Edit tour

Windows Analysis Report
C2ADPhotosSetupEN.exe

Overview

General Information

Sample name:	C2ADPhotosSetupEN.exe
Analysis ID:	1542206
MD5:	b267edc8d01b07caef2e334a05b92351
SHA1:	8da34b3ede48ba1ad32dd5238e03b19116874613
SHA256:	2679ae59bfc014e4c9aa8046ba11d3f7e5cef36536a4be768bf5de4606dd392e
Infos:

Detection

Score:	5
Range:	0 - 100
Whitelisted:	false
Confidence:	20%

Compliance

Score:	49
Range:	0 - 100

Signatures

Allocates memory with a write watch (potentially for evading sandboxes)

Checks for available system drives (often done to infect USB drives)

Contains long sleeps (>= 3 min)

Creates files inside the system directory

Deletes files inside the Windows folder

Detected potential crypto function

Drops PE files

Drops PE files to the windows directory (C:\Windows)

Enables debug privileges

Found dropped PE file which has not been started or loaded

Launches processes in debugging mode, may be used to hinder debugging

May sleep (evasive loops) to hinder dynamic analysis

PE file contains an invalid checksum

PE file contains executable resources (Code or Archives)

PE file contains sections with non-standard names

Queries the volume information (name, serial number etc) of a device

Sample file is different than original file name gathered from version info

Stores files to the Windows start menu directory

Uses 32bit PE files

Uses code obfuscation techniques (call, push, ret)

Classification

Process Tree

System is w10x64

C2ADPhotosSetupEN.exe (PID: 6688 cmdline: "C:\Users\user\Desktop\C2ADPhotosSetupEN.exe" MD5: B267EDC8D01B07CAEF2E334A05B92351)

msiexec.exe (PID: 6436 cmdline: C:\Windows\system32\msiexec.exe /V MD5: E5DA170027542E25EDE42FC54C929077)

msiexec.exe (PID: 2636 cmdline: C:\Windows\syswow64\MsiExec.exe -Embedding D9E5602CD0D1E59BA79DE8DE2B3D0A62 C MD5: 9D09DC1EDA745A5F87553048E57620CF)

msiexec.exe (PID: 4352 cmdline: C:\Windows\syswow64\MsiExec.exe -Embedding 3336940CC5EF5A00D0ECD9674475EFA1 MD5: 9D09DC1EDA745A5F87553048E57620CF)

CodeTwo Active Directory Photos.exe (PID: 5948 cmdline: "C:\Program Files\CodeTwo\CodeTwo Active Directory Photos\CodeTwo Active Directory Photos.exe" MD5: 64FA128F137A7AEFCFA59744C6B17A75)

cleanup

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

There are no malicious signatures, click here to show all signatures.

Compliance

Uses 32bit PE files

Source: C2ADPhotosSetupEN.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Creates a directory in C:\Program Files

Source: C:\Windows\System32\msiexec.exe	Directory created: C:\Program Files\CodeTwo	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Directory created: C:\Program Files\CodeTwo\CodeTwo Active Directory Photos	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Directory created: C:\Program Files\CodeTwo\CodeTwo Active Directory Photos\C2.Common.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Directory created: C:\Program Files\CodeTwo\CodeTwo Active Directory Photos\ER.Shared.Common.2.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Directory created: C:\Program Files\CodeTwo\CodeTwo Active Directory Photos\C2WinUI.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Directory created: C:\Program Files\CodeTwo\CodeTwo Active Directory Photos\TXTextControl.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Directory created: C:\Program Files\CodeTwo\CodeTwo Active Directory Photos\tx151rtf.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Directory created: C:\Program Files\CodeTwo\CodeTwo Active Directory Photos\tx151.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Directory created: C:\Program Files\CodeTwo\CodeTwo Active Directory Photos\tx151tls.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Directory created: C:\Program Files\CodeTwo\CodeTwo Active Directory Photos\C2ADPhotos.AD.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Directory created: C:\Program Files\CodeTwo\CodeTwo Active Directory Photos\C2ADPhotos.Common.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Directory created: C:\Program Files\CodeTwo\CodeTwo Active Directory Photos\C2ADPhotos.Controls.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Directory created: C:\Program Files\CodeTwo\CodeTwo Active Directory Photos\Data	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Directory created: C:\Program Files\CodeTwo\CodeTwo Active Directory Photos\Data\HomePage.url	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Directory created: C:\Program Files\CodeTwo\CodeTwo Active Directory Photos\CodeTwo Active Directory Photos.exe	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Directory created: C:\Program Files\CodeTwo\CodeTwo Active Directory Photos\CodeTwo Active Directory Photos.exe.config	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Directory created: C:\Program Files\CodeTwo\CodeTwo Active Directory Photos\Data\User's manual.url	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Directory created: C:\Program Files\CodeTwo\CodeTwo Active Directory Photos\C2Wpf.Common.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Directory created: C:\Program Files\CodeTwo\CodeTwo Active Directory Photos\C2Wpf.Controls.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Directory created: C:\Program Files\CodeTwo\CodeTwo Active Directory Photos\ER.Shared.MessageComposition.Lib.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Directory created: C:\Program Files\CodeTwo\CodeTwo Active Directory Photos\ER.Shared.Placeholders.2.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Directory created: C:\Program Files\CodeTwo\CodeTwo Active Directory Photos\ER.Shared.RulesProcessor.2.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Directory created: C:\Program Files\CodeTwo\CodeTwo Active Directory Photos\ER.Shared.Settings.2.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Directory created: C:\Program Files\CodeTwo\CodeTwo Active Directory Photos\ER.Shared.Html.2.dll	Jump to behavior

Creates a software uninstall entry

Source: C:\Windows\System32\msiexec.exe

Registry value created: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{A5C74DC7-9616-4A5E-846D-F56E256CF46F}

Jump to behavior

PE / OLE file has a valid certificate

Source: C2ADPhotosSetupEN.exe

Static PE information: certificate valid

Contains modern PE file flags such as dynamic base (ASLR) or NX

Source: C2ADPhotosSetupEN.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE

Binary contains paths to debug symbols

Source:	Binary string: C:\build\work\eca3d12b\wix3\build\ship\x86\uica.pdb source: C2ADPhotosSetupEN.exe, 431a48.msi.2.dr, 431a4a.msi.2.dr
Source:	Binary string: D:\A2\_work\115\s\Output\Obfuscated\C2ADPhotos.AD.pdbp source: CodeTwo Active Directory Photos.exe, 00000006.00000002.2460177474.000000001B56B000.00000002.00000001.01000000.00000017.sdmp
Source:	Binary string: F:\B\A11\_work\10\s\Main\C2Common\Modules\C2Wpf.Common\obj\ReleaseNET45\C2Wpf.Common.pdb source: CodeTwo Active Directory Photos.exe, 00000006.00000002.2454586241.00000000027F2000.00000002.00000001.01000000.00000013.sdmp
Source:	Binary string: F:\B\A11\_work\10\s\Output\C2ERBase2\Any CPU\ReleaseNET45\ER.Shared.Common.2.pdb source: CodeTwo Active Directory Photos.exe, 00000006.00000002.2463304418.000000001BED2000.00000002.00000001.01000000.00000019.sdmp
Source:	Binary string: F:\B\A11\_work\10\s\Main\C2ERBase2\Modules\ER.Shared.Settings\obj\ReleaseNET45\ER.Shared.Settings.2.pdb source: CodeTwo Active Directory Photos.exe, 00000006.00000002.2466378356.000000001D022000.00000002.00000001.01000000.0000001C.sdmp
Source:	Binary string: F:\B\A11\_work\10\s\Main\C2ERBase2\Modules\ER.Shared.Placeholders\obj\ReleaseNET45\ER.Shared.Placeholders.2.pdb source: CodeTwo Active Directory Photos.exe, 00000006.00000002.2466305357.000000001CFF2000.00000002.00000001.01000000.0000001B.sdmp, ER.Shared.Placeholders.2.dll.2.dr
Source:	Binary string: F:\B\A11\_work\10\s\Output\C2ERBase2\Any CPU\ReleaseNET45\C2.Common.pdb source: CodeTwo Active Directory Photos.exe, 00000006.00000002.2454719140.0000000002822000.00000002.00000001.01000000.00000015.sdmp
Source:	Binary string: F:\B\A11\_work\10\s\Main\C2Common\Modules\C2Wpf.Controls\obj\ReleaseNET45\C2Wpf.Controls.pdb source: CodeTwo Active Directory Photos.exe, 00000006.00000002.2463413177.000000001CF22000.00000002.00000001.01000000.0000001A.sdmp, C2Wpf.Controls.dll.2.dr
Source:	Binary string: F:\B\A11\_work\10\s\Main\C2ERBase2\Modules\ER.Shared.Placeholders\obj\ReleaseNET45\ER.Shared.Placeholders.2.pdb0~J~ <~_CorDllMainmscoree.dll source: CodeTwo Active Directory Photos.exe, 00000006.00000002.2466305357.000000001CFF2000.00000002.00000001.01000000.0000001B.sdmp, ER.Shared.Placeholders.2.dll.2.dr
Source:	Binary string: F:\B\A11\_work\10\s\Output\C2ERBase2\Any CPU\ReleaseNET45\ER.Shared.MessageComposition.Lib.pdb source: ER.Shared.MessageComposition.Lib.dll.2.dr
Source:	Binary string: F:\B\A11\_work\10\s\Output\C2ERBase2\Any CPU\ReleaseNET45\C2.Common.pdbsr source: CodeTwo Active Directory Photos.exe, 00000006.00000002.2454719140.0000000002822000.00000002.00000001.01000000.00000015.sdmp
Source:	Binary string: E:\B\A5\_work\57\s\Output\C2Native\Win32\ReleaseStatic\C2CustomActions.pdb source: C2ADPhotosSetupEN.exe, 431a48.msi.2.dr, 431a4a.msi.2.dr
Source:	Binary string: os.pdb source: CodeTwo Active Directory Photos.exe, 00000006.00000002.2459211679.000000001B3BA000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: F:\B\A11\_work\10\s\Output\C2ERBase2\Any CPU\ReleaseNET45\C2WinUI.pdb source: CodeTwo Active Directory Photos.exe, 00000006.00000002.2459946087.000000001B4C2000.00000002.00000001.01000000.00000016.sdmp
Source:	Binary string: F:\B\A11\_work\10\s\Output\C2ERBase2\Any CPU\ReleaseNET45\ER.Shared.Common.2.pdb' source: CodeTwo Active Directory Photos.exe, 00000006.00000002.2463304418.000000001BED2000.00000002.00000001.01000000.00000019.sdmp
Source:	Binary string: D:\A2\_work\115\s\Output\Obfuscated\CodeTwo Active Directory Photos.pdb source: CodeTwo Active Directory Photos.exe, 00000006.00000000.2345167044.0000000000587000.00000002.00000001.01000000.00000009.sdmp
Source:	Binary string: D:\dd\fx\NetFXDev1\binaries\x86ret\bin\i386\VSSetup\Utils\boxstub.pdb source: C2ADPhotosSetupEN.exe
Source:	Binary string: D:\A2\_work\115\s\Output\Obfuscated\C2ADPhotos.AD.pdb source: CodeTwo Active Directory Photos.exe, 00000006.00000002.2460177474.000000001B56B000.00000002.00000001.01000000.00000017.sdmp

Spreading

Checks for available system drives (often done to infect USB drives)

Source: C:\Windows\System32\msiexec.exe	File opened: z:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: x:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: v:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: t:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: r:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: p:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: n:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: l:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: j:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: h:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: f:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: b:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: y:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: w:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: u:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: s:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: q:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: o:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: m:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: k:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: i:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: g:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: e:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: c:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: a:	Jump to behavior

Networking

Source: ER.Shared.MessageComposition.Lib.dll.2.dr	String found in binary or memory: FacebookOhttps://www.facebook.com/user_name_here equals www.facebook.com (Facebook)
Source: ER.Shared.MessageComposition.Lib.dll.2.dr	String found in binary or memory: LinkedIn_https://www.linkedin.com/company/user_name_here equals www.linkedin.com (Linkedin)
Source: ER.Shared.MessageComposition.Lib.dll.2.dr	String found in binary or memory: TwitterEhttps://twitter.com/user_name_hereXingWhttps://www.xing.com/profile/user_name_here equals www.twitter.com (Twitter)
Source: ER.Shared.MessageComposition.Lib.dll.2.dr	String found in binary or memory: YoutubeWhttps://www.youtube.com/user/user_name_here'Failed load window. equals www.youtube.com (Youtube)

Source: ER.Shared.MessageComposition.Lib.dll.2.dr	String found in binary or memory: http://badoo.com/user_name_here
Source: C2ADPhotosSetupEN.exe, ER.Shared.Placeholders.2.dll.2.dr, 431a48.msi.2.dr, ER.Shared.MessageComposition.Lib.dll.2.dr, 431a4a.msi.2.dr	String found in binary or memory: http://certificates.godaddy.com/repository/0
Source: C2ADPhotosSetupEN.exe, ER.Shared.Placeholders.2.dll.2.dr, 431a48.msi.2.dr, ER.Shared.MessageComposition.Lib.dll.2.dr, 431a4a.msi.2.dr	String found in binary or memory: http://certificates.godaddy.com/repository/gdig2.crt0
Source: C2ADPhotosSetupEN.exe, ER.Shared.Placeholders.2.dll.2.dr, 431a48.msi.2.dr, ER.Shared.MessageComposition.Lib.dll.2.dr, 431a4a.msi.2.dr	String found in binary or memory: http://certs.godaddy.com/repository/1301
Source: CodeTwo Active Directory Photos.exe, 00000006.00000002.2454719140.0000000002822000.00000002.00000001.01000000.00000015.sdmp	String found in binary or memory: http://codetwo.com/CRM
Source: CodeTwo Active Directory Photos.exe, 00000006.00000002.2454719140.0000000002822000.00000002.00000001.01000000.00000015.sdmp	String found in binary or memory: http://codetwo.com/ITimeService/GetCurrentTimeResponsew
Source: CodeTwo Active Directory Photos.exe, 00000006.00000002.2454719140.0000000002822000.00000002.00000001.01000000.00000015.sdmp	String found in binary or memory: http://codetwo.com/ITimeService/GetCurrentTimeT
Source: CodeTwo Active Directory Photos.exe, 00000006.00000002.2454719140.0000000002822000.00000002.00000001.01000000.00000015.sdmp	String found in binary or memory: http://codetwo.com/ITimeService/ResetOffsetResponseI
Source: CodeTwo Active Directory Photos.exe, 00000006.00000002.2454719140.0000000002822000.00000002.00000001.01000000.00000015.sdmp	String found in binary or memory: http://codetwo.com/ITimeService/ResetOffsetT
Source: CodeTwo Active Directory Photos.exe, 00000006.00000002.2454719140.0000000002822000.00000002.00000001.01000000.00000015.sdmp	String found in binary or memory: http://codetwo.com/ITimeService/SetOffsetResponse
Source: CodeTwo Active Directory Photos.exe, 00000006.00000002.2454719140.0000000002822000.00000002.00000001.01000000.00000015.sdmp	String found in binary or memory: http://codetwo.com/ITimeService/SetOffsetT
Source: CodeTwo Active Directory Photos.exe, 00000006.00000002.2454719140.0000000002822000.00000002.00000001.01000000.00000015.sdmp	String found in binary or memory: http://codetwo.comT
Source: C2ADPhotosSetupEN.exe, ER.Shared.Placeholders.2.dll.2.dr, 431a48.msi.2.dr, ER.Shared.MessageComposition.Lib.dll.2.dr, 431a4a.msi.2.dr	String found in binary or memory: http://crl.godaddy.com/gdig2s5-3.crl0
Source: C2ADPhotosSetupEN.exe	String found in binary or memory: http://crl.godaddy.com/gdig2s5-6.crl0
Source: C2ADPhotosSetupEN.exe, ER.Shared.Placeholders.2.dll.2.dr, 431a48.msi.2.dr, ER.Shared.MessageComposition.Lib.dll.2.dr, 431a4a.msi.2.dr	String found in binary or memory: http://crl.godaddy.com/gdroot-g2.crl0F
Source: C2ADPhotosSetupEN.exe	String found in binary or memory: http://crl.sectigo.com/SectigoRSATimeStampingCA.crl0t
Source: C2ADPhotosSetupEN.exe	String found in binary or memory: http://crt.sectigo.com/SectigoRSATimeStampingCA.crt0#
Source: C2ADPhotosSetupEN.exe, ER.Shared.Placeholders.2.dll.2.dr, 431a48.msi.2.dr, ER.Shared.MessageComposition.Lib.dll.2.dr, 431a4a.msi.2.dr	String found in binary or memory: http://ocsp.godaddy.com/0
Source: C2ADPhotosSetupEN.exe, ER.Shared.Placeholders.2.dll.2.dr, 431a48.msi.2.dr, ER.Shared.MessageComposition.Lib.dll.2.dr, 431a4a.msi.2.dr	String found in binary or memory: http://ocsp.godaddy.com/05
Source: C2ADPhotosSetupEN.exe	String found in binary or memory: http://ocsp.sectigo.com0
Source: CodeTwo Active Directory Photos.exe, 00000006.00000002.2454794658.0000000002984000.00000004.00000800.00020000.00000000.sdmp, CodeTwo Active Directory Photos.exe, 00000006.00000002.2463413177.000000001CF22000.00000002.00000001.01000000.0000001A.sdmp, C2Wpf.Controls.dll.2.dr	String found in binary or memory: http://schemas.codetwo.com/Net45/defined
Source: CodeTwo Active Directory Photos.exe, 00000006.00000002.2463413177.000000001CF22000.00000002.00000001.01000000.0000001A.sdmp, C2Wpf.Controls.dll.2.dr	String found in binary or memory: http://schemas.codetwo.com/Net45/definedI
Source: CodeTwo Active Directory Photos.exe, 00000006.00000002.2454794658.0000000002EEF000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.datacontract.org
Source: CodeTwo Active Directory Photos.exe, 00000006.00000002.2459946087.000000001B4C2000.00000002.00000001.01000000.00000016.sdmp, CodeTwo Active Directory Photos.exe, 00000006.00000002.2454794658.0000000002EEF000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.datacontract.org/2004/07/
Source: CodeTwo Active Directory Photos.exe, 00000006.00000002.2454794658.0000000002EEF000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.datacontract.org/2004/07/C2ADPhotos.AD
Source: CodeTwo Active Directory Photos.exe, 00000006.00000002.2454794658.0000000002EEF000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.datacontract.org/2004/07/C2ADPhotos.Common
Source: CodeTwo Active Directory Photos.exe, 00000006.00000002.2454794658.0000000002EEF000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.datacontract.org/2004/07/ER.Shared.Placeholders
Source: CodeTwo Active Directory Photos.exe, 00000006.00000002.2454794658.0000000002EEF000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.datacontract.org/2004/07/System.Xml
Source: ER.Shared.MessageComposition.Lib.dll.2.dr	String found in binary or memory: http://url_to/rss.xml
Source: ER.Shared.MessageComposition.Lib.dll.2.dr	String found in binary or memory: http://user_name_here.tumblr.com
Source: ER.Shared.MessageComposition.Lib.dll.2.dr	String found in binary or memory: http://www.codetw.com
Source: CodeTwo Active Directory Photos.exe, 00000006.00000002.2454651827.0000000002802000.00000002.00000001.01000000.00000014.sdmp, CodeTwo Active Directory Photos.exe, 00000006.00000002.2454794658.0000000002EEF000.00000004.00000800.00020000.00000000.sdmp, ER.Shared.MessageComposition.Lib.dll.2.dr	String found in binary or memory: http://www.codetwo.com
Source: CodeTwo Active Directory Photos.exe, 00000006.00000002.2466305357.000000001CFF2000.00000002.00000001.01000000.0000001B.sdmp, ER.Shared.Placeholders.2.dll.2.dr	String found in binary or memory: http://www.codetwo.com.
Source: CodeTwo Active Directory Photos.exe, 00000006.00000002.2454794658.0000000002EEF000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.codetwo.com/
Source: ER.Shared.MessageComposition.Lib.dll.2.dr	String found in binary or memory: http://www.codetwo.com/EmailTracking
Source: C2ADPhotosSetupEN.exe, 00000000.00000003.2373722770.0000000002059000.00000004.00000020.00020000.00000000.sdmp, C2ADPhotosSetupEN.exe, 00000000.00000002.2376879823.000000000205C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.codetwo.com/form/uninstall/active-directory-photos/
Source: HomePage.url.2.dr	String found in binary or memory: http://www.codetwo.com/freeware/active-directory-photos?sts=1327
Source: C2ADPhotosSetupEN.exe, ER.Shared.Placeholders.2.dll.2.dr, 431a48.msi.2.dr, ER.Shared.MessageComposition.Lib.dll.2.dr, 431a4a.msi.2.dr	String found in binary or memory: http://www.codetwo.com0
Source: CodeTwo Active Directory Photos.exe, 00000006.00000002.2463304418.000000001BED2000.00000002.00000001.01000000.00000019.sdmp, CodeTwo Active Directory Photos.exe, 00000006.00000002.2454651827.0000000002802000.00000002.00000001.01000000.00000014.sdmp	String found in binary or memory: http://www.codetwo.com5
Source: CodeTwo Active Directory Photos.exe, 00000006.00000002.2454651827.0000000002802000.00000002.00000001.01000000.00000014.sdmp	String found in binary or memory: http://www.codetwo.com8
Source: CodeTwo Active Directory Photos.exe, 00000006.00000002.2454651827.0000000002802000.00000002.00000001.01000000.00000014.sdmp	String found in binary or memory: http://www.codetwo.com;
Source: CodeTwo Active Directory Photos.exe, 00000006.00000002.2466305357.000000001CFF2000.00000002.00000001.01000000.0000001B.sdmp, CodeTwo Active Directory Photos.exe, 00000006.00000002.2463304418.000000001BED2000.00000002.00000001.01000000.00000019.sdmp, CodeTwo Active Directory Photos.exe, 00000006.00000000.2345167044.00000000003D2000.00000002.00000001.01000000.00000009.sdmp, CodeTwo Active Directory Photos.exe, 00000006.00000002.2454719140.0000000002822000.00000002.00000001.01000000.00000015.sdmp, CodeTwo Active Directory Photos.exe, 00000006.00000002.2466378356.000000001D022000.00000002.00000001.01000000.0000001C.sdmp, ER.Shared.Placeholders.2.dll.2.dr	String found in binary or memory: http://www.codetwo.comT
Source: CodeTwo Active Directory Photos.exe, 00000006.00000000.2345167044.00000000003D2000.00000002.00000001.01000000.00000009.sdmp	String found in binary or memory: http://www.codetwo.comV
Source: CodeTwo Active Directory Photos.exe, 00000006.00000002.2454794658.0000000002EEF000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.codetwo.comX
Source: CodeTwo Active Directory Photos.exe, 00000006.00000002.2454794658.00000000031C9000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.codetwo.comh
Source: ER.Shared.MessageComposition.Lib.dll.2.dr	String found in binary or memory: http://www.codetwo.comohttp://www.codetwo.com/freeware/active-directory-photos
Source: CodeTwo Active Directory Photos.exe, 00000006.00000002.2454794658.00000000031C9000.00000004.00000800.00020000.00000000.sdmp, CodeTwo Active Directory Photos.exe, 00000006.00000002.2454794658.0000000002EEF000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.codetwo.comp
Source: CodeTwo Active Directory Photos.exe, 00000006.00000002.2454794658.00000000031C9000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.w3.o
Source: CodeTwo Active Directory Photos.exe, 00000006.00000002.2454794658.00000000031C9000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.w3.oh
Source: C2ADPhotosSetupEN.exe, ER.Shared.Placeholders.2.dll.2.dr, 431a48.msi.2.dr, ER.Shared.MessageComposition.Lib.dll.2.dr, 431a4a.msi.2.dr	String found in binary or memory: https://certs.godaddy.com/repository/0
Source: ER.Shared.MessageComposition.Lib.dll.2.dr	String found in binary or memory: https://instagram.com/user_name_here
Source: ER.Shared.MessageComposition.Lib.dll.2.dr	String found in binary or memory: https://plus.google.com/
Source: C2ADPhotosSetupEN.exe	String found in binary or memory: https://sectigo.com/CPS0D
Source: ER.Shared.MessageComposition.Lib.dll.2.dr	String found in binary or memory: https://soundcloud.com/user_name_here
Source: ER.Shared.MessageComposition.Lib.dll.2.dr	String found in binary or memory: https://twitter.com/user_name_here
Source: CodeTwo Active Directory Photos.exe, 00000006.00000000.2345167044.00000000003D2000.00000002.00000001.01000000.00000009.sdmp	String found in binary or memory: https://userphotos365.codetwo.com
Source: CodeTwo Active Directory Photos.exe, 00000006.00000002.2454794658.0000000002B82000.00000004.00000800.00020000.00000000.sdmp, CodeTwo Active Directory Photos.exe, 00000006.00000002.2454651827.0000000002802000.00000002.00000001.01000000.00000014.sdmp	String found in binary or memory: https://www.codetwo.com/exchange-rules-pro/how-to-add-signatures-with-photos-from-active-directory?s
Source: CodeTwo Active Directory Photos.exe, 00000006.00000002.2454651827.0000000002802000.00000002.00000001.01000000.00000014.sdmp	String found in binary or memory: https://www.codetwo.com/freeware/active-directory-photos?sts=1327
Source: ER.Shared.MessageComposition.Lib.dll.2.dr	String found in binary or memory: https://www.codetwo.com/kb/images-online-vs-embedded/
Source: CodeTwo Active Directory Photos.exe, 00000006.00000002.2454794658.0000000002B82000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.codetwo.com/solutions-for-exchange-server/?sts=1326
Source: CodeTwo Active Directory Photos.exe, 00000006.00000002.2454651827.0000000002802000.00000002.00000001.01000000.00000014.sdmp	String found in binary or memory: https://www.codetwo.com/userguide/active-directory-photos/interface.htm?sts=1327#custom-filter
Source: CodeTwo Active Directory Photos.exe, 00000006.00000002.2454651827.0000000002802000.00000002.00000001.01000000.00000014.sdmp	String found in binary or memory: https://www.codetwo.com/userguide/active-directory-photos/multi-photo.htm?sts=1327#automatch
Source: CodeTwo Active Directory Photos.exe, 00000006.00000002.2454651827.0000000002802000.00000002.00000001.01000000.00000014.sdmp	String found in binary or memory: https://www.codetwo.com/userguide/active-directory-photos/multi-photo.htm?sts=1327#export
Source: CodeTwo Active Directory Photos.exe, 00000006.00000002.2454651827.0000000002802000.00000002.00000001.01000000.00000014.sdmp	String found in binary or memory: https://www.codetwo.com/userguide/active-directory-photos/multi-photo.htm?sts=1327#import
Source: CodeTwo Active Directory Photos.exe, 00000006.00000002.2454651827.0000000002802000.00000002.00000001.01000000.00000014.sdmp	String found in binary or memory: https://www.codetwo.com/userguide/active-directory-photos/photo-editor.htm?sts=1327
Source: CodeTwo Active Directory Photos.exe, 00000006.00000002.2454651827.0000000002802000.00000002.00000001.01000000.00000014.sdmp	String found in binary or memory: https://www.codetwo.com/userguide/active-directory-photos/settings.htm?sts=1327
Source: CodeTwo Active Directory Photos.exe, 00000006.00000002.2454651827.0000000002802000.00000002.00000001.01000000.00000014.sdmp	String found in binary or memory: https://www.codetwo.com?sts=1328
Source: ER.Shared.MessageComposition.Lib.dll.2.dr	String found in binary or memory: https://www.linkedin.com/company/user_name_here
Source: ER.Shared.MessageComposition.Lib.dll.2.dr	String found in binary or memory: https://www.pinterest.com/user_name_here
Source: ER.Shared.MessageComposition.Lib.dll.2.dr	String found in binary or memory: https://www.xing.com/profile/user_name_here
Source: ER.Shared.MessageComposition.Lib.dll.2.dr	String found in binary or memory: https://www.youtube.com/user/user_name_here

System Summary

Creates files inside the system directory

Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\431a48.msi	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSI1E11.tmp	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\inprogressinstallinfo.ipi	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\SourceHash{A5C74DC7-9616-4A5E-846D-F56E256CF46F}	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSI1EDD.tmp	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\{A5C74DC7-9616-4A5E-846D-F56E256CF46F}	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\{A5C74DC7-9616-4A5E-846D-F56E256CF46F}\icon.ico	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\{A5C74DC7-9616-4A5E-846D-F56E256CF46F}\ie.ico	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\431a4a.msi	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\431a4a.msi	Jump to behavior

Deletes files inside the Windows folder

Source: C:\Windows\System32\msiexec.exe

File deleted: C:\Windows\Installer\MSI1E11.tmp

Jump to behavior

Detected potential crypto function

Source: C:\Program Files\CodeTwo\CodeTwo Active Directory Photos\CodeTwo Active Directory Photos.exe	Code function: 6_2_00007FF8485CA23E	6_2_00007FF8485CA23E
Source: C:\Program Files\CodeTwo\CodeTwo Active Directory Photos\CodeTwo Active Directory Photos.exe	Code function: 6_2_00007FF8485C49FB	6_2_00007FF8485C49FB
Source: C:\Program Files\CodeTwo\CodeTwo Active Directory Photos\CodeTwo Active Directory Photos.exe	Code function: 6_2_00007FF8485C6AA6	6_2_00007FF8485C6AA6
Source: C:\Program Files\CodeTwo\CodeTwo Active Directory Photos\CodeTwo Active Directory Photos.exe	Code function: 6_2_00007FF8485C5B74	6_2_00007FF8485C5B74
Source: C:\Program Files\CodeTwo\CodeTwo Active Directory Photos\CodeTwo Active Directory Photos.exe	Code function: 6_2_00007FF8485C0D6D	6_2_00007FF8485C0D6D
Source: C:\Program Files\CodeTwo\CodeTwo Active Directory Photos\CodeTwo Active Directory Photos.exe	Code function: 6_2_00007FF8485CE061	6_2_00007FF8485CE061
Source: C:\Program Files\CodeTwo\CodeTwo Active Directory Photos\CodeTwo Active Directory Photos.exe	Code function: 6_2_00007FF8485CE146	6_2_00007FF8485CE146
Source: C:\Program Files\CodeTwo\CodeTwo Active Directory Photos\CodeTwo Active Directory Photos.exe	Code function: 6_2_00007FF8485CE178	6_2_00007FF8485CE178
Source: C:\Program Files\CodeTwo\CodeTwo Active Directory Photos\CodeTwo Active Directory Photos.exe	Code function: 6_2_00007FF8485C6B3A	6_2_00007FF8485C6B3A
Source: C:\Program Files\CodeTwo\CodeTwo Active Directory Photos\CodeTwo Active Directory Photos.exe	Code function: 6_2_00007FF848770A98	6_2_00007FF848770A98
Source: C:\Program Files\CodeTwo\CodeTwo Active Directory Photos\CodeTwo Active Directory Photos.exe	Code function: 6_2_00007FF8485C7A91	6_2_00007FF8485C7A91

PE file contains executable resources (Code or Archives)

Source: C2ADPhotosSetupEN.exe

Static PE information: Resource name: EXE type: PE32 executable (GUI) Intel 80386, for MS Windows

Sample file is different than original file name gathered from version info

Source: C2ADPhotosSetupEN.exe, 00000000.00000002.2375301153.0000000000839000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenameuica.dll\ vs C2ADPhotosSetupEN.exe
Source: C2ADPhotosSetupEN.exe, 00000000.00000002.2375301153.00000000016C6000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenameNDP46-KB3045560-Web.exeZ vs C2ADPhotosSetupEN.exe
Source: C2ADPhotosSetupEN.exe, 00000000.00000002.2375301153.00000000016C6000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenameBoxStub.exeT vs C2ADPhotosSetupEN.exe
Source: C2ADPhotosSetupEN.exe, 00000000.00000000.2137298045.0000000000FCA000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenameuica.dll\ vs C2ADPhotosSetupEN.exe
Source: C2ADPhotosSetupEN.exe	Binary or memory string: OriginalFilenameuica.dll\ vs C2ADPhotosSetupEN.exe
Source: C2ADPhotosSetupEN.exe	Binary or memory string: OriginalFilenameNDP46-KB3045560-Web.exeZ vs C2ADPhotosSetupEN.exe
Source: C2ADPhotosSetupEN.exe	Binary or memory string: OriginalFilenameBoxStub.exeT vs C2ADPhotosSetupEN.exe

Uses 32bit PE files

Source: C2ADPhotosSetupEN.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: classification engine

Classification label: clean5.winEXE@8/54@0/0

Source: C:\Windows\System32\msiexec.exe

File created: C:\Program Files\CodeTwo

Jump to behavior

Source: C:\Program Files\CodeTwo\CodeTwo Active Directory Photos\CodeTwo Active Directory Photos.exe

File created: C:\Users\user\AppData\Local\CodeTwo

Jump to behavior

Source: C:\Program Files\CodeTwo\CodeTwo Active Directory Photos\CodeTwo Active Directory Photos.exe

Mutant created: NULL

Source: C:\Users\user\Desktop\C2ADPhotosSetupEN.exe

File created: C:\Users\user\AppData\Local\Temp\MSI9BE.tmp

Jump to behavior

Source: C2ADPhotosSetupEN.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\C2ADPhotosSetupEN.exe

File read: C:\Windows\win.ini

Jump to behavior

Source: C:\Users\user\Desktop\C2ADPhotosSetupEN.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\C2ADPhotosSetupEN.exe "C:\Users\user\Desktop\C2ADPhotosSetupEN.exe"
Source: unknown	Process created: C:\Windows\System32\msiexec.exe C:\Windows\system32\msiexec.exe /V
Source: C:\Windows\System32\msiexec.exe	Process created: C:\Windows\SysWOW64\msiexec.exe C:\Windows\syswow64\MsiExec.exe -Embedding D9E5602CD0D1E59BA79DE8DE2B3D0A62 C
Source: C:\Windows\System32\msiexec.exe	Process created: C:\Windows\SysWOW64\msiexec.exe C:\Windows\syswow64\MsiExec.exe -Embedding 3336940CC5EF5A00D0ECD9674475EFA1
Source: C:\Windows\System32\msiexec.exe	Process created: C:\Program Files\CodeTwo\CodeTwo Active Directory Photos\CodeTwo Active Directory Photos.exe "C:\Program Files\CodeTwo\CodeTwo Active Directory Photos\CodeTwo Active Directory Photos.exe"
Source: C:\Windows\System32\msiexec.exe	Process created: C:\Windows\SysWOW64\msiexec.exe C:\Windows\syswow64\MsiExec.exe -Embedding D9E5602CD0D1E59BA79DE8DE2B3D0A62 C	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process created: C:\Windows\SysWOW64\msiexec.exe C:\Windows\syswow64\MsiExec.exe -Embedding 3336940CC5EF5A00D0ECD9674475EFA1	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process created: C:\Program Files\CodeTwo\CodeTwo Active Directory Photos\CodeTwo Active Directory Photos.exe "C:\Program Files\CodeTwo\CodeTwo Active Directory Photos\CodeTwo Active Directory Photos.exe"	Jump to behavior

