Edit tour

Windows Analysis Report
accessdatabaseengine.exe

Overview

General Information

Sample Name:	accessdatabaseengine.exe
Analysis ID:	1343624
MD5:	ee45577303d58f80e94a796a500501ea
SHA1:	be8239b158de88d29bccccc2ac6cc5c82181f8ca
SHA256:	adc0504656f390d225530ac09f1fc2113295c4f9baeffea1e983fecf4ac960f0
Infos:

Detection

Score:	4
Range:	0 - 100
Whitelisted:	false
Confidence:	40%

Compliance

Score:	47
Range:	0 - 100

Signatures

Uses 32bit PE files

Queries the volume information (name, serial number etc) of a device

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Uses code obfuscation techniques (call, push, ret)

Detected potential crypto function

Contains functionality to query CPU information (cpuid)

Found potential string decryption / allocating functions

Sample execution stops while process was sleeping (likely an evasion)

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Sample file is different than original file name gathered from version info

Extensive use of GetProcAddress (often used to hide API calls)

Drops PE files

Tries to load missing DLLs

Contains functionality to read the PEB

Contains functionality to open a port and listen for incoming connection (possibly a backdoor)

Checks for available system drives (often done to infect USB drives)

Uses Microsoft's Enhanced Cryptographic Provider

Creates a process in suspended mode (likely to inject code)

Classification

Analysis Advice

Sample is looking for USB drives. Launch the sample with the USB Fake Disk cookbook

Sample tries to load a library which is not present or installed on the analysis machine, adding the library might reveal more behavior

Sample may offer command line options, please run it with the 'Execute binary with arguments' cookbook (it's possible that the command line switches require additional characters like: "-", "/", "--")

Process Tree

System is w10x64

accessdatabaseengine.exe (PID: 6888 cmdline: C:\Users\user\Desktop\accessdatabaseengine.exe MD5: EE45577303D58F80E94A796A500501EA)

cmd.exe (PID: 2936 cmdline: C:\Windows\system32\cmd.exe /c .\setup.cmd MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

conhost.exe (PID: 2944 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

installucrt.exe (PID: 7056 cmdline: InstallUCRT.exe MD5: 8FACCEDFD9DFE2D28E2AC6E3F6B35616)

msiexec.exe (PID: 3568 cmdline: msiexec /i AceRedist.msi MD5: 9D09DC1EDA745A5F87553048E57620CF)

msiexec.exe (PID: 7180 cmdline: C:\Windows\system32\msiexec.exe /V MD5: E5DA170027542E25EDE42FC54C929077)

msiexec.exe (PID: 7224 cmdline: C:\Windows\syswow64\MsiExec.exe -Embedding 3C96B4C68482B32F81AFDC1DEE152456 C MD5: 9D09DC1EDA745A5F87553048E57620CF)

cleanup

Malware Configuration

⊘No configs have been found

Yara Signatures

⊘No yara matches

Sigma Signatures

⊘No Sigma rule has matched

Snort Signatures

⊘No Snort rule has matched

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

There are no malicious signatures, click here to show all signatures.

Cryptography

Uses Microsoft's Enhanced Cryptographic Provider

Source: C:\Users\user\Desktop\accessdatabaseengine.exe

Code function: 0_2_0004436D CryptAcquireContextA,CryptCreateHash,GetLastError,CryptReleaseContext,CryptHashData,GetLastError,CryptDestroyHash,CryptGetHashParam,CryptDestroyHash,CryptReleaseContext,GetLastError,__CxxThrowException@8,

Compliance

Uses 32bit PE files

Source: accessdatabaseengine.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

PE / OLE file has a valid certificate

Source: accessdatabaseengine.exe

Static PE information: certificate valid

Contains modern PE file flags such as dynamic base (ASLR) or NX

Source: accessdatabaseengine.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE

Binary contains paths to debug symbols

Source:	Binary string: P:\Target\x86\ship\ses\x-none\opatchinst.pdbnst.pdb0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 source: accessdatabaseengine.exe, 00000000.00000002.1845410875.0000000000041000.00000020.00000001.01000000.00000003.sdmp
Source:	Binary string: P:\Target\x86\ship\msicustomactions\x-none\ocfxca.pdbxca.pdb0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 source: MSIF7B6.tmp.4.dr
Source:	Binary string: P:\Target\x86\ship\ace\x-none\installucrt.pdb source: installucrt.exe.0.dr
Source:	Binary string: P:\Target\x86\ship\msicustomactions\x-none\ocfxca.pdb source: MSIF7B6.tmp.4.dr
Source:	Binary string: nst.pdb source: accessdatabaseengine.exe
Source:	Binary string: crt.pdb source: installucrt.exe.0.dr
Source:	Binary string: P:\Target\x86\ship\ses\x-none\opatchinst.pdbnst.pdb00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000004 source: accessdatabaseengine.exe
Source:	Binary string: P:\Target\x86\ship\ace\x-none\installucrt.pdbcrt.pdb000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 source: installucrt.exe.0.dr
Source:	Binary string: P:\Target\x86\ship\ses\x-none\opatchinst.pdb source: accessdatabaseengine.exe
Source:	Binary string: xca.pdb source: MSIF7B6.tmp.4.dr

Spreading

Checks for available system drives (often done to infect USB drives)

Source: C:\Windows\System32\msiexec.exe	File opened: z:
Source: C:\Windows\System32\msiexec.exe	File opened: x:
Source: C:\Windows\System32\msiexec.exe	File opened: v:
Source: C:\Windows\System32\msiexec.exe	File opened: t:
Source: C:\Windows\System32\msiexec.exe	File opened: r:
Source: C:\Windows\System32\msiexec.exe	File opened: p:
Source: C:\Windows\System32\msiexec.exe	File opened: n:
Source: C:\Windows\System32\msiexec.exe	File opened: l:
Source: C:\Windows\System32\msiexec.exe	File opened: j:
Source: C:\Windows\System32\msiexec.exe	File opened: h:
Source: C:\Windows\System32\msiexec.exe	File opened: f:
Source: C:\Windows\System32\msiexec.exe	File opened: b:
Source: C:\Windows\System32\msiexec.exe	File opened: y:
Source: C:\Windows\System32\msiexec.exe	File opened: w:
Source: C:\Windows\System32\msiexec.exe	File opened: u:
Source: C:\Windows\System32\msiexec.exe	File opened: s:
Source: C:\Windows\System32\msiexec.exe	File opened: q:
Source: C:\Windows\System32\msiexec.exe	File opened: o:
Source: C:\Windows\System32\msiexec.exe	File opened: m:
Source: C:\Windows\System32\msiexec.exe	File opened: k:
Source: C:\Windows\System32\msiexec.exe	File opened: i:
Source: C:\Windows\System32\msiexec.exe	File opened: g:
Source: C:\Windows\System32\msiexec.exe	File opened: e:
Source: C:\Windows\SysWOW64\msiexec.exe	File opened: c:
Source: C:\Windows\System32\msiexec.exe	File opened: a:

System Summary

Uses 32bit PE files

Source: accessdatabaseengine.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Detected potential crypto function

Source: C:\Users\user\Desktop\accessdatabaseengine.exe	Code function: 0_2_0006719F
Source: C:\Users\user\Desktop\accessdatabaseengine.exe	Code function: 0_2_0007342C
Source: C:\Users\user\Desktop\accessdatabaseengine.exe	Code function: 0_2_0006A4A2
Source: C:\Users\user\Desktop\accessdatabaseengine.exe	Code function: 0_2_0006E51C
Source: C:\Users\user\Desktop\accessdatabaseengine.exe	Code function: 0_2_000675D4
Source: C:\Users\user\Desktop\accessdatabaseengine.exe	Code function: 0_2_0006A6D1
Source: C:\Users\user\Desktop\accessdatabaseengine.exe	Code function: 0_2_0006688B
Source: C:\Users\user\Desktop\accessdatabaseengine.exe	Code function: 0_2_000738CD
Source: C:\Users\user\Desktop\accessdatabaseengine.exe	Code function: 0_2_00067A09
Source: C:\Users\user\Desktop\accessdatabaseengine.exe	Code function: 0_2_00066D87

Found potential string decryption / allocating functions

Source: C:\Users\user\Desktop\accessdatabaseengine.exe	Code function: String function: 00054661 appears 44 times
Source: C:\Users\user\Desktop\accessdatabaseengine.exe	Code function: String function: 0006E8DE appears 61 times
Source: C:\Users\user\Desktop\accessdatabaseengine.exe	Code function: String function: 000644E9 appears 31 times
Source: C:\Users\user\Desktop\accessdatabaseengine.exe	Code function: String function: 00063B38 appears 37 times
Source: C:\Users\user\Desktop\accessdatabaseengine.exe	Code function: String function: 0005B07A appears 608 times
Source: C:\Users\user\Desktop\accessdatabaseengine.exe	Code function: String function: 00055B9B appears 58 times
Source: C:\Users\user\Desktop\accessdatabaseengine.exe	Code function: String function: 00055E5F appears 32 times
Source: C:\Users\user\Desktop\accessdatabaseengine.exe	Code function: String function: 00063B6C appears 86 times

