Windows Analysis Report
C2ADPhotosSetupEN.exe

Overview

General Information

Sample name:	C2ADPhotosSetupEN.exe
Analysis ID:	1542206
MD5:	b267edc8d01b07caef2e334a05b92351
SHA1:	8da34b3ede48ba1ad32dd5238e03b19116874613
SHA256:	2679ae59bfc014e4c9aa8046ba11d3f7e5cef36536a4be768bf5de4606dd392e
Infos:

Detection

Score:	5
Range:	0 - 100
Whitelisted:	false
Confidence:	20%

Compliance

Score:	49
Range:	0 - 100

Signatures

Allocates memory with a write watch (potentially for evading sandboxes)

Checks for available system drives (often done to infect USB drives)

Contains long sleeps (>= 3 min)

Creates files inside the system directory

Deletes files inside the Windows folder

Detected potential crypto function

Drops PE files

Drops PE files to the windows directory (C:\Windows)

Enables debug privileges

Found dropped PE file which has not been started or loaded

Launches processes in debugging mode, may be used to hinder debugging

May sleep (evasive loops) to hinder dynamic analysis

PE file contains an invalid checksum

PE file contains executable resources (Code or Archives)

PE file contains sections with non-standard names

Queries the volume information (name, serial number etc) of a device

Sample file is different than original file name gathered from version info

Stores files to the Windows start menu directory

Uses 32bit PE files

Uses code obfuscation techniques (call, push, ret)

Classification

Signatures

Compliance

Uses 32bit PE files

Source: C2ADPhotosSetupEN.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: C:\Windows\System32\msiexec.exe	Directory created: C:\Program Files\CodeTwo	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Directory created: C:\Program Files\CodeTwo\CodeTwo Active Directory Photos	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Directory created: C:\Program Files\CodeTwo\CodeTwo Active Directory Photos\C2.Common.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Directory created: C:\Program Files\CodeTwo\CodeTwo Active Directory Photos\ER.Shared.Common.2.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Directory created: C:\Program Files\CodeTwo\CodeTwo Active Directory Photos\C2WinUI.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Directory created: C:\Program Files\CodeTwo\CodeTwo Active Directory Photos\TXTextControl.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Directory created: C:\Program Files\CodeTwo\CodeTwo Active Directory Photos\tx151rtf.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Directory created: C:\Program Files\CodeTwo\CodeTwo Active Directory Photos\tx151.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Directory created: C:\Program Files\CodeTwo\CodeTwo Active Directory Photos\tx151tls.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Directory created: C:\Program Files\CodeTwo\CodeTwo Active Directory Photos\C2ADPhotos.AD.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Directory created: C:\Program Files\CodeTwo\CodeTwo Active Directory Photos\C2ADPhotos.Common.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Directory created: C:\Program Files\CodeTwo\CodeTwo Active Directory Photos\C2ADPhotos.Controls.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Directory created: C:\Program Files\CodeTwo\CodeTwo Active Directory Photos\Data	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Directory created: C:\Program Files\CodeTwo\CodeTwo Active Directory Photos\Data\HomePage.url	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Directory created: C:\Program Files\CodeTwo\CodeTwo Active Directory Photos\CodeTwo Active Directory Photos.exe	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Directory created: C:\Program Files\CodeTwo\CodeTwo Active Directory Photos\CodeTwo Active Directory Photos.exe.config	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Directory created: C:\Program Files\CodeTwo\CodeTwo Active Directory Photos\Data\User's manual.url	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Directory created: C:\Program Files\CodeTwo\CodeTwo Active Directory Photos\C2Wpf.Common.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Directory created: C:\Program Files\CodeTwo\CodeTwo Active Directory Photos\C2Wpf.Controls.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Directory created: C:\Program Files\CodeTwo\CodeTwo Active Directory Photos\ER.Shared.MessageComposition.Lib.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Directory created: C:\Program Files\CodeTwo\CodeTwo Active Directory Photos\ER.Shared.Placeholders.2.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Directory created: C:\Program Files\CodeTwo\CodeTwo Active Directory Photos\ER.Shared.RulesProcessor.2.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Directory created: C:\Program Files\CodeTwo\CodeTwo Active Directory Photos\ER.Shared.Settings.2.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Directory created: C:\Program Files\CodeTwo\CodeTwo Active Directory Photos\ER.Shared.Html.2.dll	Jump to behavior

Source: C:\Windows\System32\msiexec.exe

Registry value created: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{A5C74DC7-9616-4A5E-846D-F56E256CF46F}

Jump to behavior

Source: C2ADPhotosSetupEN.exe

Static PE information: certificate valid

Source: C2ADPhotosSetupEN.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE

Source:	Binary string: C:\build\work\eca3d12b\wix3\build\ship\x86\uica.pdb source: C2ADPhotosSetupEN.exe, 431a48.msi.2.dr, 431a4a.msi.2.dr
Source:	Binary string: D:\A2\_work\115\s\Output\Obfuscated\C2ADPhotos.AD.pdbp source: CodeTwo Active Directory Photos.exe, 00000006.00000002.2460177474.000000001B56B000.00000002.00000001.01000000.00000017.sdmp
Source:	Binary string: F:\B\A11\_work\10\s\Main\C2Common\Modules\C2Wpf.Common\obj\ReleaseNET45\C2Wpf.Common.pdb source: CodeTwo Active Directory Photos.exe, 00000006.00000002.2454586241.00000000027F2000.00000002.00000001.01000000.00000013.sdmp
Source:	Binary string: F:\B\A11\_work\10\s\Output\C2ERBase2\Any CPU\ReleaseNET45\ER.Shared.Common.2.pdb source: CodeTwo Active Directory Photos.exe, 00000006.00000002.2463304418.000000001BED2000.00000002.00000001.01000000.00000019.sdmp
Source:	Binary string: F:\B\A11\_work\10\s\Main\C2ERBase2\Modules\ER.Shared.Settings\obj\ReleaseNET45\ER.Shared.Settings.2.pdb source: CodeTwo Active Directory Photos.exe, 00000006.00000002.2466378356.000000001D022000.00000002.00000001.01000000.0000001C.sdmp
Source:	Binary string: F:\B\A11\_work\10\s\Main\C2ERBase2\Modules\ER.Shared.Placeholders\obj\ReleaseNET45\ER.Shared.Placeholders.2.pdb source: CodeTwo Active Directory Photos.exe, 00000006.00000002.2466305357.000000001CFF2000.00000002.00000001.01000000.0000001B.sdmp, ER.Shared.Placeholders.2.dll.2.dr
Source:	Binary string: F:\B\A11\_work\10\s\Output\C2ERBase2\Any CPU\ReleaseNET45\C2.Common.pdb source: CodeTwo Active Directory Photos.exe, 00000006.00000002.2454719140.0000000002822000.00000002.00000001.01000000.00000015.sdmp
Source:	Binary string: F:\B\A11\_work\10\s\Main\C2Common\Modules\C2Wpf.Controls\obj\ReleaseNET45\C2Wpf.Controls.pdb source: CodeTwo Active Directory Photos.exe, 00000006.00000002.2463413177.000000001CF22000.00000002.00000001.01000000.0000001A.sdmp, C2Wpf.Controls.dll.2.dr
Source:	Binary string: F:\B\A11\_work\10\s\Main\C2ERBase2\Modules\ER.Shared.Placeholders\obj\ReleaseNET45\ER.Shared.Placeholders.2.pdb0~J~ <~_CorDllMainmscoree.dll source: CodeTwo Active Directory Photos.exe, 00000006.00000002.2466305357.000000001CFF2000.00000002.00000001.01000000.0000001B.sdmp, ER.Shared.Placeholders.2.dll.2.dr
Source:	Binary string: F:\B\A11\_work\10\s\Output\C2ERBase2\Any CPU\ReleaseNET45\ER.Shared.MessageComposition.Lib.pdb source: ER.Shared.MessageComposition.Lib.dll.2.dr
Source:	Binary string: F:\B\A11\_work\10\s\Output\C2ERBase2\Any CPU\ReleaseNET45\C2.Common.pdbsr source: CodeTwo Active Directory Photos.exe, 00000006.00000002.2454719140.0000000002822000.00000002.00000001.01000000.00000015.sdmp
Source:	Binary string: E:\B\A5\_work\57\s\Output\C2Native\Win32\ReleaseStatic\C2CustomActions.pdb source: C2ADPhotosSetupEN.exe, 431a48.msi.2.dr, 431a4a.msi.2.dr
Source:	Binary string: os.pdb source: CodeTwo Active Directory Photos.exe, 00000006.00000002.2459211679.000000001B3BA000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: F:\B\A11\_work\10\s\Output\C2ERBase2\Any CPU\ReleaseNET45\C2WinUI.pdb source: CodeTwo Active Directory Photos.exe, 00000006.00000002.2459946087.000000001B4C2000.00000002.00000001.01000000.00000016.sdmp
Source:	Binary string: F:\B\A11\_work\10\s\Output\C2ERBase2\Any CPU\ReleaseNET45\ER.Shared.Common.2.pdb' source: CodeTwo Active Directory Photos.exe, 00000006.00000002.2463304418.000000001BED2000.00000002.00000001.01000000.00000019.sdmp
Source:	Binary string: D:\A2\_work\115\s\Output\Obfuscated\CodeTwo Active Directory Photos.pdb source: CodeTwo Active Directory Photos.exe, 00000006.00000000.2345167044.0000000000587000.00000002.00000001.01000000.00000009.sdmp
Source:	Binary string: D:\dd\fx\NetFXDev1\binaries\x86ret\bin\i386\VSSetup\Utils\boxstub.pdb source: C2ADPhotosSetupEN.exe
Source:	Binary string: D:\A2\_work\115\s\Output\Obfuscated\C2ADPhotos.AD.pdb source: CodeTwo Active Directory Photos.exe, 00000006.00000002.2460177474.000000001B56B000.00000002.00000001.01000000.00000017.sdmp

Spreading

Checks for available system drives (often done to infect USB drives)

Source: C:\Windows\System32\msiexec.exe	File opened: z:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: x:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: v:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: t:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: r:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: p:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: n:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: l:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: j:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: h:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: f:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: b:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: y:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: w:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: u:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: s:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: q:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: o:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: m:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: k:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: i:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: g:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: e:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: c:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: a:	Jump to behavior

Networking

Source: ER.Shared.MessageComposition.Lib.dll.2.dr	String found in binary or memory: FacebookOhttps://www.facebook.com/user_name_here equals www.facebook.com (Facebook)
Source: ER.Shared.MessageComposition.Lib.dll.2.dr	String found in binary or memory: LinkedIn_https://www.linkedin.com/company/user_name_here equals www.linkedin.com (Linkedin)
Source: ER.Shared.MessageComposition.Lib.dll.2.dr	String found in binary or memory: TwitterEhttps://twitter.com/user_name_hereXingWhttps://www.xing.com/profile/user_name_here equals www.twitter.com (Twitter)
Source: ER.Shared.MessageComposition.Lib.dll.2.dr	String found in binary or memory: YoutubeWhttps://www.youtube.com/user/user_name_here'Failed load window. equals www.youtube.com (Youtube)

Source: ER.Shared.MessageComposition.Lib.dll.2.dr	String found in binary or memory: http://badoo.com/user_name_here
Source: C2ADPhotosSetupEN.exe, ER.Shared.Placeholders.2.dll.2.dr, 431a48.msi.2.dr, ER.Shared.MessageComposition.Lib.dll.2.dr, 431a4a.msi.2.dr	String found in binary or memory: http://certificates.godaddy.com/repository/0
Source: C2ADPhotosSetupEN.exe, ER.Shared.Placeholders.2.dll.2.dr, 431a48.msi.2.dr, ER.Shared.MessageComposition.Lib.dll.2.dr, 431a4a.msi.2.dr	String found in binary or memory: http://certificates.godaddy.com/repository/gdig2.crt0
Source: C2ADPhotosSetupEN.exe, ER.Shared.Placeholders.2.dll.2.dr, 431a48.msi.2.dr, ER.Shared.MessageComposition.Lib.dll.2.dr, 431a4a.msi.2.dr	String found in binary or memory: http://certs.godaddy.com/repository/1301
Source: CodeTwo Active Directory Photos.exe, 00000006.00000002.2454719140.0000000002822000.00000002.00000001.01000000.00000015.sdmp	String found in binary or memory: http://codetwo.com/CRM
Source: CodeTwo Active Directory Photos.exe, 00000006.00000002.2454719140.0000000002822000.00000002.00000001.01000000.00000015.sdmp	String found in binary or memory: http://codetwo.com/ITimeService/GetCurrentTimeResponsew
Source: CodeTwo Active Directory Photos.exe, 00000006.00000002.2454719140.0000000002822000.00000002.00000001.01000000.00000015.sdmp	String found in binary or memory: http://codetwo.com/ITimeService/GetCurrentTimeT
Source: CodeTwo Active Directory Photos.exe, 00000006.00000002.2454719140.0000000002822000.00000002.00000001.01000000.00000015.sdmp	String found in binary or memory: http://codetwo.com/ITimeService/ResetOffsetResponseI
Source: CodeTwo Active Directory Photos.exe, 00000006.00000002.2454719140.0000000002822000.00000002.00000001.01000000.00000015.sdmp	String found in binary or memory: http://codetwo.com/ITimeService/ResetOffsetT
Source: CodeTwo Active Directory Photos.exe, 00000006.00000002.2454719140.0000000002822000.00000002.00000001.01000000.00000015.sdmp	String found in binary or memory: http://codetwo.com/ITimeService/SetOffsetResponse
Source: CodeTwo Active Directory Photos.exe, 00000006.00000002.2454719140.0000000002822000.00000002.00000001.01000000.00000015.sdmp	String found in binary or memory: http://codetwo.com/ITimeService/SetOffsetT
Source: CodeTwo Active Directory Photos.exe, 00000006.00000002.2454719140.0000000002822000.00000002.00000001.01000000.00000015.sdmp	String found in binary or memory: http://codetwo.comT
Source: C2ADPhotosSetupEN.exe, ER.Shared.Placeholders.2.dll.2.dr, 431a48.msi.2.dr, ER.Shared.MessageComposition.Lib.dll.2.dr, 431a4a.msi.2.dr	String found in binary or memory: http://crl.godaddy.com/gdig2s5-3.crl0
Source: C2ADPhotosSetupEN.exe	String found in binary or memory: http://crl.godaddy.com/gdig2s5-6.crl0
Source: C2ADPhotosSetupEN.exe, ER.Shared.Placeholders.2.dll.2.dr, 431a48.msi.2.dr, ER.Shared.MessageComposition.Lib.dll.2.dr, 431a4a.msi.2.dr	String found in binary or memory: http://crl.godaddy.com/gdroot-g2.crl0F
Source: C2ADPhotosSetupEN.exe	String found in binary or memory: http://crl.sectigo.com/SectigoRSATimeStampingCA.crl0t
Source: C2ADPhotosSetupEN.exe	String found in binary or memory: http://crt.sectigo.com/SectigoRSATimeStampingCA.crt0#
Source: C2ADPhotosSetupEN.exe, ER.Shared.Placeholders.2.dll.2.dr, 431a48.msi.2.dr, ER.Shared.MessageComposition.Lib.dll.2.dr, 431a4a.msi.2.dr	String found in binary or memory: http://ocsp.godaddy.com/0
Source: C2ADPhotosSetupEN.exe, ER.Shared.Placeholders.2.dll.2.dr, 431a48.msi.2.dr, ER.Shared.MessageComposition.Lib.dll.2.dr, 431a4a.msi.2.dr	String found in binary or memory: http://ocsp.godaddy.com/05
Source: C2ADPhotosSetupEN.exe	String found in binary or memory: http://ocsp.sectigo.com0
Source: CodeTwo Active Directory Photos.exe, 00000006.00000002.2454794658.0000000002984000.00000004.00000800.00020000.00000000.sdmp, CodeTwo Active Directory Photos.exe, 00000006.00000002.2463413177.000000001CF22000.00000002.00000001.01000000.0000001A.sdmp, C2Wpf.Controls.dll.2.dr	String found in binary or memory: http://schemas.codetwo.com/Net45/defined
Source: CodeTwo Active Directory Photos.exe, 00000006.00000002.2463413177.000000001CF22000.00000002.00000001.01000000.0000001A.sdmp, C2Wpf.Controls.dll.2.dr	String found in binary or memory: http://schemas.codetwo.com/Net45/definedI
Source: CodeTwo Active Directory Photos.exe, 00000006.00000002.2454794658.0000000002EEF000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.datacontract.org
Source: CodeTwo Active Directory Photos.exe, 00000006.00000002.2459946087.000000001B4C2000.00000002.00000001.01000000.00000016.sdmp, CodeTwo Active Directory Photos.exe, 00000006.00000002.2454794658.0000000002EEF000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.datacontract.org/2004/07/
Source: CodeTwo Active Directory Photos.exe, 00000006.00000002.2454794658.0000000002EEF000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.datacontract.org/2004/07/C2ADPhotos.AD
Source: CodeTwo Active Directory Photos.exe, 00000006.00000002.2454794658.0000000002EEF000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.datacontract.org/2004/07/C2ADPhotos.Common
Source: CodeTwo Active Directory Photos.exe, 00000006.00000002.2454794658.0000000002EEF000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.datacontract.org/2004/07/ER.Shared.Placeholders
Source: CodeTwo Active Directory Photos.exe, 00000006.00000002.2454794658.0000000002EEF000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.datacontract.org/2004/07/System.Xml
Source: ER.Shared.MessageComposition.Lib.dll.2.dr	String found in binary or memory: http://url_to/rss.xml
Source: ER.Shared.MessageComposition.Lib.dll.2.dr	String found in binary or memory: http://user_name_here.tumblr.com
Source: ER.Shared.MessageComposition.Lib.dll.2.dr	String found in binary or memory: http://www.codetw.com
Source: CodeTwo Active Directory Photos.exe, 00000006.00000002.2454651827.0000000002802000.00000002.00000001.01000000.00000014.sdmp, CodeTwo Active Directory Photos.exe, 00000006.00000002.2454794658.0000000002EEF000.00000004.00000800.00020000.00000000.sdmp, ER.Shared.MessageComposition.Lib.dll.2.dr	String found in binary or memory: http://www.codetwo.com
Source: CodeTwo Active Directory Photos.exe, 00000006.00000002.2466305357.000000001CFF2000.00000002.00000001.01000000.0000001B.sdmp, ER.Shared.Placeholders.2.dll.2.dr	String found in binary or memory: http://www.codetwo.com.
Source: CodeTwo Active Directory Photos.exe, 00000006.00000002.2454794658.0000000002EEF000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.codetwo.com/
Source: ER.Shared.MessageComposition.Lib.dll.2.dr	String found in binary or memory: http://www.codetwo.com/EmailTracking
Source: C2ADPhotosSetupEN.exe, 00000000.00000003.2373722770.0000000002059000.00000004.00000020.00020000.00000000.sdmp, C2ADPhotosSetupEN.exe, 00000000.00000002.2376879823.000000000205C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.codetwo.com/form/uninstall/active-directory-photos/
Source: HomePage.url.2.dr	String found in binary or memory: http://www.codetwo.com/freeware/active-directory-photos?sts=1327
Source: C2ADPhotosSetupEN.exe, ER.Shared.Placeholders.2.dll.2.dr, 431a48.msi.2.dr, ER.Shared.MessageComposition.Lib.dll.2.dr, 431a4a.msi.2.dr	String found in binary or memory: http://www.codetwo.com0
Source: CodeTwo Active Directory Photos.exe, 00000006.00000002.2463304418.000000001BED2000.00000002.00000001.01000000.00000019.sdmp, CodeTwo Active Directory Photos.exe, 00000006.00000002.2454651827.0000000002802000.00000002.00000001.01000000.00000014.sdmp	String found in binary or memory: http://www.codetwo.com5
Source: CodeTwo Active Directory Photos.exe, 00000006.00000002.2454651827.0000000002802000.00000002.00000001.01000000.00000014.sdmp	String found in binary or memory: http://www.codetwo.com8
Source: CodeTwo Active Directory Photos.exe, 00000006.00000002.2454651827.0000000002802000.00000002.00000001.01000000.00000014.sdmp	String found in binary or memory: http://www.codetwo.com;
Source: CodeTwo Active Directory Photos.exe, 00000006.00000002.2466305357.000000001CFF2000.00000002.00000001.01000000.0000001B.sdmp, CodeTwo Active Directory Photos.exe, 00000006.00000002.2463304418.000000001BED2000.00000002.00000001.01000000.00000019.sdmp, CodeTwo Active Directory Photos.exe, 00000006.00000000.2345167044.00000000003D2000.00000002.00000001.01000000.00000009.sdmp, CodeTwo Active Directory Photos.exe, 00000006.00000002.2454719140.0000000002822000.00000002.00000001.01000000.00000015.sdmp, CodeTwo Active Directory Photos.exe, 00000006.00000002.2466378356.000000001D022000.00000002.00000001.01000000.0000001C.sdmp, ER.Shared.Placeholders.2.dll.2.dr	String found in binary or memory: http://www.codetwo.comT
Source: CodeTwo Active Directory Photos.exe, 00000006.00000000.2345167044.00000000003D2000.00000002.00000001.01000000.00000009.sdmp	String found in binary or memory: http://www.codetwo.comV
Source: CodeTwo Active Directory Photos.exe, 00000006.00000002.2454794658.0000000002EEF000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.codetwo.comX
Source: CodeTwo Active Directory Photos.exe, 00000006.00000002.2454794658.00000000031C9000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.codetwo.comh
Source: ER.Shared.MessageComposition.Lib.dll.2.dr	String found in binary or memory: http://www.codetwo.comohttp://www.codetwo.com/freeware/active-directory-photos
Source: CodeTwo Active Directory Photos.exe, 00000006.00000002.2454794658.00000000031C9000.00000004.00000800.00020000.00000000.sdmp, CodeTwo Active Directory Photos.exe, 00000006.00000002.2454794658.0000000002EEF000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.codetwo.comp
Source: CodeTwo Active Directory Photos.exe, 00000006.00000002.2454794658.00000000031C9000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.w3.o
Source: CodeTwo Active Directory Photos.exe, 00000006.00000002.2454794658.00000000031C9000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.w3.oh
Source: C2ADPhotosSetupEN.exe, ER.Shared.Placeholders.2.dll.2.dr, 431a48.msi.2.dr, ER.Shared.MessageComposition.Lib.dll.2.dr, 431a4a.msi.2.dr	String found in binary or memory: https://certs.godaddy.com/repository/0
Source: ER.Shared.MessageComposition.Lib.dll.2.dr	String found in binary or memory: https://instagram.com/user_name_here
Source: ER.Shared.MessageComposition.Lib.dll.2.dr	String found in binary or memory: https://plus.google.com/
Source: C2ADPhotosSetupEN.exe	String found in binary or memory: https://sectigo.com/CPS0D
Source: ER.Shared.MessageComposition.Lib.dll.2.dr	String found in binary or memory: https://soundcloud.com/user_name_here
Source: ER.Shared.MessageComposition.Lib.dll.2.dr	String found in binary or memory: https://twitter.com/user_name_here
Source: CodeTwo Active Directory Photos.exe, 00000006.00000000.2345167044.00000000003D2000.00000002.00000001.01000000.00000009.sdmp	String found in binary or memory: https://userphotos365.codetwo.com
Source: CodeTwo Active Directory Photos.exe, 00000006.00000002.2454794658.0000000002B82000.00000004.00000800.00020000.00000000.sdmp, CodeTwo Active Directory Photos.exe, 00000006.00000002.2454651827.0000000002802000.00000002.00000001.01000000.00000014.sdmp	String found in binary or memory: https://www.codetwo.com/exchange-rules-pro/how-to-add-signatures-with-photos-from-active-directory?s
Source: CodeTwo Active Directory Photos.exe, 00000006.00000002.2454651827.0000000002802000.00000002.00000001.01000000.00000014.sdmp	String found in binary or memory: https://www.codetwo.com/freeware/active-directory-photos?sts=1327
Source: ER.Shared.MessageComposition.Lib.dll.2.dr	String found in binary or memory: https://www.codetwo.com/kb/images-online-vs-embedded/
Source: CodeTwo Active Directory Photos.exe, 00000006.00000002.2454794658.0000000002B82000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.codetwo.com/solutions-for-exchange-server/?sts=1326
Source: CodeTwo Active Directory Photos.exe, 00000006.00000002.2454651827.0000000002802000.00000002.00000001.01000000.00000014.sdmp	String found in binary or memory: https://www.codetwo.com/userguide/active-directory-photos/interface.htm?sts=1327#custom-filter
Source: CodeTwo Active Directory Photos.exe, 00000006.00000002.2454651827.0000000002802000.00000002.00000001.01000000.00000014.sdmp	String found in binary or memory: https://www.codetwo.com/userguide/active-directory-photos/multi-photo.htm?sts=1327#automatch
Source: CodeTwo Active Directory Photos.exe, 00000006.00000002.2454651827.0000000002802000.00000002.00000001.01000000.00000014.sdmp	String found in binary or memory: https://www.codetwo.com/userguide/active-directory-photos/multi-photo.htm?sts=1327#export
Source: CodeTwo Active Directory Photos.exe, 00000006.00000002.2454651827.0000000002802000.00000002.00000001.01000000.00000014.sdmp	String found in binary or memory: https://www.codetwo.com/userguide/active-directory-photos/multi-photo.htm?sts=1327#import
Source: CodeTwo Active Directory Photos.exe, 00000006.00000002.2454651827.0000000002802000.00000002.00000001.01000000.00000014.sdmp	String found in binary or memory: https://www.codetwo.com/userguide/active-directory-photos/photo-editor.htm?sts=1327
Source: CodeTwo Active Directory Photos.exe, 00000006.00000002.2454651827.0000000002802000.00000002.00000001.01000000.00000014.sdmp	String found in binary or memory: https://www.codetwo.com/userguide/active-directory-photos/settings.htm?sts=1327
Source: CodeTwo Active Directory Photos.exe, 00000006.00000002.2454651827.0000000002802000.00000002.00000001.01000000.00000014.sdmp	String found in binary or memory: https://www.codetwo.com?sts=1328
Source: ER.Shared.MessageComposition.Lib.dll.2.dr	String found in binary or memory: https://www.linkedin.com/company/user_name_here
Source: ER.Shared.MessageComposition.Lib.dll.2.dr	String found in binary or memory: https://www.pinterest.com/user_name_here
Source: ER.Shared.MessageComposition.Lib.dll.2.dr	String found in binary or memory: https://www.xing.com/profile/user_name_here
Source: ER.Shared.MessageComposition.Lib.dll.2.dr	String found in binary or memory: https://www.youtube.com/user/user_name_here