Source: C:\Users\user\Desktop\C2ADPhotosSetupEN.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\C2ADPhotosSetupEN.exe	Section loaded: msimg32.dll	Jump to behavior
Source: C:\Users\user\Desktop\C2ADPhotosSetupEN.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\C2ADPhotosSetupEN.exe	Section loaded: oledlg.dll	Jump to behavior
Source: C:\Users\user\Desktop\C2ADPhotosSetupEN.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\Desktop\C2ADPhotosSetupEN.exe	Section loaded: msi.dll	Jump to behavior
Source: C:\Users\user\Desktop\C2ADPhotosSetupEN.exe	Section loaded: oleacc.dll	Jump to behavior
Source: C:\Users\user\Desktop\C2ADPhotosSetupEN.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\C2ADPhotosSetupEN.exe	Section loaded: shfolder.dll	Jump to behavior
Source: C:\Users\user\Desktop\C2ADPhotosSetupEN.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\C2ADPhotosSetupEN.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\C2ADPhotosSetupEN.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\C2ADPhotosSetupEN.exe	Section loaded: srpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\C2ADPhotosSetupEN.exe	Section loaded: tsappcmp.dll	Jump to behavior
Source: C:\Users\user\Desktop\C2ADPhotosSetupEN.exe	Section loaded: textinputframework.dll	Jump to behavior
Source: C:\Users\user\Desktop\C2ADPhotosSetupEN.exe	Section loaded: coreuicomponents.dll	Jump to behavior
Source: C:\Users\user\Desktop\C2ADPhotosSetupEN.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Users\user\Desktop\C2ADPhotosSetupEN.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Users\user\Desktop\C2ADPhotosSetupEN.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\C2ADPhotosSetupEN.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\C2ADPhotosSetupEN.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\C2ADPhotosSetupEN.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\Desktop\C2ADPhotosSetupEN.exe	Section loaded: textshaping.dll	Jump to behavior
Source: C:\Users\user\Desktop\C2ADPhotosSetupEN.exe	Section loaded: netapi32.dll	Jump to behavior
Source: C:\Users\user\Desktop\C2ADPhotosSetupEN.exe	Section loaded: wkscli.dll	Jump to behavior
Source: C:\Users\user\Desktop\C2ADPhotosSetupEN.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\C2ADPhotosSetupEN.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\C2ADPhotosSetupEN.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\Desktop\C2ADPhotosSetupEN.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\C2ADPhotosSetupEN.exe	Section loaded: msihnd.dll	Jump to behavior
Source: C:\Users\user\Desktop\C2ADPhotosSetupEN.exe	Section loaded: dwmapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\C2ADPhotosSetupEN.exe	Section loaded: pcacli.dll	Jump to behavior
Source: C:\Users\user\Desktop\C2ADPhotosSetupEN.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Users\user\Desktop\C2ADPhotosSetupEN.exe	Section loaded: windowscodecs.dll	Jump to behavior
Source: C:\Users\user\Desktop\C2ADPhotosSetupEN.exe	Section loaded: riched20.dll	Jump to behavior
Source: C:\Users\user\Desktop\C2ADPhotosSetupEN.exe	Section loaded: usp10.dll	Jump to behavior
Source: C:\Users\user\Desktop\C2ADPhotosSetupEN.exe	Section loaded: msls31.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: aclayers.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: sfc.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: sfc_os.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: msi.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: tsappcmp.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: netapi32.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: wkscli.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: srclient.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: spp.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: powrprof.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: vssapi.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: vsstrace.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: umpdc.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: rstrtmgr.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: pcacli.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: cabinet.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: linkinfo.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: ntshrui.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: cscapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: aclayers.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: sfc.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: sfc_os.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: msi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: aclayers.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: sfc.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: sfc_os.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: msi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: msimg32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: oledlg.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: oleacc.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Program Files\CodeTwo\CodeTwo Active Directory Photos\CodeTwo Active Directory Photos.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Program Files\CodeTwo\CodeTwo Active Directory Photos\CodeTwo Active Directory Photos.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Program Files\CodeTwo\CodeTwo Active Directory Photos\CodeTwo Active Directory Photos.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Program Files\CodeTwo\CodeTwo Active Directory Photos\CodeTwo Active Directory Photos.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Program Files\CodeTwo\CodeTwo Active Directory Photos\CodeTwo Active Directory Photos.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Program Files\CodeTwo\CodeTwo Active Directory Photos\CodeTwo Active Directory Photos.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Program Files\CodeTwo\CodeTwo Active Directory Photos\CodeTwo Active Directory Photos.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Program Files\CodeTwo\CodeTwo Active Directory Photos\CodeTwo Active Directory Photos.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Program Files\CodeTwo\CodeTwo Active Directory Photos\CodeTwo Active Directory Photos.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Program Files\CodeTwo\CodeTwo Active Directory Photos\CodeTwo Active Directory Photos.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Program Files\CodeTwo\CodeTwo Active Directory Photos\CodeTwo Active Directory Photos.exe	Section loaded: dwrite.dll	Jump to behavior
Source: C:\Program Files\CodeTwo\CodeTwo Active Directory Photos\CodeTwo Active Directory Photos.exe	Section loaded: msvcp140_clr0400.dll	Jump to behavior
Source: C:\Program Files\CodeTwo\CodeTwo Active Directory Photos\CodeTwo Active Directory Photos.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Program Files\CodeTwo\CodeTwo Active Directory Photos\CodeTwo Active Directory Photos.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Program Files\CodeTwo\CodeTwo Active Directory Photos\CodeTwo Active Directory Photos.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Program Files\CodeTwo\CodeTwo Active Directory Photos\CodeTwo Active Directory Photos.exe	Section loaded: windowscodecs.dll	Jump to behavior
Source: C:\Program Files\CodeTwo\CodeTwo Active Directory Photos\CodeTwo Active Directory Photos.exe	Section loaded: textshaping.dll	Jump to behavior
Source: C:\Program Files\CodeTwo\CodeTwo Active Directory Photos\CodeTwo Active Directory Photos.exe	Section loaded: textinputframework.dll	Jump to behavior
Source: C:\Program Files\CodeTwo\CodeTwo Active Directory Photos\CodeTwo Active Directory Photos.exe	Section loaded: coreuicomponents.dll	Jump to behavior
Source: C:\Program Files\CodeTwo\CodeTwo Active Directory Photos\CodeTwo Active Directory Photos.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Program Files\CodeTwo\CodeTwo Active Directory Photos\CodeTwo Active Directory Photos.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Program Files\CodeTwo\CodeTwo Active Directory Photos\CodeTwo Active Directory Photos.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Program Files\CodeTwo\CodeTwo Active Directory Photos\CodeTwo Active Directory Photos.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Program Files\CodeTwo\CodeTwo Active Directory Photos\CodeTwo Active Directory Photos.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Program Files\CodeTwo\CodeTwo Active Directory Photos\CodeTwo Active Directory Photos.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Program Files\CodeTwo\CodeTwo Active Directory Photos\CodeTwo Active Directory Photos.exe	Section loaded: dwmapi.dll	Jump to behavior
Source: C:\Program Files\CodeTwo\CodeTwo Active Directory Photos\CodeTwo Active Directory Photos.exe	Section loaded: d3d9.dll	Jump to behavior
Source: C:\Program Files\CodeTwo\CodeTwo Active Directory Photos\CodeTwo Active Directory Photos.exe	Section loaded: d3d10warp.dll	Jump to behavior
Source: C:\Program Files\CodeTwo\CodeTwo Active Directory Photos\CodeTwo Active Directory Photos.exe	Section loaded: wtsapi32.dll	Jump to behavior
Source: C:\Program Files\CodeTwo\CodeTwo Active Directory Photos\CodeTwo Active Directory Photos.exe	Section loaded: winsta.dll	Jump to behavior
Source: C:\Program Files\CodeTwo\CodeTwo Active Directory Photos\CodeTwo Active Directory Photos.exe	Section loaded: powrprof.dll	Jump to behavior
Source: C:\Program Files\CodeTwo\CodeTwo Active Directory Photos\CodeTwo Active Directory Photos.exe	Section loaded: umpdc.dll	Jump to behavior
Source: C:\Program Files\CodeTwo\CodeTwo Active Directory Photos\CodeTwo Active Directory Photos.exe	Section loaded: dataexchange.dll	Jump to behavior
Source: C:\Program Files\CodeTwo\CodeTwo Active Directory Photos\CodeTwo Active Directory Photos.exe	Section loaded: d3d11.dll	Jump to behavior
Source: C:\Program Files\CodeTwo\CodeTwo Active Directory Photos\CodeTwo Active Directory Photos.exe	Section loaded: dcomp.dll	Jump to behavior
Source: C:\Program Files\CodeTwo\CodeTwo Active Directory Photos\CodeTwo Active Directory Photos.exe	Section loaded: dxgi.dll	Jump to behavior
Source: C:\Program Files\CodeTwo\CodeTwo Active Directory Photos\CodeTwo Active Directory Photos.exe	Section loaded: twinapi.appcore.dll	Jump to behavior
Source: C:\Program Files\CodeTwo\CodeTwo Active Directory Photos\CodeTwo Active Directory Photos.exe	Section loaded: ntdsapi.dll	Jump to behavior
Source: C:\Program Files\CodeTwo\CodeTwo Active Directory Photos\CodeTwo Active Directory Photos.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Program Files\CodeTwo\CodeTwo Active Directory Photos\CodeTwo Active Directory Photos.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Program Files\CodeTwo\CodeTwo Active Directory Photos\CodeTwo Active Directory Photos.exe	Section loaded: netapi32.dll	Jump to behavior
Source: C:\Program Files\CodeTwo\CodeTwo Active Directory Photos\CodeTwo Active Directory Photos.exe	Section loaded: logoncli.dll	Jump to behavior
Source: C:\Program Files\CodeTwo\CodeTwo Active Directory Photos\CodeTwo Active Directory Photos.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Program Files\CodeTwo\CodeTwo Active Directory Photos\CodeTwo Active Directory Photos.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Program Files\CodeTwo\CodeTwo Active Directory Photos\CodeTwo Active Directory Photos.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Program Files\CodeTwo\CodeTwo Active Directory Photos\CodeTwo Active Directory Photos.exe	Section loaded: resourcepolicyclient.dll	Jump to behavior
Source: C:\Program Files\CodeTwo\CodeTwo Active Directory Photos\CodeTwo Active Directory Photos.exe	Section loaded: dxcore.dll	Jump to behavior
Source: C:\Program Files\CodeTwo\CodeTwo Active Directory Photos\CodeTwo Active Directory Photos.exe	Section loaded: d3dcompiler_47.dll	Jump to behavior

Source: C:\Users\user\Desktop\C2ADPhotosSetupEN.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{000C1090-0000-0000-C000-000000000046}\InprocServer32

Jump to behavior

Found GUI installer (many successful clicks)

Source: C:\Users\user\Desktop\C2ADPhotosSetupEN.exe	Automated click: Next
Source: C:\Users\user\Desktop\C2ADPhotosSetupEN.exe	Automated click: I accept the terms in the License Agreement
Source: C:\Users\user\Desktop\C2ADPhotosSetupEN.exe	Automated click: Next
Source: C:\Users\user\Desktop\C2ADPhotosSetupEN.exe	Automated click: Next
Source: C:\Users\user\Desktop\C2ADPhotosSetupEN.exe	Automated click: Install
Source: C:\Program Files\CodeTwo\CodeTwo Active Directory Photos\CodeTwo Active Directory Photos.exe	Automated click: OK

Found graphical window changes (likely an installer)

Source: Window Recorder

Window detected: More than 3 window changes detected

Uses Microsoft Silverlight

Source: C:\Program Files\CodeTwo\CodeTwo Active Directory Photos\CodeTwo Active Directory Photos.exe

File opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dll

Jump to behavior

Creates a directory in C:\Program Files

Source: C:\Windows\System32\msiexec.exe	Directory created: C:\Program Files\CodeTwo	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Directory created: C:\Program Files\CodeTwo\CodeTwo Active Directory Photos	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Directory created: C:\Program Files\CodeTwo\CodeTwo Active Directory Photos\C2.Common.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Directory created: C:\Program Files\CodeTwo\CodeTwo Active Directory Photos\ER.Shared.Common.2.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Directory created: C:\Program Files\CodeTwo\CodeTwo Active Directory Photos\C2WinUI.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Directory created: C:\Program Files\CodeTwo\CodeTwo Active Directory Photos\TXTextControl.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Directory created: C:\Program Files\CodeTwo\CodeTwo Active Directory Photos\tx151rtf.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Directory created: C:\Program Files\CodeTwo\CodeTwo Active Directory Photos\tx151.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Directory created: C:\Program Files\CodeTwo\CodeTwo Active Directory Photos\tx151tls.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Directory created: C:\Program Files\CodeTwo\CodeTwo Active Directory Photos\C2ADPhotos.AD.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Directory created: C:\Program Files\CodeTwo\CodeTwo Active Directory Photos\C2ADPhotos.Common.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Directory created: C:\Program Files\CodeTwo\CodeTwo Active Directory Photos\C2ADPhotos.Controls.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Directory created: C:\Program Files\CodeTwo\CodeTwo Active Directory Photos\Data	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Directory created: C:\Program Files\CodeTwo\CodeTwo Active Directory Photos\Data\HomePage.url	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Directory created: C:\Program Files\CodeTwo\CodeTwo Active Directory Photos\CodeTwo Active Directory Photos.exe	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Directory created: C:\Program Files\CodeTwo\CodeTwo Active Directory Photos\CodeTwo Active Directory Photos.exe.config	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Directory created: C:\Program Files\CodeTwo\CodeTwo Active Directory Photos\Data\User's manual.url	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Directory created: C:\Program Files\CodeTwo\CodeTwo Active Directory Photos\C2Wpf.Common.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Directory created: C:\Program Files\CodeTwo\CodeTwo Active Directory Photos\C2Wpf.Controls.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Directory created: C:\Program Files\CodeTwo\CodeTwo Active Directory Photos\ER.Shared.MessageComposition.Lib.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Directory created: C:\Program Files\CodeTwo\CodeTwo Active Directory Photos\ER.Shared.Placeholders.2.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Directory created: C:\Program Files\CodeTwo\CodeTwo Active Directory Photos\ER.Shared.RulesProcessor.2.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Directory created: C:\Program Files\CodeTwo\CodeTwo Active Directory Photos\ER.Shared.Settings.2.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Directory created: C:\Program Files\CodeTwo\CodeTwo Active Directory Photos\ER.Shared.Html.2.dll	Jump to behavior

Creates a software uninstall entry

Source: C:\Windows\System32\msiexec.exe

Registry value created: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{A5C74DC7-9616-4A5E-846D-F56E256CF46F}

Jump to behavior

PE / OLE file has a valid certificate

Source: C2ADPhotosSetupEN.exe

Static PE information: certificate valid

PE file has a big code size

Source: C2ADPhotosSetupEN.exe

Static PE information: Virtual size of .text is bigger than: 0x100000

Submission file is bigger than most known malware samples

Source: C2ADPhotosSetupEN.exe

Static file information: File size 19423456 > 1048576

PE file has a big raw section

Source: C2ADPhotosSetupEN.exe	Static PE information: Raw size of .text is bigger than: 0x100000 < 0x172a00
Source: C2ADPhotosSetupEN.exe	Static PE information: Raw size of .rsrc is bigger than: 0x100000 < 0x1083600

PE file imports many functions

Source: C2ADPhotosSetupEN.exe

Static PE information: More than 200 imports for USER32.dll

PE file contains a mix of data directories often seen in goodware

Source: C2ADPhotosSetupEN.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: C2ADPhotosSetupEN.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: C2ADPhotosSetupEN.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: C2ADPhotosSetupEN.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: C2ADPhotosSetupEN.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: C2ADPhotosSetupEN.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT

Contains modern PE file flags such as dynamic base (ASLR) or NX

Source: C2ADPhotosSetupEN.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE

PE file contains a debug data directory

Source: C2ADPhotosSetupEN.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Binary contains paths to debug symbols

Source:	Binary string: C:\build\work\eca3d12b\wix3\build\ship\x86\uica.pdb source: C2ADPhotosSetupEN.exe, 431a48.msi.2.dr, 431a4a.msi.2.dr
Source:	Binary string: D:\A2\_work\115\s\Output\Obfuscated\C2ADPhotos.AD.pdbp source: CodeTwo Active Directory Photos.exe, 00000006.00000002.2460177474.000000001B56B000.00000002.00000001.01000000.00000017.sdmp
Source:	Binary string: F:\B\A11\_work\10\s\Main\C2Common\Modules\C2Wpf.Common\obj\ReleaseNET45\C2Wpf.Common.pdb source: CodeTwo Active Directory Photos.exe, 00000006.00000002.2454586241.00000000027F2000.00000002.00000001.01000000.00000013.sdmp
Source:	Binary string: F:\B\A11\_work\10\s\Output\C2ERBase2\Any CPU\ReleaseNET45\ER.Shared.Common.2.pdb source: CodeTwo Active Directory Photos.exe, 00000006.00000002.2463304418.000000001BED2000.00000002.00000001.01000000.00000019.sdmp
Source:	Binary string: F:\B\A11\_work\10\s\Main\C2ERBase2\Modules\ER.Shared.Settings\obj\ReleaseNET45\ER.Shared.Settings.2.pdb source: CodeTwo Active Directory Photos.exe, 00000006.00000002.2466378356.000000001D022000.00000002.00000001.01000000.0000001C.sdmp
Source:	Binary string: F:\B\A11\_work\10\s\Main\C2ERBase2\Modules\ER.Shared.Placeholders\obj\ReleaseNET45\ER.Shared.Placeholders.2.pdb source: CodeTwo Active Directory Photos.exe, 00000006.00000002.2466305357.000000001CFF2000.00000002.00000001.01000000.0000001B.sdmp, ER.Shared.Placeholders.2.dll.2.dr
Source:	Binary string: F:\B\A11\_work\10\s\Output\C2ERBase2\Any CPU\ReleaseNET45\C2.Common.pdb source: CodeTwo Active Directory Photos.exe, 00000006.00000002.2454719140.0000000002822000.00000002.00000001.01000000.00000015.sdmp
Source:	Binary string: F:\B\A11\_work\10\s\Main\C2Common\Modules\C2Wpf.Controls\obj\ReleaseNET45\C2Wpf.Controls.pdb source: CodeTwo Active Directory Photos.exe, 00000006.00000002.2463413177.000000001CF22000.00000002.00000001.01000000.0000001A.sdmp, C2Wpf.Controls.dll.2.dr
Source:	Binary string: F:\B\A11\_work\10\s\Main\C2ERBase2\Modules\ER.Shared.Placeholders\obj\ReleaseNET45\ER.Shared.Placeholders.2.pdb0~J~ <~_CorDllMainmscoree.dll source: CodeTwo Active Directory Photos.exe, 00000006.00000002.2466305357.000000001CFF2000.00000002.00000001.01000000.0000001B.sdmp, ER.Shared.Placeholders.2.dll.2.dr
Source:	Binary string: F:\B\A11\_work\10\s\Output\C2ERBase2\Any CPU\ReleaseNET45\ER.Shared.MessageComposition.Lib.pdb source: ER.Shared.MessageComposition.Lib.dll.2.dr
Source:	Binary string: F:\B\A11\_work\10\s\Output\C2ERBase2\Any CPU\ReleaseNET45\C2.Common.pdbsr source: CodeTwo Active Directory Photos.exe, 00000006.00000002.2454719140.0000000002822000.00000002.00000001.01000000.00000015.sdmp
Source:	Binary string: E:\B\A5\_work\57\s\Output\C2Native\Win32\ReleaseStatic\C2CustomActions.pdb source: C2ADPhotosSetupEN.exe, 431a48.msi.2.dr, 431a4a.msi.2.dr
Source:	Binary string: os.pdb source: CodeTwo Active Directory Photos.exe, 00000006.00000002.2459211679.000000001B3BA000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: F:\B\A11\_work\10\s\Output\C2ERBase2\Any CPU\ReleaseNET45\C2WinUI.pdb source: CodeTwo Active Directory Photos.exe, 00000006.00000002.2459946087.000000001B4C2000.00000002.00000001.01000000.00000016.sdmp
Source:	Binary string: F:\B\A11\_work\10\s\Output\C2ERBase2\Any CPU\ReleaseNET45\ER.Shared.Common.2.pdb' source: CodeTwo Active Directory Photos.exe, 00000006.00000002.2463304418.000000001BED2000.00000002.00000001.01000000.00000019.sdmp
Source:	Binary string: D:\A2\_work\115\s\Output\Obfuscated\CodeTwo Active Directory Photos.pdb source: CodeTwo Active Directory Photos.exe, 00000006.00000000.2345167044.0000000000587000.00000002.00000001.01000000.00000009.sdmp
Source:	Binary string: D:\dd\fx\NetFXDev1\binaries\x86ret\bin\i386\VSSetup\Utils\boxstub.pdb source: C2ADPhotosSetupEN.exe
Source:	Binary string: D:\A2\_work\115\s\Output\Obfuscated\C2ADPhotos.AD.pdb source: CodeTwo Active Directory Photos.exe, 00000006.00000002.2460177474.000000001B56B000.00000002.00000001.01000000.00000017.sdmp

PE file contains a valid data directory to section mapping

Source: C2ADPhotosSetupEN.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: C2ADPhotosSetupEN.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: C2ADPhotosSetupEN.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: C2ADPhotosSetupEN.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: C2ADPhotosSetupEN.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata

Data Obfuscation

PE file contains an invalid checksum

Source: MSI9BE.tmp.0.dr	Static PE information: real checksum: 0x0 should be: 0x23a3e
Source: tx151.dll.2.dr	Static PE information: real checksum: 0x104664 should be: 0x109ec8

PE file contains sections with non-standard names

Source: C2ADPhotosSetupEN.exe

Static PE information: section name: .giats

Uses code obfuscation techniques (call, push, ret)

Source: C:\Program Files\CodeTwo\CodeTwo Active Directory Photos\CodeTwo Active Directory Photos.exe

Code function: 6_2_00007FF8484AD2A5 pushad ; iretd

6_2_00007FF8484AD2A6

Source: C2WinUI.dll.2.dr	Static PE information: section name: .text entropy: 7.150995223307985
Source: C2ADPhotos.Controls.dll.2.dr	Static PE information: section name: .text entropy: 7.424336172850023

Persistence and Installation Behavior

Drops PE files

Source: C:\Windows\System32\msiexec.exe	File created: C:\Program Files\CodeTwo\CodeTwo Active Directory Photos\C2Wpf.Controls.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Program Files\CodeTwo\CodeTwo Active Directory Photos\C2ADPhotos.Controls.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSI1E11.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Program Files\CodeTwo\CodeTwo Active Directory Photos\C2ADPhotos.AD.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Program Files\CodeTwo\CodeTwo Active Directory Photos\TXTextControl.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Program Files\CodeTwo\CodeTwo Active Directory Photos\ER.Shared.Html.2.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Program Files\CodeTwo\CodeTwo Active Directory Photos\tx151.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Program Files\CodeTwo\CodeTwo Active Directory Photos\C2Wpf.Common.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Program Files\CodeTwo\CodeTwo Active Directory Photos\tx151tls.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Program Files\CodeTwo\CodeTwo Active Directory Photos\ER.Shared.Settings.2.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Program Files\CodeTwo\CodeTwo Active Directory Photos\ER.Shared.Common.2.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Program Files\CodeTwo\CodeTwo Active Directory Photos\ER.Shared.RulesProcessor.2.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Program Files\CodeTwo\CodeTwo Active Directory Photos\C2ADPhotos.Common.dll	Jump to dropped file
Source: C:\Users\user\Desktop\C2ADPhotosSetupEN.exe	File created: C:\Users\user\AppData\Local\Temp\MSI9BE.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Program Files\CodeTwo\CodeTwo Active Directory Photos\tx151rtf.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Program Files\CodeTwo\CodeTwo Active Directory Photos\ER.Shared.Placeholders.2.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Program Files\CodeTwo\CodeTwo Active Directory Photos\C2.Common.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Program Files\CodeTwo\CodeTwo Active Directory Photos\C2WinUI.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Program Files\CodeTwo\CodeTwo Active Directory Photos\CodeTwo Active Directory Photos.exe	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Program Files\CodeTwo\CodeTwo Active Directory Photos\ER.Shared.MessageComposition.Lib.dll	Jump to dropped file

Drops PE files to the windows directory (C:\Windows)

Source: C:\Windows\System32\msiexec.exe

File created: C:\Windows\Installer\MSI1E11.tmp

Jump to dropped file

Boot Survival

Stores files to the Windows start menu directory

Source: C:\Windows\System32\msiexec.exe	File created: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\CodeTwo	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File created: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\CodeTwo\CodeTwo Active Directory Photos	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File created: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\CodeTwo\CodeTwo Active Directory Photos\Go to program home page.lnk	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File created: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\CodeTwo\CodeTwo Active Directory Photos\User's manual.lnk	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File created: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\CodeTwo\CodeTwo Active Directory Photos\CodeTwo Active Directory Photos.lnk	Jump to behavior

Hooking and other Techniques for Hiding and Protection

Source: C:\Users\user\Desktop\C2ADPhotosSetupEN.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\C2ADPhotosSetupEN.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\C2ADPhotosSetupEN.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\C2ADPhotosSetupEN.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\C2ADPhotosSetupEN.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\C2ADPhotosSetupEN.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\C2ADPhotosSetupEN.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\C2ADPhotosSetupEN.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\CodeTwo\CodeTwo Active Directory Photos\CodeTwo Active Directory Photos.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Program Files\CodeTwo\CodeTwo Active Directory Photos\CodeTwo Active Directory Photos.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Program Files\CodeTwo\CodeTwo Active Directory Photos\CodeTwo Active Directory Photos.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Program Files\CodeTwo\CodeTwo Active Directory Photos\CodeTwo Active Directory Photos.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\CodeTwo\CodeTwo Active Directory Photos\CodeTwo Active Directory Photos.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Program Files\CodeTwo\CodeTwo Active Directory Photos\CodeTwo Active Directory Photos.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\CodeTwo\CodeTwo Active Directory Photos\CodeTwo Active Directory Photos.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Program Files\CodeTwo\CodeTwo Active Directory Photos\CodeTwo Active Directory Photos.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\CodeTwo\CodeTwo Active Directory Photos\CodeTwo Active Directory Photos.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Program Files\CodeTwo\CodeTwo Active Directory Photos\CodeTwo Active Directory Photos.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\CodeTwo\CodeTwo Active Directory Photos\CodeTwo Active Directory Photos.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Program Files\CodeTwo\CodeTwo Active Directory Photos\CodeTwo Active Directory Photos.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\CodeTwo\CodeTwo Active Directory Photos\CodeTwo Active Directory Photos.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Program Files\CodeTwo\CodeTwo Active Directory Photos\CodeTwo Active Directory Photos.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\CodeTwo\CodeTwo Active Directory Photos\CodeTwo Active Directory Photos.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Program Files\CodeTwo\CodeTwo Active Directory Photos\CodeTwo Active Directory Photos.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\CodeTwo\CodeTwo Active Directory Photos\CodeTwo Active Directory Photos.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Program Files\CodeTwo\CodeTwo Active Directory Photos\CodeTwo Active Directory Photos.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\CodeTwo\CodeTwo Active Directory Photos\CodeTwo Active Directory Photos.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Program Files\CodeTwo\CodeTwo Active Directory Photos\CodeTwo Active Directory Photos.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\CodeTwo\CodeTwo Active Directory Photos\CodeTwo Active Directory Photos.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Program Files\CodeTwo\CodeTwo Active Directory Photos\CodeTwo Active Directory Photos.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\CodeTwo\CodeTwo Active Directory Photos\CodeTwo Active Directory Photos.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\CodeTwo\CodeTwo Active Directory Photos\CodeTwo Active Directory Photos.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Program Files\CodeTwo\CodeTwo Active Directory Photos\CodeTwo Active Directory Photos.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\CodeTwo\CodeTwo Active Directory Photos\CodeTwo Active Directory Photos.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Program Files\CodeTwo\CodeTwo Active Directory Photos\CodeTwo Active Directory Photos.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\CodeTwo\CodeTwo Active Directory Photos\CodeTwo Active Directory Photos.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Program Files\CodeTwo\CodeTwo Active Directory Photos\CodeTwo Active Directory Photos.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\CodeTwo\CodeTwo Active Directory Photos\CodeTwo Active Directory Photos.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Program Files\CodeTwo\CodeTwo Active Directory Photos\CodeTwo Active Directory Photos.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\CodeTwo\CodeTwo Active Directory Photos\CodeTwo Active Directory Photos.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Program Files\CodeTwo\CodeTwo Active Directory Photos\CodeTwo Active Directory Photos.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\CodeTwo\CodeTwo Active Directory Photos\CodeTwo Active Directory Photos.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Program Files\CodeTwo\CodeTwo Active Directory Photos\CodeTwo Active Directory Photos.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\CodeTwo\CodeTwo Active Directory Photos\CodeTwo Active Directory Photos.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Program Files\CodeTwo\CodeTwo Active Directory Photos\CodeTwo Active Directory Photos.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\CodeTwo\CodeTwo Active Directory Photos\CodeTwo Active Directory Photos.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\CodeTwo\CodeTwo Active Directory Photos\CodeTwo Active Directory Photos.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Program Files\CodeTwo\CodeTwo Active Directory Photos\CodeTwo Active Directory Photos.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\CodeTwo\CodeTwo Active Directory Photos\CodeTwo Active Directory Photos.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Program Files\CodeTwo\CodeTwo Active Directory Photos\CodeTwo Active Directory Photos.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\CodeTwo\CodeTwo Active Directory Photos\CodeTwo Active Directory Photos.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\CodeTwo\CodeTwo Active Directory Photos\CodeTwo Active Directory Photos.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Program Files\CodeTwo\CodeTwo Active Directory Photos\CodeTwo Active Directory Photos.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\CodeTwo\CodeTwo Active Directory Photos\CodeTwo Active Directory Photos.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Program Files\CodeTwo\CodeTwo Active Directory Photos\CodeTwo Active Directory Photos.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\CodeTwo\CodeTwo Active Directory Photos\CodeTwo Active Directory Photos.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Program Files\CodeTwo\CodeTwo Active Directory Photos\CodeTwo Active Directory Photos.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\CodeTwo\CodeTwo Active Directory Photos\CodeTwo Active Directory Photos.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Program Files\CodeTwo\CodeTwo Active Directory Photos\CodeTwo Active Directory Photos.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\CodeTwo\CodeTwo Active Directory Photos\CodeTwo Active Directory Photos.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Program Files\CodeTwo\CodeTwo Active Directory Photos\CodeTwo Active Directory Photos.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\CodeTwo\CodeTwo Active Directory Photos\CodeTwo Active Directory Photos.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Program Files\CodeTwo\CodeTwo Active Directory Photos\CodeTwo Active Directory Photos.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\CodeTwo\CodeTwo Active Directory Photos\CodeTwo Active Directory Photos.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Program Files\CodeTwo\CodeTwo Active Directory Photos\CodeTwo Active Directory Photos.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\CodeTwo\CodeTwo Active Directory Photos\CodeTwo Active Directory Photos.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Program Files\CodeTwo\CodeTwo Active Directory Photos\CodeTwo Active Directory Photos.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\CodeTwo\CodeTwo Active Directory Photos\CodeTwo Active Directory Photos.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Program Files\CodeTwo\CodeTwo Active Directory Photos\CodeTwo Active Directory Photos.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\CodeTwo\CodeTwo Active Directory Photos\CodeTwo Active Directory Photos.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\CodeTwo\CodeTwo Active Directory Photos\CodeTwo Active Directory Photos.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Program Files\CodeTwo\CodeTwo Active Directory Photos\CodeTwo Active Directory Photos.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\CodeTwo\CodeTwo Active Directory Photos\CodeTwo Active Directory Photos.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Program Files\CodeTwo\CodeTwo Active Directory Photos\CodeTwo Active Directory Photos.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\CodeTwo\CodeTwo Active Directory Photos\CodeTwo Active Directory Photos.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\CodeTwo\CodeTwo Active Directory Photos\CodeTwo Active Directory Photos.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Program Files\CodeTwo\CodeTwo Active Directory Photos\CodeTwo Active Directory Photos.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\CodeTwo\CodeTwo Active Directory Photos\CodeTwo Active Directory Photos.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Program Files\CodeTwo\CodeTwo Active Directory Photos\CodeTwo Active Directory Photos.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\CodeTwo\CodeTwo Active Directory Photos\CodeTwo Active Directory Photos.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\CodeTwo\CodeTwo Active Directory Photos\CodeTwo Active Directory Photos.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Program Files\CodeTwo\CodeTwo Active Directory Photos\CodeTwo Active Directory Photos.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\CodeTwo\CodeTwo Active Directory Photos\CodeTwo Active Directory Photos.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Program Files\CodeTwo\CodeTwo Active Directory Photos\CodeTwo Active Directory Photos.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\CodeTwo\CodeTwo Active Directory Photos\CodeTwo Active Directory Photos.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Program Files\CodeTwo\CodeTwo Active Directory Photos\CodeTwo Active Directory Photos.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\CodeTwo\CodeTwo Active Directory Photos\CodeTwo Active Directory Photos.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Program Files\CodeTwo\CodeTwo Active Directory Photos\CodeTwo Active Directory Photos.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\CodeTwo\CodeTwo Active Directory Photos\CodeTwo Active Directory Photos.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Program Files\CodeTwo\CodeTwo Active Directory Photos\CodeTwo Active Directory Photos.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\CodeTwo\CodeTwo Active Directory Photos\CodeTwo Active Directory Photos.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Program Files\CodeTwo\CodeTwo Active Directory Photos\CodeTwo Active Directory Photos.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\CodeTwo\CodeTwo Active Directory Photos\CodeTwo Active Directory Photos.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\CodeTwo\CodeTwo Active Directory Photos\CodeTwo Active Directory Photos.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Program Files\CodeTwo\CodeTwo Active Directory Photos\CodeTwo Active Directory Photos.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\CodeTwo\CodeTwo Active Directory Photos\CodeTwo Active Directory Photos.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Program Files\CodeTwo\CodeTwo Active Directory Photos\CodeTwo Active Directory Photos.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\CodeTwo\CodeTwo Active Directory Photos\CodeTwo Active Directory Photos.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Program Files\CodeTwo\CodeTwo Active Directory Photos\CodeTwo Active Directory Photos.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\CodeTwo\CodeTwo Active Directory Photos\CodeTwo Active Directory Photos.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Program Files\CodeTwo\CodeTwo Active Directory Photos\CodeTwo Active Directory Photos.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\CodeTwo\CodeTwo Active Directory Photos\CodeTwo Active Directory Photos.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Program Files\CodeTwo\CodeTwo Active Directory Photos\CodeTwo Active Directory Photos.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\CodeTwo\CodeTwo Active Directory Photos\CodeTwo Active Directory Photos.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Program Files\CodeTwo\CodeTwo Active Directory Photos\CodeTwo Active Directory Photos.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\CodeTwo\CodeTwo Active Directory Photos\CodeTwo Active Directory Photos.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\CodeTwo\CodeTwo Active Directory Photos\CodeTwo Active Directory Photos.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Program Files\CodeTwo\CodeTwo Active Directory Photos\CodeTwo Active Directory Photos.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\CodeTwo\CodeTwo Active Directory Photos\CodeTwo Active Directory Photos.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Program Files\CodeTwo\CodeTwo Active Directory Photos\CodeTwo Active Directory Photos.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\CodeTwo\CodeTwo Active Directory Photos\CodeTwo Active Directory Photos.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\CodeTwo\CodeTwo Active Directory Photos\CodeTwo Active Directory Photos.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Program Files\CodeTwo\CodeTwo Active Directory Photos\CodeTwo Active Directory Photos.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\CodeTwo\CodeTwo Active Directory Photos\CodeTwo Active Directory Photos.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\CodeTwo\CodeTwo Active Directory Photos\CodeTwo Active Directory Photos.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Program Files\CodeTwo\CodeTwo Active Directory Photos\CodeTwo Active Directory Photos.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\CodeTwo\CodeTwo Active Directory Photos\CodeTwo Active Directory Photos.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\CodeTwo\CodeTwo Active Directory Photos\CodeTwo Active Directory Photos.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Program Files\CodeTwo\CodeTwo Active Directory Photos\CodeTwo Active Directory Photos.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\CodeTwo\CodeTwo Active Directory Photos\CodeTwo Active Directory Photos.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\CodeTwo\CodeTwo Active Directory Photos\CodeTwo Active Directory Photos.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Program Files\CodeTwo\CodeTwo Active Directory Photos\CodeTwo Active Directory Photos.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\CodeTwo\CodeTwo Active Directory Photos\CodeTwo Active Directory Photos.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Program Files\CodeTwo\CodeTwo Active Directory Photos\CodeTwo Active Directory Photos.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\CodeTwo\CodeTwo Active Directory Photos\CodeTwo Active Directory Photos.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Program Files\CodeTwo\CodeTwo Active Directory Photos\CodeTwo Active Directory Photos.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\CodeTwo\CodeTwo Active Directory Photos\CodeTwo Active Directory Photos.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Program Files\CodeTwo\CodeTwo Active Directory Photos\CodeTwo Active Directory Photos.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Program Files\CodeTwo\CodeTwo Active Directory Photos\CodeTwo Active Directory Photos.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Program Files\CodeTwo\CodeTwo Active Directory Photos\CodeTwo Active Directory Photos.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\CodeTwo\CodeTwo Active Directory Photos\CodeTwo Active Directory Photos.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Program Files\CodeTwo\CodeTwo Active Directory Photos\CodeTwo Active Directory Photos.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\CodeTwo\CodeTwo Active Directory Photos\CodeTwo Active Directory Photos.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Program Files\CodeTwo\CodeTwo Active Directory Photos\CodeTwo Active Directory Photos.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\CodeTwo\CodeTwo Active Directory Photos\CodeTwo Active Directory Photos.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Program Files\CodeTwo\CodeTwo Active Directory Photos\CodeTwo Active Directory Photos.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\CodeTwo\CodeTwo Active Directory Photos\CodeTwo Active Directory Photos.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Program Files\CodeTwo\CodeTwo Active Directory Photos\CodeTwo Active Directory Photos.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\CodeTwo\CodeTwo Active Directory Photos\CodeTwo Active Directory Photos.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Program Files\CodeTwo\CodeTwo Active Directory Photos\CodeTwo Active Directory Photos.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\CodeTwo\CodeTwo Active Directory Photos\CodeTwo Active Directory Photos.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\CodeTwo\CodeTwo Active Directory Photos\CodeTwo Active Directory Photos.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Program Files\CodeTwo\CodeTwo Active Directory Photos\CodeTwo Active Directory Photos.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\CodeTwo\CodeTwo Active Directory Photos\CodeTwo Active Directory Photos.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Program Files\CodeTwo\CodeTwo Active Directory Photos\CodeTwo Active Directory Photos.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\CodeTwo\CodeTwo Active Directory Photos\CodeTwo Active Directory Photos.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Program Files\CodeTwo\CodeTwo Active Directory Photos\CodeTwo Active Directory Photos.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\CodeTwo\CodeTwo Active Directory Photos\CodeTwo Active Directory Photos.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\CodeTwo\CodeTwo Active Directory Photos\CodeTwo Active Directory Photos.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Program Files\CodeTwo\CodeTwo Active Directory Photos\CodeTwo Active Directory Photos.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\CodeTwo\CodeTwo Active Directory Photos\CodeTwo Active Directory Photos.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\CodeTwo\CodeTwo Active Directory Photos\CodeTwo Active Directory Photos.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Program Files\CodeTwo\CodeTwo Active Directory Photos\CodeTwo Active Directory Photos.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\CodeTwo\CodeTwo Active Directory Photos\CodeTwo Active Directory Photos.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Program Files\CodeTwo\CodeTwo Active Directory Photos\CodeTwo Active Directory Photos.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\CodeTwo\CodeTwo Active Directory Photos\CodeTwo Active Directory Photos.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\CodeTwo\CodeTwo Active Directory Photos\CodeTwo Active Directory Photos.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Program Files\CodeTwo\CodeTwo Active Directory Photos\CodeTwo Active Directory Photos.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\CodeTwo\CodeTwo Active Directory Photos\CodeTwo Active Directory Photos.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Program Files\CodeTwo\CodeTwo Active Directory Photos\CodeTwo Active Directory Photos.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\CodeTwo\CodeTwo Active Directory Photos\CodeTwo Active Directory Photos.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Program Files\CodeTwo\CodeTwo Active Directory Photos\CodeTwo Active Directory Photos.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\CodeTwo\CodeTwo Active Directory Photos\CodeTwo Active Directory Photos.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Program Files\CodeTwo\CodeTwo Active Directory Photos\CodeTwo Active Directory Photos.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\CodeTwo\CodeTwo Active Directory Photos\CodeTwo Active Directory Photos.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Program Files\CodeTwo\CodeTwo Active Directory Photos\CodeTwo Active Directory Photos.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\CodeTwo\CodeTwo Active Directory Photos\CodeTwo Active Directory Photos.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Program Files\CodeTwo\CodeTwo Active Directory Photos\CodeTwo Active Directory Photos.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\CodeTwo\CodeTwo Active Directory Photos\CodeTwo Active Directory Photos.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Program Files\CodeTwo\CodeTwo Active Directory Photos\CodeTwo Active Directory Photos.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\CodeTwo\CodeTwo Active Directory Photos\CodeTwo Active Directory Photos.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Program Files\CodeTwo\CodeTwo Active Directory Photos\CodeTwo Active Directory Photos.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\CodeTwo\CodeTwo Active Directory Photos\CodeTwo Active Directory Photos.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Program Files\CodeTwo\CodeTwo Active Directory Photos\CodeTwo Active Directory Photos.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\CodeTwo\CodeTwo Active Directory Photos\CodeTwo Active Directory Photos.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Program Files\CodeTwo\CodeTwo Active Directory Photos\CodeTwo Active Directory Photos.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\CodeTwo\CodeTwo Active Directory Photos\CodeTwo Active Directory Photos.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Program Files\CodeTwo\CodeTwo Active Directory Photos\CodeTwo Active Directory Photos.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\CodeTwo\CodeTwo Active Directory Photos\CodeTwo Active Directory Photos.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Program Files\CodeTwo\CodeTwo Active Directory Photos\CodeTwo Active Directory Photos.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\CodeTwo\CodeTwo Active Directory Photos\CodeTwo Active Directory Photos.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Program Files\CodeTwo\CodeTwo Active Directory Photos\CodeTwo Active Directory Photos.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Program Files\CodeTwo\CodeTwo Active Directory Photos\CodeTwo Active Directory Photos.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\CodeTwo\CodeTwo Active Directory Photos\CodeTwo Active Directory Photos.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Program Files\CodeTwo\CodeTwo Active Directory Photos\CodeTwo Active Directory Photos.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Program Files\CodeTwo\CodeTwo Active Directory Photos\CodeTwo Active Directory Photos.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Program Files\CodeTwo\CodeTwo Active Directory Photos\CodeTwo Active Directory Photos.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\CodeTwo\CodeTwo Active Directory Photos\CodeTwo Active Directory Photos.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Program Files\CodeTwo\CodeTwo Active Directory Photos\CodeTwo Active Directory Photos.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\CodeTwo\CodeTwo Active Directory Photos\CodeTwo Active Directory Photos.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\CodeTwo\CodeTwo Active Directory Photos\CodeTwo Active Directory Photos.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior

Malware Analysis System Evasion

Allocates memory with a write watch (potentially for evading sandboxes)

Source: C:\Program Files\CodeTwo\CodeTwo Active Directory Photos\CodeTwo Active Directory Photos.exe	Memory allocated: DE0000 memory reserve \| memory write watch			Jump to behavior
Source: C:\Program Files\CodeTwo\CodeTwo Active Directory Photos\CodeTwo Active Directory Photos.exe	Memory allocated: 1A890000 memory reserve \| memory write watch			Jump to behavior

Contains long sleeps (>= 3 min)

Source: C:\Program Files\CodeTwo\CodeTwo Active Directory Photos\CodeTwo Active Directory Photos.exe	Thread delayed: delay time: 922337203685477			Jump to behavior
Source: C:\Program Files\CodeTwo\CodeTwo Active Directory Photos\CodeTwo Active Directory Photos.exe	Thread delayed: delay time: 922337203685477			Jump to behavior