Sample file is different than original file name gathered from version info

Source: accessdatabaseengine.exe, 00000000.00000002.1856098588.0000000000094000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilename vs accessdatabaseengine.exe
Source: accessdatabaseengine.exe	Binary or memory string: OriginalFilename vs accessdatabaseengine.exe

Tries to load missing DLLs

Source: C:\Program Files (x86)\MSECache\AceRedist\1033\installucrt.exe	Section loaded: sfc.dll
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: sfc.dll
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: tsappcmp.dll
Source: C:\Windows\System32\msiexec.exe	Section loaded: sfc.dll
Source: C:\Windows\System32\msiexec.exe	Section loaded: tsappcmp.dll
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: sfc.dll

Source: C:\Users\user\Desktop\accessdatabaseengine.exe

File read: C:\Users\user\Desktop\accessdatabaseengine.exe

Jump to behavior

Source: accessdatabaseengine.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\accessdatabaseengine.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Source: unknown	Process created: C:\Users\user\Desktop\accessdatabaseengine.exe C:\Users\user\Desktop\accessdatabaseengine.exe
Source: C:\Users\user\Desktop\accessdatabaseengine.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c .\setup.cmd
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Program Files (x86)\MSECache\AceRedist\1033\installucrt.exe InstallUCRT.exe
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\msiexec.exe msiexec /i AceRedist.msi
Source: unknown	Process created: C:\Windows\System32\msiexec.exe C:\Windows\system32\msiexec.exe /V
Source: C:\Windows\System32\msiexec.exe	Process created: C:\Windows\SysWOW64\msiexec.exe C:\Windows\syswow64\MsiExec.exe -Embedding 3C96B4C68482B32F81AFDC1DEE152456 C
Source: C:\Users\user\Desktop\accessdatabaseengine.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c .\setup.cmd
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Program Files (x86)\MSECache\AceRedist\1033\installucrt.exe InstallUCRT.exe
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\msiexec.exe msiexec /i AceRedist.msi
Source: C:\Windows\System32\msiexec.exe	Process created: C:\Windows\SysWOW64\msiexec.exe C:\Windows\syswow64\MsiExec.exe -Embedding 3C96B4C68482B32F81AFDC1DEE152456 C

Source: C:\Users\user\Desktop\accessdatabaseengine.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{2933BF90-7B36-11D2-B20E-00C04F983E60}\InProcServer32

Source: C:\Users\user\Desktop\accessdatabaseengine.exe

Code function: 0_2_0005D6EB GetCurrentProcess,OpenProcessToken,GetTokenInformation,GetLastError,GetLastError,GetLastError,GetTokenInformation,GetLastError,_free,AllocateAndInitializeSid,_free,EqualSid,FreeSid,_free,GetLastError,__CxxThrowException@8,GetCurrentProcess,OpenProcessToken,GetLastError,LookupPrivilegeValueA,AdjustTokenPrivileges,GetLastError,GetLastError,GetLastError,CloseHandle,

Source: C:\Windows\SysWOW64\msiexec.exe

File created: C:\Users\user\AppData\Local\Temp\MSIF7B6.tmp

Jump to behavior

Source: classification engine

Classification label: clean4.winEXE@12/12@0/0

Source: C:\Users\user\Desktop\accessdatabaseengine.exe

Code function: 0_2_00054A33 __CxxThrowException@8,CLSIDFromProgID,CoCreateInstance,

Source: C:\Users\user\Desktop\accessdatabaseengine.exe

Code function: 0_2_0005D32E GetDiskFreeSpaceExA,_free,

Source: C:\Users\user\Desktop\accessdatabaseengine.exe

Code function: 0_2_00047E9B __EH_prolog3_GS,char_traits,_free,CreateToolhelp32Snapshot,Process32First,_free,_free,_free,_free,Process32Next,CloseHandle,_free,char_traits,

Source: C:\Windows\System32\conhost.exe

Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2944:120:WilError_03

Source: C:\Users\user\Desktop\accessdatabaseengine.exe

Code function: 0_2_00053E30 FindResourceA,LoadResource,LockResource,SysAllocString,GetLastError,__CxxThrowException@8,

Source: C:\Users\user\Desktop\accessdatabaseengine.exe

File created: C:\Program Files (x86)\MSECache\AceRedist

Jump to behavior

Source: C:\Users\user\Desktop\accessdatabaseengine.exe

Command line argument: Kernel32.dll

Source: accessdatabaseengine.exe

String found in binary or memory: <LaunchDirectory>$(PATCH.EXTRACTPATH)</LaunchDirectory>

Found GUI installer (many successful clicks)

Source: C:\Windows\SysWOW64\msiexec.exe	Automated click: OK
Source: C:\Windows\SysWOW64\msiexec.exe	Automated click: OK

Found graphical window changes (likely an installer)

Source: Window Recorder

Window detected: More than 3 window changes detected

PE /OLE file has a valid certificate with Microsoft as Issuer

Source: initial sample

Static PE information: Valid certificate with Microsoft Issuer

Submission file is bigger than most known malware samples

Source: accessdatabaseengine.exe

Static file information: File size 81621424 > 1048576

PE / OLE file has a valid certificate

Source: accessdatabaseengine.exe

Static PE information: certificate valid

PE file contains a mix of data directories often seen in goodware

Source: accessdatabaseengine.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: accessdatabaseengine.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: accessdatabaseengine.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: accessdatabaseengine.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: accessdatabaseengine.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: accessdatabaseengine.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT

Contains modern PE file flags such as dynamic base (ASLR) or NX

Source: accessdatabaseengine.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE

PE file contains a debug data directory

Source: accessdatabaseengine.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Binary contains paths to debug symbols

Source:	Binary string: P:\Target\x86\ship\ses\x-none\opatchinst.pdbnst.pdb0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 source: accessdatabaseengine.exe, 00000000.00000002.1845410875.0000000000041000.00000020.00000001.01000000.00000003.sdmp
Source:	Binary string: P:\Target\x86\ship\msicustomactions\x-none\ocfxca.pdbxca.pdb0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 source: MSIF7B6.tmp.4.dr
Source:	Binary string: P:\Target\x86\ship\ace\x-none\installucrt.pdb source: installucrt.exe.0.dr
Source:	Binary string: P:\Target\x86\ship\msicustomactions\x-none\ocfxca.pdb source: MSIF7B6.tmp.4.dr
Source:	Binary string: nst.pdb source: accessdatabaseengine.exe
Source:	Binary string: crt.pdb source: installucrt.exe.0.dr
Source:	Binary string: P:\Target\x86\ship\ses\x-none\opatchinst.pdbnst.pdb00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000004 source: accessdatabaseengine.exe
Source:	Binary string: P:\Target\x86\ship\ace\x-none\installucrt.pdbcrt.pdb000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 source: installucrt.exe.0.dr
Source:	Binary string: P:\Target\x86\ship\ses\x-none\opatchinst.pdb source: accessdatabaseengine.exe
Source:	Binary string: xca.pdb source: MSIF7B6.tmp.4.dr

PE file contains a valid data directory to section mapping

Source: accessdatabaseengine.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: accessdatabaseengine.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: accessdatabaseengine.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: accessdatabaseengine.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: accessdatabaseengine.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata

Data Obfuscation

Uses code obfuscation techniques (call, push, ret)

Source: C:\Users\user\Desktop\accessdatabaseengine.exe	Code function: 0_2_0006452F push ecx; ret
Source: C:\Users\user\Desktop\accessdatabaseengine.exe	Code function: 0_2_00063B09 push ecx; ret
Source: C:\Program Files (x86)\MSECache\AceRedist\1033\installucrt.exe	Code function: 3_2_00EC1CC0 push ecx; ret

Persistence and Installation Behavior

Drops PE files

Source: C:\Windows\SysWOW64\msiexec.exe	File created: C:\Users\user\AppData\Local\Temp\MSIF7B6.tmp			Jump to dropped file
Source: C:\Users\user\Desktop\accessdatabaseengine.exe	File created: C:\Program Files (x86)\MSECache\AceRedist\1033\installucrt.exe			Jump to dropped file

Hooking and other Techniques for Hiding and Protection

Extensive use of GetProcAddress (often used to hide API calls)

Source: C:\Users\user\Desktop\accessdatabaseengine.exe

Code function: 0_2_0005D8F0 GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,

Source: C:\Windows\SysWOW64\cmd.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\MSECache\AceRedist\1033\installucrt.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion

Sample execution stops while process was sleeping (likely an evasion)

Source: C:\Windows\System32\conhost.exe

Last function: Thread delayed

Source: C:\Users\user\Desktop\accessdatabaseengine.exe

Code function: 0_2_00076EB4 VirtualQuery,GetSystemInfo,

Source: C:\Windows\SysWOW64\msiexec.exe	File Volume queried: C:\ FullSizeInformation
Source: C:\Windows\System32\msiexec.exe	File Volume queried: C:\ FullSizeInformation