System Summary

Creates files inside the system directory

Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\431a48.msi	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSI1E11.tmp	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\inprogressinstallinfo.ipi	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\SourceHash{A5C74DC7-9616-4A5E-846D-F56E256CF46F}	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSI1EDD.tmp	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\{A5C74DC7-9616-4A5E-846D-F56E256CF46F}	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\{A5C74DC7-9616-4A5E-846D-F56E256CF46F}\icon.ico	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\{A5C74DC7-9616-4A5E-846D-F56E256CF46F}\ie.ico	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\431a4a.msi	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\431a4a.msi	Jump to behavior

Deletes files inside the Windows folder

Source: C:\Windows\System32\msiexec.exe

File deleted: C:\Windows\Installer\MSI1E11.tmp

Jump to behavior

Detected potential crypto function

Source: C:\Program Files\CodeTwo\CodeTwo Active Directory Photos\CodeTwo Active Directory Photos.exe	Code function: 6_2_00007FF8485CA23E	6_2_00007FF8485CA23E
Source: C:\Program Files\CodeTwo\CodeTwo Active Directory Photos\CodeTwo Active Directory Photos.exe	Code function: 6_2_00007FF8485C49FB	6_2_00007FF8485C49FB
Source: C:\Program Files\CodeTwo\CodeTwo Active Directory Photos\CodeTwo Active Directory Photos.exe	Code function: 6_2_00007FF8485C6AA6	6_2_00007FF8485C6AA6
Source: C:\Program Files\CodeTwo\CodeTwo Active Directory Photos\CodeTwo Active Directory Photos.exe	Code function: 6_2_00007FF8485C5B74	6_2_00007FF8485C5B74
Source: C:\Program Files\CodeTwo\CodeTwo Active Directory Photos\CodeTwo Active Directory Photos.exe	Code function: 6_2_00007FF8485C0D6D	6_2_00007FF8485C0D6D
Source: C:\Program Files\CodeTwo\CodeTwo Active Directory Photos\CodeTwo Active Directory Photos.exe	Code function: 6_2_00007FF8485CE061	6_2_00007FF8485CE061
Source: C:\Program Files\CodeTwo\CodeTwo Active Directory Photos\CodeTwo Active Directory Photos.exe	Code function: 6_2_00007FF8485CE146	6_2_00007FF8485CE146
Source: C:\Program Files\CodeTwo\CodeTwo Active Directory Photos\CodeTwo Active Directory Photos.exe	Code function: 6_2_00007FF8485CE178	6_2_00007FF8485CE178
Source: C:\Program Files\CodeTwo\CodeTwo Active Directory Photos\CodeTwo Active Directory Photos.exe	Code function: 6_2_00007FF8485C6B3A	6_2_00007FF8485C6B3A
Source: C:\Program Files\CodeTwo\CodeTwo Active Directory Photos\CodeTwo Active Directory Photos.exe	Code function: 6_2_00007FF848770A98	6_2_00007FF848770A98
Source: C:\Program Files\CodeTwo\CodeTwo Active Directory Photos\CodeTwo Active Directory Photos.exe	Code function: 6_2_00007FF8485C7A91	6_2_00007FF8485C7A91

PE file contains executable resources (Code or Archives)

Source: C2ADPhotosSetupEN.exe

Static PE information: Resource name: EXE type: PE32 executable (GUI) Intel 80386, for MS Windows

Sample file is different than original file name gathered from version info

Source: C2ADPhotosSetupEN.exe, 00000000.00000002.2375301153.0000000000839000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenameuica.dll\ vs C2ADPhotosSetupEN.exe
Source: C2ADPhotosSetupEN.exe, 00000000.00000002.2375301153.00000000016C6000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenameNDP46-KB3045560-Web.exeZ vs C2ADPhotosSetupEN.exe
Source: C2ADPhotosSetupEN.exe, 00000000.00000002.2375301153.00000000016C6000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenameBoxStub.exeT vs C2ADPhotosSetupEN.exe
Source: C2ADPhotosSetupEN.exe, 00000000.00000000.2137298045.0000000000FCA000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenameuica.dll\ vs C2ADPhotosSetupEN.exe
Source: C2ADPhotosSetupEN.exe	Binary or memory string: OriginalFilenameuica.dll\ vs C2ADPhotosSetupEN.exe
Source: C2ADPhotosSetupEN.exe	Binary or memory string: OriginalFilenameNDP46-KB3045560-Web.exeZ vs C2ADPhotosSetupEN.exe
Source: C2ADPhotosSetupEN.exe	Binary or memory string: OriginalFilenameBoxStub.exeT vs C2ADPhotosSetupEN.exe

Uses 32bit PE files

Source: C2ADPhotosSetupEN.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: classification engine

Classification label: clean5.winEXE@8/54@0/0

Source: C:\Windows\System32\msiexec.exe

File created: C:\Program Files\CodeTwo

Jump to behavior

Source: C:\Program Files\CodeTwo\CodeTwo Active Directory Photos\CodeTwo Active Directory Photos.exe

File created: C:\Users\user\AppData\Local\CodeTwo

Jump to behavior

Source: C:\Program Files\CodeTwo\CodeTwo Active Directory Photos\CodeTwo Active Directory Photos.exe

Mutant created: NULL

Source: C:\Users\user\Desktop\C2ADPhotosSetupEN.exe

File created: C:\Users\user\AppData\Local\Temp\MSI9BE.tmp

Jump to behavior

Source: C2ADPhotosSetupEN.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\C2ADPhotosSetupEN.exe

File read: C:\Windows\win.ini

Jump to behavior

Source: C:\Users\user\Desktop\C2ADPhotosSetupEN.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\C2ADPhotosSetupEN.exe "C:\Users\user\Desktop\C2ADPhotosSetupEN.exe"
Source: unknown	Process created: C:\Windows\System32\msiexec.exe C:\Windows\system32\msiexec.exe /V
Source: C:\Windows\System32\msiexec.exe	Process created: C:\Windows\SysWOW64\msiexec.exe C:\Windows\syswow64\MsiExec.exe -Embedding D9E5602CD0D1E59BA79DE8DE2B3D0A62 C
Source: C:\Windows\System32\msiexec.exe	Process created: C:\Windows\SysWOW64\msiexec.exe C:\Windows\syswow64\MsiExec.exe -Embedding 3336940CC5EF5A00D0ECD9674475EFA1
Source: C:\Windows\System32\msiexec.exe	Process created: C:\Program Files\CodeTwo\CodeTwo Active Directory Photos\CodeTwo Active Directory Photos.exe "C:\Program Files\CodeTwo\CodeTwo Active Directory Photos\CodeTwo Active Directory Photos.exe"
Source: C:\Windows\System32\msiexec.exe	Process created: C:\Windows\SysWOW64\msiexec.exe C:\Windows\syswow64\MsiExec.exe -Embedding D9E5602CD0D1E59BA79DE8DE2B3D0A62 C	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process created: C:\Windows\SysWOW64\msiexec.exe C:\Windows\syswow64\MsiExec.exe -Embedding 3336940CC5EF5A00D0ECD9674475EFA1	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process created: C:\Program Files\CodeTwo\CodeTwo Active Directory Photos\CodeTwo Active Directory Photos.exe "C:\Program Files\CodeTwo\CodeTwo Active Directory Photos\CodeTwo Active Directory Photos.exe"	Jump to behavior

Source: C:\Users\user\Desktop\C2ADPhotosSetupEN.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\C2ADPhotosSetupEN.exe	Section loaded: msimg32.dll	Jump to behavior
Source: C:\Users\user\Desktop\C2ADPhotosSetupEN.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\C2ADPhotosSetupEN.exe	Section loaded: oledlg.dll	Jump to behavior
Source: C:\Users\user\Desktop\C2ADPhotosSetupEN.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\Desktop\C2ADPhotosSetupEN.exe	Section loaded: msi.dll	Jump to behavior
Source: C:\Users\user\Desktop\C2ADPhotosSetupEN.exe	Section loaded: oleacc.dll	Jump to behavior
Source: C:\Users\user\Desktop\C2ADPhotosSetupEN.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\C2ADPhotosSetupEN.exe	Section loaded: shfolder.dll	Jump to behavior
Source: C:\Users\user\Desktop\C2ADPhotosSetupEN.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\C2ADPhotosSetupEN.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\C2ADPhotosSetupEN.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\C2ADPhotosSetupEN.exe	Section loaded: srpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\C2ADPhotosSetupEN.exe	Section loaded: tsappcmp.dll	Jump to behavior
Source: C:\Users\user\Desktop\C2ADPhotosSetupEN.exe	Section loaded: textinputframework.dll	Jump to behavior
Source: C:\Users\user\Desktop\C2ADPhotosSetupEN.exe	Section loaded: coreuicomponents.dll	Jump to behavior
Source: C:\Users\user\Desktop\C2ADPhotosSetupEN.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Users\user\Desktop\C2ADPhotosSetupEN.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Users\user\Desktop\C2ADPhotosSetupEN.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\C2ADPhotosSetupEN.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\C2ADPhotosSetupEN.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\C2ADPhotosSetupEN.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\Desktop\C2ADPhotosSetupEN.exe	Section loaded: textshaping.dll	Jump to behavior
Source: C:\Users\user\Desktop\C2ADPhotosSetupEN.exe	Section loaded: netapi32.dll	Jump to behavior
Source: C:\Users\user\Desktop\C2ADPhotosSetupEN.exe	Section loaded: wkscli.dll	Jump to behavior
Source: C:\Users\user\Desktop\C2ADPhotosSetupEN.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\C2ADPhotosSetupEN.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\C2ADPhotosSetupEN.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\Desktop\C2ADPhotosSetupEN.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\C2ADPhotosSetupEN.exe	Section loaded: msihnd.dll	Jump to behavior
Source: C:\Users\user\Desktop\C2ADPhotosSetupEN.exe	Section loaded: dwmapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\C2ADPhotosSetupEN.exe	Section loaded: pcacli.dll	Jump to behavior
Source: C:\Users\user\Desktop\C2ADPhotosSetupEN.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Users\user\Desktop\C2ADPhotosSetupEN.exe	Section loaded: windowscodecs.dll	Jump to behavior
Source: C:\Users\user\Desktop\C2ADPhotosSetupEN.exe	Section loaded: riched20.dll	Jump to behavior
Source: C:\Users\user\Desktop\C2ADPhotosSetupEN.exe	Section loaded: usp10.dll	Jump to behavior
Source: C:\Users\user\Desktop\C2ADPhotosSetupEN.exe	Section loaded: msls31.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: aclayers.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: sfc.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: sfc_os.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: msi.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: tsappcmp.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: netapi32.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: wkscli.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: srclient.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: spp.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: powrprof.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: vssapi.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: vsstrace.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: umpdc.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: rstrtmgr.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: pcacli.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: cabinet.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: linkinfo.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: ntshrui.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: cscapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: aclayers.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: sfc.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: sfc_os.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: msi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: aclayers.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: sfc.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: sfc_os.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: msi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: msimg32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: oledlg.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: oleacc.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Program Files\CodeTwo\CodeTwo Active Directory Photos\CodeTwo Active Directory Photos.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Program Files\CodeTwo\CodeTwo Active Directory Photos\CodeTwo Active Directory Photos.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Program Files\CodeTwo\CodeTwo Active Directory Photos\CodeTwo Active Directory Photos.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Program Files\CodeTwo\CodeTwo Active Directory Photos\CodeTwo Active Directory Photos.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Program Files\CodeTwo\CodeTwo Active Directory Photos\CodeTwo Active Directory Photos.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Program Files\CodeTwo\CodeTwo Active Directory Photos\CodeTwo Active Directory Photos.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Program Files\CodeTwo\CodeTwo Active Directory Photos\CodeTwo Active Directory Photos.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Program Files\CodeTwo\CodeTwo Active Directory Photos\CodeTwo Active Directory Photos.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Program Files\CodeTwo\CodeTwo Active Directory Photos\CodeTwo Active Directory Photos.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Program Files\CodeTwo\CodeTwo Active Directory Photos\CodeTwo Active Directory Photos.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Program Files\CodeTwo\CodeTwo Active Directory Photos\CodeTwo Active Directory Photos.exe	Section loaded: dwrite.dll	Jump to behavior
Source: C:\Program Files\CodeTwo\CodeTwo Active Directory Photos\CodeTwo Active Directory Photos.exe	Section loaded: msvcp140_clr0400.dll	Jump to behavior
Source: C:\Program Files\CodeTwo\CodeTwo Active Directory Photos\CodeTwo Active Directory Photos.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Program Files\CodeTwo\CodeTwo Active Directory Photos\CodeTwo Active Directory Photos.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Program Files\CodeTwo\CodeTwo Active Directory Photos\CodeTwo Active Directory Photos.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Program Files\CodeTwo\CodeTwo Active Directory Photos\CodeTwo Active Directory Photos.exe	Section loaded: windowscodecs.dll	Jump to behavior
Source: C:\Program Files\CodeTwo\CodeTwo Active Directory Photos\CodeTwo Active Directory Photos.exe	Section loaded: textshaping.dll	Jump to behavior
Source: C:\Program Files\CodeTwo\CodeTwo Active Directory Photos\CodeTwo Active Directory Photos.exe	Section loaded: textinputframework.dll	Jump to behavior
Source: C:\Program Files\CodeTwo\CodeTwo Active Directory Photos\CodeTwo Active Directory Photos.exe	Section loaded: coreuicomponents.dll	Jump to behavior
Source: C:\Program Files\CodeTwo\CodeTwo Active Directory Photos\CodeTwo Active Directory Photos.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Program Files\CodeTwo\CodeTwo Active Directory Photos\CodeTwo Active Directory Photos.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Program Files\CodeTwo\CodeTwo Active Directory Photos\CodeTwo Active Directory Photos.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Program Files\CodeTwo\CodeTwo Active Directory Photos\CodeTwo Active Directory Photos.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Program Files\CodeTwo\CodeTwo Active Directory Photos\CodeTwo Active Directory Photos.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Program Files\CodeTwo\CodeTwo Active Directory Photos\CodeTwo Active Directory Photos.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Program Files\CodeTwo\CodeTwo Active Directory Photos\CodeTwo Active Directory Photos.exe	Section loaded: dwmapi.dll	Jump to behavior
Source: C:\Program Files\CodeTwo\CodeTwo Active Directory Photos\CodeTwo Active Directory Photos.exe	Section loaded: d3d9.dll	Jump to behavior
Source: C:\Program Files\CodeTwo\CodeTwo Active Directory Photos\CodeTwo Active Directory Photos.exe	Section loaded: d3d10warp.dll	Jump to behavior
Source: C:\Program Files\CodeTwo\CodeTwo Active Directory Photos\CodeTwo Active Directory Photos.exe	Section loaded: wtsapi32.dll	Jump to behavior
Source: C:\Program Files\CodeTwo\CodeTwo Active Directory Photos\CodeTwo Active Directory Photos.exe	Section loaded: winsta.dll	Jump to behavior
Source: C:\Program Files\CodeTwo\CodeTwo Active Directory Photos\CodeTwo Active Directory Photos.exe	Section loaded: powrprof.dll	Jump to behavior
Source: C:\Program Files\CodeTwo\CodeTwo Active Directory Photos\CodeTwo Active Directory Photos.exe	Section loaded: umpdc.dll	Jump to behavior
Source: C:\Program Files\CodeTwo\CodeTwo Active Directory Photos\CodeTwo Active Directory Photos.exe	Section loaded: dataexchange.dll	Jump to behavior
Source: C:\Program Files\CodeTwo\CodeTwo Active Directory Photos\CodeTwo Active Directory Photos.exe	Section loaded: d3d11.dll	Jump to behavior
Source: C:\Program Files\CodeTwo\CodeTwo Active Directory Photos\CodeTwo Active Directory Photos.exe	Section loaded: dcomp.dll	Jump to behavior
Source: C:\Program Files\CodeTwo\CodeTwo Active Directory Photos\CodeTwo Active Directory Photos.exe	Section loaded: dxgi.dll	Jump to behavior
Source: C:\Program Files\CodeTwo\CodeTwo Active Directory Photos\CodeTwo Active Directory Photos.exe	Section loaded: twinapi.appcore.dll	Jump to behavior
Source: C:\Program Files\CodeTwo\CodeTwo Active Directory Photos\CodeTwo Active Directory Photos.exe	Section loaded: ntdsapi.dll	Jump to behavior
Source: C:\Program Files\CodeTwo\CodeTwo Active Directory Photos\CodeTwo Active Directory Photos.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Program Files\CodeTwo\CodeTwo Active Directory Photos\CodeTwo Active Directory Photos.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Program Files\CodeTwo\CodeTwo Active Directory Photos\CodeTwo Active Directory Photos.exe	Section loaded: netapi32.dll	Jump to behavior
Source: C:\Program Files\CodeTwo\CodeTwo Active Directory Photos\CodeTwo Active Directory Photos.exe	Section loaded: logoncli.dll	Jump to behavior
Source: C:\Program Files\CodeTwo\CodeTwo Active Directory Photos\CodeTwo Active Directory Photos.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Program Files\CodeTwo\CodeTwo Active Directory Photos\CodeTwo Active Directory Photos.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Program Files\CodeTwo\CodeTwo Active Directory Photos\CodeTwo Active Directory Photos.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Program Files\CodeTwo\CodeTwo Active Directory Photos\CodeTwo Active Directory Photos.exe	Section loaded: resourcepolicyclient.dll	Jump to behavior
Source: C:\Program Files\CodeTwo\CodeTwo Active Directory Photos\CodeTwo Active Directory Photos.exe	Section loaded: dxcore.dll	Jump to behavior
Source: C:\Program Files\CodeTwo\CodeTwo Active Directory Photos\CodeTwo Active Directory Photos.exe	Section loaded: d3dcompiler_47.dll	Jump to behavior

Source: C:\Users\user\Desktop\C2ADPhotosSetupEN.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{000C1090-0000-0000-C000-000000000046}\InprocServer32

Jump to behavior

Source: C:\Users\user\Desktop\C2ADPhotosSetupEN.exe	Automated click: Next
Source: C:\Users\user\Desktop\C2ADPhotosSetupEN.exe	Automated click: I accept the terms in the License Agreement
Source: C:\Users\user\Desktop\C2ADPhotosSetupEN.exe	Automated click: Next
Source: C:\Users\user\Desktop\C2ADPhotosSetupEN.exe	Automated click: Next
Source: C:\Users\user\Desktop\C2ADPhotosSetupEN.exe	Automated click: Install
Source: C:\Program Files\CodeTwo\CodeTwo Active Directory Photos\CodeTwo Active Directory Photos.exe	Automated click: OK

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Program Files\CodeTwo\CodeTwo Active Directory Photos\CodeTwo Active Directory Photos.exe

File opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dll

Jump to behavior

Source: C:\Windows\System32\msiexec.exe	Directory created: C:\Program Files\CodeTwo	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Directory created: C:\Program Files\CodeTwo\CodeTwo Active Directory Photos	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Directory created: C:\Program Files\CodeTwo\CodeTwo Active Directory Photos\C2.Common.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Directory created: C:\Program Files\CodeTwo\CodeTwo Active Directory Photos\ER.Shared.Common.2.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Directory created: C:\Program Files\CodeTwo\CodeTwo Active Directory Photos\C2WinUI.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Directory created: C:\Program Files\CodeTwo\CodeTwo Active Directory Photos\TXTextControl.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Directory created: C:\Program Files\CodeTwo\CodeTwo Active Directory Photos\tx151rtf.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Directory created: C:\Program Files\CodeTwo\CodeTwo Active Directory Photos\tx151.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Directory created: C:\Program Files\CodeTwo\CodeTwo Active Directory Photos\tx151tls.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Directory created: C:\Program Files\CodeTwo\CodeTwo Active Directory Photos\C2ADPhotos.AD.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Directory created: C:\Program Files\CodeTwo\CodeTwo Active Directory Photos\C2ADPhotos.Common.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Directory created: C:\Program Files\CodeTwo\CodeTwo Active Directory Photos\C2ADPhotos.Controls.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Directory created: C:\Program Files\CodeTwo\CodeTwo Active Directory Photos\Data	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Directory created: C:\Program Files\CodeTwo\CodeTwo Active Directory Photos\Data\HomePage.url	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Directory created: C:\Program Files\CodeTwo\CodeTwo Active Directory Photos\CodeTwo Active Directory Photos.exe	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Directory created: C:\Program Files\CodeTwo\CodeTwo Active Directory Photos\CodeTwo Active Directory Photos.exe.config	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Directory created: C:\Program Files\CodeTwo\CodeTwo Active Directory Photos\Data\User's manual.url	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Directory created: C:\Program Files\CodeTwo\CodeTwo Active Directory Photos\C2Wpf.Common.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Directory created: C:\Program Files\CodeTwo\CodeTwo Active Directory Photos\C2Wpf.Controls.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Directory created: C:\Program Files\CodeTwo\CodeTwo Active Directory Photos\ER.Shared.MessageComposition.Lib.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Directory created: C:\Program Files\CodeTwo\CodeTwo Active Directory Photos\ER.Shared.Placeholders.2.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Directory created: C:\Program Files\CodeTwo\CodeTwo Active Directory Photos\ER.Shared.RulesProcessor.2.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Directory created: C:\Program Files\CodeTwo\CodeTwo Active Directory Photos\ER.Shared.Settings.2.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Directory created: C:\Program Files\CodeTwo\CodeTwo Active Directory Photos\ER.Shared.Html.2.dll	Jump to behavior

Source: C:\Windows\System32\msiexec.exe

Registry value created: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{A5C74DC7-9616-4A5E-846D-F56E256CF46F}

Jump to behavior

Source: C2ADPhotosSetupEN.exe

Static PE information: certificate valid

Source: C2ADPhotosSetupEN.exe

Static PE information: Virtual size of .text is bigger than: 0x100000

Source: C2ADPhotosSetupEN.exe

Static file information: File size 19423456 > 1048576

Source: C2ADPhotosSetupEN.exe	Static PE information: Raw size of .text is bigger than: 0x100000 < 0x172a00
Source: C2ADPhotosSetupEN.exe	Static PE information: Raw size of .rsrc is bigger than: 0x100000 < 0x1083600

Source: C2ADPhotosSetupEN.exe

Static PE information: More than 200 imports for USER32.dll

Source: C2ADPhotosSetupEN.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: C2ADPhotosSetupEN.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: C2ADPhotosSetupEN.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: C2ADPhotosSetupEN.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: C2ADPhotosSetupEN.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: C2ADPhotosSetupEN.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT

Source: C2ADPhotosSetupEN.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE

Source: C2ADPhotosSetupEN.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Source:	Binary string: C:\build\work\eca3d12b\wix3\build\ship\x86\uica.pdb source: C2ADPhotosSetupEN.exe, 431a48.msi.2.dr, 431a4a.msi.2.dr
Source:	Binary string: D:\A2\_work\115\s\Output\Obfuscated\C2ADPhotos.AD.pdbp source: CodeTwo Active Directory Photos.exe, 00000006.00000002.2460177474.000000001B56B000.00000002.00000001.01000000.00000017.sdmp
Source:	Binary string: F:\B\A11\_work\10\s\Main\C2Common\Modules\C2Wpf.Common\obj\ReleaseNET45\C2Wpf.Common.pdb source: CodeTwo Active Directory Photos.exe, 00000006.00000002.2454586241.00000000027F2000.00000002.00000001.01000000.00000013.sdmp
Source:	Binary string: F:\B\A11\_work\10\s\Output\C2ERBase2\Any CPU\ReleaseNET45\ER.Shared.Common.2.pdb source: CodeTwo Active Directory Photos.exe, 00000006.00000002.2463304418.000000001BED2000.00000002.00000001.01000000.00000019.sdmp
Source:	Binary string: F:\B\A11\_work\10\s\Main\C2ERBase2\Modules\ER.Shared.Settings\obj\ReleaseNET45\ER.Shared.Settings.2.pdb source: CodeTwo Active Directory Photos.exe, 00000006.00000002.2466378356.000000001D022000.00000002.00000001.01000000.0000001C.sdmp
Source:	Binary string: F:\B\A11\_work\10\s\Main\C2ERBase2\Modules\ER.Shared.Placeholders\obj\ReleaseNET45\ER.Shared.Placeholders.2.pdb source: CodeTwo Active Directory Photos.exe, 00000006.00000002.2466305357.000000001CFF2000.00000002.00000001.01000000.0000001B.sdmp, ER.Shared.Placeholders.2.dll.2.dr
Source:	Binary string: F:\B\A11\_work\10\s\Output\C2ERBase2\Any CPU\ReleaseNET45\C2.Common.pdb source: CodeTwo Active Directory Photos.exe, 00000006.00000002.2454719140.0000000002822000.00000002.00000001.01000000.00000015.sdmp
Source:	Binary string: F:\B\A11\_work\10\s\Main\C2Common\Modules\C2Wpf.Controls\obj\ReleaseNET45\C2Wpf.Controls.pdb source: CodeTwo Active Directory Photos.exe, 00000006.00000002.2463413177.000000001CF22000.00000002.00000001.01000000.0000001A.sdmp, C2Wpf.Controls.dll.2.dr
Source:	Binary string: F:\B\A11\_work\10\s\Main\C2ERBase2\Modules\ER.Shared.Placeholders\obj\ReleaseNET45\ER.Shared.Placeholders.2.pdb0~J~ <~_CorDllMainmscoree.dll source: CodeTwo Active Directory Photos.exe, 00000006.00000002.2466305357.000000001CFF2000.00000002.00000001.01000000.0000001B.sdmp, ER.Shared.Placeholders.2.dll.2.dr
Source:	Binary string: F:\B\A11\_work\10\s\Output\C2ERBase2\Any CPU\ReleaseNET45\ER.Shared.MessageComposition.Lib.pdb source: ER.Shared.MessageComposition.Lib.dll.2.dr
Source:	Binary string: F:\B\A11\_work\10\s\Output\C2ERBase2\Any CPU\ReleaseNET45\C2.Common.pdbsr source: CodeTwo Active Directory Photos.exe, 00000006.00000002.2454719140.0000000002822000.00000002.00000001.01000000.00000015.sdmp
Source:	Binary string: E:\B\A5\_work\57\s\Output\C2Native\Win32\ReleaseStatic\C2CustomActions.pdb source: C2ADPhotosSetupEN.exe, 431a48.msi.2.dr, 431a4a.msi.2.dr
Source:	Binary string: os.pdb source: CodeTwo Active Directory Photos.exe, 00000006.00000002.2459211679.000000001B3BA000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: F:\B\A11\_work\10\s\Output\C2ERBase2\Any CPU\ReleaseNET45\C2WinUI.pdb source: CodeTwo Active Directory Photos.exe, 00000006.00000002.2459946087.000000001B4C2000.00000002.00000001.01000000.00000016.sdmp
Source:	Binary string: F:\B\A11\_work\10\s\Output\C2ERBase2\Any CPU\ReleaseNET45\ER.Shared.Common.2.pdb' source: CodeTwo Active Directory Photos.exe, 00000006.00000002.2463304418.000000001BED2000.00000002.00000001.01000000.00000019.sdmp
Source:	Binary string: D:\A2\_work\115\s\Output\Obfuscated\CodeTwo Active Directory Photos.pdb source: CodeTwo Active Directory Photos.exe, 00000006.00000000.2345167044.0000000000587000.00000002.00000001.01000000.00000009.sdmp
Source:	Binary string: D:\dd\fx\NetFXDev1\binaries\x86ret\bin\i386\VSSetup\Utils\boxstub.pdb source: C2ADPhotosSetupEN.exe
Source:	Binary string: D:\A2\_work\115\s\Output\Obfuscated\C2ADPhotos.AD.pdb source: CodeTwo Active Directory Photos.exe, 00000006.00000002.2460177474.000000001B56B000.00000002.00000001.01000000.00000017.sdmp

Source: C2ADPhotosSetupEN.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: C2ADPhotosSetupEN.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: C2ADPhotosSetupEN.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: C2ADPhotosSetupEN.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: C2ADPhotosSetupEN.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata

Data Obfuscation

PE file contains an invalid checksum

Source: MSI9BE.tmp.0.dr	Static PE information: real checksum: 0x0 should be: 0x23a3e
Source: tx151.dll.2.dr	Static PE information: real checksum: 0x104664 should be: 0x109ec8

PE file contains sections with non-standard names

Source: C2ADPhotosSetupEN.exe

Static PE information: section name: .giats

Uses code obfuscation techniques (call, push, ret)

Source: C:\Program Files\CodeTwo\CodeTwo Active Directory Photos\CodeTwo Active Directory Photos.exe

Code function: 6_2_00007FF8484AD2A5 pushad ; iretd

6_2_00007FF8484AD2A6

Source: C2WinUI.dll.2.dr	Static PE information: section name: .text entropy: 7.150995223307985
Source: C2ADPhotos.Controls.dll.2.dr	Static PE information: section name: .text entropy: 7.424336172850023

Persistence and Installation Behavior

Drops PE files

Source: C:\Windows\System32\msiexec.exe	File created: C:\Program Files\CodeTwo\CodeTwo Active Directory Photos\C2Wpf.Controls.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Program Files\CodeTwo\CodeTwo Active Directory Photos\C2ADPhotos.Controls.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSI1E11.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Program Files\CodeTwo\CodeTwo Active Directory Photos\C2ADPhotos.AD.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Program Files\CodeTwo\CodeTwo Active Directory Photos\TXTextControl.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Program Files\CodeTwo\CodeTwo Active Directory Photos\ER.Shared.Html.2.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Program Files\CodeTwo\CodeTwo Active Directory Photos\tx151.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Program Files\CodeTwo\CodeTwo Active Directory Photos\C2Wpf.Common.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Program Files\CodeTwo\CodeTwo Active Directory Photos\tx151tls.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Program Files\CodeTwo\CodeTwo Active Directory Photos\ER.Shared.Settings.2.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Program Files\CodeTwo\CodeTwo Active Directory Photos\ER.Shared.Common.2.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Program Files\CodeTwo\CodeTwo Active Directory Photos\ER.Shared.RulesProcessor.2.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Program Files\CodeTwo\CodeTwo Active Directory Photos\C2ADPhotos.Common.dll	Jump to dropped file
Source: C:\Users\user\Desktop\C2ADPhotosSetupEN.exe	File created: C:\Users\user\AppData\Local\Temp\MSI9BE.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Program Files\CodeTwo\CodeTwo Active Directory Photos\tx151rtf.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Program Files\CodeTwo\CodeTwo Active Directory Photos\ER.Shared.Placeholders.2.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Program Files\CodeTwo\CodeTwo Active Directory Photos\C2.Common.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Program Files\CodeTwo\CodeTwo Active Directory Photos\C2WinUI.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Program Files\CodeTwo\CodeTwo Active Directory Photos\CodeTwo Active Directory Photos.exe	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Program Files\CodeTwo\CodeTwo Active Directory Photos\ER.Shared.MessageComposition.Lib.dll	Jump to dropped file

Drops PE files to the windows directory (C:\Windows)

Source: C:\Windows\System32\msiexec.exe

File created: C:\Windows\Installer\MSI1E11.tmp

Jump to dropped file

Boot Survival

Stores files to the Windows start menu directory

Source: C:\Windows\System32\msiexec.exe	File created: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\CodeTwo	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File created: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\CodeTwo\CodeTwo Active Directory Photos	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File created: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\CodeTwo\CodeTwo Active Directory Photos\Go to program home page.lnk	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File created: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\CodeTwo\CodeTwo Active Directory Photos\User's manual.lnk	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File created: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\CodeTwo\CodeTwo Active Directory Photos\CodeTwo Active Directory Photos.lnk	Jump to behavior

Hooking and other Techniques for Hiding and Protection

Source: C:\Users\user\Desktop\C2ADPhotosSetupEN.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\C2ADPhotosSetupEN.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\C2ADPhotosSetupEN.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\C2ADPhotosSetupEN.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\C2ADPhotosSetupEN.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\C2ADPhotosSetupEN.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\C2ADPhotosSetupEN.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\C2ADPhotosSetupEN.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\CodeTwo\CodeTwo Active Directory Photos\CodeTwo Active Directory Photos.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Program Files\CodeTwo\CodeTwo Active Directory Photos\CodeTwo Active Directory Photos.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Program Files\CodeTwo\CodeTwo Active Directory Photos\CodeTwo Active Directory Photos.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Program Files\CodeTwo\CodeTwo Active Directory Photos\CodeTwo Active Directory Photos.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\CodeTwo\CodeTwo Active Directory Photos\CodeTwo Active Directory Photos.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Program Files\CodeTwo\CodeTwo Active Directory Photos\CodeTwo Active Directory Photos.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\CodeTwo\CodeTwo Active Directory Photos\CodeTwo Active Directory Photos.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Program Files\CodeTwo\CodeTwo Active Directory Photos\CodeTwo Active Directory Photos.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\CodeTwo\CodeTwo Active Directory Photos\CodeTwo Active Directory Photos.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Program Files\CodeTwo\CodeTwo Active Directory Photos\CodeTwo Active Directory Photos.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\CodeTwo\CodeTwo Active Directory Photos\CodeTwo Active Directory Photos.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Program Files\CodeTwo\CodeTwo Active Directory Photos\CodeTwo Active Directory Photos.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\CodeTwo\CodeTwo Active Directory Photos\CodeTwo Active Directory Photos.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Program Files\CodeTwo\CodeTwo Active Directory Photos\CodeTwo Active Directory Photos.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\CodeTwo\CodeTwo Active Directory Photos\CodeTwo Active Directory Photos.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Program Files\CodeTwo\CodeTwo Active Directory Photos\CodeTwo Active Directory Photos.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\CodeTwo\CodeTwo Active Directory Photos\CodeTwo Active Directory Photos.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Program Files\CodeTwo\CodeTwo Active Directory Photos\CodeTwo Active Directory Photos.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\CodeTwo\CodeTwo Active Directory Photos\CodeTwo Active Directory Photos.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Program Files\CodeTwo\CodeTwo Active Directory Photos\CodeTwo Active Directory Photos.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\CodeTwo\CodeTwo Active Directory Photos\CodeTwo Active Directory Photos.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Program Files\CodeTwo\CodeTwo Active Directory Photos\CodeTwo Active Directory Photos.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\CodeTwo\CodeTwo Active Directory Photos\CodeTwo Active Directory Photos.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\CodeTwo\CodeTwo Active Directory Photos\CodeTwo Active Directory Photos.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Program Files\CodeTwo\CodeTwo Active Directory Photos\CodeTwo Active Directory Photos.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\CodeTwo\CodeTwo Active Directory Photos\CodeTwo Active Directory Photos.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Program Files\CodeTwo\CodeTwo Active Directory Photos\CodeTwo Active Directory Photos.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\CodeTwo\CodeTwo Active Directory Photos\CodeTwo Active Directory Photos.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Program Files\CodeTwo\CodeTwo Active Directory Photos\CodeTwo Active Directory Photos.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\CodeTwo\CodeTwo Active Directory Photos\CodeTwo Active Directory Photos.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Program Files\CodeTwo\CodeTwo Active Directory Photos\CodeTwo Active Directory Photos.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\CodeTwo\CodeTwo Active Directory Photos\CodeTwo Active Directory Photos.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Program Files\CodeTwo\CodeTwo Active Directory Photos\CodeTwo Active Directory Photos.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\CodeTwo\CodeTwo Active Directory Photos\CodeTwo Active Directory Photos.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Program Files\CodeTwo\CodeTwo Active Directory Photos\CodeTwo Active Directory Photos.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\CodeTwo\CodeTwo Active Directory Photos\CodeTwo Active Directory Photos.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Program Files\CodeTwo\CodeTwo Active Directory Photos\CodeTwo Active Directory Photos.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\CodeTwo\CodeTwo Active Directory Photos\CodeTwo Active Directory Photos.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\CodeTwo\CodeTwo Active Directory Photos\CodeTwo Active Directory Photos.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Program Files\CodeTwo\CodeTwo Active Directory Photos\CodeTwo Active Directory Photos.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\CodeTwo\CodeTwo Active Directory Photos\CodeTwo Active Directory Photos.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Program Files\CodeTwo\CodeTwo Active Directory Photos\CodeTwo Active Directory Photos.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\CodeTwo\CodeTwo Active Directory Photos\CodeTwo Active Directory Photos.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\CodeTwo\CodeTwo Active Directory Photos\CodeTwo Active Directory Photos.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Program Files\CodeTwo\CodeTwo Active Directory Photos\CodeTwo Active Directory Photos.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\CodeTwo\CodeTwo Active Directory Photos\CodeTwo Active Directory Photos.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Program Files\CodeTwo\CodeTwo Active Directory Photos\CodeTwo Active Directory Photos.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\CodeTwo\CodeTwo Active Directory Photos\CodeTwo Active Directory Photos.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Program Files\CodeTwo\CodeTwo Active Directory Photos\CodeTwo Active Directory Photos.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\CodeTwo\CodeTwo Active Directory Photos\CodeTwo Active Directory Photos.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Program Files\CodeTwo\CodeTwo Active Directory Photos\CodeTwo Active Directory Photos.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\CodeTwo\CodeTwo Active Directory Photos\CodeTwo Active Directory Photos.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Program Files\CodeTwo\CodeTwo Active Directory Photos\CodeTwo Active Directory Photos.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\CodeTwo\CodeTwo Active Directory Photos\CodeTwo Active Directory Photos.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Program Files\CodeTwo\CodeTwo Active Directory Photos\CodeTwo Active Directory Photos.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\CodeTwo\CodeTwo Active Directory Photos\CodeTwo Active Directory Photos.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Program Files\CodeTwo\CodeTwo Active Directory Photos\CodeTwo Active Directory Photos.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\CodeTwo\CodeTwo Active Directory Photos\CodeTwo Active Directory Photos.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Program Files\CodeTwo\CodeTwo Active Directory Photos\CodeTwo Active Directory Photos.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\CodeTwo\CodeTwo Active Directory Photos\CodeTwo Active Directory Photos.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Program Files\CodeTwo\CodeTwo Active Directory Photos\CodeTwo Active Directory Photos.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\CodeTwo\CodeTwo Active Directory Photos\CodeTwo Active Directory Photos.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\CodeTwo\CodeTwo Active Directory Photos\CodeTwo Active Directory Photos.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Program Files\CodeTwo\CodeTwo Active Directory Photos\CodeTwo Active Directory Photos.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\CodeTwo\CodeTwo Active Directory Photos\CodeTwo Active Directory Photos.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Program Files\CodeTwo\CodeTwo Active Directory Photos\CodeTwo Active Directory Photos.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\CodeTwo\CodeTwo Active Directory Photos\CodeTwo Active Directory Photos.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\CodeTwo\CodeTwo Active Directory Photos\CodeTwo Active Directory Photos.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Program Files\CodeTwo\CodeTwo Active Directory Photos\CodeTwo Active Directory Photos.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\CodeTwo\CodeTwo Active Directory Photos\CodeTwo Active Directory Photos.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Program Files\CodeTwo\CodeTwo Active Directory Photos\CodeTwo Active Directory Photos.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\CodeTwo\CodeTwo Active Directory Photos\CodeTwo Active Directory Photos.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\CodeTwo\CodeTwo Active Directory Photos\CodeTwo Active Directory Photos.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Program Files\CodeTwo\CodeTwo Active Directory Photos\CodeTwo Active Directory Photos.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\CodeTwo\CodeTwo Active Directory Photos\CodeTwo Active Directory Photos.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Program Files\CodeTwo\CodeTwo Active Directory Photos\CodeTwo Active Directory Photos.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\CodeTwo\CodeTwo Active Directory Photos\CodeTwo Active Directory Photos.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Program Files\CodeTwo\CodeTwo Active Directory Photos\CodeTwo Active Directory Photos.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\CodeTwo\CodeTwo Active Directory Photos\CodeTwo Active Directory Photos.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Program Files\CodeTwo\CodeTwo Active Directory Photos\CodeTwo Active Directory Photos.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\CodeTwo\CodeTwo Active Directory Photos\CodeTwo Active Directory Photos.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Program Files\CodeTwo\CodeTwo Active Directory Photos\CodeTwo Active Directory Photos.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\CodeTwo\CodeTwo Active Directory Photos\CodeTwo Active Directory Photos.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Program Files\CodeTwo\CodeTwo Active Directory Photos\CodeTwo Active Directory Photos.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\CodeTwo\CodeTwo Active Directory Photos\CodeTwo Active Directory Photos.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\CodeTwo\CodeTwo Active Directory Photos\CodeTwo Active Directory Photos.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Program Files\CodeTwo\CodeTwo Active Directory Photos\CodeTwo Active Directory Photos.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\CodeTwo\CodeTwo Active Directory Photos\CodeTwo Active Directory Photos.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Program Files\CodeTwo\CodeTwo Active Directory Photos\CodeTwo Active Directory Photos.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\CodeTwo\CodeTwo Active Directory Photos\CodeTwo Active Directory Photos.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Program Files\CodeTwo\CodeTwo Active Directory Photos\CodeTwo Active Directory Photos.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\CodeTwo\CodeTwo Active Directory Photos\CodeTwo Active Directory Photos.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Program Files\CodeTwo\CodeTwo Active Directory Photos\CodeTwo Active Directory Photos.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\CodeTwo\CodeTwo Active Directory Photos\CodeTwo Active Directory Photos.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Program Files\CodeTwo\CodeTwo Active Directory Photos\CodeTwo Active Directory Photos.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\CodeTwo\CodeTwo Active Directory Photos\CodeTwo Active Directory Photos.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Program Files\CodeTwo\CodeTwo Active Directory Photos\CodeTwo Active Directory Photos.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\CodeTwo\CodeTwo Active Directory Photos\CodeTwo Active Directory Photos.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\CodeTwo\CodeTwo Active Directory Photos\CodeTwo Active Directory Photos.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Program Files\CodeTwo\CodeTwo Active Directory Photos\CodeTwo Active Directory Photos.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\CodeTwo\CodeTwo Active Directory Photos\CodeTwo Active Directory Photos.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Program Files\CodeTwo\CodeTwo Active Directory Photos\CodeTwo Active Directory Photos.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\CodeTwo\CodeTwo Active Directory Photos\CodeTwo Active Directory Photos.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\CodeTwo\CodeTwo Active Directory Photos\CodeTwo Active Directory Photos.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Program Files\CodeTwo\CodeTwo Active Directory Photos\CodeTwo Active Directory Photos.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\CodeTwo\CodeTwo Active Directory Photos\CodeTwo Active Directory Photos.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\CodeTwo\CodeTwo Active Directory Photos\CodeTwo Active Directory Photos.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Program Files\CodeTwo\CodeTwo Active Directory Photos\CodeTwo Active Directory Photos.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\CodeTwo\CodeTwo Active Directory Photos\CodeTwo Active Directory Photos.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\CodeTwo\CodeTwo Active Directory Photos\CodeTwo Active Directory Photos.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Program Files\CodeTwo\CodeTwo Active Directory Photos\CodeTwo Active Directory Photos.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\CodeTwo\CodeTwo Active Directory Photos\CodeTwo Active Directory Photos.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\CodeTwo\CodeTwo Active Directory Photos\CodeTwo Active Directory Photos.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Program Files\CodeTwo\CodeTwo Active Directory Photos\CodeTwo Active Directory Photos.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\CodeTwo\CodeTwo Active Directory Photos\CodeTwo Active Directory Photos.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Program Files\CodeTwo\CodeTwo Active Directory Photos\CodeTwo Active Directory Photos.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\CodeTwo\CodeTwo Active Directory Photos\CodeTwo Active Directory Photos.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Program Files\CodeTwo\CodeTwo Active Directory Photos\CodeTwo Active Directory Photos.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\CodeTwo\CodeTwo Active Directory Photos\CodeTwo Active Directory Photos.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Program Files\CodeTwo\CodeTwo Active Directory Photos\CodeTwo Active Directory Photos.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Program Files\CodeTwo\CodeTwo Active Directory Photos\CodeTwo Active Directory Photos.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Program Files\CodeTwo\CodeTwo Active Directory Photos\CodeTwo Active Directory Photos.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\CodeTwo\CodeTwo Active Directory Photos\CodeTwo Active Directory Photos.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Program Files\CodeTwo\CodeTwo Active Directory Photos\CodeTwo Active Directory Photos.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\CodeTwo\CodeTwo Active Directory Photos\CodeTwo Active Directory Photos.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Program Files\CodeTwo\CodeTwo Active Directory Photos\CodeTwo Active Directory Photos.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\CodeTwo\CodeTwo Active Directory Photos\CodeTwo Active Directory Photos.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Program Files\CodeTwo\CodeTwo Active Directory Photos\CodeTwo Active Directory Photos.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\CodeTwo\CodeTwo Active Directory Photos\CodeTwo Active Directory Photos.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Program Files\CodeTwo\CodeTwo Active Directory Photos\CodeTwo Active Directory Photos.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\CodeTwo\CodeTwo Active Directory Photos\CodeTwo Active Directory Photos.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Program Files\CodeTwo\CodeTwo Active Directory Photos\CodeTwo Active Directory Photos.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\CodeTwo\CodeTwo Active Directory Photos\CodeTwo Active Directory Photos.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\CodeTwo\CodeTwo Active Directory Photos\CodeTwo Active Directory Photos.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Program Files\CodeTwo\CodeTwo Active Directory Photos\CodeTwo Active Directory Photos.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\CodeTwo\CodeTwo Active Directory Photos\CodeTwo Active Directory Photos.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Program Files\CodeTwo\CodeTwo Active Directory Photos\CodeTwo Active Directory Photos.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\CodeTwo\CodeTwo Active Directory Photos\CodeTwo Active Directory Photos.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Program Files\CodeTwo\CodeTwo Active Directory Photos\CodeTwo Active Directory Photos.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\CodeTwo\CodeTwo Active Directory Photos\CodeTwo Active Directory Photos.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\CodeTwo\CodeTwo Active Directory Photos\CodeTwo Active Directory Photos.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Program Files\CodeTwo\CodeTwo Active Directory Photos\CodeTwo Active Directory Photos.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\CodeTwo\CodeTwo Active Directory Photos\CodeTwo Active Directory Photos.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\CodeTwo\CodeTwo Active Directory Photos\CodeTwo Active Directory Photos.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Program Files\CodeTwo\CodeTwo Active Directory Photos\CodeTwo Active Directory Photos.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\CodeTwo\CodeTwo Active Directory Photos\CodeTwo Active Directory Photos.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Program Files\CodeTwo\CodeTwo Active Directory Photos\CodeTwo Active Directory Photos.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\CodeTwo\CodeTwo Active Directory Photos\CodeTwo Active Directory Photos.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\CodeTwo\CodeTwo Active Directory Photos\CodeTwo Active Directory Photos.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Program Files\CodeTwo\CodeTwo Active Directory Photos\CodeTwo Active Directory Photos.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\CodeTwo\CodeTwo Active Directory Photos\CodeTwo Active Directory Photos.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Program Files\CodeTwo\CodeTwo Active Directory Photos\CodeTwo Active Directory Photos.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\CodeTwo\CodeTwo Active Directory Photos\CodeTwo Active Directory Photos.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Program Files\CodeTwo\CodeTwo Active Directory Photos\CodeTwo Active Directory Photos.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\CodeTwo\CodeTwo Active Directory Photos\CodeTwo Active Directory Photos.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Program Files\CodeTwo\CodeTwo Active Directory Photos\CodeTwo Active Directory Photos.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\CodeTwo\CodeTwo Active Directory Photos\CodeTwo Active Directory Photos.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Program Files\CodeTwo\CodeTwo Active Directory Photos\CodeTwo Active Directory Photos.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\CodeTwo\CodeTwo Active Directory Photos\CodeTwo Active Directory Photos.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Program Files\CodeTwo\CodeTwo Active Directory Photos\CodeTwo Active Directory Photos.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\CodeTwo\CodeTwo Active Directory Photos\CodeTwo Active Directory Photos.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Program Files\CodeTwo\CodeTwo Active Directory Photos\CodeTwo Active Directory Photos.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\CodeTwo\CodeTwo Active Directory Photos\CodeTwo Active Directory Photos.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Program Files\CodeTwo\CodeTwo Active Directory Photos\CodeTwo Active Directory Photos.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\CodeTwo\CodeTwo Active Directory Photos\CodeTwo Active Directory Photos.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Program Files\CodeTwo\CodeTwo Active Directory Photos\CodeTwo Active Directory Photos.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\CodeTwo\CodeTwo Active Directory Photos\CodeTwo Active Directory Photos.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Program Files\CodeTwo\CodeTwo Active Directory Photos\CodeTwo Active Directory Photos.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\CodeTwo\CodeTwo Active Directory Photos\CodeTwo Active Directory Photos.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Program Files\CodeTwo\CodeTwo Active Directory Photos\CodeTwo Active Directory Photos.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\CodeTwo\CodeTwo Active Directory Photos\CodeTwo Active Directory Photos.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Program Files\CodeTwo\CodeTwo Active Directory Photos\CodeTwo Active Directory Photos.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\CodeTwo\CodeTwo Active Directory Photos\CodeTwo Active Directory Photos.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Program Files\CodeTwo\CodeTwo Active Directory Photos\CodeTwo Active Directory Photos.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Program Files\CodeTwo\CodeTwo Active Directory Photos\CodeTwo Active Directory Photos.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\CodeTwo\CodeTwo Active Directory Photos\CodeTwo Active Directory Photos.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Program Files\CodeTwo\CodeTwo Active Directory Photos\CodeTwo Active Directory Photos.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Program Files\CodeTwo\CodeTwo Active Directory Photos\CodeTwo Active Directory Photos.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Program Files\CodeTwo\CodeTwo Active Directory Photos\CodeTwo Active Directory Photos.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\CodeTwo\CodeTwo Active Directory Photos\CodeTwo Active Directory Photos.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Program Files\CodeTwo\CodeTwo Active Directory Photos\CodeTwo Active Directory Photos.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\CodeTwo\CodeTwo Active Directory Photos\CodeTwo Active Directory Photos.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\CodeTwo\CodeTwo Active Directory Photos\CodeTwo Active Directory Photos.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior

Malware Analysis System Evasion

Allocates memory with a write watch (potentially for evading sandboxes)

Source: C:\Program Files\CodeTwo\CodeTwo Active Directory Photos\CodeTwo Active Directory Photos.exe	Memory allocated: DE0000 memory reserve \| memory write watch			Jump to behavior
Source: C:\Program Files\CodeTwo\CodeTwo Active Directory Photos\CodeTwo Active Directory Photos.exe	Memory allocated: 1A890000 memory reserve \| memory write watch			Jump to behavior

Contains long sleeps (>= 3 min)

Source: C:\Program Files\CodeTwo\CodeTwo Active Directory Photos\CodeTwo Active Directory Photos.exe	Thread delayed: delay time: 922337203685477			Jump to behavior
Source: C:\Program Files\CodeTwo\CodeTwo Active Directory Photos\CodeTwo Active Directory Photos.exe	Thread delayed: delay time: 922337203685477			Jump to behavior

Found dropped PE file which has not been started or loaded

Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Program Files\CodeTwo\CodeTwo Active Directory Photos\C2Wpf.Controls.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Windows\Installer\MSI1E11.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Program Files\CodeTwo\CodeTwo Active Directory Photos\C2ADPhotos.Controls.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Program Files\CodeTwo\CodeTwo Active Directory Photos\C2ADPhotos.AD.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Program Files\CodeTwo\CodeTwo Active Directory Photos\ER.Shared.Html.2.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Program Files\CodeTwo\CodeTwo Active Directory Photos\TXTextControl.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Program Files\CodeTwo\CodeTwo Active Directory Photos\tx151.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Program Files\CodeTwo\CodeTwo Active Directory Photos\C2Wpf.Common.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Program Files\CodeTwo\CodeTwo Active Directory Photos\tx151tls.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Program Files\CodeTwo\CodeTwo Active Directory Photos\ER.Shared.Settings.2.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Program Files\CodeTwo\CodeTwo Active Directory Photos\ER.Shared.Common.2.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Program Files\CodeTwo\CodeTwo Active Directory Photos\ER.Shared.RulesProcessor.2.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Program Files\CodeTwo\CodeTwo Active Directory Photos\C2ADPhotos.Common.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Program Files\CodeTwo\CodeTwo Active Directory Photos\tx151rtf.dll	Jump to dropped file
Source: C:\Users\user\Desktop\C2ADPhotosSetupEN.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\MSI9BE.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Program Files\CodeTwo\CodeTwo Active Directory Photos\ER.Shared.Placeholders.2.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Program Files\CodeTwo\CodeTwo Active Directory Photos\C2.Common.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Program Files\CodeTwo\CodeTwo Active Directory Photos\C2WinUI.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Program Files\CodeTwo\CodeTwo Active Directory Photos\ER.Shared.MessageComposition.Lib.dll	Jump to dropped file

May sleep (evasive loops) to hinder dynamic analysis

Source: C:\Program Files\CodeTwo\CodeTwo Active Directory Photos\CodeTwo Active Directory Photos.exe TID: 7416	Thread sleep time: -922337203685477s >= -30000s			Jump to behavior
Source: C:\Program Files\CodeTwo\CodeTwo Active Directory Photos\CodeTwo Active Directory Photos.exe TID: 7192	Thread sleep time: -922337203685477s >= -30000s			Jump to behavior

Source: C:\Users\user\Desktop\C2ADPhotosSetupEN.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Users\user\Desktop\C2ADPhotosSetupEN.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Users\user\Desktop\C2ADPhotosSetupEN.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Users\user\Desktop\C2ADPhotosSetupEN.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Users\user\Desktop\C2ADPhotosSetupEN.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Users\user\Desktop\C2ADPhotosSetupEN.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Users\user\Desktop\C2ADPhotosSetupEN.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Users\user\Desktop\C2ADPhotosSetupEN.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Users\user\Desktop\C2ADPhotosSetupEN.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Users\user\Desktop\C2ADPhotosSetupEN.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Users\user\Desktop\C2ADPhotosSetupEN.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Users\user\Desktop\C2ADPhotosSetupEN.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Users\user\Desktop\C2ADPhotosSetupEN.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Users\user\Desktop\C2ADPhotosSetupEN.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Users\user\Desktop\C2ADPhotosSetupEN.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Users\user\Desktop\C2ADPhotosSetupEN.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Users\user\Desktop\C2ADPhotosSetupEN.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Users\user\Desktop\C2ADPhotosSetupEN.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Users\user\Desktop\C2ADPhotosSetupEN.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior

Source: C:\Program Files\CodeTwo\CodeTwo Active Directory Photos\CodeTwo Active Directory Photos.exe	Thread delayed: delay time: 922337203685477			Jump to behavior
Source: C:\Program Files\CodeTwo\CodeTwo Active Directory Photos\CodeTwo Active Directory Photos.exe	Thread delayed: delay time: 922337203685477			Jump to behavior

Source: C:\Windows\System32\msiexec.exe

Process information queried: ProcessInformation

Jump to behavior

Anti Debugging

Enables debug privileges

Source: C:\Program Files\CodeTwo\CodeTwo Active Directory Photos\CodeTwo Active Directory Photos.exe

Process token adjusted: Debug

Jump to behavior

Launches processes in debugging mode, may be used to hinder debugging

Source: C:\Windows\System32\msiexec.exe

Process created: C:\Program Files\CodeTwo\CodeTwo Active Directory Photos\CodeTwo Active Directory Photos.exe "C:\Program Files\CodeTwo\CodeTwo Active Directory Photos\CodeTwo Active Directory Photos.exe"

Jump to behavior

Source: C:\Program Files\CodeTwo\CodeTwo Active Directory Photos\CodeTwo Active Directory Photos.exe

Memory allocated: page read and write | page guard

Jump to behavior

Language, Device and Operating System Detection

Queries the volume information (name, serial number etc) of a device

Source: C:\Users\user\Desktop\C2ADPhotosSetupEN.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\C2ADPhotosSetupEN.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Program Files\CodeTwo\CodeTwo Active Directory Photos\CodeTwo Active Directory Photos.exe	Queries volume information: C:\Program Files\CodeTwo\CodeTwo Active Directory Photos\CodeTwo Active Directory Photos.exe VolumeInformation	Jump to behavior
Source: C:\Program Files\CodeTwo\CodeTwo Active Directory Photos\CodeTwo Active Directory Photos.exe	Queries volume information: C:\Program Files\CodeTwo\CodeTwo Active Directory Photos\C2.Common.dll VolumeInformation	Jump to behavior
Source: C:\Program Files\CodeTwo\CodeTwo Active Directory Photos\CodeTwo Active Directory Photos.exe	Queries volume information: C:\Program Files\CodeTwo\CodeTwo Active Directory Photos\C2ADPhotos.Common.dll VolumeInformation	Jump to behavior
Source: C:\Program Files\CodeTwo\CodeTwo Active Directory Photos\CodeTwo Active Directory Photos.exe	Queries volume information: C:\Program Files\CodeTwo\CodeTwo Active Directory Photos\C2WinUI.dll VolumeInformation	Jump to behavior
Source: C:\Program Files\CodeTwo\CodeTwo Active Directory Photos\CodeTwo Active Directory Photos.exe	Queries volume information: C:\Program Files\CodeTwo\CodeTwo Active Directory Photos\C2ADPhotos.AD.dll VolumeInformation	Jump to behavior
Source: C:\Program Files\CodeTwo\CodeTwo Active Directory Photos\CodeTwo Active Directory Photos.exe	Queries volume information: C:\Program Files\CodeTwo\CodeTwo Active Directory Photos\C2Wpf.Common.dll VolumeInformation	Jump to behavior
Source: C:\Program Files\CodeTwo\CodeTwo Active Directory Photos\CodeTwo Active Directory Photos.exe	Queries volume information: C:\Program Files\CodeTwo\CodeTwo Active Directory Photos\C2ADPhotos.Controls.dll VolumeInformation	Jump to behavior
Source: C:\Program Files\CodeTwo\CodeTwo Active Directory Photos\CodeTwo Active Directory Photos.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\WindowsFormsIntegration\v4.0_4.0.0.0__31bf3856ad364e35\WindowsFormsIntegration.dll VolumeInformation	Jump to behavior
Source: C:\Program Files\CodeTwo\CodeTwo Active Directory Photos\CodeTwo Active Directory Photos.exe	Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation	Jump to behavior
Source: C:\Program Files\CodeTwo\CodeTwo Active Directory Photos\CodeTwo Active Directory Photos.exe	Queries volume information: C:\Program Files\CodeTwo\CodeTwo Active Directory Photos\C2Wpf.Controls.dll VolumeInformation	Jump to behavior
Source: C:\Program Files\CodeTwo\CodeTwo Active Directory Photos\CodeTwo Active Directory Photos.exe	Queries volume information: C:\Program Files\CodeTwo\CodeTwo Active Directory Photos\ER.Shared.Common.2.dll VolumeInformation	Jump to behavior
Source: C:\Program Files\CodeTwo\CodeTwo Active Directory Photos\CodeTwo Active Directory Photos.exe	Queries volume information: C:\Program Files\CodeTwo\CodeTwo Active Directory Photos\ER.Shared.Placeholders.2.dll VolumeInformation	Jump to behavior
Source: C:\Program Files\CodeTwo\CodeTwo Active Directory Photos\CodeTwo Active Directory Photos.exe	Queries volume information: C:\Program Files\CodeTwo\CodeTwo Active Directory Photos\ER.Shared.Settings.2.dll VolumeInformation	Jump to behavior
Source: C:\Program Files\CodeTwo\CodeTwo Active Directory Photos\CodeTwo Active Directory Photos.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\PresentationFramework-SystemXml\v4.0_4.0.0.0__b77a5c561934e089\PresentationFramework-SystemXml.dll VolumeInformation	Jump to behavior
Source: C:\Program Files\CodeTwo\CodeTwo Active Directory Photos\CodeTwo Active Directory Photos.exe	Queries volume information: C:\Windows\Fonts\segoeui.ttf VolumeInformation	Jump to behavior
Source: C:\Program Files\CodeTwo\CodeTwo Active Directory Photos\CodeTwo Active Directory Photos.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\PresentationFramework-SystemCore\v4.0_4.0.0.0__b77a5c561934e089\PresentationFramework-SystemCore.dll VolumeInformation	Jump to behavior
Source: C:\Program Files\CodeTwo\CodeTwo Active Directory Photos\CodeTwo Active Directory Photos.exe	Queries volume information: C:\Windows\Fonts\tahomabd.ttf VolumeInformation	Jump to behavior
Source: C:\Program Files\CodeTwo\CodeTwo Active Directory Photos\CodeTwo Active Directory Photos.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\SMDiagnostics\v4.0_4.0.0.0__b77a5c561934e089\SMDiagnostics.dll VolumeInformation	Jump to behavior
Source: C:\Program Files\CodeTwo\CodeTwo Active Directory Photos\CodeTwo Active Directory Photos.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceModel.Internals\v4.0_4.0.0.0__31bf3856ad364e35\System.ServiceModel.Internals.dll VolumeInformation	Jump to behavior

Source: C:\Users\user\Desktop\C2ADPhotosSetupEN.exe

Code function: 0_2_00766571 GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter,

0_2_00766571

Source: C:\Program Files\CodeTwo\CodeTwo Active Directory Photos\CodeTwo Active Directory Photos.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Screenshots

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Network Map

⊘No contacted IP infos

Compliance

Uses 32bit PE files

Source: C2ADPhotosSetupEN.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: C:\Windows\System32\msiexec.exe	Directory created: C:\Program Files\CodeTwo	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Directory created: C:\Program Files\CodeTwo\CodeTwo Active Directory Photos	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Directory created: C:\Program Files\CodeTwo\CodeTwo Active Directory Photos\C2.Common.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Directory created: C:\Program Files\CodeTwo\CodeTwo Active Directory Photos\ER.Shared.Common.2.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Directory created: C:\Program Files\CodeTwo\CodeTwo Active Directory Photos\C2WinUI.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Directory created: C:\Program Files\CodeTwo\CodeTwo Active Directory Photos\TXTextControl.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Directory created: C:\Program Files\CodeTwo\CodeTwo Active Directory Photos\tx151rtf.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Directory created: C:\Program Files\CodeTwo\CodeTwo Active Directory Photos\tx151.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Directory created: C:\Program Files\CodeTwo\CodeTwo Active Directory Photos\tx151tls.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Directory created: C:\Program Files\CodeTwo\CodeTwo Active Directory Photos\C2ADPhotos.AD.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Directory created: C:\Program Files\CodeTwo\CodeTwo Active Directory Photos\C2ADPhotos.Common.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Directory created: C:\Program Files\CodeTwo\CodeTwo Active Directory Photos\C2ADPhotos.Controls.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Directory created: C:\Program Files\CodeTwo\CodeTwo Active Directory Photos\Data	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Directory created: C:\Program Files\CodeTwo\CodeTwo Active Directory Photos\Data\HomePage.url	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Directory created: C:\Program Files\CodeTwo\CodeTwo Active Directory Photos\CodeTwo Active Directory Photos.exe	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Directory created: C:\Program Files\CodeTwo\CodeTwo Active Directory Photos\CodeTwo Active Directory Photos.exe.config	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Directory created: C:\Program Files\CodeTwo\CodeTwo Active Directory Photos\Data\User's manual.url	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Directory created: C:\Program Files\CodeTwo\CodeTwo Active Directory Photos\C2Wpf.Common.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Directory created: C:\Program Files\CodeTwo\CodeTwo Active Directory Photos\C2Wpf.Controls.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Directory created: C:\Program Files\CodeTwo\CodeTwo Active Directory Photos\ER.Shared.MessageComposition.Lib.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Directory created: C:\Program Files\CodeTwo\CodeTwo Active Directory Photos\ER.Shared.Placeholders.2.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Directory created: C:\Program Files\CodeTwo\CodeTwo Active Directory Photos\ER.Shared.RulesProcessor.2.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Directory created: C:\Program Files\CodeTwo\CodeTwo Active Directory Photos\ER.Shared.Settings.2.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Directory created: C:\Program Files\CodeTwo\CodeTwo Active Directory Photos\ER.Shared.Html.2.dll	Jump to behavior

Source: C:\Windows\System32\msiexec.exe

Registry value created: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{A5C74DC7-9616-4A5E-846D-F56E256CF46F}

Jump to behavior

Source: C2ADPhotosSetupEN.exe

Static PE information: certificate valid

Source: C2ADPhotosSetupEN.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE

Source:	Binary string: C:\build\work\eca3d12b\wix3\build\ship\x86\uica.pdb source: C2ADPhotosSetupEN.exe, 431a48.msi.2.dr, 431a4a.msi.2.dr
Source:	Binary string: D:\A2\_work\115\s\Output\Obfuscated\C2ADPhotos.AD.pdbp source: CodeTwo Active Directory Photos.exe, 00000006.00000002.2460177474.000000001B56B000.00000002.00000001.01000000.00000017.sdmp
Source:	Binary string: F:\B\A11\_work\10\s\Main\C2Common\Modules\C2Wpf.Common\obj\ReleaseNET45\C2Wpf.Common.pdb source: CodeTwo Active Directory Photos.exe, 00000006.00000002.2454586241.00000000027F2000.00000002.00000001.01000000.00000013.sdmp
Source:	Binary string: F:\B\A11\_work\10\s\Output\C2ERBase2\Any CPU\ReleaseNET45\ER.Shared.Common.2.pdb source: CodeTwo Active Directory Photos.exe, 00000006.00000002.2463304418.000000001BED2000.00000002.00000001.01000000.00000019.sdmp
Source:	Binary string: F:\B\A11\_work\10\s\Main\C2ERBase2\Modules\ER.Shared.Settings\obj\ReleaseNET45\ER.Shared.Settings.2.pdb source: CodeTwo Active Directory Photos.exe, 00000006.00000002.2466378356.000000001D022000.00000002.00000001.01000000.0000001C.sdmp
Source:	Binary string: F:\B\A11\_work\10\s\Main\C2ERBase2\Modules\ER.Shared.Placeholders\obj\ReleaseNET45\ER.Shared.Placeholders.2.pdb source: CodeTwo Active Directory Photos.exe, 00000006.00000002.2466305357.000000001CFF2000.00000002.00000001.01000000.0000001B.sdmp, ER.Shared.Placeholders.2.dll.2.dr
Source:	Binary string: F:\B\A11\_work\10\s\Output\C2ERBase2\Any CPU\ReleaseNET45\C2.Common.pdb source: CodeTwo Active Directory Photos.exe, 00000006.00000002.2454719140.0000000002822000.00000002.00000001.01000000.00000015.sdmp
Source:	Binary string: F:\B\A11\_work\10\s\Main\C2Common\Modules\C2Wpf.Controls\obj\ReleaseNET45\C2Wpf.Controls.pdb source: CodeTwo Active Directory Photos.exe, 00000006.00000002.2463413177.000000001CF22000.00000002.00000001.01000000.0000001A.sdmp, C2Wpf.Controls.dll.2.dr
Source:	Binary string: F:\B\A11\_work\10\s\Main\C2ERBase2\Modules\ER.Shared.Placeholders\obj\ReleaseNET45\ER.Shared.Placeholders.2.pdb0~J~ <~_CorDllMainmscoree.dll source: CodeTwo Active Directory Photos.exe, 00000006.00000002.2466305357.000000001CFF2000.00000002.00000001.01000000.0000001B.sdmp, ER.Shared.Placeholders.2.dll.2.dr
Source:	Binary string: F:\B\A11\_work\10\s\Output\C2ERBase2\Any CPU\ReleaseNET45\ER.Shared.MessageComposition.Lib.pdb source: ER.Shared.MessageComposition.Lib.dll.2.dr
Source:	Binary string: F:\B\A11\_work\10\s\Output\C2ERBase2\Any CPU\ReleaseNET45\C2.Common.pdbsr source: CodeTwo Active Directory Photos.exe, 00000006.00000002.2454719140.0000000002822000.00000002.00000001.01000000.00000015.sdmp
Source:	Binary string: E:\B\A5\_work\57\s\Output\C2Native\Win32\ReleaseStatic\C2CustomActions.pdb source: C2ADPhotosSetupEN.exe, 431a48.msi.2.dr, 431a4a.msi.2.dr
Source:	Binary string: os.pdb source: CodeTwo Active Directory Photos.exe, 00000006.00000002.2459211679.000000001B3BA000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: F:\B\A11\_work\10\s\Output\C2ERBase2\Any CPU\ReleaseNET45\C2WinUI.pdb source: CodeTwo Active Directory Photos.exe, 00000006.00000002.2459946087.000000001B4C2000.00000002.00000001.01000000.00000016.sdmp
Source:	Binary string: F:\B\A11\_work\10\s\Output\C2ERBase2\Any CPU\ReleaseNET45\ER.Shared.Common.2.pdb' source: CodeTwo Active Directory Photos.exe, 00000006.00000002.2463304418.000000001BED2000.00000002.00000001.01000000.00000019.sdmp
Source:	Binary string: D:\A2\_work\115\s\Output\Obfuscated\CodeTwo Active Directory Photos.pdb source: CodeTwo Active Directory Photos.exe, 00000006.00000000.2345167044.0000000000587000.00000002.00000001.01000000.00000009.sdmp
Source:	Binary string: D:\dd\fx\NetFXDev1\binaries\x86ret\bin\i386\VSSetup\Utils\boxstub.pdb source: C2ADPhotosSetupEN.exe
Source:	Binary string: D:\A2\_work\115\s\Output\Obfuscated\C2ADPhotos.AD.pdb source: CodeTwo Active Directory Photos.exe, 00000006.00000002.2460177474.000000001B56B000.00000002.00000001.01000000.00000017.sdmp

Spreading

Checks for available system drives (often done to infect USB drives)

Source: C:\Windows\System32\msiexec.exe	File opened: z:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: x:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: v:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: t:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: r:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: p:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: n:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: l:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: j:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: h:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: f:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: b:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: y:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: w:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: u:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: s:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: q:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: o:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: m:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: k:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: i:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: g:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: e:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: c:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: a:	Jump to behavior

Networking

Source: ER.Shared.MessageComposition.Lib.dll.2.dr	String found in binary or memory: FacebookOhttps://www.facebook.com/user_name_here equals www.facebook.com (Facebook)
Source: ER.Shared.MessageComposition.Lib.dll.2.dr	String found in binary or memory: LinkedIn_https://www.linkedin.com/company/user_name_here equals www.linkedin.com (Linkedin)
Source: ER.Shared.MessageComposition.Lib.dll.2.dr	String found in binary or memory: TwitterEhttps://twitter.com/user_name_hereXingWhttps://www.xing.com/profile/user_name_here equals www.twitter.com (Twitter)
Source: ER.Shared.MessageComposition.Lib.dll.2.dr	String found in binary or memory: YoutubeWhttps://www.youtube.com/user/user_name_here'Failed load window. equals www.youtube.com (Youtube)