Found dropped PE file which has not been started or loaded

Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Program Files\CodeTwo\CodeTwo Active Directory Photos\C2Wpf.Controls.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Windows\Installer\MSI1E11.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Program Files\CodeTwo\CodeTwo Active Directory Photos\C2ADPhotos.Controls.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Program Files\CodeTwo\CodeTwo Active Directory Photos\C2ADPhotos.AD.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Program Files\CodeTwo\CodeTwo Active Directory Photos\ER.Shared.Html.2.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Program Files\CodeTwo\CodeTwo Active Directory Photos\TXTextControl.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Program Files\CodeTwo\CodeTwo Active Directory Photos\tx151.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Program Files\CodeTwo\CodeTwo Active Directory Photos\C2Wpf.Common.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Program Files\CodeTwo\CodeTwo Active Directory Photos\tx151tls.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Program Files\CodeTwo\CodeTwo Active Directory Photos\ER.Shared.Settings.2.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Program Files\CodeTwo\CodeTwo Active Directory Photos\ER.Shared.Common.2.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Program Files\CodeTwo\CodeTwo Active Directory Photos\ER.Shared.RulesProcessor.2.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Program Files\CodeTwo\CodeTwo Active Directory Photos\C2ADPhotos.Common.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Program Files\CodeTwo\CodeTwo Active Directory Photos\tx151rtf.dll	Jump to dropped file
Source: C:\Users\user\Desktop\C2ADPhotosSetupEN.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\MSI9BE.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Program Files\CodeTwo\CodeTwo Active Directory Photos\ER.Shared.Placeholders.2.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Program Files\CodeTwo\CodeTwo Active Directory Photos\C2.Common.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Program Files\CodeTwo\CodeTwo Active Directory Photos\C2WinUI.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Program Files\CodeTwo\CodeTwo Active Directory Photos\ER.Shared.MessageComposition.Lib.dll	Jump to dropped file

May sleep (evasive loops) to hinder dynamic analysis

Source: C:\Program Files\CodeTwo\CodeTwo Active Directory Photos\CodeTwo Active Directory Photos.exe TID: 7416	Thread sleep time: -922337203685477s >= -30000s			Jump to behavior
Source: C:\Program Files\CodeTwo\CodeTwo Active Directory Photos\CodeTwo Active Directory Photos.exe TID: 7192	Thread sleep time: -922337203685477s >= -30000s			Jump to behavior

Source: C:\Users\user\Desktop\C2ADPhotosSetupEN.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Users\user\Desktop\C2ADPhotosSetupEN.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Users\user\Desktop\C2ADPhotosSetupEN.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Users\user\Desktop\C2ADPhotosSetupEN.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Users\user\Desktop\C2ADPhotosSetupEN.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Users\user\Desktop\C2ADPhotosSetupEN.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Users\user\Desktop\C2ADPhotosSetupEN.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Users\user\Desktop\C2ADPhotosSetupEN.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Users\user\Desktop\C2ADPhotosSetupEN.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Users\user\Desktop\C2ADPhotosSetupEN.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Users\user\Desktop\C2ADPhotosSetupEN.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Users\user\Desktop\C2ADPhotosSetupEN.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Users\user\Desktop\C2ADPhotosSetupEN.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Users\user\Desktop\C2ADPhotosSetupEN.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Users\user\Desktop\C2ADPhotosSetupEN.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Users\user\Desktop\C2ADPhotosSetupEN.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Users\user\Desktop\C2ADPhotosSetupEN.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Users\user\Desktop\C2ADPhotosSetupEN.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Users\user\Desktop\C2ADPhotosSetupEN.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior

Source: C:\Program Files\CodeTwo\CodeTwo Active Directory Photos\CodeTwo Active Directory Photos.exe	Thread delayed: delay time: 922337203685477			Jump to behavior
Source: C:\Program Files\CodeTwo\CodeTwo Active Directory Photos\CodeTwo Active Directory Photos.exe	Thread delayed: delay time: 922337203685477			Jump to behavior

Source: C:\Windows\System32\msiexec.exe

Process information queried: ProcessInformation

Jump to behavior

Anti Debugging

Enables debug privileges

Source: C:\Program Files\CodeTwo\CodeTwo Active Directory Photos\CodeTwo Active Directory Photos.exe

Process token adjusted: Debug

Jump to behavior

Launches processes in debugging mode, may be used to hinder debugging

Source: C:\Windows\System32\msiexec.exe

Process created: C:\Program Files\CodeTwo\CodeTwo Active Directory Photos\CodeTwo Active Directory Photos.exe "C:\Program Files\CodeTwo\CodeTwo Active Directory Photos\CodeTwo Active Directory Photos.exe"

Jump to behavior

Source: C:\Program Files\CodeTwo\CodeTwo Active Directory Photos\CodeTwo Active Directory Photos.exe

Memory allocated: page read and write | page guard

Jump to behavior

Language, Device and Operating System Detection

Queries the volume information (name, serial number etc) of a device

Source: C:\Users\user\Desktop\C2ADPhotosSetupEN.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\C2ADPhotosSetupEN.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Program Files\CodeTwo\CodeTwo Active Directory Photos\CodeTwo Active Directory Photos.exe	Queries volume information: C:\Program Files\CodeTwo\CodeTwo Active Directory Photos\CodeTwo Active Directory Photos.exe VolumeInformation	Jump to behavior
Source: C:\Program Files\CodeTwo\CodeTwo Active Directory Photos\CodeTwo Active Directory Photos.exe	Queries volume information: C:\Program Files\CodeTwo\CodeTwo Active Directory Photos\C2.Common.dll VolumeInformation	Jump to behavior
Source: C:\Program Files\CodeTwo\CodeTwo Active Directory Photos\CodeTwo Active Directory Photos.exe	Queries volume information: C:\Program Files\CodeTwo\CodeTwo Active Directory Photos\C2ADPhotos.Common.dll VolumeInformation	Jump to behavior
Source: C:\Program Files\CodeTwo\CodeTwo Active Directory Photos\CodeTwo Active Directory Photos.exe	Queries volume information: C:\Program Files\CodeTwo\CodeTwo Active Directory Photos\C2WinUI.dll VolumeInformation	Jump to behavior
Source: C:\Program Files\CodeTwo\CodeTwo Active Directory Photos\CodeTwo Active Directory Photos.exe	Queries volume information: C:\Program Files\CodeTwo\CodeTwo Active Directory Photos\C2ADPhotos.AD.dll VolumeInformation	Jump to behavior
Source: C:\Program Files\CodeTwo\CodeTwo Active Directory Photos\CodeTwo Active Directory Photos.exe	Queries volume information: C:\Program Files\CodeTwo\CodeTwo Active Directory Photos\C2Wpf.Common.dll VolumeInformation	Jump to behavior
Source: C:\Program Files\CodeTwo\CodeTwo Active Directory Photos\CodeTwo Active Directory Photos.exe	Queries volume information: C:\Program Files\CodeTwo\CodeTwo Active Directory Photos\C2ADPhotos.Controls.dll VolumeInformation	Jump to behavior
Source: C:\Program Files\CodeTwo\CodeTwo Active Directory Photos\CodeTwo Active Directory Photos.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\WindowsFormsIntegration\v4.0_4.0.0.0__31bf3856ad364e35\WindowsFormsIntegration.dll VolumeInformation	Jump to behavior
Source: C:\Program Files\CodeTwo\CodeTwo Active Directory Photos\CodeTwo Active Directory Photos.exe	Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation	Jump to behavior
Source: C:\Program Files\CodeTwo\CodeTwo Active Directory Photos\CodeTwo Active Directory Photos.exe	Queries volume information: C:\Program Files\CodeTwo\CodeTwo Active Directory Photos\C2Wpf.Controls.dll VolumeInformation	Jump to behavior
Source: C:\Program Files\CodeTwo\CodeTwo Active Directory Photos\CodeTwo Active Directory Photos.exe	Queries volume information: C:\Program Files\CodeTwo\CodeTwo Active Directory Photos\ER.Shared.Common.2.dll VolumeInformation	Jump to behavior
Source: C:\Program Files\CodeTwo\CodeTwo Active Directory Photos\CodeTwo Active Directory Photos.exe	Queries volume information: C:\Program Files\CodeTwo\CodeTwo Active Directory Photos\ER.Shared.Placeholders.2.dll VolumeInformation	Jump to behavior
Source: C:\Program Files\CodeTwo\CodeTwo Active Directory Photos\CodeTwo Active Directory Photos.exe	Queries volume information: C:\Program Files\CodeTwo\CodeTwo Active Directory Photos\ER.Shared.Settings.2.dll VolumeInformation	Jump to behavior
Source: C:\Program Files\CodeTwo\CodeTwo Active Directory Photos\CodeTwo Active Directory Photos.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\PresentationFramework-SystemXml\v4.0_4.0.0.0__b77a5c561934e089\PresentationFramework-SystemXml.dll VolumeInformation	Jump to behavior
Source: C:\Program Files\CodeTwo\CodeTwo Active Directory Photos\CodeTwo Active Directory Photos.exe	Queries volume information: C:\Windows\Fonts\segoeui.ttf VolumeInformation	Jump to behavior
Source: C:\Program Files\CodeTwo\CodeTwo Active Directory Photos\CodeTwo Active Directory Photos.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\PresentationFramework-SystemCore\v4.0_4.0.0.0__b77a5c561934e089\PresentationFramework-SystemCore.dll VolumeInformation	Jump to behavior
Source: C:\Program Files\CodeTwo\CodeTwo Active Directory Photos\CodeTwo Active Directory Photos.exe	Queries volume information: C:\Windows\Fonts\tahomabd.ttf VolumeInformation	Jump to behavior
Source: C:\Program Files\CodeTwo\CodeTwo Active Directory Photos\CodeTwo Active Directory Photos.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\SMDiagnostics\v4.0_4.0.0.0__b77a5c561934e089\SMDiagnostics.dll VolumeInformation	Jump to behavior
Source: C:\Program Files\CodeTwo\CodeTwo Active Directory Photos\CodeTwo Active Directory Photos.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceModel.Internals\v4.0_4.0.0.0__31bf3856ad364e35\System.ServiceModel.Internals.dll VolumeInformation	Jump to behavior

Source: C:\Users\user\Desktop\C2ADPhotosSetupEN.exe

Code function: 0_2_00766571 GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter,

0_2_00766571

Source: C:\Program Files\CodeTwo\CodeTwo Active Directory Photos\CodeTwo Active Directory Photos.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	1 Replication Through Removable Media	Windows Management Instrumentation	1 Windows Service	1 Windows Service	23 Masquerading	OS Credential Dumping	1 System Time Discovery	Remote Services	1 Archive Collected Data	1 Encrypted Channel	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	Scheduled Task/Job	1 Registry Run Keys / Startup Folder	1 Process Injection	11 Disable or Modify Tools	LSASS Memory	1 Process Discovery	Remote Desktop Protocol	Data from Removable Media	Junk Data	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	1 DLL Side-Loading	1 Registry Run Keys / Startup Folder	32 Virtualization/Sandbox Evasion	Security Account Manager	32 Virtualization/Sandbox Evasion	SMB/Windows Admin Shares	Data from Network Shared Drive	Steganography	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	1 DLL Side-Loading	1 Process Injection	NTDS	11 Peripheral Device Discovery	Distributed Component Object Model	Input Capture	Protocol Impersonation	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	2 Obfuscated Files or Information	LSA Secrets	1 File and Directory Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	1 Software Packing	Cached Domain Credentials	14 System Information Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	1 DLL Side-Loading	DCSync	Remote System Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	1 File Deletion	Proc Filesystem	System Owner/User Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
C2ADPhotosSetupEN.exe	0%	ReversingLabs

Dropped Files

Source	Detection	Scanner
C:\Program Files\CodeTwo\CodeTwo Active Directory Photos\C2.Common.dll	0%	ReversingLabs
C:\Program Files\CodeTwo\CodeTwo Active Directory Photos\C2ADPhotos.AD.dll	0%	ReversingLabs
C:\Program Files\CodeTwo\CodeTwo Active Directory Photos\C2ADPhotos.Common.dll	0%	ReversingLabs
C:\Program Files\CodeTwo\CodeTwo Active Directory Photos\C2ADPhotos.Controls.dll	0%	ReversingLabs
C:\Program Files\CodeTwo\CodeTwo Active Directory Photos\C2WinUI.dll	2%	ReversingLabs
C:\Program Files\CodeTwo\CodeTwo Active Directory Photos\C2Wpf.Common.dll	0%	ReversingLabs
C:\Program Files\CodeTwo\CodeTwo Active Directory Photos\C2Wpf.Controls.dll	0%	ReversingLabs
C:\Program Files\CodeTwo\CodeTwo Active Directory Photos\CodeTwo Active Directory Photos.exe	0%	ReversingLabs
C:\Program Files\CodeTwo\CodeTwo Active Directory Photos\ER.Shared.Common.2.dll	0%	ReversingLabs
C:\Program Files\CodeTwo\CodeTwo Active Directory Photos\ER.Shared.Html.2.dll	0%	ReversingLabs
C:\Program Files\CodeTwo\CodeTwo Active Directory Photos\ER.Shared.MessageComposition.Lib.dll	0%	ReversingLabs
C:\Program Files\CodeTwo\CodeTwo Active Directory Photos\ER.Shared.Placeholders.2.dll	0%	ReversingLabs
C:\Program Files\CodeTwo\CodeTwo Active Directory Photos\ER.Shared.RulesProcessor.2.dll	0%	ReversingLabs
C:\Program Files\CodeTwo\CodeTwo Active Directory Photos\ER.Shared.Settings.2.dll	0%	ReversingLabs
C:\Program Files\CodeTwo\CodeTwo Active Directory Photos\TXTextControl.dll	0%	ReversingLabs
C:\Program Files\CodeTwo\CodeTwo Active Directory Photos\tx151.dll	0%	ReversingLabs
C:\Program Files\CodeTwo\CodeTwo Active Directory Photos\tx151rtf.dll	0%	ReversingLabs
C:\Program Files\CodeTwo\CodeTwo Active Directory Photos\tx151tls.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\MSI9BE.tmp	0%	ReversingLabs
C:\Windows\Installer\MSI1E11.tmp	0%	ReversingLabs

Source	Detection	Scanner	Label
http://ocsp.sectigo.com0	0%	URL Reputation	safe
http://schemas.datacontract.org/2004/07/	0%	URL Reputation	safe
http://crl.sectigo.com/SectigoRSATimeStampingCA.crl0t	0%	URL Reputation	safe
http://crt.sectigo.com/SectigoRSATimeStampingCA.crt0#	0%	URL Reputation	safe

Name	Source	Malicious	Antivirus Detection	Reputation
http://codetwo.com/ITimeService/SetOffsetT	CodeTwo Active Directory Photos.exe, 00000006.00000002.2454719140.0000000002822000.00000002.00000001.01000000.00000015.sdmp	false		unknown
https://www.codetwo.com?sts=1328	CodeTwo Active Directory Photos.exe, 00000006.00000002.2454651827.0000000002802000.00000002.00000001.01000000.00000014.sdmp	false		unknown
http://codetwo.com/ITimeService/SetOffsetResponse	CodeTwo Active Directory Photos.exe, 00000006.00000002.2454719140.0000000002822000.00000002.00000001.01000000.00000015.sdmp	false		unknown
http://codetwo.comT	CodeTwo Active Directory Photos.exe, 00000006.00000002.2454719140.0000000002822000.00000002.00000001.01000000.00000015.sdmp	false		unknown
http://ocsp.sectigo.com0	C2ADPhotosSetupEN.exe	false	URL Reputation: safe	unknown
http://schemas.datacontract.org	CodeTwo Active Directory Photos.exe, 00000006.00000002.2454794658.0000000002EEF000.00000004.00000800.00020000.00000000.sdmp	false		unknown
http://codetwo.com/ITimeService/GetCurrentTimeResponsew	CodeTwo Active Directory Photos.exe, 00000006.00000002.2454719140.0000000002822000.00000002.00000001.01000000.00000015.sdmp	false		unknown
http://schemas.datacontract.org/2004/07/ER.Shared.Placeholders	CodeTwo Active Directory Photos.exe, 00000006.00000002.2454794658.0000000002EEF000.00000004.00000800.00020000.00000000.sdmp	false		unknown
https://instagram.com/user_name_here	ER.Shared.MessageComposition.Lib.dll.2.dr	false		unknown
http://certificates.godaddy.com/repository/0	C2ADPhotosSetupEN.exe, ER.Shared.Placeholders.2.dll.2.dr, 431a48.msi.2.dr, ER.Shared.MessageComposition.Lib.dll.2.dr, 431a4a.msi.2.dr	false		unknown
http://schemas.codetwo.com/Net45/definedI	CodeTwo Active Directory Photos.exe, 00000006.00000002.2463413177.000000001CF22000.00000002.00000001.01000000.0000001A.sdmp, C2Wpf.Controls.dll.2.dr	false		unknown
https://www.codetwo.com/userguide/active-directory-photos/multi-photo.htm?sts=1327#automatch	CodeTwo Active Directory Photos.exe, 00000006.00000002.2454651827.0000000002802000.00000002.00000001.01000000.00000014.sdmp	false		unknown
https://www.codetwo.com/userguide/active-directory-photos/photo-editor.htm?sts=1327	CodeTwo Active Directory Photos.exe, 00000006.00000002.2454651827.0000000002802000.00000002.00000001.01000000.00000014.sdmp	false		unknown
http://schemas.datacontract.org/2004/07/System.Xml	CodeTwo Active Directory Photos.exe, 00000006.00000002.2454794658.0000000002EEF000.00000004.00000800.00020000.00000000.sdmp	false		unknown
http://codetwo.com/ITimeService/ResetOffsetT	CodeTwo Active Directory Photos.exe, 00000006.00000002.2454719140.0000000002822000.00000002.00000001.01000000.00000015.sdmp	false		unknown
http://www.codetwo.com/EmailTracking	ER.Shared.MessageComposition.Lib.dll.2.dr	false		unknown
http://www.codetwo.comohttp://www.codetwo.com/freeware/active-directory-photos	ER.Shared.MessageComposition.Lib.dll.2.dr	false		unknown
http://www.codetw.com	ER.Shared.MessageComposition.Lib.dll.2.dr	false		unknown
http://crl.godaddy.com/gdig2s5-6.crl0	C2ADPhotosSetupEN.exe	false		unknown
https://www.codetwo.com/freeware/active-directory-photos?sts=1327	CodeTwo Active Directory Photos.exe, 00000006.00000002.2454651827.0000000002802000.00000002.00000001.01000000.00000014.sdmp	false		unknown
http://www.codetwo.com;	CodeTwo Active Directory Photos.exe, 00000006.00000002.2454651827.0000000002802000.00000002.00000001.01000000.00000014.sdmp	false		unknown
https://sectigo.com/CPS0D	C2ADPhotosSetupEN.exe	false		unknown
http://www.w3.o	CodeTwo Active Directory Photos.exe, 00000006.00000002.2454794658.00000000031C9000.00000004.00000800.00020000.00000000.sdmp	false		unknown
https://twitter.com/user_name_here	ER.Shared.MessageComposition.Lib.dll.2.dr	false		unknown
https://www.codetwo.com/solutions-for-exchange-server/?sts=1326	CodeTwo Active Directory Photos.exe, 00000006.00000002.2454794658.0000000002B82000.00000004.00000800.00020000.00000000.sdmp	false		unknown
http://schemas.datacontract.org/2004/07/C2ADPhotos.AD	CodeTwo Active Directory Photos.exe, 00000006.00000002.2454794658.0000000002EEF000.00000004.00000800.00020000.00000000.sdmp	false		unknown
http://www.codetwo.com5	CodeTwo Active Directory Photos.exe, 00000006.00000002.2463304418.000000001BED2000.00000002.00000001.01000000.00000019.sdmp, CodeTwo Active Directory Photos.exe, 00000006.00000002.2454651827.0000000002802000.00000002.00000001.01000000.00000014.sdmp	false		unknown
http://www.codetwo.com8	CodeTwo Active Directory Photos.exe, 00000006.00000002.2454651827.0000000002802000.00000002.00000001.01000000.00000014.sdmp	false		unknown
https://www.codetwo.com/userguide/active-directory-photos/multi-photo.htm?sts=1327#import	CodeTwo Active Directory Photos.exe, 00000006.00000002.2454651827.0000000002802000.00000002.00000001.01000000.00000014.sdmp	false		unknown
http://certificates.godaddy.com/repository/gdig2.crt0	C2ADPhotosSetupEN.exe, ER.Shared.Placeholders.2.dll.2.dr, 431a48.msi.2.dr, ER.Shared.MessageComposition.Lib.dll.2.dr, 431a4a.msi.2.dr	false		unknown
https://www.pinterest.com/user_name_here	ER.Shared.MessageComposition.Lib.dll.2.dr	false		unknown
http://codetwo.com/ITimeService/ResetOffsetResponseI	CodeTwo Active Directory Photos.exe, 00000006.00000002.2454719140.0000000002822000.00000002.00000001.01000000.00000015.sdmp	false		unknown
http://www.codetwo.com.	CodeTwo Active Directory Photos.exe, 00000006.00000002.2466305357.000000001CFF2000.00000002.00000001.01000000.0000001B.sdmp, ER.Shared.Placeholders.2.dll.2.dr	false		unknown
http://crl.godaddy.com/gdig2s5-3.crl0	C2ADPhotosSetupEN.exe, ER.Shared.Placeholders.2.dll.2.dr, 431a48.msi.2.dr, ER.Shared.MessageComposition.Lib.dll.2.dr, 431a4a.msi.2.dr	false		unknown
http://www.codetwo.com0	C2ADPhotosSetupEN.exe, ER.Shared.Placeholders.2.dll.2.dr, 431a48.msi.2.dr, ER.Shared.MessageComposition.Lib.dll.2.dr, 431a4a.msi.2.dr	false		unknown
http://www.codetwo.com/	CodeTwo Active Directory Photos.exe, 00000006.00000002.2454794658.0000000002EEF000.00000004.00000800.00020000.00000000.sdmp	false		unknown
http://badoo.com/user_name_here	ER.Shared.MessageComposition.Lib.dll.2.dr	false		unknown
http://url_to/rss.xml	ER.Shared.MessageComposition.Lib.dll.2.dr	false		unknown
http://www.codetwo.comh	CodeTwo Active Directory Photos.exe, 00000006.00000002.2454794658.00000000031C9000.00000004.00000800.00020000.00000000.sdmp	false		unknown
http://www.codetwo.com/freeware/active-directory-photos?sts=1327	HomePage.url.2.dr	false		unknown
https://www.codetwo.com/kb/images-online-vs-embedded/	ER.Shared.MessageComposition.Lib.dll.2.dr	false		unknown
http://schemas.datacontract.org/2004/07/	CodeTwo Active Directory Photos.exe, 00000006.00000002.2459946087.000000001B4C2000.00000002.00000001.01000000.00000016.sdmp, CodeTwo Active Directory Photos.exe, 00000006.00000002.2454794658.0000000002EEF000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://user_name_here.tumblr.com	ER.Shared.MessageComposition.Lib.dll.2.dr	false		unknown
http://www.codetwo.com	CodeTwo Active Directory Photos.exe, 00000006.00000002.2454651827.0000000002802000.00000002.00000001.01000000.00000014.sdmp, CodeTwo Active Directory Photos.exe, 00000006.00000002.2454794658.0000000002EEF000.00000004.00000800.00020000.00000000.sdmp, ER.Shared.MessageComposition.Lib.dll.2.dr	false		unknown
https://www.linkedin.com/company/user_name_here	ER.Shared.MessageComposition.Lib.dll.2.dr	false		unknown
http://certs.godaddy.com/repository/1301	C2ADPhotosSetupEN.exe, ER.Shared.Placeholders.2.dll.2.dr, 431a48.msi.2.dr, ER.Shared.MessageComposition.Lib.dll.2.dr, 431a4a.msi.2.dr	false		unknown
http://schemas.datacontract.org/2004/07/C2ADPhotos.Common	CodeTwo Active Directory Photos.exe, 00000006.00000002.2454794658.0000000002EEF000.00000004.00000800.00020000.00000000.sdmp	false		unknown
http://www.codetwo.comT	CodeTwo Active Directory Photos.exe, 00000006.00000002.2466305357.000000001CFF2000.00000002.00000001.01000000.0000001B.sdmp, CodeTwo Active Directory Photos.exe, 00000006.00000002.2463304418.000000001BED2000.00000002.00000001.01000000.00000019.sdmp, CodeTwo Active Directory Photos.exe, 00000006.00000000.2345167044.00000000003D2000.00000002.00000001.01000000.00000009.sdmp, CodeTwo Active Directory Photos.exe, 00000006.00000002.2454719140.0000000002822000.00000002.00000001.01000000.00000015.sdmp, CodeTwo Active Directory Photos.exe, 00000006.00000002.2466378356.000000001D022000.00000002.00000001.01000000.0000001C.sdmp, ER.Shared.Placeholders.2.dll.2.dr	false		unknown
http://www.codetwo.comV	CodeTwo Active Directory Photos.exe, 00000006.00000000.2345167044.00000000003D2000.00000002.00000001.01000000.00000009.sdmp	false		unknown
http://www.codetwo.comX	CodeTwo Active Directory Photos.exe, 00000006.00000002.2454794658.0000000002EEF000.00000004.00000800.00020000.00000000.sdmp	false		unknown
https://certs.godaddy.com/repository/0	C2ADPhotosSetupEN.exe, ER.Shared.Placeholders.2.dll.2.dr, 431a48.msi.2.dr, ER.Shared.MessageComposition.Lib.dll.2.dr, 431a4a.msi.2.dr	false		unknown
http://schemas.codetwo.com/Net45/defined	CodeTwo Active Directory Photos.exe, 00000006.00000002.2454794658.0000000002984000.00000004.00000800.00020000.00000000.sdmp, CodeTwo Active Directory Photos.exe, 00000006.00000002.2463413177.000000001CF22000.00000002.00000001.01000000.0000001A.sdmp, C2Wpf.Controls.dll.2.dr	false		unknown
https://userphotos365.codetwo.com	CodeTwo Active Directory Photos.exe, 00000006.00000000.2345167044.00000000003D2000.00000002.00000001.01000000.00000009.sdmp	false		unknown
https://soundcloud.com/user_name_here	ER.Shared.MessageComposition.Lib.dll.2.dr	false		unknown
http://www.w3.oh	CodeTwo Active Directory Photos.exe, 00000006.00000002.2454794658.00000000031C9000.00000004.00000800.00020000.00000000.sdmp	false		unknown
https://plus.google.com/	ER.Shared.MessageComposition.Lib.dll.2.dr	false		unknown
https://www.youtube.com/user/user_name_here	ER.Shared.MessageComposition.Lib.dll.2.dr	false		unknown
http://crl.godaddy.com/gdroot-g2.crl0F	C2ADPhotosSetupEN.exe, ER.Shared.Placeholders.2.dll.2.dr, 431a48.msi.2.dr, ER.Shared.MessageComposition.Lib.dll.2.dr, 431a4a.msi.2.dr	false		unknown
http://crl.sectigo.com/SectigoRSATimeStampingCA.crl0t	C2ADPhotosSetupEN.exe	false	URL Reputation: safe	unknown
http://www.codetwo.com/form/uninstall/active-directory-photos/	C2ADPhotosSetupEN.exe, 00000000.00000003.2373722770.0000000002059000.00000004.00000020.00020000.00000000.sdmp, C2ADPhotosSetupEN.exe, 00000000.00000002.2376879823.000000000205C000.00000004.00000020.00020000.00000000.sdmp	false		unknown
http://crt.sectigo.com/SectigoRSATimeStampingCA.crt0#	C2ADPhotosSetupEN.exe	false	URL Reputation: safe	unknown
https://www.xing.com/profile/user_name_here	ER.Shared.MessageComposition.Lib.dll.2.dr	false		unknown
https://www.codetwo.com/exchange-rules-pro/how-to-add-signatures-with-photos-from-active-directory?s	CodeTwo Active Directory Photos.exe, 00000006.00000002.2454794658.0000000002B82000.00000004.00000800.00020000.00000000.sdmp, CodeTwo Active Directory Photos.exe, 00000006.00000002.2454651827.0000000002802000.00000002.00000001.01000000.00000014.sdmp	false		unknown
https://www.codetwo.com/userguide/active-directory-photos/interface.htm?sts=1327#custom-filter	CodeTwo Active Directory Photos.exe, 00000006.00000002.2454651827.0000000002802000.00000002.00000001.01000000.00000014.sdmp	false		unknown
http://codetwo.com/CRM	CodeTwo Active Directory Photos.exe, 00000006.00000002.2454719140.0000000002822000.00000002.00000001.01000000.00000015.sdmp	false		unknown
https://www.codetwo.com/userguide/active-directory-photos/settings.htm?sts=1327	CodeTwo Active Directory Photos.exe, 00000006.00000002.2454651827.0000000002802000.00000002.00000001.01000000.00000014.sdmp	false		unknown
http://codetwo.com/ITimeService/GetCurrentTimeT	CodeTwo Active Directory Photos.exe, 00000006.00000002.2454719140.0000000002822000.00000002.00000001.01000000.00000015.sdmp	false		unknown
http://www.codetwo.comp	CodeTwo Active Directory Photos.exe, 00000006.00000002.2454794658.00000000031C9000.00000004.00000800.00020000.00000000.sdmp, CodeTwo Active Directory Photos.exe, 00000006.00000002.2454794658.0000000002EEF000.00000004.00000800.00020000.00000000.sdmp	false		unknown

World Map of Contacted IPs

⊘No contacted IP infos

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1542206
Start date and time:	2024-10-25 16:34:27 +02:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 7m 26s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	11
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	C2ADPhotosSetupEN.exe
Detection:	CLEAN
Classification:	clean5.winEXE@8/54@0/0
EGA Information:	Failed
HCA Information:	Failed
Cookbook Comments:	Found application associated with file extension: .exe

Warnings

Exclude process from analysis (whitelisted): dllhost.exe, WMIADAP.exe, SIHClient.exe, svchost.exe
Excluded IPs from analysis (whitelisted): 20.190.159.73, 40.126.31.67, 20.190.159.4, 20.190.159.2, 20.190.159.64, 40.126.31.73, 20.190.159.0, 20.190.159.68
Excluded domains from analysis (whitelisted): www.bing.com, client.wns.windows.com, prdv4a.aadg.msidentity.com, fs.microsoft.com, otelrules.azureedge.net, slscr.update.microsoft.com, www.tm.v4.a.prd.aadg.akadns.net, 7.4.8.4.4.3.1.4.0.0.0.0.0.0.0.0.0.0.0.a.0.0.1.f.1.1.1.0.1.0.a.2.ip6.arpa, ctldl.windowsupdate.com, login.msa.msidentity.com, fe3cr.delivery.mp.microsoft.com, ocsp.digicert.com, login.live.com, www.tm.lg.prod.aadmsa.trafficmanager.net
Execution Graph export aborted for target C2ADPhotosSetupEN.exe, PID 6688 because there are no executed function
Execution Graph export aborted for target CodeTwo Active Directory Photos.exe, PID 5948 because it is empty
Report size getting too big, too many NtAllocateVirtualMemory calls found.
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtProtectVirtualMemory calls found.
Report size getting too big, too many NtQueryValueKey calls found.
VT rate limit hit for: C2ADPhotosSetupEN.exe

Simulations

Behavior and APIs

Time	Type	Description
10:35:49	API Interceptor	2x Sleep call for process: CodeTwo Active Directory Photos.exe modified

Process:	C:\Windows\System32\msiexec.exe
File Type:	data
Category:	modified
Size (bytes):	13373
Entropy (8bit):	5.774741748257107
Encrypted:	false
SSDEEP:	384:rDFXrokNFYg+l6Fy/4/UiXrjOkw1TwRt4bdxdFVSj:rDFXrowFYg+l60/4/UibjOkw1Titar8
MD5:	5BA54B48369B33CAB672395F6E24BB1E
SHA1:	FBFF03CEFFB80AA586696DE52A564DFE39334F4F
SHA-256:	5980DA82114CB349A0ED303FC7CEBF9031E59B8A3F91EFE27ED53E9A85C48EE2
SHA-512:	FF26254EC6AB11829FC296C46DA83158695BBF40CCA0308812B5AB58C45D7468B967FD22E00AD3E5D1C6E2935E2E9235685EEA3363AA00996FF05FCBBE964AF0
Malicious:	false
Reputation:	low
Preview:	...@IXOS.@.....@xTYY.@.....@.....@.....@.....@.....@......&.{A5C74DC7-9616-4A5E-846D-F56E256CF46F}..CodeTwo Active Directory Photos..C2ADPhotosSetupENx64.msi.@.....@.....@.....@......icon.ico..&.{85D5E36E-A38F-44FA-B9D7-04B56ACDA73E}.....@.....@.....@.....@.......@.....@.....@.......@......CodeTwo Active Directory Photos......Rollback..Rolling back action:..[1]..RollbackCleanup..Removing backup files..File: [1]....ProcessComponents..Updating component registration..&.{29BEB6C5-A856-4BEC-A3D8-BF723C93F800}&.{A5C74DC7-9616-4A5E-846D-F56E256CF46F}.@......&.{1EEAAF19-B2ED-4D58-AC09-0A4C7F3FFAE3}&.{A5C74DC7-9616-4A5E-846D-F56E256CF46F}.@......&.{C8E604A2-DD3D-420B-8F48-B55522237493}&.{A5C74DC7-9616-4A5E-846D-F56E256CF46F}.@......&.{7633E798-5746-49D5-96E9-8E0CC4681E90}&.{A5C74DC7-9616-4A5E-846D-F56E256CF46F}.@......&.{2D4F63DF-5AB0-42E8-95E8-09A39ED891CA}&.{A5C74DC7-9616-4A5E-846D-F56E256CF46F}.@......&.{C11DFE56-311E-4061-B654-04F835FE8CF2}&.{A5C74DC7-9616-4A5E-846D-F56E256CF46F}.@......&.

C:\Program Files\CodeTwo\CodeTwo Active Directory Photos\C2.Common.dll

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	223512
Entropy (8bit):	6.4166974181915215
Encrypted:	false
SSDEEP:	6144:PcuQsm9cvBIE3Qf8rnQwVj+CQNuiWKq8ZKyT:PCsZvXY4XQNwfC
MD5:	D2243EB4620041558075CAFE12A5716F
SHA1:	704758817734782161DA7FB619F08294B69ADFCD
SHA-256:	17180F377878A267BFE66C69406BCB23DBFE88A995ECC394D8C94434D4E2E9EE
SHA-512:	B8B340EAAC430E6D436D7D6238C54CD9195F7346B4F7093EF5B86B077568DF5B8140540A83873FDCFBDDA205B7AA2A29F1BDE7918F8FF8FE90753F42093F7C5B
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Reputation:	low
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...U. \...........!.....T...........r... ........@.. ....................................@.................................Kr..J....................\...............q..\|............................................ ............... ..H............text....R... ...T.................. ..`.rsrc................V..............@..@.reloc...............Z..............@..B................{r......H........o..$............2...>............................................{...."..}.........{...."..}.........{...."..}.........{...."..}.........(;.....(......s....(......s....(.......s....(.....0..>....... ....s<....-+&.,. .....-"&....(....-..,.~=....-..o>....+..+....0..B........j.-4&.j.-1&.j.-.&.......(....-..,.s?...z.,..-.....s.....+..+..+...z...\|....{.....\|....{....(...+......\|....\|.....\|....\|.....,.&&&&(...++....z...\|....{.....\|....{....(...+*......\|....\|.

C:\Program Files\CodeTwo\CodeTwo Active Directory Photos\C2ADPhotos.AD.dll

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	430344
Entropy (8bit):	6.254957913577716
Encrypted:	false
SSDEEP:	6144:tYybA3NlO3Nl8ELIJ+bgJeBPUAtqkzkgOmoXZ//7ey:tYys3NU3N6+bgJWvIfxSy
MD5:	95100781267D8FC2B596F72F529AB48E
SHA1:	8F8DA00B2DB8C3E18F485BD24A075168C9ECD84A
SHA-256:	3F3114F75DBAE84C30D9D775FBCDB6CEA7EE751E422A7163CCDE3F25313378A5
SHA-512:	FC83C64226FA59899C66A381168A7384D671BAB0E2B1E647EA727313E77A55C6A48BC46AC8C7AFAD3FC157671536D291FE8513087F2B3432F095AB3FBE8FB311
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Reputation:	low
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....{._...........!.....h............... ........@.. ...............................=....@.................................H...J....................p...!.............j............................................ ............... ..H............text....g... ...h.................. ..`.rsrc................j..............@..@.reloc...............n..............@..B................x.......H.......X]...\...........................................................{...."..}.........(%...:.(%.....}......0..S........(....~&...%-.&~'.....(...s)...%.&...(...+%- .(.........(+...o,...(-...s....z.......0..c.......s/...o...+.,'&.,..-..o....,..,...o.....-.&&+...,.&...+.(....+.(....+...{.....(1...o2....(.....,............EE..h....0..).......s/.....,.&&..o...++...{.....(4...o2.....*...............h....0..x........-Q.-..s5....,F&&.,0.(....s6....-:&&.(....s7....-1&&.(..

C:\Program Files\CodeTwo\CodeTwo Active Directory Photos\C2ADPhotos.Common.dll

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	76552
Entropy (8bit):	6.499274229009615
Encrypted:	false
SSDEEP:	1536:c6UrCGwOZGauM8GaYzzvcMF1QXtyS7MaiADBgGF8bu1Q+8iA:RGwksGaYzzv5QXJ7MaiJJbuKD
MD5:	2443C079542FE7F60DD4153D78EE15F6
SHA1:	1A52995404D8BB70D359A04B19D6AF8209B9CA68
SHA-256:	3C8B25D916540EF8F10AED8C97F9D99E91A9CF22669CB2D7C370B79D350B6633
SHA-512:	10D0D076DCE446ABA3E8CD8107D067E0E2E4B3D39A4DC303C173EB506D3ECB0FB664C162572CBBD3CD950CAC2402CA6B5525540945B4CFB40D0C8F85465C757A
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....{._...........!................` ... ...@....@.. ...............................%....@.................................. ..J....@...................!...`..........n............................................ ............... ..H............text...f.... ...................... ..`.rsrc........@......................@..@.reloc.......`......................@..B................F ......H.......4c..................'............................................{...."..}.......J.(.....s....(......0..^.......~.....-P&..-N&....-%&&..~....-..,...~....-.s.............( ...+..,..,..-..(!......~.....+..+...........2@......N........s...........{...."..}.........{...."..}.......j.(......(......(...+(.....f.(......(.....s#...(.......0..O........-8...}.....,....}......($...}.......}.....-...\|.......,.&&..\|....(%...(...++...0..Q..........}.......}.......}....

C:\Program Files\CodeTwo\CodeTwo Active Directory Photos\C2ADPhotos.Controls.dll

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	1117960
Entropy (8bit):	7.4252317993938615
Encrypted:	false
SSDEEP:	12288:nw9ybdGn5qWXPzPPcJx+PustMhb3NxGustMq4+bgJWvmfm3uul9aZj:gqunzPK+PJMhLGJM4VVuul+j
MD5:	5471ED47B6F06442A0B7C5F1AE58F470
SHA1:	0807121AC3587749620DEC072E10DA6A42DC79D3
SHA-256:	1F1F47E16E1A4DCADCB1FFF17F9781A6B67C1AE57B89AA34A9221C9458967674
SHA-512:	24F68B137941CF886FACE8F64544A47B4812DB2357978D82AA2B3068DC377F5441428F2BEB6078E721EA789271ED70BD264D792DA97DE46E0F511978EDA917F6
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....{._...........!................:.... ... ....@.. .......................`.......?....@.....................................J.... ...................!...@..........p............................................ ............... ..H............text...@.... ...................... ..`.rsrc........ ......................@..@.reloc.......@......................@..B................ .......H.......,...............................................................>. 4......(....2......o.......j.........-.&&&&&&&o....+...0..1........o.... ....(e... $...........%...%....o ...t;......F....-.&&&o!...+.....("...6.(#....(........($...>...,.&&(%...+.2.{....o&......R.{......-.&&o'...+....2.{....o(......R.{......-.&&o)...+....2.{....o......R.{......-.&&o+...+......-..,..{....,..{.....,.&.,....,.&&.-.*o,...+.(-...+.....0...........s....}......:X...&.{.......