Source: accessdatabaseengine.exe

Binary or memory string: jVMCi3

Anti Debugging

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Source: C:\Users\user\Desktop\accessdatabaseengine.exe

Code function: 0_2_000642AC IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Source: C:\Users\user\Desktop\accessdatabaseengine.exe

Code function: 0_2_00072493 GetProcessHeap,

Contains functionality to read the PEB

Source: C:\Users\user\Desktop\accessdatabaseengine.exe

Code function: 0_2_0006D9DC mov eax, dword ptr fs:[00000030h]

Source: C:\Users\user\Desktop\accessdatabaseengine.exe	Code function: 0_2_000642AC IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,
Source: C:\Users\user\Desktop\accessdatabaseengine.exe	Code function: 0_2_00064438 SetUnhandledExceptionFilter,
Source: C:\Users\user\Desktop\accessdatabaseengine.exe	Code function: 0_2_00063C70 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,
Source: C:\Users\user\Desktop\accessdatabaseengine.exe	Code function: 0_2_00068E71 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,
Source: C:\Program Files (x86)\MSECache\AceRedist\1033\installucrt.exe	Code function: 3_2_00EC1BD1 SetUnhandledExceptionFilter,
Source: C:\Program Files (x86)\MSECache\AceRedist\1033\installucrt.exe	Code function: 3_2_00EC1A78 IsProcessorFeaturePresent,memset,memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,
Source: C:\Program Files (x86)\MSECache\AceRedist\1033\installucrt.exe	Code function: 3_2_00EC167A SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,

HIPS / PFW / Operating System Protection Evasion

Creates a process in suspended mode (likely to inject code)

Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Program Files (x86)\MSECache\AceRedist\1033\installucrt.exe InstallUCRT.exe
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\msiexec.exe msiexec /i AceRedist.msi

Source: C:\Users\user\Desktop\accessdatabaseengine.exe

Language, Device and Operating System Detection

Queries the volume information (name, serial number etc) of a device

Source: C:\Windows\SysWOW64\msiexec.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\msiexec.exe	Queries volume information: C:\ VolumeInformation

Contains functionality to query CPU information (cpuid)

Source: C:\Users\user\Desktop\accessdatabaseengine.exe

Code function: 0_2_00064544 cpuid

Source: C:\Users\user\Desktop\accessdatabaseengine.exe

Code function: 0_2_0006419F GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter,

Source: C:\Users\user\Desktop\accessdatabaseengine.exe

Code function: 0_2_0005D636 GetVersionExA,KiUserCallbackDispatcher,CreateFontIndirectA,

Remote Access Functionality

Contains functionality to open a port and listen for incoming connection (possibly a backdoor)

Source: C:\Users\user\Desktop\accessdatabaseengine.exe

Code function: 0_2_000421AF __ehhandler$??1_Scoped_lock@?$SafeRWList@UListEntry@details@Concurrency@@VNoCount@CollectionTypes@23@V_ReaderWriterLock@23@@details@Concurrency@@QAE@XZ,

Mitre Att&ck Matrix

Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Exfiltration	Command and Control	Network Effects	Remote Service Effects	Impact	Resource Development	Reconnaissance
1 Replication Through Removable Media	3 Command and Scripting Interpreter	1 DLL Side-Loading	1 Access Token Manipulation	1 Masquerading	OS Credential Dumping	1 System Time Discovery	1 Replication Through Removable Media	1 Archive Collected Data	Exfiltration Over Other Network Medium	2 Encrypted Channel	Exploit SS7 to Redirect Phone Calls/SMS	Remotely Wipe Data Without Authorization	Abuse Accessibility Features	Acquire Infrastructure	Gather Victim Identity Information
Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	11 Process Injection	1 Access Token Manipulation	LSASS Memory	21 Security Software Discovery	Remote Desktop Protocol	Data from Removable Media	Exfiltration Over Bluetooth	Junk Data	SIM Card Swap	Obtain Device Cloud Backups	Network Denial of Service	Domains	Credentials
Domain Accounts	At	Logon Script (Windows)	1 DLL Side-Loading	11 Process Injection	Security Account Manager	1 Process Discovery	SMB/Windows Admin Shares	Data from Network Shared Drive	Automated Exfiltration	Steganography			Data Encrypted for Impact	DNS Server	Email Addresses
Local Accounts	Cron	Login Hook	Login Hook	1 Deobfuscate/Decode Files or Information	NTDS	11 Peripheral Device Discovery	Distributed Component Object Model	Input Capture	Traffic Duplication	Protocol Impersonation			Data Destruction	Virtual Private Server	Employee Names
Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	2 Obfuscated Files or Information	LSA Secrets	26 System Information Discovery	SSH	Keylogging	Scheduled Transfer	Fallback Channels			Data Encrypted for Impact	Server	Gather Victim Network Information
Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	1 DLL Side-Loading	Cached Domain Credentials	Wi-Fi Discovery	VNC	GUI Input Capture	Data Transfer Size Limits	Multiband Communication			Service Stop	Botnet	Domain Properties

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
accessdatabaseengine.exe	0%	ReversingLabs
accessdatabaseengine.exe	0%	Virustotal		Browse

Dropped Files

Source	Detection	Scanner	Link
C:\Program Files (x86)\MSECache\AceRedist\1033\installucrt.exe	0%	ReversingLabs
C:\Program Files (x86)\MSECache\AceRedist\1033\installucrt.exe	0%	Virustotal	Browse
C:\Users\user\AppData\Local\Temp\MSIF7B6.tmp	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\MSIF7B6.tmp	0%	Virustotal	Browse

Joe Sandbox Version:	38.0.0 Ammolite
Analysis ID:	1343624
Start date and time:	2023-11-16 15:23:17 +01:00
Joe Sandbox Product:	CloudBasic
Overall analysis duration:	0h 5m 42s
Hypervisor based Inspection enabled:	false
Report type:	light
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	11
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample file name:	accessdatabaseengine.exe
Detection:	CLEAN
Classification:	clean4.winEXE@12/12@0/0
EGA Information:	Successful, ratio: 100%
HCA Information:	Successful, ratio: 98% Number of executed functions: 0 Number of non-executed functions: 0
Cookbook Comments:	Found application associated with file extension: .exe

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, WMIADAP.exe, SIHClient.exe, conhost.exe
Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
Not all processes where analyzed, report is missing behavior information
Report size getting too big, too many NtSetInformationFile calls found.

Process:	C:\Users\user\Desktop\accessdatabaseengine.exe
File Type:	Composite Document File V2 Document, Little Endian, Os: Windows, Version 6.2, MSI Installer, Code page: 1252, Title: Installation Database, Subject: Microsoft Access database engine 2016 (English), Author: Microsoft Corporation, Keywords: Installer, MSI, Database, Release, Comments: This Installer database contains the logic and data required to install Microsoft Access database engine 2016 (English)., Template: Intel;1033, Revision Number: {ABDBC73F-19BF-4432-8F10-8E87CAF91E24}, Create Time/Date: Wed Jul 15 23:04:08 2020, Last Saved Time/Date: Wed Jul 15 23:04:08 2020, Number of Pages: 405, Number of Words: 2, Name of Creating Application: Windows Installer XML (3.7.2921.0), Security: 2
Category:	dropped
Size (bytes):	77176832
Entropy (8bit):	7.995793587140178
Encrypted:	true
SSDEEP:	1572864:w0GoiigfTsEmQ6FIJEFa+T1s2Lt5JfDgV1nTMJHH0+d3+LTypRokHeOeL1S8vQSX:w0Go2rG/r44mMDgV1T2003+SpD+J48jJ
MD5:	372681321BF5C2AE3DB949C6A14CD023
SHA1:	35EBF9380F94BCC7DF4930D80693C6FE531ECDC6
SHA-256:	E8C982C5F0D34216FB424F3917A0274F7A984EE7002650D3A85647A8C17CCF00
SHA-512:	135A486DF41638C18FB3A6C91563CC86B244FE5AFFFF0C4AFEAF8F313B39ED0AF69855C85C27FD1E5DC5DF0C4F05FF32AF10A483D46199A9C4C246AC6D70F710
Malicious:	false
Reputation:	low
Preview:	......................>.................................................................................... ...$...(...,...0...4...8...<...@...D...H..................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Program Files (x86)\MSECache\AceRedist\1033\catalog\files.cat