Source: ER.Shared.MessageComposition.Lib.dll.2.dr	String found in binary or memory: http://badoo.com/user_name_here
Source: C2ADPhotosSetupEN.exe, ER.Shared.Placeholders.2.dll.2.dr, 431a48.msi.2.dr, ER.Shared.MessageComposition.Lib.dll.2.dr, 431a4a.msi.2.dr	String found in binary or memory: http://certificates.godaddy.com/repository/0
Source: C2ADPhotosSetupEN.exe, ER.Shared.Placeholders.2.dll.2.dr, 431a48.msi.2.dr, ER.Shared.MessageComposition.Lib.dll.2.dr, 431a4a.msi.2.dr	String found in binary or memory: http://certificates.godaddy.com/repository/gdig2.crt0
Source: C2ADPhotosSetupEN.exe, ER.Shared.Placeholders.2.dll.2.dr, 431a48.msi.2.dr, ER.Shared.MessageComposition.Lib.dll.2.dr, 431a4a.msi.2.dr	String found in binary or memory: http://certs.godaddy.com/repository/1301
Source: CodeTwo Active Directory Photos.exe, 00000006.00000002.2454719140.0000000002822000.00000002.00000001.01000000.00000015.sdmp	String found in binary or memory: http://codetwo.com/CRM
Source: CodeTwo Active Directory Photos.exe, 00000006.00000002.2454719140.0000000002822000.00000002.00000001.01000000.00000015.sdmp	String found in binary or memory: http://codetwo.com/ITimeService/GetCurrentTimeResponsew
Source: CodeTwo Active Directory Photos.exe, 00000006.00000002.2454719140.0000000002822000.00000002.00000001.01000000.00000015.sdmp	String found in binary or memory: http://codetwo.com/ITimeService/GetCurrentTimeT
Source: CodeTwo Active Directory Photos.exe, 00000006.00000002.2454719140.0000000002822000.00000002.00000001.01000000.00000015.sdmp	String found in binary or memory: http://codetwo.com/ITimeService/ResetOffsetResponseI
Source: CodeTwo Active Directory Photos.exe, 00000006.00000002.2454719140.0000000002822000.00000002.00000001.01000000.00000015.sdmp	String found in binary or memory: http://codetwo.com/ITimeService/ResetOffsetT
Source: CodeTwo Active Directory Photos.exe, 00000006.00000002.2454719140.0000000002822000.00000002.00000001.01000000.00000015.sdmp	String found in binary or memory: http://codetwo.com/ITimeService/SetOffsetResponse
Source: CodeTwo Active Directory Photos.exe, 00000006.00000002.2454719140.0000000002822000.00000002.00000001.01000000.00000015.sdmp	String found in binary or memory: http://codetwo.com/ITimeService/SetOffsetT
Source: CodeTwo Active Directory Photos.exe, 00000006.00000002.2454719140.0000000002822000.00000002.00000001.01000000.00000015.sdmp	String found in binary or memory: http://codetwo.comT
Source: C2ADPhotosSetupEN.exe, ER.Shared.Placeholders.2.dll.2.dr, 431a48.msi.2.dr, ER.Shared.MessageComposition.Lib.dll.2.dr, 431a4a.msi.2.dr	String found in binary or memory: http://crl.godaddy.com/gdig2s5-3.crl0
Source: C2ADPhotosSetupEN.exe	String found in binary or memory: http://crl.godaddy.com/gdig2s5-6.crl0
Source: C2ADPhotosSetupEN.exe, ER.Shared.Placeholders.2.dll.2.dr, 431a48.msi.2.dr, ER.Shared.MessageComposition.Lib.dll.2.dr, 431a4a.msi.2.dr	String found in binary or memory: http://crl.godaddy.com/gdroot-g2.crl0F
Source: C2ADPhotosSetupEN.exe	String found in binary or memory: http://crl.sectigo.com/SectigoRSATimeStampingCA.crl0t
Source: C2ADPhotosSetupEN.exe	String found in binary or memory: http://crt.sectigo.com/SectigoRSATimeStampingCA.crt0#
Source: C2ADPhotosSetupEN.exe, ER.Shared.Placeholders.2.dll.2.dr, 431a48.msi.2.dr, ER.Shared.MessageComposition.Lib.dll.2.dr, 431a4a.msi.2.dr	String found in binary or memory: http://ocsp.godaddy.com/0
Source: C2ADPhotosSetupEN.exe, ER.Shared.Placeholders.2.dll.2.dr, 431a48.msi.2.dr, ER.Shared.MessageComposition.Lib.dll.2.dr, 431a4a.msi.2.dr	String found in binary or memory: http://ocsp.godaddy.com/05
Source: C2ADPhotosSetupEN.exe	String found in binary or memory: http://ocsp.sectigo.com0
Source: CodeTwo Active Directory Photos.exe, 00000006.00000002.2454794658.0000000002984000.00000004.00000800.00020000.00000000.sdmp, CodeTwo Active Directory Photos.exe, 00000006.00000002.2463413177.000000001CF22000.00000002.00000001.01000000.0000001A.sdmp, C2Wpf.Controls.dll.2.dr	String found in binary or memory: http://schemas.codetwo.com/Net45/defined
Source: CodeTwo Active Directory Photos.exe, 00000006.00000002.2463413177.000000001CF22000.00000002.00000001.01000000.0000001A.sdmp, C2Wpf.Controls.dll.2.dr	String found in binary or memory: http://schemas.codetwo.com/Net45/definedI
Source: CodeTwo Active Directory Photos.exe, 00000006.00000002.2454794658.0000000002EEF000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.datacontract.org
Source: CodeTwo Active Directory Photos.exe, 00000006.00000002.2459946087.000000001B4C2000.00000002.00000001.01000000.00000016.sdmp, CodeTwo Active Directory Photos.exe, 00000006.00000002.2454794658.0000000002EEF000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.datacontract.org/2004/07/
Source: CodeTwo Active Directory Photos.exe, 00000006.00000002.2454794658.0000000002EEF000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.datacontract.org/2004/07/C2ADPhotos.AD
Source: CodeTwo Active Directory Photos.exe, 00000006.00000002.2454794658.0000000002EEF000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.datacontract.org/2004/07/C2ADPhotos.Common
Source: CodeTwo Active Directory Photos.exe, 00000006.00000002.2454794658.0000000002EEF000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.datacontract.org/2004/07/ER.Shared.Placeholders
Source: CodeTwo Active Directory Photos.exe, 00000006.00000002.2454794658.0000000002EEF000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.datacontract.org/2004/07/System.Xml
Source: ER.Shared.MessageComposition.Lib.dll.2.dr	String found in binary or memory: http://url_to/rss.xml
Source: ER.Shared.MessageComposition.Lib.dll.2.dr	String found in binary or memory: http://user_name_here.tumblr.com
Source: ER.Shared.MessageComposition.Lib.dll.2.dr	String found in binary or memory: http://www.codetw.com
Source: CodeTwo Active Directory Photos.exe, 00000006.00000002.2454651827.0000000002802000.00000002.00000001.01000000.00000014.sdmp, CodeTwo Active Directory Photos.exe, 00000006.00000002.2454794658.0000000002EEF000.00000004.00000800.00020000.00000000.sdmp, ER.Shared.MessageComposition.Lib.dll.2.dr	String found in binary or memory: http://www.codetwo.com
Source: CodeTwo Active Directory Photos.exe, 00000006.00000002.2466305357.000000001CFF2000.00000002.00000001.01000000.0000001B.sdmp, ER.Shared.Placeholders.2.dll.2.dr	String found in binary or memory: http://www.codetwo.com.
Source: CodeTwo Active Directory Photos.exe, 00000006.00000002.2454794658.0000000002EEF000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.codetwo.com/
Source: ER.Shared.MessageComposition.Lib.dll.2.dr	String found in binary or memory: http://www.codetwo.com/EmailTracking
Source: C2ADPhotosSetupEN.exe, 00000000.00000003.2373722770.0000000002059000.00000004.00000020.00020000.00000000.sdmp, C2ADPhotosSetupEN.exe, 00000000.00000002.2376879823.000000000205C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.codetwo.com/form/uninstall/active-directory-photos/
Source: HomePage.url.2.dr	String found in binary or memory: http://www.codetwo.com/freeware/active-directory-photos?sts=1327
Source: C2ADPhotosSetupEN.exe, ER.Shared.Placeholders.2.dll.2.dr, 431a48.msi.2.dr, ER.Shared.MessageComposition.Lib.dll.2.dr, 431a4a.msi.2.dr	String found in binary or memory: http://www.codetwo.com0
Source: CodeTwo Active Directory Photos.exe, 00000006.00000002.2463304418.000000001BED2000.00000002.00000001.01000000.00000019.sdmp, CodeTwo Active Directory Photos.exe, 00000006.00000002.2454651827.0000000002802000.00000002.00000001.01000000.00000014.sdmp	String found in binary or memory: http://www.codetwo.com5
Source: CodeTwo Active Directory Photos.exe, 00000006.00000002.2454651827.0000000002802000.00000002.00000001.01000000.00000014.sdmp	String found in binary or memory: http://www.codetwo.com8
Source: CodeTwo Active Directory Photos.exe, 00000006.00000002.2454651827.0000000002802000.00000002.00000001.01000000.00000014.sdmp	String found in binary or memory: http://www.codetwo.com;
Source: CodeTwo Active Directory Photos.exe, 00000006.00000002.2466305357.000000001CFF2000.00000002.00000001.01000000.0000001B.sdmp, CodeTwo Active Directory Photos.exe, 00000006.00000002.2463304418.000000001BED2000.00000002.00000001.01000000.00000019.sdmp, CodeTwo Active Directory Photos.exe, 00000006.00000000.2345167044.00000000003D2000.00000002.00000001.01000000.00000009.sdmp, CodeTwo Active Directory Photos.exe, 00000006.00000002.2454719140.0000000002822000.00000002.00000001.01000000.00000015.sdmp, CodeTwo Active Directory Photos.exe, 00000006.00000002.2466378356.000000001D022000.00000002.00000001.01000000.0000001C.sdmp, ER.Shared.Placeholders.2.dll.2.dr	String found in binary or memory: http://www.codetwo.comT
Source: CodeTwo Active Directory Photos.exe, 00000006.00000000.2345167044.00000000003D2000.00000002.00000001.01000000.00000009.sdmp	String found in binary or memory: http://www.codetwo.comV
Source: CodeTwo Active Directory Photos.exe, 00000006.00000002.2454794658.0000000002EEF000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.codetwo.comX
Source: CodeTwo Active Directory Photos.exe, 00000006.00000002.2454794658.00000000031C9000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.codetwo.comh
Source: ER.Shared.MessageComposition.Lib.dll.2.dr	String found in binary or memory: http://www.codetwo.comohttp://www.codetwo.com/freeware/active-directory-photos
Source: CodeTwo Active Directory Photos.exe, 00000006.00000002.2454794658.00000000031C9000.00000004.00000800.00020000.00000000.sdmp, CodeTwo Active Directory Photos.exe, 00000006.00000002.2454794658.0000000002EEF000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.codetwo.comp
Source: CodeTwo Active Directory Photos.exe, 00000006.00000002.2454794658.00000000031C9000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.w3.o
Source: CodeTwo Active Directory Photos.exe, 00000006.00000002.2454794658.00000000031C9000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.w3.oh
Source: C2ADPhotosSetupEN.exe, ER.Shared.Placeholders.2.dll.2.dr, 431a48.msi.2.dr, ER.Shared.MessageComposition.Lib.dll.2.dr, 431a4a.msi.2.dr	String found in binary or memory: https://certs.godaddy.com/repository/0
Source: ER.Shared.MessageComposition.Lib.dll.2.dr	String found in binary or memory: https://instagram.com/user_name_here
Source: ER.Shared.MessageComposition.Lib.dll.2.dr	String found in binary or memory: https://plus.google.com/
Source: C2ADPhotosSetupEN.exe	String found in binary or memory: https://sectigo.com/CPS0D
Source: ER.Shared.MessageComposition.Lib.dll.2.dr	String found in binary or memory: https://soundcloud.com/user_name_here
Source: ER.Shared.MessageComposition.Lib.dll.2.dr	String found in binary or memory: https://twitter.com/user_name_here
Source: CodeTwo Active Directory Photos.exe, 00000006.00000000.2345167044.00000000003D2000.00000002.00000001.01000000.00000009.sdmp	String found in binary or memory: https://userphotos365.codetwo.com
Source: CodeTwo Active Directory Photos.exe, 00000006.00000002.2454794658.0000000002B82000.00000004.00000800.00020000.00000000.sdmp, CodeTwo Active Directory Photos.exe, 00000006.00000002.2454651827.0000000002802000.00000002.00000001.01000000.00000014.sdmp	String found in binary or memory: https://www.codetwo.com/exchange-rules-pro/how-to-add-signatures-with-photos-from-active-directory?s
Source: CodeTwo Active Directory Photos.exe, 00000006.00000002.2454651827.0000000002802000.00000002.00000001.01000000.00000014.sdmp	String found in binary or memory: https://www.codetwo.com/freeware/active-directory-photos?sts=1327
Source: ER.Shared.MessageComposition.Lib.dll.2.dr	String found in binary or memory: https://www.codetwo.com/kb/images-online-vs-embedded/
Source: CodeTwo Active Directory Photos.exe, 00000006.00000002.2454794658.0000000002B82000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.codetwo.com/solutions-for-exchange-server/?sts=1326
Source: CodeTwo Active Directory Photos.exe, 00000006.00000002.2454651827.0000000002802000.00000002.00000001.01000000.00000014.sdmp	String found in binary or memory: https://www.codetwo.com/userguide/active-directory-photos/interface.htm?sts=1327#custom-filter
Source: CodeTwo Active Directory Photos.exe, 00000006.00000002.2454651827.0000000002802000.00000002.00000001.01000000.00000014.sdmp	String found in binary or memory: https://www.codetwo.com/userguide/active-directory-photos/multi-photo.htm?sts=1327#automatch
Source: CodeTwo Active Directory Photos.exe, 00000006.00000002.2454651827.0000000002802000.00000002.00000001.01000000.00000014.sdmp	String found in binary or memory: https://www.codetwo.com/userguide/active-directory-photos/multi-photo.htm?sts=1327#export
Source: CodeTwo Active Directory Photos.exe, 00000006.00000002.2454651827.0000000002802000.00000002.00000001.01000000.00000014.sdmp	String found in binary or memory: https://www.codetwo.com/userguide/active-directory-photos/multi-photo.htm?sts=1327#import
Source: CodeTwo Active Directory Photos.exe, 00000006.00000002.2454651827.0000000002802000.00000002.00000001.01000000.00000014.sdmp	String found in binary or memory: https://www.codetwo.com/userguide/active-directory-photos/photo-editor.htm?sts=1327
Source: CodeTwo Active Directory Photos.exe, 00000006.00000002.2454651827.0000000002802000.00000002.00000001.01000000.00000014.sdmp	String found in binary or memory: https://www.codetwo.com/userguide/active-directory-photos/settings.htm?sts=1327
Source: CodeTwo Active Directory Photos.exe, 00000006.00000002.2454651827.0000000002802000.00000002.00000001.01000000.00000014.sdmp	String found in binary or memory: https://www.codetwo.com?sts=1328
Source: ER.Shared.MessageComposition.Lib.dll.2.dr	String found in binary or memory: https://www.linkedin.com/company/user_name_here
Source: ER.Shared.MessageComposition.Lib.dll.2.dr	String found in binary or memory: https://www.pinterest.com/user_name_here
Source: ER.Shared.MessageComposition.Lib.dll.2.dr	String found in binary or memory: https://www.xing.com/profile/user_name_here
Source: ER.Shared.MessageComposition.Lib.dll.2.dr	String found in binary or memory: https://www.youtube.com/user/user_name_here

System Summary

Creates files inside the system directory

Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\431a48.msi	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSI1E11.tmp	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\inprogressinstallinfo.ipi	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\SourceHash{A5C74DC7-9616-4A5E-846D-F56E256CF46F}	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSI1EDD.tmp	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\{A5C74DC7-9616-4A5E-846D-F56E256CF46F}	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\{A5C74DC7-9616-4A5E-846D-F56E256CF46F}\icon.ico	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\{A5C74DC7-9616-4A5E-846D-F56E256CF46F}\ie.ico	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\431a4a.msi	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\431a4a.msi	Jump to behavior

Deletes files inside the Windows folder

Source: C:\Windows\System32\msiexec.exe

File deleted: C:\Windows\Installer\MSI1E11.tmp

Jump to behavior

Detected potential crypto function

Source: C:\Program Files\CodeTwo\CodeTwo Active Directory Photos\CodeTwo Active Directory Photos.exe	Code function: 6_2_00007FF8485CA23E	6_2_00007FF8485CA23E
Source: C:\Program Files\CodeTwo\CodeTwo Active Directory Photos\CodeTwo Active Directory Photos.exe	Code function: 6_2_00007FF8485C49FB	6_2_00007FF8485C49FB
Source: C:\Program Files\CodeTwo\CodeTwo Active Directory Photos\CodeTwo Active Directory Photos.exe	Code function: 6_2_00007FF8485C6AA6	6_2_00007FF8485C6AA6
Source: C:\Program Files\CodeTwo\CodeTwo Active Directory Photos\CodeTwo Active Directory Photos.exe	Code function: 6_2_00007FF8485C5B74	6_2_00007FF8485C5B74
Source: C:\Program Files\CodeTwo\CodeTwo Active Directory Photos\CodeTwo Active Directory Photos.exe	Code function: 6_2_00007FF8485C0D6D	6_2_00007FF8485C0D6D
Source: C:\Program Files\CodeTwo\CodeTwo Active Directory Photos\CodeTwo Active Directory Photos.exe	Code function: 6_2_00007FF8485CE061	6_2_00007FF8485CE061
Source: C:\Program Files\CodeTwo\CodeTwo Active Directory Photos\CodeTwo Active Directory Photos.exe	Code function: 6_2_00007FF8485CE146	6_2_00007FF8485CE146
Source: C:\Program Files\CodeTwo\CodeTwo Active Directory Photos\CodeTwo Active Directory Photos.exe	Code function: 6_2_00007FF8485CE178	6_2_00007FF8485CE178
Source: C:\Program Files\CodeTwo\CodeTwo Active Directory Photos\CodeTwo Active Directory Photos.exe	Code function: 6_2_00007FF8485C6B3A	6_2_00007FF8485C6B3A
Source: C:\Program Files\CodeTwo\CodeTwo Active Directory Photos\CodeTwo Active Directory Photos.exe	Code function: 6_2_00007FF848770A98	6_2_00007FF848770A98
Source: C:\Program Files\CodeTwo\CodeTwo Active Directory Photos\CodeTwo Active Directory Photos.exe	Code function: 6_2_00007FF8485C7A91	6_2_00007FF8485C7A91

PE file contains executable resources (Code or Archives)

Source: C2ADPhotosSetupEN.exe

Static PE information: Resource name: EXE type: PE32 executable (GUI) Intel 80386, for MS Windows

Sample file is different than original file name gathered from version info

Source: C2ADPhotosSetupEN.exe, 00000000.00000002.2375301153.0000000000839000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenameuica.dll\ vs C2ADPhotosSetupEN.exe
Source: C2ADPhotosSetupEN.exe, 00000000.00000002.2375301153.00000000016C6000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenameNDP46-KB3045560-Web.exeZ vs C2ADPhotosSetupEN.exe
Source: C2ADPhotosSetupEN.exe, 00000000.00000002.2375301153.00000000016C6000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenameBoxStub.exeT vs C2ADPhotosSetupEN.exe
Source: C2ADPhotosSetupEN.exe, 00000000.00000000.2137298045.0000000000FCA000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenameuica.dll\ vs C2ADPhotosSetupEN.exe
Source: C2ADPhotosSetupEN.exe	Binary or memory string: OriginalFilenameuica.dll\ vs C2ADPhotosSetupEN.exe
Source: C2ADPhotosSetupEN.exe	Binary or memory string: OriginalFilenameNDP46-KB3045560-Web.exeZ vs C2ADPhotosSetupEN.exe
Source: C2ADPhotosSetupEN.exe	Binary or memory string: OriginalFilenameBoxStub.exeT vs C2ADPhotosSetupEN.exe

Uses 32bit PE files

Source: C2ADPhotosSetupEN.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: classification engine

Classification label: clean5.winEXE@8/54@0/0

Source: C:\Windows\System32\msiexec.exe

File created: C:\Program Files\CodeTwo

Jump to behavior

Source: C:\Program Files\CodeTwo\CodeTwo Active Directory Photos\CodeTwo Active Directory Photos.exe

File created: C:\Users\user\AppData\Local\CodeTwo

Jump to behavior

Source: C:\Program Files\CodeTwo\CodeTwo Active Directory Photos\CodeTwo Active Directory Photos.exe

Mutant created: NULL

Source: C:\Users\user\Desktop\C2ADPhotosSetupEN.exe

File created: C:\Users\user\AppData\Local\Temp\MSI9BE.tmp

Jump to behavior

Source: C2ADPhotosSetupEN.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\C2ADPhotosSetupEN.exe

File read: C:\Windows\win.ini

Jump to behavior

Source: C:\Users\user\Desktop\C2ADPhotosSetupEN.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\C2ADPhotosSetupEN.exe "C:\Users\user\Desktop\C2ADPhotosSetupEN.exe"
Source: unknown	Process created: C:\Windows\System32\msiexec.exe C:\Windows\system32\msiexec.exe /V
Source: C:\Windows\System32\msiexec.exe	Process created: C:\Windows\SysWOW64\msiexec.exe C:\Windows\syswow64\MsiExec.exe -Embedding D9E5602CD0D1E59BA79DE8DE2B3D0A62 C
Source: C:\Windows\System32\msiexec.exe	Process created: C:\Windows\SysWOW64\msiexec.exe C:\Windows\syswow64\MsiExec.exe -Embedding 3336940CC5EF5A00D0ECD9674475EFA1
Source: C:\Windows\System32\msiexec.exe	Process created: C:\Program Files\CodeTwo\CodeTwo Active Directory Photos\CodeTwo Active Directory Photos.exe "C:\Program Files\CodeTwo\CodeTwo Active Directory Photos\CodeTwo Active Directory Photos.exe"
Source: C:\Windows\System32\msiexec.exe	Process created: C:\Windows\SysWOW64\msiexec.exe C:\Windows\syswow64\MsiExec.exe -Embedding D9E5602CD0D1E59BA79DE8DE2B3D0A62 C	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process created: C:\Windows\SysWOW64\msiexec.exe C:\Windows\syswow64\MsiExec.exe -Embedding 3336940CC5EF5A00D0ECD9674475EFA1	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process created: C:\Program Files\CodeTwo\CodeTwo Active Directory Photos\CodeTwo Active Directory Photos.exe "C:\Program Files\CodeTwo\CodeTwo Active Directory Photos\CodeTwo Active Directory Photos.exe"	Jump to behavior