C:\Program Files\CodeTwo\CodeTwo Active Directory Photos\C2WinUI.dll

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	407832
Entropy (8bit):	7.140816953030626
Encrypted:	false
SSDEEP:	6144:z5BB6PXMEWHkdWw4HMFRdz5Tased/1yhPOfWqr4TpsV1Jm/gFI+HjFMh3zYAtwU:A5TpPaVd/1yAfFrXnm//+hM1
MD5:	57CE9C8B4ADF608B02C8AD2D4E0751E9
SHA1:	5EA5E6478DDD0154A71EAAF90C9252FF52A9636A
SHA-256:	83B6D3456220E19EEE41A4C9C8FDFF7F7EAD46B05D82D10AD462E0B13F650F0A
SHA-512:	E3098AD3398F2743902C07B064E8703623F3E40A86EAC642221F2A413132DE26043FFAB78D8FEAC944BCF2D295C33A53747C8FD980F4C658B2BAB89AE2546168
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 2%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L..... \...........!.....$...........C... ...`....@.. ....................................@..................................B..J....`...............,..............HB..z............................................ ............... ..H............text....#... ...$.................. ..`.rsrc........`.......&..............@..@.reloc.............................@..B.................B......H.......p............... ...(^...........................................(]...(h....0..J........-:.-..{.....,/&.,&..-&..(#...t.....-.&.\|......(...+.-.&..3..+..+..+..+....0..J........-:.-..{.....,/&.,&..-&..(%...t.....-.&.\|......(...+.-.&..3..+..+..+..+.....{......,..-...}.....{....,..{......,.&&.-.o&...+......{......,..-...}.....{....,..{......,.&&.-.o&...+......{...."..}.........{...."..}........0..L........('...}..... .... .... ....((...}..... .... .... ....((.

C:\Program Files\CodeTwo\CodeTwo Active Directory Photos\C2Wpf.Common.dll

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	18944
Entropy (8bit):	5.38479138315468
Encrypted:	false
SSDEEP:	384:WNOnOMI6lB4lrRP5b1CiZx7/3OVCQGafO9Tj2tHNtq3loMBExc6lHZIl4i:Vq6lBQP5b/xgteN6tZIb
MD5:	94AC39F544E71724A924B97C37D3154F
SHA1:	E62814A68FAC2155E368A4ADE1EE588E669F0B19
SHA-256:	2CD1570D7FC31962DA20A81BF90B1BE1C3D12D0F8F8FDBF23EDFD8CF38D70754
SHA-512:	E32F92C2606E9CE45BFDF50EF9BF83D77E32D391A7231F8B02F7094FBDE34913118389CF5BD929CC6B78BDA3885A1F2988A86CFD046AB7F67EEF7837E7E4676E
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...#. \.........." ..0..B..........:`... ........... ....................................`.................................._..O....................................^............................................... ............... ..H............text...@@... ...B.................. ..`.rsrc................D..............@..@.reloc...............H..............@..B.................`......H.......\..../...........]...............................................0...........-...................(.......+k..(........u..............-....(...+.......,:+@.(....-&..u........,#..o.....(....,.........+.........+...X...2....(........0..0.......( ...,.( ...o!....+.(".....-.r...ps#...z..o$...6..o!...}....V.{....,..{.....o$....0..)........{%........(&...t......\|%.....(...+...3.....0..)........{%........((...t......\|%.....(...+...3.:.(......()...V.(......}.....()..

C:\Program Files\CodeTwo\CodeTwo Active Directory Photos\C2Wpf.Controls.dll

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	109568
Entropy (8bit):	6.129398364225437
Encrypted:	false
SSDEEP:	3072:3/4W2Yym7OhC9+UFfaonoq103VtBwIoOZPdbA8:PFjnFhC/wIoOZPdb
MD5:	0D5774A493CCD50641495391784AD861
SHA1:	D1C5FD350C65A66C0844711C4863A84EC3A9B3F8
SHA-256:	3ED72DF410BD5722883C246AB5C030B836CA7981C97851792180A714B05B3CE6
SHA-512:	A811C7EFE41A94007838EC6FB2432D1C44513D25F4A98B7FD8BD5FDF0D749959F183FB3840475CF7955F145913CB347B6A7A903D31578AADFE2D05AD11213D4B
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...&. \.........." ..0.................. ........... ....................... ............`.....................................O.................................................................................... ............... ..H............text...4.... ...................... ..`.rsrc...............................@..@.reloc..............................@..B........................H........m..h............'.. .............................................(.....~....-.r...p.....(....o....s ........~.....~............~......(!...Vs....("...t.........F.~....(#...t....6.~.....($...F.~....(#...t....6.~.....($...F.~....(#...t....6.~.....($...F.~....(#...t....6.~.....($.....(%....0..........rI..p.....(.........(....(&........rU..p.....(.........(....(&........rk..p.....(.........(....(&........r...p.....(.........(....(&........*F.~....(#......

C:\Program Files\CodeTwo\CodeTwo Active Directory Photos\CodeTwo Active Directory Photos.exe

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	2016008
Entropy (8bit):	5.5791030321884385
Encrypted:	false
SSDEEP:	12288:Vp7KP9xfvtustMIustMc+bgJWvIfx1aAustMNgt2GMv9lJag:y9xfvtJMIJMVV0JMNgt2FVlQg
MD5:	64FA128F137A7AEFCFA59744C6B17A75
SHA1:	FEAFF1A8015F816ECE1EA8CC808D6EB7BDF8A062
SHA-256:	3353B7DE4462FE26F0C481743861647B1E71AE534186333AD1BC9640F84C54E3
SHA-512:	636597B67F9F4ED2E89170A367C3C1010844F235B193EBB1CBF05A28C88E27AD01415E1AAB79812F75F5ECB23C5BA234C3BA441D036862EC42251A326CA37A10
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....{._................................. ........@.. ....................................@.....................................J........................!..........M...\|............................................ ............... ..H............text........ ...................... ..`.rsrc...............................@..@.reloc..............................@..B........................H.......(y..........N.......QW............................................{=.....{>...V.(?.....}=.....}>......0..J........,%.u.....-;&.,/(@....{=....{=...oA...,.(B....{>....{>...oC....%-.%-..+.... ).].%, %,. )UU.Z(@....{=...oD...X )UU.Z(B....{>...oE...X.-....0..s........ ....(..........%..{=....,Q&..%q.........-.&.+.......o.....%..{>....-)&..%q.........-.&.+.......o.....(F...*.+..+...0..).......sG....:....&.~....%-.&~..........sH...%.....(...+,..(....oJ...&.~....%-.&~..

C:\Program Files\CodeTwo\CodeTwo Active Directory Photos\CodeTwo Active Directory Photos.exe.config

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators
Category:	dropped
Size (bytes):	4664
Entropy (8bit):	5.029469257531877
Encrypted:	false
SSDEEP:	96:4e7127nrxYKkrEHqf/1TN9HQiEQipQcpPUR:4e707nr9GdQ/QGQEP6
MD5:	3DDE769A224B2C7D4C63FD8065C80E36
SHA1:	5EE7A02A5B4492E0D8E272276D4A9A4C07322386
SHA-256:	7C5DDC1A13514A181A10BF816C38EBB6EBD5CBD166374A361D854A77B43C7DDD
SHA-512:	D876420BCFD3F7E154F507C62EEE7BFBD9AF3D45A3F0941A69B65BF40B993A80D0DAC38B507BE1F7A85D1C247426D1EF9171615B5652A3D10BA565001857D27C
Malicious:	false
Preview:	.<?xml version="1.0" encoding="utf-8"?>..<configuration>.. <configSections>.. <sectionGroup name="applicationSettings" type="System.Configuration.ApplicationSettingsGroup, System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089">.. <section name="C2ADPhotos.Properties.Settings" type="System.Configuration.ClientSettingsSection, System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089" requirePermission="false" />.. </sectionGroup>.. </configSections>.. <startup>.. <supportedRuntime version="v4.0" sku=".NETFramework,Version=v4.6" />.. </startup>.. <runtime>.. <assemblyBinding xmlns="urn:schemas-microsoft-com:asm.v1">.. <dependentAssembly>.. <assemblyIdentity name="System.Windows.Forms" publicKeyToken="b77a5c561934e089" culture="neutral" />.. <bindingRedirect oldVersion="0.0.0.0-4.0.0.0" newVersion="4.0.0.0" />.. </dependentAssembly>.. <dependentAssembly>.. <assemblyIdentity name="System.Drawing

C:\Program Files\CodeTwo\CodeTwo Active Directory Photos\Data\HomePage.url

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	MS Windows 95 Internet shortcut text (URL=<http://www.codetwo.com/freeware/active-directory-photos?sts=1327>), ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	90
Entropy (8bit):	4.736919060585886
Encrypted:	false
SSDEEP:	3:HRAbABGQYm/0S4cR52r0QKEGMTjp5Iv:HRYFVm/r4cKr0QfbTd5S
MD5:	3D3EB8CFAA2B79D009A2573E0B2AB8C6
SHA1:	457C4AB0AA5083B2A3464420D534DEF28F999AEE
SHA-256:	90204B38EC58321EFD6D6A282868A67EC17B7242E301C09605EF6C951CBEFB88
SHA-512:	313CF5EA8871A4D8109DC5DC872E383C9DBC8577A37844986CB82B18759BE320DA75D6D9C3C12239C2FFA7A743FB0AE857DD24C54EE54E3D3EBA5408F0F36D88
Malicious:	false
Preview:	[InternetShortcut]..URL=http://www.codetwo.com/freeware/active-directory-photos?sts=1327..

C:\Program Files\CodeTwo\CodeTwo Active Directory Photos\Data\User's manual.url

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	MS Windows 95 Internet shortcut text (URL=<http://www.codetwo.com/userguide/active-directory-photos/intro.htm?sts=1327>), ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	101
Entropy (8bit):	4.742312405998409
Encrypted:	false
SSDEEP:	3:HRAbABGQYm/0S4cR52WQA3ojiRXK5ALv:HRYFVm/r4cKW/Y2
MD5:	D63EA42C911B506BD4A480DFB5FE952A
SHA1:	E6784738F569D91C9BF3889FC3CD4AAB771E8EB4
SHA-256:	D3D6740CCAAF25085B29DE3FCA28EBF5B63BC93C19C08F62C70697BCF91EB7AA
SHA-512:	B616100F7FC83564BBF1514CA2180FED22C87ECC9F3AC26D79D0D753C654C6CCD752C96E0D1E61BC93DF2BD2480FF3B1F2F2F07DC56C32725C62A0BF84C7C715
Malicious:	false
Preview:	[InternetShortcut]..URL=http://www.codetwo.com/userguide/active-directory-photos/intro.htm?sts=1327..

C:\Program Files\CodeTwo\CodeTwo Active Directory Photos\ER.Shared.Common.2.dll

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	45848
Entropy (8bit):	5.885148440749969
Encrypted:	false
SSDEEP:	768:vsi33kjxl6ewjCHmUWGygMOKQJwGN6MF1pXXB8KUIz9Gm:v333kjxYPOHmJQJKQJwe6cXbzf
MD5:	13662EC5D6803038105FDF472DF64C6E
SHA1:	BF91FF7DBF0B1B3FD3EB5A0CD08A70903CF0E43E
SHA-256:	E5A86180BCB2D9EA8373C9A72647F4553EC77180B58C8E407B4875B62B8464BB
SHA-512:	86E694A83C6C8A8CBC7E5A02860067E9FEDAE3391360C2D2929B97B08CCB6EF88E3E721EB147DB51E94248105AD567D8C0F9DD64C6CBBEB8E24B43EE1580F628
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L..... \...........!................I.... ........@.. ...................................@.....................................J...................................z................................................ ............... ..H............text...O.... ...................... ..`.rsrc...............................@..@.reloc..............................@..B................/.......H........O...j..........\|.................................................(......}......}.......o....}.....r.(......}......}......}........0..C........(......}......}......j.o....&.o........5...}......{......io....&...{....,..{.....i./..,.r...p.,..,..{.....{....o.........{......{......{....J.{.....{....o.....V.(......}......}........{......{.....0..(.......( ...o!....,.&r...p.o"....o#...($....+.Br...p(....(%........(.....0..J........-:.-..{.....,/&.,&..-&..(&

C:\Program Files\CodeTwo\CodeTwo Active Directory Photos\ER.Shared.Html.2.dll

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	55576
Entropy (8bit):	5.764322766423051
Encrypted:	false
SSDEEP:	1536:Ae92sY4pn+V3SugaaD8IakCTKv6gWbFaf:AArugaaSkC+SgWbFaf
MD5:	1EB87636A43D08800290D8AB8744FDEB
SHA1:	4D7F9BB898B1B368233298FDCEB6F2A0F7728B63
SHA-256:	6A3EE94DA8A98C2FF8A05601C3E2CF6D702A59021857058C984190F021E41A23
SHA-512:	6B6B4D4B97F8052FF9C6E1D9ED2927B3CE7CCA2FCCF0CD9582E47DA47E518905758E319A8ECC7481B7AC06511CA352384936FC0760295A7912307DD98A177B7C
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L..... \...........!................5.... ........@.. .......................@............@.....................................J............................ ......h................................................ ............... ..H............text...;.... ...................... ..`.rsrc...............................@..@.reloc....... ......................@..B........................H............]............................................................{......{......{......(......}.....s....}.....s....}........0..N........,6.{....sr....-,&..-&.-...ov...}......}......oq....-.&&.-..+.ot...+.(....+....0...........-..o.....:....&8.....-c..(.....:....&.u....,O.u.....-w&.o....,W.{....-..{.....o.....-]&&.,.+..{.....o.....-N&&..o.....-I&&+..(6...,...}.....{....o......(....:r....,..2.8x....8....o....+.o....+.(....+.........o.....,...8/.................

C:\Program Files\CodeTwo\CodeTwo Active Directory Photos\ER.Shared.MessageComposition.Lib.dll

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	1356056
Entropy (8bit):	6.749366950173903
Encrypted:	false
SSDEEP:	24576:Qj5kTQgo0p4zsxIoAWAQrojx3ov5cwf0wV9:vJKwIoAWKob59
MD5:	923F8F8F7A4A8A296D2CF3494DB5787E
SHA1:	7B6A6D78125C8AA7E2FB597AA6D0ACD88AEE92B3
SHA-256:	3705B47A302AFE22823522E4A48FFCEECDD1F3B15A6D1A04C0048720020F5260
SHA-512:	9DD698F135D193BD99AEE20F0C6951711CC02886F9A4EF72339960AE8BB48C5643975639F02A104399797D91291E7ECBE4749D7D0CC4CC69A303E1C6448EE7B8
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L.... \...........!.................... ........@.. ....................................@.....................................J.......r............................................................................ ............... ..H............text....... ...................... ..`.rsrc...r...........................@..@.reloc..............................@..B........................H........p..l...............3...........................................0..J........-:.-..{.....,/&.,&..-&..(u...t/....-.&.\|......(...+.-.&..3..+..+..+..+....0..J........-:.-..{.....,/&.,&..-&..(w...t/....-.&.\|......(...+.-.&..3..+..+..+..+....0..\|........s....}......}.....(x.....(.....(......{....s....}.....{.....oy....(......&...{...........sz...o{....{...........s\|...o}.........B..J......2.{....o~......R.{......-.&&o....+......{....R.{......-.&&*o....+....N.s.....

C:\Program Files\CodeTwo\CodeTwo Active Directory Photos\ER.Shared.Placeholders.2.dll

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	30488
Entropy (8bit):	5.731652742599372
Encrypted:	false
SSDEEP:	384:GjWN2ANYA0c5MXy2iir8S3k3RndCSYPbghnMDNg3laGiYvXMdpNvWhpdFud5GP5m:GjAVYA0ilHiHCrYM2DNwaGxXupNM4G0
MD5:	65C3D83E93BF993B5030162E6567F499
SHA1:	E846941C872AA7BC43841715D7097074B89A1229
SHA-256:	50BEFBC170A5BBADDBD748519E0887CDF0D2859356AD8D989A13D4EE5583A83E
SHA-512:	6747F54E1B5E88E59215D7E89DF673346163EBFA20CB6D904344644A542EC94CB7135A06691BFBB7F56B143C659F21556030F9170F0D12C0FB3BCD6A7FB58A42
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L..... \.........." ..0..`..........Z~... ........... ....................................`..................................~..O.......4............j...............\|............................................... ............... ..H............text...`^... ...`.................. ..`.rsrc...4............b..............@..@.reloc...............h..............@..B................<~......H........+...N..........hz..h............................................r...p.s...."..5.......(....:.(......(......{...."..}.....r%..p.s......{...."..}.....rO..p.s........(......{...."..}......0..Z........{.....0.rw..p.o....r{..p(......-...%.rw..p.%..o.....%.r...p.%..\|....(.....%.r{..p.(......{...."..}....zs....%.( ...o!...%.(....o.....r...p..~ ...}.....(!...o"...}.....(.....(#...}.....(!...o"...}......{...."..}.....0...........{....($......&(!...

C:\Program Files\CodeTwo\CodeTwo Active Directory Photos\ER.Shared.RulesProcessor.2.dll

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	136472
Entropy (8bit):	6.092549311331142
Encrypted:	false
SSDEEP:	3072:un636pbdCWFeDX+P1YksCt0KHpTLZDF2+jepQ:86Kpbd5YCP1Yk3t0GrjeO
MD5:	0936FD6A6D144B7B93D34C0A5E5B4A7E
SHA1:	0D7C9B8D8339B2F59D8133A43778909679536994
SHA-256:	3B362CD97D93A37E70762183FAF42BCFF4E2E2B104FBDA95FA87F3A66C531CD3
SHA-512:	8BA849EC81BD98FAD9CEAFF15F52BCF31E41A1EFFCDC5CA487B15E293A011011722E6A28895C86E5FEDF8E4E3154019AA24757974DE9E780C773C19E011110E9
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L.... \...........!................[.... ... ....@.. .......................`.......s....@.....................................J.... ..:....................@....................................................... ............... ..H............text...a.... ...................... ..`.rsrc...:.... ......................@..@.reloc.......@......................@..B................A.......H.......`....................?..........................................J.s....}.....( .....0............9....&.{.......o!...-ys.....9....&..o"....9....&&.-..o....-..-m..o#....:....&.o....-%.-6..,...r...p.9....&&..o.....9....&&.{......o$....o.....o....-..-...,...r...po%.....o....-..,...r...p.o.......(&...('...o%....o.....o#...o.....8.....8,...o....81....8H...o%...8\...o....8a.....{...."..}.........{...."..}.........{...."..}.......r.( .....(......(......(.......

C:\Program Files\CodeTwo\CodeTwo Active Directory Photos\ER.Shared.Settings.2.dll

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	48920
Entropy (8bit):	5.898661223175348
Encrypted:	false
SSDEEP:	768:DnicCCpU0kzBCTyZLF65mn1o9/37bZZ3aLd4qPAPkuBahlauyjM8RheGFL:WjzBCGT8SoV3xILSqIPUhlauKRh7L
MD5:	98DE435E6E2A8CE06470570743EEC1A1
SHA1:	521C6FBBEAA8CF92D6C80B7B32FB107AF0772A47
SHA-256:	478086E4F11CA511F640BE2E81662B06B1C623E7139FB55BC48FA48D8D662FB9
SHA-512:	1A77D97EAAC54A5C051AD9614EE41777492843282A9EC75F1260D859CEDBB52A9AFA1B0F006FB87CD14EE09D513CC8FB5261EED333E486F910A427F64ED0C9AC
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L..... \.........." ..0.................. ........... ....................... ......Ia....`.....................................O...................................\................................................ ............... ..H............text........ ...................... ..`.rsrc...............................@..@.reloc..............................@..B........................H.......@E...{..........,...0...........................................f.s....}.....(......}....F..(....-...(....6.{.....o....N........s ...(!...^("....o#....o#...o$.....{......{.......0..z........(.....+..o%.....o#.....(&...-....U.o'...-....,..o(.....{....o)....+...(....o(.......,........(+...-...........o(................&-........C.%h......2.(,..........(-.......0..I........(-......D...%.s...(....o/......+ ...o0.....,..o1....1...(2.....X....i2."..(3......0..

C:\Program Files\CodeTwo\CodeTwo Active Directory Photos\TXTextControl.dll

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	348160
Entropy (8bit):	5.950648002504901
Encrypted:	false
SSDEEP:	6144:tRf67MjJ0dZc5ORfTRYDQ86iltEdW3izrC:tRfqMjJ+FRfT2HiW3i
MD5:	680BB537BA340E2790541C7B58021BBD
SHA1:	8B024C3B88AD508953F383FB301FCFF445BEB4FB
SHA-256:	22415CD8B40009C879E2030A178DBBC4A107B487B32CEBE3CA540A03733BB0DD
SHA-512:	5C8FA2E5312E3D6219C07E81C3470CF09DE14F743EB5E63ED19118001F143F26426375F0C9F079130DD4F94642FDABC3B63395AE6F22EABCBA80F9A16F22BA79
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......K...........!..... ... .......3... ...@....... ....................................@..................................2..K....@.......................`....................................................... ............... ..H............text...$.... ... .................. ..`.rsrc........@.......0..............@..@.reloc.......`.......@..............@..B........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Program Files\CodeTwo\CodeTwo Active Directory Photos\tx151.dll

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	1048576
Entropy (8bit):	6.19966333709581
Encrypted:	false
SSDEEP:	24576:gG9xcA4U6OsPbkGLAl9gS8/yPNLA1k31lZ9F7TFSQIc9:gG9xci6OsPIG8rgry/3fjF/cQ/
MD5:	BDDE025F9C20E701C4ADFC7BD1B486E4
SHA1:	79D15C7030D56167A81ED2CA90CE2FC7EDFFB99E
SHA-256:	A706898017D1C0744E0CCE10744455E75766E181362B5AACF319A4A2AB663652
SHA-512:	CE46996CBEEEE9E44328F1DD48EC0CF0387BF2913B0644FBB07607960C8CB961B1354280D8C5E2200555BB7ACB7D0461E9A78DB0527AAD29DACCB687140115FA
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$..................s.....s.....(....(.....~....s.Q....s....s.....s...Rich..........................PE..d.....bL.........." .........$.......$.......................................@......dF...............................................o.. ....G.......P..`....................0..........................................................x............................text...Z........................... ..`.rdata..0...........................@..@.data...p8.......&...`..............@....pdata..............................@..@.rsrc...`....P......................@..@.reloc.......0......................@..B........................................................................................................................................................................................................................................................

C:\Program Files\CodeTwo\CodeTwo Active Directory Photos\tx151rtf.dll

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	1035776
Entropy (8bit):	6.188949511263623
Encrypted:	false
SSDEEP:	12288:XVEgJFyjXZZKvvtg79USNZQIUditl1L9BTNn9WS5+i3/2G7J/0kbCLrvLSRz1I:XVLFyjXWlg1QIUd5s+1G76HLrvLSR
MD5:	40CC174FF9A069BE60BF4670D365C6BD
SHA1:	5B37A303F804EC11BCC88E068075EF551A679F23
SHA-256:	54F7CC1E03D63C74ED0373EC814628211D47D8DA2F4D194599B355035F65D5E0
SHA-512:	E980DEB5AE7AC13054BC2EA42455AC45227E2CF7E99DAE88A495A4E83135E7300F6A185272288FCD2EF86E0792C27735DCB568D1B7E9F4EFF88EE70DE6272772
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.....................P.....P..........................P.....P.....P.....P.....Rich....................PE..d....DQL.........." ................@........................................ .........................................................u...<...d............0..................X.......................................................x............................text............................... ..`.rdata..e...........................@..@.data... ~.......\..................@....pdata.......0......................@..@.rsrc...............................@..@.reloc..............................@..B................................................................................................................................................................................................................................................................

C:\Program Files\CodeTwo\CodeTwo Active Directory Photos\tx151tls.dll

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	328192
Entropy (8bit):	6.147477767704157
Encrypted:	false
SSDEEP:	6144:6kgRUYwAwzo4p93/gHtuP9xxpCh8lphEM9GP+XVlQ/fTnW5h8ZOjRDHOe:6kqU1atuvHttQnTch8b
MD5:	D2E83C2F32447A19553C3CAE6A179C46
SHA1:	27188BB508BECB60BAE6424DEEBD6C09A06FF6EB
SHA-256:	455E9872DB6CA8AEC0EC39FFEF26604CA121B7A5CADE2B2C42E97042E197D22E
SHA-512:	763AC73D8793774BB90E77B63236781FFE4F78456C0E3643E6C75DA84042D419A6DB7C9E91B60DB94BCE402DC8EE8D3932DCA59B8D43A82DA0DF55CA503B852E
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......C..,.q...q...q.. ....q.. ...Iq..q....q...q...q.. ...Bq.. ....q.. ....q.. ....q..Rich.q..........PE..d...o..K.........." .........D......p........................................@.........................................................o...\|v..d.......h........:...........0..X....................................................................................text............................... ..`.rdata..?...........................@..@.data....0....... ...~..............@....pdata...:.......<..................@..@.rsrc...h........ ..................@..@.reloc..~....0......................@..B................................................................................................................................................................................................................................................................................

C:\ProgramData\MSI Cache\{C1FB6A80-5028-4922-AF16-C3A9EC1C5379}\C2ADPhotosSetupENx64.msi

Download File

Process:	C:\Users\user\Desktop\C2ADPhotosSetupEN.exe
File Type:	Composite Document File V2 Document, Little Endian, Os: Windows, Version 6.2, MSI Installer, Code page: 1252, Title: Installation Database, Subject: CodeTwo Active Directory Photos, Author: CodeTwo, Keywords: Installer, Comments: (c) 2020 CodeTwo. All rights reserved., Template: x64;1033, Revision Number: {85D5E36E-A38F-44FA-B9D7-04B56ACDA73E}, Create Time/Date: Tue Jan 5 13:46:22 2021, Last Saved Time/Date: Tue Jan 5 13:46:22 2021, Number of Pages: 300, Number of Words: 2, Name of Creating Application: Windows Installer XML Toolset (3.11.0.1701), Security: 2
Category:	dropped
Size (bytes):	7925760
Entropy (8bit):	7.555559749477411
Encrypted:	false
SSDEEP:	196608:EGx5D0SRosIfC9qzmILB4uXtx0Tc2bhid7:EGx1rr9qzmIl6S7
MD5:	F921051C82D6695B6303B247BCF4F7F0
SHA1:	3C8366272AD9DE7D33D140B254ADD3D0DB28E732
SHA-256:	1967FD37FA1B14D601FC78BBA20F3B177B264E0C45EA8A828D74CC43A2D3103A
SHA-512:	EEDB2DEFF2979F13B2D8AA020D483480EFFFE645B26E6B780445A718DFA7385BF66ACDC2154506C48E91B06249D1A44DDD722498BA5020E6C2F3151D74745019
Malicious:	false
Preview:	......................>...............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\Microsoft\Windows\Start Menu\Programs\CodeTwo\CodeTwo Active Directory Photos\CodeTwo Active Directory Photos.lnk

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	MS Windows shortcut, Item id list present, Points to a file or directory, Has Description string, Has Relative path, Archive, ctime=Tue Jan 5 17:46:20 2021, mtime=Fri Oct 25 13:35:47 2024, atime=Tue Jan 5 17:46:20 2021, length=2016008, window=hide
Category:	dropped
Size (bytes):	1338
Entropy (8bit):	4.539272104968289
Encrypted:	false
SSDEEP:	24:8HxoT0d5RvrMVvgYMTXFATofEfsWlEfsWMdwTYJf2yfm:8HxoIdzvrYvxroE9E0das
MD5:	FC9D9614A0A2645A5BE6BC58859250F2
SHA1:	7017CA97685A65193B5CD883DF5E5519ACE5982A
SHA-256:	FE2366453901B8C24B63329112CF43DF96E6EC022FAD30B55BE916AA51EFBD72
SHA-512:	571C57DA61916355D3217E8080C6555647B386AADB119B8655D879CC27E2705D8610339B1E76A689A397E711E24F5A3BDC4CA12232E9B7FDBE572857907BF9C5
Malicious:	false
Preview:	L..................F.... ....&.......?..&...&..............................-....P.O. .:i.....+00.../C:\.....................1.....YYxt..PROGRA~1..t......O.IYYxt....B...............J.......P.r.o.g.r.a.m. .F.i.l.e.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.1.....V.1.....YYxt..CodeTwo.@......YYxtYYxt............................C.o.d.e.T.w.o.......1.....YYxt..CODETW~1..p......YYxtYYxt..........................NeU.C.o.d.e.T.w.o. .A.c.t.i.v.e. .D.i.r.e.c.t.o.r.y. .P.h.o.t.o.s.......2.....%R. .CODETW~1.EXE..x......%R.YYxt..............................C.o.d.e.T.w.o. .A.c.t.i.v.e. .D.i.r.e.c.t.o.r.y. .P.h.o.t.o.s...e.x.e.......................-...................%._......C:\Program Files\CodeTwo\CodeTwo Active Directory Photos\CodeTwo Active Directory Photos.exe....C.o.d.e.T.w.o. .A.c.t.i.v.e. .D.i.r.e.c.t.o.r.y. .P.h.o.t.o.s.n.....\.....\.....\.....\.....\.....\.....\.P.r.o.g.r.a.m. .F.i.l.e.s.\.C.o.d.e.T.w.o.\.C.o.d.e.T.w.o. .A.c.t.i.v.e. .D.i.r.e.c.t.o.r.y. .P.h.o.t.o.s.\.C.o.d.e.T.

C:\ProgramData\Microsoft\Windows\Start Menu\Programs\CodeTwo\CodeTwo Active Directory Photos\Go to program home page.lnk

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	MS Windows shortcut, Item id list present, Points to a file or directory, Has Description string, Has Relative path, Icon number=0, Archive, ctime=Mon Jan 4 13:39:22 2021, mtime=Fri Oct 25 13:35:47 2024, atime=Mon Jan 4 13:39:22 2021, length=90, window=hide
Category:	dropped
Size (bytes):	2258
Entropy (8bit):	3.638582495301406
Encrypted:	false
SSDEEP:	48:8AoIdzvrYvxKvS1g0gnKEiwdf5nJeS3SCOWnz:87tm5dOW
MD5:	7BBA90F76C26C8F2D427B99CD9C12ABE
SHA1:	371DC3C3216A3ED0BFDA89483851DEBBEFBB7721
SHA-256:	2D25AB0996C13DE6494AE340BF39B0428ACDA7115B1C47B5B4700834DDCC1DDF
SHA-512:	AFD3B664F9B22CC45BD283BF55BD081B1096913D9042BA876D0C6894D846FE70472787DF3B3936735A8DE89D15AE8155FE073D32ADDDAB52E8604ED169BB6F5E
Malicious:	false
Preview:	L..................F.@.. ......d.....@=..&.....d....Z.......................M....P.O. .:i.....+00.../C:\.....................1.....YYxt..PROGRA~1..t......O.IYYxt....B...............J.......P.r.o.g.r.a.m. .F.i.l.e.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.1.....V.1.....YYxt..CodeTwo.@......YYxtYYxt............................C.o.d.e.T.w.o.......1.....YYxt..CODETW~1..p......YYxtYYxt............................W.C.o.d.e.T.w.o. .A.c.t.i.v.e. .D.i.r.e.c.t.o.r.y. .P.h.o.t.o.s.....N.1.....YYxt..Data..:......YYxtYYxt............................r.D.a.t.a.....f.2.Z...$R.t .HomePage.url..J......$R.tYYxt..............................H.o.m.e.P.a.g.e...u.r.l.......y...............-.......x...........%._......C:\Program Files\CodeTwo\CodeTwo Active Directory Photos\Data\HomePage.url..).C.o.d.e.T.w.o. .A.c.t.i.v.e. .D.i.r.e.c.t.o.r.y. .P.h.o.t.o.s. .h.o.m.e. .p.a.g.e.\.....\.....\.....\.....\.....\.....\.....\.P.r.o.g.r.a.m. .F.i.l.e.s.\.C.o.d.e.T.w.o.\.C.o.d.e.T.w.o. .A.c.t.i.v.e. .D.i.r.e.c.

C:\ProgramData\Microsoft\Windows\Start Menu\Programs\CodeTwo\CodeTwo Active Directory Photos\User's manual.lnk

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	MS Windows shortcut, Item id list present, Points to a file or directory, Has Description string, Has Relative path, Icon number=0, Archive, ctime=Mon Jan 4 13:39:22 2021, mtime=Fri Oct 25 13:35:47 2024, atime=Mon Jan 4 13:39:22 2021, length=101, window=hide
Category:	dropped
Size (bytes):	2233
Entropy (8bit):	3.6554805321256905
Encrypted:	false
SSDEEP:	48:8UJoIdzvrYvxbvS145uZpEJdE5nJeS3SCOWnf:81ovf5dOW
MD5:	1542C0793B3D38644644A7B855D83D4E
SHA1:	CC68641C598BBF997A7EEA2F17B3AA208B0A4B62
SHA-256:	96B7C561795C334EC1457E7A27202692E53030A76272CB9EBF4C08B03887E18A
SHA-512:	A8AF88A4A0C502602469C9B548E50F2C1F631D75E783C092BF796BB6516E02BBE517180528243F660BD36D0FC8A717FA470202565AFDFFDD85C8DF4DD2681CDD
Malicious:	false
Preview:	L..................F.@.. ......d....N,I..&.....d....e.......................W....P.O. .:i.....+00.../C:\.....................1.....YYxt..PROGRA~1..t......O.IYYxt....B...............J.......P.r.o.g.r.a.m. .F.i.l.e.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.1.....V.1.....YYxt..CodeTwo.@......YYxtYYxt............................C.o.d.e.T.w.o.......1.....YYxt..CODETW~1..p......YYxtYYxt..........................NeU.C.o.d.e.T.w.o. .A.c.t.i.v.e. .D.i.r.e.c.t.o.r.y. .P.h.o.t.o.s.....N.1.....YYxt..Data..:......YYxtYYxt..........................;.f.D.a.t.a.....p.2.e...$R.t .USER'S~1.URL..T......$R.tYYxt..............................U.s.e.r.'.s. .m.a.n.u.a.l...u.r.l.......~...............-.......}...........%._......C:\Program Files\CodeTwo\CodeTwo Active Directory Photos\Data\User's manual.url....G.o. .t.o. .U.s.e.r. .G.u.i.d.e.a.....\.....\.....\.....\.....\.....\.....\.P.r.o.g.r.a.m. .F.i.l.e.s.\.C.o.d.e.T.w.o.\.C.o.d.e.T.w.o. .A.c.t.i.v.e. .D.i.r.e.c.t.o.r.y. .P.h.o.t.o.s.\.D.a.t.a.\.U

C:\Users\user\AppData\Local\CodeTwo\AD Photos\Cache\items.xml

Download File

Process:	C:\Program Files\CodeTwo\CodeTwo Active Directory Photos\CodeTwo Active Directory Photos.exe
File Type:	XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with no line terminators
Category:	dropped
Size (bytes):	154
Entropy (8bit):	5.073092818642659
Encrypted:	false
SSDEEP:	3:JLWMNHU8LdgCJEaAs5SRdxiJS4RKbuviyiFdyvDmJS4cR52On:JiMVBdvAfNic4subin4mc4cKO
MD5:	E5283749F663531FA1BA55EFE9504E86
SHA1:	545F5604907CE20D13570BEA7EE7EDBCBC3FAD27
SHA-256:	BE283CEB10397D91744AEF95AAD260C8ED64F7068AFB591986AD59B5ADA3C3C3
SHA-512:	EC8AF599422EF727F67BB714588B889226BFF0555C300603E0757BD2F8B9378D5F35FFAA075F49A74BA174443FCEF0295894569328587A0478C340D38EA7C19F
Malicious:	false
Preview:	.<?xml version="1.0" encoding="utf-8"?><PhotosCacheItemsCollection xmlns:i="http://www.w3.org/2001/XMLSchema-instance" xmlns="http://www.codetwo.com" />

C:\Users\user\AppData\Local\CodeTwo\AD Photos\Logs\2024.10.25_00001.txt

Download File

Process:	C:\Program Files\CodeTwo\CodeTwo Active Directory Photos\CodeTwo Active Directory Photos.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	977
Entropy (8bit):	4.618916705288183
Encrypted:	false
SSDEEP:	24:uojSvwApm+xDE6r0poawoHc9fLCa6l5onc1mC0P3HA:D9mrxv0lVc99hPw
MD5:	75FE33C85F4ED2C8E3BAC0B993FA3BC4
SHA1:	16ED3829D9A6C860D5BD75260F4733858E517AA3
SHA-256:	190057164A96FD9E84783BC9DBD19B190ED588A54014D4892A7CBC828087E4F8
SHA-512:	4141F18F8277E0F053065EA1FA6124A22251BD323D2AD81E367C802EC5A866E8EBA2DCDA1D4945C10E1DF4E9DA00425A473D6E6FCC1B5D46A08C23D054184ED6
Malicious:	false
Preview:	#------------------------------------------------------------------------..#..# CodeTwo AD Photos 1.4.0.0 Log file..#..#------------------------------------------------------------------------..2024.10.25 10:35:55 0001 Error: Failed to connect to Active Directory. Make sure your computer is added to an Active Directory domain. System.DirectoryServices.ActiveDirectory.ActiveDirectoryOperationException: Current security context is not associated with an Active Directory domain or forest... at System.DirectoryServices.ActiveDirectory.DirectoryContext.GetLoggedOnDomain().. at System.DirectoryServices.ActiveDirectory.DirectoryContext.IsContextValid(DirectoryContext context, DirectoryContextType contextType).. at System.DirectoryServices.ActiveDirectory.DirectoryContext.isRootDomain().. at System.DirectoryServices.ActiveDirectory.Forest.GetForest(DirectoryContext context).. at C2ADPhotos.GUI.CMainWindow.#YYd(Object #de, EventArgs #ee)..