Download File

Process:	C:\Users\user\Desktop\accessdatabaseengine.exe
File Type:	data
Category:	dropped
Size (bytes):	94233
Entropy (8bit):	5.245516710866081
Encrypted:	false
SSDEEP:	768:cKKk51yfju8f9rV8okXeaWQng/cEN5+Ru3RTG:0kWfj3tV99apMI8G
MD5:	E432E55D8A6F3BEC4EF7C6CE679485FB
SHA1:	F86EBCDEF3B555671E77017808CA17E3C645CD50
SHA-256:	23751A23A4CE398729D3BD42DE9FE6C03C1D56290BB73728C96541FB530AEE84
SHA-512:	DD0CC98E6C51686CD67E2FEB7ADD316A241E01E463E7424AF119764A7D98CC33E1272B0C09234EC4804CD5D0F030483510B1E84ED071D7454AD65DDA65AA1D45
Malicious:	false
Reputation:	low
Preview:	0..p...*.H.........p.0..o....1.0...`.H.e......0..L...+.....7.....L.0..L.0...+.....7.....\|NJ.i..O...(.=..200715213550Z0...+.....7.....0..L`0....R0.0.B.8.B.F.0.8.5.7.1.4.4.4.8.4.A.9.6.7.9.6.9.1.2.9.B.9.F.F.A.E.3.7.9.A.3.3.0.E...1..0M..+.....7...1?0=0...+.....7...0...........0!0...+............W.D..g..)...7.3.0b..+.....7...1T0R.L.{.C.6.8.9.A.A.B.8.-.8.E.7.8.-.1.1.D.0.-.8.C.4.7.-.0.0.C.0.4.F.C.2.9.5.E.E.}....0....R0.1.8.F.D.6.D.4.C.3.9.3.5.8.7.6.5.D.D.F.2.5.6.9.D.2.4.9.F.4.A.5.F.7.3.5.5.0.D.B...1..0E..+.....7...17050...+.....7.......0!0...+.............Xv].%i.I...5P.0b..+.....7...1T0R.L.{.D.E.3.5.1.A.4.2.-.8.E.5.9.-.1.1.D.0.-.8.C.4.7.-.0.0.C.0.4.F.C.2.9.5.E.E.}....0....R0.1.C.D.2.C.2.F.F.D.9.6.4.D.A.0.2.D.E.5.8.F.F.5.4.9.4.6.A.4.E.9.4.6.8.6.B.7.2.9...1..0M..+.....7...1?0=0...+.....7...0...........0!0...+..........,/..M.-..IF..F..)0b..+.....7...1T0R.L.{.C.6.8.9.A.A.B.8.-.8.E.7.8.-.1.1.D.0.-.8.C.4.7.-.0.0.C.0.4.F.C.2.9.5.E.E.}....0....R0.2.B.1.5.4.F.5.C.4.2.2.1.5.6.2.B.5.0.7.3.A.C.7.0.9.

C:\Program Files (x86)\MSECache\AceRedist\1033\hotfixes\windows6.1-kb2999226-x64.msu

Download File

Process:	C:\Users\user\Desktop\accessdatabaseengine.exe
File Type:	Microsoft Cabinet archive data, Microsoft Standalone Update, 1010734 bytes, 4 files, at 0x44 +A "WSUSSCAN.cab" +A "Windows6.1-KB2999226-x64.cab", flags 0x4, number 1, extra bytes 20 in head, 32 datablocks, 0x1 compression
Category:	dropped
Size (bytes):	1026422
Entropy (8bit):	7.9987231732061
Encrypted:	true
SSDEEP:	12288:Jq9iNvL2JqHc3brJhfv1xnS35yVmjy6U8iGSk/DZquYIT7Ktw225e3lhMQf4uJiM:4oijHH7qyVmm6U1GjLQuxTh22wkQfTJj
MD5:	EC7E4B085F9C4A2750AC806AF5C2BADD
SHA1:	94E1D328D6ED02A890CE3A0AF452367C7C8073CD
SHA-256:	0E35214F66A005CECCDF400609A66A2177BB7F79F1055CEB1863AA300ABCB3B3
SHA-512:	06051E86C31AACD627644688C5EDAF4610700F2B00575DB583BBE8DC7F8B0DC885A0CE2662E86E990A86B27292FDB293A8E4826F970E9EC353D1D472982DE41F
Malicious:	false
Reputation:	low
Preview:	MSCF.....l......D............................l..H=.............. ..............FnT .WSUSSCAN.cab.U..........FrS .Windows6.1-KB2999226-x64.cab.....]......F.S .Windows6.1-KB2999226-x64-pkgProperties.txt.....1......F.S .Windows6.1-KB2999226-x64.xml...u....CKu.uX...6..,...,......K.. .tIHJ....(..._TP..X...C...y.=.{......s....}>.}..##.u............B.......]...K........J. .....{N..../[...N.B..v..wM....hs4:Y.......w..@....P.....\\f..U....8!.4...{..Wi....!Y..o.r............gS+;.k.._.c...5e.G.q....~S.h...~.E2.P...I......@._.kr..2.g8..sH.u....f..I..P.j.).3{...R.:....3.[......jww......@............2..1.......dC...B........@.....%`]..*.E.j...2..o....F^1OZQ..\....E........<.(.;.m.e.K..][....k...ESMY..P..5.K..w..e..ia..4k.yX.P......`..#.`..u.>kM..InA..&....H..?..c.U...).J.r...t<....'....H8.,9.T.3.N..S.`..a..SM...N.,BR....o.A......6jF....2=.p.........2..Q%.3`."Bis7.T......C....';..>...{\|.{....e"VyN.,..2.p{+..w@.E..@.p...<.............A......y..il_(.....V.

C:\Program Files (x86)\MSECache\AceRedist\1033\hotfixes\windows6.1-kb2999226-x86.msu

Download File

Process:	C:\Users\user\Desktop\accessdatabaseengine.exe
File Type:	Microsoft Cabinet archive data, Microsoft Standalone Update, 606298 bytes, 4 files, at 0x44 +A "WSUSSCAN.cab" +A "Windows6.1-KB2999226-x86.cab", flags 0x4, number 1, extra bytes 20 in head, 19 datablocks, 0x1 compression
Category:	dropped
Size (bytes):	621986
Entropy (8bit):	7.998474580372414
Encrypted:	true
SSDEEP:	12288:1WKtA7gXMcb8kwxo3aWjofJhpvSiFS3TrCZaNOfeRzXGecoNk:1HQgXRb8sqWjofHtmroAO61coNk
MD5:	8104CD9A9BB67E0C8C41EA7ED7A793D9
SHA1:	FF2C01D05BABCAAFECBD62D28EEA57315F0E70BA
SHA-256:	44D2966D60CBB7CFC7538BF1AB4AC14C69247CF4A26A875A80FA71EFAA5CA9A8
SHA-512:	FC1307F5394320CB8E9CB8B3FEF66FC4EB868CE48BD4F325AB11545A4745AD082790EEAAB94294C236E3ECEFAD09170B4B9AEF9670933567D04D6A252EECAA2C
Malicious:	false
Preview:	MSCF....Z@......D...........................Z@..H=..................v..........FnT .WSUSSCAN.cab.)...v......FrS .Windows6.1-KB2999226-x86.cab......q.....F.S .Windows6.1-KB2999226-x86-pkgProperties.txt.....Zs.....F.S .Windows6.1-KB2999226-x86.xml..9..j...CKu.wTS.....B @B.=......-tD...tDAA@E@ ...z.. U.(H.iRBGD. .."MJ.............\|f...{O......K2........_.... .........:...79..t.0..S..........t......='g..............!......H..Y....)2lZ2.F...Q~E.?[[.k..sX..$...._...(.)......d....9..3........r..@.2.i..R(/Q.`\|....^U....g.k.....)p...%...X..4.~..),\|/zR.;]....a...E.....8.........Fv. ......M<..........wK......\|..a^.W...x.....b.P.G'..Zc.....b/.."h...8.]...]43.`........BNIE....7k4..../....q.......,..\\y.....<P6...RT.0K.3E.r..oq.......s#.M..e.R..@..)-..D.$8'-...U.r..h#........6Py.=.xD.i...4WF...eA.2.=......x.B.....:t{.2...3...-9".e........T...b..h}..B..f,.6.D_...e..j.;....._x.S.....xU.....wp..._9.=..4...C[$2X...PW5...9."Zi.Xk.f.7e.@...Q....fv.2..tK.7..e....Z/6c.5.ga._.w

C:\Program Files (x86)\MSECache\AceRedist\1033\hotfixes\windows8-rt-kb2999226-x64.msu