Source: C:\Users\user\Desktop\C2ADPhotosSetupEN.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\C2ADPhotosSetupEN.exe	Section loaded: msimg32.dll	Jump to behavior
Source: C:\Users\user\Desktop\C2ADPhotosSetupEN.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\C2ADPhotosSetupEN.exe	Section loaded: oledlg.dll	Jump to behavior
Source: C:\Users\user\Desktop\C2ADPhotosSetupEN.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\Desktop\C2ADPhotosSetupEN.exe	Section loaded: msi.dll	Jump to behavior
Source: C:\Users\user\Desktop\C2ADPhotosSetupEN.exe	Section loaded: oleacc.dll	Jump to behavior
Source: C:\Users\user\Desktop\C2ADPhotosSetupEN.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\C2ADPhotosSetupEN.exe	Section loaded: shfolder.dll	Jump to behavior
Source: C:\Users\user\Desktop\C2ADPhotosSetupEN.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\C2ADPhotosSetupEN.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\C2ADPhotosSetupEN.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\C2ADPhotosSetupEN.exe	Section loaded: srpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\C2ADPhotosSetupEN.exe	Section loaded: tsappcmp.dll	Jump to behavior
Source: C:\Users\user\Desktop\C2ADPhotosSetupEN.exe	Section loaded: textinputframework.dll	Jump to behavior
Source: C:\Users\user\Desktop\C2ADPhotosSetupEN.exe	Section loaded: coreuicomponents.dll	Jump to behavior
Source: C:\Users\user\Desktop\C2ADPhotosSetupEN.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Users\user\Desktop\C2ADPhotosSetupEN.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Users\user\Desktop\C2ADPhotosSetupEN.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\C2ADPhotosSetupEN.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\C2ADPhotosSetupEN.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\C2ADPhotosSetupEN.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\Desktop\C2ADPhotosSetupEN.exe	Section loaded: textshaping.dll	Jump to behavior
Source: C:\Users\user\Desktop\C2ADPhotosSetupEN.exe	Section loaded: netapi32.dll	Jump to behavior
Source: C:\Users\user\Desktop\C2ADPhotosSetupEN.exe	Section loaded: wkscli.dll	Jump to behavior
Source: C:\Users\user\Desktop\C2ADPhotosSetupEN.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\C2ADPhotosSetupEN.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\C2ADPhotosSetupEN.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\Desktop\C2ADPhotosSetupEN.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\C2ADPhotosSetupEN.exe	Section loaded: msihnd.dll	Jump to behavior
Source: C:\Users\user\Desktop\C2ADPhotosSetupEN.exe	Section loaded: dwmapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\C2ADPhotosSetupEN.exe	Section loaded: pcacli.dll	Jump to behavior
Source: C:\Users\user\Desktop\C2ADPhotosSetupEN.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Users\user\Desktop\C2ADPhotosSetupEN.exe	Section loaded: windowscodecs.dll	Jump to behavior
Source: C:\Users\user\Desktop\C2ADPhotosSetupEN.exe	Section loaded: riched20.dll	Jump to behavior
Source: C:\Users\user\Desktop\C2ADPhotosSetupEN.exe	Section loaded: usp10.dll	Jump to behavior
Source: C:\Users\user\Desktop\C2ADPhotosSetupEN.exe	Section loaded: msls31.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: aclayers.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: sfc.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: sfc_os.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: msi.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: tsappcmp.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: netapi32.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: wkscli.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: srclient.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: spp.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: powrprof.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: vssapi.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: vsstrace.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: umpdc.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: rstrtmgr.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: pcacli.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: cabinet.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: linkinfo.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: ntshrui.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: cscapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: aclayers.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: sfc.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: sfc_os.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: msi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: aclayers.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: sfc.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: sfc_os.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: msi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: msimg32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: oledlg.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: oleacc.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Program Files\CodeTwo\CodeTwo Active Directory Photos\CodeTwo Active Directory Photos.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Program Files\CodeTwo\CodeTwo Active Directory Photos\CodeTwo Active Directory Photos.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Program Files\CodeTwo\CodeTwo Active Directory Photos\CodeTwo Active Directory Photos.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Program Files\CodeTwo\CodeTwo Active Directory Photos\CodeTwo Active Directory Photos.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Program Files\CodeTwo\CodeTwo Active Directory Photos\CodeTwo Active Directory Photos.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Program Files\CodeTwo\CodeTwo Active Directory Photos\CodeTwo Active Directory Photos.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Program Files\CodeTwo\CodeTwo Active Directory Photos\CodeTwo Active Directory Photos.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Program Files\CodeTwo\CodeTwo Active Directory Photos\CodeTwo Active Directory Photos.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Program Files\CodeTwo\CodeTwo Active Directory Photos\CodeTwo Active Directory Photos.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Program Files\CodeTwo\CodeTwo Active Directory Photos\CodeTwo Active Directory Photos.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Program Files\CodeTwo\CodeTwo Active Directory Photos\CodeTwo Active Directory Photos.exe	Section loaded: dwrite.dll	Jump to behavior
Source: C:\Program Files\CodeTwo\CodeTwo Active Directory Photos\CodeTwo Active Directory Photos.exe	Section loaded: msvcp140_clr0400.dll	Jump to behavior
Source: C:\Program Files\CodeTwo\CodeTwo Active Directory Photos\CodeTwo Active Directory Photos.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Program Files\CodeTwo\CodeTwo Active Directory Photos\CodeTwo Active Directory Photos.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Program Files\CodeTwo\CodeTwo Active Directory Photos\CodeTwo Active Directory Photos.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Program Files\CodeTwo\CodeTwo Active Directory Photos\CodeTwo Active Directory Photos.exe	Section loaded: windowscodecs.dll	Jump to behavior
Source: C:\Program Files\CodeTwo\CodeTwo Active Directory Photos\CodeTwo Active Directory Photos.exe	Section loaded: textshaping.dll	Jump to behavior
Source: C:\Program Files\CodeTwo\CodeTwo Active Directory Photos\CodeTwo Active Directory Photos.exe	Section loaded: textinputframework.dll	Jump to behavior
Source: C:\Program Files\CodeTwo\CodeTwo Active Directory Photos\CodeTwo Active Directory Photos.exe	Section loaded: coreuicomponents.dll	Jump to behavior
Source: C:\Program Files\CodeTwo\CodeTwo Active Directory Photos\CodeTwo Active Directory Photos.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Program Files\CodeTwo\CodeTwo Active Directory Photos\CodeTwo Active Directory Photos.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Program Files\CodeTwo\CodeTwo Active Directory Photos\CodeTwo Active Directory Photos.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Program Files\CodeTwo\CodeTwo Active Directory Photos\CodeTwo Active Directory Photos.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Program Files\CodeTwo\CodeTwo Active Directory Photos\CodeTwo Active Directory Photos.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Program Files\CodeTwo\CodeTwo Active Directory Photos\CodeTwo Active Directory Photos.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Program Files\CodeTwo\CodeTwo Active Directory Photos\CodeTwo Active Directory Photos.exe	Section loaded: dwmapi.dll	Jump to behavior
Source: C:\Program Files\CodeTwo\CodeTwo Active Directory Photos\CodeTwo Active Directory Photos.exe	Section loaded: d3d9.dll	Jump to behavior
Source: C:\Program Files\CodeTwo\CodeTwo Active Directory Photos\CodeTwo Active Directory Photos.exe	Section loaded: d3d10warp.dll	Jump to behavior
Source: C:\Program Files\CodeTwo\CodeTwo Active Directory Photos\CodeTwo Active Directory Photos.exe	Section loaded: wtsapi32.dll	Jump to behavior
Source: C:\Program Files\CodeTwo\CodeTwo Active Directory Photos\CodeTwo Active Directory Photos.exe	Section loaded: winsta.dll	Jump to behavior
Source: C:\Program Files\CodeTwo\CodeTwo Active Directory Photos\CodeTwo Active Directory Photos.exe	Section loaded: powrprof.dll	Jump to behavior
Source: C:\Program Files\CodeTwo\CodeTwo Active Directory Photos\CodeTwo Active Directory Photos.exe	Section loaded: umpdc.dll	Jump to behavior
Source: C:\Program Files\CodeTwo\CodeTwo Active Directory Photos\CodeTwo Active Directory Photos.exe	Section loaded: dataexchange.dll	Jump to behavior
Source: C:\Program Files\CodeTwo\CodeTwo Active Directory Photos\CodeTwo Active Directory Photos.exe	Section loaded: d3d11.dll	Jump to behavior
Source: C:\Program Files\CodeTwo\CodeTwo Active Directory Photos\CodeTwo Active Directory Photos.exe	Section loaded: dcomp.dll	Jump to behavior
Source: C:\Program Files\CodeTwo\CodeTwo Active Directory Photos\CodeTwo Active Directory Photos.exe	Section loaded: dxgi.dll	Jump to behavior
Source: C:\Program Files\CodeTwo\CodeTwo Active Directory Photos\CodeTwo Active Directory Photos.exe	Section loaded: twinapi.appcore.dll	Jump to behavior
Source: C:\Program Files\CodeTwo\CodeTwo Active Directory Photos\CodeTwo Active Directory Photos.exe	Section loaded: ntdsapi.dll	Jump to behavior
Source: C:\Program Files\CodeTwo\CodeTwo Active Directory Photos\CodeTwo Active Directory Photos.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Program Files\CodeTwo\CodeTwo Active Directory Photos\CodeTwo Active Directory Photos.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Program Files\CodeTwo\CodeTwo Active Directory Photos\CodeTwo Active Directory Photos.exe	Section loaded: netapi32.dll	Jump to behavior
Source: C:\Program Files\CodeTwo\CodeTwo Active Directory Photos\CodeTwo Active Directory Photos.exe	Section loaded: logoncli.dll	Jump to behavior
Source: C:\Program Files\CodeTwo\CodeTwo Active Directory Photos\CodeTwo Active Directory Photos.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Program Files\CodeTwo\CodeTwo Active Directory Photos\CodeTwo Active Directory Photos.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Program Files\CodeTwo\CodeTwo Active Directory Photos\CodeTwo Active Directory Photos.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Program Files\CodeTwo\CodeTwo Active Directory Photos\CodeTwo Active Directory Photos.exe	Section loaded: resourcepolicyclient.dll	Jump to behavior
Source: C:\Program Files\CodeTwo\CodeTwo Active Directory Photos\CodeTwo Active Directory Photos.exe	Section loaded: dxcore.dll	Jump to behavior
Source: C:\Program Files\CodeTwo\CodeTwo Active Directory Photos\CodeTwo Active Directory Photos.exe	Section loaded: d3dcompiler_47.dll	Jump to behavior

Source: C:\Users\user\Desktop\C2ADPhotosSetupEN.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{000C1090-0000-0000-C000-000000000046}\InprocServer32

Jump to behavior

Source: C:\Users\user\Desktop\C2ADPhotosSetupEN.exe	Automated click: Next
Source: C:\Users\user\Desktop\C2ADPhotosSetupEN.exe	Automated click: I accept the terms in the License Agreement
Source: C:\Users\user\Desktop\C2ADPhotosSetupEN.exe	Automated click: Next
Source: C:\Users\user\Desktop\C2ADPhotosSetupEN.exe	Automated click: Next
Source: C:\Users\user\Desktop\C2ADPhotosSetupEN.exe	Automated click: Install
Source: C:\Program Files\CodeTwo\CodeTwo Active Directory Photos\CodeTwo Active Directory Photos.exe	Automated click: OK

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Program Files\CodeTwo\CodeTwo Active Directory Photos\CodeTwo Active Directory Photos.exe

File opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dll

Jump to behavior

Source: C:\Windows\System32\msiexec.exe	Directory created: C:\Program Files\CodeTwo	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Directory created: C:\Program Files\CodeTwo\CodeTwo Active Directory Photos	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Directory created: C:\Program Files\CodeTwo\CodeTwo Active Directory Photos\C2.Common.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Directory created: C:\Program Files\CodeTwo\CodeTwo Active Directory Photos\ER.Shared.Common.2.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Directory created: C:\Program Files\CodeTwo\CodeTwo Active Directory Photos\C2WinUI.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Directory created: C:\Program Files\CodeTwo\CodeTwo Active Directory Photos\TXTextControl.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Directory created: C:\Program Files\CodeTwo\CodeTwo Active Directory Photos\tx151rtf.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Directory created: C:\Program Files\CodeTwo\CodeTwo Active Directory Photos\tx151.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Directory created: C:\Program Files\CodeTwo\CodeTwo Active Directory Photos\tx151tls.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Directory created: C:\Program Files\CodeTwo\CodeTwo Active Directory Photos\C2ADPhotos.AD.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Directory created: C:\Program Files\CodeTwo\CodeTwo Active Directory Photos\C2ADPhotos.Common.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Directory created: C:\Program Files\CodeTwo\CodeTwo Active Directory Photos\C2ADPhotos.Controls.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Directory created: C:\Program Files\CodeTwo\CodeTwo Active Directory Photos\Data	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Directory created: C:\Program Files\CodeTwo\CodeTwo Active Directory Photos\Data\HomePage.url	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Directory created: C:\Program Files\CodeTwo\CodeTwo Active Directory Photos\CodeTwo Active Directory Photos.exe	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Directory created: C:\Program Files\CodeTwo\CodeTwo Active Directory Photos\CodeTwo Active Directory Photos.exe.config	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Directory created: C:\Program Files\CodeTwo\CodeTwo Active Directory Photos\Data\User's manual.url	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Directory created: C:\Program Files\CodeTwo\CodeTwo Active Directory Photos\C2Wpf.Common.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Directory created: C:\Program Files\CodeTwo\CodeTwo Active Directory Photos\C2Wpf.Controls.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Directory created: C:\Program Files\CodeTwo\CodeTwo Active Directory Photos\ER.Shared.MessageComposition.Lib.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Directory created: C:\Program Files\CodeTwo\CodeTwo Active Directory Photos\ER.Shared.Placeholders.2.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Directory created: C:\Program Files\CodeTwo\CodeTwo Active Directory Photos\ER.Shared.RulesProcessor.2.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Directory created: C:\Program Files\CodeTwo\CodeTwo Active Directory Photos\ER.Shared.Settings.2.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Directory created: C:\Program Files\CodeTwo\CodeTwo Active Directory Photos\ER.Shared.Html.2.dll	Jump to behavior

Source: C:\Windows\System32\msiexec.exe

Registry value created: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{A5C74DC7-9616-4A5E-846D-F56E256CF46F}

Jump to behavior

Source: C2ADPhotosSetupEN.exe

Static PE information: certificate valid

Source: C2ADPhotosSetupEN.exe

Static PE information: Virtual size of .text is bigger than: 0x100000

Source: C2ADPhotosSetupEN.exe

Static file information: File size 19423456 > 1048576

Source: C2ADPhotosSetupEN.exe	Static PE information: Raw size of .text is bigger than: 0x100000 < 0x172a00
Source: C2ADPhotosSetupEN.exe	Static PE information: Raw size of .rsrc is bigger than: 0x100000 < 0x1083600

Source: C2ADPhotosSetupEN.exe

Static PE information: More than 200 imports for USER32.dll

Source: C2ADPhotosSetupEN.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: C2ADPhotosSetupEN.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: C2ADPhotosSetupEN.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: C2ADPhotosSetupEN.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: C2ADPhotosSetupEN.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: C2ADPhotosSetupEN.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT

Source: C2ADPhotosSetupEN.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE

Source: C2ADPhotosSetupEN.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Source:	Binary string: C:\build\work\eca3d12b\wix3\build\ship\x86\uica.pdb source: C2ADPhotosSetupEN.exe, 431a48.msi.2.dr, 431a4a.msi.2.dr
Source:	Binary string: D:\A2\_work\115\s\Output\Obfuscated\C2ADPhotos.AD.pdbp source: CodeTwo Active Directory Photos.exe, 00000006.00000002.2460177474.000000001B56B000.00000002.00000001.01000000.00000017.sdmp
Source:	Binary string: F:\B\A11\_work\10\s\Main\C2Common\Modules\C2Wpf.Common\obj\ReleaseNET45\C2Wpf.Common.pdb source: CodeTwo Active Directory Photos.exe, 00000006.00000002.2454586241.00000000027F2000.00000002.00000001.01000000.00000013.sdmp
Source:	Binary string: F:\B\A11\_work\10\s\Output\C2ERBase2\Any CPU\ReleaseNET45\ER.Shared.Common.2.pdb source: CodeTwo Active Directory Photos.exe, 00000006.00000002.2463304418.000000001BED2000.00000002.00000001.01000000.00000019.sdmp
Source:	Binary string: F:\B\A11\_work\10\s\Main\C2ERBase2\Modules\ER.Shared.Settings\obj\ReleaseNET45\ER.Shared.Settings.2.pdb source: CodeTwo Active Directory Photos.exe, 00000006.00000002.2466378356.000000001D022000.00000002.00000001.01000000.0000001C.sdmp
Source:	Binary string: F:\B\A11\_work\10\s\Main\C2ERBase2\Modules\ER.Shared.Placeholders\obj\ReleaseNET45\ER.Shared.Placeholders.2.pdb source: CodeTwo Active Directory Photos.exe, 00000006.00000002.2466305357.000000001CFF2000.00000002.00000001.01000000.0000001B.sdmp, ER.Shared.Placeholders.2.dll.2.dr
Source:	Binary string: F:\B\A11\_work\10\s\Output\C2ERBase2\Any CPU\ReleaseNET45\C2.Common.pdb source: CodeTwo Active Directory Photos.exe, 00000006.00000002.2454719140.0000000002822000.00000002.00000001.01000000.00000015.sdmp
Source:	Binary string: F:\B\A11\_work\10\s\Main\C2Common\Modules\C2Wpf.Controls\obj\ReleaseNET45\C2Wpf.Controls.pdb source: CodeTwo Active Directory Photos.exe, 00000006.00000002.2463413177.000000001CF22000.00000002.00000001.01000000.0000001A.sdmp, C2Wpf.Controls.dll.2.dr
Source:	Binary string: F:\B\A11\_work\10\s\Main\C2ERBase2\Modules\ER.Shared.Placeholders\obj\ReleaseNET45\ER.Shared.Placeholders.2.pdb0~J~ <~_CorDllMainmscoree.dll source: CodeTwo Active Directory Photos.exe, 00000006.00000002.2466305357.000000001CFF2000.00000002.00000001.01000000.0000001B.sdmp, ER.Shared.Placeholders.2.dll.2.dr
Source:	Binary string: F:\B\A11\_work\10\s\Output\C2ERBase2\Any CPU\ReleaseNET45\ER.Shared.MessageComposition.Lib.pdb source: ER.Shared.MessageComposition.Lib.dll.2.dr
Source:	Binary string: F:\B\A11\_work\10\s\Output\C2ERBase2\Any CPU\ReleaseNET45\C2.Common.pdbsr source: CodeTwo Active Directory Photos.exe, 00000006.00000002.2454719140.0000000002822000.00000002.00000001.01000000.00000015.sdmp
Source:	Binary string: E:\B\A5\_work\57\s\Output\C2Native\Win32\ReleaseStatic\C2CustomActions.pdb source: C2ADPhotosSetupEN.exe, 431a48.msi.2.dr, 431a4a.msi.2.dr
Source:	Binary string: os.pdb source: CodeTwo Active Directory Photos.exe, 00000006.00000002.2459211679.000000001B3BA000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: F:\B\A11\_work\10\s\Output\C2ERBase2\Any CPU\ReleaseNET45\C2WinUI.pdb source: CodeTwo Active Directory Photos.exe, 00000006.00000002.2459946087.000000001B4C2000.00000002.00000001.01000000.00000016.sdmp
Source:	Binary string: F:\B\A11\_work\10\s\Output\C2ERBase2\Any CPU\ReleaseNET45\ER.Shared.Common.2.pdb' source: CodeTwo Active Directory Photos.exe, 00000006.00000002.2463304418.000000001BED2000.00000002.00000001.01000000.00000019.sdmp
Source:	Binary string: D:\A2\_work\115\s\Output\Obfuscated\CodeTwo Active Directory Photos.pdb source: CodeTwo Active Directory Photos.exe, 00000006.00000000.2345167044.0000000000587000.00000002.00000001.01000000.00000009.sdmp
Source:	Binary string: D:\dd\fx\NetFXDev1\binaries\x86ret\bin\i386\VSSetup\Utils\boxstub.pdb source: C2ADPhotosSetupEN.exe
Source:	Binary string: D:\A2\_work\115\s\Output\Obfuscated\C2ADPhotos.AD.pdb source: CodeTwo Active Directory Photos.exe, 00000006.00000002.2460177474.000000001B56B000.00000002.00000001.01000000.00000017.sdmp

Source: C2ADPhotosSetupEN.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: C2ADPhotosSetupEN.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: C2ADPhotosSetupEN.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: C2ADPhotosSetupEN.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: C2ADPhotosSetupEN.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata

Data Obfuscation

PE file contains an invalid checksum

Source: MSI9BE.tmp.0.dr	Static PE information: real checksum: 0x0 should be: 0x23a3e
Source: tx151.dll.2.dr	Static PE information: real checksum: 0x104664 should be: 0x109ec8

PE file contains sections with non-standard names

Source: C2ADPhotosSetupEN.exe

Static PE information: section name: .giats

Uses code obfuscation techniques (call, push, ret)

Source: C:\Program Files\CodeTwo\CodeTwo Active Directory Photos\CodeTwo Active Directory Photos.exe

Code function: 6_2_00007FF8484AD2A5 pushad ; iretd

6_2_00007FF8484AD2A6

Source: C2WinUI.dll.2.dr	Static PE information: section name: .text entropy: 7.150995223307985
Source: C2ADPhotos.Controls.dll.2.dr	Static PE information: section name: .text entropy: 7.424336172850023

Persistence and Installation Behavior

Drops PE files

Source: C:\Windows\System32\msiexec.exe	File created: C:\Program Files\CodeTwo\CodeTwo Active Directory Photos\C2Wpf.Controls.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Program Files\CodeTwo\CodeTwo Active Directory Photos\C2ADPhotos.Controls.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSI1E11.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Program Files\CodeTwo\CodeTwo Active Directory Photos\C2ADPhotos.AD.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Program Files\CodeTwo\CodeTwo Active Directory Photos\TXTextControl.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Program Files\CodeTwo\CodeTwo Active Directory Photos\ER.Shared.Html.2.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Program Files\CodeTwo\CodeTwo Active Directory Photos\tx151.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Program Files\CodeTwo\CodeTwo Active Directory Photos\C2Wpf.Common.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Program Files\CodeTwo\CodeTwo Active Directory Photos\tx151tls.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Program Files\CodeTwo\CodeTwo Active Directory Photos\ER.Shared.Settings.2.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Program Files\CodeTwo\CodeTwo Active Directory Photos\ER.Shared.Common.2.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Program Files\CodeTwo\CodeTwo Active Directory Photos\ER.Shared.RulesProcessor.2.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Program Files\CodeTwo\CodeTwo Active Directory Photos\C2ADPhotos.Common.dll	Jump to dropped file
Source: C:\Users\user\Desktop\C2ADPhotosSetupEN.exe	File created: C:\Users\user\AppData\Local\Temp\MSI9BE.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Program Files\CodeTwo\CodeTwo Active Directory Photos\tx151rtf.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Program Files\CodeTwo\CodeTwo Active Directory Photos\ER.Shared.Placeholders.2.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Program Files\CodeTwo\CodeTwo Active Directory Photos\C2.Common.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Program Files\CodeTwo\CodeTwo Active Directory Photos\C2WinUI.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Program Files\CodeTwo\CodeTwo Active Directory Photos\CodeTwo Active Directory Photos.exe	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Program Files\CodeTwo\CodeTwo Active Directory Photos\ER.Shared.MessageComposition.Lib.dll	Jump to dropped file

Drops PE files to the windows directory (C:\Windows)

Source: C:\Windows\System32\msiexec.exe

File created: C:\Windows\Installer\MSI1E11.tmp

Jump to dropped file

Boot Survival

Stores files to the Windows start menu directory

Source: C:\Windows\System32\msiexec.exe	File created: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\CodeTwo	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File created: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\CodeTwo\CodeTwo Active Directory Photos	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File created: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\CodeTwo\CodeTwo Active Directory Photos\Go to program home page.lnk	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File created: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\CodeTwo\CodeTwo Active Directory Photos\User's manual.lnk	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File created: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\CodeTwo\CodeTwo Active Directory Photos\CodeTwo Active Directory Photos.lnk	Jump to behavior