C:\Users\user\AppData\Local\CodeTwo\AD Photos\Settings\settings.xml

Download File

Process:	C:\Program Files\CodeTwo\CodeTwo Active Directory Photos\CodeTwo Active Directory Photos.exe
File Type:	XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with very long lines (2257), with no line terminators
Category:	dropped
Size (bytes):	2260
Entropy (8bit):	5.093303478118271
Encrypted:	false
SSDEEP:	48:3TMiwk68e5sWuWSYne5sWuWGicOBPOBQrOBxOBPO4jP1a:IiwkxaLnakNOBPOB4OBxOBPO4D1a
MD5:	789E83387FB350BC1299926726F17870
SHA1:	BFE54EEDB71BA4DD2CFB595D8C32F5651F613B31
SHA-256:	E947396D67C9D74FD2669F20AD54C1B0D4D6B38D8293105D73558D8BB55F25DF
SHA-512:	65DEAF4075890A7D1A7202BB613FF33CD0C481658292B67E3AD8CED2B47E5342B03207376B10DB368D566758D50D32DA324C7A4B577BAC7DEDB68512F734AC60
Malicious:	false
Preview:	.<?xml version="1.0" encoding="utf-8"?><Settings xmlns:i="http://www.w3.org/2001/XMLSchema-instance" xmlns="http://www.codetwo.com"><Settings xmlns:d2p1="http://schemas.microsoft.com/2003/10/Serialization/Arrays"><d2p1:anyType i:type="FiltersCollection" /><d2p1:anyType i:type="CContainerSelectHierarchySettings"><Hierarchy /></d2p1:anyType><d2p1:anyType i:type="Transport"><ExportPath>C:\Users\user\Pictures</ExportPath><ExportPattern><Content>{First name}_{Last name}</Content><Placeholders><Placeholder i:type="PlaceholderSenderProperty"><ID>0</ID><Formatting>DoNotChange</Formatting><PropertyName>First name</PropertyName></Placeholder><Placeholder i:type="PlaceholderSenderProperty"><ID>0</ID><Formatting>DoNotChange</Formatting><PropertyName>Last name</PropertyName></Placeholder></Placeholders></ExportPattern><ExportTransfer>OnlySelected</ExportTransfer><ImportPath>C:\Users\user\Pictures</ImportPath><ImportPattern><Content>{First name}_{Last name}</Content><Placeholders><Placeholder

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\CodeTwo Active Directory Photos.exe.log

Download File

Process:	C:\Program Files\CodeTwo\CodeTwo Active Directory Photos\CodeTwo Active Directory Photos.exe
File Type:	CSV text
Category:	dropped
Size (bytes):	3340
Entropy (8bit):	5.356953779821911
Encrypted:	false
SSDEEP:	96:iq+wmj0qCYqGSI6ou/fmOYqSqtzHeqKkxi0JqTmqYGqZ4UqqX:iq+wmj0qCYqGcn/uHqXtzHeqKkxi0JqW
MD5:	64AAEC71CAF0F79C3FEB2439F2F92736
SHA1:	846F7215194EB81ECB67CE629027A10BFE465D3C
SHA-256:	B02B633DB61F003025CAE887B89C8E367EDE606F08EFD3AB41EFB4BE9BAF1D66
SHA-512:	24FDF648636142B15C26E13630C1777807B5417EADE71C54C6AB8C7C58B26C063C26B3312B4F99B2EA2500216FC67602235C6FA8EDFCA47BB941D310B68819AD
Malicious:	false
Preview:	1,"fusion","GAC",0..1,"WinRT","NotApp",1..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System\b187b7f31cee3e87b56c8edca55324e0\System.ni.dll",0..3,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Drawing\567ff6b0de7f9dcd8111001e94ab7cf6\System.Drawing.ni.dll",0..3,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Windows.Forms\2a7fffeef3976b2a6f273db66b1f0107\System.Windows.Forms.ni.dll",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Core\31326613607f69254f3284ec964796c8\System.Core.ni.dll",0..3,"WindowsBase, Version=4.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35","C:\Windows\assembly\NativeImages_v4.0.30319_64\WindowsBas

C:\Users\user\AppData\Local\Temp\CodeTwo Applications Temporary Settings\faa7d046-c44d-490b-a4c4-4530272bb092

Download File

Process:	C:\Program Files\CodeTwo\CodeTwo Active Directory Photos\CodeTwo Active Directory Photos.exe
File Type:	data
Category:	dropped
Size (bytes):	1187
Entropy (8bit):	5.457430466319189
Encrypted:	false
SSDEEP:	24:ZK3MBYE40E44wUK+xMBYE40K+xMBYE4bbhS4OE1qE4+ME43+HPQ3+UneUFJU:ZCWYH0H4tvWYH0vWYHbbXl1qH+MH2c+x
MD5:	A6129431F10D1280D1C4A4DBD84F2B49
SHA1:	07AA02F441B530DAB1B81DA0ADBB28F125E0EFBC
SHA-256:	2F686E1A54532DB9D10EDB372ED0AE0DCB2B256EDAD1580941AA9F21E320AE20
SHA-512:	7F29374177C55FBD4F05D2E7CC1122663732ADD9AFD1A2707AB7DBB9FEA96C42DF9860D867EF4F61320A9AFFBCDB49C123EF8747635056DF1B33EB17679E8EB9
Malicious:	false
Preview:	........................System.Collections.Generic.Dictionary`2[[System.String, mscorlib, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089],[System.Object, mscorlib, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089]].....Version.Comparer.HashSize......System.Collections.Generic.GenericEqualityComparer`1[[System.String, mscorlib, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089]].....................System.Collections.Generic.GenericEqualityComparer`1[[System.String, mscorlib, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089]]...........................AC2.Common, Version=4.51.0.0, Culture=neutral, PublicKeyToken=null.....QSystem.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a.....WSystem.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089..... C2Common.CPersistWindowStateInfo.....<Bounds>k__BackingField.<WindowState>k__BackingField...System.Drawing.Rectangle....$S

C:\Users\user\AppData\Local\Temp\MSI9BE.tmp

Download File

Process:	C:\Users\user\Desktop\C2ADPhotosSetupEN.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	107008
Entropy (8bit):	6.5209930454984955
Encrypted:	false
SSDEEP:	1536:toaJaEnqCHTMMYrPlF6iztKyOuEG/n4R44NCUIsWK6cd48JpPpxBAAH:CaJvTKlkihKyOeGNbb48rPpxBAAH
MD5:	F54BFFE4D54C0B794C5389BD2C7BAAC2
SHA1:	C472C6A4BD6510B02244D53819EF07882BC101E0
SHA-256:	3C06F5BECA24D0EDAEB63BDD5E671386FFC66807E323BA6BCB893260EB52D433
SHA-512:	A722D4770D605D489C14FDE532CACD031B11467041C5FF304C4C63A95EFC21896996CC6EEEF45BC462F7C72361763885F763ED732B75436E4BD191EEED829441
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........>8.._V.._V.._V.I..._V.I..._V.I..._V.n?U.._V.n?R.._V.n?S.._V..'.._V.._W.8_V.D>S.._V.D>V.._V.D>..._V.._..._V.D>T.._V.Rich._V.................PE..L....G.Y...........!.................5....... ............................................@......................... ...\...\|...........x...............................T...........................8...@............ ..(............................text...[........................... ..`.rdata...t... ...v..................@..@.data...X"..........................@....rsrc...x...........................@..@.reloc..............................@..B........................................................................................................................................................................................................................................................................................

C:\Windows\Installer\431a48.msi

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	Composite Document File V2 Document, Little Endian, Os: Windows, Version 6.2, MSI Installer, Code page: 1252, Title: Installation Database, Subject: CodeTwo Active Directory Photos, Author: CodeTwo, Keywords: Installer, Comments: (c) 2020 CodeTwo. All rights reserved., Template: x64;1033, Revision Number: {85D5E36E-A38F-44FA-B9D7-04B56ACDA73E}, Create Time/Date: Tue Jan 5 13:46:22 2021, Last Saved Time/Date: Tue Jan 5 13:46:22 2021, Number of Pages: 300, Number of Words: 2, Name of Creating Application: Windows Installer XML Toolset (3.11.0.1701), Security: 2
Category:	dropped
Size (bytes):	7925760
Entropy (8bit):	7.555559749477411
Encrypted:	false
SSDEEP:	196608:EGx5D0SRosIfC9qzmILB4uXtx0Tc2bhid7:EGx1rr9qzmIl6S7
MD5:	F921051C82D6695B6303B247BCF4F7F0
SHA1:	3C8366272AD9DE7D33D140B254ADD3D0DB28E732
SHA-256:	1967FD37FA1B14D601FC78BBA20F3B177B264E0C45EA8A828D74CC43A2D3103A
SHA-512:	EEDB2DEFF2979F13B2D8AA020D483480EFFFE645B26E6B780445A718DFA7385BF66ACDC2154506C48E91B06249D1A44DDD722498BA5020E6C2F3151D74745019
Malicious:	false
Preview:	......................>...............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Windows\Installer\431a4a.msi

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	Composite Document File V2 Document, Little Endian, Os: Windows, Version 6.2, MSI Installer, Code page: 1252, Title: Installation Database, Subject: CodeTwo Active Directory Photos, Author: CodeTwo, Keywords: Installer, Comments: (c) 2020 CodeTwo. All rights reserved., Template: x64;1033, Revision Number: {85D5E36E-A38F-44FA-B9D7-04B56ACDA73E}, Create Time/Date: Tue Jan 5 13:46:22 2021, Last Saved Time/Date: Tue Jan 5 13:46:22 2021, Number of Pages: 300, Number of Words: 2, Name of Creating Application: Windows Installer XML Toolset (3.11.0.1701), Security: 2
Category:	dropped
Size (bytes):	7925760
Entropy (8bit):	7.555559749477411
Encrypted:	false
SSDEEP:	196608:EGx5D0SRosIfC9qzmILB4uXtx0Tc2bhid7:EGx1rr9qzmIl6S7
MD5:	F921051C82D6695B6303B247BCF4F7F0
SHA1:	3C8366272AD9DE7D33D140B254ADD3D0DB28E732
SHA-256:	1967FD37FA1B14D601FC78BBA20F3B177B264E0C45EA8A828D74CC43A2D3103A
SHA-512:	EEDB2DEFF2979F13B2D8AA020D483480EFFFE645B26E6B780445A718DFA7385BF66ACDC2154506C48E91B06249D1A44DDD722498BA5020E6C2F3151D74745019
Malicious:	false
Preview:	......................>...............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Windows\Installer\MSI1E11.tmp

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	2145048
Entropy (8bit):	6.5759673812734025
Encrypted:	false
SSDEEP:	49152:uZMgW+RFuXwIgAwir9Bnjx0Tqi8yK1B/2bhi0dnNx:uCb+buXnvZrzjx0TqiHKb/2bhiQr
MD5:	BBC21A151258F16AADBECC35D2B98105
SHA1:	BC3912A5676DA837D56FF76D07C33BFA7301CF27
SHA-256:	288F11604122D6E2A1FDC86F9B0062E43E01D7D9685375259A0119B573CA9D7A
SHA-512:	9C02FF991CDF74268C82B0B5663D50B939AE4530D206E9CC2A2C9B9D60CCB20A6DFD8EF373FECF9D1B5393113C0800C9813A8D00AD31BC16CF7F3F0B6A73AEBE
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...................................0...........!..L.!This program cannot be run in DOS mode....$...........Q.o.Q.o.Q.o.....I.o......o.....L.o..j.S.o.X...P.o.X...Z.o.j.l.F.o.j.k.@.o.j.j...o...j.A.o.X...v.o.Q.n.j.o...f.T.o...o.P.o....P.o.Q...P.o...m.P.o.RichQ.o.................PE..L......[...........!.....6..........2j.......P...............................`!.....Q.!.................................P.... ..\|.......H{............ ......p.......i..p...................lj.......j..@............P...............................text....5.......6.................. ..`.rdata.......P.......:..............@..@.data...0....`...Z...D..............@....gfids..p.... ......................@..@.giats...............@..............@..@.tls.................B..............@....rsrc...H{.......\|...D..............@..@.reloc.......p......................@..B................................................................................................................................

C:\Windows\Installer\MSI1EDD.tmp

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	data
Category:	dropped
Size (bytes):	199459
Entropy (8bit):	3.1035003228007834
Encrypted:	false
SSDEEP:	384:GvYWgXzjCRKVtLWWYPOVD6Wnt6U1KsfeZhS20H0IiszBpzm8aIttKDCKDBVsWWG:GCHCRaiPv2Y8e78icBBo
MD5:	78F864AA110CD579AFBF17E9BD25ED40
SHA1:	5C7DB1B259A03086394E0EF5188E65BFCF5E45A4
SHA-256:	596EE20CBE4ED6DA3C482FE40D8B796CB1D9ED8F332EAA38702C683E94D5973A
SHA-512:	3CCA1E7E0294DD6B78C422011A07E2BD8E319C9FC28C0BDB2929F23D77C3341250D82388604F3E3C32C9F128E3096767661979A0DA0B760C011D4E32A43A8A63
Malicious:	false
Preview:	...@IXOS.@.....@xTYY.@.....@.....@.....@.....@.....@......&.{A5C74DC7-9616-4A5E-846D-F56E256CF46F}..CodeTwo Active Directory Photos..C2ADPhotosSetupENx64.msi.@.....@.....@.....@......icon.ico..&.{85D5E36E-A38F-44FA-B9D7-04B56ACDA73E}.....@.....@.....@.....@.......@.....@.....@.......@......CodeTwo Active Directory Photos......Rollback..Rolling back action:..[1]..RollbackCleanup..Removing backup files..File: [1]...@.......@........ProcessComponents..Updating component registration.....@.....@.....@.]....&.{29BEB6C5-A856-4BEC-A3D8-BF723C93F800}>.21:\Software\CodeTwo\CodeTwo Active Directory Photos\installed.@.......@.....@.....@......&.{1EEAAF19-B2ED-4D58-AC09-0A4C7F3FFAE3}...@.......@.....@.....@......&.{C8E604A2-DD3D-420B-8F48-B55522237493}...@.......@.....@.....@......&.{7633E798-5746-49D5-96E9-8E0CC4681E90}...@.......@.....@.....@......&.{2D4F63DF-5AB0-42E8-95E8-09A39ED891CA}?.22:\Software\CodeTwo\CodeTwo Active Directory Photos\InstanceID.@.......@.....@.....@......&.{C11DFE56-311E-

C:\Windows\Installer\SourceHash{A5C74DC7-9616-4A5E-846D-F56E256CF46F}

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	Composite Document File V2 Document, Cannot read section info
Category:	dropped
Size (bytes):	20480
Entropy (8bit):	1.1688767389923598
Encrypted:	false
SSDEEP:	12:JSbX72Fjn26AGiLIlHVRpDh/7777777777777777777777777vDHFIWMXfHeMl0G:JrQI5nqWuHAF
MD5:	58B1358CE67F83C19AA29C78E81EA992
SHA1:	4F898DA63A87B7C654282FBC3F5DF8928CEC44C4
SHA-256:	FD18B255AB3269BB2D0D79967C94009E37DAC2052882A305E78537F5E9632B56
SHA-512:	8D5BCA9990228ACE07DF11AD9097F60F98219F766B7F012C676E3989BE8EE18CEF252F6A4EF63B21951E112CFA59269ED1C082596870475537AF5C1F955C428F
Malicious:	false
Preview:	......................>...............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Windows\Installer\inprogressinstallinfo.ipi

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	Composite Document File V2 Document, Cannot read section info
Category:	dropped
Size (bytes):	20480
Entropy (8bit):	1.5693393720993778
Encrypted:	false
SSDEEP:	48:S8PhquRc06WX4ynT5sYESi7QSoXdO2m9qnlxP4StXdxTQx:9hq1inTy7QznT4
MD5:	0B3E64C4ADBCDB049120DF8CD2F26993
SHA1:	054653BB088EC183AACF27D8531FAE57A81DD34C
SHA-256:	C0CE78B0BBED0A239046BC72E79332B5798BBD8DE08EFB106EC1DE8D320AE192
SHA-512:	922BCA1576E5484267F5FDBFB222668AC178D2ECB79D48A915263D3513C2A0AACF973EFE3CD7A5F3C9FBA2BDFC103DC02316E6887C7CCA9D913722628E217A20
Malicious:	false
Preview:	......................>...............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Windows\Installer\{A5C74DC7-9616-4A5E-846D-F56E256CF46F}\icon.ico

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	MS Windows icon resource - 9 icons, 16x16, 32 bits/pixel, 24x24, 32 bits/pixel
Category:	dropped
Size (bytes):	185439
Entropy (8bit):	2.657177100239092
Encrypted:	false
SSDEEP:	384:oPOVD6Wnt6U1KsfeZhS20H0IiszBpzm8aItY:oPv2Y8e78icBBu
MD5:	9500AE5294D8F000F4AA1A1F7620756B
SHA1:	EB1BB35C4F4B3E5142E55022E3BC10DCEAA320B3
SHA-256:	146BD6689CBFB474C7F4C6FE2C4F1EAECE56A803BB8988E16461E9630AD2A880
SHA-512:	59018FA51A4808683F8351EE51E22C7CD88AAE9CACB19661EB584E4999DBB05388C2C69EB0A6A613B0FD6374503272BB28BE0D475CA5F909302FE9CED227FF43
Malicious:	false
Preview:	............ .h............. ......... .... .........00.... ..%......@@.... .(B...D..``.... ............... .(...............(....#........ .i.......(....... ..... .........................999.999.999.999.999.999.999.999.888.888.CCC.@@@.777.999.999.999.999.999.===.>>>.>>>.>>>.>>>.>>>.III.................===.999.999.999.===.............................................}}}.777.999.999.>>>.................................XXX.kkk.........;;;.999.999.>>>.........333.666.555.HHH.........XXX.kkk.........>>>.999.999.>>>.........666.888.666.777.........................>>>.999.999.>>>.........555.III.hhh.ggg.ttt.....................>>>.999.999.>>>.........333.jjj.................rrr.999.........>>>.999.999.>>>.........555.DDD.................DDD.555.........>>>.999.999.>>>.........666.777.TTT.........TTT.777.666.........>>>.999.999.>>>.........666.777.WWW.........WWW.777.666.........>>>.999.999.>>>.........333.666.999.ppp.ppp.999.666.333.........>>>.999.999.>>>...................................

C:\Windows\Installer\{A5C74DC7-9616-4A5E-846D-F56E256CF46F}\ie.ico

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	MS Windows icon resource - 2 icons, 32x32, 16x16
Category:	dropped
Size (bytes):	3638
Entropy (8bit):	4.454564232045718
Encrypted:	false
SSDEEP:	48:bOta08t7E/gbN1pv6uVNkHyuZZRf6ZSMOta08t7E/gbN1pv6uznp2fVew:bOtJyg4DWH9PAZSMOtJyg4DNpXw
MD5:	47AC15648F4FDCCA30A9F0892692949E
SHA1:	0BB3D452CB9A44A50A2851746BFAB3D001716D08
SHA-256:	052715BED7B8C5AE19B2F3E61A93EA56A313D3027088585E4C8A6CC1ECA3AC9D
SHA-512:	1914BAB38944958A04366FF7439F62E1ED95FBAA0B0611C814F2BABA027AAECF8D56B0026D573EC0ED5B616275B2086BA358036B93AA18B4C66974104F766B7F
Malicious:	false
Preview:	...... ..........&...........h.......(... ...@..............................................................................................""".))).UUU.MMM.BBB.999..\|..PP........................3...f..........3...33..3f..3...3...3...f...f3..ff..f...f...f........3...f...................3...f..............f.........3...3.3.3.f.3...3...3...33..333.33f.33..33..33..3f..3f3.3ff.3f..3f..3f..3...3.3.3.f.3...3...3...3...3.3.3.f.3..3...3...3.3.3.f.3...3...3...f...f.3.f.f.f...f...f...f3..f33.f3f.f3..f3..f3..ff..ff3.fff.ff..ff..f...f.3.f.f.f...f...f...f...f.3.f..f...f...f...f.3.f...f................3...............33...f..3.......f...f3..3f..f...f...3....3...f...................3.f.f..................3...f...................3...f..........3...33..3f..3...3...3...f...f3..ff..f...f...f......3..f................3...f..................3...f...............3...f......3...33..3f..3...3...3...f...f3..ff..f...f...f........3...f...................3...f..............3...f.........ff..f.f.f....f

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	Unicode text, UTF-8 (with BOM) text, with CRLF line terminators
Category:	dropped
Size (bytes):	364484
Entropy (8bit):	5.365495024981363
Encrypted:	false
SSDEEP:	1536:6qELG7gK+RaOOp3LCCpfmLgYI66xgFF9Sq8K6MAS2OMUHl6Gin327D22A26Kgau7:zTtbmkExhMJCIpEI
MD5:	77940E02A05F92C7233F59694DF5E4A0
SHA1:	AEC9F4B670B6F3F02126D4F9908FAE9648045803
SHA-256:	075A07FDC7F17265CC8158EDF404704C0E43957D94BB1C6EE4AD5FAA6724E974
SHA-512:	156F18513731D6B4DFF629F90FE706D826DF4BE24D65AE0293711B64F0A8BF5CF880B05356A32ECD2EED37E62342EF4764634C1D667E601D6339F280BD82BCDF
Malicious:	false
Preview:	.To learn about increasing the verbosity of the NGen log files please see http://go.microsoft.com/fwlink/?linkid=210113..12/07/2019 14:54:22.458 [5488]: Command line: D:\wd\compilerTemp\BMT.200yuild.1bk\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe executeQueuedItems /nologo ..12/07/2019 14:54:22.473 [5488]: Executing command from offline queue: install "System.Runtime.WindowsRuntime.UI.Xaml, Version=4.0.0.0, Culture=Neutral, PublicKeyToken=b77a5c561934e089, processorArchitecture=msil" /NoDependencies /queue:1..12/07/2019 14:54:22.490 [5488]: Executing command from offline queue: install "System.Web.ApplicationServices, Version=4.0.0.0, Culture=Neutral, PublicKeyToken=31bf3856ad364e35, processorArchitecture=msil" /NoDependencies /queue:3..12/07/2019 14:54:22.490 [5488]: Exclusion list entry found for System.Web.ApplicationServices, Version=4.0.0.0, Culture=Neutral, PublicKeyToken=31bf3856ad364e35, processorArchitecture=msil; it will not be installed..12/07/2019 14:54:22.490 [

C:\Windows\Temp\~DF196D1133CD399CF8.TMP

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	Composite Document File V2 Document, Cannot read section info
Category:	dropped
Size (bytes):	32768
Entropy (8bit):	1.255746827191848
Encrypted:	false
SSDEEP:	48:L1piuKM+xFX4hT58YESi7QSoXdO2m9qnlxP4StXdxTQx:LniVCTS7QznT4
MD5:	F5FBBF4F74C87384FDC23CB077AE8FE4
SHA1:	32B35D7DDB7559A96D8C53EAB22FBF47379A98AE
SHA-256:	9BB8EFF59AEEAEB106125E9E43334E5C51C33F05F62C72F6D3CA2E3818015F12
SHA-512:	4B2D47CCDE4FF481E8D7613E1A0E7877CE6ED1FD09600F6FA8BA419289F8883046EF15538B36FD8AB4A03DC012E51A7F71F6C63857236F398408A5E6D238DAF2
Malicious:	false
Preview:	......................>...............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Windows\Temp\~DF3F7EAF4F5ADCC4BF.TMP

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	Composite Document File V2 Document, Cannot read section info
Category:	dropped
Size (bytes):	20480
Entropy (8bit):	1.5693393720993778
Encrypted:	false
SSDEEP:	48:S8PhquRc06WX4ynT5sYESi7QSoXdO2m9qnlxP4StXdxTQx:9hq1inTy7QznT4
MD5:	0B3E64C4ADBCDB049120DF8CD2F26993
SHA1:	054653BB088EC183AACF27D8531FAE57A81DD34C
SHA-256:	C0CE78B0BBED0A239046BC72E79332B5798BBD8DE08EFB106EC1DE8D320AE192
SHA-512:	922BCA1576E5484267F5FDBFB222668AC178D2ECB79D48A915263D3513C2A0AACF973EFE3CD7A5F3C9FBA2BDFC103DC02316E6887C7CCA9D913722628E217A20
Malicious:	false
Preview:	......................>...............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Windows\Temp\~DF46FE766947CBCC9A.TMP

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	Composite Document File V2 Document, Cannot read section info
Category:	dropped
Size (bytes):	32768
Entropy (8bit):	1.255746827191848
Encrypted:	false
SSDEEP:	48:L1piuKM+xFX4hT58YESi7QSoXdO2m9qnlxP4StXdxTQx:LniVCTS7QznT4
MD5:	F5FBBF4F74C87384FDC23CB077AE8FE4
SHA1:	32B35D7DDB7559A96D8C53EAB22FBF47379A98AE
SHA-256:	9BB8EFF59AEEAEB106125E9E43334E5C51C33F05F62C72F6D3CA2E3818015F12
SHA-512:	4B2D47CCDE4FF481E8D7613E1A0E7877CE6ED1FD09600F6FA8BA419289F8883046EF15538B36FD8AB4A03DC012E51A7F71F6C63857236F398408A5E6D238DAF2
Malicious:	false
Preview:	......................>...............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Windows\Temp\~DF8CA88C56E74E7E2F.TMP

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	Composite Document File V2 Document, Cannot read section info
Category:	dropped
Size (bytes):	20480
Entropy (8bit):	1.5693393720993778
Encrypted:	false
SSDEEP:	48:S8PhquRc06WX4ynT5sYESi7QSoXdO2m9qnlxP4StXdxTQx:9hq1inTy7QznT4
MD5:	0B3E64C4ADBCDB049120DF8CD2F26993
SHA1:	054653BB088EC183AACF27D8531FAE57A81DD34C
SHA-256:	C0CE78B0BBED0A239046BC72E79332B5798BBD8DE08EFB106EC1DE8D320AE192
SHA-512:	922BCA1576E5484267F5FDBFB222668AC178D2ECB79D48A915263D3513C2A0AACF973EFE3CD7A5F3C9FBA2BDFC103DC02316E6887C7CCA9D913722628E217A20
Malicious:	false
Preview:	......................>...............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Windows\Temp\~DF989544F757F69EF6.TMP

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	data
Category:	dropped
Size (bytes):	512
Entropy (8bit):	0.0
Encrypted:	false
SSDEEP:	3::
MD5:	BF619EAC0CDF3F68D496EA9344137E8B
SHA1:	5C3EB80066420002BC3DCC7CA4AB6EFAD7ED4AE5
SHA-256:	076A27C79E5ACE2A3D47F9DD2E83E4FF6EA8872B3C2218F66C92B89B55F36560
SHA-512:	DF40D4A774E0B453A5B87C00D6F0EF5D753143454E88EE5F7B607134598294C7905CCBCF94BBC46E474DB6EB44E56A6DBB6D9A1BE9D4FB5D1B5F2D0C6ED34BFE
Malicious:	false
Preview:	................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Windows\Temp\~DFC740DF0614F93682.TMP

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	data
Category:	dropped
Size (bytes):	512
Entropy (8bit):	0.0
Encrypted:	false
SSDEEP:	3::
MD5:	BF619EAC0CDF3F68D496EA9344137E8B
SHA1:	5C3EB80066420002BC3DCC7CA4AB6EFAD7ED4AE5
SHA-256:	076A27C79E5ACE2A3D47F9DD2E83E4FF6EA8872B3C2218F66C92B89B55F36560
SHA-512:	DF40D4A774E0B453A5B87C00D6F0EF5D753143454E88EE5F7B607134598294C7905CCBCF94BBC46E474DB6EB44E56A6DBB6D9A1BE9D4FB5D1B5F2D0C6ED34BFE
Malicious:	false
Preview:	................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Windows\Temp\~DFD02EA1444F981F5D.TMP

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	data
Category:	dropped
Size (bytes):	512
Entropy (8bit):	0.0
Encrypted:	false
SSDEEP:	3::
MD5:	BF619EAC0CDF3F68D496EA9344137E8B
SHA1:	5C3EB80066420002BC3DCC7CA4AB6EFAD7ED4AE5
SHA-256:	076A27C79E5ACE2A3D47F9DD2E83E4FF6EA8872B3C2218F66C92B89B55F36560
SHA-512:	DF40D4A774E0B453A5B87C00D6F0EF5D753143454E88EE5F7B607134598294C7905CCBCF94BBC46E474DB6EB44E56A6DBB6D9A1BE9D4FB5D1B5F2D0C6ED34BFE
Malicious:	false
Preview:	................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Windows\Temp\~DFD139A1C245630496.TMP

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	data
Category:	dropped
Size (bytes):	512
Entropy (8bit):	0.0
Encrypted:	false
SSDEEP:	3::
MD5:	BF619EAC0CDF3F68D496EA9344137E8B
SHA1:	5C3EB80066420002BC3DCC7CA4AB6EFAD7ED4AE5
SHA-256:	076A27C79E5ACE2A3D47F9DD2E83E4FF6EA8872B3C2218F66C92B89B55F36560
SHA-512:	DF40D4A774E0B453A5B87C00D6F0EF5D753143454E88EE5F7B607134598294C7905CCBCF94BBC46E474DB6EB44E56A6DBB6D9A1BE9D4FB5D1B5F2D0C6ED34BFE
Malicious:	false
Preview:	................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Windows\Temp\~DFD2F009AA6B86C0CE.TMP

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	data
Category:	dropped
Size (bytes):	32768
Entropy (8bit):	0.07568355224267158
Encrypted:	false
SSDEEP:	6:2/9LG7iVCnLG7iVrKOzPLHKOIWDQzbfHUoVky6lM:2F0i8n0itFzDHFIWMXfHeM
MD5:	831F5AE41136A0DEDC1ED111992EE752
SHA1:	315B3CA3D76940BC6E96FD1E143E390D455CFCB9
SHA-256:	8D3DD0F7A7A97404604A12EB3CA4138591ED1F39B91814D7AD0BF0429D8093C2
SHA-512:	A21F386CBD0283D51942C9A07649115D5D3D6715D9E91650F461DFA6EA4A7EA9FF29DC7EBEAD924CBB6024DCAB94AA64D982EF599A3EC7518EECC9C55AE50AE8
Malicious:	false
Preview:	........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Windows\Temp\~DFF164ACC84465A887.TMP

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	data
Category:	dropped
Size (bytes):	69632
Entropy (8bit):	0.1448383829959158
Encrypted:	false
SSDEEP:	24:SxM2TmipVfU+dwoBipVGU+dwB2m9qb0OVQwGFSxkW+j+BYEPqi:SxtTmStXdZSoXdO2m9qnlxPUOYESi
MD5:	BE06243300E15D36FFAFF576EEF8A27B
SHA1:	7F719DF30C3AAA14E5D300D10700E84EBBD210BF
SHA-256:	E8F85536FDF70DF02EB15A2C30F26A3072F4CEB230A2B06373B69031FDE8DCED
SHA-512:	C0B612E663A6F0E88F74CAF67A08A4EFC8E2912656491407BA508E450AA5027ACC3D28627CD8DE5CD4133B30695B78B5A448335222C3698A60B9D8CA8A94D9F4
Malicious:	false
Preview:	........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Windows\Temp\~DFF2B2D8159DBF2E89.TMP

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	Composite Document File V2 Document, Cannot read section info
Category:	dropped
Size (bytes):	32768
Entropy (8bit):	1.255746827191848
Encrypted:	false
SSDEEP:	48:L1piuKM+xFX4hT58YESi7QSoXdO2m9qnlxP4StXdxTQx:LniVCTS7QznT4
MD5:	F5FBBF4F74C87384FDC23CB077AE8FE4
SHA1:	32B35D7DDB7559A96D8C53EAB22FBF47379A98AE
SHA-256:	9BB8EFF59AEEAEB106125E9E43334E5C51C33F05F62C72F6D3CA2E3818015F12
SHA-512:	4B2D47CCDE4FF481E8D7613E1A0E7877CE6ED1FD09600F6FA8BA419289F8883046EF15538B36FD8AB4A03DC012E51A7F71F6C63857236F398408A5E6D238DAF2
Malicious:	false
Preview:	......................>...............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Windows\Temp\~DFF987463988E13002.TMP

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	data
Category:	dropped
Size (bytes):	512
Entropy (8bit):	0.0
Encrypted:	false
SSDEEP:	3::
MD5:	BF619EAC0CDF3F68D496EA9344137E8B
SHA1:	5C3EB80066420002BC3DCC7CA4AB6EFAD7ED4AE5
SHA-256:	076A27C79E5ACE2A3D47F9DD2E83E4FF6EA8872B3C2218F66C92B89B55F36560
SHA-512:	DF40D4A774E0B453A5B87C00D6F0EF5D753143454E88EE5F7B607134598294C7905CCBCF94BBC46E474DB6EB44E56A6DBB6D9A1BE9D4FB5D1B5F2D0C6ED34BFE
Malicious:	false
Preview:	................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

**\Device\Mup\user-PC*\MAILSLOT\NET\NETLOGON**

Download File

Process:	C:\Program Files\CodeTwo\CodeTwo Active Directory Photos\CodeTwo Active Directory Photos.exe
File Type:	data
Category:	dropped
Size (bytes):	64
Entropy (8bit):	3.7647085933443503
Encrypted:	false
SSDEEP:	3:5wL5I2Y1AnApC8FRR:59GAdRR
MD5:	AA61216F9A06E0243C57C05A826BAFE8
SHA1:	C18E5F4551400ECE25EF5823CD56B10AA7F99AAF
SHA-256:	AFE865F02F03167A14137DD71B672550BEF826A08B05B7A9D955E22D27A7B133
SHA-512:	F57FC20D1A43078B5F32C83159A147C42D77FB59D240B174EA28A760D8D2A924A20884B88C1CD9EC9F5B8B770FDA5A9BCCDF339E3DB57B1A1BB8A05C146BE46C
Malicious:	false
Preview:	....7.2.4.5.3.6.....\MAILSLOT\NET\GETDC67FE0D87............ ....

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit):	7.493386260218451
TrID:	Win32 Executable (generic) a (10002005/4) 99.96% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	C2ADPhotosSetupEN.exe
File size:	19'423'456 bytes
MD5:	b267edc8d01b07caef2e334a05b92351
SHA1:	8da34b3ede48ba1ad32dd5238e03b19116874613
SHA256:	2679ae59bfc014e4c9aa8046ba11d3f7e5cef36536a4be768bf5de4606dd392e
SHA512:	a9db309b2f6e1d9c66b22738f36be8a932d5bcf63ee0a95d7ee8274364a231184b8349d7b6d853235f721d953157b0bc0a5f92283a6a176e5f364e4185ba5887
SSDEEP:	393216:s5xGx1rr9qzmIl6S7gcSs3abx9L6S7kdpeEc:wcx1rrszcSRvTSujc
TLSH:	C4178C966970D021E10E5E3D941BF1F93A2DED20E3678D8B2A44FA7739F43526358F22
File Content Preview:	MZ......................@................................... ...........!..L.!This program cannot be run in DOS mode....$...........S...S...S....s..K....s.......s..N.......V.......Q...Z.h.R...Z.o._...Z...v...S...L...h...D...h...@...h...5.......].......R..

File Icon


Icon Hash:	e0d692b2e296d46d

Static PE Info

General

Entrypoint:	0x545b7a
Entrypoint Section:	.text
Digitally signed:	true
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, 32BIT_MACHINE
DLL Characteristics:	DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Time Stamp:	0x5FF46DB9 [Tue Jan 5 13:46:33 2021 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	5
OS Version Minor:	1
File Version Major:	5
File Version Minor:	1
Subsystem Version Major:	5
Subsystem Version Minor:	1
Import Hash:	bef0fadde501d2ff0cdb7bd8bb62a19d

Authenticode Signature

Signature Valid:	true
Signature Issuer:	CN=Go Daddy Secure Certificate Authority - G2, OU=http://certs.godaddy.com/repository/, O="GoDaddy.com, Inc.", L=Scottsdale, S=Arizona, C=US
Signature Validation Error:	The operation completed successfully
Error Number:	0
Not Before, Not After	13/10/2020 11:27:52 13/10/2023 11:27:52
Subject Chain	CN=CodeTwo Sp. z o.o. Sp.k., O=CodeTwo Sp. z o.o. Sp.k., L=Jelenia G\xf3ra, S=Dolno\u015bl\u0105skie, C=PL
Version:	3
Thumbprint MD5:	31B89018BBC2DF1E7C7E2B1BAD21916A
Thumbprint SHA-1:	9E2AC4D0315B6E704B56C1217F5BD5CD1425140F
Thumbprint SHA-256:	5A3382C9C1C26EB19BDECF0814CDD9FD0AFB883FB8B94FFECF14142C2084E82C
Serial:	00897DA4A026D2A403

Entrypoint Preview

Instruction
call 00007F134D1637C7h
jmp 00007F134D162C63h
jmp dword ptr [005749F0h]
mov ecx, dword ptr [ebp-0Ch]
mov dword ptr fs:[00000000h], ecx
pop ecx
pop edi
pop edi
pop esi
pop ebx
mov esp, ebp
pop ebp
push ecx
ret
mov ecx, dword ptr [ebp-10h]
xor ecx, ebp
call 00007F134D1625B7h
jmp 00007F134D162DB0h
mov ecx, dword ptr [ebp-14h]
xor ecx, ebp
call 00007F134D1625A6h
jmp 00007F134D162D9Fh
push eax
push dword ptr fs:[00000000h]
lea eax, dword ptr [esp+0Ch]
sub esp, dword ptr [esp+0Ch]
push ebx
push esi
push edi
mov dword ptr [eax], ebp
mov ebp, eax
mov eax, dword ptr [005C3E64h]
xor eax, ebp
push eax
push dword ptr [ebp-04h]
mov dword ptr [ebp-04h], FFFFFFFFh
lea eax, dword ptr [ebp-0Ch]
mov dword ptr fs:[00000000h], eax
ret
push eax
push dword ptr fs:[00000000h]
lea eax, dword ptr [esp+0Ch]
sub esp, dword ptr [esp+0Ch]
push ebx
push esi
push edi
mov dword ptr [eax], ebp
mov ebp, eax
mov eax, dword ptr [005C3E64h]
xor eax, ebp
push eax
mov dword ptr [ebp-10h], eax
push dword ptr [ebp-04h]
mov dword ptr [ebp-04h], FFFFFFFFh
lea eax, dword ptr [ebp-0Ch]
mov dword ptr fs:[00000000h], eax
ret
push eax
push dword ptr fs:[00000000h]
lea eax, dword ptr [esp+0Ch]
sub esp, dword ptr [esp+0Ch]
push ebx
push esi
push edi
mov dword ptr [eax], ebp

Rich Headers

Programming Language:

[C++] VS2015 UPD3.1 build 24215
[C++] VS2008 SP1 build 30729
[ C ] VS2008 SP1 build 30729
[IMP] VS2008 SP1 build 30729
[RES] VS2015 UPD3 build 24213
[LNK] VS2015 UPD3.1 build 24215