Download File

Process:	C:\Users\user\Desktop\accessdatabaseengine.exe
File Type:	Microsoft Cabinet archive data, Microsoft Standalone Update, 1331942 bytes, 4 files, at 0x44 +A "WSUSSCAN.cab" +A "Windows8-RT-KB2999226-x64.cab", flags 0x4, number 1, extra bytes 20 in head, 42 datablocks, 0x1 compression
Category:	dropped
Size (bytes):	1347630
Entropy (8bit):	7.998547158129164
Encrypted:	true
SSDEEP:	24576:XdF1DdUhvOREGhRm23URJfAFnrfTduwTt2KBBDTSaE8K9cdNhp3+Nheuf:zUhW7RaRFAHlZBXSYK9cFp3Q1
MD5:	AC2FE82ECC98A903000CC1618A8F2EC0
SHA1:	A0BA63001E7E7EE8B85F8FD0F436C3BEAB40A896
SHA-256:	30CF93BB05B42A996C8AC9FA071ADE28B5E37DF86B413B3F5E0A62D3E4FB32F4
SHA-512:	9B542ED3685909093E6D7D8783DEBBE058271D5CA47133BFFBBFCD437EE842EEF18B9FEF3D2AC6516DDBB668BB84F1C8AF6185074844A786F697B8A7DE619D80
Malicious:	false
Preview:	MSCF.....R......D............................R..H=............................F. .WSUSSCAN.cab.}..........F.. .Windows8-RT-KB2999226-x64.cab.....7......Fd. .Windows8-RT-KB2999226-x64-pkgProperties.txt............Fd. .Windows8-RT-KB2999226-x64.xml.-2......CK}.c.0M.-.m..m.m.m.m.m..=.~.?o%S.Lz..VV..32JB..........................=...#....M.............j...`o`de`fBkd`...ef...._..?............ ...,.BL....gC...."...<.T........FS.i.R.I..$..$ll.....'v..gw..R=.A...v..S9..c..~c.O.O.h.>?.q.z....\.V.Ed.CT.:=..2Yd.....R#I0..5Ye..;................/..M_....:..@.R.+.a.w.&.....@......y.<...3.!T.@.I.y7.o\...{t...................+.]x-f.];...aW..F.(y.O.h.)...>.N.1E..~._E....L....-b..{TN..q......G.,..M..h.......x...f.=la.^D......f...a...`t...V.XU.D+...%^..Q.%S./.4...?.?1...6f P.G.pGS....>..$...gx;.......oM..z.:L....Je>.....X.}BW[.o)..q...V....%KLsI... w.w.`.}..`C?...]x..L#R.y...qT.s vk.,.Z^9.............4.C....t...kd.[......\.F!e...O5...=.qtGw....{8.L..\..d..4d2..-..:.

C:\Program Files (x86)\MSECache\AceRedist\1033\hotfixes\windows8-rt-kb2999226-x86.msu

Download File

Process:	C:\Users\user\Desktop\accessdatabaseengine.exe
File Type:	Microsoft Cabinet archive data, Microsoft Standalone Update, 599616 bytes, 4 files, at 0x44 +A "WSUSSCAN.cab" +A "Windows8-RT-KB2999226-x86.cab", flags 0x4, number 1, extra bytes 20 in head, 19 datablocks, 0x1 compression
Category:	dropped
Size (bytes):	615304
Entropy (8bit):	7.9989497980666
Encrypted:	true
SSDEEP:	12288:Qeig4+EQMmu8YPppF1cokZTSawXSW4WPldJaYYqxqgQ+sXgmW9tL6stP60GSmFuF:Qek6MN8YN1cVA7emldJlYgQ+sXy9tL68
MD5:	37BF4A89437B3707B47E633BAADA69A9
SHA1:	208A3D26B0A8502A7BF8A00ECF2CA09BDDA50C41
SHA-256:	44D70F0BC55DBF5EFD85E2CE3DAE9CEEA976B6D4345550BA3F5ED46B149E52F4
SHA-512:	AF48C86659288DF2B1707464FB1EE5CF153723A760DF15305B19170A4E2980581C461223243EF4BC3566B17E6B513470BFD07CFB224F903BA78A11EA63128E58
Malicious:	false
Preview:	MSCF....@&......D...........................@&..H=..................(..........F.. .WSUSSCAN.cab.;...(......F.. .Windows8-RT-KB2999226-x86.cab.....c\.....Fd. .Windows8-RT-KB2999226-x86-pkgProperties.txt......^.....Fd. .Windows8-RT-KB2999226-x86.xml.t\.....CKu.w4...?.D$!A....l..Vm.j.EUm....VKm..U...1..UJk.M.........{.}.{........9............h...B........f.?O....U......J. c.....Z..}.0..;.'vN......b.?dt,.....,.,..........0......./.[..4}Ql....W......y)(d....}..A.Q@.%p.F...q.\|hKP..B.8...i....D..n.L....k....y.w....G.3=A..\|w...a......Z..)....ySS8Y\|W..p.....J`..qi..Q.^.....@B...iG......'.Gc..BX.... .3.BI.......,.._...+.._.{S.x5..%....%4.......M\...Ejh..o#....h@r..o.~r..<=-..p..2.:.?T..k....84..........E....b......y.[...ABm.....2..H7u.......3n.W.%-.......dk...,;.9"0.l.f5..h...'....I......S\|ZM..y..H..B.rrZ$.......J..Z..j_........1.l=..N....w...k.83 .g.h...p..*0.5.9.R{W.d.uSw[....?..E..<C..4.\....`.3.{q.......!.Y.p/.k..kv?......l...[.V=.2..z.n[]:9V..

C:\Program Files (x86)\MSECache\AceRedist\1033\hotfixes\windows8.1-kb2999226-x64.msu

Download File

Process:	C:\Users\user\Desktop\accessdatabaseengine.exe
File Type:	Microsoft Cabinet archive data, Microsoft Standalone Update, 978893 bytes, 4 files, at 0x44 +A "WSUSSCAN.cab" +A "Windows8.1-KB2999226-x64.cab", flags 0x4, number 1, extra bytes 20 in head, 31 datablocks, 0x1 compression
Category:	dropped
Size (bytes):	994589
Entropy (8bit):	7.998827659908068
Encrypted:	true
SSDEEP:	24576:GO8U2hupv+/qtZ9XGAKsH6o53SQuIT4b8J/u8Q0:GotQsQjI7J28Q0
MD5:	15DE25C6DAAF964612D44BDCA1781405
SHA1:	6B04E2AF72745BCB30D18EED08C7017877C446A7
SHA-256:	87F8A110309B57771BA8DC806C2B0D144AACA048A4AE24BFFB82D1D47C1BE448
SHA-512:	1B59085AA53076D9ED75BB2481D518ECF5626B44AFD6AD5A3226E6FD4D4C3CC518E5CF1C60B12820BF41D0AE671D004CC62C6A15CFB89F56CB3D373A48DD4802
Malicious:	false
Preview:	MSCF............D...............................P=..................T..........F-. .WSUSSCAN.cab.Q...T......F. .Windows8.1-KB2999226-x64.cab............F. .Windows8.1-KB2999226-x64-pkgProperties.txt.....q!.....F. .Windows8.1-KB2999226-x64.xml.8..{...CKu.wTS..5.N @B..P.." -..H.."% ....H..:HQ.D.Y@....HI..R..B(.{.\|..{....Z'.$..g.=..{.\..7..k'........O.... ....................9..@..o..FR0.?.[....n.......<...n....Q}.....C.d..v.....lq...zi..ObdnL.M..Y.=.L..~.o].-.c....W..v&...N.4M..o.Ua..ez..; .3.Ph.U.._y.U..;,.w.g.G.........obF...@..L\|..~.s3y0+.>...p......._.PhFA.uV{,.D...p.....0..........Am.x.*k........}.]....J...x&...(%%Sn<Z.%Ra....@.%.xG.?......9O.)./.."1.:..Kq..xt~..EG_P.>.eA.....B...0w.3=re..\|.%....x..Bn.......Ot....A.G....Tm.T...s....!.....J..v...6.....P.QS..B.h;D..2.d.j.S.{.(.zq.l....v.EZ....$."h!x...H.U........s27.0.6D.c.>Ef..4{.9.Iu%.&. ..?..R.^M............a..n.M...s....b.l..y....B..3..u.....k...l5,..:_a.....\|.......dT.7.s.6cOH.6.W.t.0....