Hooking and other Techniques for Hiding and Protection

Source: C:\Users\user\Desktop\C2ADPhotosSetupEN.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\C2ADPhotosSetupEN.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\C2ADPhotosSetupEN.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\C2ADPhotosSetupEN.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\C2ADPhotosSetupEN.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\C2ADPhotosSetupEN.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\C2ADPhotosSetupEN.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\C2ADPhotosSetupEN.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\CodeTwo\CodeTwo Active Directory Photos\CodeTwo Active Directory Photos.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Program Files\CodeTwo\CodeTwo Active Directory Photos\CodeTwo Active Directory Photos.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Program Files\CodeTwo\CodeTwo Active Directory Photos\CodeTwo Active Directory Photos.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Program Files\CodeTwo\CodeTwo Active Directory Photos\CodeTwo Active Directory Photos.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\CodeTwo\CodeTwo Active Directory Photos\CodeTwo Active Directory Photos.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Program Files\CodeTwo\CodeTwo Active Directory Photos\CodeTwo Active Directory Photos.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\CodeTwo\CodeTwo Active Directory Photos\CodeTwo Active Directory Photos.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Program Files\CodeTwo\CodeTwo Active Directory Photos\CodeTwo Active Directory Photos.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\CodeTwo\CodeTwo Active Directory Photos\CodeTwo Active Directory Photos.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Program Files\CodeTwo\CodeTwo Active Directory Photos\CodeTwo Active Directory Photos.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\CodeTwo\CodeTwo Active Directory Photos\CodeTwo Active Directory Photos.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Program Files\CodeTwo\CodeTwo Active Directory Photos\CodeTwo Active Directory Photos.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\CodeTwo\CodeTwo Active Directory Photos\CodeTwo Active Directory Photos.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Program Files\CodeTwo\CodeTwo Active Directory Photos\CodeTwo Active Directory Photos.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\CodeTwo\CodeTwo Active Directory Photos\CodeTwo Active Directory Photos.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Program Files\CodeTwo\CodeTwo Active Directory Photos\CodeTwo Active Directory Photos.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\CodeTwo\CodeTwo Active Directory Photos\CodeTwo Active Directory Photos.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Program Files\CodeTwo\CodeTwo Active Directory Photos\CodeTwo Active Directory Photos.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\CodeTwo\CodeTwo Active Directory Photos\CodeTwo Active Directory Photos.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Program Files\CodeTwo\CodeTwo Active Directory Photos\CodeTwo Active Directory Photos.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\CodeTwo\CodeTwo Active Directory Photos\CodeTwo Active Directory Photos.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Program Files\CodeTwo\CodeTwo Active Directory Photos\CodeTwo Active Directory Photos.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\CodeTwo\CodeTwo Active Directory Photos\CodeTwo Active Directory Photos.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\CodeTwo\CodeTwo Active Directory Photos\CodeTwo Active Directory Photos.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Program Files\CodeTwo\CodeTwo Active Directory Photos\CodeTwo Active Directory Photos.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\CodeTwo\CodeTwo Active Directory Photos\CodeTwo Active Directory Photos.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Program Files\CodeTwo\CodeTwo Active Directory Photos\CodeTwo Active Directory Photos.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\CodeTwo\CodeTwo Active Directory Photos\CodeTwo Active Directory Photos.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Program Files\CodeTwo\CodeTwo Active Directory Photos\CodeTwo Active Directory Photos.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\CodeTwo\CodeTwo Active Directory Photos\CodeTwo Active Directory Photos.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Program Files\CodeTwo\CodeTwo Active Directory Photos\CodeTwo Active Directory Photos.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\CodeTwo\CodeTwo Active Directory Photos\CodeTwo Active Directory Photos.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Program Files\CodeTwo\CodeTwo Active Directory Photos\CodeTwo Active Directory Photos.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\CodeTwo\CodeTwo Active Directory Photos\CodeTwo Active Directory Photos.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Program Files\CodeTwo\CodeTwo Active Directory Photos\CodeTwo Active Directory Photos.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\CodeTwo\CodeTwo Active Directory Photos\CodeTwo Active Directory Photos.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Program Files\CodeTwo\CodeTwo Active Directory Photos\CodeTwo Active Directory Photos.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\CodeTwo\CodeTwo Active Directory Photos\CodeTwo Active Directory Photos.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\CodeTwo\CodeTwo Active Directory Photos\CodeTwo Active Directory Photos.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Program Files\CodeTwo\CodeTwo Active Directory Photos\CodeTwo Active Directory Photos.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\CodeTwo\CodeTwo Active Directory Photos\CodeTwo Active Directory Photos.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Program Files\CodeTwo\CodeTwo Active Directory Photos\CodeTwo Active Directory Photos.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\CodeTwo\CodeTwo Active Directory Photos\CodeTwo Active Directory Photos.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\CodeTwo\CodeTwo Active Directory Photos\CodeTwo Active Directory Photos.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Program Files\CodeTwo\CodeTwo Active Directory Photos\CodeTwo Active Directory Photos.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\CodeTwo\CodeTwo Active Directory Photos\CodeTwo Active Directory Photos.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Program Files\CodeTwo\CodeTwo Active Directory Photos\CodeTwo Active Directory Photos.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\CodeTwo\CodeTwo Active Directory Photos\CodeTwo Active Directory Photos.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Program Files\CodeTwo\CodeTwo Active Directory Photos\CodeTwo Active Directory Photos.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\CodeTwo\CodeTwo Active Directory Photos\CodeTwo Active Directory Photos.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Program Files\CodeTwo\CodeTwo Active Directory Photos\CodeTwo Active Directory Photos.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\CodeTwo\CodeTwo Active Directory Photos\CodeTwo Active Directory Photos.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Program Files\CodeTwo\CodeTwo Active Directory Photos\CodeTwo Active Directory Photos.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\CodeTwo\CodeTwo Active Directory Photos\CodeTwo Active Directory Photos.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Program Files\CodeTwo\CodeTwo Active Directory Photos\CodeTwo Active Directory Photos.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\CodeTwo\CodeTwo Active Directory Photos\CodeTwo Active Directory Photos.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Program Files\CodeTwo\CodeTwo Active Directory Photos\CodeTwo Active Directory Photos.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\CodeTwo\CodeTwo Active Directory Photos\CodeTwo Active Directory Photos.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Program Files\CodeTwo\CodeTwo Active Directory Photos\CodeTwo Active Directory Photos.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\CodeTwo\CodeTwo Active Directory Photos\CodeTwo Active Directory Photos.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Program Files\CodeTwo\CodeTwo Active Directory Photos\CodeTwo Active Directory Photos.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\CodeTwo\CodeTwo Active Directory Photos\CodeTwo Active Directory Photos.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\CodeTwo\CodeTwo Active Directory Photos\CodeTwo Active Directory Photos.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Program Files\CodeTwo\CodeTwo Active Directory Photos\CodeTwo Active Directory Photos.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\CodeTwo\CodeTwo Active Directory Photos\CodeTwo Active Directory Photos.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Program Files\CodeTwo\CodeTwo Active Directory Photos\CodeTwo Active Directory Photos.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\CodeTwo\CodeTwo Active Directory Photos\CodeTwo Active Directory Photos.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\CodeTwo\CodeTwo Active Directory Photos\CodeTwo Active Directory Photos.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Program Files\CodeTwo\CodeTwo Active Directory Photos\CodeTwo Active Directory Photos.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\CodeTwo\CodeTwo Active Directory Photos\CodeTwo Active Directory Photos.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Program Files\CodeTwo\CodeTwo Active Directory Photos\CodeTwo Active Directory Photos.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\CodeTwo\CodeTwo Active Directory Photos\CodeTwo Active Directory Photos.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\CodeTwo\CodeTwo Active Directory Photos\CodeTwo Active Directory Photos.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Program Files\CodeTwo\CodeTwo Active Directory Photos\CodeTwo Active Directory Photos.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\CodeTwo\CodeTwo Active Directory Photos\CodeTwo Active Directory Photos.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Program Files\CodeTwo\CodeTwo Active Directory Photos\CodeTwo Active Directory Photos.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\CodeTwo\CodeTwo Active Directory Photos\CodeTwo Active Directory Photos.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Program Files\CodeTwo\CodeTwo Active Directory Photos\CodeTwo Active Directory Photos.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\CodeTwo\CodeTwo Active Directory Photos\CodeTwo Active Directory Photos.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Program Files\CodeTwo\CodeTwo Active Directory Photos\CodeTwo Active Directory Photos.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\CodeTwo\CodeTwo Active Directory Photos\CodeTwo Active Directory Photos.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Program Files\CodeTwo\CodeTwo Active Directory Photos\CodeTwo Active Directory Photos.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\CodeTwo\CodeTwo Active Directory Photos\CodeTwo Active Directory Photos.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Program Files\CodeTwo\CodeTwo Active Directory Photos\CodeTwo Active Directory Photos.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\CodeTwo\CodeTwo Active Directory Photos\CodeTwo Active Directory Photos.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\CodeTwo\CodeTwo Active Directory Photos\CodeTwo Active Directory Photos.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Program Files\CodeTwo\CodeTwo Active Directory Photos\CodeTwo Active Directory Photos.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\CodeTwo\CodeTwo Active Directory Photos\CodeTwo Active Directory Photos.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Program Files\CodeTwo\CodeTwo Active Directory Photos\CodeTwo Active Directory Photos.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\CodeTwo\CodeTwo Active Directory Photos\CodeTwo Active Directory Photos.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Program Files\CodeTwo\CodeTwo Active Directory Photos\CodeTwo Active Directory Photos.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\CodeTwo\CodeTwo Active Directory Photos\CodeTwo Active Directory Photos.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Program Files\CodeTwo\CodeTwo Active Directory Photos\CodeTwo Active Directory Photos.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\CodeTwo\CodeTwo Active Directory Photos\CodeTwo Active Directory Photos.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Program Files\CodeTwo\CodeTwo Active Directory Photos\CodeTwo Active Directory Photos.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\CodeTwo\CodeTwo Active Directory Photos\CodeTwo Active Directory Photos.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Program Files\CodeTwo\CodeTwo Active Directory Photos\CodeTwo Active Directory Photos.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\CodeTwo\CodeTwo Active Directory Photos\CodeTwo Active Directory Photos.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\CodeTwo\CodeTwo Active Directory Photos\CodeTwo Active Directory Photos.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Program Files\CodeTwo\CodeTwo Active Directory Photos\CodeTwo Active Directory Photos.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\CodeTwo\CodeTwo Active Directory Photos\CodeTwo Active Directory Photos.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Program Files\CodeTwo\CodeTwo Active Directory Photos\CodeTwo Active Directory Photos.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\CodeTwo\CodeTwo Active Directory Photos\CodeTwo Active Directory Photos.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\CodeTwo\CodeTwo Active Directory Photos\CodeTwo Active Directory Photos.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Program Files\CodeTwo\CodeTwo Active Directory Photos\CodeTwo Active Directory Photos.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\CodeTwo\CodeTwo Active Directory Photos\CodeTwo Active Directory Photos.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\CodeTwo\CodeTwo Active Directory Photos\CodeTwo Active Directory Photos.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Program Files\CodeTwo\CodeTwo Active Directory Photos\CodeTwo Active Directory Photos.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\CodeTwo\CodeTwo Active Directory Photos\CodeTwo Active Directory Photos.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\CodeTwo\CodeTwo Active Directory Photos\CodeTwo Active Directory Photos.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Program Files\CodeTwo\CodeTwo Active Directory Photos\CodeTwo Active Directory Photos.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\CodeTwo\CodeTwo Active Directory Photos\CodeTwo Active Directory Photos.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\CodeTwo\CodeTwo Active Directory Photos\CodeTwo Active Directory Photos.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Program Files\CodeTwo\CodeTwo Active Directory Photos\CodeTwo Active Directory Photos.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\CodeTwo\CodeTwo Active Directory Photos\CodeTwo Active Directory Photos.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Program Files\CodeTwo\CodeTwo Active Directory Photos\CodeTwo Active Directory Photos.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\CodeTwo\CodeTwo Active Directory Photos\CodeTwo Active Directory Photos.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Program Files\CodeTwo\CodeTwo Active Directory Photos\CodeTwo Active Directory Photos.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\CodeTwo\CodeTwo Active Directory Photos\CodeTwo Active Directory Photos.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Program Files\CodeTwo\CodeTwo Active Directory Photos\CodeTwo Active Directory Photos.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Program Files\CodeTwo\CodeTwo Active Directory Photos\CodeTwo Active Directory Photos.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Program Files\CodeTwo\CodeTwo Active Directory Photos\CodeTwo Active Directory Photos.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\CodeTwo\CodeTwo Active Directory Photos\CodeTwo Active Directory Photos.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Program Files\CodeTwo\CodeTwo Active Directory Photos\CodeTwo Active Directory Photos.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\CodeTwo\CodeTwo Active Directory Photos\CodeTwo Active Directory Photos.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Program Files\CodeTwo\CodeTwo Active Directory Photos\CodeTwo Active Directory Photos.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\CodeTwo\CodeTwo Active Directory Photos\CodeTwo Active Directory Photos.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Program Files\CodeTwo\CodeTwo Active Directory Photos\CodeTwo Active Directory Photos.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\CodeTwo\CodeTwo Active Directory Photos\CodeTwo Active Directory Photos.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Program Files\CodeTwo\CodeTwo Active Directory Photos\CodeTwo Active Directory Photos.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\CodeTwo\CodeTwo Active Directory Photos\CodeTwo Active Directory Photos.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Program Files\CodeTwo\CodeTwo Active Directory Photos\CodeTwo Active Directory Photos.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\CodeTwo\CodeTwo Active Directory Photos\CodeTwo Active Directory Photos.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\CodeTwo\CodeTwo Active Directory Photos\CodeTwo Active Directory Photos.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Program Files\CodeTwo\CodeTwo Active Directory Photos\CodeTwo Active Directory Photos.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\CodeTwo\CodeTwo Active Directory Photos\CodeTwo Active Directory Photos.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Program Files\CodeTwo\CodeTwo Active Directory Photos\CodeTwo Active Directory Photos.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\CodeTwo\CodeTwo Active Directory Photos\CodeTwo Active Directory Photos.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Program Files\CodeTwo\CodeTwo Active Directory Photos\CodeTwo Active Directory Photos.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\CodeTwo\CodeTwo Active Directory Photos\CodeTwo Active Directory Photos.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\CodeTwo\CodeTwo Active Directory Photos\CodeTwo Active Directory Photos.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Program Files\CodeTwo\CodeTwo Active Directory Photos\CodeTwo Active Directory Photos.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\CodeTwo\CodeTwo Active Directory Photos\CodeTwo Active Directory Photos.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\CodeTwo\CodeTwo Active Directory Photos\CodeTwo Active Directory Photos.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Program Files\CodeTwo\CodeTwo Active Directory Photos\CodeTwo Active Directory Photos.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\CodeTwo\CodeTwo Active Directory Photos\CodeTwo Active Directory Photos.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Program Files\CodeTwo\CodeTwo Active Directory Photos\CodeTwo Active Directory Photos.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\CodeTwo\CodeTwo Active Directory Photos\CodeTwo Active Directory Photos.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\CodeTwo\CodeTwo Active Directory Photos\CodeTwo Active Directory Photos.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Program Files\CodeTwo\CodeTwo Active Directory Photos\CodeTwo Active Directory Photos.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\CodeTwo\CodeTwo Active Directory Photos\CodeTwo Active Directory Photos.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Program Files\CodeTwo\CodeTwo Active Directory Photos\CodeTwo Active Directory Photos.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\CodeTwo\CodeTwo Active Directory Photos\CodeTwo Active Directory Photos.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Program Files\CodeTwo\CodeTwo Active Directory Photos\CodeTwo Active Directory Photos.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\CodeTwo\CodeTwo Active Directory Photos\CodeTwo Active Directory Photos.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Program Files\CodeTwo\CodeTwo Active Directory Photos\CodeTwo Active Directory Photos.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\CodeTwo\CodeTwo Active Directory Photos\CodeTwo Active Directory Photos.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Program Files\CodeTwo\CodeTwo Active Directory Photos\CodeTwo Active Directory Photos.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\CodeTwo\CodeTwo Active Directory Photos\CodeTwo Active Directory Photos.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Program Files\CodeTwo\CodeTwo Active Directory Photos\CodeTwo Active Directory Photos.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\CodeTwo\CodeTwo Active Directory Photos\CodeTwo Active Directory Photos.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Program Files\CodeTwo\CodeTwo Active Directory Photos\CodeTwo Active Directory Photos.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\CodeTwo\CodeTwo Active Directory Photos\CodeTwo Active Directory Photos.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Program Files\CodeTwo\CodeTwo Active Directory Photos\CodeTwo Active Directory Photos.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\CodeTwo\CodeTwo Active Directory Photos\CodeTwo Active Directory Photos.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Program Files\CodeTwo\CodeTwo Active Directory Photos\CodeTwo Active Directory Photos.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\CodeTwo\CodeTwo Active Directory Photos\CodeTwo Active Directory Photos.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Program Files\CodeTwo\CodeTwo Active Directory Photos\CodeTwo Active Directory Photos.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\CodeTwo\CodeTwo Active Directory Photos\CodeTwo Active Directory Photos.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Program Files\CodeTwo\CodeTwo Active Directory Photos\CodeTwo Active Directory Photos.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\CodeTwo\CodeTwo Active Directory Photos\CodeTwo Active Directory Photos.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Program Files\CodeTwo\CodeTwo Active Directory Photos\CodeTwo Active Directory Photos.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\CodeTwo\CodeTwo Active Directory Photos\CodeTwo Active Directory Photos.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Program Files\CodeTwo\CodeTwo Active Directory Photos\CodeTwo Active Directory Photos.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Program Files\CodeTwo\CodeTwo Active Directory Photos\CodeTwo Active Directory Photos.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\CodeTwo\CodeTwo Active Directory Photos\CodeTwo Active Directory Photos.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Program Files\CodeTwo\CodeTwo Active Directory Photos\CodeTwo Active Directory Photos.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Program Files\CodeTwo\CodeTwo Active Directory Photos\CodeTwo Active Directory Photos.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Program Files\CodeTwo\CodeTwo Active Directory Photos\CodeTwo Active Directory Photos.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\CodeTwo\CodeTwo Active Directory Photos\CodeTwo Active Directory Photos.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Program Files\CodeTwo\CodeTwo Active Directory Photos\CodeTwo Active Directory Photos.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\CodeTwo\CodeTwo Active Directory Photos\CodeTwo Active Directory Photos.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\CodeTwo\CodeTwo Active Directory Photos\CodeTwo Active Directory Photos.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior

Malware Analysis System Evasion

Allocates memory with a write watch (potentially for evading sandboxes)

Source: C:\Program Files\CodeTwo\CodeTwo Active Directory Photos\CodeTwo Active Directory Photos.exe	Memory allocated: DE0000 memory reserve \| memory write watch			Jump to behavior
Source: C:\Program Files\CodeTwo\CodeTwo Active Directory Photos\CodeTwo Active Directory Photos.exe	Memory allocated: 1A890000 memory reserve \| memory write watch			Jump to behavior

Contains long sleeps (>= 3 min)

Source: C:\Program Files\CodeTwo\CodeTwo Active Directory Photos\CodeTwo Active Directory Photos.exe	Thread delayed: delay time: 922337203685477			Jump to behavior
Source: C:\Program Files\CodeTwo\CodeTwo Active Directory Photos\CodeTwo Active Directory Photos.exe	Thread delayed: delay time: 922337203685477			Jump to behavior

Found dropped PE file which has not been started or loaded

Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Program Files\CodeTwo\CodeTwo Active Directory Photos\C2Wpf.Controls.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Windows\Installer\MSI1E11.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Program Files\CodeTwo\CodeTwo Active Directory Photos\C2ADPhotos.Controls.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Program Files\CodeTwo\CodeTwo Active Directory Photos\C2ADPhotos.AD.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Program Files\CodeTwo\CodeTwo Active Directory Photos\ER.Shared.Html.2.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Program Files\CodeTwo\CodeTwo Active Directory Photos\TXTextControl.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Program Files\CodeTwo\CodeTwo Active Directory Photos\tx151.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Program Files\CodeTwo\CodeTwo Active Directory Photos\C2Wpf.Common.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Program Files\CodeTwo\CodeTwo Active Directory Photos\tx151tls.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Program Files\CodeTwo\CodeTwo Active Directory Photos\ER.Shared.Settings.2.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Program Files\CodeTwo\CodeTwo Active Directory Photos\ER.Shared.Common.2.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Program Files\CodeTwo\CodeTwo Active Directory Photos\ER.Shared.RulesProcessor.2.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Program Files\CodeTwo\CodeTwo Active Directory Photos\C2ADPhotos.Common.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Program Files\CodeTwo\CodeTwo Active Directory Photos\tx151rtf.dll	Jump to dropped file
Source: C:\Users\user\Desktop\C2ADPhotosSetupEN.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\MSI9BE.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Program Files\CodeTwo\CodeTwo Active Directory Photos\ER.Shared.Placeholders.2.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Program Files\CodeTwo\CodeTwo Active Directory Photos\C2.Common.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Program Files\CodeTwo\CodeTwo Active Directory Photos\C2WinUI.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Program Files\CodeTwo\CodeTwo Active Directory Photos\ER.Shared.MessageComposition.Lib.dll	Jump to dropped file

May sleep (evasive loops) to hinder dynamic analysis

Source: C:\Program Files\CodeTwo\CodeTwo Active Directory Photos\CodeTwo Active Directory Photos.exe TID: 7416	Thread sleep time: -922337203685477s >= -30000s			Jump to behavior
Source: C:\Program Files\CodeTwo\CodeTwo Active Directory Photos\CodeTwo Active Directory Photos.exe TID: 7192	Thread sleep time: -922337203685477s >= -30000s			Jump to behavior

Source: C:\Users\user\Desktop\C2ADPhotosSetupEN.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Users\user\Desktop\C2ADPhotosSetupEN.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Users\user\Desktop\C2ADPhotosSetupEN.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Users\user\Desktop\C2ADPhotosSetupEN.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Users\user\Desktop\C2ADPhotosSetupEN.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Users\user\Desktop\C2ADPhotosSetupEN.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Users\user\Desktop\C2ADPhotosSetupEN.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Users\user\Desktop\C2ADPhotosSetupEN.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Users\user\Desktop\C2ADPhotosSetupEN.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Users\user\Desktop\C2ADPhotosSetupEN.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Users\user\Desktop\C2ADPhotosSetupEN.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Users\user\Desktop\C2ADPhotosSetupEN.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Users\user\Desktop\C2ADPhotosSetupEN.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Users\user\Desktop\C2ADPhotosSetupEN.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Users\user\Desktop\C2ADPhotosSetupEN.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Users\user\Desktop\C2ADPhotosSetupEN.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Users\user\Desktop\C2ADPhotosSetupEN.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Users\user\Desktop\C2ADPhotosSetupEN.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Users\user\Desktop\C2ADPhotosSetupEN.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior

Source: C:\Program Files\CodeTwo\CodeTwo Active Directory Photos\CodeTwo Active Directory Photos.exe	Thread delayed: delay time: 922337203685477			Jump to behavior
Source: C:\Program Files\CodeTwo\CodeTwo Active Directory Photos\CodeTwo Active Directory Photos.exe	Thread delayed: delay time: 922337203685477			Jump to behavior

Source: C:\Windows\System32\msiexec.exe

Process information queried: ProcessInformation

Jump to behavior

Anti Debugging

Enables debug privileges

Source: C:\Program Files\CodeTwo\CodeTwo Active Directory Photos\CodeTwo Active Directory Photos.exe

Process token adjusted: Debug

Jump to behavior

Launches processes in debugging mode, may be used to hinder debugging

Source: C:\Windows\System32\msiexec.exe

Jump to behavior

Source: C:\Program Files\CodeTwo\CodeTwo Active Directory Photos\CodeTwo Active Directory Photos.exe

Memory allocated: page read and write | page guard

Jump to behavior

Language, Device and Operating System Detection

Queries the volume information (name, serial number etc) of a device

Source: C:\Users\user\Desktop\C2ADPhotosSetupEN.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\C2ADPhotosSetupEN.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Program Files\CodeTwo\CodeTwo Active Directory Photos\CodeTwo Active Directory Photos.exe	Queries volume information: C:\Program Files\CodeTwo\CodeTwo Active Directory Photos\CodeTwo Active Directory Photos.exe VolumeInformation	Jump to behavior
Source: C:\Program Files\CodeTwo\CodeTwo Active Directory Photos\CodeTwo Active Directory Photos.exe	Queries volume information: C:\Program Files\CodeTwo\CodeTwo Active Directory Photos\C2.Common.dll VolumeInformation	Jump to behavior
Source: C:\Program Files\CodeTwo\CodeTwo Active Directory Photos\CodeTwo Active Directory Photos.exe	Queries volume information: C:\Program Files\CodeTwo\CodeTwo Active Directory Photos\C2ADPhotos.Common.dll VolumeInformation	Jump to behavior
Source: C:\Program Files\CodeTwo\CodeTwo Active Directory Photos\CodeTwo Active Directory Photos.exe	Queries volume information: C:\Program Files\CodeTwo\CodeTwo Active Directory Photos\C2WinUI.dll VolumeInformation	Jump to behavior
Source: C:\Program Files\CodeTwo\CodeTwo Active Directory Photos\CodeTwo Active Directory Photos.exe	Queries volume information: C:\Program Files\CodeTwo\CodeTwo Active Directory Photos\C2ADPhotos.AD.dll VolumeInformation	Jump to behavior
Source: C:\Program Files\CodeTwo\CodeTwo Active Directory Photos\CodeTwo Active Directory Photos.exe	Queries volume information: C:\Program Files\CodeTwo\CodeTwo Active Directory Photos\C2Wpf.Common.dll VolumeInformation	Jump to behavior
Source: C:\Program Files\CodeTwo\CodeTwo Active Directory Photos\CodeTwo Active Directory Photos.exe	Queries volume information: C:\Program Files\CodeTwo\CodeTwo Active Directory Photos\C2ADPhotos.Controls.dll VolumeInformation	Jump to behavior
Source: C:\Program Files\CodeTwo\CodeTwo Active Directory Photos\CodeTwo Active Directory Photos.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\WindowsFormsIntegration\v4.0_4.0.0.0__31bf3856ad364e35\WindowsFormsIntegration.dll VolumeInformation	Jump to behavior
Source: C:\Program Files\CodeTwo\CodeTwo Active Directory Photos\CodeTwo Active Directory Photos.exe	Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation	Jump to behavior
Source: C:\Program Files\CodeTwo\CodeTwo Active Directory Photos\CodeTwo Active Directory Photos.exe	Queries volume information: C:\Program Files\CodeTwo\CodeTwo Active Directory Photos\C2Wpf.Controls.dll VolumeInformation	Jump to behavior
Source: C:\Program Files\CodeTwo\CodeTwo Active Directory Photos\CodeTwo Active Directory Photos.exe	Queries volume information: C:\Program Files\CodeTwo\CodeTwo Active Directory Photos\ER.Shared.Common.2.dll VolumeInformation	Jump to behavior
Source: C:\Program Files\CodeTwo\CodeTwo Active Directory Photos\CodeTwo Active Directory Photos.exe	Queries volume information: C:\Program Files\CodeTwo\CodeTwo Active Directory Photos\ER.Shared.Placeholders.2.dll VolumeInformation	Jump to behavior
Source: C:\Program Files\CodeTwo\CodeTwo Active Directory Photos\CodeTwo Active Directory Photos.exe	Queries volume information: C:\Program Files\CodeTwo\CodeTwo Active Directory Photos\ER.Shared.Settings.2.dll VolumeInformation	Jump to behavior
Source: C:\Program Files\CodeTwo\CodeTwo Active Directory Photos\CodeTwo Active Directory Photos.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\PresentationFramework-SystemXml\v4.0_4.0.0.0__b77a5c561934e089\PresentationFramework-SystemXml.dll VolumeInformation	Jump to behavior
Source: C:\Program Files\CodeTwo\CodeTwo Active Directory Photos\CodeTwo Active Directory Photos.exe	Queries volume information: C:\Windows\Fonts\segoeui.ttf VolumeInformation	Jump to behavior
Source: C:\Program Files\CodeTwo\CodeTwo Active Directory Photos\CodeTwo Active Directory Photos.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\PresentationFramework-SystemCore\v4.0_4.0.0.0__b77a5c561934e089\PresentationFramework-SystemCore.dll VolumeInformation	Jump to behavior
Source: C:\Program Files\CodeTwo\CodeTwo Active Directory Photos\CodeTwo Active Directory Photos.exe	Queries volume information: C:\Windows\Fonts\tahomabd.ttf VolumeInformation	Jump to behavior
Source: C:\Program Files\CodeTwo\CodeTwo Active Directory Photos\CodeTwo Active Directory Photos.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\SMDiagnostics\v4.0_4.0.0.0__b77a5c561934e089\SMDiagnostics.dll VolumeInformation	Jump to behavior
Source: C:\Program Files\CodeTwo\CodeTwo Active Directory Photos\CodeTwo Active Directory Photos.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceModel.Internals\v4.0_4.0.0.0__31bf3856ad364e35\System.ServiceModel.Internals.dll VolumeInformation	Jump to behavior