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x1bf908	0x168	.rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x1ec000	0x1083508	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x1284000	0x20e0	.reloc
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x1270000	0x1e6d0	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x1a5520	0x38	.rdata
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x1a55b4	0x18	.rdata
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x1a5558	0x40	.rdata
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x174000	0x9f0	.rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x1728cc	0x172a00	e8cdc96e1d585295bb316e568fc2d17e	False	0.5485323566610455	data	6.517007242483138	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata	0x174000	0x4ee2c	0x4f000	75369b67bd340279f8e78b849535cbda	False	0.29149772547468356	data	5.198876758467639	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0x1c3000	0xbb2c	0x5a00	7a6bff561e957338f5d912db7f22d6e1	False	0.24635416666666668	data	4.745028391518207	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.gfids	0x1cf000	0x1a4c8	0x1a600	593b057e42432429272acc2c70696d42	False	0.3017069016587678	data	4.226368623333218	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.giats	0x1ea000	0x10	0x200	52f93ebec3bc0c9da8e85ddf5ad812f4	False	0.048828125	data	0.15517757530476972	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.tls	0x1eb000	0x9	0x200	1f354d76203061bfdd5a53dae48d5435	False	0.033203125	data	0.020393135236084953	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc	0x1ec000	0x1083508	0x1083600	2c6f57b45e4e60db90fb3cc7026e3278	unknown	unknown	unknown	unknown	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0x1270000	0x1e6d0	0x1e800	b025f8d91b3845432bc14508939daec1	False	0.4186971695696721	data	6.497420472673579	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
EXE	0x10fe158	0x16d938	PE32 executable (GUI) Intel 80386, for MS Windows	Polish	Poland	0.9138679504394531
MSI	0x21a158	0x78f000	Composite Document File V2 Document, Little Endian, Os: Windows, Version 6.2, MSI Installer, Code page: 1252, Title: Installation Database, Subject: CodeTwo Active Directory Photos, Author: CodeTwo, Keywords: Installer, Comments: (c) 2020 CodeTwo. All rights reserved., Template: x64;1033, Revision Number: {85D5E36E-A38F-44FA-B9D7-04B56ACDA73E}, Create Time/Date: Tue Jan 5 13:46:22 2021, Last Saved Time/Date: Tue Jan 5 13:46:22 2021, Number of Pages: 300, Number of Words: 2, Name of Creating Application: Windows Installer XML Toolset (3.11.0.1701), Security: 2	Polish	Poland	0.9852752685546875
MSI	0x9a9158	0x755000	Composite Document File V2 Document, Little Endian, Os: Windows, Version 6.2, MSI Installer, Code page: 1252, Title: Installation Database, Subject: CodeTwo Active Directory Photos, Author: CodeTwo, Keywords: Installer, Comments: (c) 2020 CodeTwo. All rights reserved., Template: Intel;1033, Revision Number: {1E0D103C-1014-446E-9C0E-91DD43D9DDE0}, Create Time/Date: Tue Jan 5 13:46:18 2021, Last Saved Time/Date: Tue Jan 5 13:46:18 2021, Number of Pages: 300, Number of Words: 2, Name of Creating Application: Windows Installer XML Toolset (3.11.0.1701), Security: 2	Polish	Poland	0.98553466796875
RT_CURSOR	0x126bde0	0x134	Targa image data - RGB 64 x 65536 x 1 +32 "\001"	English	United States	0.4805194805194805
RT_CURSOR	0x126bf18	0xb4	Targa image data - Map 32 x 65536 x 1 +16 "\001"	English	United States	0.7
RT_CURSOR	0x126bff8	0x134	AmigaOS bitmap font "(", fc_YSize 4294967264, 5120 elements, 2nd "\377\360?\377\377\370\177\377\377\374\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377", 3rd	English	United States	0.36363636363636365
RT_CURSOR	0x126c148	0x134	Targa image data - RLE 64 x 65536 x 1 +32 "\001"	English	United States	0.35714285714285715
RT_CURSOR	0x126c298	0x134	data	English	United States	0.37337662337662336
RT_CURSOR	0x126c3e8	0x134	data	English	United States	0.37662337662337664
RT_CURSOR	0x126c538	0x134	Targa image data 64 x 65536 x 1 +32 "\001"	English	United States	0.36688311688311687
RT_CURSOR	0x126c688	0x134	Targa image data 64 x 65536 x 1 +32 "\001"	English	United States	0.37662337662337664
RT_CURSOR	0x126c7d8	0x134	Targa image data - Mono - RLE 64 x 65536 x 1 +32 "\001"	English	United States	0.36688311688311687
RT_CURSOR	0x126c928	0x134	Targa image data - RGB - RLE 64 x 65536 x 1 +32 "\001"	English	United States	0.38636363636363635
RT_CURSOR	0x126ca78	0x134	data	English	United States	0.44155844155844154
RT_CURSOR	0x126cbc8	0x134	data	English	United States	0.4155844155844156
RT_CURSOR	0x126cd18	0x134	AmigaOS bitmap font "(", fc_YSize 4294966847, 3840 elements, 2nd "\377?\374\377\377\300\003\377\377\300\003\377\377\340\007\377\377\360\017\377\377\370\037\377\377\374?\377\377\376\177\377\377\377\377\377\377\377\377\377\377\377\377\377", 3rd	English	United States	0.5422077922077922
RT_CURSOR	0x126ce68	0x134	data	English	United States	0.2662337662337662
RT_CURSOR	0x126cfb8	0x134	data	English	United States	0.2824675324675325
RT_CURSOR	0x126d108	0x134	data	English	United States	0.3246753246753247
RT_BITMAP	0x126d378	0xb8	Device independent bitmap graphic, 12 x 10 x 4, image size 80	English	United States	0.44565217391304346
RT_BITMAP	0x126d430	0x144	Device independent bitmap graphic, 33 x 11 x 4, image size 220	English	United States	0.37962962962962965
RT_ICON	0x1ecd00	0x468	Device independent bitmap graphic, 16 x 32 x 32, image size 1024	Polish	Poland	0.3475177304964539
RT_ICON	0x1ed168	0x988	Device independent bitmap graphic, 24 x 48 x 32, image size 2304	Polish	Poland	0.2168032786885246
RT_ICON	0x1edaf0	0x10a8	Device independent bitmap graphic, 32 x 64 x 32, image size 4096	Polish	Poland	0.16439962476547842
RT_ICON	0x1eeb98	0x25a8	Device independent bitmap graphic, 48 x 96 x 32, image size 9216	Polish	Poland	0.10176348547717842
RT_ICON	0x1f1140	0x4228	Device independent bitmap graphic, 64 x 128 x 32, image size 16384	Polish	Poland	0.07445677846008503
RT_ICON	0x1f5368	0x94a8	Device independent bitmap graphic, 96 x 192 x 32, image size 36864	Polish	Poland	0.04787681311751104
RT_ICON	0x1fe810	0x10828	Device independent bitmap graphic, 128 x 256 x 32, image size 65536	Polish	Poland	0.036111439725541226
RT_ICON	0x20f038	0xa628	Device independent bitmap graphic, 192 x 384 x 8, image size 36864, 256 important colors	Polish	Poland	0.07085762648109836
RT_ICON	0x219660	0xa69	PNG image data, 256 x 256, 8-bit grayscale, non-interlaced	Polish	Poland	0.9699812382739212
RT_DIALOG	0x126d258	0xe8	data	English	United States	0.6336206896551724
RT_DIALOG	0x126d340	0x34	data	English	United States	0.9038461538461539
RT_STRING	0x126d578	0x82	StarOffice Gallery theme p, 536899072 objects, 1st n	English	United States	0.7153846153846154
RT_STRING	0x126d600	0x2a	data	English	United States	0.5476190476190477
RT_STRING	0x126d630	0x184	data	English	United States	0.48711340206185566
RT_STRING	0x126d7b8	0x4ee	data	English	United States	0.375594294770206
RT_STRING	0x126e038	0x264	data	English	United States	0.3333333333333333
RT_STRING	0x126dd58	0x2da	data	English	United States	0.3698630136986301
RT_STRING	0x126ea80	0x8a	data	English	United States	0.6594202898550725
RT_STRING	0x126dca8	0xac	data	English	United States	0.45348837209302323
RT_STRING	0x126e970	0xde	data	English	United States	0.536036036036036
RT_STRING	0x126e2a0	0x4a8	data	English	United States	0.3221476510067114
RT_STRING	0x126e748	0x228	data	English	United States	0.4003623188405797
RT_STRING	0x126ea50	0x2c	data	English	United States	0.5227272727272727
RT_STRING	0x126eb10	0x53e	data	English	United States	0.2965722801788376
RT_GROUP_CURSOR	0x126bfd0	0x22	Lotus unknown worksheet or configuration, revision 0x2	English	United States	1.0294117647058822
RT_GROUP_CURSOR	0x126c7c0	0x14	Lotus unknown worksheet or configuration, revision 0x1	English	United States	1.3
RT_GROUP_CURSOR	0x126c130	0x14	Lotus unknown worksheet or configuration, revision 0x1	English	United States	1.3
RT_GROUP_CURSOR	0x126c670	0x14	Lotus unknown worksheet or configuration, revision 0x1	English	United States	1.3
RT_GROUP_CURSOR	0x126c520	0x14	Lotus unknown worksheet or configuration, revision 0x1	English	United States	1.3
RT_GROUP_CURSOR	0x126ce50	0x14	Lotus unknown worksheet or configuration, revision 0x1	English	United States	1.3
RT_GROUP_CURSOR	0x126c3d0	0x14	Lotus unknown worksheet or configuration, revision 0x1	English	United States	1.3
RT_GROUP_CURSOR	0x126ca60	0x14	Lotus unknown worksheet or configuration, revision 0x1	English	United States	1.3
RT_GROUP_CURSOR	0x126c280	0x14	Lotus unknown worksheet or configuration, revision 0x1	English	United States	1.3
RT_GROUP_CURSOR	0x126c910	0x14	Lotus unknown worksheet or configuration, revision 0x1	English	United States	1.3
RT_GROUP_CURSOR	0x126cbb0	0x14	Lotus unknown worksheet or configuration, revision 0x1	English	United States	1.3
RT_GROUP_CURSOR	0x126cd00	0x14	Lotus unknown worksheet or configuration, revision 0x1	English	United States	1.3
RT_GROUP_CURSOR	0x126cfa0	0x14	Lotus unknown worksheet or configuration, revision 0x1	English	United States	1.3
RT_GROUP_CURSOR	0x126d0f0	0x14	Lotus unknown worksheet or configuration, revision 0x1	English	United States	1.3
RT_GROUP_CURSOR	0x126d240	0x14	Lotus unknown worksheet or configuration, revision 0x1	English	United States	1.3
RT_GROUP_ICON	0x21a0d0	0x84	data	Polish	Poland	0.7348484848484849
RT_VERSION	0x126ba90	0x34c	data	English	United States	0.4312796208530806
RT_MANIFEST	0x126f050	0x4b7	XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with very long lines (1147), with CRLF line terminators	English	United States	0.3587406793703397

Imports

DLL	Import
KERNEL32.dll	GetConsoleMode, GetConsoleCP, GetTimeZoneInformation, LCMapStringW, GetStringTypeW, GetStdHandle, ExitProcess, GetFileType, SetStdHandle, SetFilePointerEx, GetModuleHandleExW, FreeLibraryAndExitThread, ExitThread, CreateThread, VirtualQuery, VirtualAlloc, GetCommandLineW, GetCommandLineA, RtlUnwind, GetExitCodeProcess, GetSystemInfo, OutputDebugStringW, FindFirstFileExA, QueryPerformanceFrequency, FindNextFileA, IsValidCodePage, GetEnvironmentStringsW, FreeEnvironmentStringsW, SetEnvironmentVariableA, WriteConsoleW, CreateFileW, InitializeSListHead, GetSystemTimeAsFileTime, QueryPerformanceCounter, GetStartupInfoW, IsDebuggerPresent, IsProcessorFeaturePresent, TerminateProcess, SetUnhandledExceptionFilter, UnhandledExceptionFilter, CreateEventW, WaitForSingleObjectEx, ResetEvent, GetWindowsDirectoryA, GetACP, Sleep, GetProfileIntA, GetTempFileNameA, GetTempPathA, SearchPathA, GetCPInfo, GetOEMCP, VirtualProtect, SystemTimeToTzSpecificLocalTime, GetFileTime, GetFileSizeEx, GetFileAttributesExA, FileTimeToLocalFileTime, SetErrorMode, FileTimeToSystemTime, GetVolumeInformationA, lstrcmpiA, GetCurrentProcess, DuplicateHandle, WriteFile, UnlockFile, SetFilePointer, SetEndOfFile, ReadFile, LockFile, GetFullPathNameA, FlushFileBuffers, GetFileSize, GetFileAttributesA, CreateFileA, VerifyVersionInfoA, lstrcpyA, VerSetConditionMask, GlobalGetAtomNameA, GlobalFindAtomA, lstrcmpW, FreeResource, GlobalFlags, GetUserDefaultUILanguage, GetSystemDefaultUILanguage, GetLocaleInfoW, CompareStringW, GetCurrentDirectoryA, FindResourceA, GetSystemDirectoryW, EncodePointer, LocalReAlloc, LocalAlloc, GlobalHandle, GlobalReAlloc, TlsFree, TlsSetValue, TlsGetValue, TlsAlloc, InitializeCriticalSection, LoadLibraryW, GetModuleFileNameW, OutputDebugStringA, GlobalAddAtomA, WritePrivateProfileStringA, GetPrivateProfileStringA, GetPrivateProfileIntA, GetModuleHandleW, GetModuleHandleA, ResumeThread, SetThreadPriority, WaitForSingleObject, SetEvent, CloseHandle, SetLastError, CopyFileA, FormatMessageA, MulDiv, LocalFree, GlobalFree, GlobalUnlock, GlobalSize, GetCurrentProcessId, GetTickCount, CompareStringA, MultiByteToWideChar, lstrcmpA, GlobalDeleteAtom, GlobalLock, GlobalAlloc, LoadLibraryExW, GetModuleFileNameA, GetVersionExA, GetCurrentThreadId, GetCurrentThread, DeleteCriticalSection, DecodePointer, RaiseException, GetLastError, LeaveCriticalSection, InitializeCriticalSectionAndSpinCount, EnterCriticalSection, DeleteFileA, LoadLibraryA, FreeLibrary, GetProcAddress, FindFirstFileA, FindClose, InterlockedDecrement, CreateDirectoryA, GetProcessHeap, HeapAlloc, HeapFree, HeapReAlloc, HeapSize, HeapDestroy, FindResourceExW, FindResourceW, LoadResource, LockResource, SizeofResource, WideCharToMultiByte, InterlockedIncrement, HeapQueryInformation
USER32.dll	SetWindowRgn, GetSystemMenu, LoadMenuW, GetAsyncKeyState, CharUpperA, TrackMouseEvent, LoadImageW, IsRectEmpty, DrawStateA, EmptyClipboard, SetClipboardData, CloseClipboard, OpenClipboard, EnumDisplayMonitors, GetSysColorBrush, SetLayeredWindowAttributes, MonitorFromPoint, SetParent, GetSystemMetrics, ReuseDDElParam, UnpackDDElParam, LoadImageA, DestroyIcon, IntersectRect, SetRectEmpty, InsertMenuItemA, DestroyMenu, CreatePopupMenu, LoadMenuA, TranslateAcceleratorA, LoadAcceleratorsA, BringWindowToTop, ShowWindow, GetMonitorInfoA, MonitorFromWindow, WinHelpA, GetScrollInfo, SetScrollInfo, LoadIconW, LoadIconA, GetTopWindow, GetClassLongA, SetWindowLongA, EqualRect, CopyRect, MapWindowPoints, AdjustWindowRectEx, GetWindowTextLengthA, RemovePropA, GetPropA, SetPropA, ShowScrollBar, GetScrollRange, SetScrollRange, GetScrollPos, SetScrollPos, ScrollWindow, SetForegroundWindow, GetForegroundWindow, SetActiveWindow, TrackPopupMenu, SetMenu, InflateRect, SetFocus, GetDlgItem, IsIconic, EndDeferWindowPos, DeferWindowPos, BeginDeferWindowPos, SetWindowPlacement, GetWindowPlacement, SetWindowPos, DestroyWindow, IsChild, IsMenu, IsWindow, CreateWindowExA, GetClassInfoExA, GetClassInfoA, RegisterClassA, CallWindowProcA, DefWindowProcA, GetMessagePos, RegisterWindowMessageA, FillRect, GetSysColor, EndPaint, BeginPaint, ReleaseDC, GetWindowDC, GetDC, TabbedTextOutA, GrayStringA, DrawTextExA, DrawTextA, InvalidateRect, UpdateWindow, KillTimer, SetTimer, RealChildWindowFromPoint, GetWindow, GetClassNameA, PtInRect, SendDlgItemMessageA, IsDialogMessageA, GetMenuItemInfoA, CreateDialogIndirectParamA, MessageBoxA, UnregisterClassA, PostMessageA, GetWindowRect, GetWindowTextA, SetWindowTextA, GetDlgCtrlID, DeleteMenu, CopyImage, GetClientRect, LoadCursorW, LoadCursorA, GetDesktopWindow, WindowFromPoint, ScreenToClient, ClientToScreen, ReleaseCapture, SetCapture, GetCapture, NotifyWinEvent, ModifyMenuA, PostThreadMessageA, GetKeyboardLayout, GetKeyboardState, ToAsciiEx, MapVirtualKeyA, LoadAcceleratorsW, CreateAcceleratorTableA, DestroyAcceleratorTable, CopyAcceleratorTableA, EnumChildWindows, LockWindowUpdate, SetClassLongA, MoveWindow, CheckDlgButton, GetMenu, PostQuitMessage, SendMessageA, IsZoomed, RedrawWindow, DrawFocusRect, MessageBeep, OffsetRect, SystemParametersInfoA, RegisterClipboardFormatA, UnhookWindowsHookEx, EnableWindow, IsWindowEnabled, GetWindowLongA, GetParent, GetWindowThreadProcessId, GetLastActivePopup, GetMenuStringA, GetMenuState, GetSubMenu, GetMenuItemID, GetMenuItemCount, InsertMenuA, AppendMenuA, RemoveMenu, GetFocus, CheckMenuItem, EnableMenuItem, SetMenuItemBitmaps, GetMenuCheckMarkDimensions, SetMenuItemInfoA, LoadBitmapW, GetMessageA, TranslateMessage, DispatchMessageA, PeekMessageA, IsWindowVisible, GetActiveWindow, GetKeyState, ValidateRect, GetCursorPos, SetWindowsHookExA, CallNextHookEx, ShowOwnedPopups, SetCursor, WaitMessage, EndDialog, GetNextDlgTabItem, MapDialogRect, GetKeyNameTextA, UnionRect, SetRect, DrawIconEx, DrawEdge, DrawFrameControl, InvertRect, HideCaret, GetWindowRgn, DrawIcon, GetComboBoxInfo, GetNextDlgGroupItem, DestroyCursor, CreateMenu, GetIconInfo, GetDoubleClickTime, GetUpdateRect, SubtractRect, MapVirtualKeyExA, IsCharLowerA, TranslateMDISysAccel, DefMDIChildProcA, DefFrameProcA, DrawMenuBar, IsClipboardFormatAvailable, FrameRect, CopyIcon, SetMenuDefaultItem, GetMenuDefaultItem, EnableScrollBar, UpdateLayeredWindow, CharUpperBuffA, SetCursorPos, GetMessageTime
GDI32.dll	GetObjectType, GetPixel, GetStockObject, GetViewportExtEx, GetWindowExtEx, IntersectClipRect, LineTo, PtVisible, RectVisible, RestoreDC, SaveDC, SelectClipRgn, ExtSelectClipRgn, SelectObject, SelectPalette, SetBkColor, SetBkMode, SetMapMode, SetLayout, GetLayout, SetPolyFillMode, SetROP2, SetTextColor, SetTextAlign, GetObjectA, MoveToEx, TextOutA, ExtTextOutA, SetViewportExtEx, SetViewportOrgEx, SetWindowExtEx, SetWindowOrgEx, OffsetViewportOrgEx, OffsetWindowOrgEx, ScaleViewportExtEx, ScaleWindowExtEx, CreateCompatibleBitmap, CreateDIBitmap, CreateFontIndirectA, CreateRectRgnIndirect, GetClipBox, GetTextCharsetInfo, GetTextMetricsA, CombineRgn, GetDIBits, PatBlt, RealizePalette, SetPixel, StretchBlt, CreateDIBSection, SetDIBColorTable, CreateRoundRectRgn, GetRgnBox, OffsetRgn, GetTextColor, GetTextExtentPoint32A, SetRectRgn, DPtoLP, GetBkColor, CreateEllipticRgn, Ellipse, CreatePolygonRgn, Polygon, Polyline, Rectangle, EnumFontFamiliesExA, RoundRect, CreatePalette, GetPaletteEntries, ExtFloodFill, SetPaletteEntries, GetViewportOrgEx, LPtoDP, GetWindowOrgEx, FillRgn, FrameRgn, GetBoundsRect, PtInRegion, GetNearestPaletteIndex, GetSystemPaletteEntries, GetTextFaceA, SetPixelV, Escape, CreateSolidBrush, CreateRectRgn, CreatePatternBrush, CreatePen, CreateHatchBrush, CreateCompatibleDC, BitBlt, DeleteObject, CreateBitmap, GetDeviceCaps, CreateDCA, CopyMetaFileA, EnumFontFamiliesA, ExcludeClipRect, DeleteDC
MSIMG32.dll	AlphaBlend, TransparentBlt
WINSPOOL.DRV	ClosePrinter, OpenPrinterA, DocumentPropertiesA
ADVAPI32.dll	RegEnumKeyExA, RegEnumValueA, RegQueryValueA, RegEnumKeyA, RegSetValueExA, RegDeleteValueA, RegDeleteKeyA, RegCreateKeyExA, RegQueryValueExA, RegOpenKeyExA, RegCloseKey
SHELL32.dll	SHGetFileInfoA, DragQueryFileA, DragFinish, SHAppBarMessage, SHGetMalloc, SHGetPathFromIDListA, SHGetSpecialFolderLocation, ShellExecuteExA, ShellExecuteA, SHGetDesktopFolder, SHBrowseForFolderA
SHLWAPI.dll	PathFindFileNameA, PathIsUNCA, PathStripToRootA, PathRemoveFileSpecW, PathFindExtensionA, StrFormatKBSizeA
UxTheme.dll	OpenThemeData, DrawThemeText, DrawThemeParentBackground, DrawThemeBackground, IsThemeBackgroundPartiallyTransparent, CloseThemeData, GetThemePartSize, IsAppThemed, GetThemeColor, GetCurrentThemeName, GetWindowTheme, GetThemeSysColor
ole32.dll	OleRun, CoInitializeEx, OleCreateMenuDescriptor, OleDestroyMenuDescriptor, OleTranslateAccelerator, IsAccelerator, CoLockObjectExternal, RegisterDragDrop, RevokeDragDrop, OleLockRunning, OleGetClipboard, DoDragDrop, CoDisconnectObject, CoRegisterMessageFilter, OleIsCurrentClipboard, OleFlushClipboard, CoRevokeClassObject, CreateStreamOnHGlobal, CoInitialize, CoCreateInstance, ReleaseStgMedium, OleDuplicateData, CoTaskMemFree, CoTaskMemAlloc, OleUninitialize, OleInitialize, CoFreeUnusedLibraries, CoUninitialize, CoCreateGuid, StringFromGUID2
OLEAUT32.dll	SysStringLen, LoadTypeLib, SystemTimeToVariantTime, VariantTimeToSystemTime, VariantChangeType, VariantCopy, VarBstrFromDate, SysAllocString, VariantClear, VariantInit, SysAllocStringByteLen, SysAllocStringLen, CreateErrorInfo, SysFreeString
oledlg.dll
gdiplus.dll	GdipCreateBitmapFromStream, GdipGetImagePaletteSize, GdipGetImagePalette, GdipGetImagePixelFormat, GdipGetImageWidth, GdipCreateBitmapFromScan0, GdipDisposeImage, GdipCloneImage, GdiplusStartup, GdipGetImageHeight, GdipDrawImageRectI, GdipSetInterpolationMode, GdipCreateFromHDC, GdipCreateBitmapFromHBITMAP, GdipDrawImageI, GdipDeleteGraphics, GdipBitmapLockBits, GdipGetImageGraphicsContext, GdiplusShutdown, GdipAlloc, GdipFree, GdipBitmapUnlockBits
WINMM.dll	PlaySoundA
msi.dll
OLEACC.dll	AccessibleObjectFromWindow, LresultFromObject, CreateStdAccessibleObject
IMM32.dll	ImmGetContext, ImmGetOpenStatus, ImmReleaseContext

Possible Origin

Language of compilation system	Country where language is spoken	Map
Polish	Poland
English	United States

Network Behavior

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Oct 25, 2024 16:36:17.489727974 CEST	53	50486	162.159.36.2	192.168.2.5
Oct 25, 2024 16:36:18.246889114 CEST	53	50181	1.1.1.1	192.168.2.5

Target ID:	0
Start time:	10:35:27
Start date:	25/10/2024
Path:	C:\Users\user\Desktop\C2ADPhotosSetupEN.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\C2ADPhotosSetupEN.exe"
Imagebase:	0x620000
File size:	19'423'456 bytes
MD5 hash:	B267EDC8D01B07CAEF2E334A05B92351
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	2
Start time:	10:35:28
Start date:	25/10/2024
Path:	C:\Windows\System32\msiexec.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\msiexec.exe /V
Imagebase:	0x7ff660b70000
File size:	69'632 bytes
MD5 hash:	E5DA170027542E25EDE42FC54C929077
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	false

Show Windows behavior

Target ID:	3
Start time:	10:35:41
Start date:	25/10/2024
Path:	C:\Windows\SysWOW64\msiexec.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\syswow64\MsiExec.exe -Embedding D9E5602CD0D1E59BA79DE8DE2B3D0A62 C
Imagebase:	0x4d0000
File size:	59'904 bytes
MD5 hash:	9D09DC1EDA745A5F87553048E57620CF
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	5
Start time:	10:35:46
Start date:	25/10/2024
Path:	C:\Windows\SysWOW64\msiexec.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\syswow64\MsiExec.exe -Embedding 3336940CC5EF5A00D0ECD9674475EFA1
Imagebase:	0x4d0000
File size:	59'904 bytes
MD5 hash:	9D09DC1EDA745A5F87553048E57620CF
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	6
Start time:	10:35:47
Start date:	25/10/2024
Path:	C:\Program Files\CodeTwo\CodeTwo Active Directory Photos\CodeTwo Active Directory Photos.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files\CodeTwo\CodeTwo Active Directory Photos\CodeTwo Active Directory Photos.exe"
Imagebase:	0x3d0000
File size:	2'016'008 bytes
MD5 hash:	64FA128F137A7AEFCFA59744C6B17A75
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Antivirus matches:	Detection: 0%, ReversingLabs
Reputation:	low
Has exited:	true

Show Windows behavior

Function 00007FF848770A98 Relevance: 4.7, Strings: 3, Instructions: 944COMMON

Download Yara Rule

Strings

`uH, xrefs: 00007FF848770F0B
`uH, xrefs: 00007FF848770F7A
0, xrefs: 00007FF8487711EE

Memory Dump Source

Source File: 00000006.00000002.2479942821.00007FF848770000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848770000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_7ff848770000_CodeTwo Active Directory Photos.jbxd

Similarity

API ID:
String ID: 0$`uH$`uH
API String ID: 0-2255283009
Opcode ID: 2c2f6bab35ac22d59dbe897204e7ea1ce7aa134cfea1e6f2c9ee264e2311e904
Instruction ID: 8ca40809770f326ef64979cf090ad0cb306f5077522362172ea5e7f079db8b36
Opcode Fuzzy Hash: 2c2f6bab35ac22d59dbe897204e7ea1ce7aa134cfea1e6f2c9ee264e2311e904
Instruction Fuzzy Hash: 8842B031A0DA894FE799EB2C98656647BE1FF99740F0501FEE049C72A3DE28EC41C749

Function 00007FF8485C5B74 Relevance: 3.6, Strings: 2, Instructions: 1118COMMON

Download Yara Rule

Strings

iQ_H, xrefs: 00007FF8485C66EF
H, xrefs: 00007FF8485C686C

Memory Dump Source

Source File: 00000006.00000002.2478318140.00007FF8485C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF8485C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_7ff8485c0000_CodeTwo Active Directory Photos.jbxd

Similarity

API ID:
String ID: H$iQ_H
API String ID: 0-150787153
Opcode ID: c7769bc3d24a46a38e270d0f2987182ba7ff4222c025224f9877334f9362c340
Instruction ID: 51a39c3af4835cb60ac9acc24703e858ce390812b9283903cdc8c51b09e55a25
Opcode Fuzzy Hash: c7769bc3d24a46a38e270d0f2987182ba7ff4222c025224f9877334f9362c340
Instruction Fuzzy Hash: 2E925C30619A498FD7A9EB38C499BA977E1FF59301F5104BDD09EC72A6CF38A841CB05

Function 00007FF8485C49FB Relevance: 3.0, Strings: 2, Instructions: 508COMMON

Download Yara Rule

Strings

p&\H, xrefs: 00007FF8485C4DCC
h&\H, xrefs: 00007FF8485C4E3F

Memory Dump Source

Source File: 00000006.00000002.2478318140.00007FF8485C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF8485C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_7ff8485c0000_CodeTwo Active Directory Photos.jbxd

Similarity

API ID:
String ID: h&\H$p&\H
API String ID: 0-878878705
Opcode ID: 8f9fed7dc6cb653bd2bbe3493be11f42086f8210ccd788119ef1deec08b1c72d
Instruction ID: 80e56926d8a608814371c422968e334837d08eb192943ba2828b9b351c58a7d4
Opcode Fuzzy Hash: 8f9fed7dc6cb653bd2bbe3493be11f42086f8210ccd788119ef1deec08b1c72d
Instruction Fuzzy Hash: C6F1B130A1CA494FE798FB28D815BB977E1FF98341F1144B9D05EC729ADE34E8428B85

Function 00007FF8485C7A91 Relevance: 1.3, Instructions: 1267COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2478318140.00007FF8485C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF8485C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_7ff8485c0000_CodeTwo Active Directory Photos.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 26fe1c563a45d29cd067e1384ee074bb096d171711c50deccb26599ab38d2746
Instruction ID: 906dcf6cb0af0ae70a8ccdd299d01d8a3832df23c33a3c7ce11a97f476e378e1
Opcode Fuzzy Hash: 26fe1c563a45d29cd067e1384ee074bb096d171711c50deccb26599ab38d2746
Instruction Fuzzy Hash: 4CA26F30619A498FE3A5EB38C859BAA73E1FF59341F5104BDD05EC72A2DF39A841CB05

Function 00007FF8485CA23E Relevance: .7, Instructions: 744COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2478318140.00007FF8485C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF8485C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_7ff8485c0000_CodeTwo Active Directory Photos.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fcbfeef305004e766b4cfeafb11450eff3df85d0d7c30b2a8c6f773f297a3515
Instruction ID: 65b6a64f518de926a2a88b2cf429ee12ef9c5f5b60acce0f2ea71ea592531d9e
Opcode Fuzzy Hash: fcbfeef305004e766b4cfeafb11450eff3df85d0d7c30b2a8c6f773f297a3515
Instruction Fuzzy Hash: DD42D370A0DA858FE795FB3888556A97BE1FF99340F1105BDD09DC72A3DE38A842CB05

Function 00007FF8485C6AA6 Relevance: .6, Instructions: 566COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2478318140.00007FF8485C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF8485C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_7ff8485c0000_CodeTwo Active Directory Photos.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cc9c38fb68fb63f55cb2e16a6695496d541a0ca5aa8c6d6356a54833902643bf
Instruction ID: 3f76003dcc8f48f56ec20c1b9266f53b0b6fe1f8e30de8ce3032e0729c3b2313
Opcode Fuzzy Hash: cc9c38fb68fb63f55cb2e16a6695496d541a0ca5aa8c6d6356a54833902643bf
Instruction Fuzzy Hash: FC12913060DB458FD7A9EB28C459BAA77E1EF59340F1104BED09EC72A6CF38A845CB45

Function 00007FF8485C6B3A Relevance: .5, Instructions: 498COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2478318140.00007FF8485C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF8485C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_7ff8485c0000_CodeTwo Active Directory Photos.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0333f236b2730f9a931caade3eb6b5947c57627d9657a6f136d1dbc856197c72
Instruction ID: b654f8d381dddcce7b467cab46ec330372ba239140dd7889c12c359034f78357
Opcode Fuzzy Hash: 0333f236b2730f9a931caade3eb6b5947c57627d9657a6f136d1dbc856197c72
Instruction Fuzzy Hash: 0402953060DB458FD7A9EB28C459BAA73E1EF59341F1105BED09EC72A6CF38A845CB41

Function 00007FF8485CE061 Relevance: .4, Instructions: 431COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2478318140.00007FF8485C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF8485C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_7ff8485c0000_CodeTwo Active Directory Photos.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ca357ff688a8e1ffb6477ef8ee4814b4067d658d25d56f67f8db78d001346318
Instruction ID: 099bb3779f311ec0e92d625bcd29edf0195bb8138eb3800b0ba31eb90bcdd6d4
Opcode Fuzzy Hash: ca357ff688a8e1ffb6477ef8ee4814b4067d658d25d56f67f8db78d001346318
Instruction Fuzzy Hash: 23E17512D0E7D35EE753B7786C560E97F60DF43298F0A01F7C4988A0D3EE48685687A6

Function 00007FF8485C0D6D Relevance: .4, Instructions: 381COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2478318140.00007FF8485C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF8485C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_7ff8485c0000_CodeTwo Active Directory Photos.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2b14bc3f9e1170e4184d063a028dc7dea7f95b7d394f4e755a1bb410eaf83efa
Instruction ID: d9ed2f0125b1467c16a0d5e481224d8d9de40fdcc92a0ccb708a20e708102f70
Opcode Fuzzy Hash: 2b14bc3f9e1170e4184d063a028dc7dea7f95b7d394f4e755a1bb410eaf83efa
Instruction Fuzzy Hash: ABC1F331A0D94A9FEB98FB2CC855ABD77E1FF89350F1500B9D01AD7292DF28A8418B45

Function 00007FF8485CEE64 Relevance: 8.1, Strings: 6, Instructions: 568COMMON

Download Yara Rule

Strings

B\H, xrefs: 00007FF8485CF21D
4L_H, xrefs: 00007FF8485CF070
2L_H, xrefs: 00007FF8485CF2EF
0B\H, xrefs: 00007FF8485CF290
8B\H, xrefs: 00007FF8485CF303
A\H, xrefs: 00007FF8485CEEF8

Memory Dump Source

Source File: 00000006.00000002.2478318140.00007FF8485C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF8485C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_7ff8485c0000_CodeTwo Active Directory Photos.jbxd

Similarity

API ID:
String ID: B\H$0B\H$2L_H$4L_H$8B\H$A\H
API String ID: 0-1263049920
Opcode ID: e653d2efdcae17ceb9198b5e7c4e35cab6041a80c7f9c625da00b064dfea5055
Instruction ID: 72eaeb85ac809a721a70a912d7ffa08daf3aab25144e5353ccea867a3037763a
Opcode Fuzzy Hash: e653d2efdcae17ceb9198b5e7c4e35cab6041a80c7f9c625da00b064dfea5055
Instruction Fuzzy Hash: AD021962E2DD865FEB5DFB2898529B977F1FF64784F0045B9C00BC71D6EE28A8068740

Function 00007FF848771275 Relevance: 5.9, Strings: 4, Instructions: 882COMMON

Download Yara Rule

Strings

3, xrefs: 00007FF848771912
PauH, xrefs: 00007FF84877149D
PauH, xrefs: 00007FF848771341
PauH, xrefs: 00007FF8487713E6

Memory Dump Source

Source File: 00000006.00000002.2479942821.00007FF848770000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848770000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_7ff848770000_CodeTwo Active Directory Photos.jbxd

Similarity

API ID:
String ID: 3$PauH$PauH$PauH
API String ID: 0-4214649253
Opcode ID: 3d928e75c6477e360f2ff2356e44707c8a47bc8119a1397b5e3f84d0c839ffe9
Instruction ID: 5d4ee1738fecbf2d2031b0345f2e5fe36d1c4501ee30e6d82c3550e731795746
Opcode Fuzzy Hash: 3d928e75c6477e360f2ff2356e44707c8a47bc8119a1397b5e3f84d0c839ffe9
Instruction Fuzzy Hash: 89421331A0DA894FE799EB2C88655747BE1FF5A790F0900FAD089C71A3DA28FC42C755

Function 00007FF8485C551C Relevance: 4.3, Strings: 3, Instructions: 558COMMON

Download Yara Rule

Strings

x9iH, xrefs: 00007FF8485C55DA
wQ_H, xrefs: 00007FF8485C58EF
wQ_H, xrefs: 00007FF8485C5874

Memory Dump Source

Source File: 00000006.00000002.2478318140.00007FF8485C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF8485C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_7ff8485c0000_CodeTwo Active Directory Photos.jbxd

Similarity

API ID:
String ID: wQ_H$wQ_H$x9iH
API String ID: 0-2823264820
Opcode ID: 54100242b4a4aed6b33c251cc6c9c1829913499a732be36417419061c5c3ffcd
Instruction ID: 80ac3b1f06b0aa8987a515c042a991fa152ae7c6eb2ef87700798e985142547c
Opcode Fuzzy Hash: 54100242b4a4aed6b33c251cc6c9c1829913499a732be36417419061c5c3ffcd
Instruction Fuzzy Hash: FDF1A752F2CE4A5EE698BB7C589A6BD53D1FF58280F41457AD02FC32C7ED2CB8464A04

Function 00007FF8485D00F8 Relevance: 2.9, Strings: 2, Instructions: 363COMMON

Download Yara Rule

Strings

@, xrefs: 00007FF8485D9EDE
xoH, xrefs: 00007FF8485DA091

Memory Dump Source

Source File: 00000006.00000002.2478318140.00007FF8485C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF8485C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_7ff8485c0000_CodeTwo Active Directory Photos.jbxd

Similarity

API ID:
String ID: @$xoH
API String ID: 0-3068823521
Opcode ID: d8a0b99a082b287e44a9ed3d5ac86235d2d1235e6e219b4d50f16ff9cb775e4e
Instruction ID: 772201e1d2b9a4894115832a5f1fd13f2d6d5ec6dd75fbc15a3264017f812bcf
Opcode Fuzzy Hash: d8a0b99a082b287e44a9ed3d5ac86235d2d1235e6e219b4d50f16ff9cb775e4e
Instruction Fuzzy Hash: F2B10521C0D6C34FE76BF7344C151B97BD0EF92285F1941BED899C7193EB18A44A8B8A

Function 00007FF8485C55E6 Relevance: 2.8, Strings: 2, Instructions: 296COMMON

Download Yara Rule

Strings

0GiH, xrefs: 00007FF8485C562C
wQ_H, xrefs: 00007FF8485C5874

Memory Dump Source

Source File: 00000006.00000002.2478318140.00007FF8485C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF8485C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_7ff8485c0000_CodeTwo Active Directory Photos.jbxd

Similarity

API ID:
String ID: 0GiH$wQ_H
API String ID: 0-4239803360
Opcode ID: 954f0278fd40008b1cdfaa2686bcbdd9fe12a0322a2c2d59a2b89e4ff3f85c19
Instruction ID: 74b1a73c7416314e7ebae11f156e73ed40c815d3a3314ef25b9e9a58741f5c5e
Opcode Fuzzy Hash: 954f0278fd40008b1cdfaa2686bcbdd9fe12a0322a2c2d59a2b89e4ff3f85c19
Instruction Fuzzy Hash: 6A81A412F2CE4A5FE698BB7C589A6F953E1FB582C0F41457AD01FC328BED1CB8494644

Function 00007FF8485CC6CD Relevance: 2.7, Strings: 2, Instructions: 230COMMON

Download Yara Rule

Strings

H, xrefs: 00007FF8485CC8AC
]L_H, xrefs: 00007FF8485CC774

Memory Dump Source

Source File: 00000006.00000002.2478318140.00007FF8485C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF8485C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_7ff8485c0000_CodeTwo Active Directory Photos.jbxd

Similarity

API ID:
String ID: H$]L_H
API String ID: 0-1665895300
Opcode ID: ad55ad96fbc9332b8640a0b3d119bbb9db2c22a85e133c7ca34a5ab2ec59462b
Instruction ID: 50f931555764bc35ece3ee9cc968d863c11ad78e5528159a5ed4f5e0fa3ce4bb
Opcode Fuzzy Hash: ad55ad96fbc9332b8640a0b3d119bbb9db2c22a85e133c7ca34a5ab2ec59462b
Instruction Fuzzy Hash: 8B719071E1894E9FEB94EF68D8556ED7BF1FF98350F00017AD00DD7286DE2868868B40

Function 00007FF8485D0120 Relevance: 1.6, Strings: 1, Instructions: 374COMMON

Download Yara Rule

Strings

_, xrefs: 00007FF8485D0139

Memory Dump Source

Source File: 00000006.00000002.2478318140.00007FF8485C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF8485C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_7ff8485c0000_CodeTwo Active Directory Photos.jbxd

Similarity

API ID:
String ID: _
API String ID: 0-701932520
Opcode ID: 9ba593da0e9182374da01acdc0ac1b2f111934c436f2d8e55400e145a65970d7
Instruction ID: bb7e2ec866d0766e997d27ea227054aaa4125c00ed28f4e43fc3b513a912fb58
Opcode Fuzzy Hash: 9ba593da0e9182374da01acdc0ac1b2f111934c436f2d8e55400e145a65970d7
Instruction Fuzzy Hash: E8C1092180D6825FE367B7244C012E53FE0EF52354F1686FAD899CA0A3EB19991FC7D6

Function 00007FF8485D81A1 Relevance: 1.5, Strings: 1, Instructions: 219COMMON

Download Yara Rule

Strings

pE\H, xrefs: 00007FF8485D831B

Memory Dump Source

Source File: 00000006.00000002.2478318140.00007FF8485C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF8485C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_7ff8485c0000_CodeTwo Active Directory Photos.jbxd

Similarity

API ID:
String ID: pE\H
API String ID: 0-1378085713
Opcode ID: 7cbfa7d3c00aa537f6233493f396ee37e4d74cbb2d74bfe315e713013c980517
Instruction ID: 2ea0d5816265368336ecc9fd5c1e3b617f1b5a1d181de7b113e6da1e2a7a98cf
Opcode Fuzzy Hash: 7cbfa7d3c00aa537f6233493f396ee37e4d74cbb2d74bfe315e713013c980517
Instruction Fuzzy Hash: 2561C431B1C9498FEB88FF28D855A6973E1FF98340F4545B9D41EC7296DE38E8458B40

Function 00007FF8485D00ED Relevance: 1.4, Strings: 1, Instructions: 197COMMON

Download Yara Rule

Strings

_, xrefs: 00007FF8485D0139

Memory Dump Source

Source File: 00000006.00000002.2478318140.00007FF8485C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF8485C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_7ff8485c0000_CodeTwo Active Directory Photos.jbxd

Similarity

API ID:
String ID: _
API String ID: 0-701932520
Opcode ID: a70e2ab8486d708c8d9a5c4fb6f3643fbad56cc83c3594b023d52f02234a0cc6
Instruction ID: 6ee7c0f662265fea72c7e0a99edd5e01988e4b938035021f1a7d784c2b233887
Opcode Fuzzy Hash: a70e2ab8486d708c8d9a5c4fb6f3643fbad56cc83c3594b023d52f02234a0cc6
Instruction Fuzzy Hash: 18513A3290C6515BE756BB249C021F93BE0EF81358F15867AD89D870A3EF19A90FC7C6