C:\Program Files (x86)\MSECache\AceRedist\1033\hotfixes\windows8.1-kb2999226-x86.msu

Download File

Process:	C:\Users\user\Desktop\accessdatabaseengine.exe
File Type:	Microsoft Cabinet archive data, Microsoft Standalone Update, 580281 bytes, 4 files, at 0x44 +A "WSUSSCAN.cab" +A "Windows8.1-KB2999226-x86.cab", flags 0x4, number 1, extra bytes 20 in head, 19 datablocks, 0x1 compression
Category:	dropped
Size (bytes):	595977
Entropy (8bit):	7.998836917558681
Encrypted:	true
SSDEEP:	12288:KE0axLVzfdkEgLboMH6ca6IUBqYPjd01KlKPYcXwjV0ax:Ual3g/jBJsz1KlKPYcY0ax
MD5:	28702C8CB02932B6762D10C8F4CC8846
SHA1:	2AD3572FC9DA39769BB9164A1B81D230802881C1
SHA-256:	E3FB639694AC40F981FE38A64F5BF9D0494C5643A6A97A242A091D3F2471E83B
SHA-512:	6D9143FDC5FF469BECBE5B05DD14C4641D077E21BCDF0C649F43CF714D2E2E729967AB10FEE0EE36F133042CEFAA43BA1037AD287F813B7991862C96D3E50F10
Malicious:	false
Preview:	MSCF............D...............................P=..................J..........F. .WSUSSCAN.cab..p..J......FZ. .Windows8.1-KB2999226-x86.cab............F. .Windows8.1-KB2999226-x86-pkgProperties.txt............F. .Windows8.1-KB2999226-x86.xml.^..\j...CKu.wTS.....'@....C......PDEAADz..P.tB.Z.\|.!......RB.A....P.I.....{.u....9m..=.......&..e.....`....0.... .w...G...c..........>....l.......n>.....\\."......$;.).4._.....+..@i..5.k....L.T......J1._p..jX..r.....'p....G.....r..#e{.#..N.l.m.F.y}..>.p.A....t.(......g...i.r%<...a"....}.Xis....1..&......\|....e>..K2i..K.YZ.....t...gN.....B....\E...@.U...(.E.......p\|!....+...>a..K...M...\|)..6.EG....6.D.....:9.8..h.p)...DY.I../........]....o..Zg4....x.?.N..<...09.......i^...>.[...D..C.^......&.i.......T*..M......M.@..a.ny3.?.w.t....:.H.s.......U....@..o2IM..J.......TtP.....S.5.(.A.4...k.x.c\|......IA....s..:...9.U..s.O...5R..Db.\R....~=."./........RQi.h.....hX....\|B+.....(%.6.f.}...1.....N9..#_..:Fg..I.....j

C:\Program Files (x86)\MSECache\AceRedist\1033\installucrt.exe

Download File

Process:	C:\Users\user\Desktop\accessdatabaseengine.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	26288
Entropy (8bit):	6.944058381538313
Encrypted:	false
SSDEEP:	384:p6bBTWBMA/T/8+E2syj8od4Qam0GftpBjz9aQHRN7uRdliXhk:p6bBTWBXLpayfaVirLuAk
MD5:	8FACCEDFD9DFE2D28E2AC6E3F6B35616
SHA1:	FE4154D3AE894CE6AD7315442808BB163C544C09
SHA-256:	25A66B996641C6BE599D56FFDB986AA00684E8788A5C486CCF8DFC4EC57DA34A
SHA-512:	616CE34190DA326C48B9FE8DF38F6BB1FAC73E23F614F167746D1878051E642D92ED08FDE6BCAE53147EAB7E5D7A0641FD021EA16F8F78D6B3744C7B99A31852
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0% Antivirus: Virustotal, Detection: 0%, Browse
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........f.Kt.FKt.FKt.F...FIt.FB..FGt.F.-.GHt.FKt.Fvt.F.-.GJt.F.-.GYt.F.-.GBt.Fk-.GIt.F.-.GJt.F.-.GJt.FRichKt.F........PE..L...c}.Z............................p........ ....@..........................`......%.....@.................................45.......................(...>...P......\|...T...........................X2..@............0...............................text............................... ..`.rdata..d....0......................@..@.data........@.......$..............@....reloc.......P.......&..............@..B................................................................................................................................................................................................................................................................................................................................................................

C:\Program Files (x86)\MSECache\AceRedist\1033\setup.cmd

Download File

Process:	C:\Users\user\Desktop\accessdatabaseengine.exe
File Type:	DOS batch file, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	340
Entropy (8bit):	4.920086840537824
Encrypted:	false
SSDEEP:	6:hAZoyG6LA/xZQmp2Qgh2WgOBJz20/F8/x8RgCLtQWiqKRLDe2FHo4ZtWr0yAzL4F:2ZokLA/QmEGOL20NqxiLtQXXw2lkwy+c
MD5:	41C3F185CEF1D5EBB14526B2F2AC8491
SHA1:	46525E9222AB18099FB1B1C8F4B909B2183A9749
SHA-256:	1D370A49832FB4D3F7CF6B016BCBF94817B9901370619D19962E1F02E2733F0C
SHA-512:	49CF1A2A825A01D8021E99EF3793DFD8645CBAFFEED055AFEDDD6A5E797B40538B4681D0C33F7F0E043A7E591943C179963D2014C0D224F809F80AEF15638172
Malicious:	false
Preview:	@echo off....REM Install Universal CRT if necessary..InstallUCRT.exe....REM InstallUCRT returns 0 for insalled, 1 for already_installed, 2 for failed..IF %ERRORLEVEL% equ 2 (...echo Failure installing Universal CRT. Aborting installation......goto :EOF..)....REM Install Access Database Engine Redistributable..msiexec %1 /i AceRedist.msi..

C:\Users\user\AppData\Local\Temp\MSIF7B6.tmp

Download File

Process:	C:\Windows\SysWOW64\msiexec.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	561648
Entropy (8bit):	6.270748751330972
Encrypted:	false
SSDEEP:	12288:rOWQrCim1sioIuWoVL/g2jNHC/q5ByPMkpQ9E8rXII:aWQi1sVdxCyGP5e9E8rh
MD5:	DFD6ED950BE5CA4C70384F5E3BBDD937
SHA1:	B35A1DA4F5B99EF38AB3FB408AAD26950008566B
SHA-256:	1101BDE5130CEE43A0F1D6696E9D2F0B265DA6212808B84789126DEE104C9EF8
SHA-512:	14AA719FC0754240433AB124FD1A211EE4C6EA68ECC9D56108096EDD3B23B35B7F0B93F07749372294DB6FA852DBA2441FF2BD1D8E03C1D74FD19AE86D4B8354
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0% Antivirus: Virustotal, Detection: 0%, Browse
Preview:	MZ......................@................................... ...........!..L.!This program cannot be run in DOS mode....$.........:..i..i..iW%.i..iW%.il..iW%.i...i...h...i...h...i...h...i...i..i...i..iW%.i..iW%.i..i..ie..i...h..i...h...i...h..iRich..i........................PE..L......]...........!.........v......3........................................p...........@...................................d....................2..._.......Q......T...................l...........@...............\|...........................text...\........................... ..`.rdata..6...........................@..@.data....B.......D..................@....tls................................@....reloc...Q.......R..................@..B........................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\MSIf824.LOG

Download File

Process:	C:\Windows\SysWOW64\msiexec.exe
File Type:	Unicode text, UTF-16, little-endian text, with very long lines (417), with CRLF line terminators
Category:	dropped
Size (bytes):	1070
Entropy (8bit):	3.407372385139798
Encrypted:	false
SSDEEP:	24:QG/LTWKwPFQ9gzhCWKwPmCo4gNiWlbkF/LTWKwP5iAK7GJHJNZqrq:1Tom9QlE4CiWlYFTo0A3ZJzqrq
MD5:	0EA5F5C36E9A6CB53E316409C6CAF5B4
SHA1:	650F89E746D732E41B2910D5FAE76EDFF406C065
SHA-256:	8FEF9B6DA06B8F9C9CE7E93C1737F0D57887B6AE1CB9B5D1B527CD877DE18B19
SHA-512:	CB99D2CA326B89A8CDCF178E27206CDEDE3951230B17B0E52B32D12C2B9BFF9381782FEAB76B7FAEAA4AA36371B7BF7C06065B9399264BDEE7624A1A3D2A1FEA
Malicious:	false
Preview:	..Y.o.u. .c.a.n.n.n.o.t. .i.n.s.t.a.l.l. .t.h.e. .3.2.-.b.i.t. .v.e.r.s.i.o.n. .o.f. .M.i.c.r.o.s.o.f.t. .A.c.c.e.s.s. .D.a.t.a.b.a.s.e. .E.n.g.i.n.e. .2.0.1.6. .b.e.c.a.u.s.e. .y.o.u. .c.u.r.r.e.n.t.l.y. .h.a.v.e. .6.4.-.b.i.t. .O.f.f.i.c.e. .p.r.o.d.u.c.t.s. .i.n.s.t.a.l.l.e.d... .I.f. .y.o.u. .w.a.n.t. .t.o. .i.n.s.t.a.l.l. .3.2.-.b.i.t. .M.i.c.r.o.s.o.f.t. .A.c.c.e.s.s. .D.a.t.a.b.a.s.e. .E.n.g.i.n.e. .2.0.1.6.,. .y.o.u. .w.i.l.l. .f.i.r.s.t. .n.e.e.d. .t.o. .r.e.m.o.v.e. .t.h.e. .6.4.-.b.i.t. .i.n.s.t.a.l.l.a.t.i.o.n. .o.f. .O.f.f.i.c.e. .p.r.o.d.u.c.t.s... .A.f.t.e.r. .u.n.i.n.s.t.a.l.l.i.n.g. .t.h.e. .f.o.l.l.o.w.i.n.g. .p.r.o.d.u.c.t.(.s.).,. .r.e.r.u.n. .s.e.t.u.p. .i.n. .o.r.d.e.r. .t.o. .i.n.s.t.a.l.l. .3.2.-.b.i.t. .v.e.r.s.i.o.n. .o.f. .M.i.c.r.o.s.o.f.t. .A.c.c.e.s.s. .D.a.t.a.b.a.s.e. .E.n.g.i.n.e. .2.0.1.6.:.....O.f.f.i.c.e. .1.6. .C.l.i.c.k.-.t.o.-.R.u.n. .E.x.t.e.n.s.i.b.i.l.i.t.y. .C.o.m.p.o.n.e.n.t. .6.4.-.b.i.t. .R.e.g.i.s.t.r.a.t.i.o.n.....=.=.=. .L.o.g.g.i.n.g. .