Source: C:\Users\user\Desktop\C2ADPhotosSetupEN.exe

Code function: 0_2_00766571 GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter,

0_2_00766571

Source: C:\Program Files\CodeTwo\CodeTwo Active Directory Photos\CodeTwo Active Directory Photos.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

ID:	1542206
Product:	CloudBasic
Start time:	16:34:27
Start date:	25.10.2024
Sample:	C2ADPhotosSetupEN.exe
Cookbook:	default.jbs
System description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Architecture:	WINDOWS
MD5:	b267edc8d01b07caef2e334a05b92351
SHA1:	8da34b3ede48ba1ad32dd5238e03b19116874613
SHA256:	2679ae59bfc014e4c9aa8046ba11d3f7e5cef36536a4be768bf5de4606dd392e
Filetype:	Win32 Executable (generic) a (10002005/4) 99.96%

Name	Type	MD5	SHA1	SHA256
C:\Config.Msi\431a49.rbs	data	5BA54B48369B33CAB672395F6E24BB1E	FBFF03CEFFB80AA586696DE52A564DFE39334F4F	5980DA82114CB349A0ED303FC7CEBF9031E59B8A3F91EFE27ED53E9A85C48EE2
C:\Program Files\CodeTwo\CodeTwo Active Directory Photos\C2.Common.dll	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows	D2243EB4620041558075CAFE12A5716F	704758817734782161DA7FB619F08294B69ADFCD	17180F377878A267BFE66C69406BCB23DBFE88A995ECC394D8C94434D4E2E9EE
C:\Program Files\CodeTwo\CodeTwo Active Directory Photos\C2ADPhotos.AD.dll	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows	95100781267D8FC2B596F72F529AB48E	8F8DA00B2DB8C3E18F485BD24A075168C9ECD84A	3F3114F75DBAE84C30D9D775FBCDB6CEA7EE751E422A7163CCDE3F25313378A5
C:\Program Files\CodeTwo\CodeTwo Active Directory Photos\C2ADPhotos.Common.dll	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows	2443C079542FE7F60DD4153D78EE15F6	1A52995404D8BB70D359A04B19D6AF8209B9CA68	3C8B25D916540EF8F10AED8C97F9D99E91A9CF22669CB2D7C370B79D350B6633
C:\Program Files\CodeTwo\CodeTwo Active Directory Photos\C2ADPhotos.Controls.dll	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows	5471ED47B6F06442A0B7C5F1AE58F470	0807121AC3587749620DEC072E10DA6A42DC79D3	1F1F47E16E1A4DCADCB1FFF17F9781A6B67C1AE57B89AA34A9221C9458967674
C:\Program Files\CodeTwo\CodeTwo Active Directory Photos\C2WinUI.dll	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows	57CE9C8B4ADF608B02C8AD2D4E0751E9	5EA5E6478DDD0154A71EAAF90C9252FF52A9636A	83B6D3456220E19EEE41A4C9C8FDFF7F7EAD46B05D82D10AD462E0B13F650F0A
C:\Program Files\CodeTwo\CodeTwo Active Directory Photos\C2Wpf.Common.dll	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows	94AC39F544E71724A924B97C37D3154F	E62814A68FAC2155E368A4ADE1EE588E669F0B19	2CD1570D7FC31962DA20A81BF90B1BE1C3D12D0F8F8FDBF23EDFD8CF38D70754
C:\Program Files\CodeTwo\CodeTwo Active Directory Photos\C2Wpf.Controls.dll	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows	0D5774A493CCD50641495391784AD861	D1C5FD350C65A66C0844711C4863A84EC3A9B3F8	3ED72DF410BD5722883C246AB5C030B836CA7981C97851792180A714B05B3CE6
C:\Program Files\CodeTwo\CodeTwo Active Directory Photos\CodeTwo Active Directory Photos.exe	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows	64FA128F137A7AEFCFA59744C6B17A75	FEAFF1A8015F816ECE1EA8CC808D6EB7BDF8A062	3353B7DE4462FE26F0C481743861647B1E71AE534186333AD1BC9640F84C54E3
C:\Program Files\CodeTwo\CodeTwo Active Directory Photos\CodeTwo Active Directory Photos.exe.config	XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators	3DDE769A224B2C7D4C63FD8065C80E36	5EE7A02A5B4492E0D8E272276D4A9A4C07322386	7C5DDC1A13514A181A10BF816C38EBB6EBD5CBD166374A361D854A77B43C7DDD
C:\Program Files\CodeTwo\CodeTwo Active Directory Photos\Data\HomePage.url	MS Windows 95 Internet shortcut text (URL=<http://www.codetwo.com/freeware/active-directory-photos?sts=1327>), ASCII text, with CRLF line terminators	3D3EB8CFAA2B79D009A2573E0B2AB8C6	457C4AB0AA5083B2A3464420D534DEF28F999AEE	90204B38EC58321EFD6D6A282868A67EC17B7242E301C09605EF6C951CBEFB88
C:\Program Files\CodeTwo\CodeTwo Active Directory Photos\Data\User's manual.url	MS Windows 95 Internet shortcut text (URL=<http://www.codetwo.com/userguide/active-directory-photos/intro.htm?sts=1327>), ASCII text, with CRLF line terminators	D63EA42C911B506BD4A480DFB5FE952A	E6784738F569D91C9BF3889FC3CD4AAB771E8EB4	D3D6740CCAAF25085B29DE3FCA28EBF5B63BC93C19C08F62C70697BCF91EB7AA
C:\Program Files\CodeTwo\CodeTwo Active Directory Photos\ER.Shared.Common.2.dll	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows	13662EC5D6803038105FDF472DF64C6E	BF91FF7DBF0B1B3FD3EB5A0CD08A70903CF0E43E	E5A86180BCB2D9EA8373C9A72647F4553EC77180B58C8E407B4875B62B8464BB
C:\Program Files\CodeTwo\CodeTwo Active Directory Photos\ER.Shared.Html.2.dll	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows	1EB87636A43D08800290D8AB8744FDEB	4D7F9BB898B1B368233298FDCEB6F2A0F7728B63	6A3EE94DA8A98C2FF8A05601C3E2CF6D702A59021857058C984190F021E41A23
C:\Program Files\CodeTwo\CodeTwo Active Directory Photos\ER.Shared.MessageComposition.Lib.dll	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows	923F8F8F7A4A8A296D2CF3494DB5787E	7B6A6D78125C8AA7E2FB597AA6D0ACD88AEE92B3	3705B47A302AFE22823522E4A48FFCEECDD1F3B15A6D1A04C0048720020F5260
C:\Program Files\CodeTwo\CodeTwo Active Directory Photos\ER.Shared.Placeholders.2.dll	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows	65C3D83E93BF993B5030162E6567F499	E846941C872AA7BC43841715D7097074B89A1229	50BEFBC170A5BBADDBD748519E0887CDF0D2859356AD8D989A13D4EE5583A83E
C:\Program Files\CodeTwo\CodeTwo Active Directory Photos\ER.Shared.RulesProcessor.2.dll	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows	0936FD6A6D144B7B93D34C0A5E5B4A7E	0D7C9B8D8339B2F59D8133A43778909679536994	3B362CD97D93A37E70762183FAF42BCFF4E2E2B104FBDA95FA87F3A66C531CD3
C:\Program Files\CodeTwo\CodeTwo Active Directory Photos\ER.Shared.Settings.2.dll	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows	98DE435E6E2A8CE06470570743EEC1A1	521C6FBBEAA8CF92D6C80B7B32FB107AF0772A47	478086E4F11CA511F640BE2E81662B06B1C623E7139FB55BC48FA48D8D662FB9
C:\Program Files\CodeTwo\CodeTwo Active Directory Photos\TXTextControl.dll	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows	680BB537BA340E2790541C7B58021BBD	8B024C3B88AD508953F383FB301FCFF445BEB4FB	22415CD8B40009C879E2030A178DBBC4A107B487B32CEBE3CA540A03733BB0DD
C:\Program Files\CodeTwo\CodeTwo Active Directory Photos\tx151.dll	PE32+ executable (DLL) (GUI) x86-64, for MS Windows	BDDE025F9C20E701C4ADFC7BD1B486E4	79D15C7030D56167A81ED2CA90CE2FC7EDFFB99E	A706898017D1C0744E0CCE10744455E75766E181362B5AACF319A4A2AB663652
C:\Program Files\CodeTwo\CodeTwo Active Directory Photos\tx151rtf.dll	PE32+ executable (DLL) (GUI) x86-64, for MS Windows	40CC174FF9A069BE60BF4670D365C6BD	5B37A303F804EC11BCC88E068075EF551A679F23	54F7CC1E03D63C74ED0373EC814628211D47D8DA2F4D194599B355035F65D5E0
C:\Program Files\CodeTwo\CodeTwo Active Directory Photos\tx151tls.dll	PE32+ executable (DLL) (GUI) x86-64, for MS Windows	D2E83C2F32447A19553C3CAE6A179C46	27188BB508BECB60BAE6424DEEBD6C09A06FF6EB	455E9872DB6CA8AEC0EC39FFEF26604CA121B7A5CADE2B2C42E97042E197D22E
C:\ProgramData\MSI Cache\{C1FB6A80-5028-4922-AF16-C3A9EC1C5379}\C2ADPhotosSetupENx64.msi	Composite Document File V2 Document, Little Endian, Os: Windows, Version 6.2, MSI Installer, Code page: 1252, Title: Installation Database, Subject: CodeTwo Active Directory Photos, Author: CodeTwo, Keywords: Installer, Comments: (c) 2020 CodeTwo. All rights reserved., Template: x64;1033, Revision Number: {85D5E36E-A38F-44FA-B9D7-04B56ACDA73E}, Create Time/Date: Tue Jan 5 13:46:22 2021, Last Saved Time/Date: Tue Jan 5 13:46:22 2021, Number of Pages: 300, Number of Words: 2, Name of Creating Application: Windows Installer XML Toolset (3.11.0.1701), Security: 2	F921051C82D6695B6303B247BCF4F7F0	3C8366272AD9DE7D33D140B254ADD3D0DB28E732	1967FD37FA1B14D601FC78BBA20F3B177B264E0C45EA8A828D74CC43A2D3103A
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\CodeTwo\CodeTwo Active Directory Photos\CodeTwo Active Directory Photos.lnk	MS Windows shortcut, Item id list present, Points to a file or directory, Has Description string, Has Relative path, Archive, ctime=Tue Jan 5 17:46:20 2021, mtime=Fri Oct 25 13:35:47 2024, atime=Tue Jan 5 17:46:20 2021, length=2016008, window=hide	FC9D9614A0A2645A5BE6BC58859250F2	7017CA97685A65193B5CD883DF5E5519ACE5982A	FE2366453901B8C24B63329112CF43DF96E6EC022FAD30B55BE916AA51EFBD72
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\CodeTwo\CodeTwo Active Directory Photos\Go to program home page.lnk	MS Windows shortcut, Item id list present, Points to a file or directory, Has Description string, Has Relative path, Icon number=0, Archive, ctime=Mon Jan 4 13:39:22 2021, mtime=Fri Oct 25 13:35:47 2024, atime=Mon Jan 4 13:39:22 2021, length=90, window=hide	7BBA90F76C26C8F2D427B99CD9C12ABE	371DC3C3216A3ED0BFDA89483851DEBBEFBB7721	2D25AB0996C13DE6494AE340BF39B0428ACDA7115B1C47B5B4700834DDCC1DDF
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\CodeTwo\CodeTwo Active Directory Photos\User's manual.lnk	MS Windows shortcut, Item id list present, Points to a file or directory, Has Description string, Has Relative path, Icon number=0, Archive, ctime=Mon Jan 4 13:39:22 2021, mtime=Fri Oct 25 13:35:47 2024, atime=Mon Jan 4 13:39:22 2021, length=101, window=hide	1542C0793B3D38644644A7B855D83D4E	CC68641C598BBF997A7EEA2F17B3AA208B0A4B62	96B7C561795C334EC1457E7A27202692E53030A76272CB9EBF4C08B03887E18A
C:\Users\user\AppData\Local\CodeTwo\AD Photos\Cache\items.xml	XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with no line terminators	E5283749F663531FA1BA55EFE9504E86	545F5604907CE20D13570BEA7EE7EDBCBC3FAD27	BE283CEB10397D91744AEF95AAD260C8ED64F7068AFB591986AD59B5ADA3C3C3
C:\Users\user\AppData\Local\CodeTwo\AD Photos\Logs\2024.10.25_00001.txt	ASCII text, with CRLF line terminators	75FE33C85F4ED2C8E3BAC0B993FA3BC4	16ED3829D9A6C860D5BD75260F4733858E517AA3	190057164A96FD9E84783BC9DBD19B190ED588A54014D4892A7CBC828087E4F8
C:\Users\user\AppData\Local\CodeTwo\AD Photos\Settings\settings.xml	XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with very long lines (2257), with no line terminators	789E83387FB350BC1299926726F17870	BFE54EEDB71BA4DD2CFB595D8C32F5651F613B31	E947396D67C9D74FD2669F20AD54C1B0D4D6B38D8293105D73558D8BB55F25DF
C:\Users\user\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\CodeTwo Active Directory Photos.exe.log	CSV text	64AAEC71CAF0F79C3FEB2439F2F92736	846F7215194EB81ECB67CE629027A10BFE465D3C	B02B633DB61F003025CAE887B89C8E367EDE606F08EFD3AB41EFB4BE9BAF1D66
C:\Users\user\AppData\Local\Temp\CodeTwo Applications Temporary Settings\faa7d046-c44d-490b-a4c4-4530272bb092	data	A6129431F10D1280D1C4A4DBD84F2B49	07AA02F441B530DAB1B81DA0ADBB28F125E0EFBC	2F686E1A54532DB9D10EDB372ED0AE0DCB2B256EDAD1580941AA9F21E320AE20
C:\Users\user\AppData\Local\Temp\MSI9BE.tmp	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows	F54BFFE4D54C0B794C5389BD2C7BAAC2	C472C6A4BD6510B02244D53819EF07882BC101E0	3C06F5BECA24D0EDAEB63BDD5E671386FFC66807E323BA6BCB893260EB52D433
C:\Windows\Installer\431a48.msi	Composite Document File V2 Document, Little Endian, Os: Windows, Version 6.2, MSI Installer, Code page: 1252, Title: Installation Database, Subject: CodeTwo Active Directory Photos, Author: CodeTwo, Keywords: Installer, Comments: (c) 2020 CodeTwo. All rights reserved., Template: x64;1033, Revision Number: {85D5E36E-A38F-44FA-B9D7-04B56ACDA73E}, Create Time/Date: Tue Jan 5 13:46:22 2021, Last Saved Time/Date: Tue Jan 5 13:46:22 2021, Number of Pages: 300, Number of Words: 2, Name of Creating Application: Windows Installer XML Toolset (3.11.0.1701), Security: 2	F921051C82D6695B6303B247BCF4F7F0	3C8366272AD9DE7D33D140B254ADD3D0DB28E732	1967FD37FA1B14D601FC78BBA20F3B177B264E0C45EA8A828D74CC43A2D3103A
C:\Windows\Installer\431a4a.msi	Composite Document File V2 Document, Little Endian, Os: Windows, Version 6.2, MSI Installer, Code page: 1252, Title: Installation Database, Subject: CodeTwo Active Directory Photos, Author: CodeTwo, Keywords: Installer, Comments: (c) 2020 CodeTwo. All rights reserved., Template: x64;1033, Revision Number: {85D5E36E-A38F-44FA-B9D7-04B56ACDA73E}, Create Time/Date: Tue Jan 5 13:46:22 2021, Last Saved Time/Date: Tue Jan 5 13:46:22 2021, Number of Pages: 300, Number of Words: 2, Name of Creating Application: Windows Installer XML Toolset (3.11.0.1701), Security: 2	F921051C82D6695B6303B247BCF4F7F0	3C8366272AD9DE7D33D140B254ADD3D0DB28E732	1967FD37FA1B14D601FC78BBA20F3B177B264E0C45EA8A828D74CC43A2D3103A
C:\Windows\Installer\MSI1E11.tmp	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows	BBC21A151258F16AADBECC35D2B98105	BC3912A5676DA837D56FF76D07C33BFA7301CF27	288F11604122D6E2A1FDC86F9B0062E43E01D7D9685375259A0119B573CA9D7A
C:\Windows\Installer\MSI1EDD.tmp	data	78F864AA110CD579AFBF17E9BD25ED40	5C7DB1B259A03086394E0EF5188E65BFCF5E45A4	596EE20CBE4ED6DA3C482FE40D8B796CB1D9ED8F332EAA38702C683E94D5973A
C:\Windows\Installer\SourceHash{A5C74DC7-9616-4A5E-846D-F56E256CF46F}	Composite Document File V2 Document, Cannot read section info	58B1358CE67F83C19AA29C78E81EA992	4F898DA63A87B7C654282FBC3F5DF8928CEC44C4	FD18B255AB3269BB2D0D79967C94009E37DAC2052882A305E78537F5E9632B56
C:\Windows\Installer\inprogressinstallinfo.ipi	Composite Document File V2 Document, Cannot read section info	0B3E64C4ADBCDB049120DF8CD2F26993	054653BB088EC183AACF27D8531FAE57A81DD34C	C0CE78B0BBED0A239046BC72E79332B5798BBD8DE08EFB106EC1DE8D320AE192
C:\Windows\Installer\{A5C74DC7-9616-4A5E-846D-F56E256CF46F}\icon.ico	MS Windows icon resource - 9 icons, 16x16, 32 bits/pixel, 24x24, 32 bits/pixel	9500AE5294D8F000F4AA1A1F7620756B	EB1BB35C4F4B3E5142E55022E3BC10DCEAA320B3	146BD6689CBFB474C7F4C6FE2C4F1EAECE56A803BB8988E16461E9630AD2A880
C:\Windows\Installer\{A5C74DC7-9616-4A5E-846D-F56E256CF46F}\ie.ico	MS Windows icon resource - 2 icons, 32x32, 16x16	47AC15648F4FDCCA30A9F0892692949E	0BB3D452CB9A44A50A2851746BFAB3D001716D08	052715BED7B8C5AE19B2F3E61A93EA56A313D3027088585E4C8A6CC1ECA3AC9D
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log	Unicode text, UTF-8 (with BOM) text, with CRLF line terminators	77940E02A05F92C7233F59694DF5E4A0	AEC9F4B670B6F3F02126D4F9908FAE9648045803	075A07FDC7F17265CC8158EDF404704C0E43957D94BB1C6EE4AD5FAA6724E974
C:\Windows\Temp\~DF196D1133CD399CF8.TMP	Composite Document File V2 Document, Cannot read section info	F5FBBF4F74C87384FDC23CB077AE8FE4	32B35D7DDB7559A96D8C53EAB22FBF47379A98AE	9BB8EFF59AEEAEB106125E9E43334E5C51C33F05F62C72F6D3CA2E3818015F12
C:\Windows\Temp\~DF3F7EAF4F5ADCC4BF.TMP	Composite Document File V2 Document, Cannot read section info	0B3E64C4ADBCDB049120DF8CD2F26993	054653BB088EC183AACF27D8531FAE57A81DD34C	C0CE78B0BBED0A239046BC72E79332B5798BBD8DE08EFB106EC1DE8D320AE192
C:\Windows\Temp\~DF46FE766947CBCC9A.TMP	Composite Document File V2 Document, Cannot read section info	F5FBBF4F74C87384FDC23CB077AE8FE4	32B35D7DDB7559A96D8C53EAB22FBF47379A98AE	9BB8EFF59AEEAEB106125E9E43334E5C51C33F05F62C72F6D3CA2E3818015F12
C:\Windows\Temp\~DF8CA88C56E74E7E2F.TMP	Composite Document File V2 Document, Cannot read section info	0B3E64C4ADBCDB049120DF8CD2F26993	054653BB088EC183AACF27D8531FAE57A81DD34C	C0CE78B0BBED0A239046BC72E79332B5798BBD8DE08EFB106EC1DE8D320AE192
C:\Windows\Temp\~DF989544F757F69EF6.TMP	data	BF619EAC0CDF3F68D496EA9344137E8B	5C3EB80066420002BC3DCC7CA4AB6EFAD7ED4AE5	076A27C79E5ACE2A3D47F9DD2E83E4FF6EA8872B3C2218F66C92B89B55F36560
C:\Windows\Temp\~DFC740DF0614F93682.TMP	data	BF619EAC0CDF3F68D496EA9344137E8B	5C3EB80066420002BC3DCC7CA4AB6EFAD7ED4AE5	076A27C79E5ACE2A3D47F9DD2E83E4FF6EA8872B3C2218F66C92B89B55F36560
C:\Windows\Temp\~DFD02EA1444F981F5D.TMP	data	BF619EAC0CDF3F68D496EA9344137E8B	5C3EB80066420002BC3DCC7CA4AB6EFAD7ED4AE5	076A27C79E5ACE2A3D47F9DD2E83E4FF6EA8872B3C2218F66C92B89B55F36560
C:\Windows\Temp\~DFD139A1C245630496.TMP	data	BF619EAC0CDF3F68D496EA9344137E8B	5C3EB80066420002BC3DCC7CA4AB6EFAD7ED4AE5	076A27C79E5ACE2A3D47F9DD2E83E4FF6EA8872B3C2218F66C92B89B55F36560
C:\Windows\Temp\~DFD2F009AA6B86C0CE.TMP	data	831F5AE41136A0DEDC1ED111992EE752	315B3CA3D76940BC6E96FD1E143E390D455CFCB9	8D3DD0F7A7A97404604A12EB3CA4138591ED1F39B91814D7AD0BF0429D8093C2
C:\Windows\Temp\~DFF164ACC84465A887.TMP	data	BE06243300E15D36FFAFF576EEF8A27B	7F719DF30C3AAA14E5D300D10700E84EBBD210BF	E8F85536FDF70DF02EB15A2C30F26A3072F4CEB230A2B06373B69031FDE8DCED
C:\Windows\Temp\~DFF2B2D8159DBF2E89.TMP	Composite Document File V2 Document, Cannot read section info	F5FBBF4F74C87384FDC23CB077AE8FE4	32B35D7DDB7559A96D8C53EAB22FBF47379A98AE	9BB8EFF59AEEAEB106125E9E43334E5C51C33F05F62C72F6D3CA2E3818015F12
C:\Windows\Temp\~DFF987463988E13002.TMP	data	BF619EAC0CDF3F68D496EA9344137E8B	5C3EB80066420002BC3DCC7CA4AB6EFAD7ED4AE5	076A27C79E5ACE2A3D47F9DD2E83E4FF6EA8872B3C2218F66C92B89B55F36560
\Device\Mup\user-PC*\MAILSLOT\NET\NETLOGON	data	AA61216F9A06E0243C57C05A826BAFE8	C18E5F4551400ECE25EF5823CD56B10AA7F99AAF	AFE865F02F03167A14137DD71B672550BEF826A08B05B7A9D955E22D27A7B133

Windows Analysis Report C2ADPhotosSetupEN.exe

Overview

General Information

Detection

Compliance

Signatures

Classification

Signatures

Compliance

Spreading

Networking

System Summary

Data Obfuscation

Persistence and Installation Behavior

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

Language, Device and Operating System Detection

Screenshots

Behavior Graph

Network Map

Windows Analysis Report
C2ADPhotosSetupEN.exe