Function 00007FF8485C17FC Relevance: 1.4, Strings: 1, Instructions: 173COMMON

Download Yara Rule

Strings

O4[H, xrefs: 00007FF8485C1874

Memory Dump Source

Source File: 00000006.00000002.2478318140.00007FF8485C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF8485C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_7ff8485c0000_CodeTwo Active Directory Photos.jbxd

Similarity

API ID:
String ID: O4[H
API String ID: 0-3759773446
Opcode ID: b8bd33fc4c2aa9b4cdcf009b3216443153fdf544dd21cef15178e8ed0e0eeb67
Instruction ID: 24229c2837b21f17e5bf6be0920efdc62d720aa52df76e44ed552516b59d6b6e
Opcode Fuzzy Hash: b8bd33fc4c2aa9b4cdcf009b3216443153fdf544dd21cef15178e8ed0e0eeb67
Instruction Fuzzy Hash: F3412312F5CD5B5FEA98BB2D68512B923D2EF94B80F950179D51EC32CAEF1CEC020685

Function 00007FF8485C310E Relevance: 1.4, Strings: 1, Instructions: 170COMMON

Download Yara Rule

Strings

xcfH, xrefs: 00007FF8485C3167

Memory Dump Source

Source File: 00000006.00000002.2478318140.00007FF8485C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF8485C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_7ff8485c0000_CodeTwo Active Directory Photos.jbxd

Similarity

API ID:
String ID: xcfH
API String ID: 0-2399020949
Opcode ID: 22b8da6d4305b0be9f2f53500a1a1402a678e3478e0953edfde7d82719920b08
Instruction ID: c44f8335ed1218bddd4f563536b98290306bdc60a022c8c5c25b4cc930259dca
Opcode Fuzzy Hash: 22b8da6d4305b0be9f2f53500a1a1402a678e3478e0953edfde7d82719920b08
Instruction Fuzzy Hash: 7F419B32B1CD4A5FE699FB2C98566F973D1FF58790F0500B9D01EC7286EE28A8024B85

Function 00007FF8485CED30 Relevance: 1.4, Strings: 1, Instructions: 151COMMON

Download Yara Rule

Strings

H, xrefs: 00007FF8485D0021

Memory Dump Source

Source File: 00000006.00000002.2478318140.00007FF8485C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF8485C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_7ff8485c0000_CodeTwo Active Directory Photos.jbxd

Similarity

API ID:
String ID: H
API String ID: 0-2852464175
Opcode ID: 025cce10bc0419182579074ddea86e536934003e97a484da4da6660bf59f6843
Instruction ID: 21721b9acb8fec1375c352ae6d24880ad86a41e7842ab5ef193b833482645329
Opcode Fuzzy Hash: 025cce10bc0419182579074ddea86e536934003e97a484da4da6660bf59f6843
Instruction Fuzzy Hash: 97414931D1DA464FE7A8FB249C065B977E0FF56380F45467DC8AA83191EF28640B8F86

Function 00007FF8485CFF1C Relevance: 1.4, Strings: 1, Instructions: 120COMMON

Download Yara Rule

Strings

H, xrefs: 00007FF8485D0021

Memory Dump Source

Source File: 00000006.00000002.2478318140.00007FF8485C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF8485C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_7ff8485c0000_CodeTwo Active Directory Photos.jbxd

Similarity

API ID:
String ID: H
API String ID: 0-2852464175
Opcode ID: a9b8cdf7be98f7c547f4a71511a87abaaf6028f71361b30a65695deac9ea7b8d
Instruction ID: 4ed904d60f5065e97081f979dd4c1b428d484c5bcdd0954a826f9e93fe9c6317
Opcode Fuzzy Hash: a9b8cdf7be98f7c547f4a71511a87abaaf6028f71361b30a65695deac9ea7b8d
Instruction Fuzzy Hash: 06315B71D1CA464FE7A8FB2498021EA77D1FF95384F51463DD8AA83281EF64640A8F85

Function 00007FF8485CFF06 Relevance: 1.4, Strings: 1, Instructions: 108COMMON

Download Yara Rule

Strings

H, xrefs: 00007FF8485D0021

Memory Dump Source

Source File: 00000006.00000002.2478318140.00007FF8485C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF8485C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_7ff8485c0000_CodeTwo Active Directory Photos.jbxd

Similarity

API ID:
String ID: H
API String ID: 0-2852464175
Opcode ID: 24c69488a9958aeb6f63e8835063dba2f0511fd7227db6d29cfc2c42eabe86fa
Instruction ID: 200ed31d00225f7379ad84a38d0017022d0893189d0cb3ecf1d6fa032c24df60
Opcode Fuzzy Hash: 24c69488a9958aeb6f63e8835063dba2f0511fd7227db6d29cfc2c42eabe86fa
Instruction Fuzzy Hash: 39314B71C1C6454FE7A8FB2498465EA77D0FF95384F55467CC8AA83181EF2464078F85

Function 00007FF8485D550D Relevance: 1.3, Strings: 1, Instructions: 93COMMON

Download Yara Rule

Strings

H$\H, xrefs: 00007FF8485D5588

Memory Dump Source

Source File: 00000006.00000002.2478318140.00007FF8485C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF8485C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_7ff8485c0000_CodeTwo Active Directory Photos.jbxd

Similarity

API ID:
String ID: H$\H
API String ID: 0-782866952
Opcode ID: 31caca44166e77e086d76f72a5dfb39f1ee502666e4723ee126b3ddccaf7a89a
Instruction ID: 49608b6c29b560850873c6137a30436004c6f97ae1dfa2182a0a430c29ca0968
Opcode Fuzzy Hash: 31caca44166e77e086d76f72a5dfb39f1ee502666e4723ee126b3ddccaf7a89a
Instruction Fuzzy Hash: 44210522F1ED8D5FD39AE63C68653B867C1EF59685F4502FBC009C72D6EE485C058381

Function 00007FF8485D58BD Relevance: 1.3, Strings: 1, Instructions: 93COMMON

Download Yara Rule

Strings

XS]H, xrefs: 00007FF8485D5916

Memory Dump Source

Source File: 00000006.00000002.2478318140.00007FF8485C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF8485C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_7ff8485c0000_CodeTwo Active Directory Photos.jbxd

Similarity

API ID:
String ID: XS]H
API String ID: 0-907379203
Opcode ID: 8b4ab3a24c1f193c499fe6a64477080c241892ac13e87cb08257843722d17b17
Instruction ID: 96d2304cba1c898e6d6501f7092cb55f212c76f181bf607dcbaea336659d2626
Opcode Fuzzy Hash: 8b4ab3a24c1f193c499fe6a64477080c241892ac13e87cb08257843722d17b17
Instruction Fuzzy Hash: 6921CF2290EAC61FD347A7385C665A43FF0EF576A0B0E81EBC499CB1A3DD1C580AC752

Function 00007FF8485C3BCF Relevance: 1.3, Strings: 1, Instructions: 81COMMON

Download Yara Rule

Strings

H, xrefs: 00007FF8485C3C48

Memory Dump Source

Source File: 00000006.00000002.2478318140.00007FF8485C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF8485C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_7ff8485c0000_CodeTwo Active Directory Photos.jbxd

Similarity

API ID:
String ID: H
API String ID: 0-2852464175
Opcode ID: 2cd99a074e7e0179188b3bb8be5f98cd7d1ec933cbc694fef357f45bd5faac54
Instruction ID: 7465fe65c4ee5606051a3b619cff1af86c93af58dd5b122ef0ef63f79a8926de
Opcode Fuzzy Hash: 2cd99a074e7e0179188b3bb8be5f98cd7d1ec933cbc694fef357f45bd5faac54
Instruction Fuzzy Hash: E1212712E0DA8E5EE7B9A72C6C551FE2FA1EF85790F4900B7C009C61CBDD1C28428786

Function 00007FF8485C0C3B Relevance: 1.3, Strings: 1, Instructions: 80COMMON

Download Yara Rule

Strings

0, xrefs: 00007FF8485C0CE4

Memory Dump Source

Source File: 00000006.00000002.2478318140.00007FF8485C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF8485C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_7ff8485c0000_CodeTwo Active Directory Photos.jbxd

Similarity

API ID:
String ID: 0
API String ID: 0-4108050209
Opcode ID: 6898c1c86a0859d9d37f94830475fb6f29feb2ded31eec868b74b654b7887646
Instruction ID: 8b8303f3b91193637e87baf6fb3c752bbef297d73539c2f27c4883aee697ef22
Opcode Fuzzy Hash: 6898c1c86a0859d9d37f94830475fb6f29feb2ded31eec868b74b654b7887646
Instruction Fuzzy Hash: BA210A25D0DA8E4EE795B7284C111BDBBD0EF453E0F4202BAD06DC61C2DF1868058B5E

Function 00007FF8485C39D3 Relevance: 1.3, Strings: 1, Instructions: 75COMMON

Download Yara Rule

Strings

M_I, xrefs: 00007FF8485C3A04

Memory Dump Source

Source File: 00000006.00000002.2478318140.00007FF8485C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF8485C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_7ff8485c0000_CodeTwo Active Directory Photos.jbxd

Similarity

API ID:
String ID: M_I
API String ID: 0-2572132861
Opcode ID: 473583084db29eb4d320dbb39b87573961386ada00fc3b47050fc2188df4decb
Instruction ID: 1408fec73ee4560d4a8ec797b7e4a2aec6d6f808788132c75cb2f53415a7ebef
Opcode Fuzzy Hash: 473583084db29eb4d320dbb39b87573961386ada00fc3b47050fc2188df4decb
Instruction Fuzzy Hash: 4F116D21D0E5C95FE365EB2C9C152FABF50FF02354F1502FBC09997087DD2968498AC2

Function 00007FF8485C3C89 Relevance: 1.3, Strings: 1, Instructions: 66COMMON

Download Yara Rule

Strings

H, xrefs: 00007FF8485C3C48

Memory Dump Source

Source File: 00000006.00000002.2478318140.00007FF8485C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF8485C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_7ff8485c0000_CodeTwo Active Directory Photos.jbxd

Similarity

API ID:
String ID: H
API String ID: 0-2852464175
Opcode ID: 2500146098bdc488492b665dde3a609eed35ab5aff95c9cc9c33efc08884f652
Instruction ID: 4e2b1fa9444deca5cd881cd5ad014b28acabad9e8eda1572eeb0136a9f47b914
Opcode Fuzzy Hash: 2500146098bdc488492b665dde3a609eed35ab5aff95c9cc9c33efc08884f652
Instruction Fuzzy Hash: 3011E501E0E84A5FE768732C68562FE2A92DFD5390F5A41B6D01EC22DBEE5C28434785

Function 00007FF8485CC5BE Relevance: 1.3, Strings: 1, Instructions: 60COMMON

Download Yara Rule

Strings

`&\H, xrefs: 00007FF8485CC62D

Memory Dump Source

Source File: 00000006.00000002.2478318140.00007FF8485C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF8485C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_7ff8485c0000_CodeTwo Active Directory Photos.jbxd

Similarity

API ID:
String ID: `&\H
API String ID: 0-1219217847
Opcode ID: b9baca95004cc35d5070ae4fdd3998cd8334a6fe8ed0a35f9d09f0fd36890b27
Instruction ID: f249cac469481bf6c7e38a32725f1b6ce8e646dd73c2da01cfd25e01204bd4e4
Opcode Fuzzy Hash: b9baca95004cc35d5070ae4fdd3998cd8334a6fe8ed0a35f9d09f0fd36890b27
Instruction Fuzzy Hash: B511C431A1C9468EE6A9B73844446B963E2FF54380F6504BAC06F872C2DF2DBC825B05

Function 00007FF8485C5565 Relevance: 1.3, Strings: 1, Instructions: 52COMMON

Download Yara Rule

Strings

x9iH, xrefs: 00007FF8485C55DA

Memory Dump Source

Source File: 00000006.00000002.2478318140.00007FF8485C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF8485C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_7ff8485c0000_CodeTwo Active Directory Photos.jbxd

Similarity

API ID:
String ID: x9iH
API String ID: 0-1749913660
Opcode ID: 945cc803dec1a3035d285c584029d7896d6cc0ddbed39ae7a111c020d5f4611e
Instruction ID: c6bfc1ae673b6939092d98d73167a0feea9bae91975d65ed1de8f1846438aef8
Opcode Fuzzy Hash: 945cc803dec1a3035d285c584029d7896d6cc0ddbed39ae7a111c020d5f4611e
Instruction Fuzzy Hash: 2F017122B2CD4A6EE6D8BB2C5896AB95291FB98280F414579D01FC32CBED2CB8054B44

Function 00007FF8485D16D9 Relevance: .5, Instructions: 503COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2478318140.00007FF8485C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF8485C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_7ff8485c0000_CodeTwo Active Directory Photos.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8605dc041b51d858b2e39a1bf4f9e4393b4a92ebdbc633bfabef2995956d516e
Instruction ID: 6ef3f9817cda6c2c95df5edea4a6521f7d243bbacafab38bb85243aed992369a
Opcode Fuzzy Hash: 8605dc041b51d858b2e39a1bf4f9e4393b4a92ebdbc633bfabef2995956d516e
Instruction Fuzzy Hash: 06E10921B2D8194FE798E76C94623B872D3FF88761F5404B9E04ED33DADD69AC018791

Function 00007FF8485D01A0 Relevance: .5, Instructions: 494COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2478318140.00007FF8485C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF8485C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_7ff8485c0000_CodeTwo Active Directory Photos.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 148a2a4a0c77c6a05d2caf2013e356e611517691e343723e69691e5371e291eb
Instruction ID: 9a30e6a2275d696d0f3caf3a0a7743b6f108a8deff505449457328c16aebff20
Opcode Fuzzy Hash: 148a2a4a0c77c6a05d2caf2013e356e611517691e343723e69691e5371e291eb
Instruction Fuzzy Hash: 1BE1E821B2D8195FE798EB6C94623B862D3FF8C7A1F540479E04ED33DACD69AC018791

Function 00007FF8485D7689 Relevance: .5, Instructions: 493COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2478318140.00007FF8485C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF8485C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_7ff8485c0000_CodeTwo Active Directory Photos.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1a3bbe754beff4ac5a1f8d83ab825ead5c919c66e2a1d17c83a535a727a435cc
Instruction ID: 247743d29f156dfe1ec2c3c67eb86b1bc2f94315e3b5cff544143da3c8b0b57a
Opcode Fuzzy Hash: 1a3bbe754beff4ac5a1f8d83ab825ead5c919c66e2a1d17c83a535a727a435cc
Instruction Fuzzy Hash: 56020D7181D7858FE366AB3488016E57BE1FF4A354F0644FDC85D8B2A3EB38A806CB45

Function 00007FF8485D7B0D Relevance: .5, Instructions: 476COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2478318140.00007FF8485C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF8485C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_7ff8485c0000_CodeTwo Active Directory Photos.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7617538723ead224fc5de79ab071e910cf01cec8d3f74ed51e4c8f708038fe26
Instruction ID: 0bf94165cb3cc34f3d5a146d4bf42a5db0cddef995b3e70bf1f65c184e700d29
Opcode Fuzzy Hash: 7617538723ead224fc5de79ab071e910cf01cec8d3f74ed51e4c8f708038fe26
Instruction Fuzzy Hash: F202E47181D7898FD366AB2488416E57BE0FF46344F0644FEC859CB2A3EF39A906CB45

Function 00007FF8485C5C7C Relevance: .5, Instructions: 464COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2478318140.00007FF8485C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF8485C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_7ff8485c0000_CodeTwo Active Directory Photos.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1eb1a3f098bc6a3b7b4cab865a9002bc50a6a958c29be2fb51943586387fb024
Instruction ID: 1b16adbb6ac62a4bff7d997cb03c380779a46147f69c012f2a927a483a04330b
Opcode Fuzzy Hash: 1eb1a3f098bc6a3b7b4cab865a9002bc50a6a958c29be2fb51943586387fb024
Instruction Fuzzy Hash: C002CC34619A498FD7A9FB28C499BAA73E1FF59301F5104BDE05EC72A6CE35E841CB04

Function 00007FF84877068A Relevance: .3, Instructions: 346COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2479942821.00007FF848770000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848770000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_7ff848770000_CodeTwo Active Directory Photos.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b361cd266b49fac92c9af4bd7f31a0f66ca5cf10649e3b067294652276145ea6
Instruction ID: 8137216c050f9ad37d2952655c4be2b8fb4af49d91f489fcc6344e119da99377
Opcode Fuzzy Hash: b361cd266b49fac92c9af4bd7f31a0f66ca5cf10649e3b067294652276145ea6
Instruction Fuzzy Hash: C3913621A0EB895FE799EA7898696763BD0EF56740F0901FFD049C72A3CE14BC01C395

Function 00007FF8485C76E2 Relevance: .3, Instructions: 336COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2478318140.00007FF8485C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF8485C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_7ff8485c0000_CodeTwo Active Directory Photos.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 329ba64b4a8ad48d737573d36060cc461ffbdf634c4d8d5c90722cedd700a310
Instruction ID: b85f607f29cbac927e1b07833e27b7f9768d9567e647d27728c13239bd33195e
Opcode Fuzzy Hash: 329ba64b4a8ad48d737573d36060cc461ffbdf634c4d8d5c90722cedd700a310
Instruction Fuzzy Hash: 63C1703060DB498FD7A8EB28C495BAA77E1EF99341F0105BDD05EC72A6CF39A845CB05

Function 00007FF8487700B4 Relevance: .3, Instructions: 256COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2479942821.00007FF848770000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848770000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_7ff848770000_CodeTwo Active Directory Photos.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1c2135dc4b51a7b63bec79afd575910ecdff4bba6e98c824ed098fc5b89ba364
Instruction ID: 297763857b16ccedb3eaa1fcad29ac3b981bd31689e9c1d9ae9026816e594195
Opcode Fuzzy Hash: 1c2135dc4b51a7b63bec79afd575910ecdff4bba6e98c824ed098fc5b89ba364
Instruction Fuzzy Hash: D071E431A0DA894FD799EB2C98696757BE1FF9A700F0501FED049C72A3DA28EC42C745

Function 00007FF8485D7F91 Relevance: .2, Instructions: 190COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2478318140.00007FF8485C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF8485C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_7ff8485c0000_CodeTwo Active Directory Photos.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3aceeac9690d4d58fc8bb945aaaf86c265530779e54f2b3f38643d7b3a735b61
Instruction ID: 3d68b2b04b176a95b0743c8653c867dd6751050a3eab532dd1ab8c95cc1f3b28
Opcode Fuzzy Hash: 3aceeac9690d4d58fc8bb945aaaf86c265530779e54f2b3f38643d7b3a735b61
Instruction Fuzzy Hash: 66515D70A1CA098FE799FF28D8457A573E1FF88340F5584B9D85DC729ADF38A8428B44

Function 00007FF848771560 Relevance: .2, Instructions: 188COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2479942821.00007FF848770000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848770000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_7ff848770000_CodeTwo Active Directory Photos.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9ea7fbcefd2d0c22bb788afe7edca5a5da4fa6f0d3fc43ef8dbfb792eae50103
Instruction ID: a987f46200ef229a7d227022e78e2c446a750809a036a6d64429b448c6568f4f
Opcode Fuzzy Hash: 9ea7fbcefd2d0c22bb788afe7edca5a5da4fa6f0d3fc43ef8dbfb792eae50103
Instruction Fuzzy Hash: 66510630A0DA894FE799EB2C98659747BE1FF55790F0800BAE449C71A3DE24FC41C799

Function 00007FF8485CED88 Relevance: .2, Instructions: 185COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2478318140.00007FF8485C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF8485C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_7ff8485c0000_CodeTwo Active Directory Photos.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9cabf6ff9aa10d0b50194b8a1d9d54abe9d7185cb13942239a9932ef24c13362
Instruction ID: 94ff22ce7472517b1fa60e18da883904531c9e0938102f3ec1cc8db30b019bec
Opcode Fuzzy Hash: 9cabf6ff9aa10d0b50194b8a1d9d54abe9d7185cb13942239a9932ef24c13362
Instruction Fuzzy Hash: 9A51C821E1CD0A5FE685FB2858666BDB6D1FF98390F054176D41DC32C6DF28A8024BC9

Function 00007FF8485C1AB8 Relevance: .2, Instructions: 183COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2478318140.00007FF8485C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF8485C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_7ff8485c0000_CodeTwo Active Directory Photos.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e99d3e9bb83adb37dbcee3fa6b6901448e34ad5bc1ffffb3089744399772526c
Instruction ID: a70519273b83933b7077eef5279e5c613dce1a84e9a64ae33198c70ec6a75000
Opcode Fuzzy Hash: e99d3e9bb83adb37dbcee3fa6b6901448e34ad5bc1ffffb3089744399772526c
Instruction Fuzzy Hash: D4513B70E5891A9FEF88EB68D890ABD7BF2FF98340F414079D019D7295DB38A841CB44

Function 00007FF8485D0118 Relevance: .2, Instructions: 159COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2478318140.00007FF8485C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF8485C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_7ff8485c0000_CodeTwo Active Directory Photos.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fecbeab88cd09b5f9e211a9d1554a95bd9d4cef3dcfd75589d3ae7858dbf18d0
Instruction ID: 730bfe68b8bad2236bd0eb5e35895ff34e3e85b96223c9a8b4a97182e7393607
Opcode Fuzzy Hash: fecbeab88cd09b5f9e211a9d1554a95bd9d4cef3dcfd75589d3ae7858dbf18d0
Instruction Fuzzy Hash: 9D41C132E0CA1D4FEB54F7A8AC466EDB7E1EB88360F11413AD41DD3281CF656C028B85

Function 00007FF8485CEDA0 Relevance: .1, Instructions: 146COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2478318140.00007FF8485C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF8485C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_7ff8485c0000_CodeTwo Active Directory Photos.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7d55ba7185f86f3f70872079493fdd7e192aa85159d36451c995e12c883084fd
Instruction ID: 759ad25bd8fb8f6b3b63a30dad4a2579cc2b4f80d0c9a6215cb5d9a54d15e387
Opcode Fuzzy Hash: 7d55ba7185f86f3f70872079493fdd7e192aa85159d36451c995e12c883084fd
Instruction Fuzzy Hash: 36312B22F4CD1E1FF6A8B71C2C5A1B973C1EB94AE1F45417AD82DC328ADF096C430A85

Function 00007FF8485C291D Relevance: .1, Instructions: 141COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2478318140.00007FF8485C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF8485C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_7ff8485c0000_CodeTwo Active Directory Photos.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d820bfd1df29a0287adcb5bc27c36dc276a2624fba6d6b9281c4f7a00e352860
Instruction ID: 7589935836761466274a72a3cba0c002c4a6fe93b39dc239f33f468ce9c25534
Opcode Fuzzy Hash: d820bfd1df29a0287adcb5bc27c36dc276a2624fba6d6b9281c4f7a00e352860
Instruction Fuzzy Hash: 61414A35E0991E9FEF98FBA8D8556EDB7B2EF98341F400139D01ED3285DE38A8418B44

Function 00007FF8485D01C0 Relevance: .1, Instructions: 140COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2478318140.00007FF8485C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF8485C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_7ff8485c0000_CodeTwo Active Directory Photos.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b4136b474206d6a7086e0c302e6906ea8da6c2fc5afce2f9d54bb03278ddb674
Instruction ID: d8359a1f272329f13774a88e2ac07e56c609da99281cc2c2e820b0ffe518385c
Opcode Fuzzy Hash: b4136b474206d6a7086e0c302e6906ea8da6c2fc5afce2f9d54bb03278ddb674
Instruction Fuzzy Hash: 51414222E6C9860FE7A8B3284C562B9B3C1FF947C1F444179D92EC7286EE186C0246C6

Function 00007FF8487702E5 Relevance: .1, Instructions: 140COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2479942821.00007FF848770000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848770000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_7ff848770000_CodeTwo Active Directory Photos.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 07616329b9074952b86680aa2fd358b573639695bed6521be745b56e78b0fd49
Instruction ID: f778b5ef528c1786fad234ede10bd8d635b0e822bcaeac51b1f876a57f4876e1
Opcode Fuzzy Hash: 07616329b9074952b86680aa2fd358b573639695bed6521be745b56e78b0fd49
Instruction Fuzzy Hash: E331907071CA098FDAA8EB1CD865A7573D2FB98750B5101BEE04EC32A6DF24FC428785

Function 00007FF8484AE220 Relevance: .1, Instructions: 134COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2477436719.00007FF8484AD000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF8484AD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_7ff8484ad000_CodeTwo Active Directory Photos.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 73ce5608b89f0f117faea51365ed7ed904b6d94905c74de5f42e41ed78b62d5e
Instruction ID: dbebe745e26e9e64e6e270272e2da2d60b00f3385789bdc2fb42c2a79e2971b0
Opcode Fuzzy Hash: 73ce5608b89f0f117faea51365ed7ed904b6d94905c74de5f42e41ed78b62d5e
Instruction Fuzzy Hash: DA41243180DBC48FE756DB2898459623FF0EF46320F1506EFE088CF1A3D624A846C7A6

Function 00007FF8485C32A1 Relevance: .1, Instructions: 132COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2478318140.00007FF8485C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF8485C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_7ff8485c0000_CodeTwo Active Directory Photos.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 59cdf403c0bbc36b1e9449053e7c192098331b151b685ef08bc85d2b5d987ada
Instruction ID: e2b90d75dc25e873288b04b7741b94d21e9771614ed6906e99f6a16a10f4f05b
Opcode Fuzzy Hash: 59cdf403c0bbc36b1e9449053e7c192098331b151b685ef08bc85d2b5d987ada
Instruction Fuzzy Hash: C9413421A0DACA8FE75AEB3C98552A57BA1FF56340F1940FEC058CB1C7DE28AC06C741

Function 00007FF8485CB3E9 Relevance: .1, Instructions: 132COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2478318140.00007FF8485C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF8485C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_7ff8485c0000_CodeTwo Active Directory Photos.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8af946e9af2979bfadc2e0ce83aceba76821a225d1aca660c98c2f26a944e87e
Instruction ID: 65f03a448a8084346ec86c0e479add3456df19e4f2d3df8ff90cf4afce7b70ed
Opcode Fuzzy Hash: 8af946e9af2979bfadc2e0ce83aceba76821a225d1aca660c98c2f26a944e87e
Instruction Fuzzy Hash: BF412864A1DA869FEBA9EB28889473573D2EF84744F19447DC05FC32C6CF28AC068756

Function 00007FF8485CAAD5 Relevance: .1, Instructions: 129COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2478318140.00007FF8485C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF8485C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_7ff8485c0000_CodeTwo Active Directory Photos.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 17ebe3c14cd0c30e031baa391d03e6b87d046a4e455f2b57c333cdc169f93a24
Instruction ID: f2486cb968663d0c367a70ea1fd516cfef5251449c9be3f26d0a71d346023ff6
Opcode Fuzzy Hash: 17ebe3c14cd0c30e031baa391d03e6b87d046a4e455f2b57c333cdc169f93a24
Instruction Fuzzy Hash: 14413C22C9D7C84FE75B672588211A57F71EF13655F0A02FBC0EACB5A3D62C184B8762

Function 00007FF8485C50E0 Relevance: .1, Instructions: 129COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2478318140.00007FF8485C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF8485C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_7ff8485c0000_CodeTwo Active Directory Photos.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 50d736de4ea4f7f3dfb844a60db3eceaa6ed4176f26d3cdcdb33943490810f67
Instruction ID: 6e760f029f06bea460539bcc15e04c30c13297222ddc3f5fe4347329b5eb0bb7
Opcode Fuzzy Hash: 50d736de4ea4f7f3dfb844a60db3eceaa6ed4176f26d3cdcdb33943490810f67
Instruction Fuzzy Hash: 6341B464A1D94A9FEAA8EB28849473562D2FFD4748F15453CD05FC32CACF38EC068B45

Function 00007FF8485CA8C9 Relevance: .1, Instructions: 126COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2478318140.00007FF8485C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF8485C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_7ff8485c0000_CodeTwo Active Directory Photos.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8736ebe5dbf212fae06c821314412283d2604f5e52039184c78384d9fa074bad
Instruction ID: ab6882b9de92ecfdd4e79a3269c5d32ab45146bfb66958a6e762326f0a404350
Opcode Fuzzy Hash: 8736ebe5dbf212fae06c821314412283d2604f5e52039184c78384d9fa074bad
Instruction Fuzzy Hash: 6341C231E0DE418FE299A7386C625A576D2FF99744F8700BCD06EC32D7CE286842CB09

Function 00007FF8485CBE38 Relevance: .1, Instructions: 116COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2478318140.00007FF8485C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF8485C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_7ff8485c0000_CodeTwo Active Directory Photos.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2017ea735e160ba65004a6b9a04b0afa46f3e0366b334b1e93abc7c2cdb8a47e
Instruction ID: 7f0b1b0849fe9bb0451c1adcb152444c953cb4eb0c3a8626d2ee7024f2320fc2
Opcode Fuzzy Hash: 2017ea735e160ba65004a6b9a04b0afa46f3e0366b334b1e93abc7c2cdb8a47e
Instruction Fuzzy Hash: C5312421A1C94A4FEB94FB2C58497B677D2EB98780F1401BAD05EC32D7DE28AC454B43

Function 00007FF8485CA92D Relevance: .1, Instructions: 106COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2478318140.00007FF8485C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF8485C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_7ff8485c0000_CodeTwo Active Directory Photos.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5ceac3afd9747a7816f83dd59274c16de91214cbcac403e51a89bad8a0595bf8
Instruction ID: c143dc73a8bacece80f8cb66f334e9d18d63795bad7e2608c17697bbdb31e995
Opcode Fuzzy Hash: 5ceac3afd9747a7816f83dd59274c16de91214cbcac403e51a89bad8a0595bf8
Instruction Fuzzy Hash: E1318331A0DF458FE299EB386C6156576D2FF99744F8700ACD06DC32D6DE296842C709

Function 00007FF8485C1FD8 Relevance: .1, Instructions: 105COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2478318140.00007FF8485C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF8485C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_7ff8485c0000_CodeTwo Active Directory Photos.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6310baefe59506592c4e1c815f0d413b80cc4e8eeb0c655c32b807362d60d371
Instruction ID: b12ca598d735bc6904f701cc1e869e50a18fbe9d6b66889c8fdd3ecead783c6b
Opcode Fuzzy Hash: 6310baefe59506592c4e1c815f0d413b80cc4e8eeb0c655c32b807362d60d371
Instruction Fuzzy Hash: 44317E31E1D9099FDB94EB6898423FE77E1FF48355F15017AE01ED3282EE2D68018B89

Function 00007FF8485C3CE1 Relevance: .1, Instructions: 101COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2478318140.00007FF8485C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF8485C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_7ff8485c0000_CodeTwo Active Directory Photos.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 772e73912d3e972015c7cf6637f2b97555f88843aa3fbf7e95790239dfdbffac
Instruction ID: ef80c3c2228633f653e92321a7e3c069fd8c4e037c5400635283316d82b99293
Opcode Fuzzy Hash: 772e73912d3e972015c7cf6637f2b97555f88843aa3fbf7e95790239dfdbffac
Instruction Fuzzy Hash: 3021F13161CA484FD784FB28D45A6A973D1FF89700F1100BEE40EC7396DE6AED428781

Function 00007FF8485D0F50 Relevance: .1, Instructions: 96COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2478318140.00007FF8485C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF8485C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_7ff8485c0000_CodeTwo Active Directory Photos.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 348f04aa01c90a9e35b7e06fec56b36339a28cdeb99a19c1eda9ec2e9d4e9a8b
Instruction ID: 0c9d9b1a3d526acc5da5c428cbd19a42a5045ab6ea6b60235128b1c129518bb5
Opcode Fuzzy Hash: 348f04aa01c90a9e35b7e06fec56b36339a28cdeb99a19c1eda9ec2e9d4e9a8b
Instruction Fuzzy Hash: 3E21F37150D6C94FD362A7286C146A67FE4EF86260F1A01FBE49CCB093D6184C06C756

Function 00007FF8485D71B4 Relevance: .1, Instructions: 90COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2478318140.00007FF8485C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF8485C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_7ff8485c0000_CodeTwo Active Directory Photos.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dcc3863c2ead874ed854dc7cdd2d27fdcf7d126b5bf10504f18c7f5c0b2c8655
Instruction ID: f744d21151f6df1d6d09dab2dfccc677e3dd5bb19d79365af3dbeb2ee7026e63
Opcode Fuzzy Hash: dcc3863c2ead874ed854dc7cdd2d27fdcf7d126b5bf10504f18c7f5c0b2c8655
Instruction Fuzzy Hash: 8921C523E2CC5A5EEA99FB1858466FD12D1EF587D0F0541B6DC1FCB28BEF1869020789

Function 00007FF8485DD860 Relevance: .1, Instructions: 88COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2478318140.00007FF8485C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF8485C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_7ff8485c0000_CodeTwo Active Directory Photos.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6b9c9b4a4e1fc6bec9fc7be86184c0ed34f3c0d75308deea0ccecb54e533ac2c
Instruction ID: 9d07ddcb78ce5ef8682e487ff7d57f7b32778c2e47605a53ca94ae25efc619b1
Opcode Fuzzy Hash: 6b9c9b4a4e1fc6bec9fc7be86184c0ed34f3c0d75308deea0ccecb54e533ac2c
Instruction Fuzzy Hash: 39214C32E1D81E5FEBA5FB68A8452BDB2E2FB84390F418276D41ED3185DF2878414B85

Function 00007FF8485CE8CC Relevance: .1, Instructions: 86COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2478318140.00007FF8485C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF8485C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_7ff8485c0000_CodeTwo Active Directory Photos.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1cb6aa535eaaa3fbbf852776be62f78f4a99db07c447a6263777ad1a383950c7
Instruction ID: aed25c01970102323dbc7575be9fee6de1fd0165d7621806b451af62604fc722
Opcode Fuzzy Hash: 1cb6aa535eaaa3fbbf852776be62f78f4a99db07c447a6263777ad1a383950c7
Instruction Fuzzy Hash: 4F21B722C0E7C65EE392AB68ACA60F97F61EF53264F0A01F7D0998B0D3DA0924498755

Function 00007FF8485CD9C8 Relevance: .1, Instructions: 85COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2478318140.00007FF8485C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF8485C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_7ff8485c0000_CodeTwo Active Directory Photos.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d49637508007ddd0dc00162b7c39928409313f2ecb646c2ae352e115f3dfe8e5
Instruction ID: d31a565075ecdce5f05dc3e4afc8ebd99a1bd4cd368f0210bc85541c35b658c4
Opcode Fuzzy Hash: d49637508007ddd0dc00162b7c39928409313f2ecb646c2ae352e115f3dfe8e5
Instruction Fuzzy Hash: 95219671A1CA098FDB19EB5C98411FCB7E1FB84750F65027EC01ED3246DE35A8038B89

Function 00007FF8485C5355 Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2478318140.00007FF8485C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF8485C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_7ff8485c0000_CodeTwo Active Directory Photos.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: add6a978fb483c88286b5149ad7550608508e0b794d287dbff170edae62ba15f
Instruction ID: 9d55020b38097d6d2a20179bbaf3866320647599f14ed3f985dd8bb6dd27431b
Opcode Fuzzy Hash: add6a978fb483c88286b5149ad7550608508e0b794d287dbff170edae62ba15f
Instruction Fuzzy Hash: 3F21F051A0CAC60FE796AB7C98642747FE0EF52680F1A00F7C0A8CB1D3DA44EC45CB96

Function 00007FF8485C2ED6 Relevance: .1, Instructions: 74COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2478318140.00007FF8485C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF8485C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_7ff8485c0000_CodeTwo Active Directory Photos.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: aa77d9953cc5e2411a89d37d10513c60d59329a1f73c6058ce7a41893a7c4c86
Instruction ID: e8aee0919625331215c8fddc0448406d2ca45cbceaa24af6a4e1ab2dc0916a27
Opcode Fuzzy Hash: aa77d9953cc5e2411a89d37d10513c60d59329a1f73c6058ce7a41893a7c4c86
Instruction Fuzzy Hash: 5011C16284E7C96FD753AB745C660A53FB0DE83250F0A01EBD088CB0A7DA5C494EC712

Function 00007FF8485C494D Relevance: .1, Instructions: 70COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2478318140.00007FF8485C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF8485C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_7ff8485c0000_CodeTwo Active Directory Photos.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1a09314c58e9675e92b09a932af93b6b1ebe7622b6712380a5561123418ba841
Instruction ID: ef09369afb0ff2185a9313fa39bb1466b163e4c6ef5b3a03c9dee36cf87d62c1
Opcode Fuzzy Hash: 1a09314c58e9675e92b09a932af93b6b1ebe7622b6712380a5561123418ba841
Instruction Fuzzy Hash: BF218E3090CA898FE7A9EF18C851E6977E1FF95340F0605BAD01EC72AADB3898458B45

Function 00007FF8485D2381 Relevance: .1, Instructions: 69COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2478318140.00007FF8485C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF8485C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_7ff8485c0000_CodeTwo Active Directory Photos.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 05830386c170fc8ce279e1b901067a34694e386c4e0f6f4276f6c0e994372e35
Instruction ID: 395c5d4a3574efeeebd81df59acbb588ef94c3f781693d10dbec70ab72165cef
Opcode Fuzzy Hash: 05830386c170fc8ce279e1b901067a34694e386c4e0f6f4276f6c0e994372e35
Instruction Fuzzy Hash: BA110631A5C9860FF399A32C38513F42BD0EF86391F9A80BAD85DC71C7EE0C28824745

Function 00007FF8485D55DA Relevance: .1, Instructions: 68COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2478318140.00007FF8485C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF8485C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_7ff8485c0000_CodeTwo Active Directory Photos.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a97bd34590a45fcbeb9e68dc623137a194857a97ee1367fc2c44fb0d2a364f58
Instruction ID: 46b92f1379fbab8444ba3ef31f6fb5b1be647e7dd6c207a8f89b307528fd1fed
Opcode Fuzzy Hash: a97bd34590a45fcbeb9e68dc623137a194857a97ee1367fc2c44fb0d2a364f58
Instruction Fuzzy Hash: C1016611B1CC8A0EF3A9A33C28153B86AC1EF863A1FCE40FBD85DC6187DE0C18418746

Function 00007FF8485D1DCD Relevance: .1, Instructions: 67COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2478318140.00007FF8485C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF8485C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_7ff8485c0000_CodeTwo Active Directory Photos.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c9f7b3d695731e2927e0ba7630e4a8c00e02845df3e70d000288e461922569d6
Instruction ID: 87ee301486c5facafb79e2e242b24f50fd12d70c61cfe9f57650b453fb666178
Opcode Fuzzy Hash: c9f7b3d695731e2927e0ba7630e4a8c00e02845df3e70d000288e461922569d6
Instruction Fuzzy Hash: 3111C821F1CE0D4FE699BB1C186527873C2EB98B80F40407ED81DC329BCE196C434B45

Function 00007FF8485D0F99 Relevance: .1, Instructions: 65COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2478318140.00007FF8485C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF8485C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_7ff8485c0000_CodeTwo Active Directory Photos.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a5aee67173b2d3592b07b74ffd8d47728f6f5b99708effd7a34b621fb8270826
Instruction ID: b424fb62d22368eba5ef6d607afdbda8ea64be6814a351bea2e7f557ae8309f5
Opcode Fuzzy Hash: a5aee67173b2d3592b07b74ffd8d47728f6f5b99708effd7a34b621fb8270826
Instruction Fuzzy Hash: AB11062054E6C64FC793A73C6C246627FE4DF47221B1944FBE0D8CB097DA084C4AC756

Function 00007FF8485D4E69 Relevance: .1, Instructions: 63COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2478318140.00007FF8485C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF8485C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_7ff8485c0000_CodeTwo Active Directory Photos.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c2078ba283562fa6a80b23d1627d12550371b09ccdd5712bfc2a766b11dee2fe
Instruction ID: 9bad98137a5e98e9177e296a7b3f5568d7c0dadc23f628b795cbdc753ae6e991
Opcode Fuzzy Hash: c2078ba283562fa6a80b23d1627d12550371b09ccdd5712bfc2a766b11dee2fe
Instruction Fuzzy Hash: F5110811F1D94A1FF7A9A32C2C613B867D1EF85390F9A80BAD85DC72C6DE0C18860747