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit):	7.999472471427351
TrID:	Win32 Executable (generic) a (10002005/4) 99.96% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	accessdatabaseengine.exe
File size:	81'621'424 bytes
MD5:	ee45577303d58f80e94a796a500501ea
SHA1:	be8239b158de88d29bccccc2ac6cc5c82181f8ca
SHA256:	adc0504656f390d225530ac09f1fc2113295c4f9baeffea1e983fecf4ac960f0
SHA512:	4141a61d8750e9ce3f83b83db915f906c0475a5870641bc81273afb790db44191e127854c5755f65a57e98f7a1afdd7a0a0809db9072bb51456b9eac50538057
SSDEEP:	1572864:3WkjWtRiKiJdpUreMksYc8sOWEpOlag3/zSUoXCABkO6aqcAgkQAosc9ocBfhFCs:3WkjUBSASDWNn3/zDbKkOgcYDNXkJURC
TLSH:	7F083337BECC5778F46714309292BEE1987472914C028BA2D74DADAE8E13297E474FC6
File Content Preview:	MZ......................@................................P..............!..L.!This program cannot be run in DOS mode....$..........G;.{.;.{.;.{.....1.{.......{.....#.{...x./.{.....(.{...~...{.....9.{.....0.{.;.z...{...~.%.{.....:.{...y.:.{.Rich;.{........

File Icon


Icon Hash:	674e4f45a7297639

Static PE Info

General

Entrypoint:	0x42384c
Entrypoint Section:	.text
Digitally signed:	true
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, 32BIT_MACHINE
DLL Characteristics:	DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Time Stamp:	0x5ACD07D6 [Tue Apr 10 18:52:06 2018 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	6
OS Version Minor:	1
File Version Major:	6
File Version Minor:	1
Subsystem Version Major:	6
Subsystem Version Minor:	1
Import Hash:	ef12af5bb3a15a621e706212dd9cbd31

Authenticode Signature

Signature Valid:	true
Signature Issuer:	CN=Microsoft Code Signing PCA 2010, O=Microsoft Corporation, L=Redmond, S=Washington, C=US
Signature Validation Error:	The operation completed successfully
Error Number:	0
Not Before, Not After	04/03/2020 18:29:29 03/03/2021 18:29:29
Subject Chain	CN=Microsoft Corporation, O=Microsoft Corporation, L=Redmond, S=Washington, C=US
Version:	3
Thumbprint MD5:	24D1E89B73500959D9996B5990E2A944
Thumbprint SHA-1:	644004FCA8E36FA9198CF061CC085B0A2E61CFC4
Thumbprint SHA-256:	82343FD97F607024D4AB3E86E84DCF894A6CE7C865978DA31A34DB5CA494BC16
Serial:	330000032548B29D0E7FC5F41F000000000325

Entrypoint Preview

Instruction
call 00007FDE6CB735F3h
jmp 00007FDE6CB72B25h
push ebp
mov ebp, esp
mov eax, dword ptr [ebp+08h]
push esi
mov ecx, dword ptr [eax+3Ch]
add ecx, eax
movzx eax, word ptr [ecx+14h]
lea edx, dword ptr [ecx+18h]
add edx, eax
movzx eax, word ptr [ecx+06h]
imul esi, eax, 28h
add esi, edx
cmp edx, esi
je 00007FDE6CB72CBBh
mov ecx, dword ptr [ebp+0Ch]
cmp ecx, dword ptr [edx+0Ch]
jc 00007FDE6CB72CACh
mov eax, dword ptr [edx+08h]
add eax, dword ptr [edx+0Ch]
cmp ecx, eax
jc 00007FDE6CB72CAEh
add edx, 28h
cmp edx, esi
jne 00007FDE6CB72C8Ch
xor eax, eax
pop esi
pop ebp
ret
mov eax, edx
jmp 00007FDE6CB72C9Bh
call 00007FDE6CB73AEBh
test eax, eax
jne 00007FDE6CB72CA5h
xor al, al
ret
mov eax, dword ptr fs:[00000018h]
push esi
mov esi, 004530B4h
mov edx, dword ptr [eax+04h]
jmp 00007FDE6CB72CA6h
cmp edx, eax
je 00007FDE6CB72CB2h
xor eax, eax
mov ecx, edx
lock cmpxchg dword ptr [esi], ecx
test eax, eax
jne 00007FDE6CB72C92h
xor al, al
pop esi
ret
mov al, 01h
pop esi
ret
push ebp
mov ebp, esp
cmp dword ptr [ebp+08h], 00000000h
jne 00007FDE6CB72CA9h
mov byte ptr [004530D0h], 00000001h
call 00007FDE6CB73905h
call 00007FDE6CB77A74h
test al, al
jne 00007FDE6CB72CA6h
xor al, al
pop ebp
ret
call 00007FDE6CB7D4F8h
test al, al
jne 00007FDE6CB72CACh
push 00000000h
call 00007FDE6CB77A8Ah
pop ecx
jmp 00007FDE6CB72C8Bh
mov al, 01h
pop ebp
ret
push ebp
mov ebp, esp
sub esp, 0Ch
push esi
mov esi, dword ptr [ebp+08h]
test esi, esi

Rich Headers

Programming Language:

[C++] VS2015 build 23026
[RES] VS2015 build 23026
[LNK] VS2015 build 23026

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x4fdf4	0x78	.rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x54000	0x4a30	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x4dd5028	0x2188
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x59000	0x4328	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x3a704	0x54	.text
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x48d80	0x40	.rdata
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x3b000	0x280	.rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x4f80c	0x120	.rdata
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x39874	0x39a00	False	0.5118077209869848	data	6.526953765632785	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata	0x3b000	0x15c4c	0x15e00	False	0.3404464285714286	data	5.056954510740659	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0x51000	0x2abc	0x2000	False	0.219482421875	data	4.323134706602226	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc	0x54000	0x4a30	0x4c00	False	0.1826171875	data	4.054134379029584	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0x59000	0x4328	0x4400	False	0.7360409007352942	data	6.64968467351381	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_ICON	0x5430c	0x2e8	Device independent bitmap graphic, 32 x 64 x 4, image size 640	English	United States	0.41397849462365593
RT_ICON	0x545f4	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 192	English	United States	0.5641891891891891
RT_DIALOG	0x5471c	0xe4	data	English	United States	0.6491228070175439
RT_DIALOG	0x54800	0xe4	data	English	United States	0.6535087719298246
RT_DIALOG	0x548e4	0xfe	data	English	United States	0.6062992125984252
RT_DIALOG	0x549e4	0xfe	data	English	United States	0.6141732283464567
RT_DIALOG	0x54ae4	0x158	data	English	United States	0.5261627906976745
RT_DIALOG	0x54c3c	0x158	data	English	United States	0.5261627906976745
RT_RCDATA	0x54d94	0x3162	data			0.1292517006802721
RT_GROUP_ICON	0x57ef8	0x22	data	English	United States	1.0
RT_VERSION	0x57f1c	0x434	data			0.3141263940520446
RT_VERSION	0x58350	0x3b4	data	English	United States	0.4008438818565401
RT_MANIFEST	0x58704	0x32b	XML 1.0 document, ASCII text, with CRLF line terminators	English	United States	0.5191122071516646

