723165095.00007FF668F4B000.00000002.00000001.01000000.0000000A.sdmp, FileOpenBroker64.exe, 0000000D.00000000.2735368706.00007FF668F4B000.00000002.00000001.01000000.0000000A.sdmp, FileOpenBroker64.exe, 0000000D.00000002.3718619772.000002253DD40000.00000004.00000020.00020000.00000000.sdmp, FileOpenBroker64.exe, 00000010.00000000.2815055164.00007FF668F4B000.00000002.00000001.01000000.0000000A.sdmp, FileOpenBroker64.exe, 00000010.00000002.2817935948.0000021445E97000.00000004.00000020.00020000.00000000.sdmp, FileOpenBroker64.exe, 00000010.00000002.2820538293.00007FF668F4B000.00000002.00000001.01000000.0000000A.sdmp, is-JKV7N.tmp.4.dr, is-GV932.tmp.4.dr | String found in binary or memory: http://plugin.fileopen.com/.
Source: FileOpenBroker64.exe, 00000010.00000002.2817935948.0000021445E97000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://plugin.fileopen.com/.n
Source: FileOpenInstaller.exe, is-FC998.tmp.4.dr, is-JKV7N.tmp.4.dr, is-NSHSA.tmp.4.dr, FileOpenInstaller.tmp.0.dr | String found in binary or memory: http://www.digicert.com/CPS0
Source: FileOpenInstaller.exe, is-FC998.tmp.4.dr, is-JKV7N.tmp.4.dr, is-NSHSA.tmp.4.dr, FileOpenInstaller.tmp.0.dr | String found in binary or memory: http://www.digicert.com/ssl-cps-repository.htm0
Source: is-GV932.tmp.4.dr | String found in binary or memory: http://www.fileopen.com/%s
Source: is-GV932.tmp.4.dr | String found in binary or memory: http://www.fileopen.com/%sPlugin
Source: FileOpenInstaller.exe, is-NSHSA.tmp.4.dr, FileOpenInstaller.tmp.0.dr | String found in binary or memory: http://www.fileopen.com/0
Source: FileOpenInstaller.exe, 00000000.00000003.2795690428.000000000243E000.00000004.00001000.00020000.00000000.sdmp, FileOpenInstaller.tmp, 00000004.00000003.2788287916.00000000025E1000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: http://www.fileopen.com/request-tech-support/
Source: FileOpenInstaller.exe, 00000000.00000003.2795690428.000000000243E000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: http://www.fileopen.com/request-tech-support/0A
Source: FileOpenInstaller.exe, 00000000.00000003.2483235521.00000000026E0000.00000004.00001000.00020000.00000000.sdmp, FileOpenInstaller.tmp, 00000004.00000003.2499714116.0000000003650000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: http://www.fileopen.com/request-tech-support/Zhttp://www.fileopen.com/request-tech-support/
Source: FileOpenInstaller.tmp, 00000004.00000003.2788287916.00000000025E1000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: http://www.fileopen.com/request-tech-support/q
Source: FileOpenInstaller.exe, 00000000.00000003.2487120202.000000007FB50000.00000004.00001000.00020000.00000000.sdmp, FileOpenInstaller.exe, 00000000.00000003.2484508219.0000000002820000.00000004.00001000.00020000.00000000.sdmp, FileOpenInstaller.tmp, 00000004.00000000.2493227668.0000000000401000.00000020.00000001.01000000.00000005.sdmp, is-NSHSA.tmp.4.dr, FileOpenInstaller.tmp.0.dr | String found in binary or memory: http://www.innosetup.com/
Source: FileOpenInstaller.exe, 00000000.00000003.2487120202.000000007FB50000.00000004.00001000.00020000.00000000.sdmp, FileOpenInstaller.exe, 00000000.00000003.2484508219.0000000002820000.00000004.00001000.00020000.00000000.sdmp, FileOpenInstaller.tmp, 00000004.00000000.2493227668.0000000000401000.00000020.00000001.01000000.00000005.sdmp, is-NSHSA.tmp.4.dr, FileOpenInstaller.tmp.0.dr | String found in binary or memory: http://www.remobjects.com/ps
Source: FileOpenInstaller.exe | String found in binary or memory: https://jrsoftware.org/ishelp/index.php?topic=setupcmdlineSetupU
Source: FileOpenBroker64.exe, 0000000D.00000002.3720780457.000002253FA30000.00000004.00000020.00020000.00000000.sdmp, FileOpenBroker64.exe, 0000000D.00000002.3718619772.000002253DDD0000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://plugin.fileopen.com/
Source: FileOpenBroker64.exe, 0000000D.00000002.3720780457.000002253FA30000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://plugin.fileopen.com//&
Source: FileOpenBroker64.exe, 0000000D.00000002.3720780457.000002253FA6B000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://plugin.fileopen.com/installcomplete.ashx?Request=DocPerm&Stamp=1675795218&Mode=CNR&USR=10007
Source: FileOpenBroker64.exe, 0000000D.00000002.3720780457.000002253FA6B000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://plugin.fileopen.com/installcomplete.ashx?Request=Setting&Stamp=1675795217&Mode=CNR&USR=10007
Source: FileOpenBroker64.exe, 0000000D.00000002.3718619772.000002253DDD0000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://usr.fileopen.com/
Source: FileOpenBroker64.exe, 0000000D.00000002.3718619772.000002253DDD0000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://usr.fileopen.com/_
Source: FileOpenBroker64.exe, 0000000D.00000002.3718619772.000002253DDD0000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://usr.fileopen.com/check/usr/ZHAk7YpwDRdZvZq3ePSvK2nhY4hHWUX
Source: unknown | HTTP traffic detected: POST /check/usr/ZHAk7YpwDRdZvZq3ePSvK2nhY4hHWUX+9uW5qs0U4Ek= HTTP/1.1
    Content-type: application/json
    User-Agent: FileOpen Client
    Host: usr.fileopen.com
    Content-Length: 1043
    Connection: Keep-Alive
    Cache-Control: no-cache
Source: unknown | DNS traffic detected: queries for: usr.fileopen.com
Source: C:\Program Files\FileOpen\Services\FileOpenBroker64.exe | Code function: 13_2_00007FF668E11A20 InternetOpenA,InternetOpenUrlA,GetLastError,InternetCloseHandle,InternetQueryDataAvailable,GetLastError,InternetReadFile,InternetCloseHandle,InternetCloseHandle,
Source: global traffic | HTTP traffic detected: GET /installcomplete.ashx?Request=Setting&Stamp=1675795217&Mode=CNR&USR=10007&ServiceID=InstallComplete&DocumentID=D-700&Ident3ID=number3&Ident4ID=number4&DocStrFmt=ASCII&PageCount=0&AdobePermanentId=fe2312a4b89fd64a94044c8c74baef85&AdobeInstanceId=7653cfff47f8504296a48ee78cc73a7d&OSType=Windows&Language=ENU&LngLCID=ENU&LngRFC1766=en&LngISO4Char=en-us&HostAppClass=FileOpen%20Plug-in&HostAppFeatures=001fff7f337ff3ff&Build=998&ProdVer=4.4.0.32&EncrVer=3.9.2.5&Machine=JC8RXKWL&Disk=E8LEL4BB&Uuid=dc8a5f3e-a716-11ed-a50d-d05099db2398&PrevMach=&PrevDisk=&FormHFT=Yes&SelServer=Yes&AcroProduct=Reader&AcroVersion=21.1792&AcroReader=Yes&AcroCanEdit=Yes&AcroPrefIDib=Yes&InBrowser=No&IEProtectedMode=Unknown&HostAppName=&DocIsLocal=Yes&DocPathUrl=file%3A%2F%2F%2FC%7C%2FProgram%20Files%2FFileOpen%2Fexamples%2Finstallcomplete.pdf&VolName=&VolType=Fixed&VolSN=1160136908&FSName=NTFS&FowpKbd=Yes&ScreenHook=Yes&Broker=Yes&RejectedDlls=&OSName=WindowsWin8%2064bit&OSBuild=Build%209200&RequestSchema=Default HTTP/1.1
    User-Agent: "Acrobat Reader FileOpen Plug-in"
    Host: plugin.fileopen.com
    Connection: Keep-Alive
    Cache-Control: no-cache
Source: global traffic | HTTP traffic detected: GET /installcomplete.ashx?Request=DocPerm&Stamp=1675795218&Mode=CNR&USR=10007&ServiceID=InstallComplete&DocumentID=D-700&Ident3ID=number3&Ident4ID=number4&DocStrFmt=ASCII&PageCount=0&AdobePermanentId=fe2312a4b89fd64a94044c8c74baef85&AdobeInstanceId=7653cfff47f8504296a48ee78cc73a7d&OSType=Windows&Language=ENU&LngLCID=ENU&LngRFC1766=en&LngISO4Char=en-us&HostAppClass=FileOpen%20Plug-in&HostAppFeatures=001fff7f337ff3ff&Build=998&ProdVer=4.4.0.32&EncrVer=3.9.2.5&Machine=JC8RXKWL&Disk=E8LEL4BB&Uuid=dc8a5f3e-a716-11ed-a50d-d05099db2398&FormHFT=Yes&SelServer=Yes&AcroProduct=Reader&AcroVersion=21.1792&AcroReader=Yes&AcroCanEdit=Yes&AcroPrefIDib=Yes&InBrowser=No&IEProtectedMode=Unknown&HostAppName=&DocIsLocal=Yes&DocPathUrl=file%3A%2F%2F%2FC%7C%2FProgram%20Files%2FFileOpen%2Fexamples%2Finstallcomplete.pdf&VolName=&VolType=Fixed&VolSN=1160136908&FSName=NTFS&FowpKbd=Yes&ScreenHook=Yes&Broker=Yes&RejectedDlls=&OSName=WindowsWin8%2064bit&OSBuild=Build%209200&RequestSchema=Default HTTP/1.1
    User-Agent: "Acrobat Reader FileOpen Plug-in"
    Host: plugin.fileopen.com
    Connection: Keep-Alive
    Cache-Control: no-cache
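The two GET requests above are the post-install check-in the plug-in makes when Acrobat Reader opens installcomplete.pdf. Most of the query string is viewer and document metadata, but a handful of parameters identify the machine rather than the document, which is the part worth recording when deciding whether this traffic is acceptable on a managed host. As an added example (not code from the report or from FileOpen), the Python below parses such a request and returns the fields an analyst cares about: the endpoint, the Stamp converted from Unix time (it agrees with the setup-log date elsewhere in this report), the host-identifying parameters (Machine, Disk, VolSN, Uuid, the two Adobe IDs), DocPathUrl decoded back to a Windows path, and the node field of the Uuid, which is a version-1 UUID. The sample request is a re-typed subset of the first captured GET with CRLF-separated headers as sent on the wire; reading the Uuid node field as an interface MAC follows RFC 4122 and is an assumption the report cannot confirm.

```python
import uuid
from datetime import datetime, timezone
from typing import Dict, Tuple
from urllib.parse import parse_qsl, urlsplit

# Constructed sample: the first captured request, re-typed from this report
# with a subset of its query parameters (the full parameter list can be
# pasted in unchanged) and CRLF-separated headers as the client sends them.
SAMPLE_REQUEST = (
    "GET /installcomplete.ashx?Request=Setting&Stamp=1675795217&Mode=CNR&USR=10007"
    "&ServiceID=InstallComplete&DocumentID=D-700&OSType=Windows&Language=ENU"
    "&AdobePermanentId=fe2312a4b89fd64a94044c8c74baef85"
    "&AdobeInstanceId=7653cfff47f8504296a48ee78cc73a7d"
    "&Build=998&ProdVer=4.4.0.32&EncrVer=3.9.2.5&Machine=JC8RXKWL&Disk=E8LEL4BB"
    "&Uuid=dc8a5f3e-a716-11ed-a50d-d05099db2398&PrevMach=&PrevDisk="
    "&AcroProduct=Reader&AcroVersion=21.1792&DocIsLocal=Yes"
    "&DocPathUrl=file%3A%2F%2F%2FC%7C%2FProgram%20Files%2FFileOpen%2Fexamples%2Finstallcomplete.pdf"
    "&VolName=&VolType=Fixed&VolSN=1160136908&FSName=NTFS&OSName=WindowsWin8%2064bit"
    "&OSBuild=Build%209200 HTTP/1.1\r\n"
    'User-Agent: "Acrobat Reader FileOpen Plug-in"\r\n'
    "Host: plugin.fileopen.com\r\n"
    "Connection: Keep-Alive\r\n"
    "Cache-Control: no-cache\r\n"
    "\r\n"
)

# Query parameters that identify the machine or its volumes rather than the
# document or the viewer (names as they appear in the request).
HOST_IDENTIFIERS = {"Machine", "Disk", "VolSN", "VolName", "Uuid", "PrevMach",
                    "PrevDisk", "AdobePermanentId", "AdobeInstanceId"}


def parse_request(raw: str) -> Tuple[str, str, Dict[str, str], Dict[str, str]]:
    """Split an HTTP/1.1 request into method, path, headers and decoded query parameters."""
    head, _, _body = raw.partition("\r\n\r\n")
    request_line, *header_lines = head.split("\r\n")
    method, target, _version = request_line.split(" ", 2)
    headers = {}
    for line in header_lines:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    parts = urlsplit(target)
    params = dict(parse_qsl(parts.query, keep_blank_values=True))
    return method, parts.path, headers, params


def file_url_to_windows_path(url: str) -> str:
    """file:///C|/Program Files/x.pdf -> C:\\Program Files\\x.pdf.
    The 'C|' drive spelling is the old Netscape file-URL form this client emits."""
    if not url.startswith("file:"):
        return url
    path = urlsplit(url).path.lstrip("/")      # already %-decoded by parse_qsl
    if len(path) > 1 and path[1] == "|":
        path = path[0] + ":" + path[2:]
    return path.replace("/", "\\")


def mac_from_uuid1(value: str) -> str:
    """Node field of a version-1 UUID formatted as a MAC; '' for other versions.
    RFC 4122 puts the generating interface's MAC there; whether this client
    does so is an assumption the report cannot confirm."""
    u = uuid.UUID(value)
    if u.version != 1:
        return ""
    return ":".join(f"{(u.node >> shift) & 0xff:02x}" for shift in range(40, -1, -8))


def summarize(raw: str) -> Dict[str, object]:
    """What an analyst wants from the check-in: destination, time, host fingerprint, document."""
    method, path, headers, params = parse_request(raw)
    sent = datetime.fromtimestamp(int(params["Stamp"]), tz=timezone.utc)
    host_ids = {k: v for k, v in params.items() if k in HOST_IDENTIFIERS and v}
    if "Uuid" in host_ids:
        host_ids["Uuid.node"] = mac_from_uuid1(host_ids["Uuid"])
    return {
        "endpoint": f"{method} {headers.get('host', '?')}{path}",
        "request": params.get("Request"),
        "sent_at_utc": sent.strftime("%Y-%m-%d %H:%M:%S"),
        "host_identifiers": host_ids,
        "document": file_url_to_windows_path(params.get("DocPathUrl", "")),
        "viewer": f"{params.get('AcroProduct')} {params.get('AcroVersion')}, plug-in {params.get('ProdVer')}",
        "user_agent": headers.get("user-agent"),
    }


if __name__ == "__main__":
    for key, value in summarize(SAMPLE_REQUEST).items():
        print(f"{key}: {value}")
```

Blank identifiers such as PrevMach, PrevDisk and VolName are dropped from the host fingerprint so that a fresh install is not reported as carrying previous-machine data it does not have. The Uuid in this capture is version 1, so its node field decodes to a MAC-shaped value; that is consistent with the "query network adapter information" signature above but is not proof of how the value was generated.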
Source: C:\Program Files\FileOpen\Services\FileOpenManager64.exe | Code function: 12_2_00007FF600A768B0
Source: C:\Program Files\FileOpen\Services\FileOpenManager64.exe | Code function: 12_2_00007FF600AA1180
Source: C:\Program Files\FileOpen\Services\FileOpenManager64.exe | Code function: 12_2_00007FF600A77510
Source: C:\Program Files\FileOpen\Services\FileOpenManager64.exe | Code function: 12_2_00007FF600A87640
Source: C:\Program Files\FileOpen\Services\FileOpenManager64.exe | Code function: 12_2_00007FF600AAA224
Source: C:\Program Files\FileOpen\Services\FileOpenManager64.exe | Code function: 12_2_00007FF600AC421C
Source: C:\Program Files\FileOpen\Services\FileOpenManager64.exe | Code function: 12_2_00007FF600ADA15C
Source: C:\Program Files\FileOpen\Services\FileOpenManager64.exe | Code function: 12_2_00007FF600AFA2DC
Source: C:\Program Files\FileOpen\Services\FileOpenManager64.exe | Code function: 12_2_00007FF600A8E320
Source: C:\Program Files\FileOpen\Services\FileOpenManager64.exe | Code function: 12_2_00007FF600AF626C
Source: C:\Program Files\FileOpen\Services\FileOpenManager64.exe | Code function: 12_2_00007FF600AF44EC
Source: C:\Program Files\FileOpen\Services\FileOpenManager64.exe | Code function: 12_2_00007FF600AC4484
Source: C:\Program Files\FileOpen\Services\FileOpenManager64.exe | Code function: 12_2_00007FF600B006CC
Source: C:\Program Files\FileOpen\Services\FileOpenManager64.exe | Code function: 12_2_00007FF600AEA720
Source: C:\Program Files\FileOpen\Services\FileOpenManager64.exe | Code function: 12_2_00007FF600AC4700
Source: C:\Program Files\FileOpen\Services\FileOpenManager64.exe | Code function: 12_2_00007FF600AF44EC
Source: C:\Program Files\FileOpen\Services\FileOpenManager64.exe | Code function: 12_2_00007FF600AC4968
Source: C:\Program Files\FileOpen\Services\FileOpenManager64.exe | Code function: 12_2_00007FF600A7C9A0
Source: C:\Program Files\FileOpen\Services\FileOpenManager64.exe | Code function: 12_2_00007FF600AE6A68
Source: C:\Program Files\FileOpen\Services\FileOpenManager64.exe | Code function: 12_2_00007FF600ADEBD8
Source: C:\Program Files\FileOpen\Services\FileOpenManager64.exe | Code function: 12_2_00007FF600ADABC8
Source: C:\Program Files\FileOpen\Services\FileOpenManager64.exe | Code function: 12_2_00007FF600ADECF4
Source: C:\Program Files\FileOpen\Services\FileOpenManager64.exe | Code function: 12_2_00007FF600AC4C48
Source: C:\Program Files\FileOpen\Services\FileOpenManager64.exe | Code function: 12_2_00007FF600ADEE14
Source: C:\Program Files\FileOpen\Services\FileOpenManager64.exe | Code function: 12_2_00007FF600AD0E04
Source: C:\Program Files\FileOpen\Services\FileOpenManager64.exe | Code function: 12_2_00007FF600ADEF30
Source: C:\Program Files\FileOpen\Services\FileOpenManager64.exe | Code function: 12_2_00007FF600A8EFE0
Source: C:\Program Files\FileOpen\Services\FileOpenManager64.exe | Code function: 12_2_00007FF600AC4F3C
Source: C:\Program Files\FileOpen\Services\FileOpenManager64.exe | Code function: 12_2_00007FF600B050CC
Source: C:\Program Files\FileOpen\Services\FileOpenManager64.exe | Code function: 12_2_00007FF600ADD110
Source: C:\Program Files\FileOpen\Services\FileOpenManager64.exe | Code function: 12_2_00007FF600AC521C
Source: C:\Program Files\FileOpen\Services\FileOpenManager64.exe | Code function: 12_2_00007FF600ADB18C
Source: C:\Program Files\FileOpen\Services\FileOpenManager64.exe | Code function: 12_2_00007FF600AEB2C8
Source: C:\Program Files\FileOpen\Services\FileOpenManager64.exe | Code function: 12_2_00007FF600AE528C
Source: C:\Program Files\FileOpen\Services\FileOpenManager64.exe | Code function: 12_2_00007FF600A8F42F
Source: C:\Program Files\FileOpen\Services\FileOpenManager64.exe | Code function: 12_2_00007FF600A85400
Source: C:\Program Files\FileOpen\Services\FileOpenManager64.exe | Code function: 12_2_00007FF600AFD384
Source: C:\Program Files\FileOpen\Services\FileOpenManager64.exe | Code function: 12_2_00007FF600AC54E8
Source: C:\Program Files\FileOpen\Services\FileOpenManager64.exe | Code function: 12_2_00007FF600AF1440
Source: C:\Program Files\FileOpen\Services\FileOpenManager64.exe | Code function: 12_2_00007FF600AFB568
Source: C:\Program Files\FileOpen\Services\FileOpenManager64.exe | Code function: 12_2_00007FF600AF1440
Source: C:\Program Files\FileOpen\Services\FileOpenManager64.exe | Code function: 12_2_00007FF600AC57C8
Source: C:\Program Files\FileOpen\Services\FileOpenManager64.exe | Code function: 12_2_00007FF600AF5AAC
Source: C:\Program Files\FileOpen\Services\FileOpenManager64.exe | Code function: 12_2_00007FF600AC3A78
Source: C:\Program Files\FileOpen\Services\FileOpenManager64.exe | Code function: 12_2_00007FF600AF7C04
Source: C:\Program Files\FileOpen\Services\FileOpenManager64.exe | Code function: 12_2_00007FF600ADDB50
Source: C:\Program Files\FileOpen\Services\FileOpenManager64.exe | Code function: 12_2_00007FF600A8DB40
Source: C:\Program Files\FileOpen\Services\FileOpenManager64.exe | Code function: 12_2_00007FF600AF1BA0
Source: C:\Program Files\FileOpen\Services\FileOpenManager64.exe | Code function: 12_2_00007FF600AC3CFC
Source: C:\Program Files\FileOpen\Services\FileOpenManager64.exe | Code function: 12_2_00007FF600ADE000
Source: C:\Program Files\FileOpen\Services\FileOpenManager64.exe | Code function: 12_2_00007FF600AC3F98
Source: C:\Program Files\FileOpen\Services\FileOpenManager64.exe | Code function: 12_2_00007FF600A75F80
Source: C:\Program Files\FileOpen\Services\FileOpenBroker64.exe | Code function: 13_2_00007FF668DD8DE0
Source: C:\Program Files\FileOpen\Services\FileOpenBroker64.exe | Code function: 13_2_00007FF668F0ED98
Source: C:\Program Files\FileOpen\Services\FileOpenBroker64.exe | Code function: 13_2_00007FF668F0F02C
Source: C:\Program Files\FileOpen\Services\FileOpenBroker64.exe | Code function: 13_2_00007FF668DD8180
Source: C:\Program Files\FileOpen\Services\FileOpenBroker64.exe | Code function: 13_2_00007FF668E0F6A0
Source: C:\Program Files\FileOpen\Services\FileOpenBroker64.exe | Code function: 13_2_00007FF668DE7640
Source: C:\Program Files\FileOpen\Services\FileOpenBroker64.exe | Code function: 13_2_00007FF668DD7850
Source: C:\Program Files\FileOpen\Services\FileOpenBroker64.exe | Code function: 13_2_00007FF668DD5A10
Source: C:\Program Files\FileOpen\Services\FileOpenBroker64.exe | Code function: 13_2_00007FF668EF9974
Source: C:\Program Files\FileOpen\Services\FileOpenBroker64.exe | Code function: 13_2_00007FF668DEDB30
Source: C:\Program Files\FileOpen\Services\FileOpenBroker64.exe | Code function: 13_2_00007FF668F2A95C
Source: C:\Program Files\FileOpen\Services\FileOpenBroker64.exe | Code function: 13_2_00007FF668E08B10
Source: C:\Program Files\FileOpen\Services\FileOpenBroker64.exe | Code function: 13_2_00007FF668E23B10
Source: C:\Program Files\FileOpen\Services\FileOpenBroker64.exe | Code function: 13_2_00007FF668F299B4
Source: C:\Program Files\FileOpen\Services\FileOpenBroker64.exe | Code function: 13_2_00007FF668E22A7C
Source: C:\Program Files\FileOpen\Services\FileOpenBroker64.exe | Code function: 13_2_00007FF668E07A70
Source: C:\Program Files\FileOpen\Services\FileOpenBroker64.exe | Code function: 13_2_00007FF668F0FC40
Source: C:\Program Files\FileOpen\Services\FileOpenBroker64.exe | Code function: 13_2_00007FF668EEEBEC
Source: C:\Program Files\FileOpen\Services\FileOpenBroker64.exeCode function: 13_2_00007FF668F0ECB4
Source: C:\Program Files\FileOpen\Services\FileOpenBroker64.exeCode function: 13_2_00007FF668E1EBA0
Source: C:\Program Files\FileOpen\Services\FileOpenBroker64.exeCode function: 13_2_00007FF668F1CB98
Source: C:\Program Files\FileOpen\Services\FileOpenBroker64.exeCode function: 13_2_00007FF668F0AC04
Source: C:\Program Files\FileOpen\Services\FileOpenBroker64.exeCode function: 13_2_00007FF668E20DF0
Source: C:\Program Files\FileOpen\Services\FileOpenBroker64.exeCode function: 13_2_00007FF668E01D50
Source: C:\Program Files\FileOpen\Services\FileOpenBroker64.exeCode function: 13_2_00007FF668F3FD98
Source: C:\Program Files\FileOpen\Services\FileOpenBroker64.exeCode function: 13_2_00007FF668E47EC0
Source: C:\Program Files\FileOpen\Services\FileOpenBroker64.exeCode function: 13_2_00007FF668F29DB4
Source: C:\Program Files\FileOpen\Services\FileOpenBroker64.exeCode function: 13_2_00007FF668E03E90
Source: C:\Program Files\FileOpen\Services\FileOpenBroker64.exeCode function: 13_2_00007FF668E1F024
Source: C:\Program Files\FileOpen\Services\FileOpenBroker64.exeCode function: 13_2_00007FF668E8BFF0
Source: C:\Program Files\FileOpen\Services\FileOpenBroker64.exeCode function: 13_2_00007FF668DEEFD0
Source: C:\Program Files\FileOpen\Services\FileOpenBroker64.exeCode function: 13_2_00007FF668E01130
Source: C:\Program Files\FileOpen\Services\FileOpenBroker64.exeCode function: 13_2_00007FF668F1FF98
Source: C:\Program Files\FileOpen\Services\FileOpenBroker64.exeCode function: 13_2_00007FF668E18220
Source: C:\Program Files\FileOpen\Services\FileOpenBroker64.exeCode function: 13_2_00007FF668F09280
Source: C:\Program Files\FileOpen\Services\FileOpenBroker64.exeCode function: 13_2_00007FF668E5F1C0
Source: C:\Program Files\FileOpen\Services\FileOpenBroker64.exeCode function: 13_2_00007FF668E1F2F6
Source: C:\Program Files\FileOpen\Services\FileOpenBroker64.exeCode function: 13_2_00007FF668DEE310
Source: C:\Program Files\FileOpen\Services\FileOpenBroker64.exeCode function: 13_2_00007FF668DEF41F
Source: C:\Program Files\FileOpen\Services\FileOpenBroker64.exeCode function: 13_2_00007FF668DE5400
Source: C:\Program Files\FileOpen\Services\FileOpenBroker64.exeCode function: 13_2_00007FF668E074F0
Source: C:\Program Files\FileOpen\Services\FileOpenBroker64.exeCode function: 13_2_00007FF668E094D0
Source: C:\Program Files\FileOpen\Services\FileOpenBroker64.exeCode function: 13_2_00007FF668F333AC
Source: C:\Program Files\FileOpen\Services\FileOpenBroker64.exeCode function: 13_2_00007FF668E0B540
Source: C:\Program Files\FileOpen\Services\FileOpenBroker64.exeCode function: 13_2_00007FF668F3D5A4
Source: C:\Program Files\FileOpen\Services\FileOpenBroker64.exeCode function: 13_2_00007FF668E4A820
Source: C:\Program Files\FileOpen\Services\FileOpenBroker64.exeCode function: 13_2_00007FF668E0D7D0
Source: C:\Program Files\FileOpen\Services\FileOpenBroker64.exeCode function: 16_2_00007FF668F0ED98
Source: C:\Program Files\FileOpen\Services\FileOpenBroker64.exeCode function: 16_2_00007FF668F0F02C
Source: C:\Program Files\FileOpen\Services\FileOpenBroker64.exeCode function: 16_2_00007FF668DD8180
Source: C:\Program Files\FileOpen\Services\FileOpenBroker64.exeCode function: 16_2_00007FF668E0F6A0
Source: C:\Program Files\FileOpen\Services\FileOpenBroker64.exeCode function: 16_2_00007FF668DE7640
Source: C:\Program Files\FileOpen\Services\FileOpenBroker64.exeCode function: 16_2_00007FF668DD5A10
Source: C:\Program Files\FileOpen\Services\FileOpenBroker64.exeCode function: 16_2_00007FF668EF9974
Source: C:\Program Files\FileOpen\Services\FileOpenBroker64.exeCode function: 16_2_00007FF668DEDB30
Source: C:\Program Files\FileOpen\Services\FileOpenBroker64.exeCode function: 16_2_00007FF668E08B10
Source: C:\Program Files\FileOpen\Services\FileOpenBroker64.exeCode function: 16_2_00007FF668F299B4
Source: C:\Program Files\FileOpen\Services\FileOpenBroker64.exeCode function: 16_2_00007FF668E07A70
Source: C:\Program Files\FileOpen\Services\FileOpenBroker64.exeCode function: 16_2_00007FF668F0FC40
Source: C:\Program Files\FileOpen\Services\FileOpenBroker64.exeCode function: 16_2_00007FF668EEEBEC
Source: C:\Program Files\FileOpen\Services\FileOpenBroker64.exeCode function: 16_2_00007FF668F0ECB4
Source: C:\Program Files\FileOpen\Services\FileOpenBroker64.exeCode function: 16_2_00007FF668E1EBA0
Source: C:\Program Files\FileOpen\Services\FileOpenBroker64.exeCode function: 16_2_00007FF668F1CB98
Source: C:\Program Files\FileOpen\Services\FileOpenBroker64.exeCode function: 16_2_00007FF668F0AC04
Source: C:\Program Files\FileOpen\Services\FileOpenBroker64.exeCode function: 16_2_00007FF668DD8DE0
Source: C:\Program Files\FileOpen\Services\FileOpenBroker64.exeCode function: 16_2_00007FF668E20DF0
Source: C:\Program Files\FileOpen\Services\FileOpenBroker64.exeCode function: 16_2_00007FF668E01D50
Source: C:\Program Files\FileOpen\Services\FileOpenBroker64.exeCode function: 16_2_00007FF668E47EC0
Source: C:\Program Files\FileOpen\Services\FileOpenBroker64.exeCode function: 16_2_00007FF668E03E90
Source: C:\Program Files\FileOpen\Services\FileOpenBroker64.exeCode function: 16_2_00007FF668E1F024
Source: C:\Program Files\FileOpen\Services\FileOpenBroker64.exeCode function: 16_2_00007FF668E8BFF0
Source: C:\Program Files\FileOpen\Services\FileOpenBroker64.exeCode function: 16_2_00007FF668DEEFD0
Source: C:\Program Files\FileOpen\Services\FileOpenBroker64.exeCode function: 16_2_00007FF668F1FF98
Source: C:\Program Files\FileOpen\Services\FileOpenBroker64.exeCode function: 16_2_00007FF668E18220
Source: C:\Program Files\FileOpen\Services\FileOpenBroker64.exeCode function: 16_2_00007FF668E011F3
Source: C:\Program Files\FileOpen\Services\FileOpenBroker64.exeCode function: 16_2_00007FF668E1F2F6
Source: C:\Program Files\FileOpen\Services\FileOpenBroker64.exeCode function: 16_2_00007FF668DEE310
Source: C:\Program Files\FileOpen\Services\FileOpenBroker64.exeCode function: 16_2_00007FF668DEF41F
Source: C:\Program Files\FileOpen\Services\FileOpenBroker64.exeCode function: 16_2_00007FF668DE5400
Source: C:\Program Files\FileOpen\Services\FileOpenBroker64.exeCode function: 16_2_00007FF668E074F0
Source: C:\Program Files\FileOpen\Services\FileOpenBroker64.exeCode function: 16_2_00007FF668E094D0
Source: C:\Program Files\FileOpen\Services\FileOpenBroker64.exeCode function: 16_2_00007FF668E0B540
Source: C:\Program Files\FileOpen\Services\FileOpenBroker64.exeCode function: 16_2_00007FF668E0D7D0
Source: C:\Program Files\FileOpen\Services\FileOpenBroker64.exeCode function: 16_2_00007FF668E39860
Source: C:\Program Files\FileOpen\Services\FileOpenBroker64.exeCode function: 16_2_00007FF668DD7850
Source: C:\Program Files\FileOpen\Services\FileOpenBroker64.exeCode function: String function: 00007FF668DDF490 appears 44 times
Source: C:\Program Files\FileOpen\Services\FileOpenBroker64.exeCode function: String function: 00007FF668DD7FE0 appears 60 times
Source: C:\Program Files\FileOpen\Services\FileOpenBroker64.exeCode function: String function: 00007FF668E003A0 appears 61 times
Source: C:\Program Files\FileOpen\Services\FileOpenBroker64.exeCode function: String function: 00007FF668DDB970 appears 48 times
Source: C:\Program Files\FileOpen\Services\FileOpenBroker64.exeCode function: String function: 00007FF668E5D2E0 appears 40 times
Source: C:\Program Files\FileOpen\Services\FileOpenBroker64.exeCode function: String function: 00007FF668E50CE0 appears 34 times
Source: C:\Program Files\FileOpen\Services\FileOpenManager64.exeCode function: String function: 00007FF600AEC918 appears 48 times
Source: C:\Program Files\FileOpen\Services\FileOpenManager64.exeCode function: 12_2_00007FF600A768B0 GetCurrentProcess,GetCurrentProcess,GetCurrentProcess,DuplicateHandle,SetLastError,FindCloseChangeNotification,EnterCriticalSection,LeaveCriticalSection,LocalAlloc,NtCreatePort,LocalFree,LocalFree,LocalFree,LocalAlloc,lstrlenA,LocalAlloc,lstrcpyA,CreateSemaphoreW,InitializeCriticalSection,CreateThread,CreateThread,SetThreadPriority,SetThreadPriority,EnterCriticalSection,LeaveCriticalSection,
Source: C:\Program Files\FileOpen\Services\FileOpenManager64.exeCode function: 12_2_00007FF600A77510 LocalAlloc,NtReplyWaitReceivePortEx,NtReplyWaitReceivePort,FindCloseChangeNotification,NtAcceptConnectPort,LocalFree,GetCurrentProcessId,LocalAlloc,NtAcceptConnectPort,LocalAlloc,LocalFree,NtCompleteConnectPort,SetEvent,EnterCriticalSection,LeaveCriticalSection,ReleaseSemaphore,LocalFree,NtAcceptConnectPort,LocalFree,LocalFree,LocalFree,
Source: C:\Program Files\FileOpen\Services\FileOpenManager64.exeCode function: 12_2_00007FF600A77AF0 EnterCriticalSection,LeaveCriticalSection,ReleaseSemaphore,NtConnectPort,LocalFree,WaitForSingleObject,TerminateThread,CloseHandle,WaitForSingleObject,TerminateThread,CloseHandle,GetCurrentProcess,GetCurrentProcess,DuplicateHandle,SetEvent,WaitForSingleObject,CloseHandle,SetEvent,WaitForSingleObject,EnterCriticalSection,TerminateThread,CloseHandle,CloseHandle,LocalFree,LocalFree,LeaveCriticalSection,CloseHandle,CloseHandle,DeleteCriticalSection,LocalFree,LocalFree,
Source: C:\Program Files\FileOpen\Services\FileOpenManager64.exeCode function: 12_2_00007FF600A75F80 GetLastError,GetCurrentProcessId,GetCurrentProcessId,GetCurrentProcessId,CreateFileMappingW,MapViewOfFile,UnmapViewOfFile,NtConnectPort,CloseHandle,LocalFree,CloseHandle,GetCurrentProcessId,OpenProcess,OpenProcess,GetCurrentProcess,DuplicateHandle,GetCurrentProcessId,WriteFile,WriteFile,WriteFile,WriteFile,WriteFile,CloseHandle,ReleaseMutex,CloseHandle,CloseHandle,SetLastError,
Source: C:\Program Files\FileOpen\Services\FileOpenBroker64.exeCode function: 13_2_00007FF668DD8DE0 LocalAlloc,NtReplyWaitReceivePortEx,NtReplyWaitReceivePort,CloseHandle,NtAcceptConnectPort,LocalFree,GetCurrentProcessId,LocalAlloc,NtAcceptConnectPort,LocalAlloc,LocalFree,NtCompleteConnectPort,SetEvent,EnterCriticalSection,LeaveCriticalSection,ReleaseSemaphore,LocalFree,NtAcceptConnectPort,LocalFree,LocalFree,LocalFree,
Source: C:\Program Files\FileOpen\Services\FileOpenBroker64.exeCode function: 13_2_00007FF668DD8180 GetCurrentProcess,GetCurrentProcess,GetCurrentProcess,DuplicateHandle,SetLastError,FindCloseChangeNotification,EnterCriticalSection,LeaveCriticalSection,LocalAlloc,NtCreatePort,LocalFree,LocalFree,LocalFree,LocalAlloc,lstrlenA,LocalAlloc,lstrcpyA,CreateSemaphoreW,InitializeCriticalSection,CreateThread,CreateThread,SetThreadPriority,SetThreadPriority,EnterCriticalSection,LeaveCriticalSection,
Source: C:\Program Files\FileOpen\Services\FileOpenBroker64.exeCode function: 13_2_00007FF668DD7850 GetLastError,GetCurrentProcessId,GetCurrentProcessId,GetCurrentProcessId,CreateFileMappingW,MapViewOfFile,UnmapViewOfFile,NtConnectPort,CloseHandle,LocalFree,CloseHandle,GetCurrentProcessId,OpenProcess,OpenProcess,GetCurrentProcess,DuplicateHandle,GetCurrentProcessId,WriteFile,WriteFile,WriteFile,WriteFile,WriteFile,CloseHandle,ReleaseMutex,CloseHandle,CloseHandle,SetLastError,
Source: C:\Program Files\FileOpen\Services\FileOpenBroker64.exeCode function: 13_2_00007FF668DD93C0 EnterCriticalSection,LeaveCriticalSection,ReleaseSemaphore,NtConnectPort,LocalFree,WaitForSingleObject,TerminateThread,CloseHandle,WaitForSingleObject,TerminateThread,CloseHandle,GetCurrentProcess,GetCurrentProcess,DuplicateHandle,SetEvent,WaitForSingleObject,CloseHandle,SetEvent,WaitForSingleObject,EnterCriticalSection,TerminateThread,CloseHandle,CloseHandle,LocalFree,LocalFree,LeaveCriticalSection,CloseHandle,CloseHandle,DeleteCriticalSection,LocalFree,LocalFree,
Source: C:\Program Files\FileOpen\Services\FileOpenBroker64.exeCode function: 16_2_00007FF668DD8180 GetCurrentProcess,GetCurrentProcess,GetCurrentProcess,DuplicateHandle,SetLastError,CloseHandle,EnterCriticalSection,LeaveCriticalSection,LocalAlloc,NtCreatePort,LocalFree,LocalFree,LocalFree,LocalAlloc,lstrlenA,LocalAlloc,lstrcpyA,CreateSemaphoreW,InitializeCriticalSection,CreateThread,CreateThread,SetThreadPriority,SetThreadPriority,EnterCriticalSection,LeaveCriticalSection,
Source: C:\Program Files\FileOpen\Services\FileOpenBroker64.exeCode function: 16_2_00007FF668DD8DE0 LocalAlloc,NtReplyWaitReceivePortEx,NtReplyWaitReceivePort,CloseHandle,NtAcceptConnectPort,LocalFree,GetCurrentProcessId,LocalAlloc,NtAcceptConnectPort,LocalAlloc,LocalFree,NtCompleteConnectPort,SetEvent,EnterCriticalSection,LeaveCriticalSection,ReleaseSemaphore,LocalFree,NtAcceptConnectPort,LocalFree,LocalFree,LocalFree,
Source: C:\Program Files\FileOpen\Services\FileOpenBroker64.exeCode function: 16_2_00007FF668DD93C0 EnterCriticalSection,LeaveCriticalSection,ReleaseSemaphore,NtConnectPort,LocalFree,WaitForSingleObject,TerminateThread,CloseHandle,WaitForSingleObject,TerminateThread,CloseHandle,GetCurrentProcess,GetCurrentProcess,DuplicateHandle,SetEvent,WaitForSingleObject,CloseHandle,SetEvent,WaitForSingleObject,EnterCriticalSection,TerminateThread,CloseHandle,CloseHandle,LocalFree,LocalFree,LeaveCriticalSection,CloseHandle,CloseHandle,DeleteCriticalSection,LocalFree,LocalFree,
Source: C:\Program Files\FileOpen\Services\FileOpenBroker64.exeCode function: 16_2_00007FF668DD7850 GetLastError,GetCurrentProcessId,GetCurrentProcessId,GetCurrentProcessId,CreateFileMappingW,MapViewOfFile,UnmapViewOfFile,NtConnectPort,CloseHandle,LocalFree,CloseHandle,GetCurrentProcessId,OpenProcess,OpenProcess,GetCurrentProcess,DuplicateHandle,GetCurrentProcessId,WriteFile,WriteFile,WriteFile,WriteFile,WriteFile,CloseHandle,ReleaseMutex,CloseHandle,CloseHandle,SetLastError,
Source: C:\Program Files\FileOpen\Services\FileOpenManager64.exeCode function: 12_2_00007FF600A8E320: LocalAlloc,CreateFileW,CreateEventW,GetCurrentThreadId,DeviceIoControl,GetLastError,WaitForMultipleObjects,GetOverlappedResult,LocalAlloc,LocalAlloc,OpenProcess,CloseHandle,LocalFree,LocalFree,ResetEvent,CancelIo,CloseHandle,CloseHandle,LocalFree,CloseHandle,EnterCriticalSection,LeaveCriticalSection,LocalFree,LocalFree,SetEvent,
Source: FileOpenInstaller.tmp.0.drStatic PE information: Resource name: RT_RCDATA type: PE32+ executable (console) x86-64, for MS Windows
Source: is-NSHSA.tmp.4.drStatic PE information: Resource name: RT_RCDATA type: PE32+ executable (console) x86-64, for MS Windows
Source: is-FC998.tmp.4.drStatic PE information: Resource name: RT_VERSION type: TTComp archive data, binary, 2K dictionary
Source: FileOpenInstaller.exe, 00000000.00000000.2482388575.0000000000541000.00000002.00000001.01000000.00000003.sdmpBinary or memory string: OriginalFileName vs FileOpenInstaller.exe
Source: FileOpenInstaller.exe, 00000000.00000003.2484508219.0000000002905000.00000004.00001000.00020000.00000000.sdmpBinary or memory string: OriginalFileName vs FileOpenInstaller.exe
Source: FileOpenInstaller.exe, 00000000.00000003.2795690428.0000000002448000.00000004.00001000.00020000.00000000.sdmpBinary or memory string: OriginalFilenamekernel32j% vs FileOpenInstaller.exe
Source: FileOpenInstaller.exe, 00000000.00000003.2487120202.000000007FE31000.00000004.00001000.00020000.00000000.sdmpBinary or memory string: OriginalFileName vs FileOpenInstaller.exe
Source: FileOpenInstaller.exeBinary or memory string: OriginalFileName vs FileOpenInstaller.exe
Source: is-FC998.tmp.4.drStatic PE information: Resource name: RT_VERSION type: TTComp archive data, binary, 2K dictionary
Source: C:\Users\user\Desktop\FileOpenInstaller.exeSection loaded: edgegdi.dll
Source: C:\Users\user\AppData\Local\Temp\is-RJIJI.tmp\FileOpenInstaller.tmpSection loaded: edgegdi.dll
Source: C:\Program Files\FileOpen\Services\FileOpenManager64.exeSection loaded: edgegdi.dll
Source: C:\Program Files\FileOpen\Services\FileOpenBroker64.exeSection loaded: edgegdi.dll
Source: C:\Program Files\FileOpen\Services\FileOpenBroker64.exeSection loaded: edgegdi.dll
Source: C:\Program Files\FileOpen\Services\FileOpenManager64.exeCode function: 12_2_00007FF600A895C0 OpenSCManagerW,OpenServiceW,DeleteService,GetLastError,CloseServiceHandle,SetLastError,GetLastError,CloseServiceHandle,SetLastError,
Source: C:\Users\user\Desktop\FileOpenInstaller.exeFile read: C:\Users\user\Desktop\FileOpenInstaller.exe
Source: C:\Users\user\Desktop\FileOpenInstaller.exeKey opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: unknownProcess created: C:\Users\user\Desktop\FileOpenInstaller.exe C:\Users\user\Desktop\FileOpenInstaller.exe
Source: C:\Users\user\Desktop\FileOpenInstaller.exeProcess created: C:\Users\user\AppData\Local\Temp\is-RJIJI.tmp\FileOpenInstaller.tmp "C:\Users\user\AppData\Local\Temp\is-RJIJI.tmp\FileOpenInstaller.tmp" /SL5="$6040A,6054369,1320960,C:\Users\user\Desktop\FileOpenInstaller.exe"
Source: C:\Users\user\AppData\Local\Temp\is-RJIJI.tmp\FileOpenInstaller.tmpProcess created: C:\Windows\System32\sc.exe "C:\Windows\system32\sc.exe" create FileOpenManager binpath= "\"C:\Program Files\FileOpen\Services\FileOpenManager64.exe\"" start= auto
Source: C:\Windows\System32\sc.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Temp\is-RJIJI.tmp\FileOpenInstaller.tmpProcess created: C:\Windows\System32\sc.exe "C:\Windows\system32\sc.exe" description FileOpenManager "FileOpen Client Manager"
Source: C:\Windows\System32\sc.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Temp\is-RJIJI.tmp\FileOpenInstaller.tmpProcess created: C:\Windows\System32\sc.exe "C:\Windows\system32\sc.exe" start FileOpenManager
Source: C:\Windows\System32\sc.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknownProcess created: C:\Program Files\FileOpen\Services\FileOpenManager64.exe C:\Program Files\FileOpen\Services\FileOpenManager64.exe
Source: C:\Users\user\AppData\Local\Temp\is-RJIJI.tmp\FileOpenInstaller.tmpProcess created: C:\Program Files\FileOpen\Services\FileOpenBroker64.exe C:\Program Files\FileOpen\Services\FileOpenBroker64.exe
Source: C:\Users\user\AppData\Local\Temp\is-RJIJI.tmp\FileOpenInstaller.tmpProcess created: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe" installcomplete.pdf
Source: unknownProcess created: C:\Program Files\FileOpen\Services\FileOpenBroker64.exe "C:\Program Files\FileOpen\Services\FileOpenBroker64.exe"
Source: C:\Users\user\Desktop\FileOpenInstaller.exeProcess created: C:\Users\user\AppData\Local\Temp\is-RJIJI.tmp\FileOpenInstaller.tmp "C:\Users\user\AppData\Local\Temp\is-RJIJI.tmp\FileOpenInstaller.tmp" /SL5="$6040A,6054369,1320960,C:\Users\user\Desktop\FileOpenInstaller.exe"
Source: C:\Users\user\AppData\Local\Temp\is-RJIJI.tmp\FileOpenInstaller.tmpProcess created: C:\Windows\System32\sc.exe "C:\Windows\system32\sc.exe" create FileOpenManager binpath= "\"C:\Program Files\FileOpen\Services\FileOpenManager64.exe\"" start= auto
Source: C:\Users\user\AppData\Local\Temp\is-RJIJI.tmp\FileOpenInstaller.tmpProcess created: C:\Windows\System32\sc.exe "C:\Windows\system32\sc.exe" description FileOpenManager "FileOpen Client Manager"
Source: C:\Users\user\AppData\Local\Temp\is-RJIJI.tmp\FileOpenInstaller.tmpProcess created: C:\Windows\System32\sc.exe "C:\Windows\system32\sc.exe" start FileOpenManager
Source: C:\Users\user\AppData\Local\Temp\is-RJIJI.tmp\FileOpenInstaller.tmpProcess created: C:\Program Files\FileOpen\Services\FileOpenBroker64.exe C:\Program Files\FileOpen\Services\FileOpenBroker64.exe
Source: C:\Users\user\AppData\Local\Temp\is-RJIJI.tmp\FileOpenInstaller.tmpProcess created: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe" installcomplete.pdf
Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exeProcess created: unknown unknown
Source: C:\Users\user\AppData\Local\Temp\is-RJIJI.tmp\FileOpenInstaller.tmpKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{00BB2765-6A77-11D0-A535-00C04FD7D062}\InProcServer32
Source: C:\Program Files\FileOpen\Services\FileOpenManager64.exeCode function: 12_2_00007FF600A7A260 GetCurrentProcess,OpenProcessToken,GetTokenInformation,LocalAlloc,GetTokenInformation,LookupPrivilegeValueW,LookupPrivilegeValueW,LookupPrivilegeValueW,AdjustTokenPrivileges,LocalFree,FindCloseChangeNotification,
Source: C:\Program Files\FileOpen\Services\FileOpenBroker64.exeCode function: 13_2_00007FF668DD6F80 GetCurrentProcess,OpenProcessToken,GetTokenInformation,LocalAlloc,GetTokenInformation,LookupPrivilegeValueW,LookupPrivilegeValueW,LookupPrivilegeValueW,AdjustTokenPrivileges,LocalFree,FindCloseChangeNotification,
Source: C:\Program Files\FileOpen\Services\FileOpenBroker64.exeCode function: 16_2_00007FF668DD6F80 GetCurrentProcess,OpenProcessToken,GetTokenInformation,LocalAlloc,GetTokenInformation,LookupPrivilegeValueW,LookupPrivilegeValueW,LookupPrivilegeValueW,AdjustTokenPrivileges,LocalFree,FindCloseChangeNotification,
Source: C:\Users\user\AppData\Local\Temp\is-RJIJI.tmp\FileOpenInstaller.tmpFile created: C:\Users\user\AppData\Local\Programs
Source: C:\Users\user\Desktop\FileOpenInstaller.exeFile created: C:\Users\user\AppData\Local\Temp\is-RJIJI.tmp
Source: classification engineClassification label: clean16.winEXE@19/50@2/2
Source: C:\Program Files\FileOpen\Services\FileOpenManager64.exeCode function: OpenSCManagerW,OpenServiceW,GetLastError,CloseServiceHandle,SetLastError,CreateServiceW,CloseServiceHandle,GetLastError,CloseServiceHandle,SetLastError,GetLastError,SetLastError,
Source: C:\Program Files\FileOpen\Services\FileOpenManager64.exeCode function: OpenSCManagerA,GetLastError,CreateServiceA,GetLastError,CloseServiceHandle,CloseServiceHandle,CloseServiceHandle,
Source: C:\Program Files\FileOpen\Services\FileOpenBroker64.exeCode function: OpenSCManagerW,OpenServiceW,GetLastError,CloseServiceHandle,SetLastError,CreateServiceW,CloseServiceHandle,GetLastError,CloseServiceHandle,SetLastError,GetLastError,SetLastError,
Source: C:\Program Files\FileOpen\Services\FileOpenBroker64.exeCode function: OpenSCManagerW,OpenServiceW,GetLastError,CloseServiceHandle,SetLastError,CreateServiceW,CloseServiceHandle,GetLastError,CloseServiceHandle,SetLastError,GetLastError,SetLastError,
Source: FileOpenInstaller.tmp, 00000004.00000003.2775176990.0000000003C5E000.00000004.00001000.00020000.00000000.sdmp, FileOpenInstaller.tmp, 00000004.00000003.2775176990.0000000003AB5000.00000004.00001000.00020000.00000000.sdmp, FileOpenInstaller.tmp, 00000004.00000003.2775176990.0000000003A30000.00000004.00001000.00020000.00000000.sdmp, FileOpenBroker64.exe, 0000000D.00000002.3723165095.00007FF668F4B000.00000002.00000001.01000000.0000000A.sdmp, FileOpenBroker64.exe, 0000000D.00000000.2735368706.00007FF668F4B000.00000002.00000001.01000000.0000000A.sdmp, FileOpenBroker64.exe, 00000010.00000000.2815055164.00007FF668F4B000.00000002.00000001.01000000.0000000A.sdmp, FileOpenBroker64.exe, 00000010.00000002.2820538293.00007FF668F4B000.00000002.00000001.01000000.0000000A.sdmp, is-JKV7N.tmp.4.dr, is-GV932.tmp.4.drBinary or memory string: UPDATE %Q.sqlite_master SET tbl_name = %Q, name = CASE WHEN type='table' THEN %Q WHEN name LIKE 'sqliteX_autoindex%%' ESCAPE 'X' AND type='index' THEN 'sqlite_autoindex_' || %Q || substr(name,%d+18) ELSE name END WHERE tbl_name=%Q COLLATE nocase AND (type='table' OR type='index' OR type='trigger');
Source: FileOpenBroker64.exe, FileOpenBroker64.exe, 00000010.00000000.2815055164.00007FF668F4B000.00000002.00000001.01000000.0000000A.sdmp, FileOpenBroker64.exe, 00000010.00000002.2820538293.00007FF668F4B000.00000002.00000001.01000000.0000000A.sdmp, is-JKV7N.tmp.4.dr, is-GV932.tmp.4.drBinary or memory string: SELECT tbl_name FROM sqlite_master WHERE type='table' AND name='%s';
Source: FileOpenInstaller.tmp, 00000004.00000003.2775176990.0000000003C5E000.00000004.00001000.00020000.00000000.sdmp, FileOpenInstaller.tmp, 00000004.00000003.2775176990.0000000003AB5000.00000004.00001000.00020000.00000000.sdmpBinary or memory string: UPDATE %s SET = WHERE %s = %d AND %s = '%s';fotkSqliteStorage.cpp:%d. SetLibSqliteDbGdpr - Can't sqlite3_step a '%s' row. Result code %d - Err message '%s'.
Source: FileOpenBroker64.exe, FileOpenBroker64.exe, 00000010.00000000.2815055164.00007FF668F4B000.00000002.00000001.01000000.0000000A.sdmp, FileOpenBroker64.exe, 00000010.00000002.2820538293.00007FF668F4B000.00000002.00000001.01000000.0000000A.sdmp, is-JKV7N.tmp.4.dr, is-GV932.tmp.4.drBinary or memory string: UPDATE %s SET %s = %u WHERE %s = %d AND %s = '%s';
Source: FileOpenInstaller.tmp, 00000004.00000003.2775176990.0000000003C5E000.00000004.00001000.00020000.00000000.sdmp, FileOpenInstaller.tmp, 00000004.00000003.2775176990.0000000003AB5000.00000004.00001000.00020000.00000000.sdmpBinary or memory string: SELECT * FROM %s WHERE pubId = %d AND url = '%s';fotkSqliteStorage.cpp:%d. GetLibSqliteDbGdpr - Can't sqlite3_prepare_v2 a '%s' statement. Result code %d - Err message '%s'.
Source: FileOpenInstaller.tmp, 00000004.00000003.2775176990.0000000003C5E000.00000004.00001000.00020000.00000000.sdmp, FileOpenInstaller.tmp, 00000004.00000003.2775176990.0000000003AB5000.00000004.00001000.00020000.00000000.sdmpBinary or memory string: SELECT idx FROM %s WHERE pubId = %d AND url = '%s';fotkSqliteStorage.cpp:%d. SetLibSqliteDbGdpr. query '%s'
Source: FileOpenInstaller.tmp, 00000004.00000003.2775176990.0000000003C5E000.00000004.00001000.00020000.00000000.sdmp, FileOpenInstaller.tmp, 00000004.00000003.2775176990.0000000003AB5000.00000004.00001000.00020000.00000000.sdmpBinary or memory string: SELECT sql FROM sqlite_master WHERE type='table' AND name = '%s';gdprGDPRfotkLibSqliteSchema.cpp.
Source: FileOpenInstaller.tmp, 00000004.00000003.2775176990.0000000003C5E000.00000004.00001000.00020000.00000000.sdmp, FileOpenInstaller.tmp, 00000004.00000003.2775176990.0000000003AB5000.00000004.00001000.00020000.00000000.sdmpBinary or memory string: INSERT INTO %s (,) VALUES ('datetime('now')%u);fotkSqliteStorage.cpp:%d. SetLibSqliteDbGdpr. The Gdpr database must be updated.
Source: FileOpenBroker64.exe, FileOpenBroker64.exe, 00000010.00000000.2815055164.00007FF668F4B000.00000002.00000001.01000000.0000000A.sdmp, FileOpenBroker64.exe, 00000010.00000002.2820538293.00007FF668F4B000.00000002.00000001.01000000.0000000A.sdmp, is-JKV7N.tmp.4.dr, is-GV932.tmp.4.drBinary or memory string: SELECT sql FROM sqlite_master WHERE type='table' AND name = '%s';
Source: FileOpenBroker64.exe, FileOpenBroker64.exe, 00000010.00000000.2815055164.00007FF668F4B000.00000002.00000001.01000000.0000000A.sdmp, FileOpenBroker64.exe, 00000010.00000002.2820538293.00007FF668F4B000.00000002.00000001.01000000.0000000A.sdmp, is-JKV7N.tmp.4.dr, is-GV932.tmp.4.drBinary or memory string: SELECT idx FROM %s WHERE pubId = %d AND url = '%s';
Source: FileOpenBroker64.exe, FileOpenBroker64.exe, 00000010.00000000.2815055164.00007FF668F4B000.00000002.00000001.01000000.0000000A.sdmp, FileOpenBroker64.exe, 00000010.00000002.2820538293.00007FF668F4B000.00000002.00000001.01000000.0000000A.sdmp, is-JKV7N.tmp.4.dr, is-GV932.tmp.4.drBinary or memory string: SELECT * FROM %s WHERE pubId = %d AND url = '%s';
Source: FileOpenInstaller.tmp, 00000004.00000003.2775176990.0000000003C5E000.00000004.00001000.00020000.00000000.sdmp, FileOpenInstaller.tmp, 00000004.00000003.2775176990.0000000003AB5000.00000004.00001000.00020000.00000000.sdmpBinary or memory string: SELECT %s FROM %s WHERE %s = %d AND %s = '%s';fotkSqliteStorage.cpp:%d. GetLibSqliteDbGdprState. query '%s'
Source: FileOpenInstaller.tmp, 00000004.00000003.2775176990.0000000003C5E000.00000004.00001000.00020000.00000000.sdmp, FileOpenInstaller.tmp, 00000004.00000003.2775176990.0000000003AB5000.00000004.00001000.00020000.00000000.sdmpBinary or memory string: SELECT * FROM sqlite_master;
Source: FileOpenInstaller.tmp, 00000004.00000003.2775176990.0000000003C5E000.00000004.00001000.00020000.00000000.sdmp, FileOpenInstaller.tmp, 00000004.00000003.2775176990.0000000003AB5000.00000004.00001000.00020000.00000000.sdmp, FileOpenInstaller.tmp, 00000004.00000003.2775176990.0000000003A30000.00000004.00001000.00020000.00000000.sdmp, FileOpenBroker64.exe, 0000000D.00000002.3723165095.00007FF668F4B000.00000002.00000001.01000000.0000000A.sdmp, FileOpenBroker64.exe, 0000000D.00000000.2735368706.00007FF668F4B000.00000002.00000001.01000000.0000000A.sdmp, FileOpenBroker64.exe, 00000010.00000000.2815055164.00007FF668F4B000.00000002.00000001.01000000.0000000A.sdmp, FileOpenBroker64.exe, 00000010.00000002.2820538293.00007FF668F4B000.00000002.00000001.01000000.0000000A.sdmp, is-JKV7N.tmp.4.dr, is-GV932.tmp.4.dr | Binary or memory string: INSERT INTO %Q.sqlite_master VALUES('index',%Q,%Q,#%d,%Q);
Source: FileOpenInstaller.tmp, 00000004.00000003.2775176990.0000000003C5E000.00000004.00001000.00020000.00000000.sdmp, FileOpenInstaller.tmp, 00000004.00000003.2775176990.0000000003AB5000.00000004.00001000.00020000.00000000.sdmp | Binary or memory string: SELECT tbl_name FROM sqlite_master WHERE type='table' AND name='%s';SqliteCookies.cpp:%d. GetSqliteDbCookieContent - SQL '%s' returns error '%s'.
Source: FileOpenInstaller.tmp, 00000004.00000003.2775176990.0000000003C5E000.00000004.00001000.00020000.00000000.sdmp, FileOpenInstaller.tmp, 00000004.00000003.2775176990.0000000003AB5000.00000004.00001000.00020000.00000000.sdmp | Binary or memory string: UPDATE %s SET %s = %u WHERE %s = %d AND %s = '%s';fotkSqliteStorage.cpp:%d. SetLibSqliteDbGdprState. query '%s'
Source: FileOpenBroker64.exe, FileOpenBroker64.exe, 00000010.00000000.2815055164.00007FF668F4B000.00000002.00000001.01000000.0000000A.sdmp, FileOpenBroker64.exe, 00000010.00000002.2820538293.00007FF668F4B000.00000002.00000001.01000000.0000000A.sdmp, is-JKV7N.tmp.4.dr, is-GV932.tmp.4.dr | Binary or memory string: SELECT %s FROM %s WHERE %s = %d AND %s = '%s';
Source: C:\Program Files\FileOpen\Services\FileOpenManager64.exe | Code function: 12_2_00007FF600AA1390 WTSGetActiveConsoleSessionId,lstrcmpiA,StartServiceCtrlDispatcherA,
Source: C:\Users\user\Desktop\FileOpenInstaller.exe | Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\Users\user\AppData\Local\Temp\is-RJIJI.tmp\FileOpenInstaller.tmp | Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\Program Files\FileOpen\Services\FileOpenManager64.exe | Code function: 12_2_00007FF600AA0EE0 CreateToolhelp32Snapshot,CloseHandle,CloseHandle,
Source: C:\Program Files\FileOpen\Services\FileOpenBroker64.exe | Mutant created: \Sessions\1\BaseNamedObjects\Ipc2Cnt$1674Mutex
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3300:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3300:304:WilStaging_02
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3208:304:WilStaging_02
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4300:304:WilStaging_02
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4300:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3208:120:WilError_03
Source: C:\Users\user\AppData\Local\Temp\is-RJIJI.tmp\FileOpenInstaller.tmp | File created: C:\Program Files\FileOpen
Source: FileOpenInstaller.exe | String found in binary or memory: /LOADINF="filename"
Source: C:\Users\user\AppData\Local\Temp\is-RJIJI.tmp\FileOpenInstaller.tmp | Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion RegisteredOrganization
Source: C:\Users\user\AppData\Local\Temp\is-RJIJI.tmp\FileOpenInstaller.tmp | Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion RegisteredOwner
Source: C:\Users\user\AppData\Local\Temp\is-RJIJI.tmp\FileOpenInstaller.tmp | Window found: window name: TMainForm
Source: C:\Users\user\AppData\Local\Temp\is-RJIJI.tmp\FileOpenInstaller.tmp | Automated click: Next >
Source: C:\Users\user\AppData\Local\Temp\is-RJIJI.tmp\FileOpenInstaller.tmp | Automated click: I accept the agreement
Source: C:\Users\user\AppData\Local\Temp\is-RJIJI.tmp\FileOpenInstaller.tmp | Automated click: Install
Source: C:\Users\user\AppData\Local\Temp\is-RJIJI.tmp\FileOpenInstaller.tmp | File opened: C:\Windows\SysWOW64\MSFTEDIT.DLL
Source: Window Recorder | Window detected: More than 3 window changes detected
Source: C:\Users\user\AppData\Local\Temp\is-RJIJI.tmp\FileOpenInstaller.tmp | Registry value created: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\FileOpenClient_is1
Source: FileOpenInstaller.exe | Static file information: File size 6831336 > 1048576
Source: C:\Users\user\AppData\Local\Temp\is-RJIJI.tmp\FileOpenInstaller.tmp | Directory created: C:\Program Files\FileOpen
Source: C:\Users\user\AppData\Local\Temp\is-RJIJI.tmp\FileOpenInstaller.tmp | Directory created: C:\Program Files\FileOpen\unins000.dat
Source: C:\Users\user\AppData\Local\Temp\is-RJIJI.tmp\FileOpenInstaller.tmp | Directory created: C:\Program Files\FileOpen\is-NSHSA.tmp
Source: C:\Users\user\AppData\Local\Temp\is-RJIJI.tmp\FileOpenInstaller.tmp | Directory created: C:\Program Files\FileOpen\is-9KV5A.tmp
Source: C:\Users\user\AppData\Local\Temp\is-RJIJI.tmp\FileOpenInstaller.tmp | Directory created: C:\Program Files\FileOpen\examples
Source: C:\Users\user\AppData\Local\Temp\is-RJIJI.tmp\FileOpenInstaller.tmp | Directory created: C:\Program Files\FileOpen\examples\is-5NKPI.tmp
Source: C:\Users\user\AppData\Local\Temp\is-RJIJI.tmp\FileOpenInstaller.tmp | Directory created: C:\Program Files\FileOpen\Services
Source: C:\Users\user\AppData\Local\Temp\is-RJIJI.tmp\FileOpenInstaller.tmp | Directory created: C:\Program Files\FileOpen\Services\is-JKV7N.tmp
Source: C:\Users\user\AppData\Local\Temp\is-RJIJI.tmp\FileOpenInstaller.tmp | Directory created: C:\Program Files\FileOpen\Services\is-FC998.tmp
Source: C:\Users\user\AppData\Local\Temp\is-RJIJI.tmp\FileOpenInstaller.tmp | Directory created: C:\Program Files\FileOpen\unins000.msg
Source: FileOpenInstaller.exe | Static PE information: certificate valid
Source: FileOpenInstaller.exe | Static PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Source: Binary string: C:\dev\FileOpenClient-dev\build-x64-RelWithDebInfo\RelWithDebInfo\FileOpenBrokerTrace64.pdbj source: FileOpenInstaller.tmp, 00000004.00000003.2775176990.0000000003C5E000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: C:\dev\AcroClient-WinInstallers\FileOpenInstallerExe\UtilDll\Release\UtilDll.pdb source: UtilDll.dll.4.dr, is-9KV5A.tmp.4.dr
Source: Binary string: C:\dev\FileOpenClient-dev\build-x64-RelWithDebInfo\RelWithDebInfo\FileOpenBroker64.pdb source: FileOpenInstaller.tmp, 00000004.00000003.2775176990.0000000003A30000.00000004.00001000.00020000.00000000.sdmp, FileOpenBroker64.exe, 0000000D.00000002.3723165095.00007FF668F4B000.00000002.00000001.01000000.0000000A.sdmp, FileOpenBroker64.exe, 0000000D.00000000.2735368706.00007FF668F4B000.00000002.00000001.01000000.0000000A.sdmp, FileOpenBroker64.exe, 00000010.00000000.2815055164.00007FF668F4B000.00000002.00000001.01000000.0000000A.sdmp, FileOpenBroker64.exe, 00000010.00000002.2820538293.00007FF668F4B000.00000002.00000001.01000000.0000000A.sdmp, is-JKV7N.tmp.4.dr
Source: Binary string: C:\dev\FileOpenClient-dev\build-x64-RelWithDebInfo\RelWithDebInfo\FileOpenManager64.pdb source: FileOpenInstaller.tmp, 00000004.00000003.2775176990.0000000003E70000.00000004.00001000.00020000.00000000.sdmp, FileOpenManager64.exe, 0000000C.00000002.3719999030.00007FF600B07000.00000002.00000001.01000000.00000009.sdmp, FileOpenManager64.exe, 0000000C.00000000.2731798759.00007FF600B07000.00000002.00000001.01000000.00000009.sdmp, is-FC998.tmp.4.dr
Source: Binary string: C:\dev\FileOpenClient-dev\build-Win32-RelWithDebInfo\RelWithDebInfo\FileOpenPlugin32.B998.pdb source: is-GV932.tmp.4.dr
Source: Binary string: C:\dev\FileOpenClient-dev\build-x64-RelWithDebInfo\RelWithDebInfo\FileOpenBrokerTrace64.pdb source: FileOpenInstaller.tmp, 00000004.00000003.2775176990.0000000003C5E000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: C:\dev\FileOpenClient-dev\build-x64-RelWithDebInfo\RelWithDebInfo\FileOpenBroker64.pdbi source: FileOpenInstaller.tmp, 00000004.00000003.2775176990.0000000003A30000.00000004.00001000.00020000.00000000.sdmp, FileOpenBroker64.exe, 0000000D.00000002.3723165095.00007FF668F4B000.00000002.00000001.01000000.0000000A.sdmp, FileOpenBroker64.exe, 0000000D.00000000.2735368706.00007FF668F4B000.00000002.00000001.01000000.0000000A.sdmp, FileOpenBroker64.exe, 00000010.00000000.2815055164.00007FF668F4B000.00000002.00000001.01000000.0000000A.sdmp, FileOpenBroker64.exe, 00000010.00000002.2820538293.00007FF668F4B000.00000002.00000001.01000000.0000000A.sdmp, is-JKV7N.tmp.4.dr
Source: Binary string: C:\dev\FileOpenClient-dev\build-Win32-RelWithDebInfo\RelWithDebInfo\FileOpenBrokerTrace32.pdb source: FileOpenInstaller.tmp, 00000004.00000003.2775176990.0000000003AB5000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: C:\dev\FileOpenClient-dev\build-Win32-RelWithDebInfo\RelWithDebInfo\FileOpenManager32.pdb source: FileOpenInstaller.tmp, 00000004.00000003.2775176990.0000000003E70000.00000004.00001000.00020000.00000000.sdmp

Data Obfuscation

Source: C:\Users\user\Desktop\FileOpenInstaller.exe | Process created: C:\Users\user\AppData\Local\Temp\is-RJIJI.tmp\FileOpenInstaller.tmp "C:\Users\user\AppData\Local\Temp\is-RJIJI.tmp\FileOpenInstaller.tmp" /SL5="$6040A,6054369,1320960,C:\Users\user\Desktop\FileOpenInstaller.exe"
Source: FileOpenInstaller.exe | Static PE information: section name: .didata
Source: FileOpenInstaller.tmp.0.dr | Static PE information: section name: .didata
Source: is-NSHSA.tmp.4.dr | Static PE information: section name: .didata
Source: is-JKV7N.tmp.4.dr | Static PE information: section name: _RDATA
Source: is-FC998.tmp.4.dr | Static PE information: section name: _RDATA
Source: C:\Program Files\FileOpen\Services\FileOpenManager64.exe | Code function: 12_2_00007FF600A75A00 LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,AllocateAndInitializeSid,AllocateAndInitializeSid,LocalFree,FreeSid,FreeSid,LocalFree,FreeLibrary,
Source: C:\Users\user\AppData\Local\Temp\is-RJIJI.tmp\FileOpenInstaller.tmp | File created: C:\Program Files\FileOpen\Services\is-FC998.tmp
Source: C:\Users\user\AppData\Local\Temp\is-RJIJI.tmp\FileOpenInstaller.tmp | File created: C:\Program Files\FileOpen\Services\is-JKV7N.tmp
Source: C:\Users\user\AppData\Local\Temp\is-RJIJI.tmp\FileOpenInstaller.tmp | File created: C:\Program Files\FileOpen\Services\FileOpenBroker64.exe (copy)
Source: C:\Users\user\AppData\Local\Temp\is-RJIJI.tmp\FileOpenInstaller.tmp | File created: C:\Program Files\FileOpen\is-NSHSA.tmp
Source: C:\Users\user\AppData\Local\Temp\is-RJIJI.tmp\FileOpenInstaller.tmp | File created: C:\Program Files\FileOpen\is-9KV5A.tmp
Source: C:\Users\user\AppData\Local\Temp\is-RJIJI.tmp\FileOpenInstaller.tmp | File created: C:\Program Files\FileOpen\unins000.exe (copy)
Source: C:\Users\user\AppData\Local\Temp\is-RJIJI.tmp\FileOpenInstaller.tmp | File created: C:\Program Files\FileOpen\UtilDll.dll (copy)
Source: C:\Users\user\AppData\Local\Temp\is-RJIJI.tmp\FileOpenInstaller.tmp | File created: C:\Users\user\AppData\Local\Temp\is-K56MV.tmp\UtilDll.dll
Source: C:\Users\user\Desktop\FileOpenInstaller.exe | File created: C:\Users\user\AppData\Local\Temp\is-RJIJI.tmp\FileOpenInstaller.tmp
Source: C:\Users\user\AppData\Local\Temp\is-RJIJI.tmp\FileOpenInstaller.tmp | File created: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\is-GV932.tmp
Source: C:\Users\user\AppData\Local\Temp\is-RJIJI.tmp\FileOpenInstaller.tmp | File created: C:\Users\user\AppData\Local\Temp\is-K56MV.tmp\_isetup\_setup64.tmp
Source: C:\Users\user\AppData\Local\Temp\is-RJIJI.tmp\FileOpenInstaller.tmp | File created: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\FileOpen.api (copy)
Source: C:\Users\user\AppData\Local\Temp\is-RJIJI.tmp\FileOpenInstaller.tmp | File created: C:\Program Files\FileOpen\Services\FileOpenManager64.exe (copy)
Source: C:\Users\user\AppData\Local\Temp\is-RJIJI.tmp\FileOpenInstaller.tmp | File created: C:\Users\user\AppData\Local\Temp\Setup Log 2023-02-07 #001.txt
Source: C:\Users\user\AppData\Local\Temp\is-RJIJI.tmp\FileOpenInstaller.tmp | Registry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run FileOpenBroker
Source: C:\Users\user\AppData\Local\Temp\is-RJIJI.tmp\FileOpenInstaller.tmp | Process created: C:\Windows\System32\sc.exe "C:\Windows\system32\sc.exe" create FileOpenManager binpath= "\"C:\Program Files\FileOpen\Services\FileOpenManager64.exe\"" start= auto
Source: C:\Users\user\Desktop\FileOpenInstaller.exe | Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\is-RJIJI.tmp\FileOpenInstaller.tmp | Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\conhost.exe | Last function: Thread delayed
Source: C:\Users\user\AppData\Local\Temp\is-RJIJI.tmp\FileOpenInstaller.tmp | Dropped PE file which has not been started: C:\Program Files\FileOpen\is-9KV5A.tmp
Source: C:\Users\user\AppData\Local\Temp\is-RJIJI.tmp\FileOpenInstaller.tmp | Dropped PE file which has not been started: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\is-GV932.tmp
Source: C:\Users\user\AppData\Local\Temp\is-RJIJI.tmp\FileOpenInstaller.tmp | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\is-K56MV.tmp\_isetup\_setup64.tmp
Source: C:\Program Files\FileOpen\Services\FileOpenBroker64.exe | Check user administrative privileges: GetTokenInformation,DecisionNodes
Source: C:\Program Files\FileOpen\Services\FileOpenManager64.exe | Check user administrative privileges: GetTokenInformation,DecisionNodes
Source: C:\Program Files\FileOpen\Services\FileOpenManager64.exe | API coverage: 6.5 %
Source: C:\Program Files\FileOpen\Services\FileOpenBroker64.exe | API coverage: 7.7 %
Source: C:\Program Files\FileOpen\Services\FileOpenBroker64.exe | API coverage: 3.5 %
Source: C:\Program Files\FileOpen\Services\FileOpenBroker64.exe | Code function: LoadLibraryA,GetProcAddress,GetAdaptersInfo,GetAdaptersInfo,FreeLibrary,FreeLibrary,FreeLibrary,
Source: C:\Users\user\AppData\Local\Temp\is-RJIJI.tmp\FileOpenInstaller.tmp | Process information queried: ProcessInformation
Source: C:\Program Files\FileOpen\Services\FileOpenManager64.exe | Code function: 12_2_00007FF600AA0FD0 GetSystemInfo,
Source: C:\Program Files\FileOpen\Services\FileOpenManager64.exe | Code function: 12_2_00007FF600AF1440 FindFirstFileExW,FindNextFileW,FindClose,FindClose,FindClose,
Source: C:\Program Files\FileOpen\Services\FileOpenManager64.exe | Code function: 12_2_00007FF600AF1BA0 FindFirstFileExW,
Source: C:\Program Files\FileOpen\Services\FileOpenManager64.exe | Code function: 12_2_00007FF600AF203C FindFirstFileExW,FindNextFileW,FindClose,
Source: C:\Program Files\FileOpen\Services\FileOpenBroker64.exe | Code function: 13_2_00007FF668E0BC20 FindFirstFileA,FindNextFileA,FindNextFileA,FindClose,
Source: C:\Program Files\FileOpen\Services\FileOpenBroker64.exe | Code function: 13_2_00007FF668E0BD50 FindFirstFileA,FindNextFileA,FindNextFileA,FindClose,
Source: C:\Program Files\FileOpen\Services\FileOpenBroker64.exe | Code function: 13_2_00007FF668E03E90 FindFirstFileA,FindNextFileA,FindClose,
Source: C:\Program Files\FileOpen\Services\FileOpenBroker64.exe | Code function: 13_2_00007FF668E01130 FindFirstFileA,GetLastError,FindFirstFileA,GetLastError,FindNextFileA,GetLastError,FindClose,FindFirstFileA,GetLastError,FindNextFileA,GetLastError,FindClose,FindFirstFileA,GetLastError,FindNextFileA,GetLastError,FindClose,FindClose,
Source: C:\Program Files\FileOpen\Services\FileOpenBroker64.exe | Code function: 13_2_00007FF668E01470 FindFirstFileA,GetLastError,FindNextFileA,GetLastError,FindClose,FindFirstFileA,GetLastError,FindFirstFileA,GetLastError,FindFirstFileA,GetLastError,FindClose,
Source: C:\Program Files\FileOpen\Services\FileOpenBroker64.exe | Code function: 13_2_00007FF668E0B900 FindFirstFileA,FindNextFileA,FindNextFileA,FindClose,
Source: C:\Program Files\FileOpen\Services\FileOpenBroker64.exe | Code function: 13_2_00007FF668E12880 FindFirstFileA,CreateFileA,GetFileTime,CloseHandle,CopyFileA,FindNextFileA,FindClose,CloseHandle,
Source: C:\Program Files\FileOpen\Services\FileOpenBroker64.exe | Code function: 16_2_00007FF668E0BC20 FindFirstFileA,FindNextFileA,FindNextFileA,FindClose,
Source: C:\Program Files\FileOpen\Services\FileOpenBroker64.exe | Code function: 16_2_00007FF668E0BD50 FindFirstFileA,FindNextFileA,FindNextFileA,FindClose,
Source: C:\Program Files\FileOpen\Services\FileOpenBroker64.exe | Code function: 16_2_00007FF668E03E90 FindFirstFileA,FindNextFileA,FindClose,
Source: C:\Program Files\FileOpen\Services\FileOpenBroker64.exe | Code function: 16_2_00007FF668E011F3 FindFirstFileA,GetLastError,FindFirstFileA,GetLastError,FindNextFileA,GetLastError,FindClose,FindFirstFileA,GetLastError,FindNextFileA,GetLastError,FindClose,FindFirstFileA,GetLastError,FindNextFileA,GetLastError,FindClose,FindClose,
Source: C:\Program Files\FileOpen\Services\FileOpenBroker64.exe | Code function: 16_2_00007FF668E016AB FindNextFileA,GetLastError,FindClose,FindFirstFileA,GetLastError,FindFirstFileA,GetLastError,FindFirstFileA,GetLastError,FindClose,
Source: C:\Program Files\FileOpen\Services\FileOpenBroker64.exe | Code function: 16_2_00007FF668E0B900 FindFirstFileA,FindNextFileA,FindNextFileA,FindClose,
Source: C:\Program Files\FileOpen\Services\FileOpenBroker64.exe | Code function: 16_2_00007FF668E12880 FindFirstFileA,CreateFileA,GetFileTime,CloseHandle,CopyFileA,FindNextFileA,FindClose,CloseHandle,
Source: FileOpenBroker64.exe, 0000000D.00000002.3718619772.000002253DD8F000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAWp
Source: FileOpenBroker64.exe, 0000000D.00000002.3718619772.000002253DDFA000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW
Source: FileOpenBroker64.exe, 0000000D.00000002.3718619772.000002253DD8F000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAWI
Source: C:\Program Files\FileOpen\Services\FileOpenManager64.exe | Code function: 12_2_00007FF600AA66D8 IsProcessorFeaturePresent,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,
Source: C:\Program Files\FileOpen\Services\FileOpenManager64.exe | Code function: 12_2_00007FF600A7E1D0 GetProcessHeap,HeapAlloc,
Source: C:\Program Files\FileOpen\Services\FileOpenManager64.exe | Code function: 12_2_00007FF600AA618C SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,
Source: C:\Program Files\FileOpen\Services\FileOpenManager64.exe | Code function: 12_2_00007FF600AA68C0 SetUnhandledExceptionFilter,
Source: C:\Program Files\FileOpen\Services\FileOpenManager64.exe | Code function: 12_2_00007FF600ACDEE4 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,
Source: C:\Program Files\FileOpen\Services\FileOpenBroker64.exe | Code function: 13_2_00007FF668E9D990 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,
Source: C:\Program Files\FileOpen\Services\FileOpenBroker64.exe | Code function: 13_2_00007FF668F14010 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,
Source: C:\Program Files\FileOpen\Services\FileOpenBroker64.exe | Code function: 16_2_00007FF668E9D990 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,
Source: C:\Program Files\FileOpen\Services\FileOpenBroker64.exe | Code function: 16_2_00007FF668F14010 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,
Source: C:\Program Files\FileOpen\Services\FileOpenManager64.exe | Code function: 12_2_00007FF600A87640 GetModuleHandleA,GetProcAddress,AllocateAndInitializeSid,AllocateAndInitializeSid,GetCurrentProcess,AllocateAndInitializeSid,SetEntriesInAclA,InitializeSecurityDescriptor,SetSecurityDescriptorDacl,FreeSid,FreeSid,FreeSid,LocalFree,InitializeSecurityDescriptor,SetSecurityDescriptorDacl,
Source: C:\Program Files\FileOpen\Services\FileOpenBroker64.exe | Queries volume information: C:\ VolumeInformation
Source: C:\Program Files\FileOpen\Services\FileOpenBroker64.exe | Queries volume information: C:\ProgramData\FileOpen\Updates VolumeInformation
Source: C:\Program Files\FileOpen\Services\FileOpenBroker64.exe | Queries volume information: C:\ProgramData\FileOpen\Updates\Lists VolumeInformation
Source: C:\Program Files\FileOpen\Services\FileOpenBroker64.exe | Queries volume information: C:\ProgramData\FileOpen\Updates\L10n VolumeInformation
Source: C:\Program Files\FileOpen\Services\FileOpenBroker64.exe | Queries volume information: C:\ProgramData\FileOpen\Updates\Lists\fotkLsts.lcd VolumeInformation
Source: C:\Program Files\FileOpen\Services\FileOpenBroker64.exe | Queries volume information: C:\ProgramData\FileOpen\Updates\Lists\fotkLngs.lcd VolumeInformation
Source: C:\Program Files\FileOpen\Services\FileOpenBroker64.exe | Queries volume information: C:\ProgramData\FileOpen\Updates\Lists\fotkCnfs.lcd VolumeInformation
Source: C:\Program Files\FileOpen\Services\FileOpenBroker64.exe | Queries volume information: C:\ProgramData\FileOpen\Updates\Lists\fotkDrs.lcd VolumeInformation
Source: C:\Program Files\FileOpen\Services\FileOpenBroker64.exe | Queries volume information: C:\ProgramData\FileOpen\Updates\Lists\fotkPrs.lcd VolumeInformation
Source: C:\Program Files\FileOpen\Services\FileOpenBroker64.exe | Queries volume information: C:\ProgramData\FileOpen\Updates\Lists\fotkRds.lcd VolumeInformation
Source: C:\Program Files\FileOpen\Services\FileOpenBroker64.exe | Queries volume information: C:\ProgramData\FileOpen\Updates\Lists\fotkNis.lcd VolumeInformation
Source: C:\Program Files\FileOpen\Services\FileOpenBroker64.exe | Queries volume information: C:\ProgramData\FileOpen\Updates\Lists\fotkBus.lcd VolumeInformation
Source: C:\Program Files\FileOpen\Services\FileOpenBroker64.exe | Queries volume information: C:\ProgramData\FileOpen\Updates\L10n\fotk_de.lcd VolumeInformation
Source: C:\Program Files\FileOpen\Services\FileOpenBroker64.exe | Queries volume information: C:\ProgramData\FileOpen\Updates\L10n\fotk_fr.lcd VolumeInformation
Source: C:\Program Files\FileOpen\Services\FileOpenBroker64.exe | Queries volume information: C:\ProgramData\FileOpen\Updates\L10n\fotk_zh.lcd VolumeInformation
Source: C:\Program Files\FileOpen\Services\FileOpenBroker64.exe | Queries volume information: C:\ProgramData\FileOpen\Updates\L10n\fotk_ja.lcd VolumeInformation
Source: C:\Program Files\FileOpen\Services\FileOpenManager64.exe | Code function: EnumSystemLocalesW,
Source: C:\Program Files\FileOpen\Services\FileOpenManager64.exe | Code function: GetACP,IsValidCodePage,GetLocaleInfoW,
Source: C:\Program Files\FileOpen\Services\FileOpenManager64.exe | Code function: GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,
Source: C:\Program Files\FileOpen\Services\FileOpenManager64.exe | Code function: GetLocaleInfoW,
Source: C:\Program Files\FileOpen\Services\FileOpenManager64.exe | Code function: GetLocaleInfoW,GetLocaleInfoW,GetACP,
Source: C:\Program Files\FileOpen\Services\FileOpenManager64.exe | Code function: EnumSystemLocalesW,GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW,
Source: C:\Program Files\FileOpen\Services\FileOpenManager64.exe | Code function: 12_2_00007FF600B046C0 cpuid
Source: C:\Program Files\FileOpen\Services\FileOpenManager64.exe | Code function: 12_2_00007FF600AA6538 GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter,
Source: C:\Program Files\FileOpen\Services\FileOpenBroker64.exe | Code function: 13_2_00007FF668F0ED98 GetTimeZoneInformation,
Source: C:\Program Files\FileOpen\Services\FileOpenManager64.exe | Code function: 12_2_00007FF600A7A230 GetVersion,
MITRE ATT&CK matrix, one line per tactic (the hit count shown in the original cell is given in parentheses; techniques without a count had no hits):
Initial Access: Valid Accounts, Default Accounts, Domain Accounts, Local Accounts, Cloud Accounts, Replication Through Removable Media, External Remote Services
Execution: Command and Scripting Interpreter (12), Service Execution (13), Native API (2), At (Windows), Cron, Launchd, Scheduled Task
Persistence: Windows Service (16), Registry Run Keys / Startup Folder (1), DLL Side-Loading (1), Logon Script (Mac), Network Logon Script, Rc.common, Startup Items
Privilege Escalation: Access Token Manipulation (1), Windows Service (16), Process Injection (1), Registry Run Keys / Startup Folder (1), DLL Side-Loading (1), Rc.common, Startup Items
Defense Evasion: Masquerading (3), Access Token Manipulation (1), Process Injection (1), Deobfuscate/Decode Files or Information (11), Obfuscated Files or Information (1), DLL Side-Loading (1), Compile After Delivery
Credential Access: OS Credential Dumping, LSASS Memory, Security Account Manager, NTDS, LSA Secrets, Cached Domain Credentials, DCSync
Discovery: System Time Discovery (2), Security Software Discovery (21), Process Discovery (2), System Owner/User Discovery (2), System Network Configuration Discovery (1), File and Directory Discovery (1), System Information Discovery (34)
Lateral Movement: Remote Services, Remote Desktop Protocol, SMB/Windows Admin Shares, Distributed Component Object Model, SSH, VNC, Windows Remote Management
Collection: Archive Collected Data (1), Data from Removable Media, Data from Network Shared Drive, Input Capture, Keylogging, GUI Input Capture, Web Portal Capture
Exfiltration: Exfiltration Over Other Network Medium, Exfiltration Over Bluetooth, Automated Exfiltration, Scheduled Transfer, Data Transfer Size Limits, Exfiltration Over C2 Channel, Exfiltration Over Alternative Protocol
Command and Control: Encrypted Channel (11), Ingress Tool Transfer (2), Non-Application Layer Protocol (3), Application Layer Protocol (4), Fallback Channels, Multiband Communication, Commonly Used Port
Network Effects: Eavesdrop on Insecure Network Communication, Exploit SS7 to Redirect Phone Calls/SMS, Exploit SS7 to Track Device Location, SIM Card Swap, Manipulate Device Communication, Jamming or Denial of Service, Rogue Wi-Fi Access Points
Remote Service Effects: Remotely Track Device Without Authorization, Remotely Wipe Data Without Authorization, Obtain Device Cloud Backups
Impact: Modify System Partition, Device Lockout, Delete Device Data, Carrier Billing Fraud, Manipulate App Store Rankings or Ratings, Abuse Accessibility Features, Data Encrypted for Impact
Behavior Graph ID: 800687 | Sample: FileOpenInstaller.exe | Startdate: 07/02/2023 | Architecture: WINDOWS | Score: 16

Process tree recovered from the behavior graph (numbers in brackets are the per-process counters shown on the graph nodes):

  • Start
    • DNS: usr.fileopen.com; plugin.fileopen.com
    • FileOpenInstaller.exe [2], started
      • dropped: C:\Users\user\...\FileOpenInstaller.tmp, PE32
      • signature: Obfuscated command line found
      • FileOpenInstaller.tmp [26 41], started
        • dropped: C:\Users\user\AppData\Local\...\_setup64.tmp, PE32+
        • dropped: C:\Users\user\AppData\Local\...\UtilDll.dll, PE32
        • dropped: C:\Program Files\...\unins000.exe (copy), PE32
        • dropped: 9 other files (none is malicious)
        • FileOpenBroker64.exe [2 19], started
          • plugin.fileopen.com 72.3.136.132, 443, 49804, 49805, RMH-14US, United States
          • usr.fileopen.com 72.3.136.136, 443, 49803, RMH-14US, United States
        • sc.exe [1], started
          • conhost.exe, started
        • sc.exe [1], started
          • conhost.exe, started
        • 2 other processes
          • conhost.exe, started
    • FileOpenBroker64.exe, started
    • FileOpenManager64.exe, started

Source | Detection | Scanner | Label | Link
FileOpenInstaller.exe | 0% | Virustotal | | Browse
FileOpenInstaller.exe | 0% | ReversingLabs | |
Source | Detection | Scanner | Label | Link
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\FileOpen.api (copy) | 2% | ReversingLabs | |
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\FileOpen.api (copy) | 0% | Virustotal | | Browse
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\is-GV932.tmp | 2% | ReversingLabs | |
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\is-GV932.tmp | 0% | Virustotal | | Browse
C:\Program Files\FileOpen\Services\FileOpenBroker64.exe (copy) | 0% | ReversingLabs | |
C:\Program Files\FileOpen\Services\FileOpenManager64.exe (copy) | 0% | ReversingLabs | |
C:\Program Files\FileOpen\Services\is-FC998.tmp | 0% | ReversingLabs | |
C:\Program Files\FileOpen\Services\is-JKV7N.tmp | 0% | ReversingLabs | |
C:\Program Files\FileOpen\UtilDll.dll (copy) | 0% | ReversingLabs | |
C:\Program Files\FileOpen\is-9KV5A.tmp | 0% | ReversingLabs | |
C:\Program Files\FileOpen\is-NSHSA.tmp | 0% | ReversingLabs | |
C:\Program Files\FileOpen\unins000.exe (copy) | 0% | ReversingLabs | |
C:\Users\user\AppData\Local\Temp\is-K56MV.tmp\UtilDll.dll | 0% | ReversingLabs | |
C:\Users\user\AppData\Local\Temp\is-K56MV.tmp\_isetup\_setup64.tmp | 0% | ReversingLabs | |
C:\Users\user\AppData\Local\Temp\is-RJIJI.tmp\FileOpenInstaller.tmp | 0% | ReversingLabs | |
No Antivirus matches
No Antivirus matches
Source | Detection | Scanner | Label | Link
http://www.remobjects.com/ps | 0% | Avira URL Cloud | safe |
http://www.innosetup.com/ | 0% | Avira URL Cloud | safe |
http://www.innosetup.com/ | 3% | Virustotal | | Browse
http://www.remobjects.com/ps | 1% | Virustotal | | Browse
Name | IP | Active | Malicious | Antivirus Detection | Reputation
usr.fileopen.com | 72.3.136.136 | true | false | | high
plugin.fileopen.com | 72.3.136.132 | true | false | | high
Name | Malicious | Antivirus Detection | Reputation
https://usr.fileopen.com/check/usr/ZHAk7YpwDRdZvZq3ePSvK2nhY4hHWUX+9uW5qs0U4Ek= | false | | high
Name | Source | Malicious | Antivirus Detection | Reputation
http://www.innosetup.com/ | FileOpenInstaller.exe, 00000000.00000003.2487120202.000000007FB50000.00000004.00001000.00020000.00000000.sdmp, FileOpenInstaller.exe, 00000000.00000003.2484508219.0000000002820000.00000004.00001000.00020000.00000000.sdmp, FileOpenInstaller.tmp, 00000004.00000000.2493227668.0000000000401000.00000020.00000001.01000000.00000005.sdmp, is-NSHSA.tmp.4.dr, FileOpenInstaller.tmp.0.dr | false | 3%, Virustotal, Browse; Avira URL Cloud: safe | unknown
http://fileopen.com/updates | FileOpenInstaller.tmp, 00000004.00000003.2775176990.0000000003C5E000.00000004.00001000.00020000.00000000.sdmp, FileOpenInstaller.tmp, 00000004.00000003.2775176990.0000000003AB5000.00000004.00001000.00020000.00000000.sdmp, FileOpenInstaller.tmp, 00000004.00000003.2775176990.0000000003A30000.00000004.00001000.00020000.00000000.sdmp, FileOpenBroker64.exe, 0000000D.00000002.3723165095.00007FF668F4B000.00000002.00000001.01000000.0000000A.sdmp, FileOpenBroker64.exe, 0000000D.00000000.2735368706.00007FF668F4B000.00000002.00000001.01000000.0000000A.sdmp, FileOpenBroker64.exe, 00000010.00000000.2815055164.00007FF668F4B000.00000002.00000001.01000000.0000000A.sdmp, FileOpenBroker64.exe, 00000010.00000002.2820538293.00007FF668F4B000.00000002.00000001.01000000.0000000A.sdmp, is-JKV7N.tmp.4.dr, is-GV932.tmp.4.dr | false | | high
https://jrsoftware.org/ishelp/index.php?topic=setupcmdlineSetupU | FileOpenInstaller.exe | false | | high
http://www.fileopen.com/request-tech-support/ | FileOpenInstaller.exe, 00000000.00000003.2795690428.000000000243E000.00000004.00001000.00020000.00000000.sdmp, FileOpenInstaller.tmp, 00000004.00000003.2788287916.00000000025E1000.00000004.00001000.00020000.00000000.sdmp | false | | high
https://usr.fileopen.com/check/usr/ZHAk7YpwDRdZvZq3ePSvK2nhY4hHWUX | FileOpenBroker64.exe, 0000000D.00000002.3718619772.000002253DDD0000.00000004.00000020.00020000.00000000.sdmp | false | | high
http://www.fileopen.com/request-tech-support/Zhttp://www.fileopen.com/request-tech-support/ | FileOpenInstaller.exe, 00000000.00000003.2483235521.00000000026E0000.00000004.00001000.00020000.00000000.sdmp, FileOpenInstaller.tmp, 00000004.00000003.2499714116.0000000003650000.00000004.00001000.00020000.00000000.sdmp | false | | high
http://fileopen.com | FileOpenBroker64.exe, FileOpenBroker64.exe, 00000010.00000000.2815621930.00007FF668FC8000.00000002.00000001.01000000.0000000A.sdmp, is-JKV7N.tmp.4.dr, is-GV932.tmp.4.dr | false | | high
http://www.fileopen.com/request-tech-support/q | FileOpenInstaller.tmp, 00000004.00000003.2788287916.00000000025E1000.00000004.00001000.00020000.00000000.sdmp | false | | high
http://plugin.fileopen.com/. | FileOpenInstaller.tmp, 00000004.00000003.2775176990.0000000003C5E000.00000004.00001000.00020000.00000000.sdmp, FileOpenInstaller.tmp, 00000004.00000003.2775176990.0000000003AB5000.00000004.00001000.00020000.00000000.sdmp, FileOpenInstaller.tmp, 00000004.00000003.2775176990.0000000003A30000.00000004.00001000.00020000.00000000.sdmp, FileOpenBroker64.exe, 0000000D.00000002.3723165095.00007FF668F4B000.00000002.00000001.01000000.0000000A.sdmp, FileOpenBroker64.exe, 0000000D.00000000.2735368706.00007FF668F4B000.00000002.00000001.01000000.0000000A.sdmp, FileOpenBroker64.exe, 0000000D.00000002.3718619772.000002253DD40000.00000004.00000020.00020000.00000000.sdmp, FileOpenBroker64.exe, 00000010.00000000.2815055164.00007FF668F4B000.00000002.00000001.01000000.0000000A.sdmp, FileOpenBroker64.exe, 00000010.00000002.2817935948.0000021445E97000.00000004.00000020.00020000.00000000.sdmp, FileOpenBroker64.exe, 00000010.00000002.2820538293.00007FF668F4B000.00000002.00000001.01000000.0000000A.sdmp, is-JKV7N.tmp.4.dr, is-GV932.tmp.4.dr | false | | high
http://www.fileopen.com/%sPlugin | is-GV932.tmp.4.dr | false | | high
http://www.fileopen.com/0 | FileOpenInstaller.exe, is-NSHSA.tmp.4.dr, FileOpenInstaller.tmp.0.dr | false | | high
http://www.fileopen.com/request-tech-support/0A | FileOpenInstaller.exe, 00000000.00000003.2795690428.000000000243E000.00000004.00001000.00020000.00000000.sdmp | false | | high
https://plugin.fileopen.com/installcomplete.ashx?Request=DocPerm&Stamp=1675795218&Mode=CNR&USR=10007 | FileOpenBroker64.exe, 0000000D.00000002.3720780457.000002253FA6B000.00000004.00000020.00020000.00000000.sdmp | false | | high
http://www.remobjects.com/ps | FileOpenInstaller.exe, 00000000.00000003.2487120202.000000007FB50000.00000004.00001000.00020000.00000000.sdmp, FileOpenInstaller.exe, 00000000.00000003.2484508219.0000000002820000.00000004.00001000.00020000.00000000.sdmp, FileOpenInstaller.tmp, 00000004.00000000.2493227668.0000000000401000.00000020.00000001.01000000.00000005.sdmp, is-NSHSA.tmp.4.dr, FileOpenInstaller.tmp.0.dr | false | 1%, Virustotal, Browse; Avira URL Cloud: safe | unknown
https://plugin.fileopen.com/installcomplete.ashx?Request=Setting&Stamp=1675795217&Mode=CNR&USR=10007 | FileOpenBroker64.exe, 0000000D.00000002.3720780457.000002253FA6B000.00000004.00000020.00020000.00000000.sdmp | false | | high
https://usr.fileopen.com/_ | FileOpenBroker64.exe, 0000000D.00000002.3718619772.000002253DDD0000.00000004.00000020.00020000.00000000.sdmp | false | | high
https://usr.fileopen.com/ | FileOpenBroker64.exe, 0000000D.00000002.3718619772.000002253DDD0000.00000004.00000020.00020000.00000000.sdmp | false | | high
http://www.fileopen.com/%s | is-GV932.tmp.4.dr | false | | high
http://plugin.fileopen.com/.n | FileOpenBroker64.exe, 00000010.00000002.2817935948.0000021445E97000.00000004.00000020.00020000.00000000.sdmp | false | | high
https://plugin.fileopen.com/ | FileOpenBroker64.exe, 0000000D.00000002.3720780457.000002253FA30000.00000004.00000020.00020000.00000000.sdmp, FileOpenBroker64.exe, 0000000D.00000002.3718619772.000002253DDD0000.00000004.00000020.00020000.00000000.sdmp | false | | high
https://plugin.fileopen.com//& | FileOpenBroker64.exe, 0000000D.00000002.3720780457.000002253FA30000.00000004.00000020.00020000.00000000.sdmp | false | | high
IP | Domain | Country | Flag | ASN | ASN Name | Malicious
72.3.136.136 | usr.fileopen.com | United States | | 33070 | RMH-14US | false
72.3.136.132 | plugin.fileopen.com | United States | | 33070 | RMH-14US | false
                                              Joe Sandbox Version:36.0.0 Rainbow Opal
                                              Analysis ID:800687
                                              Start date and time:2023-02-07 18:37:52 +01:00
                                              Joe Sandbox Product:CloudBasic
                                              Overall analysis duration:0h 9m 18s
                                              Hypervisor based Inspection enabled:false
                                              Report type:light
                                              Cookbook file name:default.jbs
Analysis system description:Windows 10 64 bit 20H2 Native physical Machine for testing VM-aware malware (Office 2019, IE 11, Chrome 93, Firefox 91, Adobe Reader DC 21, Java 8 Update 301)
                                              Run name:Potential for more IOCs and behavior
Number of new started processes analysed:19
                                              Number of new started drivers analysed:0
                                              Number of existing processes analysed:0
                                              Number of existing drivers analysed:0
                                              Number of injected processes analysed:0
                                              Technologies:
                                              • HCA enabled
                                              • EGA enabled
                                              • HDC enabled
                                              • AMSI enabled
                                              Analysis Mode:default
                                              Analysis stop reason:Timeout
                                              Sample file name:FileOpenInstaller.exe
                                              Detection:CLEAN
                                              Classification:clean16.winEXE@19/50@2/2
                                              EGA Information:
                                              • Successful, ratio: 100%
                                              HDC Information:
                                              • Successful, ratio: 99.2% (good quality ratio 85%)
                                              • Quality average: 65.4%
                                              • Quality standard deviation: 35.9%
                                              HCA Information:
                                              • Successful, ratio: 64%
                                              • Number of executed functions: 0
                                              • Number of non-executed functions: 0
                                              Cookbook Comments:
                                              • Found application associated with file extension: .exe
                                              • Exclude process from analysis (whitelisted): dllhost.exe, WMIADAP.exe, SIHClient.exe, backgroundTaskHost.exe, MoUsoCoreWorker.exe, UsoClient.exe
                                              • Excluded IPs from analysis (whitelisted): 2.19.126.92, 2.19.126.76, 2.21.22.155, 2.21.22.179
                                              • Excluded domains from analysis (whitelisted): wdcpalt.microsoft.com, client.wns.windows.com, login.live.com, slscr.update.microsoft.com, acroipm2.adobe.com.edgesuite.net, a122.dscd.akamai.net, ctldl.windowsupdate.com, wdcp.microsoft.com, acroipm2.adobe.com, fe3cr.delivery.mp.microsoft.com
• Not all processes were analyzed, report is missing behavior information
                                              • Report creation exceeded maximum time and may have missing disassembly code information.
                                              • Report size exceeded maximum capacity and may have missing behavior information.
                                              • Report size exceeded maximum capacity and may have missing disassembly code.
                                              • Report size getting too big, too many NtOpenKeyEx calls found.
                                              • Report size getting too big, too many NtProtectVirtualMemory calls found.
                                              • Report size getting too big, too many NtQueryValueKey calls found.
Time | Type | Description
18:40:11 | Autostart | Run: HKLM64\Software\Microsoft\Windows\CurrentVersion\Run FileOpenBroker "C:\Program Files\FileOpen\Services\FileOpenBroker64.exe"
No context
                                              Process:C:\Users\user\AppData\Local\Temp\is-RJIJI.tmp\FileOpenInstaller.tmp
                                              File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                              Category:dropped
                                              Size (bytes):2241536
                                              Entropy (8bit):6.648410638768628
                                              Encrypted:false
                                              SSDEEP:49152:BusBOEuaRuJCN0900HR88Pix+oiDMpyQmdVqyWy9vSL6TzjolA:BuswEuaRzN090MRnP/fqyWyBS
                                              MD5:319DDB9C9900DD2BDFE2AF7009BF3A83
                                              SHA1:B5F8BB5055F944DFBC38720BC30C2747F2989116
                                              SHA-256:491673ED8FB7AFCF76204DD82079B365F4CD03EBC31452A40D45AA0F952038A5
                                              SHA-512:DFBBFCF35F39195C326AE7CA2B36224C460B4231AFA042562CE0DA0664316A5068A3BD7544937B53C6167412041DF7D0DB14612FFD11540D097998B52F060E1A
                                              Malicious:false
                                              Antivirus:
                                              • Antivirus: ReversingLabs, Detection: 2%
                                              • Antivirus: Virustotal, Detection: 0%, Browse
                                              Process:C:\Users\user\AppData\Local\Temp\is-RJIJI.tmp\FileOpenInstaller.tmp
                                              File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                              Category:dropped
                                              Size (bytes):2241536
                                              Entropy (8bit):6.648410638768628
                                              Encrypted:false
                                              SSDEEP:49152:BusBOEuaRuJCN0900HR88Pix+oiDMpyQmdVqyWy9vSL6TzjolA:BuswEuaRzN090MRnP/fqyWyBS
                                              MD5:319DDB9C9900DD2BDFE2AF7009BF3A83
                                              SHA1:B5F8BB5055F944DFBC38720BC30C2747F2989116
                                              SHA-256:491673ED8FB7AFCF76204DD82079B365F4CD03EBC31452A40D45AA0F952038A5
                                              SHA-512:DFBBFCF35F39195C326AE7CA2B36224C460B4231AFA042562CE0DA0664316A5068A3BD7544937B53C6167412041DF7D0DB14612FFD11540D097998B52F060E1A
                                              Malicious:false
                                              Antivirus:
                                              • Antivirus: ReversingLabs, Detection: 2%
                                              • Antivirus: Virustotal, Detection: 0%, Browse
                                              Process:C:\Users\user\AppData\Local\Temp\is-RJIJI.tmp\FileOpenInstaller.tmp
                                              File Type:PE32+ executable (GUI) x86-64, for MS Windows
                                              Category:dropped
                                              Size (bytes):2089968
                                              Entropy (8bit):6.41503010887335
                                              Encrypted:false
                                              SSDEEP:24576:R+hVl0FSQ2s1dPpvaTRNiNkedM/oyJv0AIOa9IOeBvAUaY0BAARMh8eh+YE7+D:wSFSQ2q9pCeKfv0AhRBvAUYWh8ea7+D
                                              MD5:DE1A88EBE38A4EB36E2C88B1A69A0251
                                              SHA1:4C81B58FB221AAC3B36C86A2376A42051F5FB160
                                              SHA-256:8741A8BB6FBFED7119C1BDECF8EF5C4E5FAEED79208CA1DD78675AC95492B135
                                              SHA-512:251D051FFEA15C050E61AE4E63F2FCBD50AAAFB92700756D850089D885C203D05AC9B75ABAAB62C767A7A948413D4EB616597BD893C06C557718E731EE52E336
                                              Malicious:false
                                              Antivirus:
                                              • Antivirus: ReversingLabs, Detection: 0%
                                              Process:C:\Users\user\AppData\Local\Temp\is-RJIJI.tmp\FileOpenInstaller.tmp
                                              File Type:PE32+ executable (console) x86-64, for MS Windows
                                              Category:dropped
                                              Size (bytes):846816
                                              Entropy (8bit):6.226678050362994
                                              Encrypted:false
                                              SSDEEP:12288:If7ehSp060uzFgjlo85lpywqZdLxCT79mXD4b:If72Sp0FuzFA6wqZdLxCTJM4b
                                              MD5:2ACE6BC0F8B1752879AD54D4EA1938D9
                                              SHA1:C08CAA63D122C0B1DCD6A0855FDD3907905370D8
                                              SHA-256:D9F13C6BC2F459DAD399BA4E300B054A2205E0D6EFF4353BA7A095F0388258C3
                                              SHA-512:2B6B4064A66F6482B639E9BC06A6179E649B0F55E57D1CC73647DD5A48010ED3C25E98C25EE4BDB9487DF28B268BDC9EA58455EB924A78B4342296034C884CF7
                                              Malicious:false
                                              Antivirus:
                                              • Antivirus: ReversingLabs, Detection: 0%
                                              Process:C:\Users\user\AppData\Local\Temp\is-RJIJI.tmp\FileOpenInstaller.tmp
                                              File Type:PE32+ executable (console) x86-64, for MS Windows
                                              Category:dropped
                                              Size (bytes):846816
                                              Entropy (8bit):6.226678050362994
                                              Encrypted:false
                                              SSDEEP:12288:If7ehSp060uzFgjlo85lpywqZdLxCT79mXD4b:If72Sp0FuzFA6wqZdLxCTJM4b
                                              MD5:2ACE6BC0F8B1752879AD54D4EA1938D9
                                              SHA1:C08CAA63D122C0B1DCD6A0855FDD3907905370D8
                                              SHA-256:D9F13C6BC2F459DAD399BA4E300B054A2205E0D6EFF4353BA7A095F0388258C3
                                              SHA-512:2B6B4064A66F6482B639E9BC06A6179E649B0F55E57D1CC73647DD5A48010ED3C25E98C25EE4BDB9487DF28B268BDC9EA58455EB924A78B4342296034C884CF7
                                              Malicious:false
                                              Antivirus:
                                              • Antivirus: ReversingLabs, Detection: 0%
                                              Process:C:\Users\user\AppData\Local\Temp\is-RJIJI.tmp\FileOpenInstaller.tmp
                                              File Type:PE32+ executable (GUI) x86-64, for MS Windows
                                              Category:dropped
                                              Size (bytes):2089968
                                              Entropy (8bit):6.41503010887335
                                              Encrypted:false
                                              SSDEEP:24576:R+hVl0FSQ2s1dPpvaTRNiNkedM/oyJv0AIOa9IOeBvAUaY0BAARMh8eh+YE7+D:wSFSQ2q9pCeKfv0AhRBvAUYWh8ea7+D
                                              MD5:DE1A88EBE38A4EB36E2C88B1A69A0251
                                              SHA1:4C81B58FB221AAC3B36C86A2376A42051F5FB160
                                              SHA-256:8741A8BB6FBFED7119C1BDECF8EF5C4E5FAEED79208CA1DD78675AC95492B135
                                              SHA-512:251D051FFEA15C050E61AE4E63F2FCBD50AAAFB92700756D850089D885C203D05AC9B75ABAAB62C767A7A948413D4EB616597BD893C06C557718E731EE52E336
                                              Malicious:false
                                              Antivirus:
                                              • Antivirus: ReversingLabs, Detection: 0%
                                              Process:C:\Users\user\AppData\Local\Temp\is-RJIJI.tmp\FileOpenInstaller.tmp
                                              File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                              Category:dropped
                                              Size (bytes):223744
                                              Entropy (8bit):6.552035196075477
                                              Encrypted:false
                                              SSDEEP:6144:Q4L7/E4GpmEXrLTilLKvMoiLQpQuK2cVAORcC75FI:K4GpmEXrLTiwvlQjuK2arR5FI
                                              MD5:79F2386CF7296E8661997193CF01BAAD
                                              SHA1:726FEA5EABC5B38981B1D6CC5B8BE01212C90616
                                              SHA-256:101EBA215EF5F833EC332DA2C803FBFF060EB55F32A88EC261B5C4192528E6DD
                                              SHA-512:123F4FFA772FDE8F901ABF12C49B78EB81975E5E5F38A8EF80C10B4CA08DA422C42EE72F51155FC87A6726217A29B0E8BF22CB927347D324D41E87485C5EFF7E
                                              Malicious:false
                                              Antivirus:
                                              • Antivirus: ReversingLabs, Detection: 0%
                                              Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........|....p...p...p.us...p.uu.n.p.ut...p..mt...p..ms...p..mu..p.uq...p...q..p.Nly...p.Nlp...p.Nl....p.......p.Nlr...p.Rich..p.........PE..L...[F9`...........!.....$...P..............@............................................@..........................<..l....>..x....p.......................... "......p...............................@............@...............................text....#.......$.................. ..`.rdata.......@.......(..............@..@.data...T....P.......0..............@....rsrc........p.......@..............@..@.reloc.. ".......$...F..............@..B................................................................................................................................................................................................................................................................................................
                                              Process:C:\Users\user\AppData\Local\Temp\is-RJIJI.tmp\FileOpenInstaller.tmp
                                              File Type:PDF document, version 1.6 (zip deflate encoded)
                                              Category:dropped
                                              Size (bytes):162991
                                              Entropy (8bit):7.995368768567606
                                              Encrypted:true
                                              SSDEEP:3072:HAmvwgsSx/UW0CSz15sU1mHNPKYm+HfJkGspEX+OQJv5RComJGD:HbXdECSzvm9KIH7aM+yuD
                                              MD5:D020B6FF764F08684688E772BCCFFA99
                                              SHA1:117CCBA4D83B17914F4FF1FFE1996540A041C507
                                              SHA-256:A6EF65B36F8521FC67269B9FBD024C7E98E0207AE76C8BECA9B289F125F92383
                                              SHA-512:5C8E7FFD0CBB3205F9164EF83500A9353C3D3F052FA4167AB0F49DE44CA29CF90982CCD767646D339A64A0F26446CEC4BA447D1CFD71388B17DD47F0DFEE35F8
                                              Malicious:false
                                              Preview:%PDF-1.6.%......38 0 obj<</Linearized 1/L 162991/O 40/E 157459/N 1/T 162689/H [ 564 199]>>.endobj. ..66 0 obj<</DecodeParms<</Columns 5/Predictor 12>>/Filter/FlateDecode/ID[<FE2312A4B89FD64A94044C8C74BAEF85><7653CFFF47F8504296A48EE78CC73A7D>]/Index[38 50]/Info 37 0 R/Length 128/Prev 162689/Root 39 0 R/Size 88/Type/XRef/W[1 3 1]/Encrypt 87 0 R>>stream..x.cbd`.``b``s....A$......Dr.....`.).T...`..`R.,..D2>....".?.E.A......$..7.m...E...m 2#..f,..f..u....K.*..].6...N...&.w 7\b....o..endstream.endobj.startxref..0..%%EOF.. ..86 0 obj<</C 131/Filter/FlateDecode/I 115/Length 113/S 38>>stream..x.c``.b``{.....`..........YL..........,."b..q.rD.m.o...K.....fj...l;..WB..@.OyF..):/...00UYC,`t..L...>.Q.........endstream.endobj. .. ..87 0 obj<</Filter/FOPN_foweb/V 1/Length 40/VEID(9.1)/BUILD(925)/SVID(InstallComplete)/DUID(D-700)/INFO(HgR50GSLkqXShHKestPel17ocyoslBDzOQxbbI1ggGDzJg3a0ibO9nsUYTCH8yDM/ivhsmBnq8p1Au54/T8cq0W8wU5aNOh8aIQgrHDt1oJStrQbMk6GhyM4Cfo
                                              Process:C:\Users\user\AppData\Local\Temp\is-RJIJI.tmp\FileOpenInstaller.tmp
                                              File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                              Category:dropped
                                              Size (bytes):3119936
                                              Entropy (8bit):6.073128166324036
                                              Encrypted:false
                                              SSDEEP:49152:IR/KpmZubPf2S8W2ILeWl+C1p9jWy5Mnd0wigbLNDH:O/jtYLP1Sy5i0qH
                                              MD5:B7988AC379CEAA456BAA3EF19EB55263
                                              SHA1:15C13A91E64739C76FF48E20C5BB4182AAD94339
                                              SHA-256:69383793D354F2A95D88F610B0559F321F37C97197554CD1E9D6D30B038C352D
                                              SHA-512:22D4544911F496B22AF502869CBDFBC371617A418EB8010319D1842A862F84CA2CA23F1BE505C5F03BD404CB2EE5E489B1FE86B3047356ACE3965F5494AA9FA6
                                              Malicious:false
                                              Antivirus:
                                              • Antivirus: ReversingLabs, Detection: 0%
                                              Preview:MZP.....................@.......................InUn....................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L.....m^..................%...........%.......%...@..........................`0.....5./...@......@....................'.......&..5...0'.|+...........z/.@!................................... '.....................L.&.H.....&......................text.....%.......%................. ..`.itext...&....%..(....%............. ..`.data...dZ....%..\....%.............@....bss.....x...0&..........................idata...5....&..6....&.............@....didata.......&......@&.............@....edata........'......J&.............@..@.tls....D.....'..........................rdata..].... '......L&.............@..@.rsrc...|+...0'..,...N&.............@..@............. (......:'.............@..@........................................................
                                              Process:C:\Users\user\AppData\Local\Temp\is-RJIJI.tmp\FileOpenInstaller.tmp
                                              File Type:InnoSetup Log 64-bit FileOpen Client B998, version 0x418, 28298 bytes, 724536\37\user\37, C:\Program Files\FileOpen\376\377\377\007
                                              Category:dropped
                                              Size (bytes):28298
                                              Entropy (8bit):3.9283973556016476
                                              Encrypted:false
                                              SSDEEP:384:JCEwFsZAIXuAhKCVMneFqf8cGKBUorhr+2NQfiA1kK0bPImRZ8dAHM:JQIRYiBKBUoF62lbbZ4
                                              MD5:AC044F627C6750CDDEDC6466460B8335
                                              SHA1:F57FFA62EB27BD8DF86C010885F29A4ED1DE25C7
                                              SHA-256:16C0FD51135214FCEF99AB370B5D6E91478789115259887E5D6E8A36AE84030C
                                              SHA-512:60A5845FABA55BB9281D34F1F8AA99972BB33D11E85851E46D30AC7C8C9F3A2C0C484AB42CCE6439717EEA7466316EC9A368B8760FE148E58BA7FDA4CD2D5708
                                              Malicious:false
                                              Preview:Inno Setup Uninstall Log (b) 64-bit.............................FileOpenClient..................................................................................................................FileOpen Client B998.....................................................................................................................n.....................................................................................................................w.........d.j......o........7.2.4.5.3.6......A.r.t.h.u.r......C.:.\.P.r.o.g.r.a.m. .F.i.l.e.s.\.F.i.l.e.O.p.e.n................(...}.. ......].......IFPS....'...P....................................................................................................ANYMETHOD.....................................................................BOOLEAN..............TWIZARDFORM....TWIZARDFORM.........TMAINFORM....TMAINFORM.........TUNINSTALLPROGRESSFORM....TUNINSTALLPROGRESSFORM..........................................................................."..
                                              Process:C:\Users\user\AppData\Local\Temp\is-RJIJI.tmp\FileOpenInstaller.tmp
                                              File Type:InnoSetup messages, version 6.0.0, 243 messages (UTF-16), Cancel installation
                                              Category:dropped
                                              Size (bytes):23409
                                              Entropy (8bit):3.2729698372223375
                                              Encrypted:false
                                              SSDEEP:192:M1EXSCkf3STsfr69FTyPanTa1tznL7VF+Iqfc51U5YQDztXfbKJg/Bfvo:M196ir64+WX+7Q1U5YQDzt7/B3o
                                              MD5:DD3DDF5C06B1D597A1D4B0897CEAF095
                                              SHA1:E6BC22523D9AA34063FE76ED9108376DD35C7DD8
                                              SHA-256:B3F9AF6EC27F42D6F895794CCF28C4100FEFFDF20505E19C6C37A00826D6B82C
                                              SHA-512:80D57A14EF8AC41E6A1630C5CA4552421A5A6490BED6318068E5AB34440428DF4D7258199A8B06BF158604E079D4D2525DA5E75A781D0E1F15984208FD68268E
                                              Malicious:false
                                              Preview:Inno Setup Messages (6.0.0) (u).....................................$[...../.1.C.a.n.c.e.l. .i.n.s.t.a.l.l.a.t.i.o.n...S.e.l.e.c.t. .a.c.t.i.o.n...&.I.g.n.o.r.e. .t.h.e. .e.r.r.o.r. .a.n.d. .c.o.n.t.i.n.u.e...&.T.r.y. .a.g.a.i.n...&.A.b.o.u.t. .S.e.t.u.p.........%.1. .v.e.r.s.i.o.n. .%.2.....%.3.........%.1. .h.o.m.e. .p.a.g.e.:.....%.4.....A.b.o.u.t. .S.e.t.u.p...Y.o.u. .m.u.s.t. .b.e. .l.o.g.g.e.d. .i.n. .a.s. .a.n. .a.d.m.i.n.i.s.t.r.a.t.o.r. .w.h.e.n. .i.n.s.t.a.l.l.i.n.g. .t.h.i.s. .p.r.o.g.r.a.m.....T.h.e. .f.o.l.l.o.w.i.n.g. .a.p.p.l.i.c.a.t.i.o.n.s. .a.r.e. .u.s.i.n.g. .f.i.l.e.s. .t.h.a.t. .n.e.e.d. .t.o. .b.e. .u.p.d.a.t.e.d. .b.y. .S.e.t.u.p... .I.t. .i.s. .r.e.c.o.m.m.e.n.d.e.d. .t.h.a.t. .y.o.u. .a.l.l.o.w. .S.e.t.u.p. .t.o. .a.u.t.o.m.a.t.i.c.a.l.l.y. .c.l.o.s.e. .t.h.e.s.e. .a.p.p.l.i.c.a.t.i.o.n.s.....T.h.e. .f.o.l.l.o.w.i.n.g. .a.p.p.l.i.c.a.t.i.o.n.s. .a.r.e. .u.s.i.n.g. .f.i.l.e.s. .t.h.a.t. .n.e.e.d. .t.o. .b.e. .u.p.d.a.t.e.d. .b.y. .S.e.t.u.p... .I.t. .i.s. .r.e.
                                              Process:C:\Users\user\AppData\Local\Temp\is-RJIJI.tmp\FileOpenInstaller.tmp
                                              File Type:ASCII text, with very long lines (12648), with no line terminators
                                              Category:dropped
                                              Size (bytes):12648
                                              Entropy (8bit):5.997991870273226
                                              Encrypted:false
                                              SSDEEP:384:vH6NHxuYvSxaFjN43mKAIz03TuslDR6mZ/juc:yNRuYvSxaFJRIqTvlDR6mZ/l
                                              MD5:1FF1A88C097A10AF0D2CB463BBB5E4C9
                                              SHA1:D149B1D0BCD84FAD9A4BD143E7837999BC840141
                                              SHA-256:3E077B1A201D71636DD045F7B2694AFEE90881DF97704B012DC947C7429492A7
                                              SHA-512:82AA26F7E0D877A0BEA8D55C57D4D6B98DF283C04360C730E6ED385A589D16438F9BC00B80609B48C33028202661E7343DD4A13A53AE31B6C9A4D8C2E63D1023
                                              Malicious:false
                                               Preview:lcd&00010000000000440000249600010072wfNamiz0xzddKQHtypz8XHsvOxPIrTqsHwI3kUHxIZw=
                                              Process:C:\Users\user\AppData\Local\Temp\is-RJIJI.tmp\FileOpenInstaller.tmp
                                              File Type:ASCII text, with very long lines (12752), with no line terminators
                                              Category:dropped
                                              Size (bytes):12752
                                              Entropy (8bit):5.999182781405648
                                              Encrypted:false
                                              SSDEEP:384:b477Sr0GX7TA4Sx6RHk73hrtoueh5Fix0:b477SH/APE2hrto1h5B
                                              MD5:02D3A1C956563BA31087EE811BCF1F41
                                              SHA1:6BDDFE58549C328D810B15B37BF93BCFCAB1A14B
                                              SHA-256:E6DCD083958DB6FB9A3FB75A9ED320638C3CBF97B69AA24AAF68E96FB644F9F1
                                              SHA-512:A385C69D7CFD88F637D3553BEEFA502563E9620FBA1C502DBCB7CF868383F1CF86D6578FCCCE0EF6B5D0E246E1F94313FF6A3AC01B1529AC78DF5F376B76C3E2
                                              Malicious:false
                                               Preview:lcd&00010000000000440000249600010176wfNamiz0xzddKQHtypz8XHsvOxPIrTqsHwI3kUHxIZw=
                                              Process:C:\Users\user\AppData\Local\Temp\is-RJIJI.tmp\FileOpenInstaller.tmp
                                              File Type:ASCII text, with very long lines (15400), with no line terminators
                                              Category:dropped
                                              Size (bytes):15400
                                              Entropy (8bit):5.998963228052221
                                              Encrypted:false
                                              SSDEEP:192:sT4SmJg9IPU7nKZ7FknvIyD4s892kYOPM/vUm7Z1pTD/fOa8n9td6XBgD9IEbHxO:+4SuPUmXknvb04kXoMmjpH/GtnOBShK
                                              MD5:7DD5A9A2ED2E595E660EAB7B06449720
                                              SHA1:992CAD591FB818A66DFEC96CC32B5B94739692FF
                                              SHA-256:168ED420AB4AC7C5468362EE5804A1EE1BC2304B3A61884ADF1D9E764E66F889
                                              SHA-512:2C335278E6E67FD26AF6DCFC50417CB70EA35BDB4ABA5185F023AEC6BA1948F096677B4A6DA3539B746CC79378F6DAB82F386995CD56F3BD9F977815B11FE699
                                              Malicious:false
                                               Preview:lcd&00010000000000440000249600012824wfNamiz0xzddKQHtypz8XHsvOxPIrTqsHwI3kUHxIZw=
                                              Process:C:\Users\user\AppData\Local\Temp\is-RJIJI.tmp\FileOpenInstaller.tmp
                                              File Type:ASCII text, with very long lines (10172), with no line terminators
                                              Category:dropped
                                              Size (bytes):10172
                                              Entropy (8bit):5.999002101128432
                                              Encrypted:false
                                              SSDEEP:192:HQzOr83z8zOvnbYPEe5MXjzo2LvLXuqQGgfPuVC9ZMCNVm:HQTz8zO086M42LvcPuVL+Vm
                                              MD5:03F4D28B17CE89CFE4C288EF7225451F
                                              SHA1:3470AD6103983DAABEE0D8494E891123BCA9804A
                                              SHA-256:7C7509711730827DA1A713398845A2E09ADDE8ECFCA07DB04B47F34EECE52493
                                              SHA-512:50EBDBA872C08D18C54AEBA31C025DE7203C0E1444CDA541857715BB186358C8D8C186F0419EDD9A5C02E03D98D44B95C0EDC4549CF725578CEBD667482A3326
                                              Malicious:false
                                              Preview:lcd&00010000000000440000249600007596wfNamiz0xzddKQHtypz8XHsvOxPIrTqsHwI3kUHxIZw=wfNamzz0zS9BKRDtypz8MHsvOxXIrTqMHwI3gUHxIekwE6otym/yTbUZP7PlEy8O/bpGxW6LzFxWOK3fYHRItpDgBaA5X1BavY2BO/XOfKySo1Db21+l/X//wtfYGiYOORGAUa1z2gum5ELO3M+r0ktrNKBZRnxxzECsQsuEa/+1aidVgmCcrZOGJOHDz1NMK0yOvHorXbslEp0E8UW2oOSovzMqnXN3MwnohZZA/WgMLkGJRbbRl9Qe/tz3PFPaGTc4c9uJpklCN1n1v3n8ScqDkHNQ72l+NFqoEU0IBA6ZMCFRpB3PcR6VQgER3kQUB75gSOYlRaQOFEygpaacvJBa+SPwRA0PZu9N3WqHCJ5vks/lgCGrivfiTI/mokBWgEres7DjQiAOEJyuwk/x+rXId0ne1yihdcSgih/kSGGEPnISAxskTVCkrqpWfdTJRMD+7negc5lQRjAdpaFIUKJ3ZmXmCKwKaC1F6Ypjp3YJgAGYhkGRsTT7f7tmBmM3Ow5R/RSIhdYU4Q0Fy8Di3AuIKcZ+nXYxKRyHT1OkxMuL8xtcwK52LJN6KGI1McXLIYi4k+HzXUiksHytorOvcqNT4YD+NUbcJyyeauJSvGYqPNvlvmswz5oIGDH5KOHUIey+9vGyP/rWqMfxM/i+Z8rZw9WUzh8MvZukWUF/Kvhnlci82eeglydG4MGbsfIubxfArCfQ65LKl1B+H+h5HWyMsIaPrntWQhi4sgM5tYYGqros0o0p0mZFCESgBxPPy/Pe/AorFJAKjzsDfsF/bSeAfJN8lv0KL8JrbukctqROb8gziqsrpXbz1esn4PYRWw3BfHICa87fiHRQZ7q83b6piRBqYzU/1yqG+1ytB7jBh7A7PjNuRrDMMIVdohKwKMjawkIQHxNj/E9kwja6IUl7
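The dropped-file entries above each carry an 8-bit entropy figure, an Encrypted flag and a set of hashes, and the same SHA-256 turns up under more than one entry. The script below is an added example, not part of the Joe Sandbox report and not Joe Sandbox's own code: it parses records in this Key:Value layout, recomputes the 8-bit Shannon entropy the report labels "Entropy (8bit)" on constructed sample bytes, groups entries by SHA-256 to surface repeated artifacts, and flags dropped PE files that no engine detected. The 7.9-bit cut-off used to mirror the Encrypted flag is an assumption (the report marks the 7.995-bit PDF as encrypted and the roughly 5.99-bit text files as not), and the sample records embedded in the script are constructed from the values shown on this page.

```python
import math
import re
from collections import Counter, defaultdict


def shannon_entropy(data: bytes) -> float:
    """8-bit Shannon entropy in bits per byte, 0.0 (constant) to 8.0 (uniform);
    this is the quantity the report labels "Entropy (8bit)"."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


# Assumed cut-off, not a documented Joe Sandbox rule: the report marks the
# 7.995-bit PDF as Encrypted:true and the ~5.99-bit text files as false.
ENCRYPTED_THRESHOLD = 7.9


def looks_encrypted(data: bytes) -> bool:
    """Heuristic mirror of the report's Encrypted flag (see threshold note)."""
    return shannon_entropy(data) >= ENCRYPTED_THRESHOLD


# One report field per line, 'Key:Value'; values may themselves contain colons
# (paths, previews), so only the first colon separates key from value.
FIELD_RE = re.compile(r"^\s*([A-Za-z0-9 ()\-]+?):(.*)$")


def parse_dropped_records(text: str) -> list:
    """Split 'Key:Value' lines into one dict per dropped file. A new record
    starts at every 'Process:' line, which is how the report lays them out."""
    records, current = [], None
    for line in text.splitlines():
        m = FIELD_RE.match(line)
        if not m:
            continue  # bullet lines, blanks, anything that is not a field
        key, value = m.group(1).strip(), m.group(2).strip()
        if key == "Process":
            current = {}
            records.append(current)
        if current is not None:
            current[key] = value
    return records


def group_by_sha256(records) -> dict:
    """Map SHA-256 -> indices of every record carrying it, keeping only hashes
    that occur more than once (the same artifact dropped to several paths)."""
    groups = defaultdict(list)
    for i, rec in enumerate(records):
        if "SHA-256" in rec:
            groups[rec["SHA-256"].lower()].append(i)
    return {h: idx for h, idx in groups.items() if len(idx) > 1}


def triage(records) -> list:
    """Per-record flags a reviewer wants beside each entry: dropped PE files
    (an AV 'Detection: 0%' is not proof of benignity) and high-entropy blobs."""
    notes = []
    for rec in records:
        flags = []
        if rec.get("File Type", "").startswith("PE32"):
            flags.append("pe")
            if rec.get("Malicious") == "false":
                flags.append("undetected-pe")
        try:
            entropy = float(rec.get("Entropy (8bit)", ""))
        except ValueError:
            entropy = 0.0
        if entropy >= ENCRYPTED_THRESHOLD:
            flags.append("high-entropy")
        notes.append(flags)
    return notes


# Constructed sample: three trimmed records using values from the report above
# (the 32-bit DLL listed twice and the FileOpen-encrypted PDF).
SAMPLE_REPORT = r"""
Process:C:\Users\user\AppData\Local\Temp\is-RJIJI.tmp\FileOpenInstaller.tmp
File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Entropy (8bit):6.552035196075477
Encrypted:false
MD5:79F2386CF7296E8661997193CF01BAAD
SHA-256:101EBA215EF5F833EC332DA2C803FBFF060EB55F32A88EC261B5C4192528E6DD
Malicious:false
Process:C:\Users\user\AppData\Local\Temp\is-RJIJI.tmp\FileOpenInstaller.tmp
File Type:PDF document, version 1.6 (zip deflate encoded)
Entropy (8bit):7.995368768567606
Encrypted:true
MD5:D020B6FF764F08684688E772BCCFFA99
SHA-256:A6EF65B36F8521FC67269B9FBD024C7E98E0207AE76C8BECA9B289F125F92383
Malicious:false
Process:C:\Users\user\AppData\Local\Temp\is-RJIJI.tmp\FileOpenInstaller.tmp
File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Entropy (8bit):6.552035196075477
Encrypted:false
MD5:79F2386CF7296E8661997193CF01BAAD
SHA-256:101EBA215EF5F833EC332DA2C803FBFF060EB55F32A88EC261B5C4192528E6DD
Malicious:false
"""

if __name__ == "__main__":
    recs = parse_dropped_records(SAMPLE_REPORT)
    for i, flags in enumerate(triage(recs)):
        print(i, recs[i]["File Type"], flags)
    print("repeated SHA-256 entries:", group_by_sha256(recs))
```

Run against a pasted dropped-files section, the grouping step tells you which entries are one artifact written to several paths, so you submit each distinct SHA-256 once for secondary analysis rather than every listed copy; the high-entropy flag separates genuinely compressed or encrypted blobs (the PDF with an /Encrypt dictionary) from the base64-looking text files, whose entropy sits near 6 bits because the alphabet is only 64 symbols.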
                                              Process:C:\Users\user\AppData\Local\Temp\is-RJIJI.tmp\FileOpenInstaller.tmp
                                              File Type:ASCII text, with very long lines (7568), with no line terminators
                                              Category:dropped
                                              Size (bytes):7568
                                              Entropy (8bit):5.994994247200588
                                              Encrypted:false
                                              SSDEEP:192:by7MRsGZtKD5PXgQn2aZgqi3ycNBiEd5vtgZ86VVV0Kq:uIRsgg5P12aiqI5v63GKq
                                              MD5:8C21D08BA2B447A7C85FA5575A3E57EE
                                              SHA1:A07E68F1613AD29A8274A07B6EC03B6266C06F15
                                              SHA-256:BB6DFD0A1F9FA1658FA75BDC117F601398D9D132453EE7A7D1B858AED29E42F9
                                              SHA-512:0AB5767C4EE3D0CFBA28174C8A3FB6BB9326E1BF66554AEFD4549C41FA096DEEFE76A6150DA3C577E6C99B40EFD3151C0A96D6460F3DD266F5928156D58CF56A
                                              Malicious:false
                                               Preview:lcd&00010000000000440000748800000000wfNamjzkzT1BNRD8ypz8XHsvOxLIrTqsHwI36UHxId8=
                                              Process:C:\Users\user\AppData\Local\Temp\is-RJIJI.tmp\FileOpenInstaller.tmp
                                              File Type:ASCII text, with no line terminators
                                              Category:dropped
                                              Size (bytes):80
                                              Entropy (8bit):4.142037796599528
                                              Encrypted:false
                                              SSDEEP:3:5VvXjyoyRd2tUquhItSjt/n:5k7KUquhItSt/n
                                              MD5:CA943A39A4F5DD13E54089690FEC080A
                                              SHA1:0DC95BE92BF165A841D1881BC2A14212C31F4792
                                              SHA-256:FDF6D2CBF65EDCF9E84B66D484BA0FD18FAD427E3EB1BF332C94CADDF1D7EC63
                                              SHA-512:EE0051B72252A61399E53288CD23EEE59CA4A7139E941A07B750281CFCB77BFD143453BF86F54C03CAD39CABECA7CEC2C5E4D1DC1B8A41E16FB174FA131966FE
                                              Malicious:false
                                              Preview:lcd&00010000000000440000000000000000wfNamjzkzT1BNRD8ypz8XHsvOxzIrTqtHwI3gUHxIek=
                                              Process:C:\Users\user\AppData\Local\Temp\is-RJIJI.tmp\FileOpenInstaller.tmp
                                              File Type:ASCII text, with very long lines (7248), with no line terminators
                                              Category:dropped
                                              Size (bytes):7248
                                              Entropy (8bit):5.997073501805218
                                              Encrypted:false
                                              SSDEEP:192:bfzTsUutE1urhpa053dRffUnm309gNCSBgEYpKn2qV/2:bfzTsVEwrTV3zHIUYJpjz
                                              MD5:30FE73410C791D4BF1D7A1FDCEA9E54A
                                              SHA1:ED3EB0A5F503D1B7F84D19592249E0E7409E31EB
                                              SHA-256:366C3AA0A8F734B055D685D1B4783C95B2E1830B7F25319B3577FFA3E66AA2B5
                                              SHA-512:DD76385E04704077E0972DB4BB58629538884A316F8B8EC5C75B7597B66D80A5C20C243A6BA70F67F4492C95BB86D04053E8F7D7DFD8CFF5BC803B286C52FF2D
                                              Malicious:false
                                               Preview:lcd&00010000000000440000716800000000wfNamjzkzT1BNRD8ypz8XHsvOxbIrTqsHwI3AUHxIcM=
                                              Process:C:\Users\user\AppData\Local\Temp\is-RJIJI.tmp\FileOpenInstaller.tmp
                                              File Type:ASCII text, with very long lines (720), with no line terminators
                                              Category:dropped
                                              Size (bytes):720
                                              Entropy (8bit):5.900569033555435
                                              Encrypted:false
                                              SSDEEP:12:4IHoMwA+gmo1buxC1iXXTpNsoUSFLuQPC+ZkGVg0J3DAiWNOcoJAAijBuDotI:/HoMwAyoMCkXXlWo1LE+2GK0Jal6
                                              MD5:55D02DA6997B22D40AC0BBD083D0D79E
                                              SHA1:5802069EBC18E6B83EF9974E1E88A5DC9AEF3F16
                                              SHA-256:323CA3057BBCD45288E40132953CD66B7F2AA1A403FA3D336F7E395FB51F94C3
                                              SHA-512:4B78F7B57FD666ADA151CFEF2ABAB34A09B5270BE7F7651AEF0AAA1263512C8B35DCB09B70481F010D10417F9D71D13B86A6A51DC77C0FDCA6D50BC5561D69A5
                                              Malicious:false
                                              Preview:lcd&00010000000000440000064000000000wfNamjzkzT1BNRD8ypz8XHsvOxPIrTqsHwI3+UHxIe0=pZZamzz0zTdBKRDtypz8MB1AT3+XyV+tHwI3gUHxIekwE6ovym/yVrUZP7PlEy8O/bpGxm6LzApWOK3fYHRItpDgBaQ5X1B3vY2BO/XOfKySo1Dc6W+U/1LP9frqI3I/DCuxZZdD6h+m5ELO3M+r0ktrNKdZRnwrqjKsQsuEa/+1aiddgmCcgPXpUIqcqSFMK0yOtXorXaAlEp0E8UW2oOSovzkqnXNsMwnohZZA/WgMLkGCRbbRj9Qe/tz3PFPaGTc4f9uJpg1CN1n3jUnNfeezp1Ni1j01BmCaIXc4NFSZMCFfpB3PSh6VQgER3kQUfdZgR+YlRZgOFEygpaacvPY1jVivPmUJZu9N3WqHCJ5vks/0gCGrjPfiTI/mokBWgEreobDjQmoOEJyuwk/x+rXId1re1yiwdcSgih/kSGGEPnIEMSsVYX2UlodmS4D4cvrOy02QQ6VQRjAdpaFIUKJ3ZnPmCKwRAkxF6Ypjp3YJgAGPhkGRllKUC9A5bAI3Ow5R5RSIhfIU4Q0Fy8Di3AuIKd9+nXYaKRyHT1OkxMuL8xtGwK52AZN6KGI1McXLIYi4iOHzXWWksHyvkIOeRI5j2LHOAxL2ERavWdhijDwqPNv4vmsw6JoIGDH5KOHU
                                              Process:C:\Users\user\AppData\Local\Temp\is-RJIJI.tmp\FileOpenInstaller.tmp
                                              File Type:ASCII text, with very long lines (1104), with no line terminators
                                              Category:dropped
                                              Size (bytes):1104
                                              Entropy (8bit):5.9577061260906765
                                              Encrypted:false
                                              SSDEEP:24:q7VsiyT/NCkWaPIHxby827qIlU7gXcwl9ji5JMvX:uwjNFIRmPVU8qO/
                                              MD5:DE68D51F9BFED85374972FC4B778C7FE
                                              SHA1:70CF0EB0A85E503F56D91404E3C25D140FA462F4
                                              SHA-256:3115D9807B7F4558FA79D09F3DDEBCFD41AF2FA4761B006F108F9817165F0665
                                              SHA-512:37FE62C56CDC889B321C650D87554715113710E081BAE7B35F7C8D52DEF73A7C3E28FDDACD3BBF48270BCBFAEA27DFDA49E0D5E6DEC1A9EF9E8A1B88085EF53A
                                              Malicious:false
                                               Preview:lcd&00010000000000440000102400000000wfNamjzkzT1BNRD8ypz8XHsvOxXIrTqsHwI34UHxIeE=
                                              Process:C:\Users\user\AppData\Local\Temp\is-RJIJI.tmp\FileOpenInstaller.tmp
                                              File Type:ASCII text, with very long lines (2640), with no line terminators
                                              Category:dropped
                                              Size (bytes):2640
                                              Entropy (8bit):5.987942858685715
                                              Encrypted:false
                                              SSDEEP:48:jDSdbGs0gEvopAOW+ChoamiiaAlptDCHdWdy5jqbx3saHOHz8:Sd10PAXnCuamiivAHkdaqb298
                                              MD5:7F9D763543F94CA15B7158ADA872C7E4
                                              SHA1:9661F3C85A6E583EB455E50488530D40B5FD6C56
                                              SHA-256:6E3C654DA94BF2DAB61704FA4787747DA578DF0EA8A7B808A7943E1D506FB373
                                              SHA-512:0F2ACD1B623362B15C1D634B6E18E14452EAE3BA6F984EEEF2496094EBB258B62EDA2CE607FC99F571EEF54E92507650BB83BA2EBBEAAC223D2346D343DEA871
                                              Malicious:false
                                              Preview:lcd&00010000000000440000256000000000wfNamjzkzT1BNRD8ypz8XHsvOxHIrTqsHwI3AUHxIeY=hIsq91OGqEVBKRDtypz8MHsvOxTIrTqtHwI3gUHxIekwE6ovym/yVrUZP7PlEy8O/bpGxm6LzApWOK3fYHRItvWYdchWLTUFk+j5XvXOfKySo1De21+ly3//wtfYGiYOORGAV61z2kWm5ELO3M+r0ktrNKdZRnwrzECsQsuEa//6H1Mx7Q/3gJOGJOHDz1NMK0yOtXorXaAlEp0E8UW2oOSovzkqnXNsMwnohZZA/WgMLkGCRbbRj9Qe/tz3PFPadkJME7TmzSMnTzz1v3n8ScqDkH5Q72kENFqoEU0IBA6ZMCFfpB3PSh6VQgER3kQUB75gR+YlRZgOFEygpaacvNE5i1ySJXkpNIosuQ/1CJ5vks/0gCGrjPfiTI/mokBWgEreobDjQmoOEJyuwk/x+rXId1re1yiwdcSgih/kSGHFXQBpUX8XZ37B1s9WfdTJRMD++3egc/9QRjAdpaFIUKJ3ZnPmCKwRaC1F6Ypjp3YJgAGPhkGRljT7f7tmBmM3em0jinbp8fIU4Q0Fy8Di3AuIKd9+nXYaKRyHT1OkxMuL8xtGwK52AZN6KGI1McXLIYi4iOHzXWWksHytorOvcuIwk/OcVDLpQlT7auJSvGYqPNv4vmsw6JoIGDH5KOHUIey+6PGyP+TWqMfxM/i+Z8rZw8qUzh8hvZukWUF/Kvgm9rrzu4bUqWU0j6r+w/IubxfAjSfQ67XKl1B+H+h5HWyMsKSPrntxQhi4sgM5tYYGqroP0o0p+GZFCESgBxPPqpCst2hZe8hv/RVmBqR/bSeAfLZ8lv0gL8JrbukctqROb8gViqsrj3bz1esn4PYRWw3BW3ICa+DfiHRQZ7q83f/K+1cIAkFYlln1ki/ZZta1h7ASPjNuaLDMMIVdohKwKMja6EIQH1Rj/E9kwja6IUl7
                                              Process:C:\Users\user\AppData\Local\Temp\is-RJIJI.tmp\FileOpenInstaller.tmp
                                              File Type:ASCII text, with very long lines (2960), with no line terminators
                                              Category:dropped
                                              Size (bytes):2960
                                              Entropy (8bit):5.986739218510661
                                              Encrypted:false
                                              SSDEEP:48:3jiESWGhYjEvKaAZ/m7g5Tk0oqmiia4k7qYebCuFbx3JnFpOHdxK/xB:3WYQyPukGNqmii27qYsFbAK/xB
                                              MD5:DD46349E256F66DA49E6ED04DAD039DE
                                              SHA1:32929544444286C63FA674F56BD19171EB851AAB
                                              SHA-256:D658B0AA15C2E36AD2C4C08BCED8693E525387822A1604DAA26D81BBFB6DF6B1
                                              SHA-512:29E9BDCBE21D95DF93FABAF280B90C7FF860B64D692F2492ED642479C0306118F2032EDB6E7FA216687EFB963E71C4F691BAA301060BAE838916047B2AE782EF
                                              Malicious:false
                                               Preview:lcd&00010000000000440000288000000000wfNamjzkzT1BNRD8ypz8XHsvOxfIrTqsHwI3yUHxIfc=
                                              Process:C:\Users\user\AppData\Local\Temp\is-RJIJI.tmp\FileOpenInstaller.tmp
                                              File Type:ASCII text, with very long lines (424), with no line terminators
                                              Category:dropped
                                              Size (bytes):424
                                              Entropy (8bit):5.806054763135282
                                              Encrypted:false
                                              SSDEEP:6:5uRL07KUqCkuYOH6jZPTxDtoIbL6zn9qjAWQbiyT8/KjXPlvNsKOioDUX0bOWxTh:wWIdo6lPTvnFTx/KTpNsoR0yWx5LT
                                              MD5:BABA88923DACAC1B9FFCCD1CAA783903
                                              SHA1:BD9C1D4176B709671310EB31C197E54311DF2E09
                                              SHA-256:06793859377ADE0F42F713178559A3189B9118884CC9D783E98C36820BEAB899
                                              SHA-512:C834660D40616847458D21287692BB809101653EE8A29EB24AAC7D7AC6D9967BD78866081216848E073D50ED2E30EF4219CC13BB494A5F6C0201B27CEA5D0ED8
                                              Malicious:false
                                              Preview:lcd&00010000000000440000034400000000wfNamjzkzT1BNRD8ypz8XHsvOxDIrTqsHwI3AUHxIes=kbccyFKVplJvaECkypz8MHsvOxTIrTqtHwI3gUHxIekwE6ovym/yVrUZP7PlEy8O/bpGxm6LzApWOK3fYHRItsCkQ/dXPjsSvY2BO/XOfKySo1De21+ly3//wtfYGiYOORGAV61z2kWm5ELO3M+r0ktrNKdZRnwrzECsQsuEa//EAxVz4xD1gJOGJOHDz1NMK0yOtXorXaAlEp0E8UW2oOSovzkqnXNsMwnohZZA/WgMLkGCRbbRj9Qe/tz3PFPaSH5sOoTY02Q2UhCYzxaPIKTkon5Q72kENFqoEU0IBA6ZMCFfpB3PSh6VQgER3kQUB75gR+YlRZgOFEygpaacvA==
                                              Process:C:\Users\user\AppData\Local\Temp\is-RJIJI.tmp\FileOpenInstaller.tmp
                                              File Type:ASCII text, with very long lines (1104), with no line terminators
                                              Category:dropped
                                              Size (bytes):1104
                                              Entropy (8bit):5.9577061260906765
                                              Encrypted:false
                                              SSDEEP:24:q7VsiyT/NCkWaPIHxby827qIlU7gXcwl9ji5JMvX:uwjNFIRmPVU8qO/
                                              MD5:DE68D51F9BFED85374972FC4B778C7FE
                                              SHA1:70CF0EB0A85E503F56D91404E3C25D140FA462F4
                                              SHA-256:3115D9807B7F4558FA79D09F3DDEBCFD41AF2FA4761B006F108F9817165F0665
                                              SHA-512:37FE62C56CDC889B321C650D87554715113710E081BAE7B35F7C8D52DEF73A7C3E28FDDACD3BBF48270BCBFAEA27DFDA49E0D5E6DEC1A9EF9E8A1B88085EF53A
                                              Malicious:false
                                               Preview:lcd&00010000000000440000102400000000wfNamjzkzT1BNRD8ypz8XHsvOxXIrTqsHwI34UHxIeE=
                                              Process:C:\Users\user\AppData\Local\Temp\is-RJIJI.tmp\FileOpenInstaller.tmp
                                              File Type:ASCII text, with very long lines (424), with no line terminators
                                              Category:dropped
                                              Size (bytes):424
                                              Entropy (8bit):5.806054763135282
                                              Encrypted:false
                                              SSDEEP:6:5uRL07KUqCkuYOH6jZPTxDtoIbL6zn9qjAWQbiyT8/KjXPlvNsKOioDUX0bOWxTh:wWIdo6lPTvnFTx/KTpNsoR0yWx5LT
                                              MD5:BABA88923DACAC1B9FFCCD1CAA783903
                                              SHA1:BD9C1D4176B709671310EB31C197E54311DF2E09
                                              SHA-256:06793859377ADE0F42F713178559A3189B9118884CC9D783E98C36820BEAB899
                                              SHA-512:C834660D40616847458D21287692BB809101653EE8A29EB24AAC7D7AC6D9967BD78866081216848E073D50ED2E30EF4219CC13BB494A5F6C0201B27CEA5D0ED8
                                              Malicious:false
                                              Preview:lcd&00010000000000440000034400000000wfNamjzkzT1BNRD8ypz8XHsvOxDIrTqsHwI3AUHxIes=kbccyFKVplJvaECkypz8MHsvOxTIrTqtHwI3gUHxIekwE6ovym/yVrUZP7PlEy8O/bpGxm6LzApWOK3fYHRItsCkQ/dXPjsSvY2BO/XOfKySo1De21+ly3//wtfYGiYOORGAV61z2kWm5ELO3M+r0ktrNKdZRnwrzECsQsuEa//EAxVz4xD1gJOGJOHDz1NMK0yOtXorXaAlEp0E8UW2oOSovzkqnXNsMwnohZZA/WgMLkGCRbbRj9Qe/tz3PFPaSH5sOoTY02Q2UhCYzxaPIKTkon5Q72kENFqoEU0IBA6ZMCFfpB3PSh6VQgER3kQUB75gR+YlRZgOFEygpaacvA==
                                              Process:C:\Users\user\AppData\Local\Temp\is-RJIJI.tmp\FileOpenInstaller.tmp
                                              File Type:ASCII text, with very long lines (2640), with no line terminators
                                              Category:dropped
                                              Size (bytes):2640
                                              Entropy (8bit):5.987942858685715
                                              Encrypted:false
                                              SSDEEP:48:jDSdbGs0gEvopAOW+ChoamiiaAlptDCHdWdy5jqbx3saHOHz8:Sd10PAXnCuamiivAHkdaqb298
                                              MD5:7F9D763543F94CA15B7158ADA872C7E4
                                              SHA1:9661F3C85A6E583EB455E50488530D40B5FD6C56
                                              SHA-256:6E3C654DA94BF2DAB61704FA4787747DA578DF0EA8A7B808A7943E1D506FB373
                                              SHA-512:0F2ACD1B623362B15C1D634B6E18E14452EAE3BA6F984EEEF2496094EBB258B62EDA2CE607FC99F571EEF54E92507650BB83BA2EBBEAAC223D2346D343DEA871
                                              Malicious:false
                                               Preview:lcd&00010000000000440000256000000000wfNamjzkzT1BNRD8ypz8XHsvOxHIrTqsHwI3AUHxIeY=
                                              Process:C:\Users\user\AppData\Local\Temp\is-RJIJI.tmp\FileOpenInstaller.tmp
                                              File Type:ASCII text, with very long lines (720), with no line terminators
                                              Category:dropped
                                              Size (bytes):720
                                              Entropy (8bit):5.900569033555435
                                              Encrypted:false
                                              SSDEEP:12:4IHoMwA+gmo1buxC1iXXTpNsoUSFLuQPC+ZkGVg0J3DAiWNOcoJAAijBuDotI:/HoMwAyoMCkXXlWo1LE+2GK0Jal6
                                              MD5:55D02DA6997B22D40AC0BBD083D0D79E
                                              SHA1:5802069EBC18E6B83EF9974E1E88A5DC9AEF3F16
                                              SHA-256:323CA3057BBCD45288E40132953CD66B7F2AA1A403FA3D336F7E395FB51F94C3
                                              SHA-512:4B78F7B57FD666ADA151CFEF2ABAB34A09B5270BE7F7651AEF0AAA1263512C8B35DCB09B70481F010D10417F9D71D13B86A6A51DC77C0FDCA6D50BC5561D69A5
                                              Malicious:false
                                               Preview:lcd&00010000000000440000064000000000wfNamjzkzT1BNRD8ypz8XHsvOxPIrTqsHwI3+UHxIe0=
                                              Process:C:\Users\user\AppData\Local\Temp\is-RJIJI.tmp\FileOpenInstaller.tmp
                                              File Type:ASCII text, with very long lines (2960), with no line terminators
                                              Category:dropped
                                              Size (bytes):2960
                                              Entropy (8bit):5.986739218510661
                                              Encrypted:false
                                              SSDEEP:48:3jiESWGhYjEvKaAZ/m7g5Tk0oqmiia4k7qYebCuFbx3JnFpOHdxK/xB:3WYQyPukGNqmii27qYsFbAK/xB
                                              MD5:DD46349E256F66DA49E6ED04DAD039DE
                                              SHA1:32929544444286C63FA674F56BD19171EB851AAB
                                              SHA-256:D658B0AA15C2E36AD2C4C08BCED8693E525387822A1604DAA26D81BBFB6DF6B1
                                              SHA-512:29E9BDCBE21D95DF93FABAF280B90C7FF860B64D692F2492ED642479C0306118F2032EDB6E7FA216687EFB963E71C4F691BAA301060BAE838916047B2AE782EF
                                              Malicious:false
                                               Preview:lcd&00010000000000440000288000000000wfNamjzkzT1BNRD8ypz8XHsvOxfIrTqsHwI3yUHxIfc=
                                              Process:C:\Users\user\AppData\Local\Temp\is-RJIJI.tmp\FileOpenInstaller.tmp
                                              File Type:ASCII text, with very long lines (7568), with no line terminators
                                              Category:dropped
                                              Size (bytes):7568
                                              Entropy (8bit):5.994994247200588
                                              Encrypted:false
                                              SSDEEP:192:by7MRsGZtKD5PXgQn2aZgqi3ycNBiEd5vtgZ86VVV0Kq:uIRsgg5P12aiqI5v63GKq
                                              MD5:8C21D08BA2B447A7C85FA5575A3E57EE
                                              SHA1:A07E68F1613AD29A8274A07B6EC03B6266C06F15
                                              SHA-256:BB6DFD0A1F9FA1658FA75BDC117F601398D9D132453EE7A7D1B858AED29E42F9
                                              SHA-512:0AB5767C4EE3D0CFBA28174C8A3FB6BB9326E1BF66554AEFD4549C41FA096DEEFE76A6150DA3C577E6C99B40EFD3151C0A96D6460F3DD266F5928156D58CF56A
                                              Malicious:false
                                               Preview:lcd&00010000000000440000748800000000wfNamjzkzT1BNRD8ypz8XHsvOxLIrTqsHwI36UHxId8=
                                              Process:C:\Users\user\AppData\Local\Temp\is-RJIJI.tmp\FileOpenInstaller.tmp
                                              File Type:ASCII text, with no line terminators
                                              Category:dropped
                                              Size (bytes):80
                                              Entropy (8bit):4.142037796599528
                                              Encrypted:false
                                              SSDEEP:3:5VvXjyoyRd2tUquhItSjt/n:5k7KUquhItSt/n
                                              MD5:CA943A39A4F5DD13E54089690FEC080A
                                              SHA1:0DC95BE92BF165A841D1881BC2A14212C31F4792
                                              SHA-256:FDF6D2CBF65EDCF9E84B66D484BA0FD18FAD427E3EB1BF332C94CADDF1D7EC63
                                              SHA-512:EE0051B72252A61399E53288CD23EEE59CA4A7139E941A07B750281CFCB77BFD143453BF86F54C03CAD39CABECA7CEC2C5E4D1DC1B8A41E16FB174FA131966FE
                                              Malicious:false
                                              Preview:lcd&00010000000000440000000000000000wfNamjzkzT1BNRD8ypz8XHsvOxzIrTqtHwI3gUHxIek=
                                              Process:C:\Users\user\AppData\Local\Temp\is-RJIJI.tmp\FileOpenInstaller.tmp
                                              File Type:ASCII text, with very long lines (7248), with no line terminators
                                              Category:dropped
                                              Size (bytes):7248
                                              Entropy (8bit):5.997073501805218
                                              Encrypted:false
                                              SSDEEP:192:bfzTsUutE1urhpa053dRffUnm309gNCSBgEYpKn2qV/2:bfzTsVEwrTV3zHIUYJpjz
                                              MD5:30FE73410C791D4BF1D7A1FDCEA9E54A
                                              SHA1:ED3EB0A5F503D1B7F84D19592249E0E7409E31EB
                                              SHA-256:366C3AA0A8F734B055D685D1B4783C95B2E1830B7F25319B3577FFA3E66AA2B5
                                              SHA-512:DD76385E04704077E0972DB4BB58629538884A316F8B8EC5C75B7597B66D80A5C20C243A6BA70F67F4492C95BB86D04053E8F7D7DFD8CFF5BC803B286C52FF2D
                                              Malicious:false
                                              Preview:lcd&00010000000000440000716800000000wfNamjzkzT1BNRD8ypz8XHsvOxbIrTqsHwI3AUHxIcM=kbcczG69mWVBKRDtypz8MHsvOxTIrTqtHwI3gUHxIekwE6ovym/yVrUZP7PlEy8O/bpGxm6LzApWOK3fYHRItpDgBaQ5X1B3vY2BO/XOfKySo1De21+ly3//wtfYGiYOORGAV61z2kWm5ELO3M+r0ktrNKdZRnwrzECsQsuEa//lLmEWxmCcgJOGJOHDz1NMK0yOtXorXaAlEp0E8UW2oOSovzkqnXNsMwnohZZA/WgMLkGCRbbRj9Qe/tz3PFPaSXN+NJ+Jpg1CN1n1v3n8ScqDkH5Q72kENFqoEU0IBA6ZMCFfpB3PSh6VQgER3kQUB75gR+YlRZgOFEygpaacvNEetnG1FF49Zu9N3WqHCJ5vks/0gCGrjPfiTI/mokBWgEreobDjQmoOEJyuwk/x+rXId1re1yiwdcSgih/kSGGEPnIGAxskVVCkrqpWfdTJRMD++3egc/9QRjAdpaFIUKJ3ZnPmCKwRaC1F6Ypjp3YJgAGPhkGRljT7f7tmBmM3ekoep1HY1scU4Q0Fy8Di3AuIKd9+nXYaKRyHT1OkxMuL8xtGwK52AZN6KGI1McXLIYi4iOHzXWWksHytorOvcuIXqM+qAUbHJyyeauJSvGYqPNv4vmsw6JoIGDH5KOHUIey+6PGyP+TWqMfxM/i+Z8rZw8qUzh8hvZukWUF/Kvg3xovOkLf0vCdG4MGbsfIubxfAjSfQ67XKl1B+H+h5HWyMsKSPrntxQhi4sgM5tYYGqroP0o0p+GZFCESgBxPPireXi14eFKMKjzsDfsF/bSeAfLZ8lv0gL8JrbukctqROb8gViqsrj3bz1esn4PYRWw3BW3ICa+DfiHRQZ7q83e76ymojM2FN1yqG+1ytB7jBh7ASPjNuaLDMMIVdohKwKMja6EIQH1Rj/E9kwja6IUl7
                                              Process:C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe
                                              File Type:SQLite 3.x database, last written using SQLite version 3035004, file counter 22, database pages 16, 1st free page 12, free pages 2, cookie 0x5, schema 4, UTF-8, version-valid-for 22
                                              Category:dropped
                                              Size (bytes):65536
                                              Entropy (8bit):4.151918324786366
                                              Encrypted:false
                                              SSDEEP:384:vedThotEL38KXlOmrhSZsLRGlMapvC+8ZsLTT1SwIvV:JK+ZsL7ZsLP1iV
                                              MD5:D058D6CD99A7455EEBBF633D891E4B5E
                                              SHA1:70F65A4153CE5926CA34B09AFCAE78046F7925DE
                                              SHA-256:9F762476756F2A65B023D16D651F6BC63ACF9C59D19A86EF70A19D2702545A0C
                                              SHA-512:31C9FCED9D45CF69D376A00578B5B1B6D2D05A7C2E2A6B65F18EE761BA5AAA7B81B8901E134DA1644F86726CDEC2F6C8BFA711A684D873CC4DF114BC75D999CC
                                              Malicious:false
                                              Preview:SQLite format 3......@ ..........................................................................O|......1........T...U.1.D............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                              Process:C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe
                                              File Type:SQLite Rollback Journal
                                              Category:dropped
                                              Size (bytes):8720
                                              Entropy (8bit):3.2041765369956123
                                              Encrypted:false
                                              SSDEEP:48:7MWECiolVaioldol1Nol1Aiol1RROiol1+EMol1C0f5ol15iolBxqumFTIF3XmHd:7F9paSMm0SjG9IVXEBodRBkD
                                              MD5:D2B7CE307691325B4E04CF50EEAD8E30
                                              SHA1:3FD1DB1CC08735BF7D7387426266B34F0573CEA4
                                              SHA-256:3E45607EED54B74890CC34DA0B7C58CD3D983BA4489523E1BC1A53C6F6CC1FD9
                                              SHA-512:D73A637025FEFAF0D8EF27FD52509BFDE0F55A3194328D9F6C13A0D9FD248D5DAB3F2C65D08DA76C2A4D8819003A5B030FD5A8E6D09266CE2224472F9E5454F4
                                              Malicious:false
                                              Preview:.... .c.....Z\.E.............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................X...../.y..................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                              Process:C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe
                                              File Type:PostScript document text
                                              Category:dropped
                                              Size (bytes):110694
                                              Entropy (8bit):5.190261286653695
                                              Encrypted:false
                                              SSDEEP:1536:JgN4DipADWp1ttawvayjLgs1RY4V9gMRpF6j37cNp3yrjDlro/qu9rp:WaDls1RY4V9gMRpF6j37cNp3yrjA
                                              MD5:F94C322499A42D2F2D40561BB14B8397
                                              SHA1:526645D16C28BF57406A8B96AB27A97C8AFD21F6
                                              SHA-256:A3A862B90DE7C071196DD65C81C6E6DAAB486537FF4CABF5003D2411B2CE9B42
                                              SHA-512:1E31084AC3D1484E88970026FF7BAD1F6C4E5CC5B09A53B20A49833878A0A983E1E7778CE8B74C2CAC24F1F77DBA372771D761A7D06C031C504596BF17A29E3A
                                              Malicious:false
                                              Preview:%!Adobe-FontList 1.22.%Locale:0x409..%BeginFont.Handler:WinTTHandler.FontType:TrueType.FontName:ArialMT.FamilyName:Arial.StyleName:Regular.MenuName:Arial.StyleBits:0.WeightClass:400.WidthClass:5.AngleClass:0.FullName:Arial.WritingScript:Roman.hasSVG:no.VariableFontType:NonVariableFont.WinName:Arial.FileLength:1036584.NameArray:0,Win,1,Arial.NameArray:0,Mac,4,Arial.NameArray:0,Win,1,Arial.%EndFont..%BeginFont.Handler:WinTTHandler.FontType:TrueType.FontName:Arial-Black.FamilyName:Arial.StyleName:Black.MenuName:Arial Black.StyleBits:0.WeightClass:900.WidthClass:5.AngleClass:0.FullName:Arial Black.WritingScript:Roman.hasSVG:no.VariableFontType:NonVariableFont.WinName:Arial Black.FileLength:167592.NameArray:0,Win,1,Arial Black.NameArray:0,Mac,4,Arial Black.NameArray:0,Win,1,Arial Black.NameArray:0,Win,16,Arial.%EndFont..%BeginFont.Handler:WinTTHandler.FontType:TrueType.FontName:Arial-BoldMT.FamilyName:Arial.StyleName:Bold.MenuName:Arial.StyleBits:2.WeightClass:700.WidthClass:5.AngleClass:0.
                                              Process:C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe
                                              File Type:PostScript document text
                                              Category:dropped
                                              Size (bytes):110694
                                              Entropy (8bit):5.190261286653695
                                              Encrypted:false
                                              SSDEEP:1536:JgN4DipADWp1ttawvayjLgs1RY4V9gMRpF6j37cNp3yrjDlro/qu9rp:WaDls1RY4V9gMRpF6j37cNp3yrjA
                                              MD5:F94C322499A42D2F2D40561BB14B8397
                                              SHA1:526645D16C28BF57406A8B96AB27A97C8AFD21F6
                                              SHA-256:A3A862B90DE7C071196DD65C81C6E6DAAB486537FF4CABF5003D2411B2CE9B42
                                              SHA-512:1E31084AC3D1484E88970026FF7BAD1F6C4E5CC5B09A53B20A49833878A0A983E1E7778CE8B74C2CAC24F1F77DBA372771D761A7D06C031C504596BF17A29E3A
                                              Malicious:false
                                              Preview:%!Adobe-FontList 1.22.%Locale:0x409..%BeginFont.Handler:WinTTHandler.FontType:TrueType.FontName:ArialMT.FamilyName:Arial.StyleName:Regular.MenuName:Arial.StyleBits:0.WeightClass:400.WidthClass:5.AngleClass:0.FullName:Arial.WritingScript:Roman.hasSVG:no.VariableFontType:NonVariableFont.WinName:Arial.FileLength:1036584.NameArray:0,Win,1,Arial.NameArray:0,Mac,4,Arial.NameArray:0,Win,1,Arial.%EndFont..%BeginFont.Handler:WinTTHandler.FontType:TrueType.FontName:Arial-Black.FamilyName:Arial.StyleName:Black.MenuName:Arial Black.StyleBits:0.WeightClass:900.WidthClass:5.AngleClass:0.FullName:Arial Black.WritingScript:Roman.hasSVG:no.VariableFontType:NonVariableFont.WinName:Arial Black.FileLength:167592.NameArray:0,Win,1,Arial Black.NameArray:0,Mac,4,Arial Black.NameArray:0,Win,1,Arial Black.NameArray:0,Win,16,Arial.%EndFont..%BeginFont.Handler:WinTTHandler.FontType:TrueType.FontName:Arial-BoldMT.FamilyName:Arial.StyleName:Bold.MenuName:Arial.StyleBits:2.WeightClass:700.WidthClass:5.AngleClass:0.
                                              Process:C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe
                                              File Type:data
                                              Category:dropped
                                              Size (bytes):4
                                              Entropy (8bit):0.8112781244591328
                                              Encrypted:false
                                              SSDEEP:3:e:e
                                              MD5:DC84B0D741E5BEAE8070013ADDCC8C28
                                              SHA1:802F4A6A20CBF157AAF6C4E07E4301578D5936A2
                                              SHA-256:81FF65EFC4487853BDB4625559E69AB44F19E0F5EFBD6D5B2AF5E3AB267C8E06
                                              SHA-512:65D5F2A173A43ED2089E3934EB48EA02DD9CCE160D539A47D33A616F29554DBD7AF5D62672DA1637E0466333A78AAA023CBD95846A50AC994947DC888AB6AB71
                                              Malicious:false
                                              Preview:....
                                              Process:C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe
                                              File Type:JSON data
                                              Category:dropped
                                              Size (bytes):945
                                              Entropy (8bit):5.084822438547672
                                              Encrypted:false
                                              SSDEEP:24:YFubaRCzi56W9fg56Uxvj56R2clx2LSC56+Xma560OG:YgY8i56W9o56+56RdxY56+Xma56w
                                              MD5:9B25B5445ECA39016DC30DE44FD9539A
                                              SHA1:520C63BEBDC323CC349C6DAA1C8EA30886A18DE3
                                              SHA-256:DB65364D109DCB21B7A0E8B8C3889BAD6AFAFAA63D2A85871FF5081AAD3611D1
                                              SHA-512:17751C25AFBF562BE4BD4E57E0B27BF5CBFD6ABA95B3DCD807F9AF25E75EA560839F1BCDBB053FAC73FAD32581E7D4CFBE8FFA7D9C1AAEE2BC619AFE01D37E4C
                                              Malicious:false
                                              Preview:{"all":[{"id":"TESTING","info":{"dg":"DG","sid":"TESTING"},"mimeType":"file","size":4,"ts":1675795219000},{"id":"Edit_InApp_Aug2020","info":{"dg":"2646f0f0f5dd62f2d56ca1c033033c58","sid":"Edit_InApp_Aug2020"},"mimeType":"file","size":782,"ts":1642668697000},{"id":"DC_Reader_RHP_Banner","info":{"dg":"6b5098d964b65c5397b668715cc670a2","sid":"DC_Reader_RHP_Banner"},"mimeType":"file","size":1393,"ts":1642668697000},{"id":"DC_Reader_Upsell_Cards","info":{"dg":"0e188ce3b10d082e729bd3a233cfaf51","sid":"DC_Reader_Upsell_Cards"},"mimeType":"file","size":286,"ts":1642668697000},{"id":"DC_FirstMile_Right_Sec_Surface","info":{"dg":"74af15052665af89ad7102a0cb63a33a","sid":"DC_FirstMile_Right_Sec_Surface"},"mimeType":"file","size":294,"ts":1642668697000},{"id":"DC_Reader_RHP_Retention","info":{"dg":"38b4eab1fcf9ab6a31440a452fcbde2b","sid":"DC_Reader_RHP_Retention"},"mimeType":"file","size":287,"ts":1642668697000}],"g_info":{"Version":"0.0.0.1"}}
                                              Process:C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe
                                              File Type:data
                                              Category:dropped
                                              Size (bytes):40393
                                              Entropy (8bit):5.517981962339109
                                              Encrypted:false
                                              SSDEEP:384:K7X4oyVFMqnBkPa2wy+QZ0KEJrgL1KsYNg7y:KT4oyVFMQBoaLy+QZ0KEJ6Yyu
                                              MD5:E8E7E38218B5033FEEF933576AD02510
                                              SHA1:38BF9C8E07B2164CA4547D1AC742E503A0D3410C
                                              SHA-256:CA3F67BA69A8BA7848B5D832709B04C180655E7FEE7A7B566B32B5AA1C5CC4C8
                                              SHA-512:896BC5A6E217D7B2A896F465D5CDF21CF5A7DF96B9389E2BF70D3AD0C5F36C9B45E4A1F32D571349E4C7E9C2B881FD934A1C449C7108621D36D9981A6C84091E
                                              Malicious:false
                                              Preview:4.241.93.FID.2:o:........:F:ArialNarrow.P:Arial Narrow.L:$.........................."F:Arial Narrow.#.107.FID.2:o:........:F:ArialNarrow-Italic.P:Arial Narrow Italic.L:$.........................."F:Arial Narrow.#.103.FID.2:o:........:F:ArialNarrow-Bold.P:Arial Narrow Bold.L:%.........................."F:Arial Narrow.#.116.FID.2:o:........:F:ArialNarrow-BoldItalic.P:Arial Narrow Bold Italic.L:%.........................."F:Arial Narrow.#.75.FID.2:o:........:F:ArialMT.P:Arial.L:$.........................."F:Arial.#.89.FID.2:o:........:F:Arial-ItalicMT.P:Arial Italic.L:$.........................."F:Arial.#.85.FID.2:o:........:F:Arial-BoldMT.P:Arial Bold.L:$.........................."F:Arial.#.98.FID.2:o:........:F:Arial-BoldItalicMT.P:Arial Bold Italic.L:$.........................."F:Arial.#.91.FID.2:o:........:F:Arial-Black.P:Arial Black.L:-.........................."F:Arial Black.#.103.FID.2:o:........:F:Bahnschrift.P:Bahnschrift Light.L:&...............,.........."F:Bahnschrift Light.#.
                                              Process:C:\Users\user\AppData\Local\Temp\is-RJIJI.tmp\FileOpenInstaller.tmp
                                              File Type:Unicode text, UTF-8 (with BOM) text, with CRLF line terminators
                                              Category:dropped
                                              Size (bytes):21453
                                              Entropy (8bit):5.12277210742906
                                              Encrypted:false
                                              SSDEEP:384:hwZpMJvlfGLekAD6BFxie6vjphYjSYfJ00c:h+8mjlfJ00c
                                              MD5:74BEFA61F838AD6178FD091F41640A01
                                              SHA1:4F01B78C105F010882965AA1703DE7364BFD4785
                                              SHA-256:1A4F9AE259E6008493B0C11CC8E9C22D856A95337213382FEA2B5ACFBD1A7737
                                              SHA-512:600D99672AB1B074A590A31A7BD547F79EF1894FBB377DEDBDA2702586AFE8B509D962133DF40910A261B73B7A31C227BA512FBD13AACE3B1BE4707738463E89
                                              Malicious:false
                                              Preview:.2023-02-07 18:39:47.989 Log opened. (Time zone: UTC+00:00)..2023-02-07 18:39:47.989 Setup version: Inno Setup version 6.0.4 (u)..2023-02-07 18:39:47.989 Original Setup EXE: C:\Users\user\Desktop\FileOpenInstaller.exe..2023-02-07 18:39:47.989 Setup command line: /SL5="$6040A,6054369,1320960,C:\Users\user\Desktop\FileOpenInstaller.exe" ..2023-02-07 18:39:47.989 Windows version: 10.0.19042 (NT platform: Yes)..2023-02-07 18:39:47.989 64-bit Windows: Yes..2023-02-07 18:39:47.989 Processor architecture: x64..2023-02-07 18:39:47.989 User privileges: Administrative..2023-02-07 18:39:48.333 Administrative install mode: Yes..2023-02-07 18:39:48.333 Install mode root key: HKEY_LOCAL_MACHINE..2023-02-07 18:39:48.333 64-bit install mode: Yes..2023-02-07 18:39:48.333 Created temporary directory: C:\Users\user\AppData\Local\Temp\is-K56MV.tmp..2023-02-07 18:39:48.380 -- DLL function import --..2023-02-07 18:39:48.380 Function name: OpenSCManagerW..2023-02-07 18:39
                                              Process:C:\Users\user\AppData\Local\Temp\is-RJIJI.tmp\FileOpenInstaller.tmp
                                              File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                              Category:dropped
                                              Size (bytes):223744
                                              Entropy (8bit):6.552035196075477
                                              Encrypted:false
                                              SSDEEP:6144:Q4L7/E4GpmEXrLTilLKvMoiLQpQuK2cVAORcC75FI:K4GpmEXrLTiwvlQjuK2arR5FI
                                              MD5:79F2386CF7296E8661997193CF01BAAD
                                              SHA1:726FEA5EABC5B38981B1D6CC5B8BE01212C90616
                                              SHA-256:101EBA215EF5F833EC332DA2C803FBFF060EB55F32A88EC261B5C4192528E6DD
                                              SHA-512:123F4FFA772FDE8F901ABF12C49B78EB81975E5E5F38A8EF80C10B4CA08DA422C42EE72F51155FC87A6726217A29B0E8BF22CB927347D324D41E87485C5EFF7E
                                              Malicious:false
                                              Antivirus:
                                              • Antivirus: ReversingLabs, Detection: 0%
                                              Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........|....p...p...p.us...p.uu.n.p.ut...p..mt...p..ms...p..mu..p.uq...p...q..p.Nly...p.Nlp...p.Nl....p.......p.Nlr...p.Rich..p.........PE..L...[F9`...........!.....$...P..............@............................................@..........................<..l....>..x....p.......................... "......p...............................@............@...............................text....#.......$.................. ..`.rdata.......@.......(..............@..@.data...T....P.......0..............@....rsrc........p.......@..............@..@.reloc.. ".......$...F..............@..B................................................................................................................................................................................................................................................................................................
                                              Process:C:\Users\user\AppData\Local\Temp\is-RJIJI.tmp\FileOpenInstaller.tmp
                                              File Type:PE32+ executable (console) x86-64, for MS Windows
                                              Category:dropped
                                              Size (bytes):6144
                                              Entropy (8bit):4.720366600008286
                                              Encrypted:false
                                              SSDEEP:96:sfkcXegaJ/ZAYNzcld1xaX12p+gt1sONA0:sfJEVYlvxaX12C6A0
                                              MD5:E4211D6D009757C078A9FAC7FF4F03D4
                                              SHA1:019CD56BA687D39D12D4B13991C9A42EA6BA03DA
                                              SHA-256:388A796580234EFC95F3B1C70AD4CB44BFDDC7BA0F9203BF4902B9929B136F95
                                              SHA-512:17257F15D843E88BB78ADCFB48184B8CE22109CC2C99E709432728A392AFAE7B808ED32289BA397207172DE990A354F15C2459B6797317DA8EA18B040C85787E
                                              Malicious:false
                                              Antivirus:
                                              • Antivirus: ReversingLabs, Detection: 0%
                                              Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......^...............l...............=\......=\......=\......Rich............................PE..d.....R..........#............................@.............................`.......,......................................................<!.......P..H....@..0.................................................................... ...............................text............................... ..`.rdata..|.... ......................@..@.data...,....0......................@....pdata..0....@......................@..@.rsrc...H....P......................@..@................................................................................................................................................................................................................................................................................................................................
                                              Process:C:\Users\user\Desktop\FileOpenInstaller.exe
                                              File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                              Category:dropped
                                              Size (bytes):3119936
                                              Entropy (8bit):6.073128166324036
                                              Encrypted:false
                                              SSDEEP:49152:IR/KpmZubPf2S8W2ILeWl+C1p9jWy5Mnd0wigbLNDH:O/jtYLP1Sy5i0qH
                                              MD5:B7988AC379CEAA456BAA3EF19EB55263
                                              SHA1:15C13A91E64739C76FF48E20C5BB4182AAD94339
                                              SHA-256:69383793D354F2A95D88F610B0559F321F37C97197554CD1E9D6D30B038C352D
                                              SHA-512:22D4544911F496B22AF502869CBDFBC371617A418EB8010319D1842A862F84CA2CA23F1BE505C5F03BD404CB2EE5E489B1FE86B3047356ACE3965F5494AA9FA6
                                              Malicious:true
                                              Antivirus:
                                              • Antivirus: ReversingLabs, Detection: 0%
                                              Preview:MZP.....................@.......................InUn....................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L.....m^..................%...........%.......%...@..........................`0.....5./...@......@....................'.......&..5...0'.|+...........z/.@!................................... '.....................L.&.H.....&......................text.....%.......%................. ..`.itext...&....%..(....%............. ..`.data...dZ....%..\....%.............@....bss.....x...0&..........................idata...5....&..6....&.............@....didata.......&......@&.............@....edata........'......J&.............@..@.tls....D.....'..........................rdata..].... '......L&.............@..@.rsrc...|+...0'..,...N&.............@..@............. (......:'.............@..@........................................................
                                              Process:C:\Program Files\FileOpen\Services\FileOpenBroker64.exe
                                              File Type:data
                                              Category:dropped
                                              Size (bytes):60
                                              Entropy (8bit):5.52764247057246
                                              Encrypted:false
                                              SSDEEP:3:39+/34y9q4LlIUBncPA5Vw+en:tRl4F15q
                                              MD5:61010E7699F30FEED1B3E7C73AC21C8C
                                              SHA1:5F237B4BD6FD54912ECFACADCE758288EAD907AE
                                              SHA-256:964A8D039AB66591B3562204CB488DC12B43D262484D6D005895ADB64EED9F5B
                                              SHA-512:B71C82D414DB61DCA65894BF8A911EDF6B5DBEDEAD5B4F0A25A41F6721A13AC53C32E82E58A5ED58B781BD49B51696349EF6A1CB4AFE87B502DCCFDCBF9E1F3C
                                              Malicious:false
                                              Preview:..*.I%.1./....]...p.S.f....).-7..d}.5..*7i%.\7K2...)m...
                                              File type:PE32 executable (GUI) Intel 80386, for MS Windows
                                              Entropy (8bit):7.779130580328553
                                              TrID:
                                              • Win32 Executable (generic) a (10002005/4) 98.45%
                                              • Inno Setup installer (109748/4) 1.08%
                                              • Win32 EXE PECompact compressed (generic) (41571/9) 0.41%
                                              • Win16/32 Executable Delphi generic (2074/23) 0.02%
                                              • Generic Win/DOS Executable (2004/3) 0.02%
                                              File name:FileOpenInstaller.exe
                                              File size:6831336
                                              MD5:599ebd4af31288db879786f49bf9487d
                                              SHA1:ee40630abcb1fe05051c3f832c72c2ee99722c35
                                              SHA256:f469734bc576a00e113bc43b1b1a13de3c74f5370c5b9db8b9289bd9cf8aac31
                                              SHA512:1f5ab864f07bfc0900eefbc5dbc94ead881156262bf401b46c188a9b51af54247d406eb225f7d7479e75817150313e7ddefadf85ca0edc960f34f4db5d4d3f30
                                              SSDEEP:98304:ZEVrLQI+bHRk0ryjyKY0hMrF2t2nvuk9orCFrGD4pStQgyCsadx0tJnX1BzNE3:sMdDRk0+WG4QCOugtsa70ttX1da3
                                              TLSH:6E6602AF73A6902ED86A8AF105BAD3104C776F115C06CCDA13F0E5CCDB369A0FD2A655
                                              File Content Preview:MZP.....................@...............................................!..L.!..This program must be run under Win32..$7.......................................................................................................................................
                                              Icon Hash:c0d4d4d4d4d4dc60
                                              Entrypoint:0x4b5eec
                                              Entrypoint Section:.itext
                                              Digitally signed:true
                                              Imagebase:0x400000
                                              Subsystem:windows gui
                                              Image File Characteristics:RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, BYTES_REVERSED_LO, 32BIT_MACHINE, BYTES_REVERSED_HI
                                              DLL Characteristics:DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
                                              Time Stamp:0x5E6D1B8D [Sat Mar 14 17:59:41 2020 UTC]
                                              TLS Callbacks:
                                              CLR (.Net) Version:
                                              OS Version Major:6
                                              OS Version Minor:0
                                              File Version Major:6
                                              File Version Minor:0
                                              Subsystem Version Major:6
                                              Subsystem Version Minor:0
                                              Import Hash:5a594319a0d69dbc452e748bcf05892e
                                              Signature Valid:true
                                              Signature Issuer:CN=DigiCert EV Code Signing CA (SHA2), OU=www.digicert.com, O=DigiCert Inc, C=US
                                              Signature Validation Error:The operation completed successfully
                                              Error Number:0
                                              Not Before, Not After
                                              • 02/03/2021 00:00:00 01/03/2023 23:59:59
                                              Subject Chain
                                              • CN=FileOpen Systems Inc., O=FileOpen Systems Inc., L=Santa Cruz, S=California, C=US, SERIALNUMBER=5070649, OID.1.3.6.1.4.1.311.60.2.1.2=Delaware, OID.1.3.6.1.4.1.311.60.2.1.3=US, OID.2.5.4.15=Private Organization
                                              Version:3
                                              Thumbprint MD5:672CE4183DD35C3C4E6ABD4CAF549C09
                                              Thumbprint SHA-1:42E58D6C0DCC7076DDEB6E71534CB1F0913CD6C9
                                              Thumbprint SHA-256:BB460A91449CA5F96957CE80966CF8CC861F26A2FAA340DD81D50A41B9885AE8
                                              Serial:0FDAD5722CB13F7F2013A1CA98D144FE
                                              Instruction
                                              push ebp
                                              mov ebp, esp
                                              add esp, FFFFFFA4h
                                              push ebx
                                              push esi
                                              push edi
                                              xor eax, eax
                                              mov dword ptr [ebp-3Ch], eax
                                              mov dword ptr [ebp-40h], eax
                                              mov dword ptr [ebp-5Ch], eax
                                              mov dword ptr [ebp-30h], eax
                                              mov dword ptr [ebp-38h], eax
                                              mov dword ptr [ebp-34h], eax
                                              mov dword ptr [ebp-2Ch], eax
                                              mov dword ptr [ebp-28h], eax
                                              mov dword ptr [ebp-14h], eax
                                              mov eax, 004B10D8h
                                              call 00007FF854A91215h
                                              xor eax, eax
                                              push ebp
                                              push 004B65DEh
                                              push dword ptr fs:[eax]
                                              mov dword ptr fs:[eax], esp
                                              xor edx, edx
                                              push ebp
                                              push 004B659Ah
                                              push dword ptr fs:[edx]
                                              mov dword ptr fs:[edx], esp
                                              mov eax, dword ptr [004BE634h]
                                              call 00007FF854B33927h
                                              call 00007FF854B3347Eh
                                              lea edx, dword ptr [ebp-14h]
                                              xor eax, eax
                                              call 00007FF854AA6C88h
                                              mov edx, dword ptr [ebp-14h]
                                              mov eax, 004C1D3Ch
                                              call 00007FF854A8BE07h
                                              push 00000002h
                                              push 00000000h
                                              push 00000001h
                                              mov ecx, dword ptr [004C1D3Ch]
                                              mov dl, 01h
                                              mov eax, dword ptr [004237A4h]
                                              call 00007FF854AA7CEFh
                                              mov dword ptr [004C1D40h], eax
                                              xor edx, edx
                                              push ebp
                                              push 004B6546h
                                              push dword ptr fs:[edx]
                                              mov dword ptr fs:[edx], esp
                                              call 00007FF854B339AFh
                                              mov dword ptr [004C1D48h], eax
                                              mov eax, dword ptr [004C1D48h]
                                              cmp dword ptr [eax+0Ch], 01h
                                              jne 00007FF854B39FAAh
                                              mov eax, dword ptr [004C1D48h]
                                              mov edx, 00000028h
                                              call 00007FF854AA85E4h
                                              mov edx, dword ptr [004C1D48h]
                                               Name                                  Virtual Address  Virtual Size  Is in Section
                                               IMAGE_DIRECTORY_ENTRY_EXPORT          0xc4000          0x9a          .edata
                                               IMAGE_DIRECTORY_ENTRY_IMPORT          0xc2000          0xf36         .idata
                                               IMAGE_DIRECTORY_ENTRY_RESOURCE        0xc7000          0x88578       .rsrc
                                               IMAGE_DIRECTORY_ENTRY_EXCEPTION       0x0              0x0
                                               IMAGE_DIRECTORY_ENTRY_SECURITY        0x681ba8         0x2140
                                               IMAGE_DIRECTORY_ENTRY_BASERELOC       0x0              0x0
                                               IMAGE_DIRECTORY_ENTRY_DEBUG           0x0              0x0
                                               IMAGE_DIRECTORY_ENTRY_COPYRIGHT       0x0              0x0
                                               IMAGE_DIRECTORY_ENTRY_GLOBALPTR       0x0              0x0
                                               IMAGE_DIRECTORY_ENTRY_TLS             0xc6000          0x18          .rdata
                                               IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG     0x0              0x0
                                               IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT    0x0              0x0
                                               IMAGE_DIRECTORY_ENTRY_IAT             0xc22e4          0x244         .idata
                                               IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT    0xc3000          0x1a4         .didata
                                               IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR  0x0              0x0
                                               IMAGE_DIRECTORY_ENTRY_RESERVED        0x0              0x0
                                               Name     Virtual Address  Virtual Size  Raw Size  Xored PE  ZLIB Complexity      File Type  Entropy             Characteristics
                                               .text    0x1000           0xb3604       0xb3800   False     0.34484761272632314  data       6.354329115342966   IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                                               .itext   0xb5000          0x1684        0x1800    False     0.5445963541666666   data       5.970901565517897   IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                                               .data    0xb7000          0x37a4        0x3800    False     0.36104910714285715  data       5.0421620677813435  IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                                               .bss     0xbb000          0x6da0        0x0       False     0                    empty      0.0                 IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                                               .idata   0xc2000          0xf36         0x1000    False     0.3681640625         data       4.8987046479600425  IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                                               .didata  0xc3000          0x1a4         0x200     False     0.345703125          data       2.7563628682496506  IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                                               .edata   0xc4000          0x9a          0x200     False     0.2578125            data       1.8722228665884297  IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                                               .tls     0xc5000          0x18          0x0       False     0                    empty      0.0                 IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                                               .rdata   0xc6000          0x5d          0x200     False     0.189453125          data       1.3838943752217987  IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                                               .rsrc    0xc7000          0x88578       0x88600   False     0.05596571379468378  data       3.1574910512692473  IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                                               Name           RVA       Size     Type                                                                       Language  Country
                                               RT_ICON        0xc7798   0x42028  Device independent bitmap graphic, 256 x 512 x 32, image size 262144      English   United States
                                               RT_ICON        0x1097c0  0x10828  Device independent bitmap graphic, 128 x 256 x 32, image size 65536       English   United States
                                               RT_ICON        0x119fe8  0x94a8   Device independent bitmap graphic, 96 x 192 x 32, image size 36864        English   United States
                                               RT_ICON        0x123490  0x4228   Device independent bitmap graphic, 64 x 128 x 32, image size 16384        English   United States
                                               RT_ICON        0x1276b8  0x25a8   Device independent bitmap graphic, 48 x 96 x 32, image size 9216          English   United States
                                               RT_ICON        0x129c60  0x10a8   Device independent bitmap graphic, 32 x 64 x 32, image size 4096          English   United States
                                               RT_ICON        0x12ad08  0x988    Device independent bitmap graphic, 24 x 48 x 32, image size 2304          English   United States
                                               RT_ICON        0x12b690  0x468    Device independent bitmap graphic, 16 x 32 x 32, image size 1024          English   United States
                                               RT_ICON        0x12baf8  0x12428  Device independent bitmap graphic, 256 x 512 x 8, image size 65536        English   United States
                                               RT_ICON        0x13df20  0x4c28   Device independent bitmap graphic, 128 x 256 x 8, image size 16384        English   United States
                                               RT_ICON        0x142b48  0x2ca8   Device independent bitmap graphic, 96 x 192 x 8, image size 9216          English   United States
                                               RT_ICON        0x1457f0  0x1628   Device independent bitmap graphic, 64 x 128 x 8, image size 4096          English   United States
                                               RT_ICON        0x146e18  0xea8    Device independent bitmap graphic, 48 x 96 x 8, image size 2304           English   United States
                                               RT_ICON        0x147cc0  0x8a8    Device independent bitmap graphic, 32 x 64 x 8, image size 1024           English   United States
                                               RT_ICON        0x148568  0x6c8    Device independent bitmap graphic, 24 x 48 x 8, image size 576            English   United States
                                               RT_ICON        0x148c30  0x568    Device independent bitmap graphic, 16 x 32 x 8, image size 256            English   United States
                                               RT_ICON        0x149198  0x2868   Device independent bitmap graphic, 128 x 256 x 4, image size 8192         English   United States
                                               RT_ICON        0x14ba00  0xa68    Device independent bitmap graphic, 64 x 128 x 4, image size 2048          English   United States
                                               RT_ICON        0x14c468  0x1e8    Device independent bitmap graphic, 24 x 48 x 4, image size 288            English   United States
                                               RT_STRING      0x14c650  0x360    data
                                               RT_STRING      0x14c9b0  0x260    data
                                               RT_STRING      0x14cc10  0x45c    data
                                               RT_STRING      0x14d06c  0x40c    data
                                               RT_STRING      0x14d478  0x2d4    data
                                               RT_STRING      0x14d74c  0xb8     data
                                               RT_STRING      0x14d804  0x9c     data
                                               RT_STRING      0x14d8a0  0x374    data
                                               RT_STRING      0x14dc14  0x398    data
                                               RT_STRING      0x14dfac  0x368    data
                                               RT_STRING      0x14e314  0x2a4    data
                                               RT_RCDATA      0x14e5b8  0x10     data
                                               RT_RCDATA      0x14e5c8  0x2c4    data
                                               RT_RCDATA      0x14e88c  0x2c     data
                                               RT_GROUP_ICON  0x14e8b8  0x110    data                                                                       English   United States
                                               RT_VERSION     0x14e9c8  0x584    data                                                                       English   United States
                                               RT_MANIFEST    0x14ef4c  0x62c    XML 1.0 document, ASCII text, with CRLF line terminators                   English   United States
                                               DLL           Import
                                               kernel32.dll  GetACP, GetExitCodeProcess, LocalFree, CloseHandle, SizeofResource, VirtualProtect, VirtualFree, GetFullPathNameW, ExitProcess, HeapAlloc, GetCPInfoExW, RtlUnwind, GetCPInfo, GetStdHandle, GetModuleHandleW, FreeLibrary, HeapDestroy, ReadFile, CreateProcessW, GetLastError, GetModuleFileNameW, SetLastError, FindResourceW, CreateThread, CompareStringW, LoadLibraryA, ResetEvent, GetVersion, RaiseException, FormatMessageW, SwitchToThread, GetExitCodeThread, GetCurrentThread, LoadLibraryExW, LockResource, GetCurrentThreadId, UnhandledExceptionFilter, VirtualQuery, VirtualQueryEx, Sleep, EnterCriticalSection, SetFilePointer, LoadResource, SuspendThread, GetTickCount, GetFileSize, GetStartupInfoW, GetFileAttributesW, InitializeCriticalSection, GetThreadPriority, SetThreadPriority, GetCurrentProcess, VirtualAlloc, GetSystemInfo, GetCommandLineW, LeaveCriticalSection, GetProcAddress, ResumeThread, GetVersionExW, VerifyVersionInfoW, HeapCreate, GetWindowsDirectoryW, VerSetConditionMask, GetDiskFreeSpaceW, FindFirstFileW, GetUserDefaultUILanguage, lstrlenW, QueryPerformanceCounter, SetEndOfFile, HeapFree, WideCharToMultiByte, FindClose, MultiByteToWideChar, LoadLibraryW, SetEvent, CreateFileW, GetLocaleInfoW, GetSystemDirectoryW, DeleteFileW, GetLocalTime, GetEnvironmentVariableW, WaitForSingleObject, WriteFile, ExitThread, DeleteCriticalSection, TlsGetValue, GetDateFormatW, SetErrorMode, IsValidLocale, TlsSetValue, CreateDirectoryW, GetSystemDefaultUILanguage, EnumCalendarInfoW, LocalAlloc, GetUserDefaultLangID, RemoveDirectoryW, CreateEventW, SetThreadLocale, GetThreadLocale
                                               comctl32.dll  InitCommonControls
                                               version.dll   GetFileVersionInfoSizeW, VerQueryValueW, GetFileVersionInfoW
                                               user32.dll    CreateWindowExW, TranslateMessage, CharLowerBuffW, CallWindowProcW, CharUpperW, PeekMessageW, GetSystemMetrics, SetWindowLongW, MessageBoxW, DestroyWindow, CharUpperBuffW, CharNextW, MsgWaitForMultipleObjects, LoadStringW, ExitWindowsEx, DispatchMessageW
                                               oleaut32.dll  SysAllocStringLen, SafeArrayPtrOfIndex, VariantCopy, SafeArrayGetLBound, SafeArrayGetUBound, VariantInit, VariantClear, SysFreeString, SysReAllocStringLen, VariantChangeType, SafeArrayCreate
                                               netapi32.dll  NetWkstaGetInfo, NetApiBufferFree
                                               advapi32.dll  RegQueryValueExW, AdjustTokenPrivileges, LookupPrivilegeValueW, RegCloseKey, OpenProcessToken, RegOpenKeyExW
Name | Ordinal | Address
TMethodImplementationIntercept | 3 | 0x454058
__dbk_fcall_wrapper | 2 | 0x40d0a0
dbkFCallWrapperAddr | 1 | 0x4be63c
Language of compilation system | Country where language is spoken | Map
English | United States |
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Feb 7, 2023 18:40:17.564126968 CET | 49803 | 443 | 192.168.11.20 | 72.3.136.136
Feb 7, 2023 18:40:17.564145088 CET | 443 | 49803 | 72.3.136.136 | 192.168.11.20
Feb 7, 2023 18:40:17.564351082 CET | 49803 | 443 | 192.168.11.20 | 72.3.136.136
Feb 7, 2023 18:40:17.576366901 CET | 49803 | 443 | 192.168.11.20 | 72.3.136.136
Feb 7, 2023 18:40:17.576374054 CET | 443 | 49803 | 72.3.136.136 | 192.168.11.20
Feb 7, 2023 18:40:17.973437071 CET | 443 | 49803 | 72.3.136.136 | 192.168.11.20
Feb 7, 2023 18:40:17.973717928 CET | 49803 | 443 | 192.168.11.20 | 72.3.136.136
Feb 7, 2023 18:40:18.059180975 CET | 49803 | 443 | 192.168.11.20 | 72.3.136.136
Feb 7, 2023 18:40:18.059195995 CET | 443 | 49803 | 72.3.136.136 | 192.168.11.20
Feb 7, 2023 18:40:18.059534073 CET | 443 | 49803 | 72.3.136.136 | 192.168.11.20
Feb 7, 2023 18:40:18.059776068 CET | 49803 | 443 | 192.168.11.20 | 72.3.136.136
Feb 7, 2023 18:40:18.061364889 CET | 49803 | 443 | 192.168.11.20 | 72.3.136.136
Feb 7, 2023 18:40:18.061364889 CET | 49803 | 443 | 192.168.11.20 | 72.3.136.136
Feb 7, 2023 18:40:18.061387062 CET | 443 | 49803 | 72.3.136.136 | 192.168.11.20
Feb 7, 2023 18:40:18.417651892 CET | 443 | 49803 | 72.3.136.136 | 192.168.11.20
Feb 7, 2023 18:40:18.417804956 CET | 49803 | 443 | 192.168.11.20 | 72.3.136.136
Feb 7, 2023 18:40:18.417831898 CET | 443 | 49803 | 72.3.136.136 | 192.168.11.20
Feb 7, 2023 18:40:18.417990923 CET | 443 | 49803 | 72.3.136.136 | 192.168.11.20
Feb 7, 2023 18:40:18.418032885 CET | 49803 | 443 | 192.168.11.20 | 72.3.136.136
Feb 7, 2023 18:40:18.418131113 CET | 49803 | 443 | 192.168.11.20 | 72.3.136.136
Feb 7, 2023 18:40:18.419624090 CET | 49803 | 443 | 192.168.11.20 | 72.3.136.136
Feb 7, 2023 18:40:18.419634104 CET | 443 | 49803 | 72.3.136.136 | 192.168.11.20
Feb 7, 2023 18:40:18.786721945 CET | 49804 | 443 | 192.168.11.20 | 72.3.136.132
Feb 7, 2023 18:40:18.786739111 CET | 443 | 49804 | 72.3.136.132 | 192.168.11.20
Feb 7, 2023 18:40:18.786868095 CET | 49804 | 443 | 192.168.11.20 | 72.3.136.132
Feb 7, 2023 18:40:18.787334919 CET | 49804 | 443 | 192.168.11.20 | 72.3.136.132
Feb 7, 2023 18:40:18.787343979 CET | 443 | 49804 | 72.3.136.132 | 192.168.11.20
Feb 7, 2023 18:40:19.192358017 CET | 443 | 49804 | 72.3.136.132 | 192.168.11.20
Feb 7, 2023 18:40:19.192694902 CET | 49804 | 443 | 192.168.11.20 | 72.3.136.132
Feb 7, 2023 18:40:19.194992065 CET | 49804 | 443 | 192.168.11.20 | 72.3.136.132
Feb 7, 2023 18:40:19.195024967 CET | 443 | 49804 | 72.3.136.132 | 192.168.11.20
Feb 7, 2023 18:40:19.195450068 CET | 443 | 49804 | 72.3.136.132 | 192.168.11.20
Feb 7, 2023 18:40:19.195997000 CET | 49804 | 443 | 192.168.11.20 | 72.3.136.132
Feb 7, 2023 18:40:19.196116924 CET | 49804 | 443 | 192.168.11.20 | 72.3.136.132
Feb 7, 2023 18:40:19.236479044 CET | 443 | 49804 | 72.3.136.132 | 192.168.11.20
Feb 7, 2023 18:40:19.328406096 CET | 443 | 49804 | 72.3.136.132 | 192.168.11.20
Feb 7, 2023 18:40:19.328579903 CET | 49804 | 443 | 192.168.11.20 | 72.3.136.132
Feb 7, 2023 18:40:19.328623056 CET | 443 | 49804 | 72.3.136.132 | 192.168.11.20
Feb 7, 2023 18:40:19.328874111 CET | 49804 | 443 | 192.168.11.20 | 72.3.136.132
Feb 7, 2023 18:40:19.329595089 CET | 49804 | 443 | 192.168.11.20 | 72.3.136.132
Feb 7, 2023 18:40:19.329643965 CET | 443 | 49804 | 72.3.136.132 | 192.168.11.20
Feb 7, 2023 18:40:19.331896067 CET | 49805 | 443 | 192.168.11.20 | 72.3.136.132
Feb 7, 2023 18:40:19.331989050 CET | 443 | 49805 | 72.3.136.132 | 192.168.11.20
Feb 7, 2023 18:40:19.332298040 CET | 49805 | 443 | 192.168.11.20 | 72.3.136.132
Feb 7, 2023 18:40:19.332508087 CET | 49805 | 443 | 192.168.11.20 | 72.3.136.132
Feb 7, 2023 18:40:19.332551956 CET | 443 | 49805 | 72.3.136.132 | 192.168.11.20
Feb 7, 2023 18:40:19.605200052 CET | 443 | 49805 | 72.3.136.132 | 192.168.11.20
Feb 7, 2023 18:40:19.605422020 CET | 49805 | 443 | 192.168.11.20 | 72.3.136.132
Feb 7, 2023 18:40:19.607630014 CET | 49805 | 443 | 192.168.11.20 | 72.3.136.132
Feb 7, 2023 18:40:19.607639074 CET | 443 | 49805 | 72.3.136.132 | 192.168.11.20
Feb 7, 2023 18:40:19.608886003 CET | 49805 | 443 | 192.168.11.20 | 72.3.136.132
Feb 7, 2023 18:40:19.608921051 CET | 443 | 49805 | 72.3.136.132 | 192.168.11.20
Feb 7, 2023 18:40:19.911317110 CET | 443 | 49805 | 72.3.136.132 | 192.168.11.20
Feb 7, 2023 18:40:19.911520004 CET | 49805 | 443 | 192.168.11.20 | 72.3.136.132
Feb 7, 2023 18:40:19.911544085 CET | 443 | 49805 | 72.3.136.132 | 192.168.11.20
Feb 7, 2023 18:40:19.911575079 CET | 443 | 49805 | 72.3.136.132 | 192.168.11.20
Feb 7, 2023 18:40:19.911669970 CET | 49805 | 443 | 192.168.11.20 | 72.3.136.132
Feb 7, 2023 18:40:19.914753914 CET | 49805 | 443 | 192.168.11.20 | 72.3.136.132
Feb 7, 2023 18:40:19.914788008 CET | 443 | 49805 | 72.3.136.132 | 192.168.11.20
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Feb 7, 2023 18:40:17.513036966 CET | 54958 | 53 | 192.168.11.20 | 1.1.1.1
Feb 7, 2023 18:40:17.554100037 CET | 53 | 54958 | 1.1.1.1 | 192.168.11.20
Feb 7, 2023 18:40:18.452562094 CET | 64384 | 53 | 192.168.11.20 | 1.1.1.1
Feb 7, 2023 18:40:18.785670996 CET | 53 | 64384 | 1.1.1.1 | 192.168.11.20
Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
Feb 7, 2023 18:40:17.513036966 CET | 192.168.11.20 | 1.1.1.1 | 0xc93 | Standard query (0) | usr.fileopen.com | A (IP address) | IN (0x0001) | false
Feb 7, 2023 18:40:18.452562094 CET | 192.168.11.20 | 1.1.1.1 | 0x7553 | Standard query (0) | plugin.fileopen.com | A (IP address) | IN (0x0001) | false
Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
Feb 7, 2023 18:40:17.554100037 CET | 1.1.1.1 | 192.168.11.20 | 0xc93 | No error (0) | usr.fileopen.com | | 72.3.136.136 | A (IP address) | IN (0x0001) | false
Feb 7, 2023 18:40:18.785670996 CET | 1.1.1.1 | 192.168.11.20 | 0x7553 | No error (0) | plugin.fileopen.com | | 72.3.136.132 | A (IP address) | IN (0x0001) | false
• usr.fileopen.com
• plugin.fileopen.com


Target ID: 0
Start time: 18:39:46
Start date: 07/02/2023
Path: C:\Users\user\Desktop\FileOpenInstaller.exe
Wow64 process (32bit): true
Commandline: C:\Users\user\Desktop\FileOpenInstaller.exe
Imagebase: 0x400000
File size: 6831336 bytes
MD5 hash: 599EBD4AF31288DB879786F49BF9487D
Has elevated privileges: true
Has administrator privileges: true
Programmed in: Borland Delphi
Reputation: low

Target ID: 4
Start time: 18:39:47
Start date: 07/02/2023
Path: C:\Users\user\AppData\Local\Temp\is-RJIJI.tmp\FileOpenInstaller.tmp
Wow64 process (32bit): true
Commandline: "C:\Users\user\AppData\Local\Temp\is-RJIJI.tmp\FileOpenInstaller.tmp" /SL5="$6040A,6054369,1320960,C:\Users\user\Desktop\FileOpenInstaller.exe"
Imagebase: 0x400000
File size: 3119936 bytes
MD5 hash: B7988AC379CEAA456BAA3EF19EB55263
Has elevated privileges: true
Has administrator privileges: true
Programmed in: Borland Delphi
Antivirus matches:
• Detection: 0%, ReversingLabs
Reputation: low

Target ID: 6
Start time: 18:40:10
Start date: 07/02/2023
Path: C:\Windows\System32\sc.exe
Wow64 process (32bit): false
Commandline: "C:\Windows\system32\sc.exe" create FileOpenManager binpath= "\"C:\Program Files\FileOpen\Services\FileOpenManager64.exe\"" start= auto
Imagebase: 0x7ff767990000
File size: 72192 bytes
MD5 hash: 3FB5CF71F7E7EB49790CB0E663434D80
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: moderate

Target ID: 7
Start time: 18:40:10
Start date: 07/02/2023
Path: C:\Windows\System32\conhost.exe
Wow64 process (32bit): false
Commandline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase: 0x7ff70dd20000
File size: 875008 bytes
MD5 hash: 81CA40085FC75BABD2C91D18AA9FFA68
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high

Target ID: 8
Start time: 18:40:10
Start date: 07/02/2023
Path: C:\Windows\System32\sc.exe
Wow64 process (32bit): false
Commandline: "C:\Windows\system32\sc.exe" description FileOpenManager "FileOpen Client Manager"
Imagebase: 0x7ff767990000
File size: 72192 bytes
MD5 hash: 3FB5CF71F7E7EB49790CB0E663434D80
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: moderate

Target ID: 9
Start time: 18:40:10
Start date: 07/02/2023
Path: C:\Windows\System32\conhost.exe
Wow64 process (32bit): false
Commandline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase: 0x7ff70dd20000
File size: 875008 bytes
MD5 hash: 81CA40085FC75BABD2C91D18AA9FFA68
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high

Target ID: 10
Start time: 18:40:11
Start date: 07/02/2023
Path: C:\Windows\System32\sc.exe
Wow64 process (32bit): false
Commandline: "C:\Windows\system32\sc.exe" start FileOpenManager
Imagebase: 0x7ff767990000
File size: 72192 bytes
MD5 hash: 3FB5CF71F7E7EB49790CB0E663434D80
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language

Target ID: 11
Start time: 18:40:11
Start date: 07/02/2023
Path: C:\Windows\System32\conhost.exe
Wow64 process (32bit): false
Commandline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase: 0x7ff70dd20000
File size: 875008 bytes
MD5 hash: 81CA40085FC75BABD2C91D18AA9FFA68
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language

Target ID: 12
Start time: 18:40:11
Start date: 07/02/2023
Path: C:\Program Files\FileOpen\Services\FileOpenManager64.exe
Wow64 process (32bit): false
Commandline: C:\Program Files\FileOpen\Services\FileOpenManager64.exe
Imagebase: 0x7ff600a70000
File size: 846816 bytes
MD5 hash: 2ACE6BC0F8B1752879AD54D4EA1938D9
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language

Target ID: 13
Start time: 18:40:11
Start date: 07/02/2023
Path: C:\Program Files\FileOpen\Services\FileOpenBroker64.exe
Wow64 process (32bit): false
Commandline: C:\Program Files\FileOpen\Services\FileOpenBroker64.exe
Imagebase: 0x7ff668dd0000
File size: 2089968 bytes
MD5 hash: DE1A88EBE38A4EB36E2C88B1A69A0251
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language

Target ID: 15
Start time: 18:40:15
Start date: 07/02/2023
Path: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe
Wow64 process (32bit): true
Commandline: "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe" installcomplete.pdf
Imagebase: 0x650000
File size: 3014368 bytes
MD5 hash: 6791EAE6124B58F201B32F1F6C3EC1B0
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language

Target ID: 16
Start time: 18:40:19
Start date: 07/02/2023
Path: C:\Program Files\FileOpen\Services\FileOpenBroker64.exe
Wow64 process (32bit): false
Commandline: "C:\Program Files\FileOpen\Services\FileOpenBroker64.exe"
Imagebase: 0x7ff668dd0000
File size: 2089968 bytes
MD5 hash: DE1A88EBE38A4EB36E2C88B1A69A0251
Has elevated privileges: false
Has administrator privileges: false
Programmed in: C, C++ or other language

No disassembly