Function 00007FF8485D68C1 Relevance: .1, Instructions: 63COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2478318140.00007FF8485C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF8485C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_7ff8485c0000_CodeTwo Active Directory Photos.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b35d2b4dd4e4dcf34e2824c3cac5361949dc99b31dc948c8eb830493a8e233e7
Instruction ID: cde5bea04d9917b8b0eda7170bbf77217fa40d44fa3e55ecd91f3644953bd948
Opcode Fuzzy Hash: b35d2b4dd4e4dcf34e2824c3cac5361949dc99b31dc948c8eb830493a8e233e7
Instruction Fuzzy Hash: EE11983085D6958FE3A6AB30CC547F53BE1AF46340F1644BAD4AA860E2CB2D7886CB55

Function 00007FF8485C53F9 Relevance: .1, Instructions: 58COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2478318140.00007FF8485C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF8485C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_7ff8485c0000_CodeTwo Active Directory Photos.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 30f58df304284153e83bcc83d6211eb8145f449347e7b6444b2ff38724669fc1
Instruction ID: 87381805b7bb08e8250e9a28aa3c8d6da3cb1047b897ade3e67aa15afb494506
Opcode Fuzzy Hash: 30f58df304284153e83bcc83d6211eb8145f449347e7b6444b2ff38724669fc1
Instruction Fuzzy Hash: 99110421B0CD894FE795B72C58996B43BE1FF95341F4900A6D048C71E7DE18AC81C785

Function 00007FF8485C2EBF Relevance: .1, Instructions: 58COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2478318140.00007FF8485C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF8485C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_7ff8485c0000_CodeTwo Active Directory Photos.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 05edb32aeca78ac72c7618694d5395b804c9e42748266a88ab6856aef3aee546
Instruction ID: b1a55415e7a408a1f27e059d461eb28dab0b8321545a6894d8e032906166573a
Opcode Fuzzy Hash: 05edb32aeca78ac72c7618694d5395b804c9e42748266a88ab6856aef3aee546
Instruction Fuzzy Hash: 1D012462D4D7CC6FCB42EB246C520A87FB0EF92290F0602F7D408C6192EE684959C746

Function 00007FF8485D275B Relevance: .1, Instructions: 58COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2478318140.00007FF8485C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF8485C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_7ff8485c0000_CodeTwo Active Directory Photos.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0b71f47a5e53d84a9541e7b45118f0c155fff051b6ff0b192d2fdd6d40247d8d
Instruction ID: 7fb9e9231ada5ef819a9dcefd586214fc74f019d061b58c1e9d277f08d1530fa
Opcode Fuzzy Hash: 0b71f47a5e53d84a9541e7b45118f0c155fff051b6ff0b192d2fdd6d40247d8d
Instruction Fuzzy Hash: 45010C31B2891C9FDF44FBACD4959A973E1EF58716B0005B5E50DC7296DE24EC52C780

Function 00007FF8485C1A15 Relevance: .1, Instructions: 57COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2478318140.00007FF8485C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF8485C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_7ff8485c0000_CodeTwo Active Directory Photos.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4568343def944fac33d1a8f28805e024aa77ee87d1e320317509297d08ce3a94
Instruction ID: be2dfc83b2b6f45bea2c8bd5e702562fd1c376a0fece4a03ceb620ff1635d76c
Opcode Fuzzy Hash: 4568343def944fac33d1a8f28805e024aa77ee87d1e320317509297d08ce3a94
Instruction Fuzzy Hash: 6E01D48589F2C55EE75773781C601B22FE8CF43265F1900EAE1E8C90D7E94C489AC3A7

Function 00007FF8485D2787 Relevance: .1, Instructions: 55COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2478318140.00007FF8485C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF8485C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_7ff8485c0000_CodeTwo Active Directory Photos.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 766f882916d9993cde02509ac1f9e98241998a1f597978ab6900d28e4eb4e612
Instruction ID: 8b06d82504f172cb2f2c3f77f0dd572b6f26315f2c5104357457c09efb21df65
Opcode Fuzzy Hash: 766f882916d9993cde02509ac1f9e98241998a1f597978ab6900d28e4eb4e612
Instruction Fuzzy Hash: E5015E31B2895C8FEF54FB6C9455AB877E1EF58316B0100B5D40DC72A6DE28EC42C791

Function 00007FF8485CC3F5 Relevance: .1, Instructions: 54COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2478318140.00007FF8485C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF8485C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_7ff8485c0000_CodeTwo Active Directory Photos.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8df44eaf12adcf7eb5bc241152c05a53dac71f7c9ad5a6c32af7835060bcf084
Instruction ID: f6b5f6530651185a4a25b3853b33f1c9237193bf58c76bca35bbe95608145946
Opcode Fuzzy Hash: 8df44eaf12adcf7eb5bc241152c05a53dac71f7c9ad5a6c32af7835060bcf084
Instruction Fuzzy Hash: D501FC12D0DEC65FE386AB3818651F87BA0EF55650F0941F6D05DCB0C7ED0C1C454706

Function 00007FF8485D096D Relevance: .1, Instructions: 52COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2478318140.00007FF8485C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF8485C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_7ff8485c0000_CodeTwo Active Directory Photos.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 83fe37dfadc777f6d0818504423a08545c59ce38633ed963ee84d0dec90fea82
Instruction ID: 55a3681f1bea746f24cf01e63b30c415eb3e7fbcf46bf99d8953305ed6647c81
Opcode Fuzzy Hash: 83fe37dfadc777f6d0818504423a08545c59ce38633ed963ee84d0dec90fea82
Instruction Fuzzy Hash: D701D1319086489FCB04EF18EC599E97BE0FFAA311F05416BE408C71A2CB20A844CB81

Function 00007FF8485C2F1C Relevance: .1, Instructions: 51COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2478318140.00007FF8485C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF8485C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_7ff8485c0000_CodeTwo Active Directory Photos.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f2e915ab49eac934d8911401eda3e2fba5c015cbb21dcc3d349d5e08d4591c08
Instruction ID: 7de299ec72e748f9f750f99628e07b4e20b7d21f12d7b475f1c39e14358f477c
Opcode Fuzzy Hash: f2e915ab49eac934d8911401eda3e2fba5c015cbb21dcc3d349d5e08d4591c08
Instruction Fuzzy Hash: B9F0FF22C0DACC6FDB42EB785C560A97FB0EF42240F0602EBD048CA1A3EA684958C746

Function 00007FF8485D27F8 Relevance: .1, Instructions: 51COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2478318140.00007FF8485C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF8485C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_7ff8485c0000_CodeTwo Active Directory Photos.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d50210d5755cf91519ded20f478813e9bc83cf1eeb74b1bb094d229c505b0ed1
Instruction ID: a0c2f3227d7911d28c41bd83f6ead3032ff58a386a4718a06d378911e7c6fa3e
Opcode Fuzzy Hash: d50210d5755cf91519ded20f478813e9bc83cf1eeb74b1bb094d229c505b0ed1
Instruction Fuzzy Hash: B0011631B2895D8F9F44FB6C84959A877E1EF5871670000B5E40EC72A6DE28EC42CB80

Function 00007FF8485C0C68 Relevance: .0, Instructions: 50COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2478318140.00007FF8485C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF8485C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_7ff8485c0000_CodeTwo Active Directory Photos.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4795aa9c1c46d290a4bf9dbc3c68f23e7432a0daed57afc888f15d32a0657490
Instruction ID: a1075cffef71bc61b479a974309e780ad8f72762c6d5b2de205181ae128370eb
Opcode Fuzzy Hash: 4795aa9c1c46d290a4bf9dbc3c68f23e7432a0daed57afc888f15d32a0657490
Instruction Fuzzy Hash: AC01B52690EBDD4EEB5277785C221ED7F60DF422A0F0602F6D4A9CB0C3DA18641587A9

Function 00007FF8485C5410 Relevance: .0, Instructions: 50COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2478318140.00007FF8485C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF8485C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_7ff8485c0000_CodeTwo Active Directory Photos.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 462a613f3c61a26e50b735538346ecbcc55c5d1a73d1b762febcfaec85500528
Instruction ID: 6b9e5c344cbd3befb20a1a7da2744400380a584846a0e29e3f6ad6f5b5354be1
Opcode Fuzzy Hash: 462a613f3c61a26e50b735538346ecbcc55c5d1a73d1b762febcfaec85500528
Instruction Fuzzy Hash: 2601D621B1CC494FEA98B72C9889AB437D1FB94391F440075E009C32A6DE18AC81CB85

Function 00007FF8485D6955 Relevance: .0, Instructions: 47COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2478318140.00007FF8485C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF8485C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_7ff8485c0000_CodeTwo Active Directory Photos.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4cab7490417a09394a5cf4b63ee33e766dff478c6e6e7c76680e4b8acbe605db
Instruction ID: 09e3750806060ea40bacb43d417094860b32e6fe0d31769c133e35eb3e6bc6b5
Opcode Fuzzy Hash: 4cab7490417a09394a5cf4b63ee33e766dff478c6e6e7c76680e4b8acbe605db
Instruction Fuzzy Hash: 2DF0C222E0CA568FE6E5A7291C6117866C3AF44780F1A507AD869C61C6EE0D68435A8B

Function 00007FF8485C0C70 Relevance: .0, Instructions: 47COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2478318140.00007FF8485C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF8485C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_7ff8485c0000_CodeTwo Active Directory Photos.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b50a89aa4b4bb0843089b0af2727475a8b9907ac6623e697c84c10699a025389
Instruction ID: 1e86b6f461d600aaff3236f26a91034a3caf37725a64453186bd1c676c82f5fc
Opcode Fuzzy Hash: b50a89aa4b4bb0843089b0af2727475a8b9907ac6623e697c84c10699a025389
Instruction Fuzzy Hash: BE01841681EADD4EE75277784C220ED7F60DF422A0F0A02F6D4A9CB1C3DA18641587A9

Function 00007FF8485C309C Relevance: .0, Instructions: 46COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2478318140.00007FF8485C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF8485C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_7ff8485c0000_CodeTwo Active Directory Photos.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 203c0a09e48c5b65b3750a04ffab0759493f3f57741a825f81fbd68d4caec744
Instruction ID: c0ed66e0102b1e0b1fda98e3621d13a7fe1bb24b555d3b8d0c1cb5728b17c43a
Opcode Fuzzy Hash: 203c0a09e48c5b65b3750a04ffab0759493f3f57741a825f81fbd68d4caec744
Instruction Fuzzy Hash: 5B01D163A2DD8A2EEA99F73844166FE62E1EF542C0F4144B9C05FC71C7FE1879418A84

Function 00007FF8485D0A96 Relevance: .0, Instructions: 44COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2478318140.00007FF8485C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF8485C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_7ff8485c0000_CodeTwo Active Directory Photos.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 024e3a54b3af692aa882cfbf98e1a71f6f92a70dbb8a2c69030473ec723b6cb4
Instruction ID: 9afd888195aed6b604755afc3588bf411dc3f6cf68de4ae8a213b6b6c30451fe
Opcode Fuzzy Hash: 024e3a54b3af692aa882cfbf98e1a71f6f92a70dbb8a2c69030473ec723b6cb4
Instruction Fuzzy Hash: ADF04F4584F7C20FE79323B45C255953FE09F43560B4E80EAD595CB497CA8D484B8726

Function 00007FF8485C1775 Relevance: .0, Instructions: 44COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2478318140.00007FF8485C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF8485C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_7ff8485c0000_CodeTwo Active Directory Photos.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 89ad656b0de47afa03840a470d221df51004669522669b519674543a1f882983
Instruction ID: 797a634fa5b5c4663237017d036a3964ced45d86ef1de003e17b373be058fe43
Opcode Fuzzy Hash: 89ad656b0de47afa03840a470d221df51004669522669b519674543a1f882983
Instruction Fuzzy Hash: 86F09021C8E7C85FE72A67700C654B93FB0EF43680F0A00EBE549CB0A3C61C6409C722

Function 00007FF8485CDFD5 Relevance: .0, Instructions: 44COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2478318140.00007FF8485C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF8485C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_7ff8485c0000_CodeTwo Active Directory Photos.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6fa44348481630a6d81ff0d78d4ded0b80b3a761ef5a25b416d91fac6d21067b
Instruction ID: a11a2d0c1c39e65dcaee90d29ace6a77821f4dfe2c371000aa4c5c8a3fbb54b6
Opcode Fuzzy Hash: 6fa44348481630a6d81ff0d78d4ded0b80b3a761ef5a25b416d91fac6d21067b
Instruction Fuzzy Hash: F501813184E6C95FC7429BA09C116D97FF0EF47210B0A41EBE098CB493CB5C594A87A6

Function 00007FF8485C3A18 Relevance: .0, Instructions: 42COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2478318140.00007FF8485C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF8485C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_7ff8485c0000_CodeTwo Active Directory Photos.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e6c9fc4cc4a7ae4b1159f9a6aed0236d89b1790e204b061b1fe011c001e624fc
Instruction ID: f52b5c39d800354abc70dcb563af908d0a1ff2377a76691b73b9034578e9913f
Opcode Fuzzy Hash: e6c9fc4cc4a7ae4b1159f9a6aed0236d89b1790e204b061b1fe011c001e624fc
Instruction Fuzzy Hash: 8FF0FC3090D50C9EE768E714CC1ABFBBA64FF41340F1141BAD05EE3195DE747C898A96

Function 00007FF8485C0C78 Relevance: .0, Instructions: 42COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2478318140.00007FF8485C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF8485C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_7ff8485c0000_CodeTwo Active Directory Photos.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9e1abe05e4ade744fd9f50aea4db821ffa86f66b8bc954db1309ba6ca168d2a8
Instruction ID: 16b72b5c0a05ef0c97fd3ee4906bbceba5744f8bed75193bb7a6220a29d49c26
Opcode Fuzzy Hash: 9e1abe05e4ade744fd9f50aea4db821ffa86f66b8bc954db1309ba6ca168d2a8
Instruction Fuzzy Hash: EE01862691EADE4ED75277784C210ED7F60DF423A0F0A02F6D56DCB1D3DA18641487A9

Function 00007FF8485D166D Relevance: .0, Instructions: 42COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2478318140.00007FF8485C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF8485C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_7ff8485c0000_CodeTwo Active Directory Photos.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d9ef0c038624cb01d626f2737d94f9e4213686ac89e64e20e094e3206d69f658
Instruction ID: 80e570ebc2a7a01f7a6b2f7585baab29c5475bd706feb2e19f02e2f5d4a09ed5
Opcode Fuzzy Hash: d9ef0c038624cb01d626f2737d94f9e4213686ac89e64e20e094e3206d69f658
Instruction Fuzzy Hash: FAF0242094C6400FE742F7345C19AA5BFD0DF86280F0D84BAD84CC65A2DE29D546C701

Function 00007FF8485D0220 Relevance: .0, Instructions: 40COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2478318140.00007FF8485C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF8485C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_7ff8485c0000_CodeTwo Active Directory Photos.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0465654aa01b815d0596a13d7ffb3f44d75af968e4a06f49ed7324b6a75bea25
Instruction ID: 81f19528ce3198cd62746b16891f3bdf014ab31df26cdcd1b98a61177785fee7
Opcode Fuzzy Hash: 0465654aa01b815d0596a13d7ffb3f44d75af968e4a06f49ed7324b6a75bea25
Instruction Fuzzy Hash: 12F06925C1D18349FB6BB3244C4267A3AC0ABD02D9F9AD238CC68C11C2FB5C259F49CE

Function 00007FF8485CAB95 Relevance: .0, Instructions: 40COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2478318140.00007FF8485C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF8485C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_7ff8485c0000_CodeTwo Active Directory Photos.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 85ff0b5300efa2a811a751307a66392c441746bfcad73a7a00b196b199273946
Instruction ID: 6d0a23d2b61b4ada96181371cff075d069d4570736da823a9bb8949a03ce303c
Opcode Fuzzy Hash: 85ff0b5300efa2a811a751307a66392c441746bfcad73a7a00b196b199273946
Instruction Fuzzy Hash: 4EF0F03190D74C5FE765E7108C15BEA7B61EF52310F0101ABD04DE3182DA646C888B92

Function 00007FF8485C0C60 Relevance: .0, Instructions: 40COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2478318140.00007FF8485C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF8485C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_7ff8485c0000_CodeTwo Active Directory Photos.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f3b8933032d036061a53b8b446ebc16cfb0bddbfcb44e48734ecffe6b96e2e52
Instruction ID: 33e80305960fe863567c4485b8597d18da91049f89347d67c3a0f9c4482d7eb7
Opcode Fuzzy Hash: f3b8933032d036061a53b8b446ebc16cfb0bddbfcb44e48734ecffe6b96e2e52
Instruction Fuzzy Hash: 66F0F020A1C8494FEBA4FB2C984466036D1EF59320B9608B6E939C72E2DE14DC449786

Function 00007FF8485C3F0D Relevance: .0, Instructions: 40COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2478318140.00007FF8485C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF8485C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_7ff8485c0000_CodeTwo Active Directory Photos.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f7c1aa495d0be4f721b38580167bd7dcc6b349dffd987e09a199bf78f3c63f84
Instruction ID: 19056ca76ce2ac91b9731720fb0d95ea6889730b7d216587202e5e9e030d4472
Opcode Fuzzy Hash: f7c1aa495d0be4f721b38580167bd7dcc6b349dffd987e09a199bf78f3c63f84
Instruction Fuzzy Hash: 5CF0A07288D28C6FCB2667202C034E67F78DE02250F0A0197F46886482D65E126687A6

Function 00007FF8485CC458 Relevance: .0, Instructions: 38COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2478318140.00007FF8485C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF8485C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_7ff8485c0000_CodeTwo Active Directory Photos.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4f494ae044410a8df0f80cb15d554b13057d8e361ff460760f93230b4cabc080
Instruction ID: db808f8c5ced2691d9b1c9869e615b144c9fea17b60a7c4c63639b7323fdc90e
Opcode Fuzzy Hash: 4f494ae044410a8df0f80cb15d554b13057d8e361ff460760f93230b4cabc080
Instruction Fuzzy Hash: 3CF0E922D1ED8A7EE2C9BE2828522F8B5A1FB54651F0841B9D41DC71C7EE4C2C544746

Function 00007FF8485C3DCD Relevance: .0, Instructions: 37COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2478318140.00007FF8485C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF8485C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_7ff8485c0000_CodeTwo Active Directory Photos.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3b674e728064e62eb586718f7baf3a8b9474df42313e3ad575ebe185275f2611
Instruction ID: bad749809ba0ac64b8fb5d1c51561ddb7a2b7016d02b761f422754e7bad5e376
Opcode Fuzzy Hash: 3b674e728064e62eb586718f7baf3a8b9474df42313e3ad575ebe185275f2611
Instruction Fuzzy Hash: 4CF0547984D6CD9EDF727F385C420F57F60EF42284F4505E6E5AC46083DB9962288B86

Function 00007FF8485CED40 Relevance: .0, Instructions: 36COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2478318140.00007FF8485C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF8485C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_7ff8485c0000_CodeTwo Active Directory Photos.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cb3d5c1aaf87323e6fd58f60193c17ca2c3398198fb325da330daa15ef56f191
Instruction ID: dce1486244062d073568b193d0d5b717fabdf4d751a60f61e9b9e1025baccd8e
Opcode Fuzzy Hash: cb3d5c1aaf87323e6fd58f60193c17ca2c3398198fb325da330daa15ef56f191
Instruction Fuzzy Hash: 2CF01231514A0C9F8F04EF19DC49CEA7BA4FBA9355B01112BF40DD3160DB21A854CBD5

Function 00007FF8485D101D Relevance: .0, Instructions: 36COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2478318140.00007FF8485C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF8485C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_7ff8485c0000_CodeTwo Active Directory Photos.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8f327950b896043afbb7d80af3e17530339d473a94c8cae9f1aca25910cf65df
Instruction ID: c1a9d6a6a87c037afa1039bb88ec8ac86971f5220872d3e2e8bb8ad5d550fb62
Opcode Fuzzy Hash: 8f327950b896043afbb7d80af3e17530339d473a94c8cae9f1aca25910cf65df
Instruction Fuzzy Hash: 11F0A02194DAA00FE769AB2458667A6BBE1FF46240F0940E9D499C7193CB9C39468742

Function 00007FF84877077E Relevance: .0, Instructions: 36COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2479942821.00007FF848770000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848770000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_7ff848770000_CodeTwo Active Directory Photos.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 58e8c87cb37b84907729f7f8167f11e06709eca9bb0f8cd6ddf584cf3bc5ede3
Instruction ID: e0785becc1435258ae10eb0fc41a7ad85187993d95673151a75ecf100a604d33
Opcode Fuzzy Hash: 58e8c87cb37b84907729f7f8167f11e06709eca9bb0f8cd6ddf584cf3bc5ede3
Instruction Fuzzy Hash: A8F0C93130C9098FDA98FB0CE454E54B3E0FF6832171501A6E05AC7276D722EC92CB84

Function 00007FF8485CBA80 Relevance: .0, Instructions: 35COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2478318140.00007FF8485C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF8485C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_7ff8485c0000_CodeTwo Active Directory Photos.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dc513f786906c515be6ab10520d6e6de448614cae63f7f948cadf59cfdbb2131
Instruction ID: 422a1c5fd357dba61b8add3595ef3d752b7dfb9837b8b5527993ef4f3392ec36
Opcode Fuzzy Hash: dc513f786906c515be6ab10520d6e6de448614cae63f7f948cadf59cfdbb2131
Instruction Fuzzy Hash: 0CF05C22D0EC8E3ED188BF2C18562F9B4A1EF98351F0841BAE41EC31CBED0C2C414B4A

Function 00007FF8485C19D9 Relevance: .0, Instructions: 33COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2478318140.00007FF8485C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF8485C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_7ff8485c0000_CodeTwo Active Directory Photos.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 606b64064d401d888334bf4c7fa4c7dd4120da2b06ceb1e37edae5ab943a648d
Instruction ID: 55176d0f0ca7a717cb18ad9d251ebc1fa9c86aea0a2bc6392cfdbcdabcb2edde
Opcode Fuzzy Hash: 606b64064d401d888334bf4c7fa4c7dd4120da2b06ceb1e37edae5ab943a648d
Instruction Fuzzy Hash: 91E0207690D94C5F9B44BB597C158F6BFD8FB85328F01019EE45CC3152D2116412C355

Function 00007FF8485D01B0 Relevance: .0, Instructions: 33COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2478318140.00007FF8485C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF8485C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_7ff8485c0000_CodeTwo Active Directory Photos.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2dd68a1806707b344d2e3fdc40d9e3b55a3ea08bb7bbc3e3f023b475b6133925
Instruction ID: 281eb5a1783be5cc73c3bac79ca29ae1c4bff315387148a61dd8e091fff338c6
Opcode Fuzzy Hash: 2dd68a1806707b344d2e3fdc40d9e3b55a3ea08bb7bbc3e3f023b475b6133925
Instruction Fuzzy Hash: 95E0E530D1CA154BEB90F73468056F9B7C0DF84394F09087AEC1CC22A5ED2DD9824685

Function 00007FF8485D0D2B Relevance: .0, Instructions: 32COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2478318140.00007FF8485C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF8485C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_7ff8485c0000_CodeTwo Active Directory Photos.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: aba1a09ac14c5c7af89688e26188e31387085a33ebe39415f5bc3ac9595897b0
Instruction ID: 5974c36d152839727dc4cd77623952d0c233bc0c8f6bad8b3776500ba70eb328
Opcode Fuzzy Hash: aba1a09ac14c5c7af89688e26188e31387085a33ebe39415f5bc3ac9595897b0
Instruction Fuzzy Hash: 75E0223280D94C8FCB00BB9AAC486DA7BA8FB9A318F06006AE80CC2090C7255485C715

Function 00007FF8485CBF5F Relevance: .0, Instructions: 32COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2478318140.00007FF8485C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF8485C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_7ff8485c0000_CodeTwo Active Directory Photos.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7861f9ba168dd01b181fd4784940686092a7bf6772e03287c84819bf334ed8fe
Instruction ID: 891e5e7d8091e5f8904c3a161bb3fe8b6cdc1be47fb455f6b18a8a7e4c507517
Opcode Fuzzy Hash: 7861f9ba168dd01b181fd4784940686092a7bf6772e03287c84819bf334ed8fe
Instruction Fuzzy Hash: C8E09251F1DC190FF699F73C28261BD26D2FFD4AD1B4500B9D05DC728AEE2859038A4A

Function 00007FF8485C1108 Relevance: .0, Instructions: 28COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2478318140.00007FF8485C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF8485C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_7ff8485c0000_CodeTwo Active Directory Photos.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b49098893b1f329fc7dafb21a30701dc27a28e9cc07c0b6b9c0a489c0708c98d
Instruction ID: ea9681f6acc651edd9a250855217bdfa291d06122960ee6aa28290051afa9013
Opcode Fuzzy Hash: b49098893b1f329fc7dafb21a30701dc27a28e9cc07c0b6b9c0a489c0708c98d
Instruction Fuzzy Hash: 45E0DF31C8CA4C8FCB54FB29AC003D83BB4FB8C318F461169D05CC3181E7295595CB09

Function 00007FF8485C4ED1 Relevance: .0, Instructions: 25COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2478318140.00007FF8485C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF8485C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_7ff8485c0000_CodeTwo Active Directory Photos.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f907124435493062fe704b169d9c141799ea111164e52eb7f795f13fa5747e3c
Instruction ID: a4b254786666953f19d0f96d64a0fbb594a9e839bd058f2a5f2819ed18e6de0b
Opcode Fuzzy Hash: f907124435493062fe704b169d9c141799ea111164e52eb7f795f13fa5747e3c
Instruction Fuzzy Hash: C5E0657050C6858FE6B5FB088851E787BF1EF95390F0204BAD0ADC76A6CF24A8448B05

Function 00007FF8485D6859 Relevance: .0, Instructions: 25COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2478318140.00007FF8485C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF8485C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_7ff8485c0000_CodeTwo Active Directory Photos.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 36c8d849c2712c2a4e7ce3be429170de086df0bf460ee4166a6dc18bc6ca32a2
Instruction ID: ff8bead35c51762e677a27b048b7a78e61a439f76e2dfa1038c2fdd533826116
Opcode Fuzzy Hash: 36c8d849c2712c2a4e7ce3be429170de086df0bf460ee4166a6dc18bc6ca32a2
Instruction Fuzzy Hash: EDE0D832C0E68C5FC701ABE09C159D97FE0EF42240F454192E05886043D71C911887A1

Function 00007FF8485C3384 Relevance: .0, Instructions: 17COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2478318140.00007FF8485C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF8485C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_7ff8485c0000_CodeTwo Active Directory Photos.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f78c5d3583b5f96a9fb51fa85e78922399ebde40d0783eb589fad4e1139c27d4
Instruction ID: 6ed5e3e36a3f2cda419cf9b7af8f4f590f87db53e9012ba9fbfb72827028e0b7
Opcode Fuzzy Hash: f78c5d3583b5f96a9fb51fa85e78922399ebde40d0783eb589fad4e1139c27d4
Instruction Fuzzy Hash: 79D01253B0E95A8FE558B36C3C060F46390E745AE1B1145BBC049CB182ED05280986D5

Function 00007FF8485C3E0D Relevance: .0, Instructions: 17COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2478318140.00007FF8485C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF8485C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_7ff8485c0000_CodeTwo Active Directory Photos.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9d2fb3fc39646b7159335680e97a4a7bf47e916584bc1e13c33f5976638e22b1
Instruction ID: 86620a0e8d99f7533413f210be6c39c6a960a4ad0137e2cd4021180d0a162566
Opcode Fuzzy Hash: 9d2fb3fc39646b7159335680e97a4a7bf47e916584bc1e13c33f5976638e22b1
Instruction Fuzzy Hash: B1E0C23280D7CC4FDB61AF188C120D87F60FF41200F8602D7E5188B083D72991288782

Function 00007FF8485C49D6 Relevance: .0, Instructions: 16COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2478318140.00007FF8485C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF8485C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_7ff8485c0000_CodeTwo Active Directory Photos.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4f76f7e4cf5b9ffec35b0f3db815201abebd9ad31de64f3c3c461b510c9c76b3
Instruction ID: 67dabe0dc891ed9f4e53d298dad39dd41ef5adcc661ca8d783f68cd84bce9e31
Opcode Fuzzy Hash: 4f76f7e4cf5b9ffec35b0f3db815201abebd9ad31de64f3c3c461b510c9c76b3
Instruction Fuzzy Hash: 82E0123051C681CFE314BF14D840A6A77F6FF86305F11853AE45E87299CB3AE8418E09

Function 00007FF8485CAC4B Relevance: .0, Instructions: 13COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2478318140.00007FF8485C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF8485C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_7ff8485c0000_CodeTwo Active Directory Photos.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 65e8a42dd21ca82d0185a393abb81d09c63cdeaa001867664b3d494bc3bcfd24
Instruction ID: d3d524219d4144e28ba2fb5915bcd9800c6fc1eff70051f0922519b63e7d8426
Opcode Fuzzy Hash: 65e8a42dd21ca82d0185a393abb81d09c63cdeaa001867664b3d494bc3bcfd24
Instruction Fuzzy Hash: 4ED0126091C105DEE328AB34000067E5591AB083D0F724674E13BC72C5DE75D4035688

Function 00007FF8485CC546 Relevance: .0, Instructions: 11COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2478318140.00007FF8485C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF8485C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_7ff8485c0000_CodeTwo Active Directory Photos.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6a459d26cb73e84c6e65c972de9d85bb3e5f214a0b726dbbadbf780e5c925b80
Instruction ID: c56bcdb2b67a25385fcd399b42930f65428e200cfbebb192d40612ea26851dcb
Opcode Fuzzy Hash: 6a459d26cb73e84c6e65c972de9d85bb3e5f214a0b726dbbadbf780e5c925b80
Instruction Fuzzy Hash: A1D0C93044D3428FE369A73C84505B537F09F06391F1204BAC0598E091CB3F7C819E56

Function 00007FF8485CABF3 Relevance: .0, Instructions: 8COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2478318140.00007FF8485C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF8485C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_7ff8485c0000_CodeTwo Active Directory Photos.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7e3fe251851465931d358e6fb280e4602e2c22c25a0a6960de2d9c872885b764
Instruction ID: 3a5ce5f531fa9b056f35f6f2d2e61ca745bc8ada40095e738ed429e81b66f187
Opcode Fuzzy Hash: 7e3fe251851465931d358e6fb280e4602e2c22c25a0a6960de2d9c872885b764
Instruction Fuzzy Hash: 95C09261C0C41A8EE325B7A04C605FE6691AF483C4FA78571D03BF6086DEA82600AD89

Non-executed Functions

Function 00007FF8485CE146 Relevance: .3, Instructions: 268COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2478318140.00007FF8485C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF8485C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_7ff8485c0000_CodeTwo Active Directory Photos.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b154575eab6ccdb3238f74a69099205e383f5a4309d6e5a35b02ebb1de92ebd3
Instruction ID: 0d24034b5b4e8ac4d15b21e4f9d5fefec1ffba96067d8631b6f5d178c8199e51
Opcode Fuzzy Hash: b154575eab6ccdb3238f74a69099205e383f5a4309d6e5a35b02ebb1de92ebd3
Instruction Fuzzy Hash: B7913312D0E7D35EE703A77868660E97F60DF53298F0A41F7C4A88A0D3ED09785687A6

Function 00007FF8485CE178 Relevance: .2, Instructions: 249COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2478318140.00007FF8485C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF8485C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_7ff8485c0000_CodeTwo Active Directory Photos.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 378bf4ace99c4dea6858c0c56125cc39a8778739922194783cb2c2ac193ed898
Instruction ID: 1970d2e86c34d373531e63e7bbf947aded326883e239a6b83c7677e4a2dfdd01
Opcode Fuzzy Hash: 378bf4ace99c4dea6858c0c56125cc39a8778739922194783cb2c2ac193ed898
Instruction Fuzzy Hash: B0914412C0E7C35ED703AB7C68660E97F60DF53299B0E41F7C4D84A093ED08785A87A6

Function 00007FF8487712D0 Relevance: 5.3, Strings: 4, Instructions: 258COMMON

Download Yara Rule

Strings

PauH, xrefs: 00007FF84877149D
PauH, xrefs: 00007FF848771341
PauH, xrefs: 00007FF8487713E6
1, xrefs: 00007FF84877146B

Memory Dump Source

Source File: 00000006.00000002.2479942821.00007FF848770000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848770000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_7ff848770000_CodeTwo Active Directory Photos.jbxd

Similarity

API ID:
String ID: 1$PauH$PauH$PauH
API String ID: 0-2090226886
Opcode ID: 2bf7afa5bec4e93ea7705874b7ea5d849423dfb636053bd85c6e70e0dc30e011
Instruction ID: 9fdd7d7c15c1d1138bdb44a6e909c352d7f1052aa9222de2bc43d61acee8a247
Opcode Fuzzy Hash: 2bf7afa5bec4e93ea7705874b7ea5d849423dfb636053bd85c6e70e0dc30e011
Instruction Fuzzy Hash: 7271F231A0DA898FD798EB2C886553477E1FF5AB90F0401BAD44EC7293DA24FC41C799

Function 00007FF8485C0AFA Relevance: 5.1, Strings: 4, Instructions: 88COMMON

Download Yara Rule

Strings

39, xrefs: 00007FF8485C0B86
!;9, xrefs: 00007FF8485C0B7E
9M_^, xrefs: 00007FF8485C0B01
"C9, xrefs: 00007FF8485C0B76

Memory Dump Source

Source File: 00000006.00000002.2478318140.00007FF8485C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF8485C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_7ff8485c0000_CodeTwo Active Directory Photos.jbxd

Similarity

API ID:
String ID: 39$!;9$"C9$9M_^
API String ID: 0-3704222848
Opcode ID: edb5c44fb1fad5073d6c22c344287126fb40fd497daf5947dcbf799f904ca55c
Instruction ID: c72d7bf1d0df492f8abdb308e781c8d79c55169b9d22329d9db3a45c29192bfe
Opcode Fuzzy Hash: edb5c44fb1fad5073d6c22c344287126fb40fd497daf5947dcbf799f904ca55c
Instruction Fuzzy Hash: BE119427B2BD2E9B96007A7DB8410FDB3C8DBEA27BB4803B7D204C6143ED52744686D5

Description:	Adversaries may move onto systems, possibly those on disconnected or air-gapped networks, by copying malware to removable media and taking advantage of Autorun features when the media is inserted into a system and executes. In the case of Lateral Movement, this may occur through modification of executable files stored on removable media or by copying malware and renaming it to look like a legitimate file to trick users into executing it on a separate system. In the case of Initial Access, this may occur through manual manipulation of the media, modification of systems used to initially format the media, or modification to the media's firmware itself.
Tactics:	Initial Access, Lateral Movement
Data Sources:	Drive: Drive Creation, File: File Access, File: File Creation, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may create or modify Windows services to repeatedly execute malicious payloads as part of persistence. When Windows boots up, it starts programs or applications called services that perform background system functions.Windows service configuration information, including the file path to the service's executable or recovery programs/commands, is stored in the Windows Registry.
Tactics:	Persistence, Privilege Escalation
Data Sources:	Command: Command Execution, Driver: Driver Load, File: File Metadata, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Creation, Service: Service Creation, Service: Service Modification, Windows Registry: Windows Registry Key Creation, Windows Registry: Windows Registry Key Modification
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may achieve persistence by adding a program to a startup folder or referencing it with a Registry run key. Adding an entry to the "run keys" in the Registry or startup folder will cause the program referenced to be executed when a user logs in.These programs will be executed under the context of the user and will have the account's associated permissions level.
Tactics:	Persistence, Privilege Escalation
Data Sources:	Command: Command Execution, File: File Modification, Process: Process Creation, Windows Registry: Windows Registry Key Creation, Windows Registry: Windows Registry Key Modification
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Driver: Driver Load, Process: Process Creation, Process: Process Termination, Sensor Health: Host Status, Service: Service Metadata, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may delete files left behind by the actions of their intrusion activity. Malware, tools, or other non-native files dropped or created on a system by an adversary (ex: Ingress Tool Transfer ) may leave traces to indicate to what was done within a network and how. Removal of these files can occur during an intrusion, or as part of a post-intrusion process to minimize the adversary's footprint.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Deletion
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to gather information about attached peripheral devices and components connected to a computer system.Peripheral devices could include auxiliary resources that support a variety of functionalities such as keyboards, printers, cameras, smart card readers, or removable storage. The information may be used to enhance their awareness of the system and network environment or may be used for further actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report C2ADPhotosSetupEN.exe

Overview

General Information

Detection

Compliance

Signatures

Classification

Process Tree

Malware Configuration

Yara Signatures

Sigma Signatures

Suricata Signatures

Joe Sandbox Signatures

Compliance

Spreading

Networking

System Summary

Data Obfuscation

Persistence and Installation Behavior

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

Language, Device and Operating System Detection

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

URLs from Memory and Binaries

World Map of Contacted IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Config.Msi\431a49.rbs

C:\Program Files\CodeTwo\CodeTwo Active Directory Photos\C2.Common.dll

C:\Program Files\CodeTwo\CodeTwo Active Directory Photos\C2ADPhotos.AD.dll

C:\Program Files\CodeTwo\CodeTwo Active Directory Photos\C2ADPhotos.Common.dll

C:\Program Files\CodeTwo\CodeTwo Active Directory Photos\C2ADPhotos.Controls.dll

C:\Program Files\CodeTwo\CodeTwo Active Directory Photos\C2WinUI.dll

C:\Program Files\CodeTwo\CodeTwo Active Directory Photos\C2Wpf.Common.dll

C:\Program Files\CodeTwo\CodeTwo Active Directory Photos\C2Wpf.Controls.dll

C:\Program Files\CodeTwo\CodeTwo Active Directory Photos\CodeTwo Active Directory Photos.exe

C:\Program Files\CodeTwo\CodeTwo Active Directory Photos\CodeTwo Active Directory Photos.exe.config

C:\Program Files\CodeTwo\CodeTwo Active Directory Photos\Data\HomePage.url

C:\Program Files\CodeTwo\CodeTwo Active Directory Photos\Data\User's manual.url

C:\Program Files\CodeTwo\CodeTwo Active Directory Photos\ER.Shared.Common.2.dll

C:\Program Files\CodeTwo\CodeTwo Active Directory Photos\ER.Shared.Html.2.dll

C:\Program Files\CodeTwo\CodeTwo Active Directory Photos\ER.Shared.MessageComposition.Lib.dll

C:\Program Files\CodeTwo\CodeTwo Active Directory Photos\ER.Shared.Placeholders.2.dll

C:\Program Files\CodeTwo\CodeTwo Active Directory Photos\ER.Shared.RulesProcessor.2.dll

C:\Program Files\CodeTwo\CodeTwo Active Directory Photos\ER.Shared.Settings.2.dll

C:\Program Files\CodeTwo\CodeTwo Active Directory Photos\TXTextControl.dll

C:\Program Files\CodeTwo\CodeTwo Active Directory Photos\tx151.dll

C:\Program Files\CodeTwo\CodeTwo Active Directory Photos\tx151rtf.dll

C:\Program Files\CodeTwo\CodeTwo Active Directory Photos\tx151tls.dll

C:\ProgramData\MSI Cache\{C1FB6A80-5028-4922-AF16-C3A9EC1C5379}\C2ADPhotosSetupENx64.msi

C:\ProgramData\Microsoft\Windows\Start Menu\Programs\CodeTwo\CodeTwo Active Directory Photos\CodeTwo Active Directory Photos.lnk

Windows Analysis Report
C2ADPhotosSetupEN.exe

**\Device\Mup\user-PC*\MAILSLOT\NET\NETLOGON**