Imports

DLL	Import
KERNEL32.dll	CopyFileA, MoveFileA, MultiByteToWideChar, Sleep, CreateThread, CreateToolhelp32Snapshot, Process32First, Process32Next, ReadFile, ExpandEnvironmentStringsA, SetEvent, CreateEventA, SetFilePointer, CreateFileW, DeleteFileW, GetTempFileNameW, WriteFile, GetTempPathW, CreateProcessW, ExpandEnvironmentStringsW, GetSystemDirectoryA, LoadResource, LockResource, FindResourceA, GetSystemDefaultLangID, GetUserDefaultLangID, GlobalAlloc, GlobalFree, GetModuleHandleA, CompareStringA, SetCurrentDirectoryA, GetCurrentDirectoryA, GetDiskFreeSpaceExA, SetLastError, GetCurrentProcess, CreateProcessA, GetWindowsDirectoryA, CreateFileMappingA, WritePrivateProfileStringA, SetFileTime, DosDateTimeToFileTime, VirtualQuery, VirtualProtect, GetSystemInfo, WriteConsoleW, FlushFileBuffers, SetFilePointerEx, GetConsoleMode, UnmapViewOfFile, MapViewOfFile, GetTempFileNameA, GetTempPathA, GetFullPathNameA, GetFileSize, DeleteFileA, CreateFileA, CreateDirectoryA, GetVersionExA, GetExitCodeProcess, WaitForSingleObject, CloseHandle, WideCharToMultiByte, LoadLibraryExA, GetProcAddress, GetModuleHandleW, FreeLibrary, DeleteCriticalSection, InitializeCriticalSectionEx, GetLastError, RaiseException, GetConsoleCP, GetProcessHeap, SetStdHandle, GetModuleFileNameA, LocalFree, GetFileAttributesW, IsDebuggerPresent, OutputDebugStringW, EnterCriticalSection, LeaveCriticalSection, UnhandledExceptionFilter, SetUnhandledExceptionFilter, TerminateProcess, IsProcessorFeaturePresent, QueryPerformanceCounter, GetCurrentProcessId, GetCurrentThreadId, GetSystemTimeAsFileTime, InitializeSListHead, GetStartupInfoW, EncodePointer, RtlUnwind, GetModuleFileNameW, InitializeCriticalSectionAndSpinCount, TlsAlloc, TlsGetValue, TlsSetValue, TlsFree, LoadLibraryExW, ExitThread, FreeLibraryAndExitThread, GetModuleHandleExW, GetCommandLineA, GetCommandLineW, GetStdHandle, ExitProcess, GetACP, HeapFree, HeapAlloc, HeapSize, HeapReAlloc, GetFileType, GetStringTypeW, GetFileAttributesExW, LCMapStringW, FindClose, FindFirstFileExA, FindNextFileA, IsValidCodePage, GetOEMCP, GetCPInfo, GetEnvironmentStringsW, FreeEnvironmentStringsW, DecodePointer
OLEAUT32.dll	VariantChangeType, VariantClear, VariantInit, SysFreeString, SysAllocString
ADVAPI32.dll	FreeSid, LookupPrivilegeValueA, GetTokenInformation, EqualSid, AllocateAndInitializeSid, AdjustTokenPrivileges, OpenProcessToken, RegQueryValueExW, RegOpenKeyExW, RegSetValueExA, RegQueryValueExA, RegOpenKeyExA, RegCreateKeyExA, RegCloseKey, ConvertStringSecurityDescriptorToSecurityDescriptorW, CryptDestroyHash, CryptHashData, CryptCreateHash, CryptGetHashParam, CryptReleaseContext, CryptAcquireContextA
ole32.dll	CLSIDFromProgID, CoInitialize, CoTaskMemFree, CoCreateInstance
GDI32.dll	CreateFontIndirectA

Possible Origin

Language of compilation system	Country where language is spoken	Map
English	United States

• accessdatabaseengine.exe
• cmd.exe
• conhost.exe
• installucrt.exe
• msiexec.exe
• msiexec.exe
• msiexec.exe

Click to jump to process

Target ID:	0
Start time:	15:24:10
Start date:	16/11/2023
Path:	C:\Users\user\Desktop\accessdatabaseengine.exe
Wow64 process (32bit):	true
Commandline:	C:\Users\user\Desktop\accessdatabaseengine.exe
Imagebase:	0x40000
File size:	81'621'424 bytes
MD5 hash:	EE45577303D58F80E94A796A500501EA
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	1
Start time:	15:24:13
Start date:	16/11/2023
Path:	C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\system32\cmd.exe /c .\setup.cmd
Imagebase:	0x240000
File size:	236'544 bytes
MD5 hash:	D0FCE3AFA6AA1D58CE9FA336CC2B675B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	2
Start time:	15:24:13
Start date:	16/11/2023
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	3
Start time:	15:24:13
Start date:	16/11/2023
Path:	C:\Program Files (x86)\MSECache\AceRedist\1033\installucrt.exe
Wow64 process (32bit):	true
Commandline:	InstallUCRT.exe
Imagebase:	0xec0000
File size:	26'288 bytes
MD5 hash:	8FACCEDFD9DFE2D28E2AC6E3F6B35616
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Antivirus matches:	Detection: 0%, ReversingLabs Detection: 0%, Virustotal, Browse
Reputation:	low
Has exited:	true

Analysis Process: msiexec.exePID: 3568, Parent PID: 2936

General

Target ID:	4
Start time:	15:24:13
Start date:	16/11/2023
Path:	C:\Windows\SysWOW64\msiexec.exe
Wow64 process (32bit):	true
Commandline:	msiexec /i AceRedist.msi
Imagebase:	0xad0000
File size:	59'904 bytes
MD5 hash:	9D09DC1EDA745A5F87553048E57620CF
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	moderate
Has exited:	true

Show Windows behavior

Target ID:	5
Start time:	15:24:14
Start date:	16/11/2023
Path:	C:\Windows\System32\msiexec.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\msiexec.exe /V
Imagebase:	0x7ff710210000
File size:	69'632 bytes
MD5 hash:	E5DA170027542E25EDE42FC54C929077
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	moderate
Has exited:	false

Analysis Process: msiexec.exePID: 7224, Parent PID: 7180

General

Target ID:	6
Start time:	15:24:14
Start date:	16/11/2023
Path:	C:\Windows\SysWOW64\msiexec.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\syswow64\MsiExec.exe -Embedding 3C96B4C68482B32F81AFDC1DEE152456 C
Imagebase:	0xad0000
File size:	59'904 bytes
MD5 hash:	9D09DC1EDA745A5F87553048E57620CF
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	moderate
Has exited:	true

Disassembly

⊘No disassembly

Description:	Adversaries may move onto systems, possibly those on disconnected or air-gapped networks, by copying malware to removable media and taking advantage of Autorun features when the media is inserted into a system and executes. In the case of Lateral Movement, this may occur through modification of executable files stored on removable media or by copying malware and renaming it to look like a legitimate file to trick users into executing it on a separate system. In the case of Initial Access, this may occur through manual manipulation of the media, modification of systems used to initially format the media, or modification to the media's firmware itself.
Tactics:	Initial Access, Lateral Movement
Data Sources:	Drive: Drive Creation, File: File Access, File: File Creation, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse command and script interpreters to execute commands, scripts, or binaries. These interfaces and languages provide ways of interacting with computer systems and are a common feature across many different platforms. Most systems come with some built-in command-line interface and scripting capabilities, for example, macOS and Linux distributions include some flavor of Unix Shell while Windows installations include the Windows Command Shell and PowerShell .
Tactics:	Execution
Data Sources:	Command: Command Execution, Module: Module Load, Process: Process Creation, Process: Process Metadata, Script: Script Execution
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Network, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify access tokens to operate under a different user or system security context to perform actions and bypass access controls. Windows uses access tokens to determine the ownership of a running process. A user can manipulate access tokens to make a running process appear as though it is the child of a different process or belongs to someone other than the user that started the process. When this occurs, the process also takes on the security context associated with the new token.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	Active Directory: Active Directory Object Modification, Command: Command Execution, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, User Account: User Account Metadata
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to gather information about attached peripheral devices and components connected to a computer system.Peripheral devices could include auxiliary resources that support a variety of functionalities such as keyboards, printers, cameras, smart card readers, or removable storage. The information may be used to enhance their awareness of the system and network environment or may be used for further actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report accessdatabaseengine.exe

Overview

General Information

Detection

Compliance

Signatures

Classification

Analysis Advice

Process Tree

Malware Configuration

Yara Signatures

Sigma Signatures

Snort Signatures

Joe Sandbox Signatures

Cryptography

Compliance

Spreading

System Summary

Data Obfuscation

Persistence and Installation Behavior

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

World Map of Contacted IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Program Files (x86)\MSECache\AceRedist\1033\aceredist.msi

C:\Program Files (x86)\MSECache\AceRedist\1033\catalog\files.cat

C:\Program Files (x86)\MSECache\AceRedist\1033\hotfixes\windows6.1-kb2999226-x64.msu

C:\Program Files (x86)\MSECache\AceRedist\1033\hotfixes\windows6.1-kb2999226-x86.msu

C:\Program Files (x86)\MSECache\AceRedist\1033\hotfixes\windows8-rt-kb2999226-x64.msu

C:\Program Files (x86)\MSECache\AceRedist\1033\hotfixes\windows8-rt-kb2999226-x86.msu

C:\Program Files (x86)\MSECache\AceRedist\1033\hotfixes\windows8.1-kb2999226-x64.msu

C:\Program Files (x86)\MSECache\AceRedist\1033\hotfixes\windows8.1-kb2999226-x86.msu

C:\Program Files (x86)\MSECache\AceRedist\1033\installucrt.exe

C:\Program Files (x86)\MSECache\AceRedist\1033\setup.cmd

C:\Users\user\AppData\Local\Temp\MSIF7B6.tmp

C:\Users\user\AppData\Local\Temp\MSIf824.LOG

Static File Info

General

File Icon

Static PE Info

General

Authenticode Signature

Entrypoint Preview

Rich Headers

Data Directories

Sections

Resources

Windows Analysis Report
accessdatabaseengine.exe